hashdays 2011: Christian Bockermann - Protecting Databases with Trees

Protecting Databases
with Trees
A syntax-based approach to detect SQL injections

Christian Bockermann - chris @ jwall.org

About Me

Researcher of the Artificial Intelligence Group
at the University of Dortmund, Germany
Computer Science
Department
Studying machine learning methods Artiﬁcial Intelligence Group

for web-security

Developer of several projects supplementory www.jwall.org
to ModSecurity @jwallorg

AuditViewer, AuditConsole

Web Policy Compiler, Web Application Profiler

jwall-tools

Hashdays 2011, Luzern Christian Bockermann - chris @ jwall.org

Outline

Are SQL injections still a threat?
Where to fight SQL injections?
Protecting Databases with Trees


We start like every
SQL injection talk...


$name = $_POST[‘name‘];
// $name = “Robert‘); DROP TABLE Students; --“

$insert = “INSERT INTO STUDENTS VALUES (‘$name‘);“;


$name = $_POST[‘name‘];
// $name = “Robert‘); DROP TABLE Students; --“

$insert = “INSERT INTO STUDENTS VALUES (‘$name‘);“;

INSERT INTO STUDENTS VALUES (‘Robert‘); DROP TABLE
Students; -- ‘);


It‘s over 5 years old!


The Web Hacking Incident
Database, June 2011

New Sony Hack Claims Over a
Million User Passwords
2011-06-02 FBI Partner Organization Website
Hacked
Sony Europe hacked by Lebanese 2011-06-06
hacker... Again
2011-06-04 Hacker breaks into MIT website

2011-06-08
LulzSec has compromised
SonyPictures.RU
Citigroup Card Customers’ Data
2011-06-05
Hacked
2011-06-09
DDoS attack takes down
Atlassian's SaaS platform Sony Portugal latest to fall to
2011-06-06 hackers
2011-06-09


Database, June 2011

New Sony Hack Claims Over an
Million User Passwordsnje ctio
S QL I FBI Partner Organization Website
2011-06-02
tion
Hacked Injec
SQL 2011-06-06
Sony Europe hacked by Lebanese
hacker... Again tion
Injec2011-06-04 Hacker breaks into MIT website
SQL
tion
njec
QL I 2011-06-08
LulzSec has compromised S
SonyPictures.RU tion
Injec2011-06-05 Citigroup Card Customers’ Data
SQL Hacked
2011-06-09
DDoS attack takes down
Atlassian's SaaS platform Sony Portugal latest to fall to
2011-06-06 hackers
tion
Injec2011-06-09
SQL


Database, June 2011

SQL Injection
dos/ddos
other
Web Hacking Incident Database, June 2011
http://projects.webappsec.org/


Imperva‘s Trend Report #4
Anatomy of a SQL attack

Monitoring 30 web applications:
on average 71 SQL injection attempts per hour
800-1300 injection attempts at peak times
Use of highly automated SQL injection tools,
e.g. sqlmap, Havij,...

Imperva Monthly Trend Report #4, September 2011
http://www.imperva.com/download.asp?id=352


Imperva‘s recent
Hack-Forum Analysis

spam
SQL Injection
dos/ddos
zero-day
shell code
brute force
Imperva Monthly Trend Report #5, October 2011
HTML injection http://www.imperva.com/download.asp?id=327


Just a couple of days ago...


Motivation - Top 10 Attacks

The Open Web Application Security Project lists the
OWASP - Open Web
Top-10 vulnerabilities: Application Security
Project
1.Injection Flaws (SQL-Injection, RFI, ...) http://www.owasp.org/

2.Cross Site Scripting (XSS)

3.Broken Authentication / Session Management

4.Insecure Direct Object Reference

5.Cross Site Request Forgery (CSRF)

6.Security Misconfiguration

7.Malicious File Execution (Remote File Inclusion)


Mitre Top-25
Improper Neutralization of SQL Elements SQL Injection

Improper Neutralization of OS commands Command Injection

Buffer copy without size-check Buffer overflow

Improper Neutralization of Input during page generation Cross-Site Scripting

Missing Authentication of critical functions

Missing Authorization

Use of hard-coded credentials

Missing Encryption of sensitive data

Unrestricted file uploads of dangerous file-types

...


Not only web...

A SQL injection vulnerability in
Symantec's Sygate Management
Server (SMS) version 4.1, build
1417 and earlier could potentially
allow a remote or local attacker to
gain administrative privileges to the
SMS server.


What makes a SQL injection?
/query?search=security

Web Server

Web Application
SELECT title,abstract FROM DOCS
WHERE
txt LIKE ‘%security%‘

database


1. Attacker injects SQL code into the application
2. injection alters the statement that is executed


Web Server

Web Application
WHERE
txt LIKE ‘%security%‘

database


1. Attacker injects SQL code into the application
2. injection alters the statement that is executed

/query?search=`+UNION+SELECT+LOGIN,PASSWORD+FROM
+USERS; --

Web Server
Web Application WHERE
txt LIKE ‘%‘
UNION
SELECT LOGIN,PASS FROM USERS;
--%`;
database




Web Server

Web Application

database




Web Server

Web Application Within the app‘s code

database




Within the HTTP traffic
Web Server


database




Within the HTTP traffic
Web Server


Within the executed SQL
database


Fighting SQL injections (code)
Conceptual approaches to elevate OWASP Guides

the security of web applications Code Review Guide
Eoin Keary et.al.

Testing Guide
Specifications, Developer Trainings Matteo Meucci et.al.

Backend Security Project
Carlo Pelliccioni et.al.
Penetration testing, Code Reviews AppSensors Project
Michael Coates, Colin Watson
et.al.
Risk Management
Risk Management
Strategies
STRIDE / DREAD
J.D. Meier et. al. Microsoft 2005


Prepared statements can help a lot
PreparedStatement p =
con.prepareStatement(
“SELECT * FROM USERS WHERE login = ?“ );

p.setParameter( 0, username );
p.executeQuery();



“SELECT * FROM USERS WHERE login = “ + username );
p.executeQuery();



“SELECT * FROM USERS WHERE login = “ + username );
p.executeQuery();

Proper use of prepared statements required!


Yes, the whole intrusion
detection (and prevention ...)
game is ‚just‘ a big attempt to
‚patch‘ bugged systems...
Damiano Bolzoni, focus-ids mailing list 10/2008


Fighting SQL injections (waf/ids)
External approaches to web security

Intrusion Detection Systems
PHPIDS, Snort

Web Application Firewalls
Web Server
ModSecurity,...
Web Application

database



WAF / IDS usually check for SQL attack patterns in
HTTP requests, i.e. the user input

/query?search=`+UNION+SELECT+NAME,PASSWORD+FROM+USERS; --



WAF / IDS usually check for SQL attack patterns in
HTTP requests, i.e. the user input

/query?search=`+UNION+SELECT+NAME,PASSWORD+FROM+USERS; --

UNION
Any SQL keywords SELECT
DROP TABLE
contained?? INSERT


Almost(?) all WAF/IDS approaches follow this black-
listing or pattern based approach
The ModSecurity Core-Rules
IBM Web Application Firewall
Imperva SecureSphere
AQTRONIX Webknight
PHPIDS
Snort


It‘s not just keywords, it‘s mostly regular expressions


It‘s not just keywords, it‘s mostly regular expressions

"(?:b(?:(?:s(?:electb(?:.{1,100}?b(?:(?:length|count|top)b.{1,100}?
bfrom|fromb.{1,100}?bwhere)|.*?b(?:d(?:umpb.*bfrom|ata_type)|(?:to_
(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|
execute(?:sql)?|makewebtask)ql_(?:longvar char|variant))|xp_(?:reg(?:re
(?:movemultistring|ad)|delete(?:value|key)enum(?:value|key)s|addmultistring|
write)|e(?:xecresultset|numdsn)|(?:terminat|dirtre)e|availablemedia|
loginconfig|cmdshell|filelist|makecab|ntsec)|u(?:nionb.{1,100}?bselect|tl_
(?:file|http))|groupb.*bbyb.{1,100}?bhaving|d(?:eletebW*?bfrom|
bms_java)|loadbW*?bdatab.*binfile|(?:n?varcha|tbcreato)r)b|i(?:n(?:to
bW*?b(?:dump|out)file|sertbW*?binto|nerbW*?bjoin)b|(?:f(?:bW*?
(W*?bbenchmark|nullb)|snullb)W*?()|a(?:ndb ?(?:d{1,10}|['"][^=]
{1,10}['"]) ?[=<>]+|utonomous_transactionb)|o(?:rb ?(?:d{1,10}|['"]
[^=]{1,10}['"]) ?[=<>]+|pen(?:rowset|query)b)|havingb ?(?:d{1,10}|
['"][^=]{1,10}['"]) ?[=<>]+|printbW*?@@|castbW*?()|(?:;W*?b
(?:shutdown|drop)|@@version)b|'(?:s(?:qloledb|a)|msdasql|dbo)')"


How do keyword/regex filters work with text?

„The following Cookie triggers [rule] 981248

LtpaToken2=x5Orq
(it didn't like "50r"?????)“

ModSecurity Core Rules Mailing list, 2.9.2011


Evading Pattern Detection
Some WAFs try to remove keywords from inputs
Replacements can easily be evaded:

id=1+UNunionION+SEselectLECT+1,2,3--




This would likely result in a database error




id=1+UNION+SELECT+1,2,3--




id=1+UNION+SELECT+1,2,3--

This looks like a good candidate for a successful
SQL injection


There are many approaches to evade
pattern detection:
SQLi filter evasion and
by encoding obfuscation
Johannes Dahse, RUB
at Conference Confidence 2.0
by obfuscation
Beyond SQLi: Obfuscate and
Bypass
by HTTP parameter pollution By CWH Underground
www.exploit-db.com/papers/17934

Bypassing PHPIDS 0.6.5
Michael Brooks (https://sitewat.ch)


Some WAFs do only a single decoding before filtering
double encoding your attack will bypass the WAF

http://victim.com/news.php?id=1%252f
%252a*/union%252f%252a*/select%252f
%252a*/1,2,3%252f%252a*/from%252f
%252a*/users--



http://victim.com/news.php?id=1%2f
%2a*/union%2f%2a*/select%2f%2a*/
1,2,3%2f%2a*/from%2f%2a*/users--



http://victim.com/news.php?id=1/**/
union/**/select/**/1,2,3/**/from/**/
users--


SQL injections possible in a lot of places
Example: ASP viewState variable
Stores client-side state
base64-encoded


base64-encoded

aWQ9YCBPUiAxID4gMDtzdGF0ZT17d
mFyOiJBQkMiLGNvbHVtbnM6M30

What about this?


base64-encoded

id=` OR 1 > 0;
state={var:"ABC",columns:3}


Catching /* */ comments is sometimes not enough
MySQL allows for 3 different types of comments
starting with # until end-of-line
starting with -- until end-of-line
C-style comments /* */


Most DBMS are pretty tolerant regarding their SQL
MySQL does accept comments in a lot of places


Most DBMS are pretty tolerant regarding their SQL
MySQL does accept comments in a lot of places

id=1/**/union/**/select/**/1,2/**/
from/**/users--


The following comment based evasion was used to
bypass a simple ModSecurity CRS rule

http://victim.com/news.php?id=0+div
+1+union%23foo*%2F*bar%0D%0Aselect
%23foo%0D%0A1%2C2%2Ccurrent_user


The following comment based evasion was used to
bypass a simple ModSecurity CRS rule

http://victim.com/news.php?id=0 div
1 union#foo*/*bar
select#foo
1,2,current_user


Special format of MySQL comments allows inline-code

/*! MySQL code */

Can be extended for version specific code

CREATE /*!32302 TEMPORARY */
TABLE t ..


This allows for another style of comments

/news.php?id=1/*!UnIoN*/SeLecT+1,2,3--

Used to bypass ModSecurity CRS and Wapple WAF:

1 ||1=1

1 /*!order by*/ 3

1 /*!union select*/ 1,table_name from
/*!information_schema.tables*/

Patterns like ` OR 1 > 0` can be evaded by an endless
repertoire of variants

` OR 2*3 > 4

` OR @@version == @@version

` OR 1

` or round(pi(),1) + 1 + 1 = version()


Exploiting different views of WAF and Application

/news.php?id=val1&id=val2

Web Server Interpretation Example

ASP.NET/IIS Concat by comma id=val1,val2

ASP/IIS Last parameter id=val2

PHP/Apache First parameter id=val1

JSP/Tomcat First parameter id=val1

DBMan Concat by tildes id=val1~~val2


Bypassing ModSecurity CRS with HPP

/?id=select name&id=password from users




ModSecurity filter view:
id=select name
id=password from users




ModSecurity filter view:
id=select name
id=password from users

Backend ASP application:
id=select name,password from users


Parameter pollution+variants have been used to evade
ModSecurity CRS


Parameter pollution+variants have been used to evade
ModSecurity CRS

So, how to evade the evasion?


Taking a different perspective

Web Server

Web Application

database


Where to detect injections?
At this detection point
any encodings have been decoded by the web-
server and the application
no more „mangling“ is done
prior execution Web Server

any encoding-based evasions Web Application
do not apply anymore

database


What makes a successful SQLi?
1. SQL injection needs to modify existing statement
2. modified statement needs to be valid SQL

WHERE
txt LIKE ‘DROP TABLE STUDENTS‘;



WHERE
txt LIKE ‘%‘
UNION
--%`;



WHERE
txt LIKE ‘%‘
UNION
--%`;

How do we „capture“ such modifications?


Structure of SQL
SQL is a highly structured language
(ISO SQL-92, ISO/IEC9075:2003, ...)

statements parsed to abstract syntax tree
AST presents the structure of a statement


Structure of SQL
(ISO SQL-92, ISO/IEC9075:2003, ...)


SELECT
title,abstract
FROM DOCS
WHERE
txt LIKE ‘%security%‘;


Structure of SQL
(ISO SQL-92, ISO/IEC9075:2003, ...)


SELECT
SELECT
title,abstract
FROM DOCS
FROM COLS WHERE
WHERE
txt LIKE ‘%security%‘;
COL COL LIKE

`DOCS` `title` `abstr` `txt` `%`


Structure of an SQL injection
WHERE
txt LIKE ‘%`;

SELECT

TABLE_REF COLUMN_LIST WHERE_COND

LIKE
COLUMN COLUMN

COLUMN CONST

`DOCS` `title` `abstr`
`txt` `%`


WHERE
txt LIKE ‘%‘
UNION
SELECT LOGIN,PASS FROM USERS; --%`;
UNION

SELECT SELECT

TABLE_REF COLUMN_LIST WHERE_COND COLUMN_LIST
TABLE_REF

LIKE
COLUMN COLUMN COLUMN COLUMN

COLUMN CONST

`DOCS` `title` `abstr`
`txt` `%` `USERS` `LOGIN` `PASS`


INSERT INTO STUDENTS (NAME,CLASS,GRADE)
VALUES (`Robert`, ``, ``); DROP TABLE STUDENTS; --
`CS1`,`4`);

INSERT DROP

TABLE_REF COLUMN_LIST VALUE_LIST
TABLE_REF

COLUMN COLUMN COLUMN CONST CONST CONST

`STUDENTS` `NAME` `CLASS` `GRADE` `Robert` `` `` `STUDENTS`


Related Work
Parse Tree Validation to prevent SQL-Injections
injected snippets do change overall
structure of the query
Using Parse Tree Validation to
Prevent SQL Injection Attacks.
compare query trees BEFORE and Gregory T. Buehrer, Bruce W.
Weide, Paolo A.G. Sivilotti
AFTER inserting user-data SEM '05: Proceedings of the 5th
international workshop on
Software engineering and

implementation „SQLGuard“ extends middleware, ACM, 2005

Java‘s JDBC interface


Related Work



Change in application code required, for
checking before and after user-data insertion


Related Work



If you need to change the code, then
switch to prepared statements!!!!


How to detect structural changes?
What changes as SQL snippets are inserted into
SQL statements?

regular injected


SQL statements?
the number of inner tree nodes 9 : 15


SQL statements?
the number of leave nodes 6 : 10


SQL statements?
the number of leave nodes 6 : 10
the height of the tree 4:5


Effect of Evasions?
How does this scale in case of other WAF evasion
techniques?


Effect of Evasions?
techniques?
replace or 1 = 1 with


Effect of Evasions?
techniques?
replace or 1 = 1 with
or round(pi(),1) + 1 + 1 = version()


Effect of Evasions?
techniques?
or round(pi(),1) + 1 + 1 = version()
OR

fn:equals

fn:add fn:version

fn:round fn:add

fn:pi 1 1 1


Effect of Evasions?
true-(mod(length(trim(leading(concat(lower(conv(version
()*(true+pi()), pi()*pi(),pow(pi(),pi()))),lower(conv
(pi()*pi()*pi()-pi()-pi(),pi()*pi(), pow(pi(),pi
()))),lower(conv(pi()*version(),pi()*pi(),pow(pi(),pi
()))), conv(version()*(true+pi()),pi()*pi(),pow(pi(),pi
())),lower(conv(pi()*pi()*pi( )-pi()-pi(),pi()*pi(),pow
(pi(),pi()))),lower(conv(pi()*version(),pi()*pi(), pow
(pi(),pi()))),lower(conv(ceil(pi()*version())+true,pi()
*pi(),pow(pi(), pi()))),lower(conv(ceil((pi()+ceil(pi
()))*pi()),pi()*pi(),pow(pi(),pi()))), lower(conv(ceil
(pi())*ceil(pi()+pi()),pi()*pi(),pow(pi(),pi()))), conv
(ceil(pi()*version()),pi()*pi(),pow(pi(),pi())),lower
(conv(ceil(pi()*pi() +pi()),pi()*pi(),pow(pi(),pi
()))),lower(conv(ceil(version()*version()),pi()*pi
(),pow(pi(),pi()))),lower(conv(ceil(pi()*pi()+pi()),pi
()*pi(),pow(pi(),pi()))))) from(pass))),length(pass)))


How can we use that to detect
attacks?


A simple Demo-Shop
We implemented a simple Java Web Shop
uses MySQL backend
highly vulnerable to SQL injections
allows for simple definition of URL-to-SQL map

logs SQL statements along with request
allows logging ModSecurity anomaly scoring


A simple Demo-Shop
Multiple URLs that execute one or more SQL queries,
defined in a URL-to-SQL map:

GET /view-product: SELECT * FROM products
WHERE id = %{id};

POST /search: SELECT * FROM products
WHERE name LIKE ‘%%{query}%‘
OR desc LIKE ‘%%{query}%‘;

GET /cart/view: SELECT * FROM cart
WHERE id = ‘%{SESSION:ID}‘;

GET /cart/add: INSERT INTO cart VALUES
( %{SESSION:ID}, %{id}, 1 );

...

A simple Experiment
Generated some SQL logs
SQLMAP
Generated a „normal work load“ Bernardo Damele, Miroslav Stampar
http://www.sqlmap.org

attacked the shop with sqlmap
Recorded all HTTP traffic and SQL queries

test-client sqlmap Total
6251 147 6398


Distribution of number of inner nodes vs. total node
count for normal statements and SQL injections


Training a classifier
We‘re looking for a simple binary classification
Use some training data to find a function f that will
output „normal“ or „attack“ on new, unseen data

Recorded
Data



Training
Recorded
Data
Test



Training classifier
Recorded
Data
Test



Training
Recorded
Data
Test classifier



Training
Recorded
Data
Test classifier ??


Normal Attacks Total
Watching a single URL 514 65 579

We trained a simple classifier on the data to distinguish
a normal query and its modifications

normal sqlmap

pred normal 514 21 96,1 %

pred sqlmap 0 44 100 %

100 % 67,7 %



We trained a simple classifier on the data to distinguish
a normal query and its modifications

normal sqlmap

pred normal 514 21 96,1 %

pred sqlmap 0 44 100 %

100 % 67,7 %

Data labeled by User-Agent string, but sqlmap sends valid
requests at initial probe phase. These are no injections.



On a second data set with correctly labeled data, the
classifier perfectly detects all attacks with no false
positives

normal attack

pred normal 1245 0 100 %

pred attack 0 55 100 %

100 % 100 %

Results obtained by a 10-fold,
stratified cross validation


Watching multiple URLs
So we‘re able to learn how to tell a normal query and
its anomalous modification apart
Most web apps use more than a single query
How does our approach scale with multiple
queries?


A more complex Experiment
In this experiment, we checked detection capabilities with multiple
statements and their modified injection versions

normal attack

pred normal 6251 31 99,51 %


100 % 78,91 %


In this experiment, we checked detection capabilities with multiple
statements and their modified injection versions

normal attack

pred normal 6251 31 99,51 %


100 % 78,91 %

The results above are obtained with a Support Vector Machine
(SVM) with linear kernel, C=1000.0


The power of trees...
So far we explored classification using only the height and number of
nodes of a tree


nodes of a tree

What about using the complete tree?

SELECT name,SUM(PUNKTE)
FROM STUDENTS
WHERE
name = 'Marcin'
AND lvID = '42509'

SELECT

name SUM


nodes of a tree


SELECT name,SUM(PUNKTE)
Start --> SELECT
FROM STUDENTS
SELECT --> ResultCols From Where
WHERE
ResultCols --> ResultCol ResultCol
name = 'Marcin'
ResultCol --> ColRef
AND lvID = '42509'
ColRef --> 'NAME'
ResultCol --> ColRef
SELECT
AggregateNode --> SUM
ColRef --> 'PUNKTE'
FromList --> TableRef
TableRef --> STUDENTS
Where --> AndNode
AndNode --> BinOp BinOp
name SUM BinaryOp --> Eq ColRef Const
ColRef --> `name`
Const --> `Marcin`
...


nodes of a tree

.
SELECT name,SUM(PUNKTE) 0
Start --> SELECT 1
FROM STUDENTS
SELECT --> ResultCols From Where 1
WHERE 1
ResultCols --> ResultCol ResultCol
name = 'Marcin' 1
ResultCol --> ColRef 2
AND lvID = '42509'
ColRef --> 'NAME' 1
ResultCol --> ColRef 1
SELECT 1
AggregateNode --> SUM
1
ColRef --> 'PUNKTE' 1
FromList --> TableRef 1
TableRef --> STUDENTS 1
Where --> AndNode 1
1
AndNode --> BinOp BinOp
1
name SUM BinaryOp --> Eq ColRef Const 1
ColRef --> `name` 1
Const --> `Marcin` 1
... 0
.


The power of trees... Experiment
A high-dimensional feature space provides more chances to separate
between normal and attack - so let‘s see:

normal attack

pred normal 6251 11 99,82 %


100 % 92,52 %


A high-dimensional feature space provides more chances to separate
between normal and attack - so let‘s see:

normal attack

pred normal 6251 11 99,82 %


100 % 92,52 %

The SVM classifier performs much better and is able to predict the attacks pretty
good, with a polynomial kernel of degree 3, gamma=100.0, C=1000.0


11 attacks missed??
So what went wrong?

SELECT id,name,desc,price
FROM products
WHERE
name LIKE '%secret%'
OR desc LIKE '%secret%'

By accident labeled as „attack“ (User-Agent).
Just a „probe“ query of sqlmap


11 attacks missed??
So what else went wrong?

SELECT id,name,desc,price
FROM products WHERE
name LIKE '%secret) AND 8579=8579 AND (7161=7161%'
OR
desc LIKE '%secret) AND 8579=8579 AND (7161=7161%'

This one was labeled as „attack“ in the test data.
The classifier said it is „normal“.


After manual inspection - all missed attacks turned out
to be normal queries or unsuccessful SQL injections

normal attack



100 % 100 %


After manual inspection - all missed attacks turned out
to be normal queries or unsuccessful SQL injections

normal attack



100 % 100 %

The SVM classifier perfectly distinguished attacks and normal queries
with a polynomial kernel of degree 3, gamma=100.0, C=1000.0


So what about a real application?
Good question!
Please upload your database-logs + web-logs to my
web-site and I will try :-)


So what about a real application?
Good question!
Please upload your database-logs + web-logs to my
web-site and I will try :-)

We checked out Typo-3
1000 queries, 15 artificial attacks
about 90% detection rate
too few training data


Trying to visualize SQL of Typo-3...


Trying to visualize SQL of Typo-3...

ISOM created from Typo3 1000 SQL queries with 15 artificial SQL
injections, a tree-kernel was used as similarity measure

Summary
A successful SQL injection needs to alter the query

Syntactical approach for detecting SQL injections
Escapes evasion attacks by inspecting the queries
just before they hit the database
Vectorization of trees for detection using machine
learning showed good results
Creating an SQL parser is the hardest part :-)


Ingres SQL Parser Collection
References Part of the Ingres Migration Toolset
http://code.ingres.com/
jsqlparser
SQL parser libraries http://jsqlparser.sf.net

my fork of jsqlparser
jsqlparser (Java) github.com/cbockermann/jsqlparser
(generated with javacc)

Ingres SQL parser library (Java)
(based on antlr, conversion of mysql parser)

Machine Learning Tool
RapidMiner RapidMiner
http://rapid-i.com/


hashdays 2011: Christian Bockermann - Protecting Databases with Trees

More Related Content

Similar to hashdays 2011: Christian Bockermann - Protecting Databases with Trees (20)

More from Area41 (11)

Recently uploaded (20)

hashdays 2011: Christian Bockermann - Protecting Databases with Trees