Electronic Theses and Dissertations

Identifier

1147

Author

Ramya Dharam

Date

2014

Date of Award

5-21-2014

Document Type

Dissertation (Access Restricted)

Degree Name

Doctor of Philosophy

Major

Computer Science

Committee Chair

Sajjan G Shiva

Committee Member

Scott Fleming

Committee Member

Vinhthuy Phan

Committee Member

Linda Sherrell

Abstract

The increasing use of web applications to provide reliable online services, such as banking, shopping, etc., and to store sensitive user data has made them vulnerable to attacks that target them. In particular, SQL injection, whihc allows attackers to gain unauthorized access to the database by injecting specially crafted input strings, is one of the most serious threats to web applications. Although researchers and practioners have proposed various menthods to address the SQL injection problem, organizations continue to be its victim, as attackers are successfully able to circumvent the employed techniques. In this research, we develop a Runtime Monitoring Framework to detect and prevent SQL Injection Attacks on web applications. At its core, the framework leverages the knowledge gained from pre-deployment testing of web applications to identify legal/valid execuiton paths. Monitors are then developed and instrumented to observe the application's behavior and check it for compliance with the valid/legal execution paths obtained; any deviation in the application's behavior is identified as a possible SQL Injection Attack. We conducted an extensive evaluation of the framework by targeting subject applications with a large number of both legitimate and malicious inputs, and assessed its ability to detect and prevent SQL Injection Attacks. The framework successfully allowed all the legitimate inputs to access the database without generating any false positives, and was able to effectively detect attacks without generating false negative. Moreover, the framework imposed a low runtime overhead on the subject applications compared to other techniques.

Comments

Data is provided by the student.

Library Comment

Dissertation or thesis originally submitted to the local University of Memphis Electronic Theses & dissertation (ETD) Repository.

Share

COinS