“Hacking the DBMS to Prevent Injection Attacks”
From Navigators
(Difference between revisions)
Line 3: | Line 3: | ||
|document=Document for Publication-CODASPY 2016.pdf | |document=Document for Publication-CODASPY 2016.pdf | ||
|title=Hacking the DBMS to Prevent Injection Attacks | |title=Hacking the DBMS to Prevent Injection Attacks | ||
- | |author=Ibéria Medeiros, Nuno Neves, Miguel Correia, | + | |author=Ibéria Medeiros, Nuno Ferreira Neves, Miguel Correia, |
|Project=Project:SEGRID, | |Project=Project:SEGRID, | ||
|ResearchLine=Fault and Intrusion Tolerance in Open Distributed Systems (FIT) | |ResearchLine=Fault and Intrusion Tolerance in Open Distributed Systems (FIT) | ||
Line 26: | Line 26: | ||
alternative approaches, causing also a low performance overhead | alternative approaches, causing also a low performance overhead | ||
in the order of 2.2%. | in the order of 2.2%. | ||
- | |||
|booktitle=Proceedings of the ACM Conference on Data and Applications Security and Privacy (CODASPY) | |booktitle=Proceedings of the ACM Conference on Data and Applications Security and Privacy (CODASPY) | ||
}} | }} |
Latest revision as of 08:04, 5 June 2016
Ibéria Medeiros, Nuno Ferreira Neves, Miguel Correia
in Proceedings of the ACM Conference on Data and Applications Security and Privacy (CODASPY), Mar. 2016.
Abstract: After more than a decade of research, web application security continues to be a challenge and the backend database the most appetizing target. The paper proposes preventing injection attacks against the database management system (DBMS) behind web applications by embedding protections in the DBMS itself. The motivation is twofold. First, the approach of embedding protections in operating systems and applications running on top of them has been effective to protect these applications. Second, there is a semantic mismatch between how SQL queries are believed to be executed by the DBMS and how they are actually executed, leading to subtle vulnerabilities in protection mechanisms. The approach – SEPTIC – was implemented in MySQL and evaluated experimentally with web applications written in PHP and Java/Spring. In the evaluation SEPTIC has shown neither false negatives nor false positives, on the contrary of alternative approaches, causing also a low performance overhead in the order of 2.2%.
Download paper
Download Hacking the DBMS to Prevent Injection Attacks
Export citation
Project(s): Project:SEGRID
Research line(s): Fault and Intrusion Tolerance in Open Distributed Systems (FIT)