Determine Exact Database Access Control Permissions - PowerPoint PPT Presentation

1
Determine Exact Database Access Control Permissions
  • Project Proposal for CS 590F
  • K R Jayaram

2
Problem
  • To statically analyze a web application's dynamic
    SQL query generation components and identify the
    database access privileges the web application
    actually requires
  • The output can then be used to grant the
    application only the requisite access
    (application-specific access control), which can
    prevent some (not all) SQL injection attacks

3
Definitions
  • Example: a (server-side) web application
  • Written in Java
  • Accesses the database (to check a password, for
    example) through dynamically generated SQL queries
    issued over the JDBC interface
  • SQL injection attacks occur in web applications
    when SQL fragments are entered where legitimate
    input is expected.
  • Example
  • Query: select * from accounts where name = 'input1'
    and password = 'input2'
  • select * from accounts where name = 'badguy' and
    password = '' OR 'a' = 'a'

4
Plan (First attempt)
  • Leverage existing work on static analysis of Java
    string expressions:
  • Precise Analysis of String Expressions,
    Christensen, Moller et al., SAS 2003
  • Java String Analyzer (JSA), http://www.brics.dk/JSA/
  • Use JSA to get the possible values of dynamically
    generated SQL strings
  • Represent them as a finite automaton, as in
  • Static Checking of Dynamically Generated Queries
    in Database Applications, Gould, Su and Devanbu,
    ICSE 2004
  • Use the automaton to extract the access privileges
    each query requires.
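As an added worked example (not from the slides, JSA, or the cited papers) of the last step, the code below extracts the privileges a set of query templates requires and emits the corresponding least-privilege grants, then checks the tautology query from slide 3 against those grants. The query templates, the role name `webapp`, the `audit_log` table and the simplified statement-to-privilege mapping are all constructed assumptions; a real analysis would take the templates from the automaton rather than from a hard-coded list.

```python
import re
from typing import NamedTuple

# Simplified mapping from statement kind to the privilege it needs on the
# tables it touches. Assumed for this example; real DBMS privilege models
# (column grants, views, stored procedures) are finer-grained.
STMT_PRIVILEGE = {"select": "SELECT", "insert": "INSERT",
                  "update": "UPDATE", "delete": "DELETE"}

# Where each statement kind names its target table.
_TABLE_RE = {
    "select": re.compile(r"\bfrom\s+([A-Za-z_]\w*)", re.I),
    "delete": re.compile(r"\bfrom\s+([A-Za-z_]\w*)", re.I),
    "insert": re.compile(r"\binto\s+([A-Za-z_]\w*)", re.I),
    "update": re.compile(r"\bupdate\s+([A-Za-z_]\w*)", re.I),
}


class Privilege(NamedTuple):
    action: str
    table: str


def strip_literals(sql: str) -> str:
    """Replace single-quoted string literals (SQL '' escaping honoured) with
    '?' so keywords inside user-supplied data cannot confuse table extraction."""
    return re.sub(r"'(?:[^']|'')*'", "'?'", sql)


def required_privileges(sql: str) -> set:
    """Approximate the privileges a (possibly multi-statement) query needs."""
    privs = set()
    for stmt in strip_literals(sql).split(";"):
        stmt = stmt.strip()
        if not stmt:
            continue
        kind = stmt.split(None, 1)[0].lower()
        if kind not in STMT_PRIVILEGE:
            # Statement kinds outside the DML we model (DDL, grants, ...) are
            # reported by keyword so they stand out in the result.
            privs.add(Privilege(kind.upper(), "*"))
            continue
        for table in _TABLE_RE[kind].findall(stmt):
            privs.add(Privilege(STMT_PRIVILEGE[kind], table.lower()))
    return privs


def app_privileges(templates) -> set:
    """Union of privileges over all query templates the string analysis found."""
    return set().union(*(required_privileges(t) for t in templates))


def grant_statements(privs, role: str) -> list:
    """Least-privilege GRANTs for an application-specific database role."""
    return sorted(f"GRANT {p.action} ON {p.table} TO {role};" for p in privs)


def within_grants(sql: str, granted) -> bool:
    """Would this query run under the privileges granted to the app role?"""
    return required_privileges(sql) <= set(granted)


# Constructed sample: the query templates a JSA-style string analysis would
# report for the application's JDBC call sites; '?' marks user-controlled data.
APP_QUERY_TEMPLATES = [
    "select * from accounts where name = '?' and password = '?'",
    "update accounts set last_login = '?' where name = '?'",
]

# The tautology from slide 3, as the query the application would actually build.
TAUTOLOGY_QUERY = ("select * from accounts where name = 'badguy' "
                   "and password = '' OR 'a' = 'a'")

if __name__ == "__main__":
    granted = app_privileges(APP_QUERY_TEMPLATES)
    for g in grant_statements(granted, "webapp"):
        print(g)
    # True: the tautology needs only SELECT on accounts, which the
    # application legitimately has. Least privilege limits what an injected
    # query can reach, but does not stop injections that stay inside the
    # application's own privileges.
    print(within_grants(TAUTOLOGY_QUERY, granted))
    # False: a query touching a table the application never uses.
    print(within_grants("select * from audit_log", granted))
```

The `within_grants` result for the tautology query is the "some (not all)" caveat from slide 2 made concrete: a login-bypass query needs exactly the privilege the login code itself needs, so a privilege grant cannot distinguish them; what the grant does rule out is any injected statement that reaches tables or operations the application never uses.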

5
Related Work
  • AMNESIA: Analysis and Monitoring for NEutralizing
    SQL-Injection Attacks, Halfond and Orso, ASE 2005
  • The Essence of Command Injection Attacks in Web
    Applications, Su and Wassermann, POPL 2006

6
Questions?