Access Control Mechanism For Web Databases By Using Parameterized Cursor


Zahoor Jan, Muhammad Shah, Saeed Mahfooz, Azhar Rauf and Mohd Amir Khan
Department of Computer Science, University of Peshawar, Peshawar, Pakistan

ABSTRACT---Web applications have gained enormously in popularity by providing facilities online such as e-shopping, e-banking, e-ticketing and e-learning. As the use of web applications grows, attacks on them grow as well. Among these attack techniques, SQL Injection has emerged as one of the most dangerous threats to web applications. SQL Injection is mostly an attack on data-driven web applications: by supplying specially crafted input through web form fields, the attacker can read and modify the contents of the application's underlying database. This paper presents a technique for detecting and preventing SQL Injection. A parameterized cursor is used to implement the concept: the user's session information is passed as a parameter to the cursor, and if the user is authorized the cursor fetches the requested tuples, otherwise it fails to execute. The technique can easily be adopted and implemented on any platform and database. An example application was developed in Oracle Internet Developer Suite 10g and Oracle Database 10g to test its performance against SQL Injection.

Key words: SQL injection, parameterized cursor, web applications

I. INTRODUCTION

In today's world web applications are a basic need for every organization, company or business that wants to show its existence to the outside world. Web applications, especially data-driven ones, play an important role in expanding the business of companies of all kinds. Companies use web applications for online marketing, for storing customer, product and other sensitive information, for displaying different kinds of information depending on their requirements, and for generating reports for analysis and decision making. A number of solutions are available for the security/SQL Injection problem, but they compromise the performance of the system, which is not acceptable to the business. The solution proposed in this work is efficient enough to provide optimal protection from SQL Injection with the lowest compromise on performance. It also maintains information about the attacks made by attackers, so that precautionary measures can be taken. The rest of the paper is arranged as follows: Section II describes SQL Injection and its types in detail; some prevention techniques are explored in Section III; Section IV explains our technique in detail; Section V shows the performance comparison, and Section VI concludes the work.

II. RELATED WORK

Discussing web applications, [8] mentions that their use has increased over the past few years, and that not only their use but also their importance is growing. Web applications now provide more facilities to fulfil various kinds of customer needs, and the number of attacks on the web has increased as well; one such attack is SQL Injection. In [3] Finnigan defines SQL Injection as an attack technique that allows the attacker to obtain illegitimate access to databases through web applications, and to the important data stored in them. Web applications vulnerable to SQL Injection may, in several cases, permit the attacker to change the contents of the underlying database. In [7] Halfond et al. note, regarding the increasing number of vulnerable web applications, that the major cause of SQL Injection is inadequate validation of the input provided by the user. Researchers have made the SQL Injection attack technique very clear and well understood, but the problem still exists because of the lack of effective prevention techniques and countermeasures. In [9] Shen discusses one common type of SQL Injection, the tautology: the attacker injects malicious code into the WHERE clause of the SQL statement so that the condition always evaluates to true, and the result set includes all the contents of the database table. In [1] Bravenboer describes another type, the Union Query, which is also used to bypass authentication and extract data from the database. The UNION keyword merges two SQL statements in SQL and returns the data of both queries in one result set; the attacker injects a statement of the form UNION SELECT <part of injected query> and thereby obtains results from a table other than the one the programmer intended. Before attacking a web application, an attacker first checks whether it is vulnerable to SQL Injection. Buehrer in [2] describes this probing technique as a way of finding the injectable parameters of a web application through which malicious code can be placed to obtain illegitimate access to the database; it is often used to gather the preliminary information needed for other attacks. In this technique, incorrect code is injected to cause a type conversion, logical or syntax error in the database; database error messages are usually very descriptive and provide information that is useful to the attacker.

978-1-4244-6949-9/10/$26.00 ©2010 IEEE
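The tautology and UNION payloads described above, run against a query built by string concatenation and against the same query with bound parameters. This is an added example written for this page, not code from the paper; it uses Python's sqlite3 module on an in-memory database, the users and credit_cards rows are constructed for the example, and the function names are the example's own.

```python
"""Tautology and UNION injection against a string-built query, beside the
bound-parameter form.  Added example for this page (not from the paper);
the schema and rows below are constructed sample data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: a users table and a table the login form
    was never meant to expose."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'alice', 'alice-secret');
        INSERT INTO users VALUES (2, 'bob', 'bob-secret');
        CREATE TABLE credit_cards (id INTEGER PRIMARY KEY, owner TEXT, number TEXT);
        INSERT INTO credit_cards VALUES (1, 'alice', '4111-1111-1111-1111');
        INSERT INTO credit_cards VALUES (2, 'bob', '5500-0000-0000-0004');
        """
    )
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> list:
    """Injectable form: user input is pasted into the SQL text, so the input
    can change the structure of the query (its WHERE clause, or add a UNION)."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in con.execute(sql)]


def login_parameterized(con: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened form: the SQL text is fixed and the values are bound, so
    quotes, OR and UNION inside the input are data, never part of the query."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (username, password))]


TAUTOLOGY = "' OR '1'='1"                              # WHERE clause always true
UNION = "' UNION SELECT number FROM credit_cards --"   # second SELECT appended


def demo() -> dict:
    """Run both payloads through both forms and report what each one returns."""
    con = make_db()
    return {
        "vulnerable_tautology": login_vulnerable(con, "x", TAUTOLOGY),
        "vulnerable_union": login_vulnerable(con, "x", UNION),
        "parameterized_tautology": login_parameterized(con, "x", TAUTOLOGY),
        "parameterized_union": login_parameterized(con, "x", UNION),
        "parameterized_legit": login_parameterized(con, "alice", "alice-secret"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the concatenated query the tautology payload turns the condition into `(username = 'x' AND password = '') OR '1'='1'` and returns every user, and the UNION payload returns the credit card numbers; with bound parameters the same strings are simply compared against the password column and match nothing, while the legitimate credentials still work.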

III. PREVENTION TECHNIQUES

Researchers are continuously working on this very critical problem and a number of techniques have been proposed by the research community; a few of them are described here. Halfond [7] states that one of the important techniques for preventing SQL Injection vulnerabilities is input validation. Many SQL Injection attacks are executed by injecting malicious code through an unchecked input parameter; input validation is therefore an important step in securing applications, and simple validation of input parameters can prevent many SQL Injection attacks. According to [5], the range of code-based techniques proposed by researchers is mostly effective against SQL Injection, but these techniques cannot make an application completely secure and stop all attacks, since attackers keep changing their methods, continually finding new ways to attack or amending their old ones. AMNESIA [6] is a model-based approach that combines static analysis with dynamic runtime monitoring. It intercepts every query before it is sent to the database and checks it against models built statically; queries that violate the static models are treated as SQL Injection attacks and are prevented from executing. The primary limitation of this technique is that its success depends on the accuracy of the static analysis used to build the query models [7]. SQLGUARD [2] and SQLCHECK [10] are similar to AMNESIA: both check queries at run time and compare them with an expected model. In SQLGUARD a class is used to build two parse trees, the first with unpopulated user tokens and the second populated with the user input, and the two are compared for matching structure. In SQLCHECK each input is augmented with meta-characters and SQLCHECK attempts to parse the augmented query generated by the application; if the parse succeeds the query is sent to the database without the meta-characters, otherwise it is blocked. Halfond [7] describes the major limitation of these two approaches: both use a secret key to delimit the input provided by the user, which means that the security of both techniques depends on the safety of the key, and the technique is secure only as long as the attacker does not discover it. The second limitation is that in both techniques developers have to write code to use an intermediate library or make special changes to the code manually, while the user input is still embedded in a dynamically generated query. Gudes and Roichman [4] suggest a new way of dealing with the SQL Injection problem: a parameter method implemented at the database level rather than at the application level. The parameter method allows the identity of the user working with the database to be transferred to the database itself and not only to the application. In this technique a user session is maintained and stored in a database table along with other necessary information such as user id, username and password. The technique also introduces parameterized views, which take the user's session information as a parameter, execute the sub-query associated with the view and return the result.

IV. PROPOSED TECHNIQUE

SQL Injection is one of the serious security concerns for web databases. A number of techniques, as discussed earlier, have been proposed by researchers to solve this problem, but very few of them are good enough to protect the backend database. On one hand these solutions are complicated to understand and difficult to implement; on the other hand they degrade performance. There is always a trade-off between security and performance, but we must keep in mind that we are going online, and if a valued customer who wants to retrieve some information has to wait too long, we lose the business. This is not acceptable to any organization, so both security and performance are required at an optimal level. To address both concerns we propose a new method of accessing web databases with optimal security and enhanced performance. In this research we use the fine-grained access method with the help of a parameterized cursor, applied in such a way that the security and performance overheads are overcome together.

For experimental purposes we selected the data of a real-time database. The data set has more than 15 objects and the size of the database is 5 GB. The results are compared with other techniques in both security and performance. No direct queries are executed on the database by any user, authorized or unauthorized. The user's session information is passed as a parameter to the cursor; if the user is valid and authorized to perform the desired task the query is executed, otherwise the query fails to execute. The blocks used in this implementation are control blocks (Oracle Forms blocks that are not based on a database table), which means that they cannot communicate with the database directly, so no user connected over the web can read the database or manipulate it with malicious data except through the defined process. A cursor is a named area in memory that holds the rows returned by a query. There are two types of cursor: implicit cursors are built in, while explicit cursors are user-defined and the user has full control over their use. Using a cursor is a five-step process, as shown in Fig. 1.

Figure 1: Block Diagram of Cursor internal process.

The first step is to declare the cursor; in the second step the cursor is opened for normal operation, and in the next step the data is fetched from the cursor. Fetching continues until the last record is found, and at the end the cursor is closed properly. We must be careful when using cursors, because an open cursor that is not closed properly may degrade performance. The parameter method allows the identity of the user working with the web database to be transferred to the backend database, and not only to the application. In this technique a user session is maintained and stored in a database table together with other necessary information such as user id, username, password and date of login. The session is passed as a parameter to the cursor whenever the user queries the database. If the user is authenticated by this process the query is executed; otherwise it fails and reports that an SQL Injection attack has occurred. Because all the user's information is stored in the database, the attempt can be identified and further precautionary measures taken. Fig. 2 shows the whole picture: in this block diagram the user input, whatever it is, is stored in the database along with the session and date of login, and this session information is passed to the cursor for further processing whenever there is a request to retrieve or modify data in the database.

Figure 2: Block Diagram of the Fine-grain access method using Parameterized Cursor.

As the blocks used in this implementation are control blocks and not data blocks, no user can do anything directly with the database without following the defined process. Suppose a user logs in to the website successfully and requests certain information. The session information is passed to the cursor as a parameter, and on the basis of this session information the credentials provided by the user are checked against the credentials defined for that user. If they match, the query is executed and the desired information is returned to the user; otherwise a message is shown to the attacker that SQL Injection has occurred and no task can be performed on the database. As far as the security of the proposed technique is concerned, it is strong enough to restrict the execution of any SQL query by an unauthorized user; it provides the same level of security as [4].

A) Auditing

One of the additional benefits of our technique is that it maintains an audit log. Every user who tries to connect to the application, whether valid or not, is recorded in the database, and this information is not deleted after the user logs off, so it can be used for auditing as well: we can identify how many times attackers have attacked the database and take precautionary measures to protect it, as shown in Fig. 3.

Figure 3: Details of all users who tried to access the database.
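The session-parameterized access path of Section III ([4]'s parameterized views) and Section IV, together with the audit log of Fig. 3, as an added example written for this page rather than the paper's own Oracle Forms/PL/SQL implementation. Python's sqlite3 stands in for Oracle Database 10g; the tables (users, sessions, orders, access_log), the session ids and the rows are all constructed for the example, and ORDERS_FOR_SESSION plays the role of the parameterized cursor: its SQL text is fixed, and the caller's session id and search term reach it only as bound values.

```python
"""Session-gated data access through a fixed, bound-parameter query, with an
audit log of every attempt.  Added example for this page, not the paper's
Oracle Forms/PL/SQL code; schema, session ids and rows are constructed."""
import sqlite3
from datetime import datetime, timezone


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: users, their sessions, the orders the
    application serves, and the audit table of Fig. 3."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT);
        CREATE TABLE sessions (session_id TEXT PRIMARY KEY, user_id INTEGER,
                               login_date TEXT, active INTEGER);
        CREATE TABLE orders (order_id INTEGER PRIMARY KEY, user_id INTEGER, item TEXT);
        CREATE TABLE access_log (id INTEGER PRIMARY KEY, session_id TEXT,
                                 raw_input TEXT, outcome TEXT, at TEXT);
        INSERT INTO users VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO sessions VALUES ('sess-alice', 1, '2010-01-01T09:00:00Z', 1);
        INSERT INTO sessions VALUES ('sess-bob', 2, '2010-01-01T09:05:00Z', 1);
        INSERT INTO sessions VALUES ('sess-bob-old', 2, '2009-12-31T08:00:00Z', 0);
        INSERT INTO orders VALUES (10, 1, 'book'), (11, 1, 'pen'), (12, 2, 'lamp');
        """
    )
    return con


# Stand-in for the paper's parameterized cursor: the SQL text is fixed here,
# and the only way input reaches it is through the two bound values.  Joining
# through sessions ties every row to the session presented, so a caller sees
# the orders of exactly one user, the one the session belongs to.
ORDERS_FOR_SESSION = """
    SELECT o.order_id, o.item
      FROM orders o
      JOIN sessions s ON s.user_id = o.user_id
     WHERE s.session_id = ? AND s.active = 1 AND o.item LIKE ?
     ORDER BY o.order_id
"""


def session_is_valid(con: sqlite3.Connection, session_id: str) -> bool:
    """Authentication step: the session must exist and still be active."""
    row = con.execute(
        "SELECT active FROM sessions WHERE session_id = ?", (session_id,)
    ).fetchone()
    return row is not None and row[0] == 1


def log_attempt(con: sqlite3.Connection, session_id: str, raw_input: str, outcome: str) -> None:
    """Store whatever the caller sent, verbatim, with session and time (Fig. 2)."""
    con.execute(
        "INSERT INTO access_log (session_id, raw_input, outcome, at) VALUES (?, ?, ?, ?)",
        (session_id, raw_input, outcome, datetime.now(timezone.utc).isoformat()),
    )


def fetch_orders(con: sqlite3.Connection, session_id: str, item_filter: str):
    """Open the 'cursor' for a session: refuse unknown or inactive sessions
    before any data query runs, otherwise run the fixed query with both
    values bound.  Returns (rows, outcome)."""
    if not session_is_valid(con, session_id):
        log_attempt(con, session_id, item_filter, "REJECTED: no active session")
        return [], "rejected"
    rows = con.execute(ORDERS_FOR_SESSION, (session_id, item_filter)).fetchall()
    log_attempt(con, session_id, item_filter, "OK")
    return rows, "ok"


def audit_rejections(con: sqlite3.Connection) -> list:
    """The Fig. 3 view: every attempt that did not pass the session check."""
    return con.execute(
        "SELECT session_id, raw_input FROM access_log WHERE outcome <> 'OK' ORDER BY id"
    ).fetchall()


def demo() -> dict:
    con = make_db()
    return {
        "alice_all": fetch_orders(con, "sess-alice", "%"),
        # Tautology payload: bound as a LIKE pattern, it matches no item.
        "alice_tautology": fetch_orders(con, "sess-alice", "%' OR '1'='1"),
        # Another user's active session sees only that user's rows.
        "bob_all": fetch_orders(con, "sess-bob", "%"),
        # An inactive (logged-out) session is refused before any data query.
        "bob_old": fetch_orders(con, "sess-bob-old", "%"),
        # A forged session id is refused and recorded.
        "forged": fetch_orders(con, "sess-nobody", "%"),
        "rejections": audit_rejections(con),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

What blocks injection here is the bound parameter, not the session check: the cursor's SQL is parsed once with placeholders, so the tautology payload is compared as a LIKE pattern instead of being spliced into the WHERE clause. The session join then supplies the fine-grained authorization, and the verbatim raw_input column gives the audit trail. Two practitioner caveats the paper does not spell out: the session table should hold a random session token and, at most, a password hash, never the password itself as in Fig. 2; and if the cursor body were built by concatenating strings into dynamic SQL (EXECUTE IMMEDIATE in PL/SQL), the injection would return regardless of the session check.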

V. PERFORMANCE OVERVIEW

Performance is one of the serious concerns for a web database; nobody will wait a long time to extract the desired information over the web, so the system must be efficient enough to retain customers with prompt responses and optimal security. In this section we compare the performance of our technique with parameterized views, achieving a 75% performance gain, as shown in Fig. 4. The concept of parameterized views proposed in [4] had not yet been implemented by any DBMS; we implemented it with the help of a parameterized function.

[Figure 4 chart: Time (sec) against Total # of rows, from 100000 to 900000, for the View and Cursor series.]

Figure 4: Performance enhancement chart in comparison with Parameterized Views.

VI. CONCLUSION AND FUTURE WORK

SQL Injection is one of the serious security issues for organizations and businesses operating on the web. Secrecy of data is very important for the success of any business, whether it operates on the web or not. The web is open to all, but we want only authentic users to access the data and perform authorized activities, with no compromise on performance. There is always a trade-off between security and performance. A number of solutions are available for the security/SQL Injection problem at the cost of performance, which is not acceptable to the business. The solution proposed in this work is efficient enough to provide optimal protection from SQL Injection with the lowest compromise on performance. It also maintains information about the attacks made by attackers, so that precautionary measures can be taken. In future work we will enhance the performance of this technique to its optimal level and extend it to other attack techniques as well.

REFERENCES

[1] Bravenboer, M., Dolstra, E., and Visser, E. (2007). Preventing injection attacks with syntax embeddings. In Proceedings of the 6th International Conference on Generative Programming and Component Engineering (Salzburg, Austria, October 01-03, 2007). GPCE '07. ACM, New York, pages 3-12.
[2] Buehrer, G., Weide, B. W., and Sivilotti, P. A. (2005). Using parse tree validation to prevent SQL injection attacks. In Proceedings of the 5th International Workshop on Software Engineering and Middleware (Lisbon, Portugal, September 05-06, 2005). SEM '05. ACM, New York, pages 106-113.
[3] Finnigan, P. (2002). SQL Injection and Oracle, Part One.
[4] Gudes, E. and Roichman, A. (2007). Fine-grained Access Control to Web Databases. In Proceedings of the 12th ACM Symposium on Access Control Models and Technologies (SACMAT '07).
[5] Halfond, W. G. and Orso, A. (2005). Combining static analysis and runtime monitoring to counter SQL-injection attacks. SIGSOFT Software Engineering Notes 30, 4 (Jul. 2005), pages 1-7.
[6] Halfond, W. G. and Orso, A. (2005). AMNESIA: analysis and monitoring for neutralizing SQL-injection attacks. In Proceedings of the 20th IEEE/ACM International Conference on Automated Software Engineering (Long Beach, CA, USA, November 07-11, 2005). ASE '05. ACM, New York.
[7] Halfond, W. G., Viegas, J., and Orso, A. (2006). A classification of SQL injection attacks and countermeasures.
[8] Kemalis, K. and Tzouramanis, T. (2008). SQL-IDS: a specification-based approach for SQL-injection detection. In Proceedings of the 2008 ACM Symposium on Applied Computing (Fortaleza, Brazil, March 16-20, 2008). SAC '08. ACM, New York, pages 2153-2158.
[9] Shen, K., Zhong, M., Dwarkadas, S., Li, C., Stewart, C., and Zhang, X. (2008). Hardware counter driven on-the-fly request signatures. In Proceedings of the 13th International Conference on Architectural Support for Programming Languages and Operating Systems (Seattle, WA, USA, March 01-05, 2008). ACM, New York, pages 189-200.
[10] Su, Z. and Wassermann, G. (2006). The essence of command injection attacks in web applications. SIGPLAN Notices 41, 1 (Jan. 2006), pages 372-382.
