Hacking the DBMS to Prevent Injection Attacks

Title: Hacking the DBMS to Prevent Injection Attacks
Publication Type: Conference Paper
Year of Publication: 2016
Authors: Medeiros, Ibéria; Beatriz, Miguel; Neves, Nuno; Correia, Miguel
Conference Name: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy
Publisher: ACM
Conference Location: New York, NY, USA
ISBN Number: 978-1-4503-3935-3
Keywords: data privacy, dbms self-protection, Human Behavior, injection attacks, Metrics, privacy, pubcrawl, Resiliency, security, software security, SQL Injection, SQL injection attack, Web applications
Abstract

After more than a decade of research, web application security continues to be a challenge, and the backend database remains the most appetizing target. The paper proposes preventing injection attacks against the database management system (DBMS) behind web applications by embedding protections in the DBMS itself. The motivation is twofold. First, embedding protections in operating systems and in the applications running on top of them has proven effective at protecting that software. Second, there is a semantic mismatch between how SQL queries are believed to be executed by the DBMS and how they are actually executed, which leads to subtle vulnerabilities in prevention mechanisms. The approach, SEPTIC, was implemented in MySQL and evaluated experimentally with web applications written in PHP and Java/Spring. In the evaluation SEPTIC showed neither false negatives nor false positives, unlike alternative approaches, while adding a low performance overhead of about 2.2%.
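The semantic mismatch the abstract refers to is easiest to see with a concrete query. The following Python script is an added illustration, not code from the paper or from SEPTIC: an application-layer guard that doubles single quotes assumes an attacker must break out of a string literal, while the DBMS evaluates `WHERE id = 0 OR 1=1` in a numeric context where no quote was ever needed. The second half sketches, in simplified form, the idea of checking a query's structure against shapes learned from benign traffic right before execution; the toy tokenizer, the `ModelCheckingDB` class, the `users` table and the sample rows are all constructed here for the demonstration and are not SEPTIC's actual design. SQLite stands in for MySQL so the example runs offline.

```python
import re
import sqlite3

# Constructed sample schema and rows for the demonstration (not from the paper).
SETUP = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER);
INSERT INTO users VALUES (1, 'alice', 0), (2, 'bob', 1);
"""


def app_side_guard(value: str) -> str:
    """Naive application-layer 'prevention': double every single quote.

    It assumes an attacker has to break out of a string literal. That belief
    does not match how the DBMS parses a numeric comparison, where no quote
    is involved at all.
    """
    return value.replace("'", "''")


def build_query(user_id: str) -> str:
    # Numeric context: the value is interpolated without quotes.
    return "SELECT id, name FROM users WHERE id = " + app_side_guard(user_id)


def lookup_parameterized(conn: sqlite3.Connection, user_id: str):
    # The value travels separately from the statement, so it can never
    # change the statement's structure, whatever it contains.
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (user_id,)
    ).fetchall()


# Toy tokenizer: integer literal | string literal | word | single punctuation.
TOKEN_RE = re.compile(r"\s*(?:(\d+)|('(?:[^']|'')*')|([A-Za-z_][A-Za-z0-9_]*)|(\S))")


def structure(sql: str) -> tuple:
    """Reduce a query to its token-type skeleton.

    Literals collapse to LIT; keywords, identifiers and punctuation are kept.
    Two queries that differ only in their values share the same skeleton,
    while injected operators or clauses change it.
    """
    shape = []
    pos = 0
    while True:
        m = TOKEN_RE.match(sql, pos)
        if m is None:
            break
        num, string, word, punct = m.groups()
        if num is not None or string is not None:
            shape.append("LIT")
        elif word is not None:
            shape.append(word.upper())
        else:
            shape.append(punct)
        pos = m.end()
    return tuple(shape)


class ModelCheckingDB:
    """Stand-in for a check placed next to query execution (hypothetical design).

    Query shapes are learned from requests made with benign input; any later
    query whose shape is not in the model is refused before it runs.
    """

    def __init__(self) -> None:
        self.conn = sqlite3.connect(":memory:")
        self.conn.executescript(SETUP)
        self.models = set()

    def learn(self, sql: str) -> None:
        self.models.add(structure(sql))

    def execute(self, sql: str):
        if structure(sql) not in self.models:
            raise PermissionError("query shape not in model: " + sql)
        return self.conn.execute(sql).fetchall()


def demo():
    payload = "0 OR 1=1"          # no quote, so app_side_guard leaves it intact
    injected = build_query(payload)

    plain = sqlite3.connect(":memory:")
    plain.executescript(SETUP)
    leaked = plain.execute(injected).fetchall()      # every row comes back
    safe = lookup_parameterized(plain, payload)      # no row: payload is just a value

    db = ModelCheckingDB()
    db.learn(build_query("1"))                       # benign request defines the shape
    benign = db.execute(build_query("2"))            # same shape, allowed
    try:
        db.execute(injected)                         # extra OR/LIT/=/LIT tokens
        blocked = False
    except PermissionError:
        blocked = True
    return leaked, safe, benign, blocked


if __name__ == "__main__":
    print(demo())
```

The model-checking stand-in has a mismatch of its own: its toy tokenizer knows nothing of the DBMS's comment syntax, string escaping rules or implicit type conversions, so it can disagree with the real parser in exactly the way the abstract warns about. That is the argument for placing the check inside the DBMS, where the engine's own parse of the query is available, and for using parameterized queries such as `lookup_parameterized` at the application layer regardless.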

URL: http://doi.acm.org/10.1145/2857705.2857723
DOI: 10.1145/2857705.2857723
Citation Key: medeiros_hacking_2016