TRANSCRIPT
CS327E: Elements of Databases
Cybersecurity and SQL Injection
Dr. Bill Young
Department of Computer Sciences
University of Texas at Austin
Last updated: October 31, 2016 at 12:21
CS327E SQL Injection Slideset: 1 SQL Injection
What I’d Like to Discuss
Why cyber security is important
Why cyber security is hard
SQL Injection
From the Headlines
Silent War, Vanity Fair, July 2013
On the hidden battlefields of history’s first known cyber-war, the casualties are piling up. In the U.S., many banks have been hit, and the telecommunications industry seriously damaged, likely in retaliation for several major attacks on Iran.
Washington and Tehran are ramping up their cyber-arsenals, built on a black-market digital arms bazaar, enmeshing such high-tech giants as Microsoft, Google, and Apple.
From the Headlines
U.S. Not Ready for Cyberwar Hostile Attackers Could Launch, The Daily Beast, 2/21/13
Leon Panetta says future attacks could plunge the U.S. into chaos. We’re not prepared. If the nightmare scenario becomes suddenly real ... If hackers shut down much of the electrical grid and the rest of the critical infrastructure goes with it ...
If we are plunged into chaos and suffer more physical destruction than 50 monster hurricanes and economic damage that dwarfs the Great Depression ... Then we will wonder why we failed to guard against what outgoing Defense Secretary Leon Panetta has termed a “cyber-Pearl Harbor.”
The U.S. at Risk?
Experts believe that the U.S. is perhaps particularly vulnerable to cyberattack compared to many other countries. Why?
The U.S. is highly dependent on technology.
Sophisticated attack tools are easy to come by.
A lot of critical information is available on-line.
Critical infrastructure may be accessible remotely.
Other nations exercise more control over information and resources.
How Bad Is It?
Cyberwarfare greater threat to US than terrorism, say security experts, Al Jazeera America, 1/7/14
Cyberwarfare is the greatest threat facing the United States — outstripping even terrorism — according to defense, military, and national security leaders in a Defense News poll.
45 percent of the 352 industry leaders polled said cyberwarfare is the gravest danger to the U.S., underlining the government’s shift in priority—and resources—toward the burgeoning digital arena of warfare.
Is Cyber Security Particularly Hard?
Why would cybersecurity be any harder than other technological problems?
Partial answer: Most technological problems are concerned with ensuring that something good happens. Security is all about ensuring that bad things never happen.
To ensure that, you have to know what all the bad things are!
Cyber Defense is Asymmetric
In cybersecurity, you have to defeat an actively malicious adversary.
The defender has to find and eliminate all exploitable vulnerabilities; the attacker only needs to find one!
Cyber Security is Tough
Perfect security is unachievable in any useful system. We trade off security against other important goals: functionality, usability, efficiency, time-to-market, and simplicity.
Is It Getting Better?
“The three golden rules to ensure computer security are: do not own a computer; do not power it on; and do not use it.” –Robert H. Morris (mid 1980’s), former chief scientist of the National Computer Security Center
“Unfortunately the only way to really protect [your computer] right now is to turn it off, disconnect it from the Internet, encase it in cement and bury it 100 feet below the ground.” –Prof. Fred Chang (2009), former director of research at NSA
Some Sobering Facts
There is no completely reliable way to tell whether a given piece of software contains malicious functionality.
Once PCs are infected they tend to stay infected. The median length of infection is 300 days.
“The number of detected information security incidents has risen 66% year over year since 2009. In the 2014 survey, the total number of security incidents detected by respondents grew to 42.8 million around the world, up 48% from 2013—an average of 117,339 per day.” (CGMA Magazine, 10/8/2014)
The Cost of Data Breaches
The Privacy Rights Clearinghouse’s Chronology of Data Breaches (January, 2012) estimates that more than half a billion sensitive records have been breached since 2005. This is actually a very “conservative estimate.”
The Ponemon Institute estimates that the approximate current cost per record compromised is around $318.
“A billion here, a billion there, and pretty soon you’re talking real money” (attributed to Sen. Everett Dirksen)
How Bad Could it Be?
Some security experts warn that a successful widespread attack on U.S. computing infrastructure could largely shut down the U.S. economy for up to 6 months.
It is estimated that the destruction from a single wave of cyberattacks on U.S. critical infrastructures could exceed $700 billion USD—the equivalent of 50 major hurricanes hitting U.S. soil at once. (Source: US Cyber Consequences Unit)
CyberAttacks: An Existential Threat?
Cyberattacks an ’Existential Threat’ to U.S., FBI Says, Computerworld, 3/24/10
A top FBI official warned today that many cyber-adversaries of the U.S. have the ability to access virtually any computer system, posing a risk that’s so great it could “challenge our country’s very existence.”
According to Steven Chabinsky, deputy assistant director of the FBI’s cyber division: “The cyber threat can be an existential threat—meaning it can challenge our country’s very existence, or significantly alter our nation’s potential.”
Structure of an SQL Injection?
What is SQL Injection?
An SQL injection is a vulnerability that results when you give an attacker the ability to influence the SQL queries that you pass to the database: untrusted input becomes part of the query text and is parsed as SQL, rather than being handled purely as data.
They’ve been around a long time. In 1998, Rain Forest Puppy wrote an article for Phrack titled “NT Web Technology Vulnerabilities” that first highlighted SQL injection attacks.
Web Application Structure
Most Web applications are interactive, accepting input from the user.
Many are also database driven, meaning that they query a database in response to user input.
Web applications often have three tiers:
1 presentation tier: interface (e.g. web browser) accepting user inputs;
2 middle (logic) tier: services user requests by presenting queries to the database;
3 data tier: database processing queries from the logic tier.
Accepting User Input
Many web applications accept user input from online forms, search boxes, etc. The user is free to type in any text, including characters such as quotes and semicolons that have special meaning to SQL.
The application interprets that text to generate an appropriate response.
Simple SQLi Example
Scenario 1: an online retailer provides an option to search for products of interest, including those less than a given price.
E.g. to view all products of cost less than $100, the user inputs:
Products: all
Cost below: 100
In response, the interface produces the URL:
http://www.dupe.com/products.php?val=100
Simple SQLi Example
In response to this HTTP request
http://www.dupe.com/products.php?val=100
the middle layer code (products.php) generates a query to the data layer:
SELECT *
FROM Products
WHERE Price < '100'
ORDER BY ProductDescription;
Simple SQLi Example (Continued)
But suppose the attacker types:
Products: all
Cost below: 100’ OR ’1’=’1
The system generates the following HTTP request:
http://www.dupe.com/products.php?val=100' OR '1'='1
Simple SQLi Example (Continued)
A careless middle layer might produce this query for the data layer:
SELECT *
FROM Products
WHERE Price < '100' OR '1'='1'
ORDER BY ProductDescription;
Now the user sees all products, not just those under $100.
What Went Wrong?
The middle layer accepted user input and incorporated it directly into a database query, without checking for acceptability. The quote character in the input closed the string literal the developer intended, so the rest of the input became part of the query's logic instead of a value to compare against.
But who cares? So what if the user sees all products rather than a select set?
SQLi Example 2
Scenario 2: the retailer’s login interface checks username / password against records in the database.
Username: foo
Password: bar
From this the presentation layer produces the HTTP request:
http://www.dupe.com/login.php?user=foo&passwd=bar
SQLi Example 2
http://www.dupe.com/login.php?user=foo&passwd=bar
From this the middle layer (login.php) generates:
SELECT userid
FROM CMSUsers
WHERE user = 'foo' AND passwd = 'bar';
The user is granted access only if the database returns more than zero records.
SQLi Example 2 (Continued)
The attacker types:
Username: foo
Password: any’ OR ’1’=’1
where foo is any legitimate user.
From this the interface generates the HTTP request:
http://www.dupe.com/login.php?user=foo&passwd=any' OR '1'='1
A careless middle layer could send this query to the data layer:
SELECT userid
FROM CMSUsers
WHERE user = 'foo' AND passwd = 'any' OR '1'='1';
Because AND binds more tightly than OR, the WHERE clause reads (user = 'foo' AND passwd = 'any') OR '1'='1', which is true for every row. The query returns every userid in CMSUsers, the "more than zero records" check passes, and the attacker is granted access to the system without knowing any password.
SQLi Example 3
Scenario 3: a business allows a logged-in customer to access that customer’s data:
Get Data for Customer: 17
http://www.dupe.com/customer.php?userid=17
This generates the database query:
SELECT *
FROM userinfo
WHERE userid = 17;
SQLi Example 3 (Continued)
Instead the customer types:
Get Data for Customer: 17; DROP TABLE users
which generates the HTTP request:
http://www.dupe.com/customer.php?userid=17; DROP TABLE users
A careless middle layer might send this query to the data layer:
SELECT *
FROM userinfo
WHERE userid = 17; DROP TABLE users;
Some database systems and client libraries allow multiple statements to be executed with one call in this way ("stacked queries"); where the driver executes only one statement per call, this particular payload fails, but the input is still being parsed as SQL. Note also that this input needed no quote character: the userid was spliced into the query as a bare number, so quoting alone would not have helped.
Do You Get It?
What is this cartoon about? Would this attack work?
How Common are They?
The SANS Institute has consistently ranked SQL injection as the most dangerous software error.
Not everyone agrees! WhiteHat Security founder Jeremiah Grossman said:
“SQL injection, for all the damage that it causes, is actually not in our top 10 when it comes to strict prevalence. It’s number 14 at 7 percent of websites.”
Examples of Attacks
March, 2008; Heartland Payment Systems: 134 million credit cards exposed
February, 2014; AVS TV: 40,000 accounts
February, 2014; United Nations Internet Governance Forum: 3,215 account details leaked
February, 2014; Spirol International: 70,000 user accounts compromised
August 2014, Hold Security: disclosed theft of confidential information from nearly 420,000 websites
How to Counter SQL Injection
Countering SQLi Flaws
There are two primary means of avoiding SQL injection attacks:
1 Avoid the use of dynamic SQL queries entirely. I.e., don’t generate queries on the fly by concatenating user supplied inputs into the query text.
2 Prevent user-supplied input from affecting query logic by sanitizing it: validate and escape it so that it can only ever be interpreted as data, never as part of the query.
Prevent SQL Injection
Use parameterized statements (prepared statements): instead of embedding user input in the query text, the query is sent with placeholders and the values are bound separately, with associated types. The database parses the fixed query once and never interprets the bound values as SQL, so a quote or semicolon in the input stays ordinary data.
Enforce least privilege: minimize the privileges assigned to database accounts. E.g., very few accounts require privilege to delete tables, so the account a web application uses for product searches or logins should not have it; an injection can then do no more than that account is allowed to do.
Prevent SQL Injection
Escape user supplied input: characters with special meaning to SQL are “escaped” to ensure that they are not treated as code, but as data. Use the database driver's own escaping routine, since the rules differ between database systems, and treat escaping as a fallback for the rare case where a value cannot be bound as a parameter (e.g. a table or column name).
Perform input validation: check user input against a set of predefined rules for length, type, and syntax (e.g. a price or customer id must be a number) and reject anything that does not conform, before it gets anywhere near a query.
Conclusions
Cyber attacks are a serious threat to the U.S. and other states.
The nature of the Internet makes cyber attacks powerful, difficult to counter, and difficult to attribute.
SQL Injection is one method of cyberattack that is pervasive and extremely dangerous.
There are good technical solutions you can employ to protect your data.
Treaties and legal frameworks have not kept pace with the threat. Promising theories and approaches are developing to help the international community cope.