000000167 001__ 167
000000167 005__ 20130522141945.0
000000167 037__ $$aLERSSE-THESIS-2008-005
000000167 041__ $$aeng
000000167 100__ $$aFabrizio Monticelli
000000167 245__ $$aCreation and Evaluation of SQL Injection Security Tools
000000167 260__ $$c2008-11-03
000000167 300__ $$a184p
000000167 520__ $$aThis work summarizes our research on the topic of the creation and evaluation of security tools against SQL injection attacks (SQLIAs). We briefly introduce the key concepts and problems of information security and present the major role that SQL injection plays in this scenario. Based on the above analysis and on today's computer security state of the art, we focus our research on the specific field of SQLIAs, which are still one of the most exploited and dangerous intrusion techniques used to access web applications. More precisely, we address both the problems of (1) how to completely evaluate SQLIA security systems in order to achieve useful results and subsequently a better level of security, by proposing a novel evaluation methodology, and (2) how to be safe from SQLIAs by creating and presenting, as a case study of our evaluation procedure, an effective tool for detecting and preventing known as well as new SQL injection attacks. The proposed evaluation methodology is general and adaptable to any security tool for detection or prevention of SQLIAs. It is a complete step-by-step procedure which provides a guideline to test and assess important characteristics such as efficiency, effectiveness, stability, flexibility and performance, and achieves usable and comparable results to properly judge the tested tool. In addition, as a case study of our methodology, we present the evaluation of our tool, named SQLPrevent, which dynamically detects SQL injection attacks using a heuristic approach and blocks the corresponding SQL statements from being submitted to the back-end database. In our experiments, SQLPrevent produced no false positives or false negatives, achieved a 100% detection and prevention rate measured on different types of SQLIAs, is environment independent, and imposed on average a 0.3% performance overhead.
000000167 6531_ $$aSQL Injection Detection and Prevention
000000167 6531_ $$aWeb Application Security
000000167 6531_ $$aSQLPrevent
000000167 8560_ $$fqiangw@ece.ubc.ca
000000167 8564_ $$uhttp://lersse-dl.ece.ubc.ca/record/167/files/167.pdf$$yTransfer from CDS 0.99.7
000000167 909C4 $$pFabrizio Monticelli, "Creation and Evaluation of SQL Injection Security Tools," Master's thesis, Milano (MI), Italia, Department of Computer Engineering, Politecnico di Milano Technical University, Oct. 2008, pp. 184.
000000167 980__ $$aTHESIS