Core GRASP – SQL injection prevention for PHP
SQL injection vulnerabilities are still common in web applications. The damage done when attackers are able to send raw SQL commands through to your database is severe enough that most developers have some idea about avoiding it: using bound parameters and stored procedures rather than the usual method (building an SQL statement by concatenating constants and user input into one big string).
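To make the contrast concrete, here is an added example (not from the original post, and not Core's code) that builds the same lookup both ways against an in-memory SQLite table. The table, rows and `lookup_*` function names are constructed for the demonstration; the point carries over unchanged to PHP's PDO prepared statements, which use the same `?` placeholders.

```python
import sqlite3


def make_db():
    """Constructed sample table: three users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_concat(conn, name):
    """The usual method: user input spliced into the statement text.
    Quotes in the input become part of the SQL grammar, not of the value."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, name):
    """Bound parameter: the statement text is fixed, the value travels
    separately, so the input can only ever be compared as a string."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"          # classic tautology payload, as a literal string
    print(lookup_concat(db, "bob"))  # ['bob']
    print(lookup_concat(db, probe))  # ['alice', 'bob', 'carol']: the WHERE clause was rewritten
    print(lookup_bound(db, probe))   # []: no user is literally named that
```

Run as a script it prints the three lists; the middle one is the whole table, which is exactly what parser-level detection such as GRASP is trying to catch when the developer did not use the bound form.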
At Black Hat this year Core Security released an interesting patch for the PHP source code called CORE GRASP that attempts to prevent SQL injection at the parser level. It uses data labeling to track input from untrusted sources, then prevents it from reaching the SQL server.
This is similar to the taint mechanism Perl has used for years. Ruby and other languages provide a similar feature. In Perl with taint checking enabled, a variable receiving external data is labeled as “tainted” and prevented from being used with a list of potentially harmful operations: accessing the file system or network, running shell commands and so on. Any variable receiving content from a tainted variable also becomes tainted. To remove the taint label, a variable must be sanitized by filtering it through a search and replace regular expression. Perl doesn’t check that the filtering actually removes potentially malicious characters… just that the developer remembered to do so. Taint mode in Perl is more of a reminder to developers than a highly robust security mechanism.
Looking at the whitepaper, the technique used by GRASP goes much further than Perl taint. Every character in a variable receives a label, not just the entire variable. Untrusted data is not simply blocked from being sent to the SQL server… the characters are examined for known SQL metacharacters and allowed through if not in a list of known exploits. GRASP can also work the other way… database fields for internal use only can be labeled and data originating from them can be prevented from reaching the web browser.
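The two preceding paragraphs describe whole-variable taint (Perl) and per-character labels (GRASP). The following added example, which is not from the post and not Core's patch, is a small model of the per-character version: every character carries a label, concatenation propagates labels, and the check refuses a query only when an SQL metacharacter or comment sequence is itself made of untrusted characters. The label names, the `Labeled` class, the metacharacter list and the internal-field leak check are my own simplifications, not GRASP's actual rules; whole-variable taint is just the case where every label in a string is the same.

```python
"""Simplified model of character-level taint labeling (constructed example)."""

TRUSTED = "t"     # literal text written by the developer
UNTRUSTED = "u"   # text that arrived from the request
INTERNAL = "i"    # text read from a database field marked internal-only


class Labeled:
    """A string carrying exactly one label character per text character."""

    def __init__(self, text, labels):
        if len(text) != len(labels):
            raise ValueError("one label per character required")
        self.text, self.labels = text, labels

    @classmethod
    def trusted(cls, s):
        return cls(s, TRUSTED * len(s))

    @classmethod
    def untrusted(cls, s):
        return cls(s, UNTRUSTED * len(s))

    @classmethod
    def internal(cls, s):
        return cls(s, INTERNAL * len(s))

    def __add__(self, other):
        # Concatenation carries each character's label with it, so a query
        # built from a template plus request input stays a mixed string.
        return Labeled(self.text + other.text, self.labels + other.labels)


# Characters and sequences that change the structure of a MySQL statement
# (assumed list for the model; GRASP's own table is in the whitepaper).
SQL_METACHARS = set("'\";")
SQL_SEQUENCES = ("--", "#", "/*", "*/")


def untrusted_metachars(query):
    """Positions where an UNTRUSTED character is an SQL metacharacter, or
    where a comment sequence consists entirely of UNTRUSTED characters.
    An empty list means the query may be sent to the server."""
    hits = set()
    for i, (ch, lab) in enumerate(zip(query.text, query.labels)):
        if lab == UNTRUSTED and ch in SQL_METACHARS:
            hits.add(i)
    for seq in SQL_SEQUENCES:
        start = query.text.find(seq)
        while start != -1:
            if query.labels[start:start + len(seq)] == UNTRUSTED * len(seq):
                hits.add(start)
            start = query.text.find(seq, start + 1)
    return sorted(hits)


def build_query(username):
    """The usual vulnerable construction: a trusted template around request
    input. Only the labels let the check tell the two apart."""
    return (Labeled.trusted("SELECT id FROM users WHERE name = '")
            + Labeled.untrusted(username)
            + Labeled.trusted("'"))


def internal_leak(response):
    """The reverse direction: positions in an outgoing page whose characters
    originate from an INTERNAL database field and must not reach the browser."""
    return [i for i, lab in enumerate(response.labels) if lab == INTERNAL]


if __name__ == "__main__":
    ok = build_query("alice")
    bad = build_query("x' OR '1'='1")
    print(ok.text, untrusted_metachars(ok))    # []
    print(bad.text, untrusted_metachars(bad))  # four untrusted quote positions
    # Identical text typed by the developer carries trusted labels and passes:
    print(untrusted_metachars(Labeled.trusted(bad.text)))  # []
    page = (Labeled.trusted("<p>") + Labeled.internal("ssn=000-00-0000")
            + Labeled.trusted("</p>"))
    print(internal_leak(page))  # positions 3..17
```

The decisive difference from Perl's taint mode is the last two prints: the same query text is accepted or rejected depending on where its characters came from, and the label survives string building without the developer having to remember anything. A legitimate apostrophe in untrusted input (a surname such as O'Brien) is also flagged by this simplified check, which is one reason the real prototype compares against a list of known exploit patterns rather than bare metacharacters.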
Core describes GRASP as a prototype, not for use in production. Currently it is specific to one version of PHP and only looks for SQL injection attacks against MySQL, not Postgres or MS SQL. The whitepaper describes other attacks this technique could be used to mitigate (XSS, shell injection) but those are not detected by this prototype. One nice thing is that Core claims GRASP does work with Suhosin.
The technique used by GRASP sounds remarkably similar to the Precise Tainting paper published by researchers at the University of Virginia in 2005: labeling individual characters from untrusted input then checking for malicious content before passing to a vulnerable backend.
Identifying SQL injection inside the PHP engine should be more accurate than the protocol-level filtering used by mod_security and other web application firewalls, though according to the paper the performance hit is a massive 30%. One day the PHP developers may even implement native taint checking… legendary SATAN and Postfix developer Wietse Venema said recently he’s working on an implementation. Unfortunately the PHP developers have a history of rejecting security improvements to PHP.
Tags: application security, intrusion prevention, php, php security, sql injection, web application security