Abstract

SQL injection attacks (SQLIAs) use maliciously crafted SQL input to force a web application to behave differently from what its queries were designed to do. Several researchers have developed intrusion prevention techniques based on input validation, learning, or static analysis. A weakness of these techniques is that they focus primarily on identifying malicious input, but not the output. To address this weakness, we develop a policy-based type checking approach that first identifies all the database access points, then uses security policies to enforce each of them. The novelty of our approach, as compared to other SQLIA prevention techniques, is that it focuses on the meaning of the query and the necessary information sent between the program and the database. An interesting aspect of our technique is that when the policies are integrated with the control flow graphs of users of different privilege levels, it can significantly increase the precision of prevention. To evaluate the effectiveness and the performance of our system, we implemented a prototype system, which was tested with real SQL attacks. We demonstrate that our approach is robust enough and holds promise for more precise detection.

Speaker Bio

Anyi Liu is a Ph.D. student in the Department of Information and Software Engineering/Computer Science at George Mason University. He received a BS and MS in Computer Science from Dalian University of Technology, China, in 1997 and 2001, respectively. He is now pursuing a Ph.D. in Information Technologies from George Mason University. His research interests include information security, intrusion detection/prevention, and security issues of web applications.