“SEPTIC: Detecting Injection Attacks and Vulnerabilities Inside the DBMS”
From Navigators
(Difference between revisions)
(Created page with "{{Publication |type=article |title=SEPTIC: Detecting Injection Attacks and Vulnerabilities Inside the DBMS |author=Ibéria Medeiros, Miguel Beatriz, Nuno Ferreira Neves, Miguel C...") |
|||
| Line 2: | Line 2: | ||
|type=article | |type=article | ||
|title=SEPTIC: Detecting Injection Attacks and Vulnerabilities Inside the DBMS | |title=SEPTIC: Detecting Injection Attacks and Vulnerabilities Inside the DBMS | ||
| - | |author=Ibéria Medeiros, Miguel Beatriz, Nuno Ferreira Neves, Miguel Correia, | + | |author=Ibéria Medeiros, Miguel Beatriz, Nuno Ferreira Neves, Miguel Correia, |
| - | |Project=Project:SEAL, | + | |Project=Project:SEAL, |
|ResearchLine=Fault and Intrusion Tolerance in Open Distributed Systems (FIT) | |ResearchLine=Fault and Intrusion Tolerance in Open Distributed Systems (FIT) | ||
| + | |month=sep | ||
|year=2019 | |year=2019 | ||
|abstract=Databases continue to be the most commonly used backend storage in enterprises, but they are often integrated with vulnerable applications, such as web frontends, that allow injection attacks to be performed. The effectiveness of such attacks stems from a semantic mismatch between how SQL queries are believed to be executed and the actual way in which databases process them. This leads to subtle vulnerabilities in the way input validation is done in applications. We propose SEPTIC, a mechanism for DBMS attack prevention, which can also assist on the identification of the vulnerabilities in the applications. The mechanism was implemented in MySQL and evaluated experimentally with various applications and alternative protection approaches. Our results show no false negatives and no false positives with SEPTIC, on the contrary to other solutions. They also show that SEPTIC introduces a low performance overhead, in the order of 2.2% | |abstract=Databases continue to be the most commonly used backend storage in enterprises, but they are often integrated with vulnerable applications, such as web frontends, that allow injection attacks to be performed. The effectiveness of such attacks stems from a semantic mismatch between how SQL queries are believed to be executed and the actual way in which databases process them. This leads to subtle vulnerabilities in the way input validation is done in applications. We propose SEPTIC, a mechanism for DBMS attack prevention, which can also assist on the identification of the vulnerabilities in the applications. The mechanism was implemented in MySQL and evaluated experimentally with various applications and alternative protection approaches. Our results show no false negatives and no false positives with SEPTIC, on the contrary to other solutions. They also show that SEPTIC introduces a low performance overhead, in the order of 2.2% | ||
|journal=IEEE Transactions on Reliability | |journal=IEEE Transactions on Reliability | ||
| - | | | + | |volume=68 |
| + | |number=3 | ||
| + | |pages=1168 - 1188 | ||
}} | }} | ||
Latest revision as of 00:09, 18 September 2019
Ibéria Medeiros, Miguel Beatriz, Nuno Ferreira Neves, Miguel Correia
IEEE Transactions on Reliability, vol. 68, no. 3, pp. 1168 – 1188, Sept. 2019.
Abstract: Databases continue to be the most commonly used backend storage in enterprises, but they are often integrated with vulnerable applications, such as web frontends, that allow injection attacks to be performed. The effectiveness of such attacks stems from a semantic mismatch between how SQL queries are believed to be executed and the actual way in which databases process them. This leads to subtle vulnerabilities in the way input validation is done in applications. We propose SEPTIC, a mechanism for DBMS attack prevention, which can also assist on the identification of the vulnerabilities in the applications. The mechanism was implemented in MySQL and evaluated experimentally with various applications and alternative protection approaches. Our results show no false negatives and no false positives with SEPTIC, on the contrary to other solutions. They also show that SEPTIC introduces a low performance overhead, in the order of 2.2%
Export citation
Project(s): Project:SEAL
Research line(s): Fault and Intrusion Tolerance in Open Distributed Systems (FIT)
