SOFIA: An automated security oracle for black-box testing of SQL-injection vulnerabilities

Mariano Ceccato, Cu D. Nguyen, Dennis Appelt, Lionel C. Briand

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

Abstract

Security testing is a pivotal activity in engineering secure software. It consists of two phases: generating attack inputs to test the system, and assessing whether test executions expose any vulnerabilities. The latter phase is known as the security oracle problem. In this work, we present SOFIA, a Security Oracle for SQLInjection Vulnerabilities. SOFIA is programming-language and source-code independent, and can be used with various attack generation tools. Moreover, because it does not rely on known attacks for learning, SOFIA is meant to also detect types of SQLi attacks that might be unknown at learning time. The oracle challenge is recast as a one-class classification problem where we learn to characterise legitimate SQL statements to accurately distinguish them from SQLi attack statements. We have carried out an experimental validation on six applications, among which two are large and widely-used. SOFIA was used to detect real SQLi vulnerabilities with inputs generated by three attack generation tools. The obtained results show that SOFIA is computationally fast and achieves a recall rate of 100% (i.e., missing no attacks) with a low false positive rate (0.6%).

Original languageEnglish
Title of host publicationASE 2016 - Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering
EditorsSarfraz Khurshid, David Lo, Sven Apel
PublisherAssociation for Computing Machinery, Inc
Pages167-177
Number of pages11
ISBN (Electronic)9781450338455
DOIs
Publication statusPublished - 25 Aug 2016
Externally publishedYes
Event31st IEEE/ACM International Conference on Automated Software Engineering, ASE 2016 - Singapore, Singapore
Duration: 3 Sep 20167 Sep 2016

Publication series

NameASE 2016 - Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering

Conference

Conference31st IEEE/ACM International Conference on Automated Software Engineering, ASE 2016
Country/TerritorySingapore
CitySingapore
Period3/09/167/09/16

Keywords

  • Security oracle
  • Security testing
  • SQL-injection

Fingerprint

Dive into the research topics of 'SOFIA: An automated security oracle for black-box testing of SQL-injection vulnerabilities'. Together they form a unique fingerprint.

Cite this