Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Application Layer Intrusion Detection for SQL Injection (2006)

Frank Rietta
March 11, 2006
Research
0
120

Application Layer Intrusion Detection for SQL Injection (2006)

My research in computer science, presented to the ACM Southeastern Conference in March, 2006.

The paper is available free of charge from my website at http://rietta.com/papers/rietta_acmse2006.pdf. Originally published on my Georgia Tech website prior to my graduation.

It's available through the ACM Digital Library at:
http://dl.acm.org/citation.cfm?id=1185564

See the citations for the underlaying paper in Google Scholar:
http://scholar.google.com/scholar?hl=en&q=application+layer+intrusion+detection+for+sql+injection&btnG=&as_sdt=1%2C11&as_sdtp=

Frank Rietta

March 11, 2006
Tweet

More Decks by Frank Rietta

See All by Frank Rietta
Securing the Open Source Software Supply Chain
rietta
0
110
Taming Mr. Beeblebrox: Uniting the Two Heads of Agile and Security in Software Development (with Test Driven Development)
rietta
0
55
Breach Prevention for Developers at KSU
rietta
0
160
Metro Atlanta ISSA: Defending Against Data Breaches, as part of a Custom Software Development Process
rietta
0
130
ISSAINTL 2015 - Defending Against Data Breaches, as part of a Custom Software Development Process
rietta
1
75
Defending Against Data Breaches, as a Practicing Ruby Developer - RMR 2015
rietta
0
1.2k
RMR Preview for Defending Against Data Breaches, as a Practicing Ruby Developer
rietta
0
120
Understanding & Defending Against Data Breaches, as a Practicing Software Developer
rietta
1
1.2k
Commercial Information Security Classification System
rietta
1
260

Other Decks in Research

See All in Research
Combating Misinformation in the age of LLMs
teacherpeterpan
0
130
論文紹介 DISN: Deep Implicit Surface Network for High quality Single-view 3D Reconstruction / DISN: Deep Implicit Surface Network for High quality Single-view 3D Reconstruction
nttcom
0
110
時系列解析と疫学
kingqwert
2
920
Generative Spoken Dialogue Language Modeling [対話論文読み会@電通大]
yuta0306
1
130
Target trial emulationの概要
shuntaros
2
1.1k
20240209 データを肴に熊本の交通を考える会「車1割削減、渋滞半減、公共交通2倍」をめざし世界に学ぼう
trafficbrain
0
820
Alexander Mielke Hellinger--Kantorovich (a.k.a. Wasserstein-Fisher-Rao) Spaces and Gradient Flows
jjzhu
3
180
待機電力を削減したネットワーク更新型電子ペーパーサイネージの開発と評価 / IOT64
yumulab
0
110
200名の育児中男性の声 「僕たちは、キャリアとライフをトレードオフにしたくない」共働き3.0世代の男性が 本当に求める働き方とは【ワーキングペアレンツの転職意識調査2023|XTalent株式会社】
xtalent
0
480
First Authorに俺はなるっ!! IROS’23 CCC2023 FY
shota_nishiyama
0
180
リサーチに組織を巻き込むための「準備8割」の話
terasho
0
470
NeurIPS-23 参加報告 + DPO 解説
akifumi_wachi
4
1.5k

Featured

See All Featured
The Art of Programming - Codeland 2020
erikaheidi
42
12k
10 Git Anti Patterns You Should be Aware of
lemiorhan
648
58k
StorybookのUI Testing Handbookを読んだ
zakiyama
13
4.6k
Fontdeck: Realign not Redesign
paulrobertlloyd
76
4.9k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
187
16k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
34
8.9k
Optimizing for Happiness
mojombo
370
69k
Become a Pro
speakerdeck
PRO
11
4.5k
Done Done
chrislema
178
15k
Ruby is Unlike a Banana
tanoku
96
10k
Build your cross-platform service in a week with App Engine
jlugia
225
17k
Art, The Web, and Tiny UX
lynnandtonic
289
19k

Transcript

  1. Application Layer Intrusion Detection for SQL Injection by Frank S.

    Rietta For ACMSE’06, 11 March 2006

  2. 2 Presentation Overview •  Three big dangers of SQL Injection

    Attacks •  Web Apps, and ineffective DBMS access control, open the door to increased exposure •  Database-host-based IDS methods •  ARM yourself against Injection Attacks

  3. 3 Introduction to the SQL Injection Threat •  Three big

    dangers of SQL Injection Attacks •  Web Apps, and ineffective DBMS access control, open the door to increased exposure •  Database-host-based IDS methods •  ARM yourself against Injection Attacks

  4. 4 The Big Three Dangers of SQLIA’s SQL Injection Attacks

    (SQLIA’s) can lead to: •  Information disclosure •  Unauthorized tampering with data •  Arbitrary code execution

  5. 5 Introduction to Vulnerable Web Applications •  Three big dangers

    of SQL Injection Attacks •  Web Apps, and ineffective DBMS access control, open the door to increased exposure •  Database-host-based IDS methods •  ARM yourself against Injection Attacks While SQLIA’s are not unique to web applications, they are often wide open for access and allow increased exposure to surveillance by attackers.

  6. 6 Web Applications: The Good, Bad, & Ugly •  Web

    applications are everywhere to be found and generally open to the Internet •  Pass data through firewalls and network security •  Provide access to databases! DBMS WWW Users

  7. 7 Ineffective DBMS Access Control •  “God” users often have

    unnecessary permissions to one or more databases. •  Role-based access control would be appropriate for many applications, but is often not used. •  Developers leave security entirely up to the application, rendering the DBMS powerless to mitigate SQL injection risks.

  8. 8 SQL Templates and String Manipulation •  Often SQL statements

    are formed by filling user and application supplied data into a preexisting query template. •  A SQLIA is the result of clever user-supplied input changing the meaning of the query through. •  Parameterization attacks are the most common venue for exploitation.

  9. 9 1st Order Parameter Replacement SELECT * FROM Directory WHERE

    LastName LIKE ‘${NAME}’ ; SELECT * FROM Directory WHERE LastName LIKE ‘frank’ OR 1=1 UNION SELECT user, password FROM mysql.user WHERE ‘q’=‘q’ OR ‘’ Fetches a full listing of MySQL user table, including passwords!

  10. 10 2nd Order Parameter Replacement SELECT * FROM Listing WHERE

    LastName=‘${NAME}’ OR LastName =‘${NAME}’ SELECT * FROM Listing WHERE LastName = ‘Bob’ OR 1=1 OR LastName = ‘Bob’ OR 1=1 Tautologies are typical in SQL injection attacks. Usually always evaluating to true.

  11. 11 Unquoted Numerical Parameter UPDATE Financial_Records SET Salary = ${NEW_SALARY}

    WHERE Name = '${NAME}' Without quotes in the template, any string literal other than a number will be part of the SQL statement and will not be treated as a literal by the DBMS, resulting in a direct injection.

  12. 12 Review of Parameterization Attacks •  A template has one

    or more parameters placed to make the SQL query for submission to the DBMS •  Dangling parameters are often exploited •  Unquoted numerical parameters are the the easiest to exploit •  Trampoline attacks use values retrieved from the database to attack parameters in new queries

  13. 13 IDS Sensors for Network Security •  Three big dangers

    of SQL Injection Attacks •  Web Apps, and ineffective DBMS access control, open the door to increased exposure •  Database-host-based IDS methods •  ARM yourself against Injection Attacks Many IDS’s are network-centric, but app. layer sensors can take advantage of context & domain knowledge.

  14. 14 General Intrusion Detection Methods •  Signatures •  Honey Tokens

    •  Anomaly Detection

  15. 15 Proposed Anomaly Detection Model •  Consider SQL traffic for

    a particular application and user in its full context •  Utilize domain knowledge of SQL •  Look for things such as: •  Unexpected constructs •  Query length and encoding •  Keyword usage •  Compare weighted average to a threshold •  Similar to the approach used by SpamAssassin

  16. 16 Improving Coding Practices for Security •  Three big dangers

    of SQL Injection Attacks •  Web Apps open the door to increased exposure •  Database-host-based IDS methods •  ARM yourself against Injection Attacks Security is not the sum of security features. An IDS, network or app. layer, is not a silver bullet.

  17. 17 Improving Coding Practices for SQL •  Certain dangerous language

    features, such as unquoted numbers should be avoided. •  Coding policies, that is “best practices,” should be developed in such a way as to be automatically enforced. •  Validate all input strings from both users and database query results!

  18. 18 Please Remember to Validate All Input •  Accept it

    •  Reject it •  Manipulate it Image source www.historiccamdencounty.com When writing applications, be sure to validate ALL input strings. There are three, and only three, options when given a piece of data:

  19. 19 Related Work Not Mentioned in the Paper •  F.

    Valeur, D. Mutz, and G. Viega published a paper, in the conference of Detection of Intrusions and Malware Vulnerability Assessment (DIMVA), July 2005, proposing a machine-learning-based IDS for SQLIA’s. •  William Halfond, Jeremy Viegas, and Alessandro Orso have a forthcoming paper on Classification and Countermeasures for SQLIA’s.

  20. 20 Contributors •  Dr. Shamkant Navathe, professor of Computer Science,

    sponsored this project as a capstone undergraduate research class. He provided valuable feedback throughout the writing process. •  Harrison Caudill provided feedback and helped convert the original OO document to LaTeX. •  Jonathan Cullifer and Eric McCorkle both helped proofread the paper and provided feedback. •  My mother patiently reviewed my writing despite not understanding the technical details.

  21. 21 Questions?

  22. 22 The Really Big Picture Data & Code Integrity Strong

    Auth. Access Ctrl. Efficiency Availability Security Reliability

  23. 23 An Example Parse Tree OR LastName = 'Bob' 1

    = 1 WHERE FirstName = 'Bob' 1 = 1 OR OR