A Secure Design Pattern Approach Toward Tackling Lateral-Injection Attacks
Chidera Biringa
University of Massachusetts Dartmouth, Dartmouth, USA
cbiringa@umassd.edu
Gökhan Kul
University of Massachusetts Dartmouth, Dartmouth, USA
gkul@umassd.edu
Abstract—Software weaknesses that create attack surfaces for adversarial exploits, such as lateral SQL injection (LSQLi) attacks, are usually introduced during the design phase of software development. Security design patterns are sometimes applied to tackle these weaknesses. However, due to the stealthy nature of lateral-based attacks, employing traditional security patterns to address these threats is insufficient. Hence, we present SEAL, a secure design that extrapolates architectural, design, and implementation abstraction levels to delegate security strategies toward tackling LSQLi attacks. We evaluated SEAL using case study software, where we assumed the role of an adversary and injected several attack vectors tasked with compromising the confidentiality and integrity of its database. Our evaluation of SEAL demonstrated its capacity to address LSQLi attacks.
Index Terms—Lateral-Injection, Lateral-SQLi
I. INTRODUCTION
SQL injection attacks constitute a specialized set of attacks where an adversary injects malicious inputs to compromise the security of software or a network [1]. An NTT report [2] presented in a case study that SQL injection attacks alone cost up to $196,000 to an anonymized national bank, which emphasizes the importance of robust defense systems. Common Weakness Enumeration (CWE) regularly spotlights various injection attack types on the top 25 most dangerous software weaknesses [3]. Common targets of injection attacks are software that allows the insertion of inputs, such as web applications. In 2021, The Open Web Application Security Project (OWASP) ranked injection attacks among the top 3 significant threats to the security of the web [4]. These attacks violate confidentiality, integrity, availability, and traceability (CIAT) security concerns. In severe cases, they can potentially lead to the total unavailability of critical services.
Lateral SQL Injection (LSQLi) attacks are derived from injection attacks where an adversary conducts exploits in fragments through time [5]. LSQLi differentiates itself from SQLi attacks by persistently adopting multiple attack strategies to compromise software security. After obtaining initial access, an adversary employs several malicious mechanisms to stealthily and progressively traverse the system, gaining elevated privileges and trust levels.
Secure design patterns have been used to prevent the accidental or intentional introduction of software weaknesses during the design phase of software development [6], [7]. However, to the best of our knowledge, no research has investigated tackling lateral-SQLi attacks from the design level. SQLi and lateral-SQLi attacks have been studied comprehensively: reliable solutions have been proposed [8], language-dependent measures such as prepared statements are adopted [9], and recently, machine learning-based approaches [10] have produced good results in this regard. The goal of this paper is to explore the application of a secure design pattern in addressing lateral SQLi attacks, not to propose concrete secure methods and algorithms that prevent lateral SQLi attacks from occurring.
Hence, we present a Secure DEsign pattern Approach towards tackling Lateral-injection attacks (SEAL). SEAL is a secure design pattern that decomposes user-level and security-level features into independent but collaborative components to tackle lateral-based in-band SQL injection attacks. We split SEAL into three zones: (i) Injection Zone (IZ), (ii) Sensitive Zone (SenZ), and (iii) Security Zone (SecZ). The IZ models a user interaction component through which a potential adversary injects single or multiple attack vectors to compromise software security. The SenZ is where we store and manage sensitive data, such as user credentials and authorization privileges. SecZ is the core component of SEAL, responsible for accommodating secure algorithms to tackle lateral-based SQLi; it provides for the insertion and deployment of concrete security algorithms.
Outline. In Section II, we describe the necessary background for this work. Sections III and IV detail the proposed design and the threat model analysis. Section V evaluates SEAL and Section VI concludes this paper.
II. BACKGROUND
Lateral SQLi Attacks: In-band Variant. Lateral in-band SQLi attacks are a variant of SQLi attacks. In this case, an adversary executes a lateral-augmented attack using traditional entry points. Technically adept adversaries typically employ several attack vectors and strategies when attacking a system, as in the case of Advanced Persistent Threats (APT) [11]. Thus, it is pertinent to have secure software systems that are reactive to the evolving behavior of attack strategies. For example, Figure 2 is a lateral SQLi attack tree that models adversarial attacks comprising a collection of SQLi methods. In this scenario, an adversary utilizes a multifaceted strategy involving the persistent injection and substitution of payloads until the attack has advanced and the compromise succeeds.
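As an added illustration (not the paper's own code, nor the SEAL implementation evaluated in Section V), the three-zone decomposition from the introduction combined with the fragmented-over-time strategy described above, in Python: SecZ keeps a per-session history so that fragments that are individually harmless are judged cumulatively, and SenZ is reached only through parameterised queries. The class names, the detection heuristic, the threshold and the sample data are assumptions made for this example.

```python
import re
import sqlite3
from collections import defaultdict

# SecZ heuristic (an assumption, not the paper's algorithm): inputs carrying
# SQL syntax or keywords count as suspicious fragments.
SUSPICIOUS = re.compile(r"'|--|;|\bunion\b|\bselect\b|\bor\b\s+\d+\s*=\s*\d+", re.I)

class SecurityZone:
    """SecZ: pluggable security logic plus per-session history, so fragments
    injected over time are judged together rather than one request at a time."""
    def __init__(self, threshold=2):
        self.threshold = threshold
        self.history = defaultdict(int)  # session id -> suspicious fragments seen

    def inspect(self, session, value):
        """Return True if the request may be forwarded to SenZ."""
        if SUSPICIOUS.search(value):
            self.history[session] += 1
        return self.history[session] < self.threshold

class SensitiveZone:
    """SenZ: holds the sensitive data; only parameterised queries reach it."""
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE users (name TEXT, role TEXT)")
        self.db.executemany("INSERT INTO users VALUES (?, ?)",  # constructed rows
                            [("alice", "admin"), ("bob", "user")])

    def role_of(self, name):
        # The value is bound as a parameter, never concatenated into SQL text.
        row = self.db.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()
        return row[0] if row else None

class InjectionZone:
    """IZ: the user-facing entry point; every input passes through SecZ first."""
    def __init__(self, secz, senz):
        self.secz, self.senz = secz, senz

    def lookup(self, session, name):
        if not self.secz.inspect(session, name):
            return "blocked"
        return self.senz.role_of(name)

def run_session(requests):
    """Replay (session, input) pairs in order; one result per request."""
    iz = InjectionZone(SecurityZone(threshold=2), SensitiveZone())
    return [iz.lookup(session, value) for session, value in requests]
```

A first suspicious fragment is forwarded but yields nothing because SenZ binds it as data; the second fragment in the same session trips the SecZ threshold and is blocked, while an unrelated session is unaffected.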
We demonstrate SEAL using an in-band SQLi attack. An in-band attack is the most typical of SQLi attacks. It describes an