A Secure Design Pattern Approach Toward Tackling Lateral-Injection Attacks
Chidera Biringa, Gökhan Kul

TL;DR
This paper introduces SEAL, a security design pattern for lateral SQL injection (LSQLi) attacks that assigns security strategies across the architectural, design, and implementation abstraction levels, and evaluates it on case-study software under attacker-driven injection attempts.
Contribution
The paper presents SEAL, a security design pattern that specifically targets lateral SQL injection attacks and extends traditional security patterns, which usually operate at a single abstraction level, to cover the architectural, design, and implementation levels together.
Findings
SEAL effectively mitigates lateral SQL injection attacks in case studies.
The approach enhances security by integrating strategies across architecture, design, and implementation.
Evaluation shows improved protection against confidentiality and integrity breaches.
Abstract
Software weaknesses that create attack surfaces for adversarial exploits, such as lateral SQL injection (LSQLi) attacks, are usually introduced during the design phase of software development. Security design patterns are sometimes applied to tackle these weaknesses. However, due to the stealthy nature of lateral-based attacks, employing traditional security patterns to address these threats is insufficient. Hence, we present SEAL, a secure design that extrapolates architectural, design, and implementation abstraction levels to delegate security strategies toward tackling LSQLi attacks. We evaluated SEAL using case study software, where we assumed the role of an adversary and injected several attack vectors tasked with compromising the confidentiality and integrity of its database. Our evaluation of SEAL demonstrated its capacity to address LSQLi attacks.
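The abstract does not spell out why lateral SQL injection is "stealthy", so here is an added illustration in Oracle PL/SQL. It is not code from the paper or from SEAL; it shows the well-known mechanism behind lateral SQL injection: a procedure that takes no caller input at all still builds dynamic SQL by concatenating a DATE, and Oracle converts that DATE to text using the session's NLS_DATE_FORMAT, which the caller controls. The table `orders`, column `order_day` and procedure names are assumptions made for the example.

```sql
-- Added example (not from the paper): lateral SQL injection via NLS_DATE_FORMAT.
-- Assumed schema: orders(order_day DATE, ...). Procedure names are illustrative.

-- VULNERABLE: no parameters, so a review focused on "user input" passes it.
-- SYSDATE is implicitly converted to VARCHAR2 by the concatenation, and that
-- conversion uses the caller's session NLS_DATE_FORMAT.
CREATE OR REPLACE PROCEDURE count_orders_today (p_count OUT NUMBER) AS
  v_sql VARCHAR2(4000);
BEGIN
  v_sql := 'SELECT COUNT(*) FROM orders WHERE order_day = ''' || SYSDATE || '''';
  EXECUTE IMMEDIATE v_sql INTO p_count;
END;
/

-- ATTACK: a caller with the ALTER SESSION privilege changes the date format.
-- Text inside double quotes in an NLS format mask is emitted literally, so
-- SYSDATE now renders as the string  ' OR 1=1--  (the '' is an escaped quote).
ALTER SESSION SET NLS_DATE_FORMAT = '"'' OR 1=1--"';
-- v_sql built by the procedure is now:
--   SELECT COUNT(*) FROM orders WHERE order_day = '' OR 1=1--'
-- The filter is neutralised; any other SQL can be placed in the mask the same
-- way (length-limited), and NLS_NUMERIC_CHARACTERS gives the same effect for
-- NUMBER values. The injected text never appears in a procedure argument.

-- HARDENED: bind the DATE; it never goes through text conversion at all.
CREATE OR REPLACE PROCEDURE count_orders_today_safe (p_count OUT NUMBER) AS
  v_sql VARCHAR2(4000);
BEGIN
  v_sql := 'SELECT COUNT(*) FROM orders WHERE order_day = :d';
  EXECUTE IMMEDIATE v_sql INTO p_count USING SYSDATE;
END;
/

-- If concatenation is unavoidable, force an explicit format mask so the
-- session setting is ignored, and quote the result with DBMS_ASSERT.
--   ... || DBMS_ASSERT.ENQUOTE_LITERAL(TO_CHAR(SYSDATE, 'YYYY-MM-DD')) || ...
```

The point the example makes for SEAL's multi-level approach: the weakness is invisible at the implementation level if the reviewer only looks for caller-supplied parameters, and it is only caught by a design-level rule such as "no implicit type conversion inside dynamic SQL" or an architectural rule that restricts which accounts may run ALTER SESSION. Run the attack only against a database you own; the ALTER SESSION line changes settings for the current session only.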
Taxonomy
Topics: Security and Verification in Computing · Web Application Security Vulnerabilities · Advanced Malware Detection Techniques
