Augmented Attack Tree Modeling of SQL Injection Attacks

by Jungh K
For this week’s blog assignment, I read an article titled “Augmented Attack Tree Modeling of SQL Injection Attacks”.  The authors state that SQLIAs (SQL Injection Attacks) are the most frequently used and most damaging attack method according to the OWASP 2010 report.  Although conventional attack trees are widely used, they lack sufficient information for analyzing SQLIAs, so the authors propose augmented attack tree modeling to “link regular expressions capturing generic signatures to different types of SQLIAs”.  The authors outline seven types of SQLIAs: tautologies, illegal/logically incorrect queries, UNION queries, piggy-backed queries, stored procedures, inference, and alternate encodings.  They also state that any one of these attack types can serve the following ten attack goals: identify injectable parameters, identify database fingerprints, determine the database schema, extract data, add or modify data, perform DoS, evade detection, bypass authentication, execute remote commands, and escalate privilege.

To categorize the attack types, the authors use regular expressions to define specific signatures.  For instance, a tautology attack needs three key parts to work, so a regular expression that catches an OR, a true condition, and a comment mark in the injected code is defined as the signature for tautology attacks.  The authors lay out specific regular expressions for five of the seven attack types discussed in the article.  According to the authors, this approach captures the attack types in addition to the states of an attack, whereas conventional attack trees can display only the states.  Augmented attack tree modeling can therefore be applied to evaluate and study all the possible threats.
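To make the idea concrete, here is an added example (my own illustration, not code from the article) of a small augmented attack tree whose leaves carry regex signatures, with a tautology signature built from the three parts described above.  The UNION-query pattern, the tree layout and the sample inputs are my assumptions; the article’s own regular expressions are not reproduced.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class AttackNode:
    """One node of an augmented attack tree: a goal (inner node) or an
    attack type (leaf) carrying the regex signature linked to it."""
    name: str
    signature: Optional[re.Pattern] = None
    children: list = field(default_factory=list)

# Tautology signature built from the three parts the paper names for this
# attack type: an OR keyword, an always-true condition, and a comment mark.
# The backreference requires a literal compared with itself, so "OR 1=2"
# (not a tautology) is not flagged. The exact pattern is an assumption.
TAUTOLOGY_RE = re.compile(
    r"\bor\b\s*(?P<lit>'[^']*'|\d+)\s*=\s*(?P=lit)\s*(--|#|/\*)",
    re.IGNORECASE,
)
# UNION-query signature (an assumed pattern, not one taken from the paper).
UNION_RE = re.compile(r"\bunion\b(\s+all)?\s+select\b", re.IGNORECASE)

# A two-level fragment of an augmented tree: goals from the paper's list of
# ten as inner nodes, attack types from its list of seven as leaves.
TREE = AttackNode("SQL injection", children=[
    AttackNode("Bypass authentication", children=[
        AttackNode("Tautology", TAUTOLOGY_RE),
    ]),
    AttackNode("Extract data", children=[
        AttackNode("UNION query", UNION_RE),
        AttackNode("Tautology", TAUTOLOGY_RE),
    ]),
])

def matching_paths(node: AttackNode, payload: str, path=()) -> list:
    """Return every root-to-leaf path whose leaf signature matches payload,
    i.e. the attack paths in the tree that this input could be a step of."""
    path = path + (node.name,)
    if not node.children:
        hit = node.signature is not None and node.signature.search(payload)
        return [" > ".join(path)] if hit else []
    hits = []
    for child in node.children:
        hits.extend(matching_paths(child, payload, path))
    return hits

if __name__ == "__main__":
    # Constructed sample inputs: two benign values and two injection attempts.
    for value in ["O'Reilly", "blue or 1=2 --", "' OR '1'='1' --", "x' UNION SELECT 1,2 --"]:
        print(repr(value), "->", matching_paths(TREE, value) or "no signature matched")
```

Each matched path is a concrete branch of the tree, which is what lets a log entry be mapped to both an attack type and the goal it serves.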

This week’s topic on SQL is relevant to how SQL injection attacks are performed and which weaknesses need to be secured to prevent SQLIAs.  The augmented attack tree modeling approach is a comprehensive way to evaluate any security compromise of the target system.  Also, being generic, the approach can be extended to other security threats, such as those at the network and application levels.  SQLIAs have been an interest of mine since they apply virtually everywhere data is used these days.  Since there is no single comprehensive way to prevent SQLIAs, I believe that augmented attack tree modeling is suitable for detecting possible SQLIA paths.

*The figure above (an example of an augmented attack tree) is from the article.

J. Wang, R. C.-W. Phan, J. N. Whitley, and D. J. Parish, “Augmented attack tree modeling of SQL injection attacks,” in Proc. 2nd IEEE International Conference on Information Management and Engineering (ICIME), pp. 182-186, 16-18 April 2010, doi: 10.1109/ICIME.2010.5478321.