AutoRand: Automatic Keyword Randomization to Prevent Injection Attacks

AutoRand automatically transforms Java applications to use SQL keyword randomization to defend against SQL injection vulnerabilities. AutoRand is completely automatic. Unlike previous approaches it requires no manual modifications to existing code and does not require source (it works directly on Java bytecode). It can thus easily be applied to the large numbers of existing potentially insecure applications without developer assistance. Our key technical innovation is augmented strings. Augmented strings allow extra information (such as random keys) to be embedded within a string. AutoRand transforms string operations so that the extra information is transparent to the program, but is always propagated with each string operation. AutoRand checks each keyword at SQL statements for the random key. Experimental results on large, production Java applications and malicious inputs provided by an independent evaluation team hired by an agency of the United States government showed that AutoRand successfully blocked all SQL injection attacks and preserved transparent execution for benign inputs, all with low overhead.