Using Positive Tainting and Syntax-Aware Evaluation to Counter SQL Injection Attacks
Alex Orso with William Halfond and Pete Manolios
Georgia Institute of Technology, {orso|whalfond|manolios}@cc.gatech.edu
Supported by NSF awards CCR-0205422 and CCR-0306372 to GA Tech and by DHS and US Air Force under Contract No. FA8750-05-C-0179.
Alessandro Orso – CERCS Industry Workshop – 2006
SQL Injection
String queryString = "SELECT info FROM userTable WHERE ";
if ((! login.equals("")) && (! password.equals(""))) {
    queryString += "login='" + login + "' AND pass='" + password + "'";
} else {
    queryString += "login='guest'";
}
ResultSet tempSet = stmt.executeQuery(queryString);
Normal Usage
User submits login "doe" and password "xyz":
SELECT info FROM users WHERE login='doe' AND pass='xyz'
Attack Scenario
Malicious Usage
Attacker submits login "admin' -- " and password "":
SELECT info FROM users WHERE login='admin' -- ' AND pass=''
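The two runs above (the slides' own normal and malicious inputs), as an added Python example that is not part of the slides: the slides' Java concatenation translated line by line and run against a constructed in-memory SQLite table, beside a parameterized query over the same inputs. The table contents and the `make_db`, `lookup_concat` and `lookup_param` names are constructed for this example.

```python
import sqlite3

# Added example, not from the slides: the slides' query construction translated
# line by line, run against a constructed in-memory SQLite table, beside a
# parameterized query over the same inputs.


def make_db():
    """Constructed sample data: three accounts, including an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userTable (login TEXT, pass TEXT, info TEXT)")
    conn.executemany("INSERT INTO userTable VALUES (?, ?, ?)", [
        ("admin", "s3cret-admin-pw", "admin info"),
        ("doe", "xyz", "doe info"),
        ("guest", "", "guest info"),
    ])
    return conn


def build_query_concat(login, password):
    """Same logic as the slides' Java: user input is spliced into the SQL text."""
    query = "SELECT info FROM userTable WHERE "
    if login != "" and password != "":
        query += "login='" + login + "' AND pass='" + password + "'"
    else:
        query += "login='guest'"
    return query


def lookup_concat(conn, login, password):
    """Vulnerable lookup: whatever the inputs turn the query text into is executed."""
    return [row[0] for row in conn.execute(build_query_concat(login, password))]


def lookup_param(conn, login, password):
    """Hardened lookup: the SQL text is a developer constant and the inputs are
    bound parameters, so a quote or '--' inside them is only ever compared as data."""
    if login != "" and password != "":
        rows = conn.execute("SELECT info FROM userTable WHERE login=? AND pass=?",
                            (login, password))
    else:
        rows = conn.execute("SELECT info FROM userTable WHERE login='guest'")
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    for login, password in [("doe", "xyz"), ("admin' -- ", "x")]:
        print(repr(build_query_concat(login, password)))
        print("  concat:", lookup_concat(db, login, password))
        print("  param: ", lookup_param(db, login, password))
```

With the slides' exact inputs the code takes the `login='guest'` branch, because the password is empty and the `if` requires both fields to be non-empty; the run therefore uses a non-empty password so that the concatenating branch is exercised. The concatenated query is cut short by the `--` comment and returns the admin row, while the parameterized query finds no account whose login is literally `admin' -- `.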
Overall Goal of The Project
• Protecting existing (insecure) Web applications by automatically detecting and preventing SQLIAs
• Highly automated — Little/no human effort
• Conservative — No false negatives
• Precise — Few/no false positives
WASP (Web Application SQL-injection Preventer)
Basic idea => Allow only developer-trusted strings to form sensitive parts of a query
Solution:
1. Positive tainting
2. Syntax-Aware Evaluation
Positive VS Negative Tainting
public void login(HttpServletRequest request, HttpServletResponse response) {
    // Untrusted: values read from the request carry no trust mark
    String login = request.getParameter("login");
    String password = request.getParameter("password");
    Statement stmt = connection.createStatement();
    // Trusted: hard-coded string constants are the only data positive tainting marks
    String queryString = "SELECT info FROM userTable WHERE ";
    if ((! login.equals("")) && (! password.equals(""))) {
Identify and mark trusted data instead of untrusted data
=> Increased automation: Trusted data readily identifiable in Web applications
=> Increased safety: Incompleteness leads to easy-to-eliminate false positives (normal in-house testing causes the set of trusted data to converge to the complete set)
In general, it implements the security principle of "fail-safe defaults"
Syntax-aware Evaluation
• Cannot simply forbid the use of untrusted data in queries
• Dependence on filtering rules requires unsafe assumptions
=> Syntax-aware evaluation
• Performed right before the query is sent to the database
• Consider the context in which trusted and untrusted data is used: permit untrusted data to be only in string and numeric literals
Example
String queryString = "SELECT info FROM userTable WHERE ";
if ((! login.equals("")) && (! password.equals(""))) {
    queryString += "login='" + login + "' AND pass='" + password + "'";
} else {
    queryString += "login='guest'";
}
ResultSet tempSet = stmt.executeQuery(queryString);

MetaString: queryString
[S][E][L][E][C][T] … [W][H][E][R][E][ ]   (each character carries its own trust mark)
login -> "doe", password -> "xyz"
SELECT info FROM userTable WHERE login='doe' AND pass='xyz'
Every character except doe and xyz comes from a trusted hard-coded string; the untrusted characters occur only inside string literals, so the query passes syntax-aware evaluation.
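The MetaString walk-through above, together with the positive-tainting and syntax-aware-evaluation slides, as one added Python example. This is not WASP's code (WASP instruments Java bytecode; this is a stand-alone toy): a `MetaString` that keeps one trust mark per character, concatenation that propagates the marks, a small SQL tokenizer, and the check that untrusted characters occur only in string or numeric literals. The tokenizer's grammar and the rule that the quote delimiters of a string literal must themselves be trusted are this example's assumptions, as are the names `MetaString`, `evaluate` and `check_login`.

```python
import re
from dataclasses import dataclass, field

# Added example modelled on the slides, not WASP's own code. The token rules
# (which tokens may contain untrusted characters) are this example's assumptions.


@dataclass
class MetaString:
    """A string plus one trust mark per character (the MetaString of the slides)."""
    text: str = ""
    marks: list = field(default_factory=list)   # True = trusted character

    @classmethod
    def trusted(cls, s):
        # Positive tainting: only developer-written string constants get marked.
        return cls(s, [True] * len(s))

    @classmethod
    def untrusted(cls, s):
        # Everything else (here: request parameters) carries no mark.
        return cls(s, [False] * len(s))

    def __add__(self, other):
        # Concatenation propagates the marks character by character.
        return MetaString(self.text + other.text, self.marks + other.marks)


# Tokenizer for the SQL subset the slides use. Order matters: comments and string
# literals are tried before the catch-all single-character symbol branch.
TOKEN_RE = re.compile(r"""
    (?P<comment>--[^\n]*)       |
    (?P<string>'(?:[^']|'')*')  |
    (?P<number>\d+(?:\.\d+)?)   |
    (?P<word>[A-Za-z_]\w*)      |
    (?P<space>\s+)              |
    (?P<symbol>.)
""", re.VERBOSE | re.DOTALL)


def tokenize(text):
    """Return (kind, start, end) for every token; the final '.' branch guarantees
    that every character of the text belongs to some token."""
    return [(m.lastgroup, m.start(), m.end()) for m in TOKEN_RE.finditer(text)]


def evaluate(query):
    """Syntax-aware evaluation, run right before the query would be sent.

    Returns (ok, reason). Untrusted characters may appear only in the body of a
    string literal or in a numeric literal; a string literal's two quote
    delimiters and every other token must consist of trusted characters only."""
    for kind, start, end in tokenize(query.text):
        if kind == "number":
            continue
        positions = [start, end - 1] if kind == "string" else range(start, end)
        for i in positions:
            if not query.marks[i]:
                return False, "untrusted %r in %s token %r" % (
                    query.text[i], kind, query.text[start:end])
    return True, "ok"


def build_login_query(login, password):
    """The slides' query construction with the constants positively tainted."""
    q = MetaString.trusted("SELECT info FROM userTable WHERE ")
    if login != "" and password != "":
        q = (q + MetaString.trusted("login='") + MetaString.untrusted(login)
             + MetaString.trusted("' AND pass='") + MetaString.untrusted(password)
             + MetaString.trusted("'"))
    else:
        q = q + MetaString.trusted("login='guest'")
    return q


def check_login(login, password):
    """Build the query and evaluate it; returns (ok, query_text, reason)."""
    q = build_login_query(login, password)
    ok, reason = evaluate(q)
    return ok, q.text, reason


if __name__ == "__main__":
    for login, password in [("doe", "xyz"), ("admin' -- ", "x"), ("", "")]:
        ok, text, reason = check_login(login, password)
        print("ALLOW" if ok else "BLOCK", repr(text), reason)
```

For `doe`/`xyz` every untrusted character sits inside a string literal whose quotes came from a constant, so the query is allowed. For the slides' `admin' -- ` input the closing quote of the literal `'admin'` is an untrusted character, so the query is blocked before it reaches the database; the `--` that follows would also fail, since a comment token must be trusted in full. Because the check is keyed on trust marks rather than on a blacklist of characters, an untrusted value such as `1 OR 1=1` placed where a numeric literal is expected is rejected as well: the space and the keyword it introduces are untrusted tokens.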