Type of Document: Master's Thesis
Author: Thomas, Stephen
Author's Email Address: smthomas@ncsu.edu
URN: etd-11062007-151028
Title: Using Automated Fix Generation to Mitigate SQL Injection Vulnerabilities
Degree: Master of Science
Graduate Program: Computer Science

Advisory Committee
- Laurie Williams (Committee Chair)

Keywords
- prepared statement
- automated fix generation
- SQL injection

Date of Defense: 2007-11-01
Availability: unrestricted

Abstract
Since 2002, over 10% of all reported cyber vulnerabilities have been SQL injection vulnerabilities (SQLIVs). Since most developers are not experienced software security practitioners, a
solution for correctly removing SQLIVs that does not require security expertise is desirable.
In this paper, a prepared statement replacement algorithm for removing SQLIVs by replacing
SQL statements with prepared SQL statements is described. Prepared SQL statements have a
static structure and take type-specific input parameters, which prevents SQL injection attack
input from changing the structure and logic of a statement. The prepared statement
replacement algorithm is evolved over the course of preparing for and analyzing the results
of four formative and evaluative case studies. Each algorithm version was tested by
converting projects and then testing the converted projects for security, functional
equivalence, and logical equivalence of the SQL statements. The converted applications were found to be secure,
functionally equivalent, and logically equivalent in comparison to the original applications.
Additionally, the final algorithm version was implemented by an automated fix generation
code generator, which converted the last two case study projects without direct developer
intervention. Finally, the assumptions and limitations of the final algorithm as well as the fix generation code generator are detailed.
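The abstract's central claim is that a prepared statement has a static structure and takes typed parameters, so attack input can only ever be compared as data. The following example, added here and not taken from the thesis or its code generator, shows the "before" (string-concatenated) and "after" (prepared) forms of a login query side by side, plus a deliberately simplified sketch of the replacement idea. It assumes Python's sqlite3 module as a stand-in for whatever database API the thesis targets (the page does not say), and the database rows, the `Param` marker, the `to_prepared` helper and the attack string are all constructed for illustration, not taken from the thesis.

```python
import sqlite3


def make_db():
    """Constructed in-memory database (not from the thesis) with one user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 's3cret')")
    conn.commit()
    return conn


def login_concat(conn, name, password):
    """'Before' form: the statement is assembled by string concatenation, so
    attacker-controlled text becomes part of the statement's structure."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


class Param:
    """Hypothetical marker: this fragment is a runtime value to be bound, not SQL text."""
    def __init__(self, value):
        self.value = value


def to_prepared(fragments):
    """Simplified illustration of the conversion idea (NOT the thesis's
    algorithm): static SQL text is kept verbatim, every Param becomes a '?'
    placeholder, and the values are collected in order for binding."""
    text, values = [], []
    for frag in fragments:
        if isinstance(frag, Param):
            text.append("?")
            values.append(frag.value)
        else:
            text.append(frag)
    return "".join(text), tuple(values)


def login_prepared(conn, name, password):
    """'After' form: the statement text is fixed at write time; name and
    password are bound as data and can never alter the WHERE logic."""
    sql, params = to_prepared([
        "SELECT COUNT(*) FROM users WHERE name = ", Param(name),
        " AND password = ", Param(password),
    ])
    return conn.execute(sql, params).fetchone()[0] > 0


def user_by_id_prepared(conn, user_id):
    """Type-specific parameter: the id must be an int before it is bound, so
    a string such as "1 OR 1=1" is rejected instead of being executed."""
    if not isinstance(user_id, int):
        raise TypeError("user_id must be an int")
    row = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None


# Constructed attack input: closes the password literal and appends a tautology.
ATTACK = "' OR '1'='1"


def demo():
    conn = make_db()
    return {
        "legit_concat": login_concat(conn, "alice", "s3cret"),
        "legit_prepared": login_prepared(conn, "alice", "s3cret"),
        "attack_concat": login_concat(conn, "alice", ATTACK),      # True: auth bypassed
        "attack_prepared": login_prepared(conn, "alice", ATTACK),  # False: attack is just data
        "by_id": user_by_id_prepared(conn, 1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the concatenated form the attack string turns the predicate into `name = 'alice' AND password = '' OR '1'='1'`, which matches every row; with the prepared form the same string is compared literally against the password column and matches nothing, while the legitimate credentials still succeed in both. This is the functional-equivalence property the abstract reports: the converted query returns the same results for well-formed input and only differs under attack.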
Files
Filename: etd.pdf
Size: 533.20 Kb
Approximate Download Time (Hours:Minutes:Seconds)
- 28.8 Modem: 00:02:28
- 56K Modem: 00:01:16
- ISDN (64 Kb): 00:01:06
- ISDN (128 Kb): 00:00:33
- Higher-speed Access: 00:00:02