ABSTRACT
Security testing is a pivotal activity in engineering secure software. It consists of two phases: generating attack inputs to test the system, and assessing whether test executions expose any vulnerabilities. The latter phase is known as the security oracle problem.
In this work, we present SOFIA, a Security Oracle for SQL-Injection Vulnerabilities. SOFIA is programming-language and source-code independent, and can be used with various attack generation tools. Moreover, because it does not rely on known attacks for learning, SOFIA is meant to also detect types of SQLi attacks that might be unknown at learning time. The oracle challenge is recast as a one-class classification problem where we learn to characterise legitimate SQL statements to accurately distinguish them from SQLi attack statements.
We have carried out an experimental validation on six applications, among which two are large and widely-used. SOFIA was used to detect real SQLi vulnerabilities with inputs generated by three attack generation tools. The obtained results show that SOFIA is computationally fast and achieves a recall rate of 100% (i.e., missing no attacks) with a low false positive rate (0.6%).
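The one-class idea described above can be illustrated with a short added example; it is not code from the paper and does not reproduce SOFIA's actual algorithm. It assumes a simplified stand-in model (token skeletons of legitimate statements compared by edit distance), and all names and sample statements are constructed for illustration.

```python
import re

# Literal values become placeholders so only statement structure is compared.
TOKEN = re.compile(r"""
    (?P<STR>'(?:[^']|'')*')       # quoted string literal
  | (?P<NUM>\b\d+(?:\.\d+)?\b)    # numeric literal
  | (?P<CMT>--[^\n]*|/\*.*?\*/)   # SQL comment
  | (?P<WORD>[A-Za-z_]\w*)        # keyword or identifier
  | (?P<OP>[^\s\w])               # operator or punctuation
""", re.VERBOSE | re.DOTALL)

def skeleton(sql):
    """Token sequence of a statement with literal values abstracted away."""
    return tuple(m.group().upper() if m.lastgroup in ("WORD", "OP")
                 else m.lastgroup for m in TOKEN.finditer(sql))

def edit_distance(a, b):
    """Levenshtein distance over token sequences."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (x != y)))
        prev = cur
    return prev[-1]

class Oracle:
    """Learns only from legitimate statements; no attack samples are needed."""
    def __init__(self, legitimate, threshold=0):
        self.model = {skeleton(s) for s in legitimate}
        self.threshold = threshold

    def distance(self, sql):
        sk = skeleton(sql)
        return min(edit_distance(sk, m) for m in self.model)

    def is_attack(self, sql):
        return self.distance(sql) > self.threshold

# Constructed training set: statements observed during normal executions.
LEGIT = [
    "SELECT * FROM users WHERE name = 'alice'",
    "SELECT id, total FROM orders WHERE user_id = 42 AND status = 'open'",
    "UPDATE users SET email = 'a@example.com' WHERE id = 7",
]
BENIGN = "SELECT * FROM users WHERE name = 'bob'"             # new value only
INJECTED = "SELECT * FROM users WHERE name = '' OR '1'='1'"   # structure changed
UNSEEN = "SELECT * FROM users WHERE name = 'alice' LIMIT 10"  # benign, unlearned
```

With `threshold=0` the unlearned benign statement is reported as a false positive; raising the threshold to 2 accepts it while the injected statement (distance 4) is still flagged, at the cost of tolerating any structural change of that size.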