A key challenge to widespread adoption of service oriented architectures and supporting Web services technologies is the issue of maintaining consistency of interacting, long running, autonomous business processes that constitute distributed applications, in the presence of application level failures, concurrent activities and other exceptional events. One of the main sources of inconsistency is the non-conformance between business processes and their external behaviors, expressed through service contracts. Today, the onus is on the programmers to write complex code to handle such non-conformance due to shortcomings in supporting tools and technologies. This paper addresses this problem in the context of consistency requirements, firstly, by describing the relationships between the business process workflow and Web service contracts, and then by providing a prototype tool that checks the conformance between them.
{"title":"Checking conformance between business processes and Web service contract in service oriented applications","authors":"Jenny Bhuiyan, S. Nepal, J. Zic","doi":"10.1109/ASWEC.2006.20","DOIUrl":"https://doi.org/10.1109/ASWEC.2006.20","url":null,"abstract":"A key challenge to widespread adoption of service oriented architectures and supporting Web services technologies is the issue of maintaining consistency of interacting, long running, autonomous business processes that constitute distributed applications, in the presence of application level failures, concurrent activities and other exceptional events. One of the main sources of inconsistency is the non-conformance between business processes and their external behaviors, expressed through service contracts. Today, the onus is on the programmers to write complex code to handle such non-conformance due to shortcomings in supporting tools and technologies. This paper addresses this problem in the context of consistency requirements, firstly, by describing the relationships between the business process workflow and Web service contracts, and then by providing a prototype tool that checks the conformance between them.","PeriodicalId":285684,"journal":{"name":"Australian Software Engineering Conference (ASWEC'06)","volume":"4 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2006-04-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115320198","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
An SQL injection attack targets interactive Web applications that employ database services. These applications accept user inputs and use them to form SQL statements at runtime. During an SQL injection attack, an attacker might provide malicious SQL query segments as user input which could result in a different database request. By using SQL injection attacks, an attacker could thus obtain and/or modify confidential/sensitive information. An attacker could even use a SQL injection vulnerability as a rudimentary IP/Port scanner of the internal corporate network. Several papers in literature have proposed ways to prevent SQL injection attacks in the application layer by examining dynamic SQL query semantics at runtime. However, very little emphasis is laid on securing stored procedures in the database layer which could also suffer from SQL injection attacks. Some papers in literature even refer to stored procedures as a remedy against SQL injection attacks. As stored procedures reside on the database front, the methods proposed by them cannot be applied to secure stored procedures themselves. In this paper, we propose a novel technique to defend against the attacks targeted at stored procedures. This technique combines static application code analysis with runtime validation to eliminate the occurrence of such attacks. In the static part, we design a stored procedure parser, and for any SQL statement which depends on user inputs, we use this parser to instrument the necessary statements in order to compare the original SQL statement structure to that including user inputs. The deployment of this technique can be automated and used on a need-only basis. We also provide a preliminary evaluation of the results of the technique proposed, as performed on several stored procedures in the SQL Server 2005 database.
SQL注入攻击的目标是使用数据库服务的交互式Web应用程序。这些应用程序接受用户输入,并在运行时使用它们来形成SQL语句。在SQL注入攻击期间,攻击者可能会提供恶意SQL查询段作为用户输入,从而导致不同的数据库请求。通过使用SQL注入攻击,攻击者可以获取和/或修改机密/敏感信息。攻击者甚至可以使用SQL注入漏洞作为内部公司网络的基本IP/端口扫描器。文献中的几篇论文提出了通过在运行时检查动态SQL查询语义来防止应用层中的SQL注入攻击的方法。然而,很少强调数据库层中的存储过程的安全,因为它们也可能遭受SQL注入攻击。文献中的一些论文甚至将存储过程称为对抗SQL注入攻击的补救措施。由于存储过程位于数据库前端,因此它们提出的方法不能应用于保护存储过程本身。在本文中,我们提出了一种新的技术来防御针对存储过程的攻击。该技术将静态应用程序代码分析与运行时验证相结合,以消除此类攻击的发生。在静态部分,我们设计了一个存储过程解析器,对于任何依赖于用户输入的SQL语句,我们使用这个解析器来检测必要的语句,以便将原始SQL语句结构与包含用户输入的SQL语句结构进行比较。这种技术的部署可以自动化,并且只在需要的基础上使用。我们还对所提出的技术的结果进行了初步评估,并在SQL Server 2005数据库中的几个存储过程上进行了测试。
{"title":"Preventing SQL injection attacks in stored procedures","authors":"Ke Wei, M. Muthuprasanna, S. Kothari","doi":"10.1109/ASWEC.2006.40","DOIUrl":"https://doi.org/10.1109/ASWEC.2006.40","url":null,"abstract":"An SQL injection attack targets interactive Web applications that employ database services. These applications accept user inputs and use them to form SQL statements at runtime. During an SQL injection attack, an attacker might provide malicious SQL query segments as user input which could result in a different database request. By using SQL injection attacks, an attacker could thus obtain and/or modify confidential/sensitive information. An attacker could even use a SQL injection vulnerability as a rudimentary IP/Port scanner of the internal corporate network. Several papers in literature have proposed ways to prevent SQL injection attacks in the application layer by examining dynamic SQL query semantics at runtime. However, very little emphasis is laid on securing stored procedures in the database layer which could also suffer from SQL injection attacks. Some papers in literature even refer to stored procedures as a remedy against SQL injection attacks. As stored procedures reside on the database front, the methods proposed by them cannot be applied to secure stored procedures themselves. In this paper, we propose a novel technique to defend against the attacks targeted at stored procedures. This technique combines static application code analysis with runtime validation to eliminate the occurrence of such attacks. In the static part, we design a stored procedure parser, and for any SQL statement which depends on user inputs, we use this parser to instrument the necessary statements in order to compare the original SQL statement structure to that including user inputs. The deployment of this technique can be automated and used on a need-only basis. We also provide a preliminary evaluation of the results of the technique proposed, as performed on several stored procedures in the SQL Server 2005 database.","PeriodicalId":285684,"journal":{"name":"Australian Software Engineering Conference (ASWEC'06)","volume":"28 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2006-04-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133190919","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: