CANDID: preventing sql injection attacks using dynamic candidate evaluations

Authors:
Sruthi Bandhakavi;Prithvi Bisht;P. Madhusudan;V. N. Venkatakrishnan
Affiliations:
University of Illinois at Urbana Champaign, Urbana, IL;University of Illinois at Chicago, Chicago, IL;University of Illinois at Urbana Champaign, Urbana, IL;University of Illinois at Chicago, Chicago, IL
Venue:
Proceedings of the 14th ACM conference on Computer and communications security
Year:
2007

Citing 15
Cited 24

Mining specifications

POPL '02 Proceedings of the 29th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Synthesis of interface specifications for Java classes

Proceedings of the 32nd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
SQL DOM: compile time checking of dynamic SQL statements

Proceedings of the 27th international conference on Software engineering
Safe query objects: statically typed objects as remotely executable queries

Proceedings of the 27th international conference on Software engineering
AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks

Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering
Using parse tree validation to prevent SQL injection attacks

SEM '05 Proceedings of the 5th international workshop on Software engineering and middleware
The essence of command injection attacks in web applications

Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Using positive tainting and syntax-aware evaluation to counter SQL injection attacks

Proceedings of the 14th ACM SIGSOFT international symposium on Foundations of software engineering
Finding security vulnerabilities in java applications with static analysis

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Taint-enhanced policy enforcement: a practical approach to defeat a wide range of attacks

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Static detection of security vulnerabilities in scripting languages

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Dynamic test input generation for database applications

Proceedings of the 2007 international symposium on Software testing and analysis
Mining temporal specifications for error detection

TACAS'05 Proceedings of the 11th international conference on Tools and Algorithms for the Construction and Analysis of Systems
A learning-based approach to the detection of SQL attacks

DIMVA'05 Proceedings of the Second international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Defending against injection attacks through context-sensitive string evaluation

RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection

XSS-GUARD: Precise Dynamic Prevention of Cross-Site Scripting Attacks

DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
SQLProb: a proxy-based architecture towards preventing SQL injection attacks

Proceedings of the 2009 ACM symposium on Applied Computing
Systematically Eradicating Data Injection Attacks Using Security-Oriented Program Transformations

ESSoS '09 Proceedings of the 1st International Symposium on Engineering Secure Software and Systems
Automatic creation of SQL Injection and cross-site scripting attacks

ICSE '09 Proceedings of the 31st International Conference on Software Engineering
Teaching with security in mind

Proceedings of the 47th Annual Southeast Regional Conference
A Case Study on Asprox Infection Dynamics

DIMVA '09 Proceedings of the 6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment
On the Effectiveness of Software Diversity: A Systematic Study on Real-World Vulnerabilities

DIMVA '09 Proceedings of the 6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment
CANDID: Dynamic candidate evaluations for automatic prevention of SQL injection attacks

ACM Transactions on Information and System Security (TISSEC)
Preventing drive-by download via inter-module communication monitoring

ASIACCS '10 Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security
NoTamper: automatic blackbox detection of parameter tampering opportunities in web applications

Proceedings of the 17th ACM conference on Computer and communications security
Taxonomy and classification of automatic monitoring of program security vulnerability exploitations

Journal of Systems and Software
Strengthening XSRF defenses for legacy web applications using whitebox analysis and transformation

ICISS'10 Proceedings of the 6th international conference on Information systems security
Is teaching with security in mind working?

2010 Information Security Curriculum Development Conference
Building components with embedded security monitors

Proceedings of the joint ACM SIGSOFT conference -- QoSA and ACM SIGSOFT symposium -- ISARCS on Quality of software architectures -- QoSA and architecting critical systems -- ISARCS
Practical elimination of external interaction vulnerabilities in web applications

Journal of Web Engineering
Preventing web application injections with complementary character coding

ESORICS'11 Proceedings of the 16th European conference on Research in computer security
Defining code-injection attacks

POPL '12 Proceedings of the 39th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
SENTINEL: securing database from logic flaws in web applications

Proceedings of the second ACM conference on Data and Application Security and Privacy
Automatically preparing safe SQL queries

FC'10 Proceedings of the 14th international conference on Financial Cryptography and Data Security
SQL injection attack mechanisms and prevention techniques

ADCONS'11 Proceedings of the 2011 international conference on Advanced Computing, Networking and Security
Diglossia: detecting code injection attacks with precision and efficiency

Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
A survey on server-side approaches to securing web applications

ACM Computing Surveys (CSUR)
Automatic detection and correction of web application vulnerabilities using data mining to predict false positives

Proceedings of the 23rd international conference on World wide web
Automated detection of parameter tampering opportunities and vulnerabilities in web applications

Journal of Computer Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

SQL injection attacks are one of the topmost threats for applications written for the Web. These attacks are launched through specially crafted user input on web applications that use low level string operations to construct SQL queries. In this work, we exhibit a novel and powerful scheme for automatically transforming web applications to render them safe against all SQL injection attacks. A characteristic diagnostic feature of SQL injection attacks is that they change the intended structure of queries issued. Our technique for detecting SQL injection is to dynamically mine the programmer-intended query structure on any input, and detect attacks by comparing it against the structure of the actual query issued. We propose a simple and novel mechanism, called CANDID, for mining programmer intended queries by dynamically evaluating runs over benign candidate inputs. This mechanism is theoretically well founded and is based on inferring intended queries by considering the symbolic query computed on a program run. Our approach has been implemented in a tool called CANDID, that retrofits Web applications written in Java to defend them against SQL injection attacks. We report extensive experimental results that show that our approach performs remarkably well in practice.