Abstract
Online, data-driven applications have become the cornerstone of e-commerce, health care, and the economy as a whole, as well as a part of almost every web application and mobile app in daily life. Unfortunately, this reliance on databases encourages attackers to exploit every available attack surface to compromise these data-driven systems. While many security methodologies are in place to protect and preserve the confidentiality, availability, and integrity of data, there are cases where these implementations fail, resulting in unintended consequences. In this paper, the STRIDE threat modeling methodology is used to identify potential threats to the MySQL database management system, to assist developers and administrators in proactively securing these systems. Overall, this research identified spoofing, tampering, and denial of service as the more common threats facing data-driven applications, each of which can cause significant damage to an insufficiently protected MySQL database. Moreover, this paper suggests potential countermeasures to better protect MySQL databases against adversarial threats.
© 2020 Springer Nature Switzerland AG
Sanfilippo, J., Abegaz, T., Payne, B., Salimi, A. (2020). STRIDE-Based Threat Modeling for MySQL Databases. In: Arai, K., Bhatia, R., Kapoor, S. (eds) Proceedings of the Future Technologies Conference (FTC) 2019. FTC 2019. Advances in Intelligent Systems and Computing, vol 1070. Springer, Cham. https://doi.org/10.1007/978-3-030-32523-7_25
DOI: https://doi.org/10.1007/978-3-030-32523-7_25
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-32522-0
Online ISBN: 978-3-030-32523-7
eBook Packages: Intelligent Technologies and Robotics