7July_01_2008_sqlrand_notes
technique here is applying instruction-set randomization to SQL: create
instances of the language that the attacker cannot predict, so SQL injection
attempts are caught and terminated.
buffer overflow attacks have been researched a lot... not so much SQL injection attacks
intuition behind the attacks: pre-defined logical expressions w/in a pre-defined
query are changed by injecting operations that always evaluate to true/false.
entry point is a webform or cgi script with no validation of input.
Not just character fields, but also WHERE and HAVING clauses on numeric fields
when no numeric restriction is enforced on the input
std SQL error messages can assist an attacker who does not know the
underlying SQL
helpful but not enough:
-improve programming techniques
-escaping single quotes
-limiting input character length
-filtering exception msgs
-PREPARE statement feature supported by many databases: designed for
optimization, it can address SQL injection attacks if the same query is issued
many times (michelle note: however the intrusion has occurred, then was
detected... better to prevent)
-for dynamic queries this doesn't work.
still need other methods:
pg. 2.
"Our solution extends the application of Instruction-Set Randomization [22] to
the SQL language: the SQL standard keywords are manipulated by appending a
random integer to them, one that an attacker cannot easily guess. Therefore,
any malicious user attempting an SQL injection attack would be thwarted, for
the user input inserted into the 'randomized' query would always be classified
as a set of non-keywords, resulting in an invalid expression."
but the db language can't be changed, so this is handled by a proxy outside
the DBMS, i.e. middleware sitting between the cgi script and the DBMS that
handles the randomized sql.
select gender, avg(age)
from cs101.students
where dept = %d
group by gender
The utility will identify the six keywords in the example query and append the
key to each one (e.g., when the key is "123"):
select123 gender, avg123 (age)
from123 cs101.students
where123 dept = %d
group123 by123 gender
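As an added illustration (not code from the paper or from these notes): a Python sketch of both halves of the SQLrand idea, the build-time utility that appends the key to keywords in the developer's query template, and the proxy that strips the key and rejects any keyword that arrives without it. The keyword subset, the tokenizer, and the `%d` splice used to model an unvalidated cgi parameter are assumptions of this example.

```python
import re

# Subset of SQL keywords for the demo; SQLrand's utility uses the DBMS's full keyword list.
KEYWORDS = {"select", "from", "where", "group", "by", "having", "order", "and", "or",
            "not", "union", "insert", "update", "delete", "drop", "avg", "count"}

# Tokens: single-quoted string literals ('' escapes a quote) or identifiers/keywords.
# Numbers, punctuation and whitespace are not matched and pass through untouched.
_TOKEN = re.compile(r"'(?:[^']|'')*'|[A-Za-z_][A-Za-z0-9_]*")


def randomize(template: str, key: str) -> str:
    """Build-time step: append the key to every SQL keyword in the developer's query
    template. Words inside string literals are left alone (they are not keywords)."""
    def fix(m):
        tok = m.group(0)
        return tok + key if tok.lower() in KEYWORDS else tok
    return _TOKEN.sub(fix, template)


class InjectionDetected(Exception):
    """Raised by the proxy when a query carries a keyword without the key."""


def derandomize(query: str, key: str) -> str:
    """Proxy step: strip the key from randomized keywords and return standard SQL.
    A keyword lacking the key did not come from the template, so it must have
    arrived via user input; the proxy drops the query instead of forwarding it."""
    def fix(m):
        tok = m.group(0)
        if tok.startswith("'"):
            return tok                      # string literal, never a keyword
        if tok.endswith(key) and tok[:-len(key)].lower() in KEYWORDS:
            return tok[:-len(key)]          # legitimate randomized keyword
        if tok.lower() in KEYWORDS:
            raise InjectionDetected(f"unrandomized keyword {tok!r}")
        return tok                          # ordinary identifier (e.g. a column name)
    return _TOKEN.sub(fix, query)


def run_query(randomized_template: str, key: str, user_input: str):
    """Model the cgi script splicing a raw, unvalidated parameter into its
    pre-randomized query and handing the result to the proxy.
    Returns (accepted, sql_or_reason)."""
    query = randomized_template.replace("%d", user_input)   # assumed unsafe splice
    try:
        return True, derandomize(query, key)
    except InjectionDetected as exc:
        return False, str(exc)
```

A guessed wrong key (e.g. `or456`) is not flagged by the proxy but reaches the DBMS as a non-keyword, which is the "invalid expression" outcome the quote above describes.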
references to check:
5. C. Anley. Advanced SQL Injection In SQL Server Applications. http://www.nextgenss.com/papers/advanced_sql_injection.pdf, 2002.
6. V. Anupam and A. Mayer. Security of Web Browser Scripting Languages: Vulnerabilities, Attacks, and Remedies. In Proceedings of the 7th USENIX Security Symposium, pages 187–200, January 1998.
7. R. Balzer and N. Goldman. Mediating connectors: A non-bypassable process wrapping technology. In Proceedings of the 19th IEEE International Conference on Distributed Computing Systems, June 1999.
8. E. G. Barrantes, D. H. Ackley, S. Forrest, T. S. Palmer, D. Stefanovic, and D. D. Zovi. Randomized Instruction Set Emulation to Disrupt Binary Code Injection Attacks. In Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS), pages 281–289, October 2003.
17. J. Foster, M. Fahndrich, and A. Aiken. A theory of type qualifiers. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), May 1999.
18. T. Fraser, L. Badger, and M. Feldman. Hardening COTS Software with Generic Software Wrappers. In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 1999.
19. T. Garfinkel. Traps and Pitfalls: Practical Problems in System Call Interposition Based Security Tools. In Proceedings of the Symposium on Network and Distributed Systems Security (SNDSS), pages 163–176, February 2003.
22. G. S. Kc, A. D. Keromytis, and V. Prevelakis. Countering Code-Injection Attacks With Instruction-Set Randomization. In Proceedings of the ACM Computer and Communications Security (CCS) Conference, pages 272–280, October 2003.