Scribd Logo
Upload

Welcome to Scribd!

  • 7 views

    CANDID: Preventing SQL Injection Attacks Using Dynamic Candidate Evaluations

    Uploaded by

    Teshome Mulugeta
    This document discusses SQL injection attacks and presents an approach called CANDID (Dynamic Candidate Evaluations) to prevent them. CANDID works by simultaneously executing the web application with the actual user input and a set of benign "candidate" inputs. It generates both an actual query and candidate query, and only issues the actual query if its parse structure matches that of the candidate query. This allows it to dynamically infer the intended query structure and prevent attacks from altering it.

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content

    You might also like

    CANDID: Preventing SQL Injection Attacks Using Dynamic Candidate Evaluations

    Uploaded by

    Teshome Mulugeta
    7 views19 pages
    This document discusses SQL injection attacks and presents an approach called CANDID (Dynamic Candidate Evaluations) to prevent them. CANDID works by simultaneously executing the web application with the actual user input and a set of benign "candidate" inputs. It generates both an actual query and candidate query, and only issues the actual query if its parse structure matches that of the candidate query. This allows it to dynamically infer the intended query structure and prevent attacks from altering it.

    Original Description:

    Original Title

    SQL Injection

    Copyright

    © © All Rights Reserved

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document discusses SQL injection attacks and presents an approach called CANDID (Dynamic Candidate Evaluations) to prevent them. CANDID works by simultaneously executing the web application with the actual user input and a set of benign "candidate" inputs. It generates both an actual query and candidate query, and only issues the actual query if its parse structure matches that of the candidate query. This allows it to dynamically infer the intended query structure and prevent attacks from altering it.

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as ppt, pdf, or txt
    7 views19 pages

    CANDID: Preventing SQL Injection Attacks Using Dynamic Candidate Evaluations

    Uploaded by

    Teshome Mulugeta
    This document discusses SQL injection attacks and presents an approach called CANDID (Dynamic Candidate Evaluations) to prevent them. CANDID works by simultaneously executing the web application with the actual user input and a set of benign "candidate" inputs. It generates both an actual query and candidate query, and only issues the actual query if its parse structure matches that of the candidate query. This allows it to dynamically infer the intended query structure and prevent attacks from altering it.

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as ppt, pdf, or txt
    of 19

    CANDID : Preventing SQL Injection

    Attacks Using Dynamic Candidate


    Evaluations

    V. N. Venkatakrishnan
    Assistant Professor,
    Computer Science
    University of Illinois at Chicago

    Joint work with:


    Sruthi Bandhakavi (UIUC) Prithvi Bisht (UIC)
    and P. Madhusudan (UIUC)
    SQL Injection : Typical Query

    Phonebook Record Manager SELECT * FROM


    phonebook WHERE
    Username John username =
    ‘John’ AND password =
    Password open_sesame
    ‘open_sesame’
    Display Delete John’s phonebook
    Submit entries are displayed

    Application
    Web User Server
    browser Input Query Database

    Web Result
    Page Set
    SQL Injection : Typical Query

    Phonebook Record Manager SELECT * FROM phonebook


    WHERE username = ‘John’
    Username John’ OR 1=1 -- OR 1=1 --AND password =
    ‘not needed’
    Password not needed
    Display Delete All phonebook entries
    Submit are displayed
    Application
    Web User Server
    browser Input Query Database

    Web Result
    Page Set
    SQL Injection Attacks are a Serious Threat

    L
    S SQ tion

    S
    XS

    XS
    L n jec
    I
    SQ tion
    ec
    Inj

    CVE Vulnerabilities (2004) CVE Vulnerabilities (2006)


    CardSystems security breach(2006):
    263,000 customer credit card numbers
    stolen, 40 Million more exposed
    Talk Overview

    CANDID Safe
    Web
    Program Web
    Application
    Transformer Application

    [ACM CCS’07]
    SQL Injection

    • Most systems separate code from data


    • SQL queries can be constructed by arbitrary
    sequences of programming constructs that
    involve string operations
    • Concatenation, substring ….
    • Such construct also involve (untrusted) user
    inputs
    • Inputs should be mere “data”, but in case of
    SQL results in “code”
    • Result: Queries intended by the programmer
    can be “changed” by untrusted user input
    Parse Structure for a Benign Query

    <sql_query>

    <where_clause>
    <cond_term>
    <cond_term>
    <cond>
    <cond>
    Select * <id> <lit>
    from <id> <lit>
    Table

    WHERE username = ‘John’ AND password = ‘os’


    Parse Structure for a Attack Query
    <sql_query>

    <where_clause>
    <comment>
    <cond_term>
    <cond_term>
    Select * <cond> <cond>
    from
    <id> <lit> <lit> <lit>
    Table

    WHERE username = ‘John’ OR 1=1 -- AND …


    Attacks Change Query Structure
    Boyd et. al [BK 04], ANCS ; Buehrer et. al. [BWS 05], SEM;
    Halfond et. al.[HO 05], ASE; Nguyen-Tuong et. al. [NGGSE 05], SEC; Pietraszek et.
    al[PB 05], RAID; Valeur et. al. [VMV 05], DIMVA;
    Su et. al. [SW 06], POPL ...

    <sql_query> <sql_query>

    <where_clause> <comment>
    <where_clause>
    <cond_term>
    <cond_term>
    <cond_term>
    <cond_term> <cond>
    <cond> <cond>
    <cond> <literal>
    <lit> <id> <lit>
    <id> <lit>
    <id> <lit>

    WHERE username = ‘John’ OR 1=1 --’ AND ...


    WHERE username = ‘John’ AND password = ‘os’

    Benign Query Attack Query


    Prepared Statements

    <sql_query>
    •mysql> PREPARE stmt_name
    FROM " SELECT * FROM <where_clause>
    phonebook WHERE username =
    <cond_term>
    ? AND password = ?”
    placeholder <cond_term>
    <cond>
    for input <lit>
    <cond>
    <id>
    <id> <lit>

    • Separates query
    structure from data WHERE username = ‘?’ AND password = ‘?’

    • Statements are NOT


    parsed for every user
    input
    Legacy Applications

    • For existing applications adding PREPARE statements


    will prevent SQL injection attacks
    • Hard to do automatically with static techniques
    • Need to guess the structure of query at each query
    issue location
    • Query issued at a location depends on path taken in
    program
    • Human assisted efforts can add PREPARE statements
    • Costly effort

    • Problem: Is it possible to dynamically infer the


    benign query structure?
    High level idea : Dynamic Candidate Evaluations
    • Create benign sample inputs (Candidate Inputs) for every
    user input
    • Execute the program simultaneously over actual inputs
    and candidate inputs
    • Generate a candidate query along with the actual query
    • The candidate query is always non-attacking
    • Actual query is possibly malicious
    • Issue the actual query only if parse structures match
    Actual Actual
    Match
    I/P
    Actual Query
    SQL
    I/P Application Parser DB
    Candidate SQL
    Candidate Parser No Match
    I/P
    Candidate
    Query
    I/P
    How can we guess benign candidate inputs for every execuction?
    Finding Benign Candidate Inputs
    • Have to create a set of
    candidate inputs which
    • Are Benign Candidate
    Path
    • Issue a query at the Actual
    Path
    same query issue
    location
    • By following the same
    path in the program

    •Problem: Hard Query


    Issue
    • In the most general Location

    case it is undecidable
    Our Solution : Use Manifestly benign inputs

    Phonebook Record Manager


    • For every string create a
    sample string of ‘a’ s having
    User Name John
    the same length
    Password os • Candidate Input:
    uname = ‘aaaa’
    Display Delete pwd = ‘aa’
    Submit • Shadow every intermediate
    string variable that depends
    on input
    • For integer or boolean
    variable, use the originals
    • Follow the original control
    flow
    Evaluate conditionals only on actual inputs
    Candidate Input : input str uname, User Input : Candidate
    uname = “aaaa” str pwd, bool display uname = “john” Input :
    pwd = “aa” pwd = “os” uname = “aaaa”
    display = true display = false pwd = “aa”

    true false
    display?

    query = ‘SELECT * from phonebook WHERE username = ‘ +


    uname + ’ AND password = ’ + pwd +’

    query = ‘DELETE * from phonebook WHERE


    username = ‘ + uname + ’ AND password = ’ + pwd +’

    Actual Query: DELETE * from phonebook WHERE username = ‘john’ AND password = ’ os’
    Candidate Query: DELETE * from phonebook WHERE username = ‘aaaa’ AND password = ’aa’
    CANDID Program Transformation Example
    i/p str uname; i/p str pwd; i/p bool delete;
    str uname_c; str pwd_c;

    uname = input_1, pwd = input_2, delete = input_3;


    uname_c = createSample(uname) , pwd_c = createSample(pwd);

    false true
    display?

    query = DELETE * from phonebook WHERE username = ‘ +


    uname + ’ AND password = ’ + pwd +’
    query_c = DELETE * from phonebook WHERE username = ‘ +
    uname_c + ’ AND password = ’ + pwd_c +’;

    query = SELECT * from phonebook WHERE username = ‘ + uname + ’ AND


    password = ’ + pwd +’ ;
    query_c = SELECT * from phonebook WHERE username = ‘ + uname_c + ’
    AND password = ’ + pwd_c +’;

    if(match_queries(query,query_c) == true) execute_query(query)


    execute_query(query)
    Resilience of CANDID
    Input Splitting

    “Alan Turing” Input “aaaaaaaaaaa”

    space_index = 4 Input
    Instrumented space_index = 4
    Splitting
    Input Splitting
    fn = input[0..3] fn_c = input_c[0..3]
    Function
    = “Alan” = “aaaa”
    ln = input[5..9] ln_c = input_c[5..9]
    = “Turing” = “aaaaaa”
    Query

    SELECT ... WHERE first_name SELECT ... WHERE first_name


    = “Alan” AND last_name = = “aaaa” AND last_name =
    “Turing” “aaaaaa”
    CANDID Implementation Architecture

    Offline View
    java
    bytecode
    Instrumented
    Original Java Bytecode
    Web
    Program transformer
    Application

    Online View
    Tomcat
    Web Server server

    SQL Parse Tree


    Checker java

    DB
    Instrumented
    MySql
    Browser Web
    Application

    java
    bytecode
    Thank You
    Questions?

    Acknowledgments: xkcd.com

    You might also like