
Creation and Evaluation of SQL Injection Security Tools

This work summarizes our research on the creation and evaluation of security tools against SQL injection attacks (SQLIAs). We briefly introduce the key concepts and problems of information security and present the major role that SQL injection plays in this scenario. Based on this analysis and on today's computer security state of the art, we focus our research on the specific field of SQLIAs, which are still one of the most exploited and dangerous intrusion techniques used to gain access to web applications.
More precisely, we address both (1) how to completely evaluate SQLIA security systems in order to obtain useful results, and subsequently a better level of security, by proposing a novel evaluation methodology, and (2) how to be safe from SQLIAs by creating and presenting, as a case study of our evaluation procedure, an effective tool for detecting and preventing known as well as new SQL injection attacks.
The proposed evaluation methodology is general and adaptable to any security tool for the detection or prevention of SQLIAs. It is a complete step-by-step procedure that provides a guideline to test and assess important characteristics such as efficiency, effectiveness, stability, flexibility and performance, and it yields usable and comparable results with which to properly judge the tested tool. In addition, as a case study of our methodology, we present the evaluation of our tool, which we have named SQLPrevent; it dynamically detects SQL injection attacks using a heuristic approach and blocks the corresponding SQL statements from being submitted to the back-end database. In our experiments, SQLPrevent produced no false positives or false negatives, achieved a 100% detection and prevention rate measured on different types of SQLIAs, is environment independent, and imposed on average a 0.3% performance overhead.


Degree: Master's degree (Laurea liv. II, specialistica)

Faculty: Engineering

Author: Fabrizio Monticelli

181 pages.

This thesis has received 531 clicks since 07/11/2008.

Consulted in full once.

Available in PDF; consultation is exclusively in digital format.