
An Efficient Implementation of Candidate Evaluation in a Java Environment

Capabilities of the Instrumented Environment

  • Prevents SQL Injection Attacks on Java/Tomcat based applications.
  • Detects the attacks and issues a warning in the form of an SQLException.
  • Provides this protection without any change to the application itself.
  • Very minor changes are required to the Java environment.
  • Experimental results have proved that this implementation has no significant performance overhead.
  • Functional experiments have proved that this environment is capable of protecting medium to large sized (4.5 KLOC - 17 KLOC) applications successfully.
  • The environment is resilient to legitimate inputs that look like attacks, i.e. there are no false positives.
  • All the attacks were detected successfully in functional testing, i.e. there were no false negatives.

Instrumented Environment Setup


Objective: The instrumented Java environment provides a layer of safety to the applications running in it. Once the instrumented environment has been set up, the application is automatically protected, and any SQL command injection attack (SQLCIA) on the application is signaled in the form of an SQLException, thereby preventing the execution of the malicious query.

  • Installation Requirements: Linux (glibc 2.4 or above), Apache Tomcat 6.0 and MySQL Server 5.0.
  • Installation Steps:
  • Error Messages: The following screen shots demonstrate the error messages shown in case of an SQLCIA or a malformed query:
Screenshot attack2.bmp: SQL Attack Detected
Screenshot RPF1.bmp: Query Parsing Failed
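The two outcomes shown above, as an added Python sketch of candidate evaluation following the CANDID approach (this is illustration code, not the page's Java/Tomcat implementation or the CANDID project's own code): the application's query builder is run on the real inputs and on benign candidate inputs of the same length, and the real query is released only when both results parse to the same structure. The tokenizer, `login_query` and the two exception classes are constructed for this example.

```python
import re

# A query's "structure" is its token-class sequence with literal values erased,
# so the same code path run on different benign inputs yields the same structure.
_TOKEN = re.compile(r"""
    (?P<str>'(?:[^']|'')*')              # string literal; '' is an escaped quote
  | (?P<num>\d+)                         # numeric literal
  | (?P<word>[A-Za-z_]\w*)               # keyword or identifier
  | (?P<comment>(?:--|\#)[^\n]*)         # comment to end of line
  | (?P<op>=|<>|<=|>=|<|>|\(|\)|,|;|\*)  # punctuation
  | (?P<ws>\s+)
""", re.VERBOSE)

class SqlParseError(Exception):
    """Query could not be tokenized (the page's 'Query Parsing Failed')."""

class SqlAttackDetected(Exception):
    """Real and candidate structures differ (the page's 'SQL Attack Detected')."""

def structure(query):
    """Token classes of query; keywords and punctuation keep their text, literals do not."""
    out, pos = [], 0
    while pos < len(query):
        m = _TOKEN.match(query, pos)
        if m is None:  # e.g. an unterminated quote
            raise SqlParseError("cannot parse near offset %d: %r" % (pos, query[pos:]))
        kind, pos = m.lastgroup, m.end()
        if kind != "ws":
            out.append((kind, m.group().upper() if kind in ("word", "op") else None))
    return out

def candidate_evaluate(build_query, *inputs):
    """Candidate evaluation: run the application's query construction on the real
    inputs and on benign candidate inputs of the same length, and release the real
    query only when both results have the same structure."""
    candidates = [("1" if s.isdigit() else "a") * len(s) for s in inputs]
    real, cand = build_query(*inputs), build_query(*candidates)
    if structure(real) != structure(cand):
        raise SqlAttackDetected(real)
    return real

def login_query(user, pw):
    """Constructed sample of an application's query builder (not from the page);
    it escapes the user name but concatenates the password unescaped."""
    return "SELECT * FROM users WHERE name='%s' AND pw='%s'" % (
        user.replace("'", "''"), pw)
```

A legitimate quote in an escaped field (O'Brien) keeps the same structure as its candidate and is allowed, while an unescaped field that changes the query's shape raises SqlAttackDetected and one that leaves a dangling quote raises SqlParseError.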

Project Report


The complete text of the project report can be found here.

External links


The CANDID Project
Harmony JDK 5.0
Apache Tomcat 6.0
MySQL Server 5.0

People


Megha Chauhan
V. N. Venkatakrishnan

Acknowledgments


Prithvi Bisht for his help and advice throughout the course of the project.
Jon Solworth for his time and support.
Developers at the Apache Harmony Project for their helpful insight into the Harmony JDK.
National Science Foundation grants CNS-0716584 and CNS-0551660.

r10 - 19 Jan 2009 - 02:04:42 - MeghaChauhan