Preventing SQL Code Injection by Combining Static and Runtime Analysis

Orso, Alessandro; Lee, Wenke; Shostack, Adam

Preventing SQL Code Injection by Combining Static and Runtime Analysis

Active / Technical Report | Accession Number: ADA483186 |

Open PDF

Abstract:

Many software systems have evolved to include a Web-based component that makes them available to the public via the Internet and can expose them to a variety of Web-based attacks. One of these attacks is SQL injection, which can give attackers unrestricted access to the databases underlying Web applications and has become increasingly frequent and serious. In this project, we developed techniques and tools to detect, prevent, and report SQL injection attacks. Our techniques leverage static and dynamic analysis, are effective and efficient, and have minimal deployment requirements. Given a previously developed Web application, our tools automatically transform the application into an equivalent application that is protected from SQL injection attacks. In the project, we also developed a testbed that can be used to evaluate SQL injection detection and prevention tools. Our testbed has been used extensively both by us and by other organizations. The tools and techniques developed within the project are being disseminated through different channels and are currently being commercialized by our industrial partner.

Author(s):

Orso, Alessandro ; Lee, Wenke ; Shostack, Adam

Author Organization(s):

GEORGIA INST OF TECH ATLANTA

Descriptive Note:

Final rept. May 2005-Oct 2007

Supplementary Note:

Prepared in cooperation with Reflective, LLC, Atlanta, GA. The original document contains color images. DOI: 10.21236/ADA483186

Pagination:

0068

Security Markings

DOCUMENT & CONTEXTUAL SUMMARY

Distribution:

Approved For Public Release

Distribution Statement:

Approved For Public Release; Distribution Is Unlimited.

RECORD

Collection: TR

Identifying Numbers

Report Number(s):

AFRL-RI-RS-TR-2008-144

Contract/Grant Number(s):

FA8750-05-2-0214

Task Number(s):

GI

Project Number(s):

DHSD

Monitor Series:

TR-2008-144, AFRL-RI-RS

Subject Terms

Joint Capability Areas:

JCA_5_Command and Control; JCA_7.1.2_Prevent Non-kinetic Attack; JCA_7.1_Prevent; JCA_7_Protection; JCA_6_Net Centric; JCA_6.4.1_Secure Information Exchange; JCA_6.4_Information Assurance; JCA_5.3_Planning; JCA_5.2_Understand; JCA_5.2.3_Share Knowledge and Situational Awareness; JCA_3.2_Engagement; JCA_3_Force Application; JCA_3.2.2_Non-Kinetic Means; JCA_4.6_Engineering; JCA_8_Building Partnerships; JCA_4.6.1_General Engineering; JCA_8.2_Shape; JCA_8.2.4_Leverage Capacities and Capabilities of Security Establishments; JCA_1_Force Support; JCA_4.1_Deployment and Distribution; JCA_1.2_Force Preparation

Modernization Areas:

Cyber

Communities of Interest:

Cyber

Descriptor(s):

*COMPUTER PROGRAMS, *DATA PROCESSING SECURITY, *PROGRAMMING LANGUAGES, *INTERNET, DETECTION, ATTACK, COMPUTER PROGRAMMING, PREVENTION, TEST BEDS, INJECTION, DATA BASES

Field(s)/Group(s):

Computer Programming and Software, Computer Systems Management and Standards

Keyword(s):

*SQL PROGRAMMING LANGUAGE, *SQL INJECTION, STATIC ANALYSIS, DYNAMIC ANALYSIS, VULNERABILITY DISCOVERY AND REMEDIATION, *WEB APPLICATIONS, WUAFRLDHSDGIOT

Report Date:

2008 May 01

Creation Date:

2008 Jul 23