Mechanism to detect and analyze SQL injection threats

US 20060212941A1
Filed: 03/16/2005
Published: 09/21/2006
Est. Priority Date: 03/16/2005
Status: Active Grant

First Claim

Patent Images

1. A method for detecting vulnerable sites within a database application, the method comprising:

constructing, within a memory of a computer system, a data flow graph that reflects data flow between the value-holders that are referred to in at least a portion of the code of the database application;

automatically identifying, in the data flow graph, a set of command-formation nodes that correspond to value-holders whose values are used to form database commands that the database application may submit to a database server when the database application is executed; and

generating output, based on the data flow graph and the identified set of command-formation nodes, for use in detecting vulnerable sites within the application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A vulnerability analysis tool is provided for identifying SQL injection threats. The tool is able to take advantage of the fact that the code for many database applications is located in modules stored within a database. The tool constructs a data flow graph based on all, or a specified subset, of the application code within the database. The tool identifies, within the data flow graph, the nodes that represent values used to construct SQL commands. Paths to those nodes are analyzed to determine whether any SQL injection threats exist.

62 Citations

View as Search Results

46 Claims

1. A method for detecting vulnerable sites within a database application, the method comprising:
- constructing, within a memory of a computer system, a data flow graph that reflects data flow between the value-holders that are referred to in at least a portion of the code of the database application;
  
  automatically identifying, in the data flow graph, a set of command-formation nodes that correspond to value-holders whose values are used to form database commands that the database application may submit to a database server when the database application is executed; and
  
  generating output, based on the data flow graph and the identified set of command-formation nodes, for use in detecting vulnerable sites within the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44)
- - 2. The method of claim 1 further comprising:
    - detecting vulnerable sites based on whether, within the data flow graph, paths exist from user input nodes to the command-formation nodes;
      
      wherein user input nodes are nodes that correspond to value-holders whose values reflect user input that may be entered into the database application when the database application is executed.
  - 3. The method of claim 1 wherein:
    - the method further comprises determining which of the command-formation nodes are vulnerable to injection threats; and
      
      the step of generating output, based on the data flow graph and the identified set of command-formation nodes, includes generating output based on the data flow graph and the command-formation nodes that are vulnerable to injection threats.
  - 4. The method of claim 3 wherein the step of determining which of the command-formation nodes are vulnerable to injection threats includes determining which of the command-formation nodes are associated with value holders whose values are reflected in a constructed database command.
  - 5. The method of claim 1 wherein the step of automatically identifying a set of command-formation nodes includes identifying a set of command-formation nodes that correspond to value-holders whose values are used to form SQL commands.
  - 6. The method of claim 1 wherein:
    - the database stores a plurality of code modules;
      
      the data flow graph is based on value-holders in a subset of the code modules;
      
      the method further includes reading dependency model metadata from the database; and
      
      automatically determining which code modules, of the plurality of code modules, are included in the subset based on the dependency model metadata.
  - 7. The method of claim 6 wherein:
    - the method further comprises receiving user input that specifies a particular set of code modules; and
      
      the subset of code modules is determined based on the particular set of code modules and dependencies represented in the dependency model metadata.
  - 8. The method of claim 1 wherein:
    - the database application is implemented as a plurality of code modules stored in a database; and
      
      the data flow graph is constructed based on statements in said plurality of code modules.
  - 9. The method of claim 8 wherein the plurality of code modules include one or more PL/SQL stored procedures.
  - 10. The method of claim 1 further comprising:
    - identifying sanitization code in the application; and
      
      based on the identified sanitization code, identifying sanitized nodes within the data flow graph;
      
      wherein the step of generating output includes generating output that is based, at least in part, no which nodes within the data flow graph were identified as sanitized nodes.
  - 11. The method of claim 10 wherein the step of identifying sanitization code is performed by detecting statements, within the application, that call a particular routine.
  - 12. The method of claim 10 wherein the step of identifying sanitization code is performed by detecting tags associated particular code within the database application.
  - 13. The method of claim 1 wherein:
    - the method includes receiving user input that specifies a scope of a vulnerability analysis operation; and
      
      said data flow graph is constructed based only on application code associated with said specified scope.
  - 14. The method of claim 13 wherein specified scope includes a plurality of applications that are implemented by code stored in the database.
  - 15. The method of claim 13 wherein the specified scope includes only a subset of said application.
  - 16. The method of claim 1 further comprising storing said output, in said database, as results of a first vulnerability analysis operation.
  - 17. The method of claim 16 further comprising performing a second vulnerability analysis operation based, in part, on the results of the first vulnerability analysis operation.
  - 18. The method of claim 16 further comprising performing an incremental vulnerability analysis operation based on which portions of the application have changed since performance of the first vulnerability operation.
  - 19. The method of claim 18 further comprising determining which portions of the application to include in the incremental vulnerability analysis operation based on dependency model metadata stored within the database.
  - 20. The method of claim 1 wherein:
    - the application includes a user-specified analysis barrier; and
      
      the data flow graph does not account for code that exists beyond the user-specified analysis barrier.
  - 21. The method of claim 1 wherein:
    - the method includes making a snapshot of the database, wherein the snapshot includes code modules of the application but does not include user data from the database; and
      
      the step of constructing the data flow graph is performed based on information retrieved from said snapshot.
  - 24. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 1.
  - 25. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 2.
  - 26. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 3.
  - 27. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 4.
  - 28. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 5.
  - 29. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 6.
  - 30. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 7.
  - 31. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 8.
  - 32. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 9.
  - 33. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 10.
  - 34. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 11.
  - 35. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 12.
  - 36. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 13.
  - 37. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 14.
  - 38. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 15.
  - 39. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 16.
  - 40. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 17.
  - 41. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 18.
  - 42. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 19.
  - 43. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 20.
  - 44. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 21.

22. An analysis tool for performing an analysis based on code of one or more applications, the analysis tool being configured to:
- read, from a database, dependency model metadata;
  
  based on the dependency model metadata, select for the analysis one or more code modules contained within the database;
  
  read the one or more code modules from the database; and
  
  perform the analysis based on code contained in the one or more code modules.
- View Dependent Claims (23, 45, 46)
- - 23. The method of claim 22 wherein, as part of the analysis, the analysis tool constructs a data flow graph that reflects data flow between value-holders represented in the code contained in the one or more code modules.
  - 45. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 22.
  - 46. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 23.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Bronnikov, Dmitri, Wetherell, Charles

Granted Patent

US 7,860,842 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

Mechanism to detect and analyze SQL injection threats

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

62 Citations

46 Claims

Specification

Solutions

Use Cases

Quick Links

Mechanism to detect and analyze SQL injection threats

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

46 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links