SQL Injection Attacks (SQLIAs) have been described as one of the most serious attacks on web applications. Vulnerability to SQLIA allows an attacker to directly access the database underlying a web application and modify or expose sensitive information. A proficient attacker can even use an SQLIA to completely compromise the host system. To detect and prevent SQLIA, we introduce the Analysis for Monitoring and NEutralizing SQL Injection Attacks (AMNESIA), a fully automated tool for protecting web applications against SQLIA. AMNESIA uses a model-based approach that combines static analysis and runtime monitoring. Our evaluation results have shown AMNESIA to be highly effective at protecting web applications from a wide range of SQLIA.

AMNESIA is a general technique that is able to detect and prevent all types of SQL Injection Attacks (SQLIA). It is a model-based technique that combines static analysis and runtime monitoring. AMNESIA uses static analysis to build models of the different types of queries an application can generate at each database call point. At runtime, all queries to the database are intercepted and compared against the statically built models. Queries that violate the model represent potential SQLIAs and are prevented from executing on the database.

The key intuition behind the approach is that (1) the source code contains enough information to infer models of the expected, legitimate SQL queries generated by the application, and (2) an SQLIA, by injecting additional SQL statements into a query, would violate such a model.

Four main steps:
  1. Identify hotspots: Scan the application code to identify hotspots--points in the application code that issue SQL queries to the underlying database.
  2. Build SQL-query models: For each hotspot, build a model that represents all the possible SQL queries that may be generated at that hotspot. A SQL-query model is a non-deterministic finite-state automaton in which the transition labels consist of SQL tokens (SQL keywords and operators), delimiters, and placeholders for string values.
  3. Instrument Application: At each hotspot in the application, add calls to the runtime monitor.
  4. Runtime monitoring: At runtime, check the dynamically-generated queries against the SQL-query model and reject and report queries that violate the model.
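
An added example, not AMNESIA's own code, of steps 2 and 4: a SQL-query model as a non-deterministic automaton over tokens, and the runtime check of generated queries against it. The hotspot, its two query shapes, the table and column names, and the tokenizer rules are assumptions; the model is written by hand here, where AMNESIA derives it by static analysis.

```python
import re

VAR = "β"  # placeholder label for any string value supplied at runtime

# SQL tokens: quoted string ('' is an escaped quote), comment, word, or single symbol.
TOKEN = re.compile(r"(?P<str>'(?:[^']|'')*')|(?P<cmt>--.*)|(?P<word>\w+)|(?P<sym>\S)")

def tokenize(query):
    """Split a query the way the database would; string contents collapse to VAR."""
    tokens = []
    for m in TOKEN.finditer(query):
        if m.lastgroup == "str":
            tokens += ["'", VAR, "'"]          # delimiter, placeholder, delimiter
        elif m.lastgroup == "word":
            tokens.append(m.group().upper())   # keywords and identifiers, case-folded
        else:
            tokens.append(m.group())           # operators, stray quotes, comments
    return tokens

def build_model(paths):
    """Union of token paths as an NFA {state: [(label, next)]} with start state 0."""
    nfa, accepting, fresh = {}, set(), 1
    for path in paths:
        state = 0
        for label in path:
            nfa.setdefault(state, []).append((label, fresh))
            state, fresh = fresh, fresh + 1
        accepting.add(state)
    return nfa, accepting

def monitor(model, query):
    """Runtime check at a hotspot: True lets the query run, False rejects it."""
    nfa, accepting = model
    current = {0}
    for tok in tokenize(query):
        current = {nxt for s in current for label, nxt in nfa.get(s, []) if label == tok}
        if not current:
            return False                        # no transition: query violates the model
    return bool(current & accepting)

# Constructed model for one hypothetical hotspot whose code can emit two query shapes.
LOGIN_MODEL = build_model([
    "SELECT INFO FROM USERS WHERE LOGIN = ' β ' AND PASS = ' β '".split(),
    "SELECT INFO FROM USERS WHERE LOGIN = ' β '".split(),
])

if __name__ == "__main__":
    for q in ["SELECT info FROM users WHERE login='alice' AND pass='s3cret'",
              "SELECT info FROM users WHERE login='' OR 1=1 --' AND pass=''"]:
        print("allow " if monitor(LOGIN_MODEL, q) else "REJECT", q)
```

Input that stays inside its string delimiters, including text that looks like SQL, matches the placeholder and passes; input that closes the string and adds tokens leaves the automaton and is rejected.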

Evaluation

Note that this is an expanded version of the testbed used in the ASE paper. It includes the applications mentioned in the ASE paper and also the attacks and legitimate accesses referenced in our WASP paper (FSE 2006).

Papers related to AMNESIA:

AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks
W. Halfond and A. Orso
Automated Software Engineering (ASE 2005)

Preventing SQL Injection Attacks Using AMNESIA
W. Halfond and A. Orso
International Conference on Software Engineering (ICSE 2006) - Formal Demo

Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks
W. Halfond and A. Orso
Workshop on Dynamic Analysis (WODA 2005)