Web Application Security; Penetration Testing; Software Testing
Abstract:
Security testing is a pivotal activity in engineering secure software. It consists of two phases: generating attack inputs to test the system, and assessing whether test executions expose any vulnerabilities. The latter phase is known as the security oracle problem.
In this work, we present SOFIA, a Security Oracle for SQL-Injection Vulnerabilities. SOFIA is programming-language and source-code independent, and can be used with various attack generation tools. Moreover, because it does not rely on known attacks for learning, SOFIA is meant to also detect types of SQLi attacks that might be unknown at learning time. The oracle challenge is recast as a one-class classification problem where we learn to characterise legitimate SQL statements to accurately distinguish them from SQLi attack statements.
We have carried out an experimental validation on six applications, among which two are large and widely-used. SOFIA was used to detect real SQLi vulnerabilities with inputs generated by three attack generation tools. The obtained results show that SOFIA is computationally fast and achieves a recall rate of 100% (i.e., missing no attacks) with a low false positive rate (0.6%).
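As an added illustration of the one-class idea in the abstract (this is not SOFIA's code and does not reproduce the paper's algorithm): an oracle that learns only from legitimate SQL statements, abstracts data values away so that only the statement's shape remains, and flags any statement whose shape was never observed during learning. Because nothing about attacks is learned, an attack shape does not need to be known in advance to be caught. All statements, table and column names below are constructed sample data; the exact-template matching is a deliberately simple stand-in for the structural comparison a production oracle would use, and the false positive it produces on an unseen-but-legitimate query shows why the learning set must cover the application's real query shapes.

```python
"""
Minimal one-class security oracle for SQL statements.

Added example, not SOFIA's implementation. Legitimate statements are reduced
to a "template" in which every literal value is replaced by a placeholder;
the set of templates seen during learning is the only model. At test time a
statement whose template is unknown is reported as a (suspected) attack.
"""
import re
from typing import Iterable, Set, Tuple

# One token per match: quoted literal ('' escapes a quote), number,
# keyword/identifier, multi-character operator or comment marker, or any
# other single symbol.
_TOKEN_RE = re.compile(
    r"'(?:[^']|'')*'"
    r"|\d+(?:\.\d+)?"
    r"|[A-Za-z_][A-Za-z_0-9]*"
    r"|<=|>=|<>|!=|\|\||--|/\*|\*/"
    r"|\S"
)


def template(sql: str) -> Tuple[str, ...]:
    """Abstract a statement to its shape: literals become placeholders,
    keywords and identifiers are case-folded, punctuation is kept as-is."""
    shape = []
    for tok in _TOKEN_RE.findall(sql):
        if tok.startswith("'"):
            shape.append("<STR>")
        elif tok[0].isdigit():
            shape.append("<NUM>")
        elif tok[0].isalpha() or tok[0] == "_":
            shape.append(tok.upper())
        else:
            shape.append(tok)
    return tuple(shape)


class OneClassSqlOracle:
    """Learns from legitimate statements only; no attack examples needed."""

    def __init__(self) -> None:
        self._known: Set[Tuple[str, ...]] = set()

    def fit(self, legitimate: Iterable[str]) -> "OneClassSqlOracle":
        for sql in legitimate:
            self._known.add(template(sql))
        return self

    def is_attack(self, sql: str) -> bool:
        # Any shape not seen during learning is reported.
        return template(sql) not in self._known


def evaluate(oracle: OneClassSqlOracle, legit: list, attacks: list) -> Tuple[float, float]:
    """Return (recall, false positive rate) over labelled test statements."""
    if not legit or not attacks:
        raise ValueError("need at least one legitimate and one attack statement")
    true_pos = sum(oracle.is_attack(s) for s in attacks)
    false_pos = sum(oracle.is_attack(s) for s in legit)
    return true_pos / len(attacks), false_pos / len(legit)


# Constructed sample data for a hypothetical shop application.
TRAINING = [
    "SELECT id, name FROM users WHERE name = 'alice'",
    "SELECT id, name FROM users WHERE name = 'bob'",
    "SELECT * FROM products WHERE price < 10.50 AND category = 'books'",
    "UPDATE users SET last_login = '2016-09-05' WHERE id = 42",
    "INSERT INTO orders (user_id, total) VALUES (7, 99.99)",
]
LEGIT_TEST = [
    "SELECT id, name FROM users WHERE name = 'O''Brien'",  # escaped quote stays one literal
    "SELECT * FROM products WHERE price < 200 AND category = 'toys'",
    "SELECT id, name FROM users WHERE email = 'carol@example.com'",  # unseen column: false positive
]
ATTACK_TEST = [
    "SELECT id, name FROM users WHERE name = '' OR '1'='1'",  # tautology in string context
    "UPDATE users SET last_login = '2016-09-05' WHERE id = 42 OR 1=1",  # tautology in numeric context
    "SELECT * FROM products WHERE price < 10 UNION SELECT name FROM users",  # union query
]

if __name__ == "__main__":
    oracle = OneClassSqlOracle().fit(TRAINING)
    for sql in LEGIT_TEST + ATTACK_TEST:
        print("ATTACK " if oracle.is_attack(sql) else "ok     ", sql)
    recall, fpr = evaluate(oracle, LEGIT_TEST, ATTACK_TEST)
    print(f"recall={recall:.2f} false_positive_rate={fpr:.2f}")
```

On the constructed data every attack-shaped statement is caught (recall 1.0) while one legitimate query with a column never seen in learning is wrongly flagged (false positive rate 1/3); the remedy is a learning set that exercises all of the application's query shapes, which is what an oracle of this kind relies on in practice.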
Research centre:
ULHPC - University of Luxembourg: High Performance Computing
Disciplines:
Computer science
Author, co-author:
CECCATO, Mariano ; Fondazione Bruno Kessler
NGUYEN, Duy Cu ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
APPELT, Dennis ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
BRIAND, Lionel ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
External co-authors:
yes
Document language:
English
Title:
SOFIA: An Automated Security Oracle for Black-Box Testing of SQL-Injection Vulnerabilities
Publication date:
2016
Event name:
31st IEEE/ACM International Conference on Automated Software Engineering (ASE 2016)
Event date:
from 05-09-2016 to 07-09-2016
Event scope:
International
Title of the main work:
Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering
Peer reviewed:
Peer reviewed
Focus Area:
Security, Reliability and Trust
FNR project:
FNR4800382 - Black-box Security Testing For Web Applications And Services, 2012 (01/10/2012-30/06/2016) - Dennis Appelt
Funding body:
FNR - Fonds National de la Recherche FBK Mobility project