KArMA - A Knowledge-Aided Monitoring Approach for SQL Injection Attacks

In the general context of web security, there is a clear difficulty in pre- venting, or even modeling, SQL injection attacks due to the nature itself of this kind of attacks. They derive from the execution of an untrusted input containing data created precisely for making the program execute un- intended code. It is quite hard to universally model what is unintended, since it may depend on the particular kind of program. In this paper, we propose a monitoring approach (KArMA - Knowledge-Aided Monitoring Ap- proach) combining static and dynamic analyses. In particular, in the static phase we aid the programmer in understanding which (untrusted) inputs’ structure need to be fixed (by contracts) for preventing attacks. Then, dur- ing execution, a monitor checks whether the dynamic structures respect the given contracts. In order to prove the feasibility of KArMA, we develop a prototype tool for a simplified programming language.