Summary
This thesis summarizes our research on the creation and evaluation of special programs against “SQL Injection” (SQLI) computer attacks. The key concepts and problems of information security are briefly introduced, highlighting the leading role that SQL Injection is playing within this scenario. On the basis of the preceding analyses and of the state of the art of computer security, we focus our research on the field of SQL Injection, which is still one of the most dangerous and most widely used intrusion techniques. Specifically, we address both problems of (1) how to evaluate security systems against this type of attack, by proposing a new testing methodology whose goal is to collect useful results, assessing the quality of the tool under examination, and consequently to reach a better level of protection, and (2) how to defend against SQLI attacks through the use of our new program, developed specifically to protect web applications. The proposed methodology is adaptable to all programs for the detection and/or prevention of SQLI attacks. It is a step-by-step model that provides guidelines for testing and evaluating fundamental characteristics of the tool itself, such as: efficiency, effectiveness, stability, flexibility and performance. In addition, the testing phase of our program, SQLPrevent, is presented as a case study; SQLPrevent dynamically detects attacks and blocks the corresponding malicious “SQL statements” from being sent to the database. In our tests, SQLPrevent produces neither false positives nor false negatives, has a 100% detection and prevention rate measured on different types of SQLI attacks, is independent of the working environment, and on average affects performance by only 0.3%.
Chapter 1
Introduction
1.1 Motivations: Importance of the Problem
Information is the most important business asset today and achieving an appropriate level of “Information Security” can be viewed as essential in order to maintain a competitive edge. SQL Injection Attacks (SQLIAs) are one of the topmost threats for web application security, and SQL injections are one of the most serious vulnerability types. They are easy to detect and exploit; that is why SQLIAs are frequently employed by malicious users for different reasons, e.g. financial fraud, theft of confidential data, website defacement, sabotage, espionage, cyber terrorism, or simply for fun. Furthermore, SQL Injection attack techniques have become more common, more ambitious, and increasingly sophisticated, so there is a deep need in the computer security community to find an effective and feasible solution for this problem. Detection or prevention of SQLIAs is a topic of active research in industry and academia. To achieve those purposes, automatic tools and security systems have been implemented, but none of them is complete or accurate enough to guarantee an absolute level of security for web applications. One of the important reasons for this shortcoming is that there is a lack of a common and complete methodology for the evaluation of those tools. In fact, in order to avoid SQLIAs, testing is a fundamental and essential step for any security system. This significant weakness has stimulated our research and driven this work.
1.2 Research Focus and Original Contributions
Our research work focused on the analysis and resolution of the problem of SQL Injection attacks, in order to protect and make reliable any vulnerable web application. Firstly, we address the problem of the evaluation process of security tools for detection and prevention of SQLIAs. To achieve our goal we propose a general and complete evaluation methodology as a common guideline to test security systems against SQLIAs. Then, as a case study of our proposed model, we present, analyze and evaluate our novel tool (SQLPrevent) implemented for detection and prevention of SQLIAs. Our key original contributions can be identified as follows:
• We propose a complete evaluation methodology, supported by abstract and detailed diagrams, frameworks and a step-by-step procedure for the testing process of SQLIA systems, which is something that is lacking in the literature.
• We provide an effective and original security tool (SQLPrevent) for dynamic detection and prevention of SQLIAs without access to the application source code. It implements our novel heuristic approach to protect existing vulnerable web applications at run time from known as well as new or obfuscated SQLIAs.
• We analyze the evaluation process of SQLPrevent as a detailed case study of our proposed methodology. The results we have found confirm SQLPrevent as a valid solution. In fact, we have measured that SQLPrevent is effective, efficient, scalable, flexible and has high performance.
1.3 Structure of the Work
The rest of this work is organized as follows. In Section 2 we briefly provide general background knowledge on the key terminology, concepts and problems of information security, focusing on the critical role of web applications. Moreover, we show the state of the art of computer security, describing attacks, consequences and countermeasures that have characterized the current situation of the last few years, highlighting the important position of SQL Injection.
Section 3 explains, both theoretically and with practical examples, how SQL Injection attacks work and their consequences. It also furnishes classifications of SQLIA techniques, a methodology for a successful attack and the typical countermeasures adopted against them, focusing on their functions and weaknesses. In addition, at the end of this section we review existing work and compare it with the proposed approach, bringing out the different evaluation procedures and tests adopted in the analyzed related work.
In Sections 4 and 5 we characterize in detail, respectively, our novel tool SQLPrevent and our proposed evaluation methodology. We also provide and analyze abstract frameworks, accurate diagrams and a step-by-step procedure of our approach.
Section 6 contributes a case study of the proposed methodology based on the evaluation of SQLPrevent. Finally, in Section 7, we draw our conclusions, outlining the future directions of this work.
Chapter 2
State Of The Art
In this chapter we will provide the reader with a brief overview of the general concepts of information and computer security. We will introduce important actors such as web applications and vulnerabilities. In addition, we will present the security problems that currently affect society, such as cybercrime, and the consequent security techniques that must be employed.
2.1 Computer and Information Security: an Overview
2.1.1 Terminologies and Formal Definitions
Computer security is a branch of technology known as information security, applied to computers. Information security is based on the general concept of the protection of data against unauthorized access. The objective of computer security varies and can include protection of information from theft or corruption, or the preservation of availability, as defined in the security policy. Computer security is the process of preventing and detecting unauthorized use of your computer. Prevention measures help you prevent unauthorized users, also known as “intruders”, from accessing any part of your computer system. Detection helps you to determine whether or not someone attempted to break into your system, whether or not the breach was successful, and the extent of the damage that may have been done. This makes computer security particularly challenging because it is difficult enough just to ensure that computer programs do everything they are designed to do correctly [1]. Nowadays most information in the world is processed through computer systems, so it is common to use the term information security to also denote computer security. This is quite a common mistake: in fact, academically, the definition of information security includes all the processes of handling and storing information. Information can be printed on paper, stored electronically, transmitted by post or by using electronic means, shown on films, or spoken in conversation. The U.S. National Information Systems Security Glossary [2] defines Information systems security (INFOSEC) as:
“the protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.”
It defines computer security as:
“Measures and controls that ensure confidentiality, integrity, and availability of the information processed and stored by a computer”
This observation on information pervasiveness is especially important in today’s increasingly interconnected business environment. As a result of it, information is exposed to a growing number and a wider variety of threats and vulnerabilities, which often have nothing to do with computer systems at all. In this work, however, we will deal mostly with computer security and not information systems in general.
2.1.2 The C.I.A. Paradigm
Information security has held that confidentiality, integrity and availability, known as the C.I.A. paradigm, are the core principles of information security.
Confidentiality is the ability of a system to make its resources accessible only to the parties authorized to access them. Confidentiality is the property of preventing disclosure of information to unauthorized individuals or systems. For example, a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network. The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred. Confidentiality is necessary, but not sufficient, for maintaining the privacy of the people whose personal information a system holds.
Integrity is the ability of a system to allow only authorized parties to modify its resources and data, and only in authorized ways which are consistent with the functions performed by the system. Integrity means that data cannot be modified without authorization. Integrity is violated, for example, when someone accidentally or with malicious intent deletes important data files, when a computer virus infects a computer, when an employee is able to modify his own salary on a payroll database, when an unauthorized user vandalizes a web site, when someone is able to cast a very large number of votes in an online poll, and so on.
Availability is the important property that a rightful request to access information must never be denied, and must be satisfied in a timely manner. In other words, for any information system to serve its purpose, the information must be available when it is needed. Ensuring availability also involves preventing denial-of-service attacks.
Sometimes other goals have been added to the C.I.A. paradigm, such as authenticity, accountability, non-repudiation, safety and reliability. However, the general consensus is that these are either a consequence of the three core concepts defined above, or a means to attain them.
2.1.3 The A.A.A. Architecture
In software engineering terms, we could say that the C.I.A. paradigm belongs to the world of requirements, stating the high-level goals related to the security of information. The A.A.A. architecture and components are specifications of a software and hardware system architecture which strives to implement those requirements. Then, of course, security systems are the real-world implementations of these specifications. In computer security A.A.A. stands for Authentication, Authorization and Accounting. These are the three basic issues that are encountered frequently in many network services where their functionality is needed. Examples of these services are dial-in access to the Internet, electronic commerce, Internet printing, and Mobile IP. Typically, authentication, authorization, and accounting are more or less dependent on each other. However, separate protocols are used to achieve the A.A.A. functionality.
Authentication: refers to the process of establishing the digital identity of one entity to another entity. Commonly one entity is a client and the other entity is a server. Authentication is accomplished via the presentation of an identity and its corresponding credentials. Examples of types of credentials are passwords, one-time tokens and digital certificates. So authentication is a security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual’s eligibility to receive specific categories of information.
Authorization: access rights granted to a user, program, or process. It refers to the granting of specific types of privileges (or no privilege) to an entity or a user, based on their authentication, what privileges they are requesting, and the current system state. Authorization may be based on restrictions, for example time-of-day restrictions or physical location restrictions. Most of the time the granting of a privilege constitutes the ability to use a certain type of service. Examples of types of service include, but are not limited to: IP address filtering, address assignment, route assignment and encryption.
Accounting: refers to the tracking of the consumption of network resources by users. This information may be used for management, planning, billing, or other purposes. Real-time accounting refers to accounting information that is delivered concurrently with the consumption of the resources. Batch accounting refers to accounting information that is saved until it is delivered at a later time. Typical information that is gathered in accounting is the identity of the user, the nature of the service delivered, when the service began, and when it ended.
2.2 Vulnerabilities, Risks and Threats
Some other formal definitions and practical observations related to the world of computer security are needed. They will better outline the concepts and main actors that play an important role in computer security and differentiate one from the other.
Risk: combination of the likelihood of an event and its impact.
Threat: a series of events through which a natural or intelligent adversary (or set of adversaries) could use the system in an unauthorized way to cause harm, such as compromising confidentiality, integrity, or availability of the system’s information.
Vulnerability: in computer security, a weakness in a system which allows an attacker to violate the integrity of that system. This weakness of an asset or group of assets can be exploited by one or more threats. Vulnerabilities may result from different causes such as weak passwords, software bugs, a computer virus, other malware, script code injection or SQL injection.
Information security tasks are all related to managing and reducing the risks related to information usage in an organization, usually, but not always, by reducing or handling vulnerabilities or threats. Thus, it is wrong to think of security merely in terms of vulnerability reduction. Security is a component of the organizational risk management process; a set of coordinated activities to direct and control an organization with regard to risk [3]. In other words, information security is the protection of information from a wide range of threats in order to ensure continuity, minimize risk, and maximize return on investments and business opportunities. The main phases of proper security risk handling are:
Risk analysis/assessment: process of analyzing threats and vulnerabilities of an information system, and the potential impact that the loss of information or capabilities of a system would have on national security, and using the analysis as a basis for identifying appropriate and cost-effective measures. It is the systematic use of information to identify risk sources and to estimate the risk;
Risk evaluation: the process of comparing the estimated risk against given risk criteria to determine the significance of the risk;
Risk management: process concerned with the identification, measurement, control, and minimization of security risks in information systems.
2.3 Web Applications
Web application, or webapp, is the general term that is normally used to refer to all distributed web-based applications. According to the more technical software engineering definition, a web application is described as an application accessible through the web over a network. Many companies are converting their computer programs into web-based applications. Web applications are similar to computer-based programs but differ only in that they are accessible through the web, allowing the creation of dynamic websites and providing complete interaction with the end-user. Web applications are placed on the Internet and all processing is done on the server, the computer which hosts the application [4] [5].
Web applications are sets of web pages, files and programs that reside on a company’s web server, which any authorized user can access over a network such as the World Wide Web or a local intranet. A web application is usually a three-tiered construction. Normally, the first tier is a Web browser on the client side, the second is the real engine on the server side where the application’s core runs, and the third layer is a database, as shown in Figure 2.1. The Web browser makes the initial request to the middle layer, which, in turn, accesses the database to perform the requested task, either by retrieving information from the database or by updating it, and generates a user interface. A server processes all user transactions and usually the end-user simply accesses the web application through a Web browser, interacting with it. Since web applications reside on a server, they are easy to manage. In fact, they can be updated and modified at any time by the web application’s owner with minimal effort and without any distribution or installation of software on the clients’ machines. This is the main reason for the widespread adoption of Web applications in today’s organizations [6].
Figure 2.1: Three-Tiered J2EE Web Applications Model
Nowadays, web applications are becoming increasingly popular and are poised to become a major player in the overall software market due to the benefits they afford, such as visibility and worldwide access. They are, without a doubt, essential to the current and next generation of businesses and they have become part of our everyday online lives. In fact, a web application is a worldwide gate accessible not only through standard personal computers but also through different communication devices such as mobile phones and PDAs (Fig. 2.2). The use of web applications is especially beneficial for a company: with just a little investment, a company can open up a marketing channel that will allow potential clients easy global access to its business 24 hours a day. A typical example of a web application is an online questionnaire or user survey. The end-user client simply completes the online questions by filling in a form that is accessible worldwide through any kind of network device and submits the responses to the application, which then collects and stores the data in a database on the server side [7].
Web applications are present in all aspects of our daily internet use. Common examples are those applications used for searching the internet such as “Google”; for collaborative open source projects such as “SourceForge”; for public auctions such as “eBay”; and many others, as well as blogs, webmail, web forums, shopping carts, e-commerce, dynamic contents, discussion boards and social networks. At the moment, according to Carsonified’s survey “Top Web Applications of 2008”, the most popular web application, with over 50 million users, is Gmail [8] [9].
Figure 2.2: Typical Internet World Wide Network Configuration
The core part of a web application, as stated above, is stored on the server side within the application server. This core consists of a real computer software program coded in a browser-supported programming language such as PHP, ASP, CGI, Perl, Java/JSP, J2EE. Generally, to run the application, you must deploy it in a server and configure it properly. However, the way you install web applications depends on the server machine you are using and also on the particular application used. In our work we have used J2EE web applications for their good compatibility with our security tool. Java 2 Enterprise Edition (this name has since been changed to Java EE version 5.0) is a well-known open source web service platform that uses a distributed multi-tier application model for enterprise Java-based applications. At first glance, the J2EE architecture appears convoluted. In actuality, all J2EE components work together to serve a common purpose: to make the application more scalable. J2EE is the standard architecture for web applications that guarantees important features such as the integration and re-utilization of software. The standard has been defined by the partic-