Sunday, October 16, 2011

Some thoughts about MySQL proxy as a DB Firewall

Here are some notes about how to do a self learning DB Firewall.

MySQL proxy as a DB Firewall

A. Syntax statistics
1. Get the token chains (trees)
2. Store the chain producing stats
3. Be flexible on multiple criteria (dis/con)junctions (ie: advanced search forms will append multiple conditions with and/or/IN)

i.e:
- query:
SELECT user, email FROM users WHERE user = "Something"
- becomes:
TK_SQL_SELECT TK_LITERAL TK_COMMA TK_LITERAL TK_SQL_FROM TK_LITERAL TK_SQL_WHERE TK_LITERAL TK_EQ TK_STRING

- query:
SELECT user, comment, email FROM comments WHERE user = "someone" AND comment LIKE "%too bad"
- becomes:
TK_SQL_SELECT TK_LITERAL TK_COMMA TK_LITERAL TK_COMMA TK_LITERAL TK_SQL_FROM TK_LITERAL TK_SQL_WHERE TK_LITERAL TK_EQ TK_STRING TK_SQL_AND TK_LITERAL TK_SQL_LIKE TK_STRING

- query:
UPDATE comments SET comment = "too good" WHERE user = "someone" AND comment LIKE "%too bad"

- becomes:
TK_SQL_UPDATE TK_LITERAL TK_SQL_SET TK_LITERAL TK_EQ TK_STRING TK_SQL_WHERE TK_LITERAL TK_EQ TK_STRING TK_SQL_AND TK_LITERAL TK_SQL_LIKE TK_STRING

With those token chains we can build a tree of statistics based on SQL syntactic statements.


B. Value Stats of user-defined words over syntactic stats
1. For SQL statemens where columns and tables should be constants
2. Produce stats based on userdatas/values

i.e:
- query:
SELECT user, email FROM users WHERE user = "Something"
- becomes:
TK_SQL_SELECT TK_LITERAL TK_COMMA TK_LITERAL TK_SQL_FROM TK_LITERAL TK_SQL_WHERE TK_LITERAL TK_EQ TK_STRING
- values to get stats: TK_LITERALs
user email users


C. Statistical Regex of known chars for specific fields (paranoid mode… approach very restrictive):
1. By checking TK_STRINGS, we can build automatic regex to allow certain types
i.e:
- query:
SELECT user, email FROM users WHERE user = "Something"
- Char class seen for field "user":
\w
- query:
SELECT user, email FROM users WHERE user = "Some@thing.com"
- Char class seen for field "user":
\w@\.


D. Administrative data:
1. Forbid unusual information_scheme queries
2. Custom triggers


E. Other:
1. Forbid unusual "load into IN/OUT file"
2. Other unusual / malicious techniques used in sql injections (i.e: tautological analysis, like 1=1, 1=0, or i.e: listing of fields using NULL or zero in order to build a union select statement, or i.e: ORDER BY 1,2,3..)


F. Time to learn Lua! Happy Hacking!

No comments:

Post a Comment