The Journey of a Malicious HTTP Request

Authors: M. Mansouri, P. Jaklitsch, E. Teiniker

Abstract:

SQL injection is a very popular kind of attack on web applications. Mechanisms such as intrusion detection systems exist to detect this attack, but these strategies often rely on techniques implemented at the high layers of the application and do not consider the low level of system calls. The problem with considering only the high-level perspective is that an attacker can circumvent the detection tools using techniques such as URL encoding. One technique currently used for detecting low-level attacks on privileged processes is the tracing of system calls. System calls act as a single gate to the Operating System (OS) kernel; they allow the critical data to be captured at an appropriate level of detail. Our basic assumption is that any type of application, be it a system service, a utility program or a web application, “speaks” the language of system calls when having a conversation with the OS kernel. At this level we can see the actual attack while it is happening. We conduct an experiment to demonstrate the suitability of system call analysis for detecting SQL injection, and we are able to detect the attack. Therefore we conclude that system calls are not only powerful in detecting low-level attacks but also enable us to detect high-level attacks such as SQL injection.
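As an added illustration of the abstract's argument (this is not code from the paper), the Python detector below parses constructed strace-style lines from a web process: a pattern match on the raw HTTP request misses the URL-encoded payload, while the same pattern applied to the COM_QUERY text the process writes to the MySQL socket sees the decoded injection. The file descriptors, the trace lines and the tautology regular expression are assumptions made for the example.

```python
import re
from urllib.parse import unquote
# Constructed strace-style lines (not from the paper): the web process reads a
# request with a URL-encoded payload on fd 4, then sends the query it built to
# the MySQL socket on fd 6 (4-byte packet header, COM_QUERY byte 0x03, SQL text).
SAMPLE_TRACE = [
    'read(4, "GET /login?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1\\r\\n", 8192) = 57',
    'sendto(6, "\\x34\\x00\\x00\\x00\\x03SELECT * FROM users WHERE name = \'admin\' OR \'1\'=\'1\'", 56, MSG_DONTWAIT, NULL, 0) = 56',
    'read(4, "GET /login?user=bob HTTP/1.1\\r\\n", 8192) = 30',
    'sendto(6, "\\x27\\x00\\x00\\x00\\x03SELECT * FROM users WHERE name = \'bob\'", 43, MSG_DONTWAIT, NULL, 0) = 43',
]

SYSCALL_RE = re.compile(r'^(?P<name>\w+)\((?P<fd>\d+), "(?P<buf>(?:[^"\\]|\\.)*)"')
# Tautology-style injection: a string literal closed early, then OR/AND 'x'='x'.
TAUTOLOGY_RE = re.compile(r"'\s*(?:OR|AND)\s*'[^']*'\s*=\s*'", re.IGNORECASE)

def parse_trace_line(line):
    """Return (syscall, fd, buffer bytes), or None if the line carries no buffer."""
    m = SYSCALL_RE.match(line)
    if not m:
        return None
    # strace escapes the buffer like a C string; unicode_escape undoes \xHH, \r, \n, \".
    raw = m.group("buf").encode("latin-1").decode("unicode_escape").encode("latin-1")
    return m.group("name"), int(m.group("fd")), raw

def extract_query(syscall, fd, raw, db_fd=6):
    """SQL text if the event is a COM_QUERY (0x03) packet written to the database socket."""
    if syscall in ("write", "sendto") and fd == db_fd and len(raw) > 5 and raw[4] == 0x03:
        return raw[5:].decode("utf-8", errors="replace")
    return None

def looks_injected(text):
    return TAUTOLOGY_RE.search(text) is not None

def analyze(trace_lines, http_fd=4, db_fd=6, decode_http=False):
    """Pattern-match the raw HTTP request (as a filter would) versus the SQL seen at syscall level."""
    http_alerts, syscall_alerts = [], []
    for syscall, fd, raw in filter(None, map(parse_trace_line, trace_lines)):
        if syscall == "read" and fd == http_fd:
            request = raw.decode("latin-1")
            if decode_http:  # a filter that decodes first would also see the payload
                request = unquote(request)
            if looks_injected(request):
                http_alerts.append(request.split("\r\n")[0])
        sql = extract_query(syscall, fd, raw, db_fd)
        if sql is not None and looks_injected(sql):
            syscall_alerts.append(sql)
    return {"http_layer_alerts": http_alerts, "syscall_layer_alerts": syscall_alerts}
```

Running `analyze(SAMPLE_TRACE)` yields no request-level alert but one syscall-level alert carrying the decoded query; the same trace with `decode_http=True` shows that a request filter which decodes before matching would also have caught it.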

Keywords: Linux system calls, Web attack detection, Interception.

Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1096043

