Synthesis of Allowlists for Runtime Protection against SQLi
Synthesis of Allowlists for Runtime Protection against SQLi
13 April 2024
Data is the new oil. This metaphor is commonly used to highlight the fact that data is a highly valuable commodity. Nowadays, much of worldwide data sits in SQL databases and transits through web-based applications of all kinds. As the value of data increases and attracts more attention from malicious actors, application protections against SQL injections need to become more sophisticated. Although SQL injections have been known for many years, they are still one of the top security vulnerabilities. For example, in 2022 more than 1000 CVEs related to SQL injection were reported. We propose a runtime application protection approach that infers and constrains the information that can be disclosed by database-backed applications. Where existing approaches use syntax or hand-crafted features as a proxy for information disclosure, we propose a lightweight information disclosure model that faithfully captures the semantics of SQL and achieves finer-grain security.
Venue : New Ideas and Emerging Results (NIER) track of International Conference on Software Engineering (ICSE)
File Name : icse-nier-24.pdf