SQLrand: Preventing SQL Injection Attacks
Stephen W. Boyd,Angelos D. Keromytis +1 more
- 08 Jun 2004
- pp 292-302
TL;DR: This work applies the concept of instruction-set randomization to SQL, creating instances of the language that are unpredictable to the attacker, and shows how to use this technique with the MySQL database using an intermediary proxy that translates the random SQL to its standard language.
read more
Abstract: We present a practical protection mechanism against SQL injection attacks Such attacks target databases that are accessible through a web front-end, and take advantage of flaws in the input validation logic of Web components such as CGI scripts We apply the concept of instruction-set randomization to SQL, creating instances of the language that are unpredictable to the attacker Queries injected by the attacker will be caught and terminated by the database parser We show how to use this technique with the MySQL database using an intermediary proxy that translates the random SQL to its standard language Our mechanism imposes negligible performance overhead to query processing and can be easily retrofitted to existing systems
read more
Chat with Paper
AI Agents for this Paper
Find similar papers on Google Scholar, PubMed and Arxiv
Write a critical review of this paper
Analyze citations of this paper to find unaddressed research gaps
Citations
A Comprehensive Study of Security of Internet-of-Things
Arsalan Mosenia,Niraj K. Jha +1 more
TL;DR: This survey attempts to provide a comprehensive list of vulnerabilities and countermeasures against them on the edge-side layer of IoT, which consists of three levels: (i) edge nodes, (ii) communication, and (iii) edge computing.
720
A Classification of SQL-Injection Attacks and Countermeasures
William G. J. Halfond,Jeremy Viegas,Alessandro Orso +2 more
- 01 Jan 2006
TL;DR: An extensive review of the different types of SQL injection attacks known to date is presented, including descriptions and examples of how attacks of that type could be performed and existing detection and prevention techniques against SQL injections.
The essence of command injection attacks in web applications
Zhendong Su,Gary Wassermann +1 more
- 11 Jan 2006
TL;DR: This paper presents the first formal definition of command injection attacks in the context of web applications, and gives a sound and complete algorithm for preventing them based on context-free grammars and compiler parsing techniques.
Cybersecurity data science: an overview from machine learning perspective
Iqbal H. Sarker,Iqbal H. Sarker,A. S. M. Kayes,Shahriar Badsha,Hamed Alqahtani,Paul A. Watters,Alex Hay-Man Ng +6 more
TL;DR: This paper focuses and briefly discusses on cybersecurity data science, where the data is being gathered from relevant cybersecurity sources, and the analytics complement the latest data-driven patterns for providing more effective security solutions.
Using parse tree validation to prevent SQL injection attacks
Gregory Buehrer,Bruce W. Weide,Paolo A. G. Sivilotti +2 more
- 05 Sep 2005
TL;DR: A technique to prevent this kind of manipulation and hence eliminate SQL injection vulnerabilities is described, based on comparing, at run time, the parse tree of the SQL statement before inclusion of user input with that resulting after inclusion of input.
References
•Proceedings Article
StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks
Crispin Cowan,Calton Pu,Dave Maier,Heather Hintony,Jonathan Walpole,Peat Bakke,Steve Beattie,Aaron Grier,Perry Wagle,Qian Zhang +9 more
- 26 Jan 1998
TL;DR: StackGuard is described: a simple compiler technique that virtually eliminates buffer overflow vulnerabilities with only modest performance penalties, and a set of variations on the technique that trade-off between penetration resistance and performance.
Countering code-injection attacks with instruction-set randomization
Gaurav S. Kc,Angelos D. Keromytis,Vassilis Prevelakis +2 more
- 27 Oct 2003
TL;DR: A new, general approach for safeguarding systems against any type of code-injection attack, by creating process-specific randomized instruction sets of the system executing potentially vulnerable software that can serve as a low-overhead protection mechanism, and can easily complement other mechanisms.
Obfuscation of executable code to improve resistance to static disassembly
Cullen Linn,Saumya K. Debray +1 more
- 27 Oct 2003
TL;DR: Experimental results indicate that significant portions of executables that have been obfuscated using the techniques described are disassembled incorrectly, thereby showing the efficacy of the methods.
•Proceedings Article
Improving host security with system call policies
Niels Provos
- 04 Aug 2003
TL;DR: This paper discusses the methodology and design of privilege separation, a generic approach that lets parts of an application run with different levels of privilege, and illustrates how separation of privileges reduces the amount of OpenSSH code that is executed with special privilege.
Randomized instruction set emulation to disrupt binary code injection attacks
Elena Gabriela Barrantes,David H. Ackley,Stephanie Forrest,Trek S. Palmer,Darko Stefanovic,Dino Dai Zovi +5 more
- 27 Oct 2003
TL;DR: RISE as discussed by the authors is a randomized instruction set emulator based on the open-source Valgrind x86-to-x86 binary translator, which is designed to resist binary code injection attacks.
Related Papers (5)
Zhendong Su,Gary Wassermann +1 more
- 11 Jan 2006
Russell A. McClure,Ingolf H. Krüger +1 more
- 15 May 2005