PachyRand: SQL Randomization for the PostgreSQL JDBC Driver

PachyRand: PostgreSQL JDBC Randomization
Many websites are driven by web applications that deliver dynamic content stored in SQL databases. Such systems take input directly from the client via HTML forms. Without proper input validation, these systems are vulnerable to SQL injection attacks. The predominant defense against such attacks is better input validation. That strategy is unlikely to succeed on its own, because it depends on manual supervision and on testing, both of which are incomplete by nature. A better approach is to protect systems against SQL injection automatically. SQL randomization is a technique that defeats SQL injection attacks by transforming the language in which a web application's SQL statements are written, so that an attacker must guess the transformation before injected code will parse as SQL. We present PachyRand, an extension to the PostgreSQL JDBC driver that performs SQL randomization. Our system is easily portable to most other JDBC drivers, has a small performance impact, and makes SQL injection attacks infeasible.
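The following is an added illustration of the keyword-randomization idea described above; it is not PachyRand's code and does not use the PachyRand or PostgreSQL JDBC APIs. It assumes one particular transformation (a secret numeric key appended to every SQL keyword in the application's trusted query templates), a small constructed keyword set, and hypothetical function names (randomize, derandomize, lookup_query). The driver-side derandomize step restores tagged keywords and rejects any keyword that arrives bare or with a different number, which is the only way a keyword can get into the query from untrusted input.

```python
import re
import secrets

# Constructed subset of SQL keywords to tag. A real randomizer covers the
# target database's full grammar; this is enough to show the mechanism.
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "UNION", "INSERT",
            "INTO", "VALUES", "UPDATE", "SET", "DELETE", "DROP", "TABLE"}

# Tokenizer: string literals are kept whole, so a word inside quotes is
# never mistaken for a keyword; everything else is a word or punctuation.
TOKEN_RE = re.compile(r"""
      (?P<string>'(?:[^']|'')*')          # '...' with '' as an escaped quote
    | (?P<word>[A-Za-z_][A-Za-z0-9_]*)    # keyword or identifier
    | (?P<other>\s+|.)                    # whitespace, operators, ';' ...
""", re.VERBOSE | re.DOTALL)


class InjectionDetected(Exception):
    """Raised when a query contains a keyword without the correct key."""


def new_key() -> int:
    """Per-deployment secret appended to every keyword (assumed 9 digits)."""
    return secrets.randbelow(10**9 - 10**8) + 10**8


def randomize(template: str, key: int) -> str:
    """Developer-side transform, applied to trusted SQL text only:
    'SELECT * FROM t' -> 'SELECT123 * FROM123 t' for key 123."""
    def tag(m):
        w = m.group()
        if m.lastgroup == "word" and w.upper() in KEYWORDS:
            return w + str(key)
        return w
    return TOKEN_RE.sub(tag, template)


def derandomize(sql: str, key: int) -> str:
    """Driver-side transform, run on the final query before it reaches the
    database. Keywords carrying the right key are restored; a keyword that is
    bare, or carries some other number, can only have come from untrusted
    input (or from a guess at the key) and aborts the query."""
    suffix = str(key)
    out = []
    for m in TOKEN_RE.finditer(sql):
        w = m.group()
        if m.lastgroup == "word":
            base = w.rstrip("0123456789")
            if base.upper() in KEYWORDS:
                if w[len(base):] != suffix:
                    raise InjectionDetected(f"keyword {w!r} lacks the key")
                w = base
        out.append(w)
    return "".join(out)


def lookup_query(user_name: str, key: int) -> str:
    """Deliberately unvalidated application code: concatenates raw input into
    a randomized template. Returns the SQL the driver would forward to the
    database, or raises InjectionDetected."""
    template = randomize("SELECT * FROM users WHERE name = '", key)
    return derandomize(template + user_name + "'", key)


if __name__ == "__main__":
    key = new_key()
    print(lookup_query("alice", key))
    for payload in ("' OR '1'='1", "'; DROP TABLE users; --"):
        try:
            lookup_query(payload, key)
        except InjectionDetected as e:
            print("rejected:", e)
```

Two caveats a deployment has to get right. First, the key is a secret: it must be generated with a proper random source and must never reach the client, so database error messages that echo the failing query (which would contain tagged keywords) have to be suppressed. Second, the driver's tokenizer has to agree with the database's lexer about what counts as a string literal, comment or quoted identifier; PostgreSQL's dollar-quoted strings, for instance, are not handled by the toy tokenizer above. Note also that an identifier such as table2 would trip this check because it looks like a mis-keyed keyword; a real implementation uses a separator that cannot occur in identifiers or quotes identifiers.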
 
People

Michael E. Locasto, PhD student, Computer Science Department, Columbia University
Angelos D. Keromytis, Professor, Computer Science Department, Columbia University
 
Downloads

A Java Development Kit (JDK) must be installed; to compile things yourself, change the JDK path in the Makefile. Ant is also required to compile the JDBC driver (located under /src/pgjdbc). The JDBC driver source is available via anonymous CVS; more details are available here: http://gborg.postgresql.org/project/pgjdbc/projdisplay.php