Team for Research in
Ubiquitous Secure Technology

SENTINEL: securing database from logic flaws in web applications
Xiaowei Li, Wei Yan, Yuan Xue

Citation
Xiaowei Li, Wei Yan, Yuan Xue. "SENTINEL: securing database from logic flaws in web applications". Proceedings of the second ACM conference on Data and Application Security and Privacy, 2012.

Abstract
Logic flaws within web applications allow attackers to disclose or tamper with sensitive information stored in back-end databases, since the web application usually acts as the single trusted user that interacts with the database. In this paper, we model the web application as an extended finite state machine and present a black-box approach for deriving the application specification and detecting malicious SQL queries that violate the specification. Several challenges arise, such as how to extract persistent state information in the database and infer data constraints. We systematically extract a set of invariants from observed SQL queries and responses, as well as session variables, as the application specification. Any suspicious SQL queries that violate corresponding invariants are identified as potential attacks. We implement a prototype detection system SENTINEL (SEcuriNg daTabase from logIc flaws iN wEb appLication) and evaluate it using a set of real-world web applications. The experimental results demonstrate the effectiveness of our approach and show that acceptable performance overhead is incurred by our implementation.
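The abstract describes the core mechanism in one sentence: invariants are learned from benign (session variables, SQL query, response) observations, and a query that breaks one of them is flagged. The following toy monitor is an added illustration of that idea and is not SENTINEL's code; the query templating, the two invariant kinds (literal slot bound to a session variable; response size bounded by the training maximum), the session variable names and the traffic are all constructed for the example.

```python
"""Toy version of the invariant idea in the abstract: observe benign
(session variables, SQL query, response) triples, learn which query
literals are tied to which session variables, then flag queries that
break those ties.  Added illustration, not the SENTINEL code; the
query shapes, session variable names and traffic are constructed."""
import re
from dataclasses import dataclass

# Matches single-quoted strings (with '' escapes) or bare integers.
LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+\b")


def templatize(sql):
    """Replace literals with '?' so queries differing only in data share a template.

    Returns (template, [literal values as strings]).
    """
    literals = []

    def sub(match):
        tok = match.group(0)
        literals.append(tok[1:-1].replace("''", "'") if tok.startswith("'") else tok)
        return "?"

    return LITERAL.sub(sub, " ".join(sql.split())), literals


@dataclass
class TemplateSpec:
    # Per literal slot: session variables whose value equalled the literal
    # in every training observation (empty set = unconstrained slot).
    bound_vars: list
    # Largest response size seen in training (a crude response invariant).
    max_rows: int = 0


class InvariantMonitor:
    def __init__(self):
        self.specs = {}  # template -> TemplateSpec

    def train(self, session, sql, rows):
        """Record one benign observation; invariants are intersected across observations."""
        template, literals = templatize(sql)
        candidates = [{k for k, v in session.items() if str(v) == lit} for lit in literals]
        spec = self.specs.get(template)
        if spec is None:
            self.specs[template] = TemplateSpec(candidates, rows)
        else:
            spec.bound_vars = [old & new for old, new in zip(spec.bound_vars, candidates)]
            spec.max_rows = max(spec.max_rows, rows)

    def check(self, session, sql, rows=None):
        """Return the list of violated invariants (empty list means the query conforms)."""
        template, literals = templatize(sql)
        spec = self.specs.get(template)
        if spec is None:
            return [f"unknown query template: {template}"]
        violations = []
        for slot, (lit, bound) in enumerate(zip(literals, spec.bound_vars)):
            for var in sorted(bound):
                if str(session.get(var)) != lit:
                    violations.append(
                        f"slot {slot} = {lit!r} but session[{var!r}] = {session.get(var)!r}")
        if rows is not None and rows > spec.max_rows:
            violations.append(f"response of {rows} rows exceeds training maximum {spec.max_rows}")
        return violations


def trained_monitor():
    """Monitor trained on constructed benign traffic from two logged-in users."""
    m = InvariantMonitor()
    benign = [
        ({"uid": 7, "role": "user"}, "SELECT * FROM orders WHERE user_id = 7", 2),
        ({"uid": 9, "role": "user"}, "SELECT * FROM orders WHERE user_id = 9", 1),
        ({"uid": 7, "role": "user"}, "UPDATE users SET email = 'a@example.org' WHERE id = 7", 1),
        ({"uid": 9, "role": "user"}, "UPDATE users SET email = 'b@example.org' WHERE id = 9", 1),
    ]
    for session, sql, rows in benign:
        m.train(session, sql, rows)
    return m


if __name__ == "__main__":
    m = trained_monitor()
    # Logic flaw: user 7 tampers with a request parameter to read user 9's orders.
    print(m.check({"uid": 7, "role": "user"}, "SELECT * FROM orders WHERE user_id = 9", rows=1))
    # Benign request for comparison.
    print(m.check({"uid": 7, "role": "user"}, "SELECT * FROM orders WHERE user_id = 7", rows=2))
```

The training set deliberately contains the same template issued by two different users: intersecting the candidate bindings across observations is what separates a genuine invariant (`user_id` always equals the session's `uid`) from a coincidence, and it is also why a slot such as the new email address ends up unconstrained. The response-size bound is only checkable after the query runs, which is the practical caveat behind learning from responses as well as queries.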

Citation formats  
  • HTML
    Xiaowei Li, Wei Yan, Yuan Xue. <a
    href="http://www.truststc.org/pubs/884.html"
    >SENTINEL: securing database from logic flaws in web
    applications</a>, Proceedings of the second ACM
    conference on Data and Application Security and Privacy,
    2012.
  • Plain text
    Xiaowei Li, Wei Yan, Yuan Xue. "SENTINEL: securing
    database from logic flaws in web applications".
    Proceedings of the second ACM conference on Data and
    Application Security and Privacy, 2012.
  • BibTeX
    @inproceedings{LiYanXue12_SENTINELSecuringDatabaseFromLogicFlawsInWebApplications,
        author = {Xiaowei Li and Wei Yan and Yuan Xue},
        title = {SENTINEL: securing database from logic flaws in
                  web applications},
        booktitle = {Proceedings of the second ACM conference on Data
                  and Application Security and Privacy},
        year = {2012},
        abstract = {Logic flaws within web applications allow
                  attackers to disclose or tamper with sensitive
                  information stored in back-end databases, since
                  the web application usually acts as the single
                  trusted user that interacts with the database. In
                  this paper, we model the web application as an
                  extended finite state machine and present a
                  black-box approach for deriving the application
                  specification and detecting malicious SQL queries
                  that violate the specification. Several challenges
                  arise, such as how to extract persistent state
                  information in the database and infer data
                  constraints. We systematically extract a set of
                  invariants from observed SQL queries and
                  responses, as well as session variables, as the
                  application specification. Any suspicious SQL
                  queries that violate corresponding invariants are
                  identified as potential attacks. We implement a
                  prototype detection system SENTINEL (SEcuriNg
                  daTabase from logIc flaws iN wEb appLication) and
                  evaluate it using a set of real-world web
                  applications. The experimental results demonstrate
                  the effectiveness of our approach and show that
                  acceptable performance overhead is incurred by our
                  implementation.},
        URL = {http://www.truststc.org/pubs/884.html}
    }
    

Posted by Mary Stewart on 4 Apr 2012.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.