Bayesian Classification for SQL Injection Detection

Transcription

1 Bayesian Classification for SQL Injection Detection Brandon Skari College of Engineering and Applied Science University of Wyoming Laramie, Wyoming April 6, 2011

2 Overview SQL Injection Types of attacks Prevention techniques SQLassie Brandon Skari (UWyo) Bayesian Classification April / 34

3 Dynamic web sites Change based on user interaction Web mail Online stores Search engines Social networks Banking sites All of the top 10 most popular[1] websites are dynamic Brandon Skari (UWyo) Bayesian Classification April / 34

4 SQL Injection Injection attacks are one of the foremost threats facing dynamic web applications[23, 13, 24, 5] Allow attackers to: Access, modify and delete data Bypass authentication Denial of service Compromise the server Brandon Skari (UWyo) Bayesian Classification April / 34

5 Queries Queries usually come in 4 types: Select Insert Update Delete A typical query may look like the following[6]: SELECT name FROM U s e r s WHERE name = Brandon AND password = 1234 Brandon Skari (UWyo) Bayesian Classification April / 34

6 Queries Brandon Skari (UWyo) Bayesian Classification April / 34

7 Queries A developer has written: SELECT name FROM U s e r s WHERE name = $name AND password = $password What happens when the user enters the following for the username? name = The query is run as the following: SELECT name FROM U s e r s WHERE name = AND password = Brandon Skari (UWyo) Bayesian Classification April / 34

8 Types of attacks Halfond[13] classified attacks based on their intention Identifying injectable parameters Performing database fingerprinting Determining database schema Adding or modifying data Denial of service Accessing data Avoiding detection Bypassing authentication Executing remote commands Performing privilege escalation Brandon Skari (UWyo) Bayesian Classification April / 34

9 Attack techniques There are a number of techniques that attackers use to attack a database[6, 13, 20, 21] Multiple queries Unions Invalid queries Tautologies Inference Detection evasion Second order attacks Brandon Skari (UWyo) Bayesian Classification April / 34

10 Multiple queries The easiest attacks to implement SQL allows multiple queries to be run in sequence, if they are separated by semicolons Attackers can run essentially query, allowing full access to the database Most database engines include special commands to access files or other information from the operating system Some frameworks disallow multiple queries Brandon Skari (UWyo) Bayesian Classification April / 34

11 Multiple queries SELECT name FROM U s e r s WHERE name = $name AND password = $password What if the user enters: ; DROP TABLE U s e r s The query is run as: SELECT name FROM U s e r s WHERE name = ; DROP TABLE Users -- AND password = Brandon Skari (UWyo) Bayesian Classification April / 34

12 Unions Normal SELECT commands retrieve a number of rows from a database UNION can be used to append data from other tables and even from unrelated applications This can expose data that would normally be inaccessible Brandon Skari (UWyo) Bayesian Classification April / 34

13 Unions SELECT name FROM U s e r s WHERE name = $name AND password = $password What if the user enters: UNION SELECT Admin The query is run as SELECT name FROM U s e r s WHERE name = UNION SELECT Admin -- AND password = Brandon Skari (UWyo) Bayesian Classification April / 34

14 Unions SELECT a. f o r u m i d, a. a u t h v i e w, a. auth mod FROM p h p b b a u t h a c c e s s a, p h p b b u s e r g r o u p ug WHERE ug. u s e r i d = $ i d AND ug. u s e r p e n d i n g = 0 AND a. g r o u p i d = ug. g r o u p i d What if the user enters the following: 0 UNION SELECT TABLE SCHEMA, TABLE NAME, COLUMN NAME FROM i n f o r m a t i o n s c h e m a.columns This would return the database name, table name, and column name of everything that s stored in the database engine. wiki - Users - name wiki - Users - password store - Customer - creditcardnumber Brandon Skari (UWyo) Bayesian Classification April / 34

15 Invalid queries When presented with an invalid query, most database engines will provide detailed information that can aid in debugging Attackers can use this information to determine: Database vendor and version Operating system Data types Schema information Most databases are configured by default to run in developer mode You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near AND password = Brandon Skari (UWyo) Bayesian Classification April / 34

16 Tautologies Tautology attacks work by modifying conditionals to make the statement always true Either remove conditionals or add new conditionals SELECT name FROM U s e r s WHERE name = $name AND password = $password SELECT name FROM U s e r s WHERE name = Brandon OR 1 = 1 AND password = Brandon Skari (UWyo) Bayesian Classification April / 34

17 Inference Applications that are in production typically disable debugging to the point that if attacks succeed, no usable feedback is provided Used against mysql.com on March Normal blind attacks Cannot see error messages but can see the results of modified queries Use IF statements to selectively change a value to infer information Totally blind attacks Attackers get no visual feedback Use statements that selectively slow a query to infer information SELECT name FROM U s e r s WHERE name = Brandon AND IF((SELECT SUBSTR(password, 0, 1) FROM Users WHERE name = admin ) < ASCII( L ), 1, 0) -- AND password = Brandon Skari (UWyo) Bayesian Classification April / 34

18 Detection evasion Many intrusion detection systems rely on string comparisons or check for illegal characters Detection evasion tries to evade these detection patterns Build strings using concatenation, insertion, substring Build strings from hashes or constant string function MySQL lets you specify strings in hex: 0x E646F6E Functions to encode numbers to ASCII characters Brandon Skari (UWyo) Bayesian Classification April / 34

19 Second order attacks All of the attacks shown thus far have taken input directly from the an attacker and used it to modify queries Second order attacks work by inserting data into a database and then retrieving it later and using it in attacks These are much more difficult to predict because the database and previous results are usually considered a safe source All data that could have ever originated from a user need to be sanitized every time it s used in a query Brandon Skari (UWyo) Bayesian Classification April / 34

20 Second order attacks Searching for posts by users whose name matches a particular pattern SELECT username FROM p h p b b u s e r s WHERE username LIKE $ r e g e x SELECT p o s t i d, post name FROM p h p b b p o s t s WHERE username = What if a user registers the following username? f a k e UNION SELECT username, u s e r p a s s w o r d FROM p h p b b u s e r s Brandon Skari (UWyo) Bayesian Classification April / 34

21 Prevention So what can you, as a developer, do to prevent injection?[13] Sanitize input Parameterizing input Input type checking Positive pattern matching The problem with all these techniques is that they must be applied consistently by hand Restrict privileges to minimize potential damage Brandon Skari (UWyo) Bayesian Classification April / 34

22 Input sanitization $ c o n n e c t i o n = new m y s q l i ( , Brandon, 1234, w i k i ) ; $name = $ POST [ name ] ; $password = $ POST [ password ] ; $query = SELECT name FROM U s e r s WHERE name = $name AND password = $password ; $ r e s u l t = $ c o n n e c t i o n >q u e r y ( $query ) o r d i e ( $ c o n n e c t i o n >c o n n e c t e r r o r ( ) ) ; So what happens when the user enters: Brandon ; DROP TABLE Users -- The problem is that single quote changes the meaning of the query. By escaping that quote, we can remove its significance. $name = $ c o n n e c t i o n >m y s q l r e a l e s c a p e s t r i n g ( $ POST [ name ] ) ; $password = $ c o n n e c t i o n >m y s q l r e a l e s c a p e s t r i n g ( $ POST [ password ] ) ; Now, name will be set to Brandon \ ; DROP TABLE Users -- This must be done every time you use values that originated from a user! Brandon Skari (UWyo) Bayesian Classification April / 34

23 Input sanitization Unfortunately, you have to do more than just escape strings! SQL lets you leave numeric constants unquoted, so this is ok: SELECT username FROM Users WHERE id = 5 What happens if we do this with PHP? $ i d = $ c o n n e c t i o n >m y s q l r e a l e s c a p e s t r i n g ( $ POST [ i d ] ) ; $ query = SELECT username FROM U s e r s WHERE i d = $ i d ; $ r e s u l t = $ c o n n e c t i o n >q u e r y ( $query ) ; What if the user enters: 5 ; DROP TABLE Users When this string is escaped, it is not changed! Always quote your variables inside of queries $ query = SELECT username FROM U s e r s WHERE u s e r i d = $ i d ; The database will either ignore the second part or give an error Brandon Skari (UWyo) Bayesian Classification April / 34

24 Input sanitization User input can come from unexpected places[19] HTTP POST requests and GET requests Hidden fields HTTP headers (referrer, user-agent, etc.) Cookies In PHP, arrays are stored as key-value pairs: id 1, The extract function moves an array s key-value pairs into variable scope e x t r a c t ( $ POST ) ; is equivalent to $ i d = $ POST [ i d ] ; $ e m a i l = $ POST [ e m a i l ] ; $newpassword = ; f o r ( $ i = 0 ; $ i < 8 ; $ i ++) $newpassword.= chr ( rand ( 9 7, 122) ) ; e x t r a c t ( $ POST ) ; $connect >q u e r y ( UPDATE u s e r s SET password = $newpassword WHERE i d = $ i d ) ; Brandon Skari (UWyo) Bayesian Classification April / 34

25 Parameterizing input Easiest, most reliable way to prevent injection attacks Queries are prepared with placeholders where data will go User input is bound and sent to the database separately The database treats input as values so there is no possibility of injection Parameterized queries are slower than dynamically built ones Brandon Skari (UWyo) Bayesian Classification April / 34

26 Parameterizing input In PHP, when you bind a parameter, you have to specify its type i integer d double s string b binary blob $ c o n n e c t i o n = new m y s q l i ( , Brandon, 1234, w i k i ) ; $ i d = $ POST [ i d ] ; $ t o p i c = $ POST [ t o p i c ] ; $stmt = $ c o n n e c t i o n >p r e p a r e ( SELECT postcount FROM p o s t s WHERE u s e r i d =? AND t o p i c =? ) ; $stmt >bind param ( i s, $id, $ t o p i c ) ; $stmt >e x e c u t e ( ) ; $stmt >c l o s e ( ) ; Brandon Skari (UWyo) Bayesian Classification April / 34

27 Input type checking $ i d = $ c o n n e c t i o n >m y s q l r e a l e s c a p e s t r i n g ( $ POST [ i d ] ) ; $ query = SELECT username FROM U s e r s WHERE i d = $ i d ; $ r e s u l t = $ c o n n e c t i o n >q u e r y ( $query ) ; An attacker could enter: 5 ; DROP TABLE USERS -- What if you just typecast as you receive it from the user? $ i d = ( i n t ) $ POST [ i d ] ; Your framework will either reject the input, or ignore the bad part No injection is possible through integers! Brandon Skari (UWyo) Bayesian Classification April / 34

28 Positive pattern matching It s difficult to predict all the bad things that an attacker can do It s easy to predict what kinds of things are normal Use regular expressions to match what is expected i f (1 == preg match ( ˆ\w+$, $name ) ) Brandon Skari (UWyo) Bayesian Classification April / 34

29 Black box testing Black box testing tests an application without examining source code SQL Inject Me[25] WAVES[15] SQLiX[7] HP WebInspect[14] IBM Rational AppScan[16] Black box testing is limited by its list of prebuilt attacks Will probably not find second order attacks Brandon Skari (UWyo) Bayesian Classification April / 34

30 Static analysis Analyzes the source code for problems No runtime overhead JDBC checker[8] LAPSE[19] PHP-Checker[27] Pixy[17] Source code is not always available Can present false positives because they can t determine if a source is safe[27] Fixing the source can be difficult Brandon Skari (UWyo) Bayesian Classification April / 34

31 Static and dynamic analysis Source code is analyzed and then queries are monitored at runtime A model of normal queries is built and queries that don t match are rejected AMNESIA[11] DFA web filter[22] Source code is not always available Fixing the source can be difficult If queries are not identified during the static analysis, there will be false positives Brandon Skari (UWyo) Bayesian Classification April / 34

32 Taint tracking User input is marked as tainted as it enters an application Tainted data are tracked Queries that are generated using input are checked to make sure that tainted data do not modify the query SQLGuard[4] Java String class[10] WASP[12] SQLrand[3] CANDID[2] Metacharacter tracking[26] Hamming distance[18] Ignore second order attacks False sense of security Brandon Skari (UWyo) Bayesian Classification April / 34

33 Blacklisting Reject queries based on certain features Effectiveness is proportional to the sophistication of the detection technique Doesn t require access to source code Requires no interaction from the user or modification of code GreenSQL[9] SQLassie Blacklists must be updated to deal with new attacks Runtime overhead Best used when writing an application Brandon Skari (UWyo) Bayesian Classification April / 34

34 Permissions MySQL lets you define permissions on a per user/host basis Each user/host combination can have a separate password and permission set Most web applications shouldn t need to DROP TABLES, so remove those permissions Give each application a separate account and only give that user access to one particular database Make sure the passwords are strong! Limit connections to machines you trust Brandon Skari (UWyo) Bayesian Classification April / 34

35 [1] Alexa. Alexa top 500 global sites. December [2] Bandhakavi, S., Bisht, P., Madhusudan, P., and Venkatakrishnan, V. N. CANDID: preventing SQL injection attacks using dynamic candidate evaluations. In CCS 07: Proceedings of the 14th ACM conference on Computer and communications security (New York, NY, USA, 2007), ACM, pp [3] Boyd, S. W., and Keromytis, A. D. SQLrand: Preventing SQL injection attacks. In In Proceedings of the 2nd Applied Cryptography and Network Security (ACNS) Conference (2004), pp [4] Buehrer, G., Weide, B. W., and Sivilotti, P. A. G. Using parse tree validation to prevent SQL injection attacks. Brandon Skari (UWyo) Bayesian Classification April / 34

36 In Proceedings of the 5th international workshop on Software engineering and middleware (New York, NY, USA, 2005), SEM 05, ACM, pp [5] Christey, S., and Martin, R. A. CVE - vulnerability type distributions in CVE. May [6] Clarke, J. SQL Injection Attacks and Defense, first ed. Syngrass, May [7] Cochin, C. SQLiX project. OWASP_SQLiX_Project, August [8] Gould, C., Su, Z., and Devanbu, P. JDBC checker: a static analysis tool for SQL/JDBC applications. In Software Engineering, ICSE Proceedings. 26th International Conference on (May 2004), pp Brandon Skari (UWyo) Bayesian Classification April / 34

37 [9] GreenSQL. GreenSQL open source SQL database security, SQL injection prevention. December [10] Haldar, V., Chandra, D., and Franz, M. Dynamic taint propagation for Java. In In Proceedings of the 21st Annual Computer Security Applications Conference (2005), pp [11] Halfond, W. G. J., and Orso, A. Combining static analysis and runtime monitoring to counter SQL-injection attacks. In Proceedings of the third international workshop on Dynamic analysis (New York, NY, USA, 2005), WODA 05, ACM, pp [12] Halfond, W. G. J., Orso, A., and Manolios, P. Using positive tainting and syntax-aware evaluation to counter SQL injection attacks. Brandon Skari (UWyo) Bayesian Classification April / 34

38 In Proceedings of the 14th ACM SIGSOFT international symposium on Foundations of software engineering (New York, NY, USA, 2006), SIGSOFT 06/FSE-14, ACM, pp [13] Halfond, W. G. J., Viegas, J., and Orso, A. A classification of SQL-injection attacks and countermeasures. In Proc. of the International Symposium on Secure Software Engineering (2006). [14] Hewlett Packard. HP WebInspect Software. December [15] Huang, Y.-W., Huang, S.-K., Lin, T.-P., and Tsai, C.-H. Web application security assessment by fault injection and behavior monitoring. In Proceedings of the 12th international conference on World Wide Web (New York, NY, USA, 2003), WWW 03, ACM, pp [16] IBM. IBM software - AppScan product line. Brandon Skari (UWyo) Bayesian Classification April / 34

39 December [17] Jovanovic, N. Pixy: XSS and SQLI scanner for PHP. July [18] Liu, A., Yuan, Y., Wijesekera, D., and Stavrou, A. SQLProb: a proxy-based architecture towards preventing SQL injection attacks. In Proceedings of the 2009 ACM symposium on Applied Computing (New York, NY, USA, 2009), SAC 09, ACM, pp [19] Livshits, V. B., and Lam, M. S. Finding security vulnerabilities in Java applications with static analysis. In Proceedings of the 14th conference on USENIX Security Symposium - Volume 14 (Berkeley, CA, USA, 2005), USENIX Association, pp [20] Mackay, C. A. Brandon Skari (UWyo) Bayesian Classification April / 34

40 SQL injection attacks and some tips on how to prevent them. SqlInjectionAttacks.aspx, January [21] Mavituna, F. SQL injection cheat sheet. http: //ferruh.mavituna.com/sql-injection-cheatsheet-oku, March [22] Muthuprasanna, M., Wei, K., and Kothari, S. Eliminating SQL injection attacks - a transparent defense mechanism. In Web Site Evolution, WSE 06. Eighth IEEE International Symposium on (2006), pp [23] OWASP. Open web application security project (OWASP) top ten project. OWASP_Top_Ten_Project, December Brandon Skari (UWyo) Bayesian Classification April / 34

41 [24] SANS Institute. SANS: The top cyber security risks. September [25] SecCom. SQL inject me sql-inject-me/, May [26] Su, Z., and Wasserman, G. The essence of command injection attacks in web applications. ACM Press, pp [27] Xie, Y., and Aiken, A. Static detection of security vulnerabilities in scripting languages. In Proceedings of the 15th conference on USENIX Security Symposium - Volume 15 (Berkeley, CA, USA, 2006), USENIX Association. Brandon Skari (UWyo) Bayesian Classification April / 34