Journal
IEEE TRANSACTIONS ON RELIABILITY
Volume 68, Issue 3, Pages 1168-1188Publisher
IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC
DOI: 10.1109/TR.2019.2900007
Keywords
DBMS self-protection; injection attacks; security; software security
Categories
Funding
- EC [FP7-607109]
- Fundacao para a Ciencia e a Tecnologia (FCT)/MCTES (PIDDAC)/FEDER [AAC-2/SAICT/2017-029058, UID/CEC/00408/2019, UID/CEC/50021/2019]
- Fundação para a Ciência e a Tecnologia [UID/CEC/00408/2019] Funding Source: FCT
Ask authors/readers for more resources
Databases continue to be the most commonly used backend storage in enterprises, but they are often integrated with vulnerable applications, such as web frontends, which allow injection attacks to be performed. The effectiveness of such attacks stems from a semantic mismatch between how SQL queries are believed to be executed and the actual way in which databases process them. This leads to subtle vulnerabilities in the way input validation is done in applications. In this paper, we propose SEPTIC, a mechanism for DBMS attack prevention, which can also assist on the identification of the vulnerabilities in the applications. The mechanism was implemented in MySQL and evaluated experimentally with various applications and alternative protection approaches. Our results show no false negatives and no false positives with SEPTIC, on the contrary to other solutions. They also show that SEPTIC introduces a low performance overhead, in the order of 2.2%.
Authors
I am an author on this paper
Click your name to claim this paper and add it to your profile.
Reviews
Recommended
No Data Available