TY - GEN
T1 - CANDID: Preventing SQL injection attacks using dynamic candidate evaluations
T2 - 14th ACM Conference on Computer and Communications Security, CCS'07
AU - Bandhakavi, Sruthi
AU - Bisht, Prithvi
AU - Madhusudan, P.
AU - Venkatakrishnan, V. N.
PY - 2007
Y1 - 2007
N2 - SQL injection attacks are one of the topmost threats for applications written for the Web. These attacks are launched through specially crafted user input on web applications that use low-level string operations to construct SQL queries. In this work, we exhibit a novel and powerful scheme for automatically transforming web applications to render them safe against all SQL injection attacks. A characteristic diagnostic feature of SQL injection attacks is that they change the intended structure of queries issued. Our technique for detecting SQL injection is to dynamically mine the programmer-intended query structure on any input, and detect attacks by comparing it against the structure of the actual query issued. We propose a simple and novel mechanism, called CANDID, for mining programmer-intended queries by dynamically evaluating runs over benign candidate inputs. This mechanism is theoretically well founded and is based on inferring intended queries by considering the symbolic query computed on a program run. Our approach has been implemented in a tool called CANDID that retrofits Web applications written in Java to defend them against SQL injection attacks. We report extensive experimental results that show that our approach performs remarkably well in practice.
KW - Dynamic monitoring
KW - Retrofitting code
KW - SQL injection attacks
KW - Symbolic evaluation
UR - http://www.scopus.com/inward/record.url?scp=49949109144&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=49949109144&partnerID=8YFLogxK
U2 - 10.1145/1315245.1315249
DO - 10.1145/1315245.1315249
M3 - Conference contribution
AN - SCOPUS:49949109144
SN - 9781595937032
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 12
EP - 24
BT - CCS'07 - Proceedings of the 14th ACM Conference on Computer and Communications Security
Y2 - 29 October 2007 through 2 November 2007
ER -
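The abstract describes the mechanism only at a high level: run the query-building code once on the real input and once on a benign candidate input of the same shape, then compare the structure of the two queries. The block below is an added illustration of that idea and is not the CANDID tool's own code (CANDID retrofits Java applications and compares parsed query structure; this toy compares the sequence of SQL token kinds instead). The query builders, the candidate rule (a same-length string of 'a', or of '1' for digit-only input, so that the builder takes the same path), the keyword list and all sample inputs are this example's assumptions, constructed here for illustration.

```python
"""Candidate-evaluation check for SQL injection, in the spirit of CANDID.

Added example, not the CANDID tool's code. Assumed here: string-concatenating
query builders standing in for an application's low-level string operations,
a same-length candidate-input rule, and a toy tokenizer that recovers query
*structure* (token kinds) while ignoring the contents of literals.
"""
import re
from typing import Callable, Dict, List, Tuple

# Toy SQL tokenizer. Order matters: comments before operators so "--" is a
# comment, strings handle the '' escape, everything unknown falls to "other".
_TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:[^']|'')*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op>=|<>|!=|<=|>=|<|>|\(|\)|,|;|\*|\+|-|/)
  | (?P<other>.)
""", re.VERBOSE | re.DOTALL)

# Assumed keyword list; identifiers not in it compare by kind only.
KEYWORDS = {"select", "from", "where", "and", "or", "union", "insert", "update",
            "delete", "drop", "like", "order", "by", "group", "having", "limit",
            "into", "values", "set", "true", "false", "null"}


def tokenize(sql: str) -> List[Tuple[str, str]]:
    """Return (kind, text) pairs; kind carries keyword/operator text, literals do not."""
    tokens = []
    for m in _TOKEN_RE.finditer(sql):
        kind, text = m.lastgroup, m.group()
        if kind == "ws":
            continue
        if kind == "ident" and text.lower() in KEYWORDS:
            kind = "kw:" + text.lower()
        elif kind in ("op", "other"):
            kind = kind + ":" + text
        tokens.append((kind, text))
    return tokens


def structure(sql: str) -> Tuple[str, ...]:
    """Query skeleton: literal and identifier contents dropped, everything else kept."""
    return tuple(kind for kind, _ in tokenize(sql))


def candidate_for(user_input: str) -> str:
    """Benign stand-in of the same length (assumed rule): digits stay digits."""
    return ("1" if user_input.isdigit() else "a") * len(user_input)


class SQLInjectionDetected(Exception):
    def __init__(self, actual: str, candidate: str):
        super().__init__(f"query structure changed by input\n  actual:    {actual}"
                         f"\n  candidate: {candidate}")
        self.actual, self.candidate = actual, candidate


def guarded_query(build_query: Callable[..., str], *inputs: str) -> str:
    """Build the query on real and on candidate inputs; reject if skeletons differ."""
    actual = build_query(*inputs)
    candidate = build_query(*(candidate_for(s) for s in inputs))
    if structure(actual) != structure(candidate):
        raise SQLInjectionDetected(actual, candidate)
    return actual


def is_injection(build_query: Callable[..., str], *inputs: str) -> bool:
    try:
        guarded_query(build_query, *inputs)
        return False
    except SQLInjectionDetected:
        return True


# Assumed vulnerable builders (raw concatenation, as the abstract describes).
def build_login(user: str, pw: str) -> str:
    return f"SELECT * FROM users WHERE name = '{user}' AND pw = '{pw}'"


def build_by_id(item_id: str) -> str:
    return f"SELECT * FROM items WHERE id = {item_id}"


def demo() -> Dict[str, bool]:
    """Constructed sample inputs; True means the check flags the input."""
    cases = {
        "benign login":       (build_login, "alice", "s3cret"),
        "escaped quote":      (build_login, "O''Brien", "pw"),   # quote-escaped by the app
        "tautology":          (build_login, "' OR '1'='1", "x"),
        "comment truncation": (build_login, "admin'--", "x"),
        "benign id":          (build_by_id, "42"),
        "numeric tautology":  (build_by_id, "1 OR 1=1"),
    }
    return {name: is_injection(fn, *args) for name, (fn, *args) in cases.items()}


if __name__ == "__main__":
    for name, flagged in demo().items():
        print(f"{name:20s} {'ATTACK' if flagged else 'ok'}")
```

The "escaped quote" case is the point of comparing structure rather than characters: an input containing quotes is accepted as long as the query it produces has the same skeleton as the candidate run, while the tautology and comment inputs add tokens (an OR clause, a comment swallowing the password check) and are rejected. The numeric case shows why the candidate must preserve the input's type: an all-'a' candidate for a digit input would change the skeleton on its own, so the assumed rule substitutes digits for digits.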