Augmented Attack Tree Modelling of SQL Injection Attacks

Report as inappropriate Your report has been received

Shared by: hkksew3563rd

Tags

attack tree, IEEE International Conference, Jie Wang, David J, Loughborough University, Wireless Sensor Networks, Key Exchange, Raphael Chung, Block Cipher, Attack Detection

Stats

views:: 13
posted:: 3/21/2011
language:: English
pages:: 5

Public Domain

Document Sample

Augmented Attack Tree Modelling of SQL Injection Attacks

Jie Wang, Raphael C.-W. Phan, John N. Whitley and David J. Parish
High Speed Networks Research Group
Department of Electronic and Electrical Engineering,
Loughborough University, LE11 3TU, UK
Email: {J.Wang3, R.Phan, J.N.Whitley, D.J.Parish}@lboro.ac.uk

Abstract subtle SQLIA-constructed statements. Attack trees describe
attacks against a system as a construction of atomic attack
The SQL injection attacks (SQLIAs) vulnerability is ex- steps modelled as states that an attack must go through to
tremely widespread and poses a serious security threat to achieve success [2]. Such trees focus on the analysis of mea-
web applications with built-in access to databases. The surable goals that can ultimately be translated into speciﬁc
SQLIA adversary intelligently exploits the SQL statement tests against real-world implementations. While conventional
parsing operation by web servers via specially constructed attack trees have been widely used [1]–[3], [5], [10], they
SQL statements that subtly lead to non-explicit executions only concentrate on showing the states of an attack. We
or modiﬁcations of corresponding database tables. In this argue that for SQLIAs it is crucial to explicitly model the
paper, we present a formal and methodical way of modelling transition process (edge of the attack tree) between states as
SQLIAs by way of augmented attack trees. This modelling well, and therefore conventional attack trees cannot provide
explicitly captures the particular subtle incidents triggered sufﬁcient information for analysis of SQLIAs. Our SQLIA
by SQLIA adversaries and corresponding state transitions. modelling based on the Augmented Attack Tree allows to
To the best of our knowledge, this is the ﬁrst known attack explicitly link regular expressions capturing generic attack
tree modelling of SQL injection attacks. signatures to different types of SQLIAs.
The rest of this paper is organized as follows. Section 2
1. Introduction provides background information about SQLIAs and de-
scribes the attack tree modeling techniques including the
Since web applications have become one of the most im- conventional attack tree and augmented attack tree. Section 3
portant communication channels between service providers shows our proposed SQLIA modeling. Section 4 reviews the
and clients, more script kiddies and sophisticated hackers related work. Finally, Section 5 concludes the paper.
target victims either for fun, commercial reasons or personal
gain. The increasing frequency and complexity of web based 2. Preliminaries
attacks has raised awareness of web application administra-
tors of the need to effectively protect their web applications.
The OWASP 2010 report places Injection Attacks, including 2.1. SQL Injection Attacks
SQLIAs, as the most likely and damaging [9]. SQLIAs are
caused by attackers inserting a malicious SQL query into the SQLIAs are command-injection attacks where the at-
web application to manipulate data, or even to gain access to tacker injects a malicious SQL query into the back-end
the back-end database. The main reason contributing to the database through the web application interface. The back-
successful SQLIAs is due to bad web application design and end database executes the system deﬁned SQL statement
implementation. In design and development phase, SQLIAs with the injected SQL query, and sends the corresponding
can be prevented by some adherence to guidelines including: execution results back to the attacker. The attacker could
validation of inputs before passing them to the database; the submit malicious SQL commands directly to the back-end
use of safe SQL statements for data access; and providing database to extract conﬁdential information or even obtain
no error messages [4]. the root privilege of the database.
In assessing the risk of a web based system against SQLIAs are classiﬁed into seven types: Tautologies; Il-
SQLIAs and in facilitating detection of such intrusions, there legal/Logically Incorrect Queries; UNION Query; Piggy-
is a need to properly model SQLIAs especially the subtly Backed Queries; Stored Procedures; Inference and Alternate
constructed SQL statements. Encodings [13]. There are ten kinds of attack goals of
In this paper, we model SQLIAs with the Augmented At- SQLIAs: identify injectable parameters; identify database
tack Tree (AAT) [6]–[8] technique and furthermore propose ﬁnger-prints; determine database schema; extract data; add
regular expressions as a solution to generically capture the or modify data; perform denial of service; evade detection;
bypass authentication; execute remote commands; and esca- Deﬁnition 2. An incident-choice is a group of related
late privilege [13]. Any of the attack goals can be achieved incidents, the occurrence of any one of which can contribute
by any of the SQLIA types, so there is a large combination towards the state transition in the attack tree.
of attacks.
Deﬁnition 3. An attack Signature SIGu,v is a sequence
of incident-choices (incident-choice1 , incident-choice2 ,. . .,
2.2. Attack Tree Modelling incident-choicen ) such that the sequence (incidenti,1 ,
incidenti,2 , . . . , incidentm,n ) constitute an atomic attack.
2.2.1. Conventional Attack Trees. Attack trees were pro-
posed as a formal and methodical way to model threats
3. Modelling SQL Injection Attacks
against computer network systems [11]. The tree structure
is utilized to represent attacks against a system, with the
This section shows our modeling of SQLIAs with AAT
root node representing the ultimate attack goal and the
and regular expressions. Of the seven well known SQLIA
branches of nodes representing ways to achieve the goal.
types [13], we model: Tautology Query; Logically Incorrect
Two connection types, OR and AND, are used to connect
Query; UNION Query; Piggy-Backed Query; and Timing
multiple child nodes with same parent node. OR means that
Inference Query. We ignored to model Stored Procedures,
the goal can be reached if any one of the subgoals is reached,
Alternate Encodings and Blind Injection Inference Query
whereas AND means that the goal can be reached only if
because of the following: Stored Procedures provides the
all subgoals are reached.
functionality to consolidate and centralize logic that was
originally implemented in applications. As such the content
2.2.2. Augmented Attack Tree. Augmented Attack Tree of a stored procedure is not distinct from other SQLIA at-
(AAT) [6]–[8], [14] extended the conventional attack tree tacks, so cannot be modelled separately. Alternate Encodings
by associating with each branch a sequence of malicious provide different coding practices and is used in conjunction
operations that could have been used in the attack. The with other SQL based attacks. The attacker injects a Blind
formalization of AAT is stated as follows [7], [8]: Injection Inference Query mainly dependent on individual’s
Deﬁnition 1. An augmented attack tree is a rooted labeled intuition and experience without the assistant of database
tree given by AAT= V, E, ε, Label, SIGu,v , where feedback information. The injection contents are the same
• V is the set of nodes in the tree representing the as other SQLIA methods. Therefore, we focus on modelling
different states of partial compromise or sub-goals that with above mentioned ﬁve types. In this section, we ﬁrst
an adttacker needs to move through in order to fully discuss our mechanism of modelling. Then, we model each
compromise a system. ν ∈ V is a special node, dis- type of SQLIAs in turn.
tinguished from others, that forms the root of the tree.
It represents the ultimate goal of the attacker, namely 3.1. Modelling Mechanism
system compromise. The set V can be partitioned into
two subsets, leaf nodes and internal nodes, such that The modelling of SQLIA obeys the deﬁnition of AAT.
∗ leaf nodes internal nodes=V, For lack of a better name, we term our modelling result as
∗ leaf nodes internal nodes=∅, Augmented SQL Injection Attack Tree (ASQLIAT).
∗ ν ∈ internal nodes Node. A node in ASQLIAT represents the state. The child
node represents the state during the whole attack procedure.
• E ⊆ V×V constitutes the set of edges in the attack
The root node represents SQLIA as the ultimate goal. Since
tree. An edge u,v ∈ E deﬁnes an atomic attack and
the ﬁrst step of a computer network attack is usually to
represents the state transition from a child node v to
identify the attack object, we assume that the leaf node in
a parent node u, where u, v ∈ V. An atomic attack is
all branches is the state where the attacker has found out the
a sequence of incidents. The edge u, v is said to be
targeted web application. Each node has a symbol enclosed
“emergent from” v and “incident to” u.
by brackets as identiﬁcation.
• ε is a set of tuples of the form v, decomposition such
Edge. An edge in ASQLIAT represents the state transition
that
from the child node to the parent node along a set of
∗ v ∈ internal nodes and incidents.
∗ decomposition ∈ [AND-decomposition, OR- Incident. An incident in ASQLIAT represents either the
decomposition] injection behavior or the web server execution behavior.
• Label is the name of the exploit associated with each Label. A label in ASQLIAT represents the edge name.
edge. Signature. An SQLIA signature is the related regular
• SIGu,v is an attack signature which is deﬁned as expression that captures the SQL statement constructed by
Deﬁnition 3 below. the SQLIA adversary to mount the particular type of SQLIA.
For clarity of illustration, we model the signature with the adversary progresses to the next state: Found Injection
Perl’s regular expression style [12] (although any regular Place. The expression below shows the incidents and their
expression syntax can be used w.l.o.g). Table 1 shows the corresponding signatures.
elements of a modelled SQLIA signature and corresponding Incident∈{Web Page Form Access, URL Header Access}
expression symbols. Alphanumeric means the combination SIGT2,T1 ∈{SIGWPFA , SIGURLHA }
of any digits or alphabets. Comment Mark indicates that
the rest of the current SQL query is a comment and 3.2. Tautology Query
should be ignored. Quotation Mark is used in SQL as a
string terminator. Comparison Mark denotes any comparison The Tautology Query attack injects a piece of malicious
methods between two alphanumeric substrings. Type means code into one or more conditional statements so that they
the data type in SQL database, whereas Type Conversion always evaluate to true and generate the result according to
Keyword changes the data type between SQL types. SQL the evaluated true condition. Branch (1) in Figure 1 illus-
Keyword contains SQL data manipulation keywords, data trates the modelled Tautology Query attack in ASQLIAT,
deﬁnition keywords and data control keywords. Delimiter with four states and three edges. The second edge which
Mark is used to end an SQL statement. Note that symbols resides between the state Found Injection Place and Web
may contain square brackets, round brackets, plus mark, Server Execute Tautology Query is the Tautology Query
asterisk and vertical pipe. Square brackets indicate the Injection. For this kind of attack, the most signiﬁcant feature
matching of any characters inside them, round brackets of injection content is containing three key parts: OR; true
indicate the matching of the whole pattern inside them, plus condition; and comment mark. In the generated signature, it
mark indicates character matching more than once, asterisk must include those three parts. In order to model and identify
indicates character matching 0 or more times and vertical that an attack is a Tautology Query attack, the attacker
pipe indicates OR. Additionally, the entire generated regular injected code should be captured the deﬁned signature,
expression that forms an SQLIA signature is enclosed by which is shown as below,
forward slashes, and Case Insensitive Symbol i must place Incident∈{Tautology Query Statement}
after second forward slash. Moreover, we apply a pair of SIGT3,T2 ∈{/(’|”)(\s )(OR)(\s )(\w+)([=<>]|[<>!]=)
curly brackets to include a set of possible incidents or (\w+)(\s )\-\-/i}
signatures in each edge. The generated signature expression can be explained
based on Table 1. The signature must be enclosed by a
Table 1. Elements and Symbols in Signature set of slashes and begin with a quotation mark. Then, it
follows with an OR keyword and 0 or more white spaces.
Element Symbol (\s ) denotes white space match 0 or more times. Next, a
conditional part composed of two alphanumeric substrings
Alphanumeric \w
Comment Mark (\-\-) and a comparison mark to provide logical true, and the
Quotation Mark (’|”) comment mark following with it. Finally, i ﬂag places
Comparison Mark ([=<>]|[<>!]=) after the second slash to ignore case. Due to the page
Logical Keyword (OR)
Type (int|char|varchar) limitation, we only elaborate on the signature expression in
Type Conversion Keyword (CONVERT|CAST) this subsection.
SQL Keyword (SELECT|INSERT|UPDATE|DROP) When the state of Web Server Execute Tautology Query
UNION Keyword (UNION|UNION ALL)
Delimiter Mark ; occurs, the only way to transit into the SQLIA state is
Delay Time \d through the edge Tautology Attack, which can be described
White Space \s by some incidents to indicate the achieving of SQLIA. This
Bracket \(
Case Insensitive i set is {Bypass Authentication,Information Retrieval}.
Incident∈{Bypass Authentication, Information Retrieval}
SIGS,T3 ∈{SIGBA , SIGIR }
Figure 1 illustrates the generated ASQLIAT. The leaf
node, i.e. Found Web Application denotes the state where the 3.3. Logically Incorrect Query
adversary has found a particular attack target. Then, the at-
tacker performs some actions to explore suitable places to in- Logically Incorrect Query attack is where the attacker
ject command(s) into the database through web applications. intends to obtain the error feedback message by injecting
Usually, the attacker injects the malicious command through incorrect command into the database. The database structure
either any input forms on the web application or via the URL and type information can be extracted according to the error
header. Therefore, the transiting incidents along the edge can message. Branch (2) in Figure 1 displays the generated
be taken from the set {Web Page Form Access,URL Header Logically Incorrect Query branch in ASQLIAT. The labels
Access}; and upon successful execution of either incident, of the second edge and third edge are Logically Incorrect
SQLIA (S)

Tautology Query Attack OR Timing Inference Attack
Logically Incorrect UNION Piggy-Backed
Query Attack Query Attack Query Attack
Web Server Executes Web Server Executes Web Server Executes Web Server Executes Web Server Executes
Tautology Query (T3) Logically Incorrect Query(LI3) UNION Query (U3) Piggy-Backed Query (PB3) Timing Inference Query(TI3)

Tautology Logically Incorrect UNION Piggy-Backed Timing Inference
Query Injection Query Injection Query Injection Query Injection Query Injection

Found Injection Place (T2) Found Injection Place (LI2) Found Injection Place (U2) Found Injection Place (PB2) Found Injection Place (TI2)

Explore Explore Explore Explore Explore
Injection Place Injection Place Injection Place Injection Place Injection Place

Found Web Application (T1) Found Web Application (LI1) Found Web Application (U1) Found Web Application (PB1) Found Web Application (TI1)

(1) (2) (3) (4) (5)

Figure 1. Augmented Attack Tree Modelling of SQL Injection Attacks

Query and Logically Incorrect Query Attack. The trick of 3.5. Piggy-Backed Query
this SQLIA is to change the data type of the injected data
and provide different data type against the system deﬁned In Piggy-Backed Query attack, the query is extended by
data type. The database server returns an error feedback injecting additional queries after the original one. Conse-
message which can assist the attacker to further explore the quently, the database receives multiple SQL queries and
database server. Keywords to change different data type are executes them in sequence. Branch (4) in Figure 1 illustrates
CONVERT and CAST and either of them must be exist the Piggy-Backed Query branch in ASQLIAT. The incident
in the query. Therefore, the signature to detect this attack in the second edge, whose label is Piggy-Backed Query
must contain those keywords. Once the attacker triggers Injection, is to inject multiple queries into the original
the incident in the second edge, the state transits into the one. Because Piggy-Backed Query combines several SQL
state of Web Server Execute Logically Incorrect Query. The queries together, there must be some data manipulation
generated signature is stated as follows, keywords or data deﬁnition keywords. It is wise to model
Incident∈{Logically Incorrect Query Statement} the signature with those keywords followed with a delimiter
SIGLI3,LI2 ∈{/(CONVERT|CAST)(\(+)(int|char|varchar)/i} which indicates the ending of the previous query.
For the last edge leading to SQLIA state, its incident are Incident∈{Piggy-Backed Query Statement}
as follows: SIGPB3,PB2 ∈{/(’|”)(\s )(;)(\s )(SELECT|INSERT|UPDATE|
Incident∈{Return Error Message from Database, Informa- DELETE |DROP)/i}
tion Retrieval} The incidents in the top edge, whose label is Piggy-Backed
SIGS,LI3 ∈{SIGEM , SIGIR } Query Attack, can be Information Retrieval, Information
Modiﬁcation and Denial of Service.
Incident∈{Information Retrieval, Information Modiﬁca-
3.4. UNION Query tion and Denial of Service}
SIGS,PB3 ∈{SIGIR , SIGIM , SIGDoS }
The UNION Query attack is to inject the UNION keyword
followed with another SELECT query statement. The result 3.6. Timing Inference Query
is that the database returns the dataset that is the union result
of the original ﬁrst query and the injected second query. The The inference attack is implemented according to the
generated UNION Query branch is shown as Branch (3) in obtained result from a true or false evaluation about data
Figure 1. The label of the second edge is UNION Query values in the database. In this kind of attack, the target
Injection. The most important keywords in the injected code web server has been secured enough so that there is not
are UNION and SELECT. So, the generated signature is: enough or usable feedback error messages. In this situation,
Incident∈{UNION Query Statement} the attacker injects malicious command into the web server
SIGU3,U2 ∈{/(’|”)(\s )(UNION|UNION ALL)(\s ) and then observes how the website changes.
(SELECT)/i} For Timing Inference Query, the attacker injects a query
The label in the top edge is UNION Query Attack. The with both if/then evaluation statement and delay time. The
possible incidents are Information Retrieval and Bypass attacker then obtains information from the database by mon-
Authentication. itoring the timing delay as the response of the database. If
Incident∈{Information Retrieval, Bypass Authentication} the timing delay take place occurs, it means that the injected
SIGS,U3 ∈{SIGIR , SIGBA } if/then evaluation statement been executed successfully by
the database server. Otherwise, the statement is wrong and References
need further modiﬁcation. The last branch in Figure 1
displays the modelling of this kind of SQLIA. The label [1] E. J. Byres, M. Franz, and D. Miller. The Use of Attack Trees
of the edge between the state Found Injection Place and the in Assessing Vulnerabilities in SCADA Systems. In IEEE In-
state Web Server Execute Timing Inference Query, is Timing ternational Infrastructure Survivability Workshop (IISW’04),
Lisbon, Portugal, 2004.
Inference Query Injection. It should contain the keyword
WAITFOR and the length of waiting time in the generated [2] P. A. Khand. System Level Security Modeling Using Attack
signature. The generated signature expression is stated as Trees. In 2nd International Conference on Computer, Control
follows, and Communication, 2009. IC4 2009, pages 1–6, February
Incident∈{Timing Inference Query Statement} 2009.
SIGTI3,TI2 ∈{/(WAITFOR)(\s+)(\d+)/i}
[3] X. Lin, P. Zavarsky, R. Ruhl, and D. Lindskog. Threat
Moreover, the label of the top edge is Timing Inference Modeling for CSRF Attacks. In International Conference
Attack. The possible incidents are Information Retrieval, on Computational Science and Engineering, 2009. CSE ’09,
Information Modiﬁcation and Identify Database Scheme. volume 3, pages 486–491, August 2009.
Incident∈{Information Retrieval, Information Modiﬁca-
tion and Identify Database Scheme} [4] S. Madan and S. Madan. Shielding Against SQL Injection
Attacks Using ADMIRE Model. In First International
SIGS,TI3 ∈{SIGIR , SIGIM , SIGIDS }
Conference on Computational Intelligence, Communication
Systems and Networks, 2009. CICSYN ’09., pages 314–320,
4. Related Work July 2009.

A different kind of AAT [6] applied the conventional [5] A. Morais, E. Martins, A. Cavalli, and W. Jimenez. Security
attack tree with extra attack probability labels. A label l Protocol Testing Using Attack Trees. In International Confer-
is associated with a node S, given by the tuple n, m ence on Computational Science and Engineering, 2009. CSE
where m and n are positive integers greater than 0 with ’09, volume 2, pages 690–697, August 2009.
n≤m. m is termed the least effort to compromise subgoal [6] N. Poolsapassit and I. Ray. Using Attack Trees to Identify
S while n is termed the number of currently compromised Malicious Attacks From Authorized Insiders. Lecture Notes
n
subgoals under S. The ratio m provides the measure of how in Computer Science, 3679:231–246, 2005.
far an attacker has progressed towards the ultimate goal in
terms of the least effort along the most advanced attack path [7] N. Poolsapassit and I. Ray. Investigating Computer Attacks
Using Attack Trees. IFIP International Federation for Infor-
that s/he has been through. Wang et al. [14] improved this mation Processing, 242:331–343, 2007.
AAT [6] with a notion of “minimal attack tree” and proposed
a new trimming attack tree algorithm to reduce the redundant [8] N. Poolsapassit and I. Ray. A Systematic Approach for
branches. Investigating Computer Attacks Using Attack Trees. The
Byres et al. [1] described the ﬁrst known work of how 3rd IFIP TC-11 WG 11.9 Working Conference on Digital
Forensics, January 2007.
to model the SCADA protocol MODBUS/TCP with attack
trees. Their attack tree analysis was qualitatively used to [9] The Open Web Application Security Project. Owasp
identify levels of technical difﬁculty, severity of impact, 10-2010. http://www.owasp.org/images/0/0f/OWASP T10 -
probability of detection and the underlying critical vulnera- 2010 rc1.pdf.
bilities. Lin et al. [3] applied the attack trees to model the
[10] V. Saini, Q. Duan, and V. Paruchuri. Threat Modeling Using
threat of Cross Site Request Forgery (CSRF) attacks. Morais Attack Trees. Journal of Computing Sciences in Colleges,
et al. [5] utilized the attack trees to model known attacks 23(4):124–131, 2008.
and derive injection test scenarios to evaluate the security
properties of the WTLS protocol for WAP-enabled mobile [11] B. Schneier. Attack Trees. Dr. Dobb’s Journal, 24(12):21–29,
devices. Saini et al. [10] applied the attack tree to study and 1999.
evaluate the security of the MyProxy system with all the [12] R. L. Schwartz, T. Phoenix, and B. D. Foy. Learning Perl.
possible threats, the cost of attack execution by attacker and O’Reilly Media, Inc., 2005.
the cost of damage from attack.
[13] J. Viegas, W. Halfond, and A. Orso. A Classiﬁcation of
5. Conclusion SQL-Injection Attacks and Countermeasures. In International
Symposium on Secure Software Engineering, 2006.
In this paper, we have presented a method for mod-
[14] H. Wang, S. Liu, and X. Zhang. An Improved Model of
elling SQLIAs with the Augmented Attack Tree and regular Attack Probability Prediction System. Wuhan University
expressions to capture subtle SQL statements formed by Journal of Natural Sciences, 11(6):1498–1502, 2006.
SQLIA adversaries. This approach is generic, thus it can be
made to equally apply to other kinds of web based attacks.