Runtime Monitors For Tautology Based SQL Injection Attacks


Runtime Monitors for Tautology based SQL Injection Attacks

Ramya Dharam and Sajjan G. Shiva
Computer Science Department
University of Memphis
Memphis, TN, USA
{rdharam, sshiva}@memphis.edu

Abstract – Increased usage of web applications in recent years has emphasized the need to achieve (i) confidentiality, (ii) integrity, and (iii) availability of web applications. The backend database being the main target for external attacks such as SQL Injection Attacks, there is an emerging need to handle such attacks to secure stored information. Pre-deployment testing alone does not ensure complete security, and hence post-deployment monitoring of web applications during their interaction with the external world can help us to handle SQL Injection Attacks in a better way. In this paper, we present a framework which can be used to handle tautology based SQL Injection Attacks using a post-deployment monitoring technique. Our framework uses two pre-deployment testing techniques, i.e. basis path and data flow testing, to identify the legal execution paths of the software. Runtime monitors are then developed and integrated to observe the behavior of the software for the identified execution paths, such that their violation will help to detect and prevent tautology based SQL Injection Attacks.

Keywords- Runtime Monitors, Path Testing, Data Flow Testing, Post-deployment Monitoring, Tautology, SQL Injection Attacks (SQLIAs).

I. INTRODUCTION

Web applications are used by organizations to provide services like online banking, online shopping and social networking; over the recent years our dependence on web applications has increased drastically in our everyday routine activities. So we expect these web applications to be secure and reliable when we are paying bills, shopping online, making transactions etc.
These web applications consist of underlying databases containing confidential user information like financial records, medical records and personal records, which are highly sensitive and valuable and in turn make web applications an ideal target for attacks. One such type of attack, SQL Injection Attacks (SQLIAs), is one of the major security threats to web applications [1]. This attack gives attackers access to the database underlying the web application and also the rights to retrieve, modify and delete confidential user information stored in the database, resulting in security violations, identity theft, etc.

SQLIAs occur when data provided by the user is included directly in a SQL query and is not properly validated. Attackers take advantage of this improper input validation and submit input strings that contain specially encoded database commands. When the application builds a query using these strings and submits the query to its underlying database, the attacker's embedded commands are executed by the database and the attack succeeds [2].

It has been found that inadequate input validation performed within an application is the major cause of SQLIAs. But relying on input validation techniques alone for defending the application against SQLIAs is problematic and also insufficient to achieve complete security of the application. Although implementing input validation routines can serve as a first level of defense, they cannot defend against sophisticated attack techniques that inject malicious inputs into SQL queries [2, 3]. Tools such as firewalls and Intrusion Detection Systems (IDSs) are ineffective against SQLIAs, because the ports which are open in firewalls for regular web traffic at the application level are the ones used to perform SQLIAs. A variety of programming practice guidelines and web application security testing tools and scanners have also been proposed by the research community to detect and prevent SQLIAs.
In spite of implementing the mentioned preventive techniques, attackers are still able to successfully perform SQLIAs on web applications and get access to confidential user information.

In this paper, we introduce a framework to develop runtime monitors for performing post-deployment monitoring of the application to detect and prevent tautology based SQLIAs. The proposed framework is an extension of our framework proposed in [4] to detect and prevent path traversal attacks based on the behavior of the software application. The framework proposed in this paper uses two pre-deployment testing techniques to help in the development of runtime monitors.

The paper is organized as follows. In Section 2, we present our framework. In Section 3, we discuss the implementation of our proposed framework to detect tautology based SQLIAs in a Java application and the results obtained. In Section 4, we present the Game Inspired Defense Architecture (GIDA) framework. Section 5 discusses the related work and the conclusion is discussed in Section 6.

II. PROPOSED FRAMEWORK

Our proposed framework is an extension of our previous work in [4] that introduced a post-deployment monitoring technique to handle path traversal attacks. In this section, we propose a framework to handle tautology based SQLIAs in Java applications using a post-deployment monitoring technique. The basic idea behind our proposed framework is that (1) the source code contains certain critical variables that interact with the external world by accepting user inputs, building queries and processing them by accessing the internal database, and (2) we monitor the behavior of the application during its execution with respect to the identified critical variables to detect and prevent tautology based SQLIAs.

Our proposed framework first uses a software repository, which consists of a collection of documents related to requirements, security specifications, source code, etc., to find the critical variables. Then, a combination of basis path and data flow testing techniques is used to find all the legal/valid execution paths the critical variables can take during their lifetime in the application. Runtime monitors are then developed to observe the path taken by the critical variables and check them for compliance with the obtained legal paths. During runtime, if the path taken by an identified critical variable violates the legal paths obtained, this implies that the critical variable contains malicious input from the external user and the query formed is trying to access confidential information from the backend database. This abnormal behavior of the application due to the critical variables is identified by the runtime monitor, which immediately notifies the administrator. The framework described is shown in Figure 1 and consists of three main steps, which are discussed below in detail.

Identification of critical variables: Scan the software repository to identify all the critical variables present in the source code.
Critical variables are those which interact with the external world by accepting user input, and which are also part of critical operations that involve query executions. For each of the critical variables identified, a checkpoint, i.e. a snippet of code which verifies the values returned by the query executions, is inserted. By doing so, malicious inputs from the external users that lead to SQLIAs can be easily detected based on the results returned by the query execution.

Build legal execution paths: By combining data flow and basis path testing, the legal execution paths of the application are obtained. Data flow testing of the critical variables helps in the identification of all the legal sub paths that can be taken by critical variables during the execution. Basis path testing is performed to identify the minimum number of legal execution paths of the software. Since basis path testing leads to a reduced number of monitorable paths, the complexity of our proposed technique in terms of integrating monitors across multiple paths also reduces. The path identification function builds the set of critical paths to be monitored in the application to detect and prevent tautology based SQLIAs.

Figure 1. Runtime monitoring framework for tautology based SQLIAs.

Let C = {C1, C2, ..., Cm} be a set of m critical variables identified during the critical variable identification phase. Let PC = {{PC1} U {PC2} U ... U {PCm}} be a set of critical variable sub paths such that PCi is the set of all valid sub paths a critical variable Ci can take during its lifetime in the software, i ∈ [0, m], identified by performing data flow testing on Ci. Let P = {P1, P2, ..., Pk} be a set of k legal paths identified using basis path testing, and let CP be the set of paths we intend to monitor.
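As a concrete rendering of the path identification function and of the regular-expression monitors that the runtime monitoring phase in this section builds from the critical paths, the following Python code is an added example; it is not the paper's implementation, which targets Java and generates its monitors with JavaMOP. The basis paths P, the sub paths PC and all method names are constructed for the example, and reading the selection condition as "Pj contains every sub path in PCi" is our assumption. It goes one step beyond the text: the regex for a legal path accepts every prefix of that path, so the monitor reports a violation at the first event that leaves all legal paths instead of only when the path has completed.

```python
import re

# Constructed inputs (not from the paper): basis paths P of a login module,
# each written as the sequence of method invocations along that path.
P = [
    ("main", "inputUserInfo", "buildQuery", "executeQuery", "showResult"),
    ("main", "inputUserInfo", "buildQuery", "executeQuery", "showError"),
    ("main", "showHelp"),
]

# PC: sub paths per critical variable, as data flow testing would report them
# (here the def-use chain of the hypothetical variable query1, constructed).
PC = {"query1": {("buildQuery", "executeQuery")}}


def contains_subpath(path, subpath):
    """True when subpath occurs as a contiguous run of events inside path."""
    n = len(subpath)
    return any(tuple(path[i:i + n]) == tuple(subpath) for i in range(len(path) - n + 1))


def identify_critical_paths(P, PC):
    """Path identification function.

    Assumed reading of the paper's selection condition: a basis path Pj is added
    to CP when it contains every sub path in PCi for some critical variable Ci.
    """
    CP = []
    for Pj in P:
        if any(all(contains_subpath(Pj, sp) for sp in PCi) for PCi in PC.values()):
            CP.append(Pj)
    return CP


def path_to_prefix_regex(path):
    """Compile a regex matching every prefix of the ';'-joined event trace of path.

    For (a, b, c) this yields ^a(?:;b(?:;c)?)?$, so the monitor can reject a
    trace as soon as it deviates from all legal paths.
    """
    pattern = ""
    for event in reversed(path):
        pattern = re.escape(event) + (f"(?:;{pattern})?" if pattern else "")
    return re.compile(f"^{pattern}$")


class PathMonitor:
    """Monitor for the critical paths, fed one method-invocation event at a time."""

    def __init__(self, critical_paths):
        self.patterns = [path_to_prefix_regex(p) for p in critical_paths]
        self.trace = []

    def observe(self, event):
        """Record an event; True while the trace is still a prefix of a legal path."""
        self.trace.append(event)
        joined = ";".join(self.trace)
        return any(r.match(joined) for r in self.patterns)


def run_trace(events, critical_paths):
    """Replay a trace; return the first event that violates all legal paths, or None."""
    monitor = PathMonitor(critical_paths)
    for event in events:
        if not monitor.observe(event):
            return event
    return None


if __name__ == "__main__":
    CP = identify_critical_paths(P, PC)
    print("critical paths:", CP)
    bad = ["main", "inputUserInfo", "buildQuery", "executeQuery", "attacker"]
    print("violation at:", run_trace(bad, CP))
```

Only the two basis paths through buildQuery and executeQuery end up in CP, so the monitor is not instrumented on the help path at all; a trace that reaches the hypothetical attacker() event after executeQuery is rejected at that event, which is the point at which a real monitor would halt the module and notify the administrator.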
CP is identified using the pseudocode shown below:

CP = { }
for every Pj ∈ P and
for every PCi ∈ PC
    if (Pj PCi PCi)
        CP = CP U { Pj }

where i ∈ [0, m] and j ∈ [0, k].

We thus identify all the critical paths of the software to be monitored.

Runtime monitoring: In this phase, we map the identified critical paths to regular expressions and use the monitoring oriented programming (MOP) [5] tool to generate monitors. The generated monitor is then integrated with the respective module of the application for monitoring the critical paths. Henceforth, on every query execution, the runtime monitor tracks the identified critical variables by monitoring their execution path, and also verifies the results returned with respect to the instrumented checkpoint. When a critical variable violates the checkpoint and in turn follows an invalid path, the runtime monitor immediately detects the abnormal behavior of the application due to the critical variable and notifies the administrator.

III. AN EXAMPLE

In this section, we introduce an example of a Java application that is vulnerable to tautology based SQLIAs and explain how our proposed framework can be used to detect and prevent the attack. This particular example illustrates an attack based on injecting a tautology into the query string.

The Java application developed uses a XAMPP web server for the Apache HTTP service and a MySQL database for the back end storage of data. The application simulates the working of an employee information retrieval website, which uses a back end database to store the employee related information, and each record is unique to a single employee. Figure 2 shows a Java code snippet of the employee information retrieval application as described above. First, a method inputUserInfo() is invoked to accept the login information from the user, which includes both username and password. The submitted credentials are then used to dynamically build the query1 as shown below:

String query1 = "Select * FROM personalinfo where username = '" + strLine1 + "' and password = '" + strLine2 + "'";

During the execution of the application, the SQL query string as formed above is submitted to the database. The response received from the database consists of all records satisfying the SQL query. Any website that uses this code would be vulnerable to SQL Injection Attacks: when a user enters “' OR 1=1 --” and “” instead of “John” and “Pouch2345”, the resulting query is:

SELECT * FROM userInfo WHERE login = '' OR 1=1 --' AND pass = '';

The characters “--” indicate the beginning of a comment, and everything following the comment is ignored. The database interprets everything after the WHERE token as a conditional statement, and inclusion of the “OR 1=1” clause turns this conditional into a tautology. Thus, when the above query is executed, more than one record is returned by the database. As a result, the information about all the users will be displayed by the application. In this way, an attacker could insert a wide range of SQL commands via this exploit.

We now discuss the implementation of our proposed framework, which is an extension of our previous work in [4], to handle tautology based SQLIAs existing in the Java application described above.

Using the software repository as explained earlier, query1 is identified as one of the critical variables, because it embeds the inputs received from the external user and holds the results of the query execution by interacting with the internal database. The checkpoint for this variable is instrumented in the source code; it checks the number of records returned by the query execution, which will help us to detect the malicious inputs.

Figure 2. Java code snippet.

Pre-deployment testing techniques such as data flow and basis path testing are used to obtain all valid execution paths of the application. In our framework, we consider a possible sequence of function calls that can be invoked as a valid path which reflects the valid execution of the application. The path identification function is then used to obtain all the critical paths of the application which need to be monitored. The developed application will first check the number of rows returned by the database after the execution of the query. If the number of rows returned is more than one, the application will roll back the transaction that occurred at that point and a function named attacker() is invoked immediately.
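The query construction, the tautology input and the row-count checkpoint described above, as an added example that is not the paper's Java/MySQL code: Python with an in-memory SQLite database stands in for the application, the personalinfo table and its two rows are constructed for the example, and the function names (login_vulnerable, login_parameterized, attacker, demo) are hypothetical. The parameterized query is an addition beyond the paper's text, placed beside the concatenated one so the difference in behavior on the same input is visible.

```python
import sqlite3

# Constructed sample data (not from the paper): each record is one employee.
SAMPLE_ROWS = [
    ("John", "Pouch2345", "John Doe"),
    ("Alice", "s3cret", "Alice Smith"),
]


class AttackDetected(Exception):
    """Raised by attacker() when the checkpoint sees more than one record."""


def make_db():
    """Create the in-memory personalinfo table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE personalinfo (username TEXT, password TEXT, fullname TEXT)")
    conn.executemany("INSERT INTO personalinfo VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def build_query1(str_line1, str_line2):
    """Mirror the paper's query1: user input concatenated straight into the SQL text."""
    return ("Select * FROM personalinfo where username = '" + str_line1
            + "' and password = '" + str_line2 + "'")


def attacker():
    """Hand-off invoked by the checkpoint; here it halts the module by raising."""
    raise AttackDetected("more than one row returned; tautology suspected")


def login_vulnerable(conn, username, password):
    """Vulnerable lookup followed by the checkpoint from the paper's Section III."""
    rows = conn.execute(build_query1(username, password)).fetchall()
    # Checkpoint: a record is unique to one employee, so more than one row is abnormal.
    if len(rows) > 1:
        conn.rollback()
        attacker()
    return rows


def login_parameterized(conn, username, password):
    """Hardened form (added here): input is bound as data and never parsed as SQL."""
    return conn.execute(
        "SELECT * FROM personalinfo WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


def demo(username, password):
    """Return (vulnerable outcome, parameterized row count) for one credential pair.

    The vulnerable outcome is the row count, or "halted" when the checkpoint fired.
    """
    conn = make_db()
    try:
        vulnerable = len(login_vulnerable(conn, username, password))
    except AttackDetected:
        vulnerable = "halted"
    parameterized = len(login_parameterized(conn, username, password))
    conn.close()
    return vulnerable, parameterized


if __name__ == "__main__":
    print("legitimate:", demo("John", "Pouch2345"))
    print("tautology: ", demo("' OR 1=1 --", ""))
```

With the paper's input the concatenated query degenerates to WHERE username = '' OR 1=1 with the rest commented out, both rows come back, and the checkpoint fires before any result is displayed; the parameterized query treats the same string as a literal username and returns nothing. SQLite treats "--" as a comment delimiter without requiring a following space, so the paper's input produces the tautology here exactly as described.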
To prevent the attacker from gaining access to information about all users, the runtime monitor developed by using the proposed framework observes the behavior of the application. When an invocation of the attacker() function is made after the invocation of the inputUserInfo() function, this abnormal behavior of the application, which indicates that more than one row has been returned by the database, is immediately identified by the runtime monitor. The monitor then halts the execution of the respective module in the application trying to access the internal database and notifies the administrator about the possible occurrence of tautology based SQLIAs. Figure 3 shows the monitor code instrumented into the respective module in the source code of the application.

Figure 3. Monitor development code.

Thus, the runtime monitor developed will successfully detect tautology based SQL Injection Attacks and will prevent the attacker from retrieving confidential information about all the users.

IV. GIDA FRAMEWORK

The framework proposed in the current paper will be used to enhance the working of the Target Self-monitoring Application component present in the GIDA architecture as shown in Figure 4. Shiva et al. in [6, 7] proposed the Game Inspired Defense Architecture (GIDA) as a holistic approach designed to secure target applications/networks against probable attacks. The GIDA architecture shown in Figure 4 consists of the following components: Intrusion Detection System (IDS), Knowledge Management System (KMS), Game Inspired Decision Module (GIDM), Honeypot and Target Self Monitoring Application (TSMA). In the rest of the paper, we refer to TSMA as the Monitoring System (MS).

Figure 4. Game Inspired Defense Architecture (GIDA) [6]

The IDS is used to monitor the network traffic and capture information about the network behavior and its usage statistics. An IDS is considered a network level sensor in the GIDA Framework.

We consider software applications developed in a modular fashion consisting of different modules/components represented using C1, C2, and C3 as shown in Figure 4. Different modules/components execute either on different target systems or on a single target system connected to the internet. Each module/component is instrumented with its respective runtime monitor, represented using m1, m2 and m3 as shown in Figure 4. The runtime monitor will detect the abnormal behavior of the module/component during its execution, which may be caused by existing internal errors or external attacks. The process of identifying the abnormal behavior by the runtime monitor will be performed by utilizing the framework proposed in the current paper. The runtime monitor is considered to be an application level sensor for the GIDA Framework.

Once the abnormal behavior is identified, the runtime monitor can perform any of the following functions:

i) If the monitor is able to identify the attack that has occurred, it will immediately execute a defense action by itself to secure the module/component. The simplest and most direct defense action to implement by the runtime monitor is to immediately halt the execution of the entire module/component depicting the abnormal behavior.

ii) If the monitor is not able to identify the attack that has occurred, then it forwards the information gathered related to the abnormal behavior to both KMS and GIDM, to identify the attack that occurred, and waits for the response.

The output from either the network or the application level sensors is forwarded as input to GIDM, which is the brain and an important component of the proposed Game Inspired Defense Architecture (GIDA). GIDM processes the input information received from the sensors (IDS and MS) and could take either of the following actions based on the input received and its knowledge about the attacks that occurred:

i) If GIDM is able to identify the attack that occurred, then it suggests a defense.

ii) If GIDM is not able to identify the attack that occurred, it forwards the input received either from IDS or MS about the abnormal behavior to KMS, for identification of the attack that has occurred and a suitable defense action to be executed.

iii) If neither KMS nor GIDM is able to identify the attack that occurred, then GIDM invokes the honeypot, which is primarily used for analyzing traffic and gathering additional information from the attacker.

The KMS focuses on determining the type of attack and consists of game models mapped to the kinds of attack they can address. The KMS is based on a cyber-attack taxonomy called AVOIDIT [8]. Based on the parameters provided as inputs from GIDM, KMS uses AVOIDIT to identify the characteristics of an attack. Once an attack is identified, a candidate game model which can defend against such an attack is selected and notified to GIDM. GIDM then either executes the suggested game model as the defense action to protect the target network/application or forwards the defense action information to either IDS or MS for them to execute the suggested defense action.

GIDA follows the steps below to provide security to either the target application or network:

1. Receive inputs from either the network or application sensors.
2. Identify the attack that occurred, either by its prior knowledge or with the help of KMS or the honeypot.
3. Select a relevant game model for the attack that occurred, either by utilizing its prior knowledge or with the help of KMS.
4. Execute the selected game model or allow the sensors to perform defense actions to secure the target application/network against the attacker.

V. RELATED WORK

In this section, we provide a survey of various existing techniques, both static and dynamic, to handle tautology based SQLIAs.

In [10], Wassermann and Su propose a static analysis framework that operates directly on the source code of the application. Static analysis is used to obtain the set of SQL queries that a program may generate as a finite state automaton. The framework then applies an algorithm on the generated automaton to check whether there is a tautology, and the existence of a tautology indicates the presence of a potential vulnerability. Our proposed approach detects tautology based SQL Injection Attacks based on the behavior of the application during its execution, and no finite automaton is used.

In [11], Huang et al propose a web application security assessment framework called WAVES (Web Application Vulnerability Scanner). WAVES is a black box testing tool from the research community which can be used to identify web application vulnerabilities. AppScan, WebInspect and ScanDo are some of the commercially available web application black box testing tools. In practice, testing tools are useful for finding vulnerabilities but they cannot be used to make security guarantees. Our proposed approach, in contrast, uses the information gathered from the testing techniques to help in the development of runtime monitors, to detect tautology based SQL Injection Attacks by observing the behavior of the application during its execution.

In [12], Valeur et al propose an Intrusion Detection System to detect SQL Injection Attacks. The proposed system uses an anomaly detection approach to learn profiles of the normal database access performed by web applications, using different models. During the training phase, profiles are learned automatically by analyzing a number of sample database accesses. During the detection phase, anomalous queries that lead to SQL Injection Attacks are identified. In our proposed approach we do not maintain profiles of database access; based on the behavior of the software during its execution we detect if the application is vulnerable to a SQL Injection Attack, immediately stop the execution of the software and notify the administrator about the possible exploitation of the vulnerability.

In [13], Su et al propose SQLCheck, which is a runtime checking system. The approach used in SQLCheck first tracks the user input substrings in the program and syntactically tracks those substrings using a syntactic policy, which specifies all the permitted syntactic forms. This process forms an annotated query, also called an augmented query. A parser is then used by SQLCheck to parse the augmented query and to find whether the query is legitimate or not. If the query parses successfully, then the query is supposed to have met the syntactic constraints and is considered legitimate. But if the query has not been successfully accepted by the parser, then it is considered to be a command injection attack query. In our proposed approach we also try to detect SQL Injection Attacks at runtime, but neither a parser nor a policy is used, and the SQL Injection Attacks are identified based on the anomalous behavior of the software during its execution.

In [14], Halfond et al propose a tool called Analysis and Monitoring for Neutralizing SQL Injection Attacks (AMNESIA). It consists of a static and a dynamic phase. During the static phase, models for the different types of queries which an application can legally generate at each point of access to the database are built. During the dynamic phase, queries are intercepted before they are sent to the database and are checked against the statically built models. If the queries violate the model, then a SQL Injection Attack is detected and further queries are prevented from accessing the database. Our proposed approach does not consist of a static and a dynamic phase. SQL Injection Attacks are detected based on the behavior of the application with the help of runtime monitors developed by using our proposed framework.

In [15], Bisht et al propose Candidate evaluations for Discovering Intent Dynamically (CANDID), which at each SQL query location dynamically mines the programmer-intended query structure and detects attacks by comparing it against the structure of the actual query issued. Program transformation is used by CANDID to retrofit web applications written in Java. In [16], Cova et al propose an approach for the anomaly based detection of state violations in web applications and designed a tool called Swaddler. The internal state of a web application is analyzed and the relationships between the application's critical execution points and the application's internal state are learned. This process of analysis and learning is used by Swaddler to identify attacks that attempt to bring an application into an inconsistent, anomalous state. In our proposed approach we identify the critical variables and determine the paths to be monitored to identify the anomalous behavior of the application during its execution, which will help us to detect and prevent tautology based SQLIAs.

VI. CONCLUSION

In this paper, we proposed a framework for the development of runtime monitors used to perform post-deployment monitoring of the software to detect and prevent tautology based SQLIAs. Thus, using our proposed framework we ensure that the quality and security of software is achieved not only during its pre-deployment phase but also during its post-deployment phase, and any possible exploitation of a vulnerability in the software by an external attacker is detected and prevented. We further intend to automate the entire process of using the proposed framework to develop the runtime monitors and also to extend the framework to detect and prevent other types of attacks.

VII. REFERENCES

[1] OWASP – Open Web Application Security Project. Top ten most index.php/OWASP TOP Ten Project, April 2010.
[2] W. G. J. Halfond, A. Orso and P. Manolios, “Using Positive Tainting and Syntax-aware Evaluation to Counter SQL Injection Attacks”, in SIGSOFT’06/FSE-14: Proceedings of the 14th ACM SIGSOFT International Symposium on Foundations of Software Engineering, 2006.
[3] W. G. J. Halfond, J. Viegas and A. Orso, “A Classification of SQL Injection Attacks and Countermeasures”, Proceedings of the IEEE International Symposium on Secure Software Engineering, 2006.
[4] Ramya Dharam, Sajjan G. Shiva, “A Framework for Development of Runtime Monitors”, International Conference on Computer and Information Sciences (ICCIS), Kuala Lumpur, Malaysia, June 2012.
[5] F. Chen and G. Rosu, “Java MOP: A Monitoring Oriented Programming Environment for Java”, in Proceedings of the Eleventh International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS), 2005.
[6] S. Shiva, H. Bedi, C. Simmons, M. Fisher, R. Dharam, “A Holistic Game Inspired Defense Architecture”, International Conference on Data Engineering and Internet Technology (DEIT), March 2011.
[7] S. Shiva, S. Roy and D. Dasgupta, “Game Theory for Cyber Security”, 6th Cyber Security and Information Intelligence Research Workshop, April 2010.
[8] C. Simmons, S. Shiva, D. Dasgupta, and Q. Wu, “AVOIDIT: A Cyber Attack Taxonomy”, Technical Report CS-09-003, University of Memphis, August 2009.
[9] A. Tajpour, M. Massrum and M. Z. Heydari, “Comparison of SQL Injection Detection and Prevention Techniques”, 2nd International Conference on Education Technology and Computer (ICETC), 2012.
[10] G. Wassermann and Z. Su, “An Analysis Framework for Security in Web Applications”, Proceedings of the FSE Workshop on Specification and Verification of Component Based Systems (SAVCBS 2004), 2004.
[11] Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D. T. Lee and S.-Y. Kuo, “Securing Web Application Code by Static Analysis and Runtime Protection”, Proceedings of the 12th International World Wide Web Conference (WWW 2004), 2004.
[12] F. Valeur, D. Mutz, and G. Vigna, “A Learning Based Approach to the Detection of SQL Attacks”, Proceedings of the Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), 2005.
[13] Z. Su and G. Wassermann, “The Essence of Command Injection Attacks in Web Applications”, The 33rd Annual Symposium on Principles of Programming Languages (POPL 2006), 2006.
[14] W. G. Halfond and A. Orso, “AMNESIA: Analysis and Monitoring for Neutralizing SQL-Injection Attacks”, Proceedings of the IEEE and ACM International Conference on Automated Software Engineering (ASE 2005), Nov 2005.
[15] P. Bisht and P. Madhusudan, “CANDID: Dynamic Candidate Evaluations for Automatic Prevention of SQL Injection Attacks”, Proceedings of the 14th ACM Conference on Computer and Communications Security, 2007.
[16] M. Cova, D. Balzarotti, “Swaddler: An Approach for the Anomaly based Detection of State Violations in Web Applications”, Proceedings of the 10th International Symposium on Recent Advances in Intrusion Detection (RAID), 2007.
[17] Steve Ragan, “Sony was asking for it – millions of records compromised (Update 2)”, June 2011.
[18] A. Orso, “Monitoring, Analysis, and Testing of Deployed Software”, Proceedings of the FSE/SDP Workshop on the Future of Software Engineering Research (FoSER’10), 2010.
[19] F. S. Rietta, “Application Layer Intrusion Detection for SQL Injection”, Proceedings of the 44th Annual Southeast Regional Conference (ACM-SE 44), 2006.
[20] Y. Xie and A. Aiken, “Static Detection of Security Vulnerabilities in Scripting Languages”, Proceedings of the 15th Conference on USENIX Security Symposium (USENIX-SS’06), 2006.
[21] V. B. Livshits and M. S. Lam, “Finding Security Vulnerabilities in Java Applications with Static Analysis”, Proceedings of the 14th Conference on USENIX Security Symposium (SSYM’05), 2005.
