Graduation Year
2019
Document Type
Dissertation
Degree
Ph.D.
Degree Name
Doctor of Philosophy (Ph.D.)
Degree Granting Department
Computer Science and Engineering
Major Professor
Jay Ligatti, Ph.D.
Committee Member
Dmitry Goldgof, Ph.D.
Committee Member
Yao Liu, Ph.D.
Committee Member
Sean Barbeau, Ph.D.
Committee Member
Kaiqi Xiong, Ph.D.
Keywords
Authentication methods, Formal verification, GitHub analysis, Prepared statements, SQL-Injection attacks
Abstract
This dissertation addresses the top two “most critical web-application security risks” by combining two high-level contributions.
The first high-level contribution introduces and evaluates collaborative authentication, or coauthentication, a single-factor technique in which multiple registered devices work together to authenticate a user. Coauthentication provides security benefits similar to those of multi-factor techniques, such as mitigating theft of any one authentication secret, without some of the inconveniences of multi-factor techniques, such as having to enter passwords or biometrics. Coauthentication provides additional security benefits, including: preventing phishing, replay, and man-in-the-middle attacks; basing authentications on high-entropy secrets that can be generated and updated automatically; and availability protections against, for example, device misplacement and denial-of-service attacks. Coauthentication is amenable to many applications, including m-out-of-n, continuous, group, shared-device, and anonymous authentications. The principal security properties of coauthentication have been formally verified in ProVerif, and implementations have performed efficiently compared to password-based authentication.
The second high-level contribution defines a class of SQL-injection attacks that are based on injecting identifiers, such as table and column names, into SQL statements. An automated analysis of GitHub shows that 15.7% of 120,412 posted Java source files contain code vulnerable to SQL-Identifier Injection Attacks (SQL-IDIAs). We have manually verified that some of the 18,939 Java files identified during the automated analysis are indeed vulnerable to SQL-IDIAs, including deployed Electronic Medical Record software for which SQL-IDIAs enable discovery of confidential patient information. Although prepared statements are the standard defense against SQL injection attacks, existing prepared-statement APIs do not protect against SQL-IDIAs. This dissertation therefore proposes and evaluates an extended prepared-statement API to protect against SQL-IDIAs.
Scholar Commons Citation
Cetin, Cagri, "Authentication and SQL-Injection Prevention Techniques in Web Applications" (2019). USF Tampa Graduate Theses and Dissertations.
https://digitalcommons.usf.edu/etd/7766