Database Schema Extraction Prevention Through DBMS Error Handling

Naghdi, Sepideh | 2014

Type of Document: M.Sc. Thesis
Language: Farsi
Document No: 46033 (19)
University: Sharif University of Technology
Department: Computer Engineering
Advisor(s): Amini, Morteza

Abstract:
Nowadays, large volumes of organizations' sensitive data are stored in databases, which makes databases attractive targets for attackers executing different types of attacks with different purposes. The information that attackers try to obtain in the preliminary steps of an attack against a database is its structure, or schema. One of the popular approaches to extracting a database's schema is to analyze the error messages returned by its DBMS. Hence, one way to prevent schema disclosure via error messages is to customize and modify them. To this end, this thesis proposes a framework that handles and customizes error messages automatically and prevents schema revelation. We introduce two policies: a strict policy and a non-strict one. In the strict policy, after identifying and introducing an appropriate set of error-message categories, each error message returned by the DBMS is placed in the proper category. According to the sensitive data present in the error messages of each category, rules are defined for modifying that category's error messages before they are passed to the application. A general way to determine an error message's category is to check for the presence of certain keywords in the message. In this solution, for a given error message, a score is calculated for each category based on the predefined keywords chosen to identify that category and their weights within it. The category with the highest score is taken as the category of the error message. The sensitive parts of the error message are then changed according to the determined category, so structural information is not disclosed via the error message. The experimental results show that error-message categorization is performed correctly (using the proposed approach) for about 95% of the queries that throw an error in Microsoft SQL Server 2012.

Keywords:
Fault Management ; Database Security ; Database Schema Extraction ; Error Messages Customization
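The following is an added illustration of the strict-policy pipeline the abstract describes (keyword-weighted scoring to pick a category, then category-specific rewriting of the sensitive parts); it is not code from the thesis. The categories, keywords, weights, redaction rules and the generic fallback text are assumptions chosen for the example, and the sample messages are constructed in the wording SQL Server uses for these error classes rather than captured from a live system.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Category:
    """One error-message category: the weighted keywords that identify it
    and the redaction rules applied to messages placed in it."""
    name: str
    keywords: dict   # lower-case keyword -> weight in this category
    rules: tuple     # (compiled pattern, replacement) pairs, applied in order


# Identifiers and values that SQL Server quotes in its messages: 'x' or "x".
SINGLE_QUOTED = re.compile(r"'[^']*'")
DOUBLE_QUOTED = re.compile(r'"[^"]*"')

# Hypothetical category set; the thesis's own categories and weights differ.
CATEGORIES = (
    Category("object", {"invalid object name": 3.0, "object": 1.0},
             ((SINGLE_QUOTED, "'<redacted>'"),)),
    Category("column", {"invalid column name": 3.0, "column": 1.0},
             ((SINGLE_QUOTED, "'<redacted>'"),)),
    # Conversion errors echo stored data values, so the quoted value is hidden.
    Category("conversion",
             {"conversion failed": 3.0, "converting": 1.5, "data type": 1.0},
             ((SINGLE_QUOTED, "'<redacted>'"),)),
    # Syntax errors only echo the caller's own token, not schema: no rules.
    Category("syntax", {"incorrect syntax": 3.0, "near": 1.0}, ()),
    # Constraint violations name the constraint, database, table and column.
    Category("constraint",
             {"constraint": 2.0, "conflicted": 2.0, "foreign key": 1.0,
              "database": 0.5, "table": 0.5, "column": 0.5},
             ((DOUBLE_QUOTED, '"<redacted>"'), (SINGLE_QUOTED, "'<redacted>'"))),
)

# Returned when no category keyword matches at all (assumed fallback text).
GENERIC_MESSAGE = "A database error occurred."


def score(message: str, category: Category) -> float:
    """Sum the weights of every category keyword present in the message."""
    text = message.lower()
    return sum(weight for keyword, weight in category.keywords.items()
               if keyword in text)


def categorize(message: str) -> Optional[Category]:
    """Pick the highest-scoring category; None if no keyword matched."""
    best = max(CATEGORIES, key=lambda c: score(message, c))
    return best if score(message, best) > 0 else None


def sanitize(message: str) -> tuple:
    """Return (category name, message safe to pass on to the application)."""
    category = categorize(message)
    if category is None:
        return "unknown", GENERIC_MESSAGE
    out = message
    for pattern, replacement in category.rules:
        out = pattern.sub(replacement, out)
    return category.name, out


# Constructed samples in SQL Server's message wording (not captured output).
SAMPLE_MESSAGES = [
    "Invalid object name 'dbo.Customers'.",
    "Invalid column name 'CreditCardNumber'.",
    "Conversion failed when converting the nvarchar value 'admin_users' "
    "to data type int.",
    "Incorrect syntax near 'FROM'.",
    'The INSERT statement conflicted with the FOREIGN KEY constraint '
    '"FK_Orders_Customers". The conflict occurred in database "Shop", '
    'table "dbo.Customers", column \'CustomerID\'.',
    "connection reset by peer",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        name, safe = sanitize(msg)
        print(f"[{name:10}] {safe}")
```

Because scoring is additive, a message that mentions a column inside a constraint violation still lands in the constraint category (the constraint keywords outweigh the single shared "column" hit), which is what lets the per-category rules stay narrow; the fallback to a generic message is the conservative choice for anything the keyword set does not recognize.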
