SQL Server: SQL Injection Attacks

SQL Server: SQL Injection Attacks

Found a great article on SQL Server Injection Attacks at Manipulating SQL Server Using SQL Injection. It really underscores the reasons for using parameterized queries. If you aren't using parameterized queries, you really open yourself up to a world of trouble. And don't think your database is the only thing at risk. Once an attacker knows that they can execute arbitrary queries on your server, they are going to attempt to elevate their permissions giving them access to your entire server. Now they can execute commands on your server with the same authority as the service running sql server (sqlserver.exe process). If this is running with domain level permissions, you're entire network is compromised. Of course, this is just covering what can happen on a Microsoft network, but SQL Server is not the only platform susceptible. SQL Injection can be used against any website using a database. Here are some more articles:

http://msdn.microsoft.com/msdnmag/issues/04/09/SQLInjection/
http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf

Genetic Programming: What is crossover and mutation?

In my last post (What is a chromosome), I described what a chromosome was, but didn't really say what you could do with one. At the beginning of a GP program, you create an initial pool of chromosomes (or the Primordial Soup, if you prefer) which is the basis for a multitude of variations. This is accomplished through crossover and mutation. Crossover takes the chromosome from one parent and merges it with that of another creating two new children. Here is an example of crossover using three inputs:

Mother -> inputs(5, 10, 3) -> Binary(101, 1010, 0011) -> Chromosome(10110100011)
Father -> inputs(4, 2, 13) -> Binary(100, 0010, 1101) -> Chromosome(10000101101)

Now, since our chromosome has a length of 11 lets return a random value between 1 and 9. This ensures that at least the first or last bit from each parent will be passed on to each of the children (we are assuming a 0 based array). Let's say our random number is 4. Our chromosomes will be split in the following manner:

Mother(0): 10110; Mother(1):100011
Father(0): 10000; Father(1): 101101

Combine Mother(0) with Father(1) and Mother(1) with Father(0) to create a two new binary strings:

Mother(0) + Father(1) : 10110 101101-> 10110101101 (Child1)
Mother(1) + Father(0) : 10000 100011 -> 10000100011 (Child2)

Time to mutate! For each of the two children strings select a random number beteen 0 and 10 (the length of the binary string). Using the random value as an index, invert the appropriate bit.

Child1: Random Value=2: 10 1 10101101 -> 10 0 10101101
Child2: Random Value=9: 100001000 1 1 -> 100001000 0 1

Now we can decode our chromosome. We know that the first 3 characters describe the first value, the next 4 describe the second value and the last 4 describe the third value. Let's decode

Child1: 100, 1010, 1101 -> 4, 10, 13
Child2: 100, 0010, 0001 -> 4, 2, 1

You can well imagine how this process running continually over several generations could generate a vast number of combinations.

Genetic Programming: What is a chromosome?

In Genetic Programming, we use chromosomes to describe our inputs and/or outputs. Best way to explain this is to give an example. Let's say we have two inputs X and Y.

X = 5
Y = 10

We would want this these values in binary, so lets convert.

X = 101
Y = 1010

Now to build our chromosome, we simply append one string to the other

chromosome = 1011010

There you have a chromosome. Why would we want to this instead of just passing the integers as part of an array? the answer lies in crossovers and mutations. I'll cover those in a later post.

Genetic Programming is Cool

Have you ever heard of Genetic Programming? If you haven't, Genetic Programming (GP) is a design pattern inspired by the replication and mutation of chromosomes in nature. GP can be used to limit the number of potential answers to those that will fit a given criteria. By assigning our inputs some random intial values, converting them into binary strings and then concatenating them, we create our chromosomes. Each chromosome is then crossed with other chromosomes to create 2 new children. the Children chromosomes have a random bit changed to create a new series of inputs, related to both parents, but different enough to create a genetic variation. When the children are created, their chromosomes are decoded into their respective inputs. If their values fall within the range of the constraints, they will continue to breed. If not, they are either destroyed or they are penalized in such a way that they are less likely to breed than other chromosomes.

Check out www.geneticprogramming.com