, Evaluation of a library against injection attacks

THE INSTITUTE OF ELECTRONICS, INFMATION AND COMMUNICATION ENGINEERS TECHNICAL REPT OF IEICE., () 211 8588 4 1 1 221 0835 2 14 1 E-mail: okubo@jp.fujitsu.com, tanaka@iisec.ac.jp Web,,,, Evaluation of a library against injection attacks Takao OKUBO, and Hidehiko TANAKA Fujitsu Laboratories ltd. Kamikodanaka 4 1 1, Nakahara-ku, Kawasaki, 211 8588 Japan Institute of Information Security Tsuruyacho 2 14 1, Kanagawa-ku, Yokohama, 221 0835 Japan E-mail: okubo@jp.fujitsu.com, tanaka@iisec.ac.jp Abstract Injection vulnerabilities, those enable attacks done by injecting command string into input data, have big percentage of total software vulnerabilities. Existing Programming techniques and libraries are not sufficient to present complete solution and easy testing methods. We have proposed general convention set and a secure library SafeStatement for preventing and testing injection attacks. In this papaer, the library are evalluated with some sample application programs, compared with other existing methods. And some improvement has done based on the results. Key words pl A TEX 2ε class file, typesetting 1. 2 IPA [IPA07] 2006 Web 750 ( 704 ) SQL (1) Web 2006 (43%) SQL (23%) 7 Web Apache Tomcat (2) [CVE07] 1

4 AMNESIA [HO06] Web AMNESIA (SQL OS SQL (XSS)) (NDFA) Web 2. 3. Java PreparedStatement 4. Serialization API SQL API Serialization API 5. 6. 2. SQL 1 SQL Java Source ( ) code1 Java PreparedStatement SQL 1 String query = "SELECT * FROM user_info WHERE userid=\"" + userid + "\" AND password=\"" + password + "\""; 2 Serialization API PreparedStatement pstmnt = con.preparestatement( query); ResultSet rs = pstmnt.executequery(); Source Code 1 Java PreparedStatementPerl DBIPHP,Python ADOldbVisualBASIC SQLCommand 3 SQL Java (Source code1) 2 6 1 5 SQLBlock 62 SQL Web HTTP SQL 3. 2

Statement stmnt = con.createstatement(); 2 String query = "SELECT * FROM user_info "; Set keyset = map.keyset(); Iterator iter = keyset.iterator(); boolean first = true; while (iter.hasnext()) { 7 String key =(String) iter.next(); String[] value = (String[]) map.get(key); if(value[0]!= ""){ if(!first) { query+= " "; 12 else { query+= " WHERE "; query+= key + "=\"" + value[0] + "\""; first = false; 17 ResultSet rs = stmnt.executequery(query); Serialization API Serialization API Source Code 2 Figure 1 ( ) Serialization API SQL SQL OS Serialization API OS (Source Code1Source Code2 OS ) (XSS) Serialization API HTML ( ) HTML SQL Serialization API ID, SELECT * FROM utable WHERE userid="( ID)" AND password="( )" () SQL Java or a = a Figure 1 API API SELECT * FROM utable WHERE userid="dummy" AND password="" "a"="a" SQL API utable 1 API 2 API 3

PreparedStatement PreparedStatement PreparedStatement#executeQuery() 4. SQL Java Web SQL (1)Statement (2)PreparedStatement (3) Figure 2 (4)AMNESIA 4 AMNESIA 2 PreparedStatement JavaVM:JDK1.5.11 PreparedStatement Servlet :Tomcat5.5.23 Source Code4 Source :MYSQL 5.0.41 String query = "SELECT * from userinfo WHERE userid=? AND 4. 1 password=?"; ID 2 PreparedStatement pstmnt = con.preparestatement(query); pstmnt.setstring(1, userid); Figure pstmnt.setstring(2, password); 2 SQL ResultSet rs = pstmnt.executequery(); Source Code 4 PreapredStatement (1) 3 Code4 13 1 or sex= female sex female 3 PreparedStatement PreparedStatement 2 ;SELECT * from admininfo Source Code1 WHERE a = a (admininfo) (1)(3) PreparedStatement SQL 3 ;DELETE * FROM userinfo WHERE a = a SQL (userinfo) 4 1 Statement Statement Source Code3 Source Code5 Source Code5 Source Code3 13 SELECT * FROM userinfo WHERE userid= 1 Statement stmnt = con.createstatement(); String query = "SELECT * FROM userinfo WHERE userid=\""+ userid + "\" AND password=\"" + password + "\""; ResultSet rs = stmnt.executequery(query); Source Code 3 MYQUERY1 AND password= MYQUERY2 SafeStatement Statement userid 4

SafeStatement sstmnt = new SafeStatement(); sstmnt.add(userconstvalue.myquery1); //SELECT * FROM userinfo WHERE userid= sstmnt.add(userid); sstmnt.add(userconstvalue.myquery2); // AND password= 5 sstmnt.add(password); ResultSet rs = sstmnt.prepareandexecute(con); SELECT * FROM utable WHERE userid = Source Code 5 (1) (1)(3) SafeStatement PreparedStatement 5 Figure 3 Source Code6 Source Code6 SELECT AND password = AMNESIA SQL SafeStatement sstmnt = new SafeStatement(); sstmnt.add("select * FROM user_info WHERE userid="); sstmnt.add(userid); 4 sstmnt.add(" AND password="); sstmnt.add(password); ResultSet rs = sstmnt.prepareandexecute(con); Source Code 6 (2) * FROM userinfo WHERE userid= AND password= PreparedStatement Figure 4 SafeStatement (1)???? PreparedStatement JDBC 2 (2) (SQLException ) ;SELECT * from admininfo 6 AMNESIA Statement (3 AMNESIA SQL Figure 3 3 ;DELETE * FROM userinfo (1)( WHERE a = a ) SELECT * FROM ustable WHERE userid= dummy a = a (userinfo) Figure 3 1 Statement 4. 2 HTTP for 5 Figure 4 (1)(3) 3 2 PreparedStatement 1 or a = a WHERE a = a (admininfo) Statement Source Code2 PreparedStatement 5

5 15 31 = = = 3 Source Code7 Source Code7 Statement (Source AMNESIA SafeStatement sstmnt = new SafeStatement(); sstmnt.add(userconstvalue.select); Set keyset = map.keyset(); 4 Iterator iter = keyset.iterator(); boolean first = true; while (iter.hasnext()) { String key =(String) iter.next(); String[] value = (String[]) map.get(key); 9 if(value[0]!= ""){ if(!first) { sstmnt.add(userconstvalue.); else { sstmnt.add(userconstvalue.where); 14 //query+= key + "=\"" + value[0] + "\""; UserConstValue constkey = findkey(key); if(constkey!= null) { sstmnt.add(constkey); 19 else { sstmnt.add(key); sstmnt.add(userconstvalue.eq); sstmnt.add(value[0]); 24 first = false; ResultSet rs = sstmnt.prepareandexecute(con); SELECT * FROM utable WHERE = = Figure 5 4. 3 AMNESIA SQL Table 1 PreparedStatement SQL AMNESIA PreparedStatement SQL Source Code 7 5. 5. 1 Code2) for Statement add() Source Code2 1 key 19 27 Source Code7 SQL HTTP (1)(3) key 4 AMNESIA AMNESIA Source PreparedStatement Code2 5 Figure 5 1 SELECT * FROM utable WHERE userid= sex= female 6

Statement PreparedStatement AMNESIA Table 1 2 SQL ( ) JDBC Source Code6???? 5 SELECT * FROM utable WHERE userid=??? MySQL JDBC SQL References SELECT * FROM utable [CVE07] National Vulnerability Database, common Vulnerabilities and Exposures, CVE 2007 1355, http://cve.mitre. WHERE userid=??? org/cgi-bin/cvename.cgi?name=cve-2007-1355(2007). [HO06] William G. J. Halfond, Alessandro Orso, Preventing SQL 3 injection attacks using AMNESIA, Proceeding of the 28th international conference on Software engineering,pp.795-798(2006). add() [IPA07], 2007, http://www.ipa.go.jp/security/vuln/20070309_ ISwhitepaper.html(2007). [OT07] Takao Okubo, Hidehiko Tanaka, Secure Sofoware Development through Coding Conventions and Frameworks, The 4 Second International Conference on Availability, Reliability and Security (ARES 07), pp.1042-1051(2007). [SQLB07] SQLBlock, http://www.sqlblock.com/(2007). Java 5 enum Java SQL 5. 2 properties properties SQL 6. 7