research-article

SOFIA: an automated security oracle for black-box testing of SQL-injection vulnerabilities

Authors:
Mariano Ceccato

Fondazione Bruno Kessler, Italy

Fondazione Bruno Kessler, Italy
View Profile

,
Cu D. Nguyen

University of Luxembourg, Luxembourg

University of Luxembourg, Luxembourg
View Profile

,
Dennis Appelt

University of Luxembourg, Luxembourg

University of Luxembourg, Luxembourg
View Profile

,
Lionel C. Briand

University of Luxembourg, Luxembourg

University of Luxembourg, Luxembourg
View Profile

ASE '16: Proceedings of the 31st IEEE/ACM International Conference on Automated Software EngineeringAugust 2016Pages 167–177https://doi.org/10.1145/2970276.2970343

Published:25 August 2016Publication History

ASE '16: Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering

Pages 167–177

ABSTRACT

Security testing is a pivotal activity in engineering secure software. It consists of two phases: generating attack inputs to test the system, and assessing whether test executions expose any vulnerabilities. The latter phase is known as the security oracle problem.

In this work, we present SOFIA, a Security Oracle for SQL-Injection Vulnerabilities. SOFIA is programming-language and source-code independent, and can be used with various attack generation tools. Moreover, because it does not rely on known attacks for learning, SOFIA is meant to also detect types of SQLi attacks that might be unknown at learning time. The oracle challenge is recast as a one-class classification problem where we learn to characterise legitimate SQL statements to accurately distinguish them from SQLi attack statements.

We have carried out an experimental validation on six applications, among which two are large and widely-used. SOFIA was used to detect real SQLi vulnerabilities with inputs generated by three attack generation tools. The obtained results show that SOFIA is computationally fast and achieves a recall rate of 100% (i.e., missing no attacks) with a low false positive rate (0.6%).

References

C. C. Aggarwal and C. K. Reddy. Data clustering: algorithms and applications. CRC Press, 2013. Google ScholarCross Ref
D. Appelt, C. Nguyen, and L. Briand. Behind an application firewall, are we safe from sql injection attacks? In Software Testing, Verification and Validation (ICST), 2015 IEEE 8th International Conference on, pages 1–10, April 2015.Google Scholar
D. Appelt, C. Nguyen, L. Briand, and N. Alshahwan. Automated testing for sql injection vulnerabilities: An input mutation approach. In Proceedings of the 2014 International Symposium on Software Testing and Analysis, ISSTA 2014, pages 259–269, New York, NY, USA, 2014. ACM. Google ScholarDigital Library
A. Avancini and M. Ceccato. Security oracle based on tree kernel methods. In Trustworthy Eternal Systems via Evolving Software, Data and Knowledge, pages 30–43. Springer, 2013.Google Scholar
E. Barr, M. Harman, P. McMinn, M. Shahbaz, and S. Yoo. The oracle problem in software testing: A survey. Software Engineering, IEEE Transactions on, 41(5):507–525, May 2015.Google ScholarDigital Library
P. Bisht, P. Madhusudan, and V. Venkatakrishnan. Candid: Dynamic candidate evaluations for automatic prevention of sql injection attacks. ACM Transactions on Information and System Security (TISSEC), 13(2):14, 2010. Google ScholarDigital Library
G. Buehrer, B. W. Weide, and P. A. Sivilotti. Using parse tree validation to prevent sql injection attacks. In Proceedings of the 5th international workshop on Software engineering and middleware, pages 106–113. ACM, 2005. Google ScholarDigital Library
S. Christey and R. A. Martin. Vulnerability type distributions in cve. Technical report, The MITRE Corporation, 2006.Google Scholar
J. Coffey, L. White, N. Wilde, and S. Simmons. Locating software features in a soa composite application. In Web Services (ECOWS), 2010 IEEE 8th European Conference on, pages 99–106, 2010. Google ScholarDigital Library
W. Halfond, J. Viegas, and A. Orso. A classification of sql-injection attacks and countermeasures. In Proceedings of the IEEE International Symposium on Secure Software Engineering, volume 1, pages 13–15. IEEE, 2006.Google Scholar
W. G. Halfond and A. Orso. Amnesia: analysis and monitoring for neutralizing sql-injection attacks. In Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering, pages 174–183. ACM, 2005. Google ScholarDigital Library
P. Institute. The sql injection threat study. Technical report, Ponemon Institute, 2014.Google Scholar
A. K. Jain. Data clustering: 50 years beyond k-means. Pattern recognition letters, 31(8):651–666, 2010. Google ScholarDigital Library
K. Kemalis and T. Tzouramanis. Sql-ids: a specification-based approach for sql-injection detection. In Proceedings of the 2008 ACM symposium on Applied computing, pages 2153–2158. ACM, 2008. Google ScholarDigital Library
A. Kieyzun, P. Guo, K. Jayaraman, and M. Ernst. Automatic creation of sql injection and cross-site scripting attacks. In Software Engineering, 2009. ICSE 2009. IEEE 31st International Conference on, pages 199 –209, may 2009. Google ScholarDigital Library
D. A. Kindy and A.-S. K. Pathan. A survey on sql injection: Vulnerabilities, attacks, and prevention techniques. 2011.Google Scholar
A. Liu, Y. Yuan, D. Wijesekera, and A. Stavrou. Sqlprob: A proxy-based architecture towards preventing sql injection attacks. In Proceedings of the 2009 ACM Symposium on Applied Computing, SAC ’09, pages 2054–2061, New York, NY, USA, 2009. ACM. Google ScholarDigital Library
C. D. Manning, P. Raghavan, H. Schütze, et al. Introduction to information retrieval, volume 1. Cambridge university press Cambridge, 2008. Google ScholarCross Ref
L. Marinos and A. Sfakianakis. Enisa threat landscape. Technical report, European Network and Information Security Agency, 2012.Google Scholar
C. D. Nguyen, A. Marchetto, and P. Tonella. Combining model-based and combinatorial testing for effective test case generation. In Proceedings of the 2012 International Symposium on Software Testing and Analysis, ISSTA 2012, pages 100–110, New York, NY, USA, 2012. ACM. Google ScholarDigital Library
C. I. Pinzón, J. F. De Paz, Á. Herrero, E. Corchado, J. Bajo, and J. M. Corchado. idmas-sql: intrusion detection based on mas to detect and block sql injection through data mining. Information Sciences, 231:15–31, 2013. Google ScholarDigital Library
A. Reynolds, G. Richards, B. de la Iglesia, and V. Rayward-Smith. Clustering rules: A comparison of partitioning and hierarchical clustering algorithms. Journal of Mathematical Modelling and Algorithms, 5(4):475–504, 2006.Google ScholarCross Ref
D. Shasha and K. Zhang. Fast algorithms for the unit cost editing distance between trees. Journal of algorithms, 11(4):581–621, 1990. Google ScholarDigital Library
Z. Su and G. Wassermann. The essence of command injection attacks in web applications. In ACM SIGPLAN Notices, volume 41, pages 372–382. ACM, 2006. Google ScholarDigital Library
P. Tonella, R. Tiella, and C. D. Nguyen. Interpolated n-grams for model based testing. In Proceedings of the 36th International Conference on Software Engineering, ICSE 2014, pages 562–572, New York, NY, USA, 2014. ACM. Google ScholarDigital Library
F. Valeur, D. Mutz, and G. Vigna. A learning-based approach to the detection of sql attacks. In Detection of Intrusions and Malware, and Vulnerability Assessment, pages 123–140. Springer, 2005. Google ScholarDigital Library
S. Varrette, P. Bouvry, H. Cartiaux, and F. Georgatos. Management of an Academic HPC Cluster: The UL Experience. In Proc. of the 2014 Intl. Conf. on High Performance Computing & Simulation (HPCS 2014), pages 959–967, Bologna, Italy, July 2014. IEEE.Google ScholarCross Ref
J. Williams and D. Wichers. Owasp, top 10, the ten most critical web application security risks. Technical report, The Open Web Application Security Project, 2013.Google Scholar

Index Terms

SOFIA: an automated security oracle for black-box testing of SQL-injection vulnerabilities
1. Security and privacy
  1. Software and application security
    1. Web application security
  2. Systems security
    1. Vulnerability management
      1. Penetration testing
2. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Software defect analysis
        Software testing and debugging

Recommendations

Prevention of SQL Injection Attack by Using Black Box Testing
ICDCN '22: Proceedings of the 23rd International Conference on Distributed Computing and Networking

SQL injection attacks are diverse and have fast variations, making it convenient to handle them. An SQL attack can affect the entire system to a great extent, adversely affecting the website, as well as data loss and leaking. In the past, enormous ...
Read More
Security vulnerabilities and mitigation techniques of web applications
SIN '13: Proceedings of the 6th International Conference on Security of Information and Networks

Web applications contain vulnerabilities, which may lead to serious security breaches such as stealing of confidential information. To protect against security breaches, it is necessary to understand the detailed steps of attacks and the pros and cons ...
Read More
Causes and Prevention of SQL Injection Attacks in Web Applications
ICINS '16: Proceedings of the 4th International Conference on Information and Network Security

SQL injection is one of the major threats to the security of the web applications. Attackers try to gain unauthorized access to the database, which has vital and private information of the users. Many researchers have provided various techniques and ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
ASE '16: Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering
August 2016
899 pages
ISBN:9781450338455
DOI:10.1145/2970276
General Chair:
David Lo
Singapore Management University, Singapore
,
Program Chairs:
Sven Apel
University of Passau, Germany
,
Sarfraz Khurshid
University of Texas at Austin, USA
Copyright © 2016 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 25 August 2016
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
SQL-injection
Security oracle
Security testing
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate82of337submissions,24%
Upcoming Conference
ASE '24

Sponsor:

sigsoft online

sigsoft online

ASE '24: 39th IEEE/ACM International Conference on Automated Software Engineering

October 27 - November 1, 2024

Sacramento , CA , USA
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 22
  Total Citations
  View Citations
- 607
  Total Downloads
- Downloads (Last 12 months)62
- Downloads (Last 6 weeks)9
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

SOFIA: an automated security oracle for black-box testing of SQL-injection vulnerabilities

ASE '16: Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering

ABSTRACT

References

Cited By

Index Terms

Recommendations

Prevention of SQL Injection Attack by Using Black Box Testing

Security vulnerabilities and mitigation techniques of web applications

Causes and Prevention of SQL Injection Attacks in Web Applications