“SEPTIC: Detecting Injection Attacks and Vulnerabilities Inside the DBMS”
IEEE Transactions on Reliability, vol. 68, no. 3, pp. 1168 – 1188, Sept. 2019.
Abstract: Databases continue to be the most commonly used backend storage in enterprises, but they are often integrated with vulnerable applications, such as web frontends, that allow injection attacks to be performed. The effectiveness of such attacks stems from a semantic mismatch between how SQL queries are believed to be executed and the actual way in which databases process them. This leads to subtle vulnerabilities in the way input validation is done in applications. We propose SEPTIC, a mechanism for DBMS attack prevention, which can also assist on the identification of the vulnerabilities in the applications. The mechanism was implemented in MySQL and evaluated experimentally with various applications and alternative protection approaches. Our results show no false negatives and no false positives with SEPTIC, on the contrary to other solutions. They also show that SEPTIC introduces a low performance overhead, in the order of 2.2%
Research line(s): Fault and Intrusion Tolerance in Open Distributed Systems (FIT)