Identifying Security Issues in the Semantic Web: Injection attacks in the Semantic Query Languages
1. Introduction
Vulnerable code samples
Addressing code injection
Conclusions
Addressing Security Issues in the Semantic Web:
Injection attacks in the Semantic Query Languages
Pablo OrduĖa, Aitor Almeida, Unai Aguilera, Xabier Laiseca,
n
Diego LĀ“pez-de-IpiĖa, Aitor GĀ“mez-Goiri
o n o
September 9th, 2010
Future Internet - Elkarlaneko ikerkuntza estrategikorako programa;
ETORTEK 2008 img/deustotech.png
P. OrduĖa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
2. Introduction
Introduction
Vulnerable code samples
Query Languages
Addressing code injection
Security issues
Conclusions
Introduction
The Semantic Web is based on a set of technologies:
XML
RDF
OWL
...
img/deustotech.png
P. OrduĖa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
3. Introduction
Introduction
Vulnerable code samples
Query Languages
Addressing code injection
Security issues
Conclusions
Query Languages
New technologies have been developed to query the ontologies
later later
RDQL ā ā SPARQL ā ā SPARUL
āā āā
These new query languages are based on SQL
RDQL and SPARQL ā Read-only query languages
introduces
SPARUL (SPARQL/Update) ā ā ā ā modiļ¬cation
ā ā āā
capabilities
SPARQL Sample:
1 PREFIX injection: <http://www.morelab.deusto.es/
injection.owl#>
2 SELECT ?p1
3 WHERE {
4 ?p1 a injection:Person .
5 } img/deustotech.png
P. OrduĖa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
4. Introduction
Introduction
Vulnerable code samples
Query Languages
Addressing code injection
Security issues
Conclusions
Security issues
The use of these new query languages introduce vulnerabilities
already found in a bad use of query languages
Attacks like SQL Injection, LDAP Injection or even XPath
Injection are already well known
Libraries provide tools to sanitize user input in these languages
A proper usage of the query languages is required in order to
face new techniques, including:
(Blind) SPARQL Injection
SPARUL Injection
img/deustotech.png
P. OrduĖa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
5. Introduction
SPARQL Injection
Vulnerable code samples
Blind SPARQL Injection
Addressing code injection
SPARUL Injection
Conclusions
SPARQL Injection
Introducing SPARQL Injection
The following query is assumed to retrieve the friends of a user
whom fullName is provided by the variable name
The ontology is available in
http://www.morelab.deusto.es/injection.owl
img/deustotech.png
P. OrduĖa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
7. Introduction
SPARQL Injection
Vulnerable code samples
Blind SPARQL Injection
Addressing code injection
SPARUL Injection
Conclusions
SPARQL Injection
Introducing SPARQL Injection
This code can be exploited to retrieve any information in the
ontology
The problem is that the variable name has not been sanitized
This variable can include SPARQL code, and thus modify the
query itself
A variable with malicious content can be found in the next
slide
img/deustotech.png
P. OrduĖa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
8. Introduction
SPARQL Injection
Vulnerable code samples
Blind SPARQL Injection
Addressing code injection
SPARUL Injection
Conclusions
Appending the Strings
1 String queryString =
2 "PREFIX injection: <http://www.morelab.deusto.es
/injection.owl#> " +
3 "SELECT ?name1 ?name2 WHERE {" +
4 " ?p1 a injection:Person . " +
5 " ?p2 a injection:Person . " +
6 " ?p1 injection:fullName ā" + name + "ā . " +
7 " ?p1 injection:isFriendOf ?p2 . " +
8 " ?p1 injection:fullName ?name1 . " +
9 " ?p2 injection:fullName ?name2 . " +
10 "}";
11 String name = "Pablo Ordunaā . " +
12 "?b1 a injection:Building . " +
13 "?b1 injection:name ?name1 . " +
14 "} #";
img/deustotech.png
P. OrduĖa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
10. Introduction
SPARQL Injection
Vulnerable code samples
Blind SPARQL Injection
Addressing code injection
SPARUL Injection
Conclusions
The ļ¬nal query
1 String queryString =
2 "PREFIX injection: <http://www.morelab.deusto.es
/injection.owl#> " +
3 "SELECT ?name1 ?name2 WHERE {" +
4 " ?p1 a injection:Person . " +
5 " ?p2 a injection:Person . " +
6 " ?p1 injection:fullName āPablo Ordunaā . " +
7 " ?b1 a injection:Building . " +
8 " ?b1 injection:name ?name1 . " +
9 " } #" + /* From this point everything
10 is commented and thus ignored */ "ā . " +
11 " ?p1 injection:isFriendOf ?p2 . " +
12 " ?p1 injection:fullName ?name1 . " +
13 " ?p2 injection:fullName ?name2 . " +
14 "}";
img/deustotech.png
P. OrduĖa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
11. Introduction
SPARQL Injection
Vulnerable code samples
Blind SPARQL Injection
Addressing code injection
SPARUL Injection
Conclusions
SPARQL Injection
This code will return the name of the building instead of the
name of a user
It is possible to use the ļ¬exibility of SPARQL to perform other
kind of queries retrieving any information in the ontology
img/deustotech.png
P. OrduĖa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
12. Introduction
SPARQL Injection
Vulnerable code samples
Blind SPARQL Injection
Addressing code injection
SPARUL Injection
Conclusions
Blind SPARQL Injection
Introducing Blind SPARQL Injection
The previous sample was especially vulnerable since it returned
a string
It is possible to retrieve any information as a string
Strings are usually not retrieved in SPARQL, but individuals
What if the returning value is an individual?
Itās still possible to retrieve any information
If itās possible to know if a given query is true or false, itās
possible to iteratively retrieve any information
The following code retrieves the individuals themselves
Itās possible to know if the query provided or not the
individuals
img/deustotech.png
P. OrduĖa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
14. Introduction
SPARQL Injection
Vulnerable code samples
Blind SPARQL Injection
Addressing code injection
SPARUL Injection
Conclusions
Blind SPARQL Injection
Once again, the variable name has not been sanitized
So itās still possible to inject SPARQL code
The injected code canāt return a building or the building name
But, adding a condition like ādoes the building name start by
this letterā we will get:
The common results ā so the building name starts by that
letter
No results ā so the building name does not start by that
letter
img/deustotech.png
P. OrduĖa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
16. Introduction
SPARQL Injection
Vulnerable code samples
Blind SPARQL Injection
Addressing code injection
SPARUL Injection
Conclusions
The ļ¬nal query would be. . .
1 "PREFIX xsd: <http://www.w3.org/2001/XMLSchema#>
" +
2 "PREFIX injection: <http://www.morelab.deusto.es
/injection.owl#> " +
3 "SELECT ?p1 ?p2 WHERE {" +
4 " ?p1 a injection:Person . " +
5 " ?p2 a injection:Person . " +
6 " ?p1 injection:fullName āPablo Ordunaā . " +
7 " ?b1 a injection:Building . " +
8 " ?b1 injection:name ?buildingName . " +
9 " FILTER regex(?buildingName, "Ė" + s + ".*")
. " +
10 " } #" + /* from here ignored*/ "āĖĖxsd:string .
" +
11 " ?p1 injection:isFriendOf ?p2 . }";
img/deustotech.png
P. OrduĖa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
17. Introduction
SPARQL Injection
Vulnerable code samples
Blind SPARQL Injection
Addressing code injection
SPARUL Injection
Conclusions
Querying recursively. . .
1 public static String recursively(String letters)
throws Exception{
2 for(int i = 0; i < POSSIBLE_LETTERS.length(); ++
i){
3 char c = POSSIBLE_LETTERS.charAt(i);
4 if(tryBlind(letters + c)){
5 System.out.println(c);
6 return "" + c + recursively(letters + c);
7 }
8 }
9 return "";
10 }
img/deustotech.png
P. OrduĖa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
18. Introduction
SPARQL Injection
Vulnerable code samples
Blind SPARQL Injection
Addressing code injection
SPARUL Injection
Conclusions
Blind SPARQL Injection
It is possible to optimize this system using binary search
Performing queries using Regular Expressions like Ė[A-M].*
to know if the char is between the char A and M
Given a charset of length 64, we would reduce the number of
iterations from 64 times 10 (640) to 6 times 10 (60)
Using the whole UTF-16 charset, it would reduce the number
of iterations from 65536 times 10 (655360) to 16 times 10
(160)
The point is that itās possible to retrieve any information in
the ontology independently from the values returned by the
query
img/deustotech.png
P. OrduĖa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
19. Introduction
SPARQL Injection
Vulnerable code samples
Blind SPARQL Injection
Addressing code injection
SPARUL Injection
Conclusions
SPARUL Injection
Introducing SPARQL/Update Injection
All the previous examples are executed in read-only query
languages
SPARUL introduces the chance to modify the ontology
INSERT, MODIFY and DELETE statements are available
The following sample modiļ¬es the fullName of the resource
injection:Pablo, setting it to the value of the variable name
img/deustotech.png
P. OrduĖa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
21. Introduction
SPARQL Injection
Vulnerable code samples
Blind SPARQL Injection
Addressing code injection
SPARUL Injection
Conclusions
SPARUL Injection
1 String name = "Pablo OrdunyaāĖĖxsd:string" +
2 "} n " +
3 "INSERT {" +
4 " injection:Pablo injection:isFriendOf
injection:EvilMonkey" +
5 "} #"; // }:-D
6 String result = sample.run(name);
With this vulnerability, it is possible to modify the whole
ontology.
img/deustotech.png
P. OrduĖa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
22. Introduction
Vulnerable code samples
Introduction
Addressing code injection
Conclusions
Addressing code injection
Mechanisms provided by the library must be used (if provided)
Not as simple as scaping the ā characters: the string u0027 is
a simple quote, just as in Java
1 System.out.println("au0022.length() +
u0022b".length());
2 // This code prints "2", the result of
("a".length() + "b".length())
3 // since u0022 will be replaced by "
even if it is commented or inside
4 // String
img/deustotech.png
P. OrduĖa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
23. Introduction
Vulnerable code samples
Introduction
Addressing code injection
Conclusions
Frameworks
In Jena, the initialBinding argument can be used in the
QueryExecutionFactory
1 // initial binding
2 QuerySolutionMap initialBinding = new
QuerySolutionMap();
3 RDFNode parameterizedName = model.createLiteral(
name);
4 initialSetting.add("thename", parameterizedName);
5
6 // Perform the query
7 Query query = QueryFactory.create(queryString);
8 QueryExecution qe = QueryExecutionFactory.create(
query, model, initialBinding);
9 ResultSet results = qe.execSelect();
img/deustotech.png
P. OrduĖa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
24. Introduction
Vulnerable code samples
Addressing code injection
Conclusions
Conclusions
Not sanitizing the user input might add a set of security
vulnerabilities in our systems
In the paper it is presented how new query languages inherit
security issues present in older query languages, and therefore
they should also be taken into account when working with
them
img/deustotech.png
P. OrduĖa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
25. Introduction
Vulnerable code samples
Addressing code injection
Conclusions
Questions?
DeustoTech - Internet
http://www.morelab.deusto.es
Pablo OrduĖan pablo.orduna@deusto.es
Aitor Almeida aitor.almeida@deusto.es
Unai Aguilera unai.aguilera@deusto.es
Xabier Laiseca xabier.laiseca@deusto.es
Diego LĀ“pez-de-IpiĖa
o n dipina@deusto.es
Aitor GĀ“mez-Goiri
o aitor.gomez@deusto.es
img/deustotech.png
P. OrduĖa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .