CANDID: Preventing SQL Injection Attacks using Dynamic Candidate Evaluations
Venkat Venkatakrishnan - University of Illinois at Chicago
Nov 28, 2007
Abstract
SQL injection attacks are one of the topmost threats for applications written for the Web. These attacks are launched through specially crafted user input on web applications that use low level string operations to construct SQL queries. In this talk, I will present a novel and powerful scheme for automatically transforming web applications to render them safe against all SQL injection attacks.
A characteristic diagnostic feature of SQL injection attacks is that they change the intended structure of queries issued. Our technique for detecting SQL injection is to dynamically mine the programmer-intended query structure on any input, and detect attacks by comparing it against the structure of the actual query issued. We propose a simple and novel mechanism for mining programmer intended queries by dynamically evaluating runs over benign candidate inputs. This mechanism is theoretically well founded and is based on inferring intended queries by considering the symbolic query computed on a program run. Our approach has been implemented in a tool called CANDID that retrofits Web applications written in Java to defend them against SQL injection attacks. We report experimental results that show that our approach performs remarkably well in practice.
(Joint work with Sruthi Bandhakavi, Prithvi Bisht and P. Madhusudan)
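The comparison the abstract describes, sketched in Python as an added example; it is not CANDID's code, which transforms Java programs. Assumptions made here: the benign candidate is a same-length run of `a` (or `1` for all-digit input), query structure is approximated by a token skeleton rather than a parse tree, and `build_query` is a hypothetical application function with no input-dependent branches.

```python
import re

# Simplified SQL lexer (assumption: a token skeleton stands in for the
# parse-tree comparison a real implementation would perform).
TOKEN_RE = re.compile(r"""
    (?P<str>'(?:[^']|'')*')          # quoted string literal, '' is an escaped quote
  | (?P<num>\b\d+(?:\.\d+)?\b)       # numeric literal
  | (?P<comment>--[^\n]*|/\*.*?\*/)  # line or block comment
  | (?P<word>[A-Za-z_]\w*)           # keyword or identifier
  | (?P<op>\S)                       # any other single symbol
""", re.VERBOSE | re.DOTALL)

PLACEHOLDER = {"str": "STR", "num": "NUM", "comment": "COMMENT"}

def skeleton(query):
    """Reduce a query to its structure: literal values become placeholders."""
    return [PLACEHOLDER.get(m.lastgroup, m.group().upper())
            for m in TOKEN_RE.finditer(query)]

def candidate(value):
    """Benign stand-in for one user input (assumed choice: same length,
    digits for numeric input, letters otherwise, so it stays a single literal)."""
    return "1" * len(value) if value.isdigit() else "a" * len(value)

def build_query(user, min_age):
    # Hypothetical application code using low-level string concatenation.
    return ("SELECT id FROM accounts WHERE owner = '" + user +
            "' AND age > " + min_age)

def is_injection(builder, *inputs):
    """Flag the request when the query actually issued differs in structure
    from the query the same code builds on the candidate inputs."""
    actual = builder(*inputs)
    intended = builder(*(candidate(v) for v in inputs))
    return skeleton(actual) != skeleton(intended)

if __name__ == "__main__":
    # Constructed sample requests: one benign, three that alter the structure.
    for args in [("alice", "30"), ("x' OR '1'='1", "30"),
                 ("admin' --", "30"), ("alice", "0 OR 1=1")]:
        print(args, "->", "BLOCK" if is_injection(build_query, *args) else "allow")
```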
About the Speaker
Dr. V. N. Venkatakrishnan is an Assistant Professor of Computer Science at the University of Illinois at Chicago. He is co-founder and co-director of the Center for Research and Instruction in Technologies for Electronic Security (RITES) at UIC. Venkat's main research expertise is in using practical program transformation techniques for systems security. Specific research areas that he works on are web application security, browser security, mobile code security and data tainting mechanisms for addressing information flow confidentiality. He received his Ph.D. degree from Stony Brook University in 2004. He is the recipient of the best research paper award at ACSAC 2003, and the UIC College of Engineering teaching award in 2007.