SEPTIC: Detecting Injection Attacks and Vulnerabilities Inside the DBMS
| Autor: | Iberia Medeiros, Miguel Correia, Nuno Neves, Miguel Beatriz |
|---|---|
| Rok vydání: | 2019 |
| Předmět: |
Password
SQL 021103 operations research Database Computer science Process (engineering) 0211 other engineering and technologies Data validation 02 engineering and technology computer.software_genre Identification (information) SQL injection False positive paradox Overhead (computing) Electrical and Electronic Engineering Safety Risk Reliability and Quality computer computer.programming_language |
| Zdroj: | IEEE Transactions on Reliability. 68:1168-1188 |
| ISSN: | 1558-1721 0018-9529 |
| DOI: | 10.1109/tr.2019.2900007 |
| Popis: | Databases continue to be the most commonly used backend storage in enterprises, but they are often integrated with vulnerable applications, such as web frontends, which allow injection attacks to be performed. The effectiveness of such attacks stems from a semantic mismatch between how SQL queries are believed to be executed and the actual way in which databases process them. This leads to subtle vulnerabilities in the way input validation is done in applications. In this paper, we propose SEPTIC, a mechanism for DBMS attack prevention, which can also assist on the identification of the vulnerabilities in the applications. The mechanism was implemented in MySQL and evaluated experimentally with various applications and alternative protection approaches. Our results show no false negatives and no false positives with SEPTIC, on the contrary to other solutions. They also show that SEPTIC introduces a low performance overhead, in the order of 2.2%. |
| Databáze: | OpenAIRE |
| Externí odkaz: |
|