PachyRand: SQL Randomization for the PostgreSQL JDBC Driver
Many websites are driven by web applications that deliver dynamic content
stored in SQL databases. Such systems take input directly from the client
via HTML forms. Without proper input validation, these systems are vulnerable
to SQL injection attacks.
The predominant defense against such attacks is to implement better
input validation. This strategy is unlikely to succeed on its own. A
better approach is to protect systems against SQL injection automatically
and not rely on manual supervision or testing strategies (which are
incomplete by nature). SQL randomization is a technique that defeats
SQL injection attacks by transforming the language of SQL statements in a
web application such that an attacker needs to guess the transformation in
order to successfully inject his code.
We present PachyRand, an extension to the PostgreSQL JDBC driver that
performs SQL randomization. Our system is easily portable to most other JDBC
drivers, has a small performance impact, and makes SQL injection attacks
infeasible.
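To make the randomization idea concrete, here is an added illustrative example written for this page (in Python, not code from PachyRand or the pgjdbc driver): the application tags every SQL keyword of its trusted query template with a secret key, and the driver strips the tags again just before sending, refusing any statement in which a keyword arrives without the key. The keyword subset, the tokenizer and the key value are constructed for the demo; a real driver would use the full PostgreSQL keyword list and a complete SQL lexer.

```python
import re

# Constructed keyword subset for the demo; a real driver would cover the full
# PostgreSQL keyword list. These are the tokens an attacker must supply to change
# a query's structure, so they are what the randomizer tags with the secret key.
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "UNION", "DROP",
            "TABLE", "INSERT", "INTO", "VALUES", "DELETE", "UPDATE", "SET"}
KEYWORD_RE = re.compile(r"\b(" + "|".join(KEYWORDS) + r")\b", re.IGNORECASE)
# Simplified tokenizer: single-quoted literal (with '' escapes), word, or symbol.
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\w+|\S")

class InjectionDetected(Exception):
    pass  # a keyword reached the driver without the key: not written by the app

def randomize(template: str, key: str) -> str:
    """Application side: append the secret key (e.g. secrets.token_hex(4)) to
    every keyword of a developer-written template, before any input is added."""
    return KEYWORD_RE.sub(lambda m: m.group(0) + key, template)

def derandomize(sql: str, key: str) -> str:
    """Driver side: restore plain keywords and refuse the statement if any
    keyword lacks the key, before the text can reach the server."""
    out, pos, klen = [], 0, len(key)
    for m in TOKEN_RE.finditer(sql):
        out.append(sql[pos:m.start()])          # keep original whitespace
        tok = m.group(0)
        if tok.startswith("'"):
            pass                                # string literal: data, never a keyword
        elif tok[:-klen].upper() in KEYWORDS and tok[-klen:].lower() == key.lower():
            tok = tok[:-klen]                   # keyed keyword: strip the key
        elif tok.upper() in KEYWORDS:
            raise InjectionDetected(f"unrandomized keyword {tok!r} in {sql!r}")
        out.append(tok)
        pos = m.end()
    out.append(sql[pos:])
    return "".join(out)

def execute_randomized(template: str, user_input: str, key: str) -> str:
    """Whole path: randomize the trusted template, splice in unvalidated input
    (deliberately unescaped, as a vulnerable app would), then derandomize."""
    return derandomize(randomize(template, key) % user_input, key)

def is_rejected(template: str, user_input: str, key: str) -> bool:
    """True if the driver would refuse the statement as an injection attempt."""
    try:
        execute_randomized(template, user_input, key)
        return False
    except InjectionDetected:
        return True
```

Note that a benign value such as `Drop` inside a string literal passes through untouched, while `' OR 'a'='a` is refused because the injected `OR` carries no key; the attacker cannot build a syntactically valid statement without guessing it.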
Downloads
A Java development kit should be installed; users will have to change the
path in the Makefile to compile things themselves. Also, users should have
Ant installed if they want to compile the JDBC Driver (located under
/src/pgjdbc). The JDBC Driver source is available via anonymous CVS. More
details are available here:
http://gborg.postgresql.org/project/pgjdbc/projdisplay.php