CANDID: Preventing SQL Injection Attacks Using Dynamic Candidate Evaluations
V. N. Venkatakrishnan
Assistant Professor, Computer Science, University of Illinois at Chicago
[Diagram: the user's web browser sends input to the web application server; the application issues a query to the database, receives the result set, and returns a web page]
SQL Injection : Typical Query
[Diagram: the same browser / web application / database flow, with the result set rendered as a web page]
SQL Injection Attacks are a Serious Threat
[Chart: web vulnerability categories, with SQL injection and XSS (cross-site scripting) labelled]
[Diagram: a web application is fed to the CANDID program transformer, which outputs a CANDID-safe web application]
[ACM CCS’07]
SQL Injection
[Figure: parse trees of the query Select * from Table where ..., drawn with the nonterminals <sql_query>, <where_clause>, <cond_term>, <cond>, <id> and <lit>; the benign query's tree has <cond> nodes pairing an <id> with a <lit>, while the injected query's tree gains extra <cond> nodes, a <literal> and a <comment> node, so its structure differs]
• mysql> PREPARE stmt_name FROM "SELECT * FROM phonebook WHERE username = ? AND password = ?"
  (? is a placeholder for input)
• Separates query structure from data
[Figure: parse tree of WHERE username = ‘?’ AND password = ‘?’, with <where_clause>, <cond_term>, <cond>, <id> and <lit> nodes; the placeholders occupy the <lit> positions]
case it is undecidable
Our Solution : Use Manifestly benign inputs
[Flowchart residue: a display? branch with true/false edges]
Actual Query: DELETE * from phonebook WHERE username = ‘john’ AND password = ’ os’
Candidate Query: DELETE * from phonebook WHERE username = ‘aaaa’ AND password = ’aa’
CANDID Program Transformation Example
i/p str uname; i/p str pwd; i/p bool delete;
str uname_c; str pwd_c;
[Flowchart residue: a display? branch with true/false edges]
Instrumented Input Splitting Function (real input on the left, candidate input on the right; space_index = 4 on both sides):
  fn = input[0..3] = “Alan”      fn_c = input_c[0..3] = “aaaa”
  ln = input[5..9] = “Turing”    ln_c = input_c[5..9] = “aaaaaa”
Query
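The candidate-evaluation idea on the two slides above (build a candidate query from an input of the same length made of 'a' characters, reuse the indices the real run computed, then compare the structures of the actual and candidate queries) as an added Python example. This is my own illustration, not code from the CANDID paper or its program transformer; it assumes a small tokenizer standing in for CANDID's real SQL parser, compares token-kind sequences with literal payloads erased rather than full parse trees, and the function names tokenize, structure, candidate_of, split_name, build_queries and is_injection are mine.

```python
"""Minimal model of CANDID-style candidate evaluation (added example, not the
project's code).

Assumptions made here, not stated on the slides:
  - a tiny regex tokenizer stands in for a real SQL parser; "structure" is the
    sequence of token kinds with string, number and comment payloads erased;
  - the candidate input is a string of 'a' of the same length as the real
    input, and index values computed from the real input (space_index on the
    slide) are reused when mirroring the string operations on the candidate.
"""
import re

TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|\#[^\n]*)
  | (?P<str>'(?:[^']|'')*')
  | (?P<num>\d+)
  | (?P<ident>[A-Za-z_][A-Za-z_0-9]*)
  | (?P<op><>|<=|>=|[=<>*(),;])
  | (?P<other>.)
""", re.VERBOSE)

KEYWORDS = {"select", "from", "where", "and", "or", "delete", "insert", "update", "like"}
ERASED = {"str", "num", "comment"}  # token kinds whose text is data, not structure


def tokenize(sql):
    """Return (kind, text) pairs for the query text; an unterminated quote
    shows up as an 'other' token, which also changes the structure."""
    out = []
    for m in TOKEN_RE.finditer(sql):
        kind = m.lastgroup
        if kind == "ws":
            continue
        text = m.group()
        if kind == "ident" and text.lower() in KEYWORDS:
            kind, text = "kw", text.lower()
        out.append((kind, text))
    return out


def structure(sql):
    """Query structure: token kinds with literal/comment payloads erased."""
    return [(k, "" if k in ERASED else t) for k, t in tokenize(sql)]


def candidate_of(real):
    """Manifestly benign candidate input: same length, all 'a'."""
    return "a" * len(real)


def split_name(full, full_c):
    """Mirror of the slide's input-splitting function. The split index comes
    from the real input only and is reused on the candidate string."""
    space_index = full.index(" ")
    fn, ln = full[:space_index], full[space_index + 1:]
    fn_c, ln_c = full_c[:space_index], full_c[space_index + 1:]
    return (fn, ln), (fn_c, ln_c)


def build_queries(uname, pwd):
    """Build the actual query and the candidate query with the same code path."""
    uname_c, pwd_c = candidate_of(uname), candidate_of(pwd)
    actual = f"SELECT * FROM phonebook WHERE username = '{uname}' AND password = '{pwd}'"
    cand = f"SELECT * FROM phonebook WHERE username = '{uname_c}' AND password = '{pwd_c}'"
    return actual, cand


def is_injection(uname, pwd):
    """Flag the request when the actual query's structure differs from the
    candidate's; the query should then be blocked before it reaches the DB."""
    actual, cand = build_queries(uname, pwd)
    return structure(actual) != structure(cand)


if __name__ == "__main__":
    # Constructed sample inputs: one benign login, one carrying a quote and a comment.
    for uname, pwd in [("john", "secret"), ("john", "' OR 1=1 --")]:
        actual, cand = build_queries(uname, pwd)
        print("actual:   ", actual)
        print("candidate:", cand)
        print("injection:", is_injection(uname, pwd))
    print(split_name("Alan Turing", candidate_of("Alan Turing")))
```

With the benign password the two token sequences match, so the request passes; with a password that closes the quote and starts a comment the actual query gains keyword, number, operator and comment tokens the candidate lacks, and the mismatch is reported before any query is sent. A production implementation would compare parse trees produced by the database's own grammar rather than token-kind sequences, which is what CANDID's transformer arranges for the instrumented application.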
Offline View
[Diagram: the web application's original Java bytecode is passed through the program transformer, producing instrumented Java bytecode]
Online View
[Diagram: browser, Tomcat web server running the instrumented web application (Java bytecode), and MySql DB server]
Thank You
Questions?
Acknowledgments: xkcd.com