
Diversifying SQL to Prevent Injection Attacks

Sampsa Rauti, Jukka Teuhola, Ville Leppänen, Diversifying SQL to Prevent Injection Attacks. In: Raimo Kantola (Ed.), Trustcom/BigDataSE/ISPA, 2015 IEEE, 344–351, IEEE, 2015.

http://dx.doi.org/10.1109/Trustcom.2015.393

Abstract:

This paper proposes applying instruction set randomization (ISR) to SQL to make it resistant to injection attacks. Our solution is based on a novel two-layered approach. It allows the SQL server to support several different instruction sets, so that the SQL symbols used by each application are different. The internal SQL symbols used by the server are also uniquely diversified. We tested our approach by applying it to the MySQL server and show that it prevents several injection attacks that earlier proxy-based solutions cannot catch. Because our solution only decodes the randomized SQL symbols in a query once it arrives at the server, a quick operation, it does not cause any significant performance loss, unlike a proxy-based solution. The queries in applications that use the SQL server need to be diversified accordingly, but this could be done automatically to a great extent.
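The following is an added toy model of the two-layer scheme the abstract describes; it is illustrative code written for this page, not the paper's MySQL implementation. It assumes a small keyword subset, random hex tags as the "diversified" symbols, and the hypothetical names `DiversifiedServer`, `diversify` and `build_demo`. The point it shows is the defensive one: an application's build-time queries carry per-application symbols, the server maps them to its own internal symbols, and a plain keyword such as `OR` that arrives inside user input is rejected before it ever reaches the query engine.

```python
"""Toy model of per-application SQL keyword diversification (constructed example).

Layer 1: each application gets its own randomized keyword set.
Layer 2: the server maps those symbols to its own, also randomized, internal ones.
Any undiversified keyword in an incoming query is rejected as injected text.
"""
import re
import secrets

# Small keyword subset for the illustration; a real grammar has many more symbols.
STANDARD_KEYWORDS = ("SELECT", "FROM", "WHERE", "AND", "OR", "UNION", "DROP")

# One token is: a quoted literal (with '' escapes), an identifier/keyword, or any single non-space char.
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|[A-Za-z_][A-Za-z0-9_]*|\S")


class DiversifiedServer:
    """Server side: holds its internal symbols and one keyword map per registered application."""

    def __init__(self):
        # Layer 2: internal symbols unique to this server instance (random tag per run).
        self._internal = {kw: f"{kw}_{secrets.token_hex(4)}" for kw in STANDARD_KEYWORDS}
        self._apps = {}  # app_id -> {application symbol: internal symbol}

    def register_app(self, app_id):
        """Layer 1: issue a fresh randomized keyword set to one application."""
        tag = secrets.token_hex(4)
        app_map = {kw: f"{kw}_{tag}" for kw in STANDARD_KEYWORDS}
        self._apps[app_id] = {app_map[kw]: self._internal[kw] for kw in STANDARD_KEYWORDS}
        return app_map  # handed to the application when its queries are diversified

    def decode(self, app_id, query):
        """Translate an application's symbols to internal ones; refuse plain keywords."""
        app_to_internal = self._apps[app_id]
        out = []
        for tok in TOKEN_RE.findall(query):
            if tok.startswith("'"):
                out.append(tok)  # quoted literal, passed through untouched
            elif tok in app_to_internal:
                out.append(app_to_internal[tok])
            elif tok.upper() in STANDARD_KEYWORDS:
                # The application cannot emit undiversified keywords, so this token
                # came from somewhere else, typically input that broke out of a literal.
                raise ValueError(f"undiversified keyword {tok!r} in query")
            else:
                out.append(tok)  # identifiers, operators, numbers (an unknown
                # word is just an identifier here; the real parser would reject it)
        return " ".join(out)

    def is_internal(self, query):
        """True if every keyword in a decoded query is one of this server's internal symbols."""
        internal = set(self._internal.values())
        return all(tok in internal or tok.upper() not in STANDARD_KEYWORDS
                   for tok in TOKEN_RE.findall(query))


def diversify(query, app_map):
    """Build-time rewrite of an application's own query text; literals are left alone."""
    return " ".join(tok if tok.startswith("'") else app_map.get(tok.upper(), tok)
                    for tok in TOKEN_RE.findall(query))


def build_demo():
    """Set up one server, one application and one diversified query template."""
    server = DiversifiedServer()
    app_map = server.register_app("webapp")
    template = diversify("SELECT * FROM users WHERE name = '{}'", app_map)
    return server, template


if __name__ == "__main__":
    server, template = build_demo()
    print("template:", template)
    print("decoded :", server.decode("webapp", template.format("alice")))
    try:
        server.decode("webapp", template.format("' OR '1'='1"))
    except ValueError as err:
        print("rejected:", err)
```

Note what the model captures and what it leaves out: the server never sees a standard keyword from a legitimate application, so a keyword smuggled through user input (in any letter case) is detected at decode time with a single dictionary lookup per token, which is the cheap, in-server check the abstract contrasts with a proxy. What it does not model is the paper's full grammar coverage or the automated rewriting of existing application queries.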

BibTeX entry:

@INPROCEEDINGS{inpRaTeLe15a,
  title = {Diversifying SQL to Prevent Injection Attacks},
  booktitle = {Trustcom/BigDataSE/ISPA, 2015 IEEE},
  author = {Rauti, Sampsa and Teuhola, Jukka and Leppänen, Ville},
  editor = {Kantola, Raimo},
  publisher = {IEEE},
  pages = {344–351},
  year = {2015},
  ISSN = {2324-898X},
}

Belongs to TUCS Research Unit(s): Algorithmics and Computational Intelligence Group (ACI), Software Development Laboratory (SwDev)

Publication Forum rating of this publication: level 1
