New Technique from Sentrigo Combats Zero-Day SQL Injection Database Attacks

Method detects attacks based on context, prevents privilege escalation attempts

Sentrigo, Inc. has updated its Hedgehog software with the ability to address SQL injection in database built-in packages. This attack technique is often used for privilege escalation and can be used in ways that are difficult to detect. Hedgehog directly monitors the database’s memory and examines the context of the SQL statements’ source, the types of commands used, and the user’s database access privileges. It can then identify SQL injections missed by tools that track only the signatures of known injections.

“Putting a stop to SQL injections is a substantial challenge for database administrators and IT security professionals alike, who can use existing security products to combat attacks using known SQL patterns, but are essentially without a defense against attacks that use new vectors and exploit vulnerabilities,” said Slavik Markovich, chief technology officer at Sentrigo, in a company statement. “We’ve enhanced Hedgehog to provide it with unique capabilities that allow it to recognize the intended effect of the SQL injection such as privilege escalation without depending on analysis of the way SQL statements are written.”

Hedgehog detects SQL injections based on the context of actions in the database and examines the actions run by packages, triggers, and stored procedures. The company says that “when a database package initiates a command incongruent with its intended use and the package is declared with definer rights of a privileged user -- for example a GRANT command coming from a SYS-owned package -- this can only be the result of unlawful manipulation through SQL injection. Hedgehog uses pre-defined rules to address such attack vectors for built-in packages and similar rules can be created by Hedgehog administrators for their own custom-written stored procedures.”
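The context rule described above can be sketched as follows. This is an added example, not Sentrigo's code or Hedgehog's rule syntax; the event fields, the package names and the `INTENDED_USE` table are hypothetical, and the sample events are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Event:
    """One statement plus the execution context it ran in (constructed model)."""
    session_user: str           # account that opened the session
    unit_owner: Optional[str]   # owner of the issuing package/trigger/procedure; None = direct SQL
    unit_name: Optional[str]
    definer_rights: bool        # True: the unit runs with its owner's privileges
    command: str                # statement type only; the SQL text is never inspected

PRIVILEGED_OWNERS = {"SYS"}
ESCALATION_COMMANDS = {"GRANT", "ALTER USER", "CREATE USER"}
# Hypothetical per-unit rule: escalation-class commands a unit is meant to issue.
INTENDED_USE = {("SYS", "PKG_USER_ADMIN"): {"GRANT"}}

def is_suspicious(ev: Event) -> bool:
    """Flag an escalation-class command issued from inside a privileged definer-rights unit."""
    if ev.unit_owner is None or not ev.definer_rights:
        return False  # direct SQL or invoker rights: the caller's own privileges apply
    if ev.unit_owner not in PRIVILEGED_OWNERS or ev.command not in ESCALATION_COMMANDS:
        return False
    return ev.command not in INTENDED_USE.get((ev.unit_owner, ev.unit_name), set())

# Constructed sample events, not captured from a real database.
SAMPLE = [
    Event("SCOTT", "SYS", "PKG_REPORTING", True, "SELECT"),   # normal use of the package
    Event("SCOTT", "SYS", "PKG_REPORTING", True, "GRANT"),    # incongruent with intended use
    Event("DBA1", None, None, False, "GRANT"),                # direct GRANT by an administrator
    Event("DBA1", "SYS", "PKG_USER_ADMIN", True, "GRANT"),    # package meant to issue GRANT
    Event("SCOTT", "SCOTT", "MY_PROC", True, "GRANT"),        # owner is not privileged
    Event("SCOTT", "SYS", "PKG_INVOKER", False, "GRANT"),     # invoker rights, no escalation path
]

def alerts(events):
    """Return (session user, issuing unit, command) for every flagged event."""
    return [(e.session_user, f"{e.unit_owner}.{e.unit_name}", e.command)
            for e in events if is_suspicious(e)]

if __name__ == "__main__":
    for alert in alerts(SAMPLE):
        print("ALERT", alert)
```

Because the decision depends only on who owns the issuing unit, its rights model and the command type, the way the injected SQL string is written has no effect on the result.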

This allows for defense against zero-day SQL injection attacks without producing “false positive” alerts. Hedgehog monitors the database’s shared memory and is effective against insiders and privileged users as well as against sophisticated hacking attempts from the outside.

For additional information visit http://www.sentrigo.com

About the Author

James E. Powell is the former editorial director of Enterprise Strategies (esj.com).
