Using Positive Tainting and Syntax-Aware Evaluation to Counter SQL Injection Attacks
William G.J. Halfond, Alessandro Orso, and Panagiotis Manolios. Proceedings of the Fourteenth ACM SIGSOFT Symposium on Foundations of Software Engineering (FSE 2006), to appear. © ACM
Abstract
SQL injection attacks pose a serious security threat to Web
applications because they allow attackers to obtain unrestricted
access to the underlying databases and the potentially sensitive
information they contain. Although researchers and practitioners
have proposed various methods to address the SQL injection
problem, all current approaches have severe limitations. In this
paper, we propose a novel, automated approach to address the SQL
injection problem. Our approach marks as trusted only strings in
the program that are explicitly defined by the developer (e.g.,
string literals). We then prevent SQL-injection attacks by
parsing the SQL queries before they are submitted to the database
and only permitting queries in which all SQL keywords and
operators were created using trusted strings. To add and maintain
string-marking information, we developed MetaStrings, a set of
classes that can be transparently used in place of string-related
classes, but which provide functionality for storing and
automatically propagating string metadata. To evaluate our
approach, we developed a prototype implementation of our
technique and used it to protect several Web applications from a
large set of attacks of various kinds. The evaluation was
successful, in that our tool successfully and efficiently stopped
all of the attacks without generating any false positives.
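The abstract describes two pieces that work together: positive tainting (only developer-written string literals are marked trusted, and the marking propagates through string operations) and syntax-aware evaluation (the finished query is tokenized and rejected if any SQL keyword or operator contains characters that did not come from a trusted string). The following Python sketch is an added illustration of that idea, written for this page; it is not the paper's MetaStrings implementation, and its tokenizer, keyword list, and the `MarkedStr`, `trusted`, `untrusted` and `check_query` names are simplifications chosen here. Identifiers and literals are left unchecked, as the abstract describes the check in terms of keywords and operators only.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class MarkedStr:
    """A string carrying one trust flag per character (positive tainting).

    Anything not explicitly created with trusted() is untrusted by default,
    so a plain str mixed into a query is treated as user-controlled data.
    """
    text: str
    trust: tuple  # tuple of bool, same length as text

    def __add__(self, other):
        other = as_marked(other)
        return MarkedStr(self.text + other.text, self.trust + other.trust)

    def __radd__(self, other):
        return as_marked(other) + self


def trusted(s: str) -> MarkedStr:
    """Mark a developer-written string literal as trusted."""
    return MarkedStr(s, (True,) * len(s))


def untrusted(s: str) -> MarkedStr:
    """Mark externally supplied data as untrusted (the fail-safe default)."""
    return MarkedStr(s, (False,) * len(s))


def as_marked(x) -> MarkedStr:
    return x if isinstance(x, MarkedStr) else untrusted(str(x))


# Simplified SQL lexer used for the syntax-aware check (illustration only).
TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*)
  | (?P<string>'(?:[^']|'')*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op><=|>=|<>|!=|\|\||[=<>+\-*/%(),;.])
""", re.VERBOSE)

# Small keyword list chosen for this example, not an exhaustive SQL grammar.
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "INSERT", "INTO",
            "VALUES", "UPDATE", "SET", "DELETE", "UNION", "ALL", "DROP",
            "TABLE", "LIKE", "NULL", "IS", "IN", "ORDER", "BY"}


def tokenize(text: str):
    """Yield (kind, start, end) for each token; raise on unlexable input."""
    pos, tokens = 0, []
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"cannot tokenize query at offset {pos}")
        kind = m.lastgroup
        if kind == "word" and m.group().upper() in KEYWORDS:
            kind = "keyword"
        if kind != "ws":
            tokens.append((kind, m.start(), m.end()))
        pos = m.end()
    return tokens


def check_query(query: MarkedStr):
    """Syntax-aware evaluation: every keyword/operator must be fully trusted.

    Returns (allowed, reason). String and numeric literals are data and may
    contain untrusted characters; a lexing failure is treated as a rejection.
    """
    try:
        tokens = tokenize(query.text)
    except ValueError as exc:
        return False, str(exc)
    for kind, start, end in tokens:
        if kind in ("keyword", "op") and not all(query.trust[start:end]):
            return False, f"untrusted {kind} {query.text[start:end]!r} at offset {start}"
    return True, "all keywords and operators come from trusted strings"


def build_login_query(login: str, password: str) -> MarkedStr:
    """A typical concatenation-built query; the literals are trusted, inputs are not."""
    return (trusted("SELECT * FROM users WHERE login='") + untrusted(login)
            + trusted("' AND pass='") + untrusted(password) + trusted("'"))


if __name__ == "__main__":
    # Constructed sample inputs: a normal login and a classic tautology attempt.
    for login, pw in [("alice", "s3cret"), ("' OR 1=1 --", "x")]:
        print(repr(login), check_query(build_login_query(login, pw)))
```

In the tautology case the injected `' OR 1=1 --` closes the literal, so the lexer sees an `OR` keyword whose characters all carry the untrusted flag and the query is rejected; the same input placed inside an intact literal would pass, because string-literal tokens are never inspected. That is the property the paper relies on: the decision is made on the parsed structure of the final query, not on pattern matching over the input.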