1. Field of the Invention
The present invention relates to computer system security. More specifically, the present invention relates to a method and an apparatus for preventing unauthorized access to computer system resources.
2. Related Art
Databases commonly store highly sensitive data, such as salaries, corporate financial data, and even classified military secrets. Consequently, database systems are typically designed to prevent unauthorized access to sensitive data. This problem is compounded by the fact that middle-tier applications often access a database on behalf of various users, so the database system must often rely on those applications to provide access control mechanisms. Although applications that access databases typically ensure that a given query originates from an authorized user, many of these applications are vulnerable to a form of attack known as “SQL injection.”
During a Structured Query Language (SQL) injection attack, a hacker supplies an application with input that contains an SQL statement. The hacker relies on the fact that the application will incorporate this input, SQL statement included, into a query, so that the injected SQL statement causes the query to retrieve data other than the data the application intended to retrieve.
SQL injection attacks come in many forms. In a common SQL injection technique, a hacker inserts code into a SQL statement which is intended to return a set of rows R in a set of tables T. However, because of the inserted code, instead of returning R, the database returns a set of rows R′ in a set of tables T′, where T′ is a superset of T.
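The following added example (not part of the patent text) illustrates the mechanism described above with a vulnerable query beside its parameterized counterpart, using Python's standard `sqlite3` module and a constructed in-memory `employees` table. The function names, the sample rows and the crafted input are assumptions made for the illustration. The vulnerable variant splices the caller's value into the statement text, so a value that closes the string literal widens the WHERE clause and the database returns every row (the set R′ rather than the intended R); the hardened variant binds the value as a parameter, so the same input is compared as plain data and matches nothing.

```python
import sqlite3

# Constructed sample data standing in for the sensitive rows the text describes.
SAMPLE_ROWS = [("alice", 90000), ("bob", 85000), ("carol", 120000)]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_salary_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable form: the caller-supplied value is spliced into the SQL text,
    so anything the value contains becomes part of the statement itself."""
    query = f"SELECT name, salary FROM employees WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_salary(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the statement text is fixed at development time and the
    value travels separately as a bound parameter, so it is only ever compared
    as data and can never alter the shape of the query."""
    query = "SELECT name, salary FROM employees WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def compare(name: str) -> tuple:
    """Run both variants on the same input; return (unsafe_rows, safe_rows)."""
    conn = make_db()
    return len(lookup_salary_unsafe(conn, name)), len(lookup_salary(conn, name))


if __name__ == "__main__":
    # Constructed inputs: an honest lookup and one that closes the string
    # literal so the vulnerable query's WHERE clause matches every row.
    honest = "bob"
    widened = "' OR '1'='1"
    print("honest input :", compare(honest))   # (1, 1)
    print("widened input:", compare(widened))  # (3, 0)
```

A useful check in a code review is that no query text is ever built with string formatting from values that originate outside the application; every such site is a place where the intended row set R can silently become R′.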
Another technique employed by hackers to gain control of a system is a buffer-overflow attack. The buffer-overflow attack is typically aimed at programs written in the C or C++ programming languages. During a buffer-overflow attack, a hacker causes a buffer overflow by sending more information to a program than the program can handle. After the buffer overflow occurs, the hacker can then use various tricks to gain control of a computer system. For example, buffer-overflow attacks are commonly used by a hacker to invoke arbitrary programs, such as a shell program, as a privileged user.
Hence, what is needed is a method and an apparatus for preventing unauthorized access to computing resources without the problems listed above.