SQL Injection Vulnerabilities in Desktop Applications

					                                 Motivation
                               SQL Injection
                               SQL Sanitizer
                                Future Work




SQL Injection Vulnerabilities in Desktop Applications

Derek Ditch (lead)                    Dylan McDonald                   Justin Miller

                   Missouri University of Science & Technology
                         Computer Science Department


                                  April 29, 2008



Derek Ditch, Dylan McDonald, & Justin Miller   SQL Injection Vulnerabilities in Desktop Applications


Outline
  Objective: To protect desktop applications and user data
  from SQL injection attacks
  1 Motivation
       Background
       Akonadi Architecture
       Akonadi & SQL Injection
  2 SQL Injection
       SQL Injection
       Types of Attacks
       Example
  3 SQL Sanitizer
  4 Future Work


Background



 Why choose Akonadi?
    Part of core architecture for upcoming KDE 4.1 release
    Significant privacy data at risk
    Lack of protection for Qt applications in general from
    SQL injection






Akonadi Architecture


      Desktop-neutral Personal Information Manager (PIM) service
      Akonadi stores/caches
             Email
             Chat logs
             Calendars
             Address Books
             RSS Feeds
      Uses MySQL backend
      Provides IMAP client interface


Akonadi & SQL Injection

   [Figure: UML-style diagram of the Akonadi server. Components shown:
    AkonadiServer (<<TcpServer>>) owning AkonadiConnection threads
    (<<thread>>), each using a Handler that realizes the <<interface>> IMAP
    (commands Append, Delete, Status); a CacheCleaner thread that clears
    old values; NotificationCollector, which sends changes; DataStore,
    built by DbInitializer; and the <<interface>> MySQL Database.]

   Attack path annotated on the diagram:
      Rogue client accesses IMAP socket interface
      Executes valid IMAP client command, with inter-mixed SQL
      as "user data"
      "User data" is injected into SQL query
      SQL is passed through API directly to database layer






SQL Injection




        SQL injection attacks inject attacker-controlled text into SQL
        statements as they are being assembled, to perform actions the
        developer never intended
        Even with internal SQL data stores, poorly crafted or
        poorly protected queries are vulnerable
        In particular, Akonadi uses a passwordless internal SQL
        store protected only by file permissions






Types of Attacks




     Tautology   adds logic that is trivially true in order to make the
                 query return more results than intended
     Comment     uses a special character sequence ("--" or "/*") in the
                 input to disable parts of the intended query
     Subquery    inserts a query within a query to change the behavior
                 of the database server or modify arbitrary data within
                 the SQL database






SQL Injection Attack Setup


        Suppose we have a user table:

         User           Password       Admin
         tauritzd       takeCS348      T
         ajfrost        hackAllATMs    F
         justinmiller   offToIowa      F

        Queries like
          SELECT * FROM users WHERE user = $un AND password = $pwd;
        are often used to authenticate users when they enter their
        username and password in the application
        Let's see how ajfrost can become an admin!



SQL Injection Attack Result




        We will now try an attack by entering SQL logic into an
        application's password field, resulting in this SQL query:

   Resulting SQL Query
   SELECT * FROM users WHERE username = 'ajfrost'
   AND password = '' OR 1 = 1 AND admin = 'T';

        Because AND binds more tightly than OR, the WHERE clause
        matches any row with admin = 'T', so we can use any such
        row to be an administrator



SQL Sanitizer Command Line Interface




        A special interactive mode flag can be passed from the
        command line for testing multiple queries in short order
        When in interactive mode, a prompt is displayed and as
        queries are entered, the provided and cleaned queries are
        run against a MySQL database
        Command line and interactive modes both show the
        impacts of the queries on the database






SQL Sanitizer API



   Example usage (C++):

   // Create sqlCleaner; by default the constructor cleans the query
   SQLSanitizer sqlCleaner(query);

   if (sqlCleaner.cleaned()) {
       // Process the cleaned query
       query = sqlCleaner.getQuery();
       ...
   } else {
       // Handle error: the query was rejected by the sanitizer
   }




SQL Sanitizer Output



   % ./sqlSan "SELECT * FROM users
   WHERE username = 'ajfrost' AND
   password = '' OR 1 = 1 AND admin = 'T';"

   SQLSanitizer Test App v1
   By: Dylan McDonald, Justin Miller, Derek Ditch
   Sanitized Query:
     SELECT * FROM users WHERE = 'ajfrost' AND
   password = '' AND admin = 'T';





SQL Sanitizer: Under the Hood


   What happens to the string?
      If no parameters are given to the constructor then
      default, safe behavior is used.
      The query is automatically processed unless the
      parameter is set to false.
      The query is checked for commands that change the
      schema, subqueries, and tautologies.
      If all went well, cleaned() returns true.
      Otherwise, it returns false.
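As an added illustration (not the authors' SQLSanitizer, whose source is not on these slides), the following hypothetical C++ class mirrors the constructor / cleaned() / getQuery() interface from the API slide and applies the checks listed under "Types of Attacks" and "Under the hood" to the query from the attack example. The policy here, which is my assumption rather than the project's, is that a tautology clause is stripped while schema-changing commands, comment sequences, subqueries, stacked statements and unbalanced string literals cause rejection; reason() is an added accessor, and all sample queries are constructed.

```cpp
#include <algorithm>
#include <iostream>
#include <regex>
#include <string>

// Hypothetical re-implementation of the SQLSanitizer interface from the slides.
// Assumed policy: a tautology ("OR x = x") is stripped from the query; schema
// changes, comment sequences, subqueries, stacked statements and unbalanced
// quotes cause the query to be rejected, so cleaned() returns false.
class SQLSanitizer {
public:
    // With the default autoClean = true the query is processed immediately;
    // pass false to call clean() yourself later.
    explicit SQLSanitizer(const std::string& query, bool autoClean = true)
        : query_(query) {
        if (autoClean) clean();
    }

    bool clean() {
        static const std::regex schema(
            R"(\b(DROP|ALTER|CREATE|TRUNCATE|GRANT)\b)", std::regex::icase);
        static const std::regex comment(R"(--|/\*)");
        static const std::regex subquery(R"(\(\s*SELECT\b)", std::regex::icase);
        static const std::regex stacked(R"(;\s*\S)");            // ";" followed by more SQL
        // "OR lit = lit" with the same literal on both sides, e.g. OR 1 = 1, OR 'a' = 'a'
        static const std::regex tautology(
            R"(\s+OR\s+('?\w+'?)\s*=\s*\1\b)", std::regex::icase);

        if (std::regex_search(query_, schema))   return reject("schema-changing command");
        if (std::regex_search(query_, comment))  return reject("comment sequence");
        if (std::regex_search(query_, subquery)) return reject("subquery");
        if (std::regex_search(query_, stacked))  return reject("stacked statement");
        if (std::count(query_.begin(), query_.end(), '\'') % 2 != 0)
            return reject("unbalanced string literal");

        // Strip the tautology; the surrounding AND-clauses are left intact.
        query_ = std::regex_replace(query_, tautology, "");
        reason_.clear();
        cleaned_ = true;
        return true;
    }

    bool cleaned() const { return cleaned_; }
    const std::string& getQuery() const { return query_; }
    const std::string& reason() const { return reason_; }   // added accessor

private:
    bool reject(const char* why) { cleaned_ = false; reason_ = why; return false; }
    std::string query_;
    std::string reason_;
    bool cleaned_ = false;
};

// Stand-alone demonstration on constructed queries; the first is the slides' example.
int main() {
    const char* samples[] = {
        "SELECT * FROM users WHERE username = 'ajfrost' AND password = '' OR 1 = 1 AND admin = 'T';",
        "SELECT * FROM users WHERE username = 'ajfrost'; DROP TABLE users;",
        "SELECT * FROM users WHERE username = 'ajfrost' --' AND password = 'x'",
        "SELECT name FROM users WHERE id IN (SELECT id FROM admins)",
        "SELECT * FROM users WHERE username = 'justinmiller' AND password = 'offToIowa';",
    };
    for (const char* q : samples) {
        SQLSanitizer s(q);
        std::cout << (s.cleaned() ? "OK      " : "REJECT  ")
                  << (s.cleaned() ? s.getQuery() : s.reason()) << '\n';
    }
    return 0;
}
```

Keyword matching of this kind is blunt: a legitimate string literal containing the word "alter" or "--" is rejected too, and the tautology pattern only recognises literal-equals-same-literal forms. That is the trade-off the "Future Work" slide calls handling more complex queries; the check belongs where the slides put it, between the handler and the database layer, so that a rejected query never reaches MySQL.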




Future Work


     Make the SQL Sanitizer “smarter”
             Handle more complex queries
             Reduce overhead of added protection
     Give back to community
             Ensure code conforms to KDE standards
             Submit patch to KDE developer mailing lists
             Make additional changes as necessary
     Publish findings


