Preventing SQL Code Injection by Combining Static and Runtime Analysis

Abstract

Many software systems have evolved to include a Web-based component that makes them available to the public via the Internet and can expose them to a variety of Web-based attacks. One of these attacks is SQL injection, which can give attackers unrestricted access to the databases underlying Web applications and has become increasingly frequent and serious. In this project, we developed techniques and tools to detect, prevent, and report SQL injection attacks. Our techniques leverage static and dynamic analysis, are effective and efficient, and have minimal deployment requirements. Given a previously developed Web application, our tools automatically transform the application into an equivalent application that is protected from SQL injection attacks. In the project, we also developed a testbed that can be used to evaluate SQL injection detection and prevention tools. Our testbed has been used extensively both by us and by other organizations. The tools and techniques developed within the project are being disseminated through different channels and are currently being commercialized by our industrial partner.


Document Details

Document Type: Technical Report
Publication Date: May 01, 2008
Accession Number: ADA483186

Entities

People

  • Adam Shostack
  • Alessandro Orso
  • Wenke Lee

Organizations

  • Georgia Tech

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Air Force
  • Code Injection
  • Computer Programming
  • Computer Programs
  • Computer Science
  • Computers
  • Cybersecurity
  • Databases
  • Detection
  • Domain Specific Programming Languages
  • Instruction Set Architecture
  • Internet
  • Intrusion Detectors
  • Operating Systems
  • Software Testing
  • Web Applications
  • Web Browsers

Fields of Study

  • Computer science
