Augmented Attack Tree Modelling of SQL Injection Attacks

Document Sample
Augmented Attack Tree Modelling of SQL Injection Attacks Powered By Docstoc
					                  Augmented Attack Tree Modelling of SQL Injection Attacks

                            Jie Wang, Raphael C.-W. Phan, John N. Whitley and David J. Parish
                                           High Speed Networks Research Group
                                   Department of Electronic and Electrical Engineering,
                                          Loughborough University, LE11 3TU, UK
                               Email: {J.Wang3, R.Phan, J.N.Whitley, D.J.Parish}

                         Abstract                                 subtle SQLIA-constructed statements. Attack trees describe
                                                                  attacks against a system as a construction of atomic attack
   The SQL injection attacks (SQLIAs) vulnerability is ex-        steps modelled as states that an attack must go through to
tremely widespread and poses a serious security threat to         achieve success [2]. Such trees focus on the analysis of mea-
web applications with built-in access to databases. The           surable goals that can ultimately be translated into specific
SQLIA adversary intelligently exploits the SQL statement          tests against real-world implementations. While conventional
parsing operation by web servers via specially constructed        attack trees have been widely used [1]–[3], [5], [10], they
SQL statements that subtly lead to non-explicit executions        only concentrate on showing the states of an attack. We
or modifications of corresponding database tables. In this         argue that for SQLIAs it is crucial to explicitly model the
paper, we present a formal and methodical way of modelling        transition process (edge of the attack tree) between states as
SQLIAs by way of augmented attack trees. This modelling           well, and therefore conventional attack trees cannot provide
explicitly captures the particular subtle incidents triggered     sufficient information for analysis of SQLIAs. Our SQLIA
by SQLIA adversaries and corresponding state transitions.         modelling based on the Augmented Attack Tree allows to
To the best of our knowledge, this is the first known attack       explicitly link regular expressions capturing generic attack
tree modelling of SQL injection attacks.                          signatures to different types of SQLIAs.
                                                                     The rest of this paper is organized as follows. Section 2
1. Introduction                                                   provides background information about SQLIAs and de-
                                                                  scribes the attack tree modeling techniques including the
   Since web applications have become one of the most im-         conventional attack tree and augmented attack tree. Section 3
portant communication channels between service providers          shows our proposed SQLIA modeling. Section 4 reviews the
and clients, more script kiddies and sophisticated hackers        related work. Finally, Section 5 concludes the paper.
target victims either for fun, commercial reasons or personal
gain. The increasing frequency and complexity of web based        2. Preliminaries
attacks has raised awareness of web application administra-
tors of the need to effectively protect their web applications.
The OWASP 2010 report places Injection Attacks, including         2.1. SQL Injection Attacks
SQLIAs, as the most likely and damaging [9]. SQLIAs are
caused by attackers inserting a malicious SQL query into the         SQLIAs are command-injection attacks where the at-
web application to manipulate data, or even to gain access to     tacker injects a malicious SQL query into the back-end
the back-end database. The main reason contributing to the        database through the web application interface. The back-
successful SQLIAs is due to bad web application design and        end database executes the system defined SQL statement
implementation. In design and development phase, SQLIAs           with the injected SQL query, and sends the corresponding
can be prevented by some adherence to guidelines including:       execution results back to the attacker. The attacker could
validation of inputs before passing them to the database; the     submit malicious SQL commands directly to the back-end
use of safe SQL statements for data access; and providing         database to extract confidential information or even obtain
no error messages [4].                                            the root privilege of the database.
   In assessing the risk of a web based system against               SQLIAs are classified into seven types: Tautologies; Il-
SQLIAs and in facilitating detection of such intrusions, there    legal/Logically Incorrect Queries; UNION Query; Piggy-
is a need to properly model SQLIAs especially the subtly          Backed Queries; Stored Procedures; Inference and Alternate
constructed SQL statements.                                       Encodings [13]. There are ten kinds of attack goals of
   In this paper, we model SQLIAs with the Augmented At-          SQLIAs: identify injectable parameters; identify database
tack Tree (AAT) [6]–[8] technique and furthermore propose         finger-prints; determine database schema; extract data; add
regular expressions as a solution to generically capture the      or modify data; perform denial of service; evade detection;
bypass authentication; execute remote commands; and esca-        Definition 2. An incident-choice is a group of related
late privilege [13]. Any of the attack goals can be achieved     incidents, the occurrence of any one of which can contribute
by any of the SQLIA types, so there is a large combination       towards the state transition in the attack tree.
of attacks.
                                                                 Definition 3. An attack Signature SIGu,v is a sequence
                                                                 of incident-choices (incident-choice1 , incident-choice2 ,. . .,
2.2. Attack Tree Modelling                                       incident-choicen ) such that the sequence (incidenti,1 ,
                                                                 incidenti,2 , . . . , incidentm,n ) constitute an atomic attack.
2.2.1. Conventional Attack Trees. Attack trees were pro-
posed as a formal and methodical way to model threats
                                                                 3. Modelling SQL Injection Attacks
against computer network systems [11]. The tree structure
is utilized to represent attacks against a system, with the
                                                                    This section shows our modeling of SQLIAs with AAT
root node representing the ultimate attack goal and the
                                                                 and regular expressions. Of the seven well known SQLIA
branches of nodes representing ways to achieve the goal.
                                                                 types [13], we model: Tautology Query; Logically Incorrect
Two connection types, OR and AND, are used to connect
                                                                 Query; UNION Query; Piggy-Backed Query; and Timing
multiple child nodes with same parent node. OR means that
                                                                 Inference Query. We ignored to model Stored Procedures,
the goal can be reached if any one of the subgoals is reached,
                                                                 Alternate Encodings and Blind Injection Inference Query
whereas AND means that the goal can be reached only if
                                                                 because of the following: Stored Procedures provides the
all subgoals are reached.
                                                                 functionality to consolidate and centralize logic that was
                                                                 originally implemented in applications. As such the content
2.2.2. Augmented Attack Tree. Augmented Attack Tree              of a stored procedure is not distinct from other SQLIA at-
(AAT) [6]–[8], [14] extended the conventional attack tree        tacks, so cannot be modelled separately. Alternate Encodings
by associating with each branch a sequence of malicious          provide different coding practices and is used in conjunction
operations that could have been used in the attack. The          with other SQL based attacks. The attacker injects a Blind
formalization of AAT is stated as follows [7], [8]:              Injection Inference Query mainly dependent on individual’s
Definition 1. An augmented attack tree is a rooted labeled        intuition and experience without the assistant of database
tree given by AAT= V, E, ε, Label, SIGu,v , where                feedback information. The injection contents are the same
   • V is the set of nodes in the tree representing the          as other SQLIA methods. Therefore, we focus on modelling
     different states of partial compromise or sub-goals that    with above mentioned five types. In this section, we first
     an adttacker needs to move through in order to fully        discuss our mechanism of modelling. Then, we model each
     compromise a system. ν ∈ V is a special node, dis-          type of SQLIAs in turn.
     tinguished from others, that forms the root of the tree.
     It represents the ultimate goal of the attacker, namely     3.1. Modelling Mechanism
     system compromise. The set V can be partitioned into
     two subsets, leaf nodes and internal nodes, such that          The modelling of SQLIA obeys the definition of AAT.
       ∗ leaf nodes       internal nodes=V,                      For lack of a better name, we term our modelling result as
       ∗ leaf nodes       internal nodes=∅,                      Augmented SQL Injection Attack Tree (ASQLIAT).
       ∗ ν ∈ internal nodes                                         Node. A node in ASQLIAT represents the state. The child
                                                                 node represents the state during the whole attack procedure.
   • E ⊆ V×V constitutes the set of edges in the attack
                                                                 The root node represents SQLIA as the ultimate goal. Since
     tree. An edge u,v ∈ E defines an atomic attack and
                                                                 the first step of a computer network attack is usually to
     represents the state transition from a child node v to
                                                                 identify the attack object, we assume that the leaf node in
     a parent node u, where u, v ∈ V. An atomic attack is
                                                                 all branches is the state where the attacker has found out the
     a sequence of incidents. The edge u, v is said to be
                                                                 targeted web application. Each node has a symbol enclosed
     “emergent from” v and “incident to” u.
                                                                 by brackets as identification.
   • ε is a set of tuples of the form v, decomposition such
                                                                    Edge. An edge in ASQLIAT represents the state transition
                                                                 from the child node to the parent node along a set of
       ∗ v ∈ internal nodes and                                  incidents.
       ∗ decomposition ∈ [AND-decomposition, OR-                    Incident. An incident in ASQLIAT represents either the
          decomposition]                                         injection behavior or the web server execution behavior.
   • Label is the name of the exploit associated with each          Label. A label in ASQLIAT represents the edge name.
     edge.                                                          Signature. An SQLIA signature is the related regular
   • SIGu,v is an attack signature which is defined as            expression that captures the SQL statement constructed by
     Definition 3 below.                                          the SQLIA adversary to mount the particular type of SQLIA.
For clarity of illustration, we model the signature with         the adversary progresses to the next state: Found Injection
Perl’s regular expression style [12] (although any regular       Place. The expression below shows the incidents and their
expression syntax can be used w.l.o.g). Table 1 shows the        corresponding signatures.
elements of a modelled SQLIA signature and corresponding            Incident∈{Web Page Form Access, URL Header Access}
expression symbols. Alphanumeric means the combination              SIGT2,T1 ∈{SIGWPFA , SIGURLHA }
of any digits or alphabets. Comment Mark indicates that
the rest of the current SQL query is a comment and               3.2. Tautology Query
should be ignored. Quotation Mark is used in SQL as a
string terminator. Comparison Mark denotes any comparison           The Tautology Query attack injects a piece of malicious
methods between two alphanumeric substrings. Type means          code into one or more conditional statements so that they
the data type in SQL database, whereas Type Conversion           always evaluate to true and generate the result according to
Keyword changes the data type between SQL types. SQL             the evaluated true condition. Branch (1) in Figure 1 illus-
Keyword contains SQL data manipulation keywords, data            trates the modelled Tautology Query attack in ASQLIAT,
definition keywords and data control keywords. Delimiter          with four states and three edges. The second edge which
Mark is used to end an SQL statement. Note that symbols          resides between the state Found Injection Place and Web
may contain square brackets, round brackets, plus mark,          Server Execute Tautology Query is the Tautology Query
asterisk and vertical pipe. Square brackets indicate the         Injection. For this kind of attack, the most significant feature
matching of any characters inside them, round brackets           of injection content is containing three key parts: OR; true
indicate the matching of the whole pattern inside them, plus     condition; and comment mark. In the generated signature, it
mark indicates character matching more than once, asterisk       must include those three parts. In order to model and identify
indicates character matching 0 or more times and vertical        that an attack is a Tautology Query attack, the attacker
pipe indicates OR. Additionally, the entire generated regular    injected code should be captured the defined signature,
expression that forms an SQLIA signature is enclosed by          which is shown as below,
forward slashes, and Case Insensitive Symbol i must place           Incident∈{Tautology Query Statement}
after second forward slash. Moreover, we apply a pair of            SIGT3,T2 ∈{/(’|”)(\s )(OR)(\s )(\w+)([=<>]|[<>!]=)
curly brackets to include a set of possible incidents or         (\w+)(\s )\-\-/i}
signatures in each edge.                                            The generated signature expression can be explained
                                                                 based on Table 1. The signature must be enclosed by a
     Table 1. Elements and Symbols in Signature                  set of slashes and begin with a quotation mark. Then, it
                                                                 follows with an OR keyword and 0 or more white spaces.
          Element                       Symbol                   (\s ) denotes white space match 0 or more times. Next, a
                                                                 conditional part composed of two alphanumeric substrings
        Alphanumeric                        \w
       Comment Mark                       (\-\-)                 and a comparison mark to provide logical true, and the
       Quotation Mark                      (’|”)                 comment mark following with it. Finally, i flag places
     Comparison Mark                ([=<>]|[<>!]=)               after the second slash to ignore case. Due to the page
      Logical Keyword                      (OR)
            Type                    (int|char|varchar)           limitation, we only elaborate on the signature expression in
  Type Conversion Keyword          (CONVERT|CAST)                this subsection.
        SQL Keyword         (SELECT|INSERT|UPDATE|DROP)             When the state of Web Server Execute Tautology Query
      UNION Keyword              (UNION|UNION ALL)
       Delimiter Mark                        ;                   occurs, the only way to transit into the SQLIA state is
         Delay Time                         \d                   through the edge Tautology Attack, which can be described
         White Space                        \s                   by some incidents to indicate the achieving of SQLIA. This
           Bracket                          \(
       Case Insensitive                      i                   set is {Bypass Authentication,Information Retrieval}.
                                                                    Incident∈{Bypass Authentication, Information Retrieval}
                                                                    SIGS,T3 ∈{SIGBA , SIGIR }
   Figure 1 illustrates the generated ASQLIAT. The leaf
node, i.e. Found Web Application denotes the state where the     3.3. Logically Incorrect Query
adversary has found a particular attack target. Then, the at-
tacker performs some actions to explore suitable places to in-      Logically Incorrect Query attack is where the attacker
ject command(s) into the database through web applications.      intends to obtain the error feedback message by injecting
Usually, the attacker injects the malicious command through      incorrect command into the database. The database structure
either any input forms on the web application or via the URL     and type information can be extracted according to the error
header. Therefore, the transiting incidents along the edge can   message. Branch (2) in Figure 1 displays the generated
be taken from the set {Web Page Form Access,URL Header           Logically Incorrect Query branch in ASQLIAT. The labels
Access}; and upon successful execution of either incident,       of the second edge and third edge are Logically Incorrect
                                                                                                     SQLIA (S)

                                      Tautology Query Attack                                        OR                                                      Timing Inference Attack
                                                                                        Logically Incorrect        UNION                    Piggy-Backed
                                                                                          Query Attack           Query Attack                Query Attack
                 Web Server Executes                      Web Server Executes                  Web Server Executes                    Web Server Executes                        Web Server Executes
                 Tautology Query (T3)                  Logically Incorrect Query(LI3)           UNION Query (U3)                    Piggy-Backed Query (PB3)                  Timing Inference Query(TI3)

            Tautology                            Logically Incorrect                        UNION                               Piggy-Backed                             Timing Inference
           Query Injection                        Query Injection                        Query Injection                        Query Injection                           Query Injection

               Found Injection Place (T2)               Found Injection Place (LI2)          Found Injection Place (U2)            Found Injection Place (PB2)                 Found Injection Place (TI2)

               Explore                                  Explore                              Explore                                Explore                                    Explore
           Injection Place                          Injection Place                      Injection Place                        Injection Place                            Injection Place

              Found Web Application (T1)               Found Web Application (LI1)          Found Web Application (U1)            Found Web Application (PB1)                 Found Web Application (TI1)

                             (1)                                       (2)                                 (3)                                    (4)                                        (5)

                                     Figure 1. Augmented Attack Tree Modelling of SQL Injection Attacks

Query and Logically Incorrect Query Attack. The trick of                                                         3.5. Piggy-Backed Query
this SQLIA is to change the data type of the injected data
and provide different data type against the system defined                                                           In Piggy-Backed Query attack, the query is extended by
data type. The database server returns an error feedback                                                         injecting additional queries after the original one. Conse-
message which can assist the attacker to further explore the                                                     quently, the database receives multiple SQL queries and
database server. Keywords to change different data type are                                                      executes them in sequence. Branch (4) in Figure 1 illustrates
CONVERT and CAST and either of them must be exist                                                                the Piggy-Backed Query branch in ASQLIAT. The incident
in the query. Therefore, the signature to detect this attack                                                     in the second edge, whose label is Piggy-Backed Query
must contain those keywords. Once the attacker triggers                                                          Injection, is to inject multiple queries into the original
the incident in the second edge, the state transits into the                                                     one. Because Piggy-Backed Query combines several SQL
state of Web Server Execute Logically Incorrect Query. The                                                       queries together, there must be some data manipulation
generated signature is stated as follows,                                                                        keywords or data definition keywords. It is wise to model
   Incident∈{Logically Incorrect Query Statement}                                                                the signature with those keywords followed with a delimiter
   SIGLI3,LI2 ∈{/(CONVERT|CAST)(\(+)(int|char|varchar)/i}                                                        which indicates the ending of the previous query.
   For the last edge leading to SQLIA state, its incident are                                                       Incident∈{Piggy-Backed Query Statement}
as follows:                                                                                                         SIGPB3,PB2 ∈{/(’|”)(\s )(;)(\s )(SELECT|INSERT|UPDATE|
   Incident∈{Return Error Message from Database, Informa-                                                        DELETE |DROP)/i}
tion Retrieval}                                                                                                     The incidents in the top edge, whose label is Piggy-Backed
   SIGS,LI3 ∈{SIGEM , SIGIR }                                                                                    Query Attack, can be Information Retrieval, Information
                                                                                                                 Modification and Denial of Service.
                                                                                                                    Incident∈{Information Retrieval, Information Modifica-
3.4. UNION Query                                                                                                 tion and Denial of Service}
                                                                                                                    SIGS,PB3 ∈{SIGIR , SIGIM , SIGDoS }
   The UNION Query attack is to inject the UNION keyword
followed with another SELECT query statement. The result                                                         3.6. Timing Inference Query
is that the database returns the dataset that is the union result
of the original first query and the injected second query. The                                                       The inference attack is implemented according to the
generated UNION Query branch is shown as Branch (3) in                                                           obtained result from a true or false evaluation about data
Figure 1. The label of the second edge is UNION Query                                                            values in the database. In this kind of attack, the target
Injection. The most important keywords in the injected code                                                      web server has been secured enough so that there is not
are UNION and SELECT. So, the generated signature is:                                                            enough or usable feedback error messages. In this situation,
   Incident∈{UNION Query Statement}                                                                              the attacker injects malicious command into the web server
   SIGU3,U2 ∈{/(’|”)(\s )(UNION|UNION ALL)(\s )                                                                  and then observes how the website changes.
(SELECT)/i}                                                                                                         For Timing Inference Query, the attacker injects a query
   The label in the top edge is UNION Query Attack. The                                                          with both if/then evaluation statement and delay time. The
possible incidents are Information Retrieval and Bypass                                                          attacker then obtains information from the database by mon-
Authentication.                                                                                                  itoring the timing delay as the response of the database. If
   Incident∈{Information Retrieval, Bypass Authentication}                                                       the timing delay take place occurs, it means that the injected
   SIGS,U3 ∈{SIGIR , SIGBA }                                                                                     if/then evaluation statement been executed successfully by
the database server. Otherwise, the statement is wrong and        References
need further modification. The last branch in Figure 1
displays the modelling of this kind of SQLIA. The label            [1] E. J. Byres, M. Franz, and D. Miller. The Use of Attack Trees
of the edge between the state Found Injection Place and the            in Assessing Vulnerabilities in SCADA Systems. In IEEE In-
state Web Server Execute Timing Inference Query, is Timing             ternational Infrastructure Survivability Workshop (IISW’04),
                                                                       Lisbon, Portugal, 2004.
Inference Query Injection. It should contain the keyword
WAITFOR and the length of waiting time in the generated            [2] P. A. Khand. System Level Security Modeling Using Attack
signature. The generated signature expression is stated as             Trees. In 2nd International Conference on Computer, Control
follows,                                                               and Communication, 2009. IC4 2009, pages 1–6, February
   Incident∈{Timing Inference Query Statement}                         2009.
   SIGTI3,TI2 ∈{/(WAITFOR)(\s+)(\d+)/i}
                                                                   [3] X. Lin, P. Zavarsky, R. Ruhl, and D. Lindskog. Threat
   Moreover, the label of the top edge is Timing Inference             Modeling for CSRF Attacks. In International Conference
Attack. The possible incidents are Information Retrieval,              on Computational Science and Engineering, 2009. CSE ’09,
Information Modification and Identify Database Scheme.                  volume 3, pages 486–491, August 2009.
   Incident∈{Information Retrieval, Information Modifica-
tion and Identify Database Scheme}                                 [4] S. Madan and S. Madan. Shielding Against SQL Injection
                                                                       Attacks Using ADMIRE Model. In First International
                                                                       Conference on Computational Intelligence, Communication
                                                                       Systems and Networks, 2009. CICSYN ’09., pages 314–320,
4. Related Work                                                        July 2009.

   A different kind of AAT [6] applied the conventional            [5] A. Morais, E. Martins, A. Cavalli, and W. Jimenez. Security
attack tree with extra attack probability labels. A label l            Protocol Testing Using Attack Trees. In International Confer-
is associated with a node S, given by the tuple n, m                   ence on Computational Science and Engineering, 2009. CSE
where m and n are positive integers greater than 0 with                ’09, volume 2, pages 690–697, August 2009.
n≤m. m is termed the least effort to compromise subgoal            [6] N. Poolsapassit and I. Ray. Using Attack Trees to Identify
S while n is termed the number of currently compromised                Malicious Attacks From Authorized Insiders. Lecture Notes
subgoals under S. The ratio m provides the measure of how              in Computer Science, 3679:231–246, 2005.
far an attacker has progressed towards the ultimate goal in
terms of the least effort along the most advanced attack path      [7] N. Poolsapassit and I. Ray. Investigating Computer Attacks
                                                                       Using Attack Trees. IFIP International Federation for Infor-
that s/he has been through. Wang et al. [14] improved this             mation Processing, 242:331–343, 2007.
AAT [6] with a notion of “minimal attack tree” and proposed
a new trimming attack tree algorithm to reduce the redundant       [8] N. Poolsapassit and I. Ray. A Systematic Approach for
branches.                                                              Investigating Computer Attacks Using Attack Trees. The
   Byres et al. [1] described the first known work of how               3rd IFIP TC-11 WG 11.9 Working Conference on Digital
                                                                       Forensics, January 2007.
to model the SCADA protocol MODBUS/TCP with attack
trees. Their attack tree analysis was qualitatively used to        [9] The Open Web Application Security Project.     Owasp
identify levels of technical difficulty, severity of impact,            10-2010. T10 -
probability of detection and the underlying critical vulnera-           2010 rc1.pdf.
bilities. Lin et al. [3] applied the attack trees to model the
                                                                  [10] V. Saini, Q. Duan, and V. Paruchuri. Threat Modeling Using
threat of Cross Site Request Forgery (CSRF) attacks. Morais            Attack Trees. Journal of Computing Sciences in Colleges,
et al. [5] utilized the attack trees to model known attacks            23(4):124–131, 2008.
and derive injection test scenarios to evaluate the security
properties of the WTLS protocol for WAP-enabled mobile            [11] B. Schneier. Attack Trees. Dr. Dobb’s Journal, 24(12):21–29,
devices. Saini et al. [10] applied the attack tree to study and        1999.
evaluate the security of the MyProxy system with all the          [12] R. L. Schwartz, T. Phoenix, and B. D. Foy. Learning Perl.
possible threats, the cost of attack execution by attacker and         O’Reilly Media, Inc., 2005.
the cost of damage from attack.
                                                                  [13] J. Viegas, W. Halfond, and A. Orso. A Classification of
5. Conclusion                                                          SQL-Injection Attacks and Countermeasures. In International
                                                                       Symposium on Secure Software Engineering, 2006.
   In this paper, we have presented a method for mod-
                                                                  [14] H. Wang, S. Liu, and X. Zhang. An Improved Model of
elling SQLIAs with the Augmented Attack Tree and regular               Attack Probability Prediction System. Wuhan University
expressions to capture subtle SQL statements formed by                 Journal of Natural Sciences, 11(6):1498–1502, 2006.
SQLIA adversaries. This approach is generic, thus it can be
made to equally apply to other kinds of web based attacks.