ZIZI ‡‡‡ 선택과 집중~ ‡‡‡

What is GreenSQL?

GreenSQL is an Open Source database firewall used to protect databases from SQL injection attacks. GreenSQL works as a proxy for SQL commands and has built in support for MySQL. The logic is based on evaluation of SQL commands using a risk scoring matrix as well as blocking known db administrative commands (DROP, CREATE, etc). GreenSQL is distributed under the GPL license.

GreenSQL Architecture

GreenSQL works as a reverse proxy for MySQL connections. It means, that instead of MySQL server, your applications will connect to GreenSQL server. GreenSQL will analyze SQL queries and forward them to the back-end MySQL server.

The following picture describes the whole process.

                                                  GreenSQL Architecture

As you can see, GreenSQL calls real database server to execute SQL commands and web application connects to GreenSQL server as if it is a real database server.

GreenSQL can be installed together with database server on the same computer or it can use a distinct server. By default GreenSQL listens on local port 127.0.0.1:3305 redirecting SQL requests to 127.0.0.1:3306 (default MySQL settings). This settings could be altered using GreenSQL Console.

Supported modes

GreenSQL db firewall can be used in a number of ways:

• Simulation Mode (database IDS)
• Blocking Suspicious Commands (database IPS)
• Learning mode
• Active protection from unknown queries (db firewall)

During the Simulation Mode nothing is basically blocked. In this case GreenSQL works as database IDS system (IDS stands for Intrusion Detection System). During this mode we use our risk scoring matrix engine to find suspicious queries and notify the database administrator using the GreenSQL Management Console.

When the system is configured to Block Suspicious Commands we use our heuristics engine to find "illegal" queries and block them automatically. This is basically database IPS system (IPS is Intrusion Prevention System). If the query is considered illegal - whitelist is checked. If it was found in the whitelist, it will be redirected to genuine MySQL server. If it was found "illegal", an empty result set will be send to application. During this mode, we can sometimes generate false positive and false negative errors. As a result, some legal queries can be blocked or our system can pass "illegal" query undetected. These are pros and cons of the IPS systems. We constantly improve our heuristics engine but it is still not perfect.

In order to address disadvantages of the above methods we recommend to enable Learning Mode and after learning period is over switch to Active protection from unknown queries. During the learning mode all queries are automatically added to the whitelist. When the learning mode is over, we automatically enable active protection. If Active protection from unknown queries is enabled, all unknown commands are blocked. This is basically database firewall mode. When unknown SQL command is detected, it is automatically blocked. In addition we calculate it's risk using our heuristics methods and display the result using GreenSQL Management Console. This is basically the most fastest mode because we calculate risk only for new queries witch will not happen that often.

How GreenSQL finds "illegal" queries?

The GreenSQL finds suspicious queries using a number of methods:

• Finds administrative and sensitive SQL commands.
• Calculates risk of the query.

Finds administrative and sensitive SQL commands

GreenSQL uses a pattern matching engine to find commands that are considered "illegal". Basically this is a signature-based subsystem. For example, the following commands will be considered "illegal": database administrative commands; commands that try to change db structure; commands used to access system files. Administrator can also approve "illegal" query by adding it to the whitelist or by altering configuration file with a list of "illegal" patterns.

Calculates risk of the query.

For each query GreenSQL calculates its risk. Basically this is anomaly detection subsystem. After the risk is calculated GreenSQL can block the query or just create a warning message (depends on the application mode). There are a number of heuristics we use when calculating risk. For example:

• Access to sensitive tables increases risk query (users, accounts, credit information)
• Comments inside SQL commands increases query risk
• Usage of an empty password string
• Found ‘or’ token inside query
• Found SQL expression that always return true (SQL tautology)
• Comparison of constant values (SQL tautology)
• ...

In order to find anomalies GreenSQL uses it's own SQL language lexer to find SQL tokens.

How commands are blocked?

When GreenSQL determines that a query should be blocked it will generate an empty resultset send back to the application so it can continue gracefully.

How Whitelist works?

Each time GreenSQL considers a SQL query as a security risk - it is blocked. You can alter this behavior for a specific query by explicitly adding it to the whitelist.
New: During the Learning mode all new queries are automatically added to the whitelist.
--------------------------------------------------------------------------------------------------------------------

GreenSQL-FW: 0.9.4 released