Saturday, March 14, 2020
Heathcliff and Catherine in Wuthering Heights Essay
Essay Topic: Wuthering Heights
Heathcliff and Catherine are depicted as soul mates; their love exists on a higher or spiritual plane, and they have such a high affinity for each other that they are drawn together uncontrollably. The relationship is portrayed almost as one entity, as if the two characters have become united. Catherine pronounces to Nelly ‘I am Heathcliff! He’s always, always in my mind. But as my being’. The quotation epitomises their inextricable love: regardless of separate marriage and physical detachment, their souls will always be inseparably linked. Moreover, the metaphor perhaps symbolises eternity, as their love is never absent or divided; their hearts have become permanently indivisible. The use of the exclamative sentence emphasises the passion and intensity surrounding their relationship. Additionally, the repetition of ‘always’ strengthens the sense of perpetual and undying love. In chapter 16, after Catherine’s death, Heathcliff echoes Catherine’s speech to Nelly and he is conveyed as disordered, as part of his soul has perished due to her demise. Heathcliff states ‘Oh God! It is unutterable! I cannot live without my life! I cannot live without my soul!’, illustrating his dependence on her and suggesting that her existence is a requirement for his identity; he falls into confusion and chaos without her. It could be viewed that the quotation depicts that without Catherine, Heathcliff’s identity is impaired and that it is unbearable to endure life without her. Bronte presents Heathcliff and Catherine as soul mates; she portrays both characters as reliant on one another for stability, such that it would be purely intolerable for one to live without the other.
The love between Heathcliff and Catherine is also portrayed as obsessive and all-consuming. On Heathcliff’s return to Wuthering Heights, he visits Catherine at Thrushcross Grange. Bronte uses a simile to illustrate Catherine’s obsession with Heathcliff: ‘her gaze
Wednesday, February 26, 2020
The Gulf War from the American perspective - Essay Example
In any case, one thing is clear: the publicly stated reasons for the Iraq war were not digestible to many people. This paper analyses the Gulf War from American perspectives. George Bush thought that the Gulf War might help him win the presidential election once again. He thought that this war might help him and his party (the Republicans) to increase their popularity, and hence that he might get an easy walkover in the coming presidential election. However, Bill Clinton proved that such beliefs were wrong. “Clinton successfully made the economy the issue in the next election and managed to win it” 1. “For years Saddam received US support while committing atrocities. His was not the only government committing atrocities. His atrocities were never publicly discussed until he invaded Kuwait” 2. The invasion of Kuwait brought Saddam Hussein into the public limelight. It was difficult for America to justify Saddam further. It should be noted that democracy is prevailing in America, and Americans believe themselves to be the saviours of human rights. Under such circumstances, it was impossible for America to stay blind while Iraq was questioning the sovereignty of an independent country. Moreover, many Americans thought that Saddam was trying to become another Hitler. The increased influence of Saddam in the Middle East was not good for American interests. “Saddam was repeatedly compared to Hitler. Then he was publicly defied and demeaned. The president said he has "had it" with "Sad'm" Hussein. Under U.S. leadership, the world was mobilized against him” 3. America suspected the possibility of another world war unless they prevented Saddam from conquering neighbouring countries. It should be noted that the military power of the other Gulf countries was negligible in front of Iraq’s military power at that time.
In short, many people believe that America attacked Iraq to save the world from the possibility of another world war. Another argument claims that America attacked Iraq to control the oil resources. However, this argument seems to be far from reality, since America’s oil imports from Iraq account for only 5% of the total energy needs in America. There are plenty of other countries in this world which rely heavily on Iraqi oil resources for their energy needs. “So oil is not the whole answer. Other possible aspects of the answer include "a new world order," collective security, interdependence, prevention of regional hegemony, and reversal of American decline” 4. Even though Iraqi oil does not cause many direct problems for America, it has the potential to cause indirect economic problems in America. If Saddam Hussein had raised oil prices to $27 a barrel, the increase in our import bill would have been about $20 billion a year, or less than one half of one percent of GNP. The greater harm comes when sudden rises depress the economy, but this effect is harder to estimate. Some economists believe that a temporary oil price of $40 a barrel, for example, helped to trigger the recession, which represented a loss of several percent of GNP 5. “U.S. policy toward the Middle East is characterized by an intention to ultimately control the oil there, and keep other powers--not just the Soviet Union, but also Britain and France--away, if not dependent on the United States” 6. It is a fact that oil resources in America are rapidly being exhausted even though the demand for oil increases. The oil needs or the energy
Monday, February 10, 2020
Scholarly paper - Scholarship Essay Example
Whether or not a law prohibiting smoking in cars containing minors could be passed in the US would ultimately depend on the law’s constitutionality under the Commerce Clause of the US constitution. The Commerce Clause allows congress “to regulate commerce with foreign nations and among the several states” and has long been an issue of political and social debate. The Supreme Court’s current standard for determining whether Congress has exceeded its commerce power can be subjective, making it difficult to predict the constitutionality of proposed public health laws. However, the court has shown surprising willingness in recent cases to broaden the power of congress to regulate commerce in order to protect public health, especially for innocent children confined to automobiles who cannot protect themselves; as such, a federal law prohibiting smoking in cars containing minors could be found constitutional. Furthermore, if congress were to refuse to take such a law into consideration, it could be possible for states themselves to regulate smoking in cars under the dormant commerce clause. This problem cannot be easily prevented by taking simple actions like opening the car windows. This is because this action can change the direction of the air flow, and as a result the smoke gets blown right back into the face of the child. What needs to be done is for a law to be passed that prohibits smoking in motor vehicles. This can place stiff penalties on the offenders, with the possibility that the parents can lose custody of their children if found engaging in the act. The level of exposure to secondary smoke by children is about 11% in the United States. This study was carried out among children aged below 6 years. It was also revealed that it was the parents who were the main source of exposure to their children; exposure by parents accounted for 90%. There was a new revelation in the research
Thursday, January 30, 2020
Persuasive Essay, The Player: All Realities Are Fictitious Essay
Our world consists of many realities, two of them being commercial and artistic. A commercial reality is one of indulgence and pleasure, always aiming to suit those who yearn for it. Artistic reality, however, is open to interpretation. This means there are many possible outcomes. One could be saddened or depressed by the reality, and others joyful. It is because of this uncertainty in artistic realities that the film industry, as well as many other industries, has taken it upon itself to glorify the truth. It is because of the clashing of these two realities that reality as a whole becomes difficult to interpret. The statement that every reality is fictitious is rather bold, however. Although few in number, there are people who hold very strong morals and have a sense of quality in what they do. The Hollywood film industry is entirely commercial, offering little or no interest in writers' work that consists of depth, morals and truth. This reality consumes those considered naive to the industry. Commercial realities are realities that are created by people who want to escape their own and subconsciously create a reality that is deemed impossible in the “real” world. Commercial realities are attractive to most, because you can experience something otherwise unimaginable. It is us, the audience of massive Hollywood productions, that show true appreciation of films made by producers who show no other interest than creating fictional nonsense and profiting from us. The film making industry is created by artificial characters living paranormal lives that we aspire to have. However, who can jump from a 4 story building and land on the ground with no injury?
Who can be stabbed and instantly healed by only a bandage and continue battling the world with heroic attributes and a vision to sustain “humanity as we know it”? Commercial realities are fictitious, and they leave us dreaming of a better life and fantasizing over it. Many of our youth are involved in lives that are run by action, violence, recklessness and stupidity. A contrasting reality to the commercial is the artistic. This reality has deeper meaning and value to it. Artistic reality may be generally defined as the attempt to represent subject matter truthfully, without artificiality and avoiding artistic conventions and implausible, exotic and supernatural elements. Artistic reality is better known as ‘realism.’ Realism revolted against the exotic subject matter and exaggerated emotionalism and drama of the Romantic Movement. Instead it sought to portray real and typical contemporary people and situations with truth and accuracy, not avoiding unpleasant or sordid aspects of life. Artistic realities often reject changes wrought by commercial revolutions. Artistic realities reveal the truth, which means they may emphasize the ugly or sordid. Artists use their work as a form of expressionism, which is open to interpretation. They see true value in their oeuvre, as they see ordinary, everyday subjects as the depiction of naturalism. Many people attempt to depict things accurately, from either a visual, social or emotional perspective. Theatre realism shares many stylistic choices with naturalism, including a focus on everyday (middle-class) drama, colloquial speech, and mundane settings. Realism rejects imaginative idealization in favour of a close observation of outward appearances. Often artistic realities can be labelled as fictitious. This is due to the majority of society being so consumed by commercial reality that they can no longer differentiate commercial as actually being fake and artistic as being real.
Commercial realities enhance the breeding of money. Commercial values manipulate the very anatomy of a natural, mundane reality. Commercially precious films of ‘reality’ have become the organ grinder’s monkeys of money. They are made to increase the generative value and staying power of money, the power of money to breed money, to fertilize itself. They are not made to empower people and provide certain value. Artistic reality, however, leaves no stone unturned. Realism sees no value in money, and it sees no reciprocal (mutual? Would this be better?) material possession that could be exchanged for money. Artistic realities merely capture that which is tangible and accurate. Society may attempt to defend themselves by escaping this, as it may be deeply depressing. It is the confusion of distinguishing between commercial and artistic realities that ultimately reduces both to nothing but fictitious mumbo jumbo that controls our lives. The difference between the two is huge, however difficult for ‘commoners’, or those not involved in the film industry, to interpret. Whether an individual comprises their lives of commercial or realistic values, these values can be labelled as fabricated or factual. The film industry’s repackaging and misrepresenting of the truth to suit themselves is profitable. This profitability is their ultimate ruling guideline. If a film does not provide profits, the film was a total failure, regardless of its realism. Artistic realities are open to interpretation and provide a bit of freedom for people to choose the outcomes of scenarios. Painters, writers, film makers and news reporters are some of the main people involved in the way reality is interpreted, because they are in the spotlight. Everyone watches them, reads their papers or interprets their work.
It is important for people to recognise that, regardless of the message that is trying to be brought across, reality is subjective, and hence it may appear fictitious to anyone apart from its maker, commercial or artistic.
Wednesday, January 22, 2020
Honor can be defined in so many ways. It can mean respect and esteem shown to another. Honor may also apply to the recognition of one's right to great respect or to any expression of such recognition; in some situations it implies profound respect mingled with love and devotion. There is a priceless respect that everyone in the world possesses, and that is the respect of a person's honor. A person's honor is something that can not be bought, sold, or traded; it's something that must be gained by the respect of your peers. An example of how honor is seen in everyday life is through a person's word. The standard dictionary definition of honor first lists public regard and esteem under the word, with ethical conduct or high standards of justice and responsibility appearing much further down the list. This is reflected in the way the modern world treats the issue of honor. In ancient times, honor was the manner of being that we now describe as having integrity. In plain language, an honorable person avoids deception whenever possible, treats others with respect and sticks to her beliefs no matter how others think or act. People generally do not seem to behave very well toward each other any more. Honor determines the hierarchy of an individual while revealing his loyalty and true intentions. Reward comes for those at the top whose honor does not diminish, while a false or fleeting honor of a lesser mortal causes destruction. Exploring and discussing how to act honorably toward each other is a place to start. The greatest way to live with honor in this world is to be what we pretend to be. How can you be a person of integrity? First, figure out what integrity (honor) is. My mother used to say to treat others the way you wanted to be treated. Does anyone do that these days? Well, I know that I don't want to be cut off in traffic, or yelled at, or bumped into rudely at the grocery store, or left picking up garbage all over my yard from the street.
So I could try not to do those things to other people. I won't cut off others in traffic, or yell, or act rude at the grocery store, or throw garbage in the street. That's just a place to start. Treat others the way you want to be treated.
Tuesday, January 14, 2020
IJCSNS International Journal of Computer Science and Network Security, VOL. 11 No. 1, January 2011, p. 197
An Approach to Detect and Prevent SQL Injection Attacks in Database Using Web Service
Indrani Balasundaram 1, Dr. E. Ramaraj 2
1 Lecturer, Department of Computer Science, Madurai Kamaraj University, Madurai
2 Director of Computer Centre, Alagappa University, Karaikudi
Abstract
SQL injection is an attack methodology that targets the data residing in a database through the firewall that shields it. The attack takes advantage of poor input validation in code and website administration. SQL Injection Attacks occur when an attacker is able to insert a series of SQL statements into a ‘query’ by manipulating user input data into a web-based application; the attacker can take advantage of web application programming security flaws and pass unexpected malicious SQL statements through a web application for execution by the backend database. This paper proposes a novel specification-based methodology for the prevention of SQL injection attacks. The two most important advantages of the new approach against existing analogous mechanisms are that, first, it prevents all forms of SQL injection attacks; second, the current technique does not allow the user to access the database directly in the database server. The innovative technique “Web Service Oriented XPATH Authentication Technique” is to detect and prevent SQL Injection Attacks in the database; the deployment of this technique is by generating functions of two filtration models, Active Guard and Service Detector, of application scripts, additionally allowing seamless integration with currently-deployed systems.
General Terms: Languages, Security, Verification, Experimentation.
Keywords: Database security, world-wide web, web application security, SQL injection attacks, Runtime Monitoring.
The fear of SQL injection attacks has become increasingly frequent and serious.
SQL-Injection Attacks are a class of attacks that many of these systems are highly vulnerable to, and there is no known fool-proof defense against such attacks. Compromise of these web applications represents a serious threat to organizations that have deployed them, and also to users who trust these systems to store confidential data. In Web applications that are vulnerable to SQL-Injection attacks, the attacker embeds commands in user inputs and they get executed. The attackers directly access the database underlying an application and leak or alter confidential information and execute malicious code. In some cases, attackers even use an SQL Injection vulnerability to take control of and corrupt the system that hosts the Web application. The number of web applications falling prey to these attacks is alarmingly high. Prevention of SQLIAs is a major challenge. It is difficult to implement and enforce a rigorous defensive coding discipline. Many solutions based on defensive coding address only a subset of the possible attacks. Evaluation of the “Web Service Oriented XPATH Authentication Technique” shows that it requires no code modification and automates the detection and prevention of SQL Injection Attacks. Recent U.S. industry regulations such as the Sarbanes-Oxley Act, pertaining to information security, try to enforce strict security compliance by application vendors.
1. Introduction
1.1 SAMPLE APPLICATION
Information is the most important business asset in today’s environment and achieving an appropriate level of Information Security. SQL-Injection Attacks (SQLIAs) are one of the topmost threats for web application security. For example: financial fraud, theft of confidential data, website defacement, sabotage, espionage and cyber terrorism. The evaluation process of security tools for detection and prevention of SQLIAs.
To implement security guidelines inside or outside the database, it is recommended that access to the sensitive databases be monitored. SQL injection is a hacking technique in which the attacker adds SQL statements through a web application's input fields or hidden parameters to gain access to resources or make changes to data. The following application contains an SQL Injection vulnerability. The example refers to a fairly simple vulnerability that could be prevented using a straightforward coding fix. This example is simply used for illustrative purposes because it is easy to understand and general enough to illustrate many different types of attacks. The code in the example uses the input parameters LoginID and password to dynamically build an SQL query and submit it to a database. For example, if a user submits loginID and password as “secret” and “123”, the application dynamically builds and submits the query:
SELECT * FROM user_info WHERE loginID='secret' AND pass1=123
If the loginID and password match the corresponding entry in the database, the user is redirected to the user_main.aspx page; otherwise the user is redirected to the error.aspx page.
Manuscript received January 5, 2011. Manuscript revised January 20, 2011.
1. Dim loginId, password As String
2. loginId = Text1.Text
3. password = Text2.Text
4. cn.Open()
5. qry = "select * from user_info where LoginID='" & loginId & "' and pass1=" & password
6. cmd = New SqlCommand(qry, cn)
7. rd = cmd.ExecuteReader()
8. If (rd.Read = True) Then
9.   Response.Redirect("user_main.aspx")
10. Else
11.   Response.Redirect("error.aspx")
12. End If
13. cn.Close()
14. cmd.Dispose()
Figure 1: Example of .NET code implementation.
1.2 Techniques of SQLIAs
Most attacks are not used in isolation; they are used together or sequentially, depending on the specific goals of the attacker.
a. Tautologies
A tautology-based attack injects code into one or more conditional statements so that they always evaluate to true. The most common usages of this technique are to bypass authentication pages and extract data. The attack is successful when the code either displays all of the returned records or performs some action if at least one record is returned.
Example: In this example attack, an attacker submits “' or 1=1 --”. The query for the login form is:
SELECT * FROM user_info WHERE loginID='' or 1=1 -- AND pass1=''
The code injected in the conditional (OR 1=1) transforms the entire WHERE clause into a tautology; the query evaluates to true for each row in the table and returns all of them. In our example, the returned set evaluates to a non-null value, which causes the application to conclude that the user authentication was successful. Therefore, the application would redirect to user_main.aspx and grant access to the application.
b. Union Query
In union-query attacks, attackers inject a statement of the form UNION SELECT; because the attackers completely control the second (injected) query, they can use that query to retrieve information from a specified table. The result of this attack is that the database returns a dataset that is the union of the results of the original first query and the results of the injected second query.
Example: An attacker could inject the text “' UNION SELECT pass1 from user_info where LoginID='secret' --” into the login field, which produces the following query:
SELECT pass1 FROM user_info WHERE loginID='' UNION SELECT pass1 from user_info where LoginID='secret' -- AND pass1=''
Assuming that there is no login equal to “”, the original first query returns the null set, whereas the second query returns data from the “user_info” table. In this case, the database would return column “pass1” for account “secret”. The database takes the results of these two queries, unions them, and returns them to the application. In many applications, the effect of this operation is that the value for “pass1” is displayed along with the account information.
c. Stored Procedures
SQL Injection Attacks of this type try to execute stored procedures present in the database. Today, most database vendors ship databases with a standard set of stored procedures that extend the functionality of the database and allow for interaction with the operating system. Therefore, once an attacker determines which backend database is in use, SQLIAs can be crafted to execute stored procedures provided by that specific database, including procedures that interact with the operating system. It is a common misconception that using stored procedures to write Web applications renders them invulnerable to SQLIAs. Developers are often surprised to find that their stored procedures can be just as vulnerable to attacks as their normal applications [18, 24]. Additionally, because stored procedures are often written in special scripting languages, they can contain other types of vulnerabilities, such as buffer overflows, that allow attackers to run arbitrary code on the server or escalate their privileges.
CREATE PROCEDURE DBO.UserValid(@LoginID varchar2, @pass1 varchar2)
AS
  EXEC("SELECT * FROM user_info WHERE loginID='" + @LoginID + "' and pass1='" + @pass1 + "'");
GO
Example: This example demonstrates how a parameterized stored procedure can be exploited via an SQLIA.
In the example, we assume that the query string constructed at lines 5, 6 and 7 of our example has been replaced by a call to the stored procedure defined in Figure 2. The stored procedure returns a true/false value to indicate whether the user’s credentials authenticated correctly. To launch an SQLIA, the attacker simply injects “'; SHUTDOWN; --” into either the LoginID or pass1 field. This injection causes the stored procedure to generate the following query:
SELECT * FROM user_info WHERE loginID='secret' AND pass1=''; SHUTDOWN; --
At this point, this attack works like a piggy-back attack. The first query is executed normally, and then the second, malicious query is executed, which results in a database shutdown. This example shows that stored procedures can be vulnerable to the same range of attacks as traditional application code.
d. Extended Stored Procedures: IIS (Internet Information Services) Reset
There are several extended stored procedures that can cause permanent damage to a system. An extended stored procedure can be executed by using the login form with an injected command as the LoginId:
LoginId: '; exec master..xp_xxx; --
Password: [Anything]
LoginId: '; exec master..xp_cmdshell 'iisreset'; --
Password: [Anything]
select password from user_info where LoginId=''; exec master..xp_cmdshell 'iisreset'; --' and Password=''
This attack is used to stop the service of the web server of a particular Web application. Stored procedures primarily consist of SQL commands, while XPs can provide entirely new functions via their code. An attacker can take advantage of an extended stored procedure by entering a suitable command. This is possible if there is no proper input validation. xp_cmdshell is a built-in extended stored procedure that allows the execution of arbitrary command lines. For example, exec master..xp_cmdshell 'dir' will obtain a directory listing of the current working directory of the SQL Server process. In this example, the attacker may try entering the following input into a search form. When the query string is parsed and sent to SQL Server, the server will process the following code:
SELECT * FROM user_info WHERE input text ='' exec master..xp_cmdshell 'LoginId /DELETE'--'
Here, the first single quote entered by the user closes the string and SQL Server executes the next SQL statements in the batch, including a command to delete a LoginId from the user_info table in the database.
e. Alternate Encodings
Alternate encodings do not provide any unique way to attack an application; they are simply an enabling technique that allows attackers to evade detection and prevention techniques and exploit vulnerabilities that might not otherwise be exploitable. These evasion techniques are often necessary because a common defensive coding practice is to scan for certain known “bad characters,” such as single quotes and comment operators. To evade this defense, attackers have employed alternate methods of encoding their attack strings (e.g., using hexadecimal, ASCII, and Unicode character encoding). Common scanning and detection techniques do not try to evaluate all specially encoded strings, thus allowing these attacks to go undetected. Contributing to the problem is that different layers in an application have different ways of handling alternate encodings. The application may scan for certain types of escape characters that represent alternate encodings in its language domain. Another layer (e.g., the database) may use different escape characters or even completely different ways of encoding. For example, a database could use the expression char(120) to represent an alternately-encoded character ‘x’, but char(120) has no special meaning in the application language’s context.
An effective code-based defense against alternate encodings is difficult to implement in practice because it requires developers to consider all of the possible encodings that could affect a given query string as it passes through the different application layers. Therefore, attackers have been very successful in using alternate encodings to conceal their attack strings.
Example: Because every type of attack could be represented using an alternate encoding, here we simply provide an example of how esoteric an alternatively-encoded attack could appear. In this attack, the following text is injected into the login field: “secret'; exec(0x73687574646f776e) --”. The resulting query generated by the application is:
SELECT * FROM user_info WHERE loginID='secret'; exec(char(0x73687574646f776e)) -- AND pass1=''
This example makes use of the char() function and of ASCII hexadecimal encoding. The char() function takes as a parameter an integer or hexadecimal encoding of a character and returns an instance of that character. The stream of numbers in the second part of the injection is the ASCII hexadecimal encoding of the string “SHUTDOWN.” Therefore, when the query is interpreted by the database, it would result in the execution, by the database, of the SHUTDOWN command.
f. Deny Database Service
This attack is used against websites to cause a denial of service by shutting down the SQL Server. A powerful command recognized by SQL Server is SHUTDOWN WITH NOWAIT. This causes the server to shut down, immediately stopping the Windows service. After this command has been issued, the service must be manually restarted by the administrator.
select password from user_info where LoginId=''; shutdown with nowait; --' and Password='0'
The ‘--’ character sequence is the ‘single line comment’ sequence in Transact-SQL, and the ‘;’ character denotes the end of one query and the beginning of another. If the attacker has used the default sa account, or has acquired the required privileges, SQL Server will shut down and will require a restart in order to function again. This attack is used to stop the database service of a particular web application.
Select * from user_info where LoginId='1; xp_cmdshell 'format c: /q /yes'; drop database mydb; -- AND pass1 = 0
This command is used by the attacker to format the C: drive.
2. Related Work
There are existing techniques that can be used to detect and prevent input manipulation vulnerabilities.
2.1 Web Vulnerability Scanning
Web vulnerability scanners crawl and scan for web vulnerabilities by using software agents. These tools perform attacks against web applications, usually in a black-box fashion, and detect vulnerabilities by observing the applications’ response to the attacks. However, without exact knowledge about the internal structure of applications, a black-box approach might not have enough test cases to reveal existing vulnerabilities and may also produce false positives.
2.2 Intrusion Detection System (IDS)
Valeur and colleagues propose the use of an Intrusion Detection System (IDS) to detect SQLIAs. Their IDS system is based on a machine learning technique that is trained using a set of typical application queries. The technique builds models of the typical queries and then monitors the application at runtime to identify queries that do not match the model; that is, it builds expected query models and then checks dynamically-generated queries for compliance with the model.
Their technique, however, like most techniques based on learning, can generate a large number of false positives in the absence of an optimal training set. Su and Wassermann  propose a solution to prevent SQLIAs by analyzing the parse tree of the statement, generating custom validation code, and wrapping the vulnerable statement in the validation code. They conducted a study using five real-world web applications and applied their SQLCHECK wrapper to each application. They found that their wrapper stopped all of the SQLIAs in their attack set without generating any false positives. While their wrapper was effective in preventing SQLIAs with modern attack structures, we hope to shift the focus from the structure of the attacks onto removing the SQLIVs.

2.3 Combined Static and Dynamic Analysis
AMNESIA is a model-based technique that combines static analysis and runtime monitoring . In its static phase, AMNESIA uses static analysis to build models of the different types of queries an application can legally generate at each point of access to the database. In its dynamic phase, AMNESIA intercepts all queries before they are sent to the database and checks each query against the statically built models. Queries that violate the model are identified as SQLIAs and prevented from executing on the database. In their evaluation, the authors have shown that this technique performs well against SQLIAs. The primary limitation of this technique is that its success is dependent on the accuracy of its static analysis for building query models. Certain types of code obfuscation or query development techniques could make this step less precise and result in both false positives and false negatives.

Livshits and Lam  use static analysis techniques to detect vulnerabilities in software. The basic approach is to use information flow techniques to detect when tainted input has been used to construct an SQL query. These queries are then flagged as SQLIA vulnerabilities.
The authors demonstrate the viability of their technique by using this approach to find security vulnerabilities in a benchmark suite. The primary limitation of this approach is that it can detect only known patterns of SQLIAs and, because it uses a conservative analysis and has limited support for untainting operations, can generate a relatively high number of false positives. Wassermann and Su propose an approach that uses static analysis combined with automated reasoning to verify that the SQL queries generated in the application layer cannot contain a tautology . The primary drawback of this technique is that its scope is limited to detecting and preventing tautologies; it cannot detect other types of attacks.

3. Proposed Technique
This technique is used to detect and prevent SQLIAs with runtime monitoring. The insight behind the technique is that, for each application, when the login page is redirected to our checking page, SQL injection attacks are detected and prevented without stopping legitimate accesses. Moreover, this technique proved to be efficient, imposing only a low overhead on the web applications. The contributions of this work are as follows: a new automated technique for preventing SQLIAs in which no code modification is required; a web service that provides the functions DB_2_XMLGenerator and XPATH_Validator, where XPath is an XML query language used to select specific parts of an XML document (XPath is simply the ability to traverse the nodes of an XML document and obtain information), and which is used for the temporary storage of sensitive data from the database; an Active Guard model used to detect and prevent SQL injection attacks; and a Service Detector model that allows the authenticated or legitimate user to access the web application. SQLIAs are captured by the altered logical flow of the application.
The innovative technique (figure 1) monitors dynamically generated queries with the Active Guard model and the Service Detector model at runtime and checks them for compliance. If the data comparison violates the model, it represents a potential SQLIA and is prevented from executing on the database. The proposed technique consists of two filtration models to prevent SQLIAs: 1) the Active Guard filtration model and 2) the Service Detector filtration model. The steps are summarized here and described in more detail in the following sections.

a. Active Guard Filtration Model
The Active Guard Filtration Model in the application layer builds a Susceptibility Detector to detect the susceptibility characters or meta characters and so prevent malicious attacks from accessing data in the database.

b. Service Detector Filtration Model
The Service Detector Filtration Model in the application layer validates user input against the XPATH_Validator, where the sensitive data from the database is stored, as the second-level filtration model. The user input fields are compared with the data held in the XPATH_Validator; if they are identical, the authenticated/legitimate user is allowed to proceed.

c. Web Service Layer
The web service builds two types of execution process: the DB_2_Xml generator and the XPATH_Validator. The DB_2_Xml generator creates a separate temporary XML document from the database, in which the sensitive data is stored for the XPATH_Validator. The user input fields from the Service Detector are compared with the data held in the XPATH_Validator; if the data match, the XPATH_Validator sends a flag with the count iterator value = 1 to the Service Detector, signifying that the user data is valid.

Procedures Executed in Active Guard

    Imports System.Collections

    Function stripQuotes(ByVal strWords As String) As String
        ' Double every single quote so that it cannot terminate a string literal
        stripQuotes = Replace(strWords, "'", "''")
        Return stripQuotes
    End Function

    Function killChars(ByVal strWords As String) As String
        ' Remove the SQL keywords and meta characters that the Susceptibility Detector blacklists
        Dim arr1 As New ArrayList
        arr1.Add("select")
        arr1.Add("--")
        arr1.Add("drop")
        arr1.Add(";")
        arr1.Add("insert")
        arr1.Add("delete")
        arr1.Add("xp_")
        arr1.Add("'")
        Dim i As Integer
        For i = 0 To arr1.Count - 1
            ' CompareMethod.Text makes the replacement case-insensitive
            strWords = Replace(strWords, arr1.Item(i), "", , , CompareMethod.Text)
        Next
        Return strWords
    End Function

Figure 2: Proposed Architecture

Procedures Executed in Service Detector

    Imports System.Data
    Imports System.Data.SqlClient

    Public Sub Db_2_XML()
        ' Copy the sensitive columns from the database into the temporary XML document
        ' that the XPATH_Validator queries; cn is the open SqlConnection
        adapt = New SqlDataAdapter("select LoginId,Password from user_info", cn)
        dst = New DataSet("Main_Tag")
        adapt.Fill(dst, "Details")
        dst.WriteXml(Server.MapPath("XML_DATA\XML_DATA.xml"))
    End Sub

Procedures Executed in Web Service

    Imports System.Xml.XPath

    Public Function XPath_XML_Validation(ByVal userName As String, ByVal Password As Integer) As Integer
        ' Load the XML document written by Db_2_XML and search it with a navigator
        Dim xpathdoc As New XPathDocument(Server.MapPath("XML_DATA\XML_DATA.xml"))
        Dim navi As XPathNavigator = xpathdoc.CreateNavigator()
        ' The XPath predicate is built by concatenating the user input, which the
        ' Active Guard is expected to have filtered before it reaches this point
        Dim expr As XPathExpression = navi.Compile("/Main_Tag/Details[LoginId='" & userName & "' and Password=" & Password & "]")
        Dim nodes As XPathNodeIterator = navi.Select(expr)
        ' count2 is 1 when a matching record exists and 0 otherwise; it is the flag
        ' returned to the Service Detector
        Dim count2 As Integer = nodes.Count
        Return count2
    End Function

Identify hotspot
This step performs a simple scan of the application code to identify hotspots. Each hotspot is verified with the Active Server to remove the susceptibility characters; the sample code (figure 2) shows two hotspots with a single query execution. (In .NET based applications, interactions with the database occur through calls to specific methods in the System.Data.SqlClient namespace, such as SqlCommand.ExecuteReader(String).) The hotspot is instrumented with monitor code, which matches dynamically generated queries against query models.
If a generated query is matched by the Active Guard, then it is considered an attack.

3.1 Comparison of Data at Runtime Monitoring
When a web application fails to properly sanitize the parameters that are passed to dynamically created SQL statements (even when using parameterization techniques), it is possible for an attacker to alter the construction of back-end SQL statements. When an attacker is able to modify an SQL statement, the statement will execute with the same rights as the application user; when using the SQL server to execute commands that interact with the operating system, the process will run with the same permissions as the component that executed the command (e.g., database server, application server, or web server), which is often highly privileged. The current technique (figure 1) is appended with the Active Guard to validate the user input fields, detect meta characters and prevent the malicious attacker. Transact-SQL statements are prohibited directly from user input. For each hotspot, a Susceptibility Detector is statically built in the Active Guard to check for any malicious strings or characters that append SQL tokens (SQL keywords and operators), delimiters, or string tokens to the legitimate command. Concurrently, in the web service, the DB_2_Xml Generator generates an XML document from the database, which is stored in the X_PATH Validator.
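As an added example (not code from the paper), the following Python illustrates the hotspot monitoring described above and the alternate-encoding example from the earlier section: the token structure of the generated login query is compared with a model built statically from the hotspot, so the exec(char(0x...)) payload, the SHUTDOWN WITH NOWAIT piggy-back and a bare tautology are all rejected without any keyword blacklist. The small lexer, build_query and the function names are assumptions made for this example.

```python
import re

# Minimal Transact-SQL lexer, constructed for this example; it knows just enough
# syntax (string literals, comments, hex and numeric literals, keywords and
# punctuation) to expose the token structure of a generated query.
TOKEN_RE = re.compile(r"""
      (?P<ws>\s+)
    | (?P<comment>--[^\n]*|/\*.*?\*/)
    | (?P<string>'(?:[^']|'')*')
    | (?P<hex>0x[0-9A-Fa-f]+)
    | (?P<number>\d+)
    | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)
    | (?P<punct>[;(),=<>!*+\-/])
""", re.VERBOSE | re.DOTALL)

KEYWORDS = {"select", "from", "where", "and", "or", "exec", "execute", "char",
            "shutdown", "with", "nowait", "drop", "insert", "delete", "union"}

LITERALS = {"string", "number", "hex"}


def tokenize(sql):
    """Split sql into (kind, text) pairs. Raises ValueError when the text cannot
    be lexed, e.g. an unbalanced quote left by an injected apostrophe."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:
            raise ValueError("unlexable character %r at offset %d" % (sql[pos], pos))
        pos = m.end()
        kind, text = m.lastgroup, m.group().lower()
        if kind == "ws":
            continue
        if kind == "ident" and text in KEYWORDS:
            kind = "keyword"
        tokens.append((kind, text))
    return tokens


def skeleton(sql):
    """Structural model of a query: literal values are abstracted to their kind,
    while keywords, identifiers, punctuation and comments are kept verbatim."""
    return [(kind, "<literal>" if kind in LITERALS else text) for kind, text in tokenize(sql)]


def build_query(login_id, password):
    # The concatenation hotspot the paper describes (deliberately unparameterised).
    return "SELECT * FROM user_info WHERE loginID='%s' AND pass1='%s'" % (login_id, password)


# Model built once, statically, from benign placeholder values at the hotspot.
QUERY_MODEL = skeleton(build_query("placeholder", "placeholder"))


def query_conforms(sql, model=QUERY_MODEL):
    """True only when the runtime query has exactly the model's token structure.
    A query that cannot even be lexed is rejected as well."""
    try:
        return skeleton(sql) == model
    except ValueError:
        return False


def check_login(login_id, password):
    """Runtime monitor for the login hotspot: the query may reach the database only
    if its structure matches the model; extra tokens or comments mean injection."""
    return query_conforms(build_query(login_id, password))


def decode_hex_literal(token):
    """Decode the ASCII-hex form used in the alternate-encoding example
    (0x73687574646f776e -> 'shutdown') so a rejected query can be logged readably."""
    return bytes.fromhex(token[2:]).decode("ascii", errors="replace")


if __name__ == "__main__":
    for login in ("alice", "secret'; exec(char(0x73687574646f776e)) --",
                  "'; shutdown with nowait; --"):
        print("%-45r -> %s" % (login, "allowed" if check_login(login, "pw") else "blocked"))
```

Legitimate input containing an apostrophe (O'Brien) also fails the check, because the unescaped quote breaks the lexing of the concatenated query; that is the case a parameterized query removes rather than filters.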
The Service Detector receives the validated user input from the Active Guard and sends it through the SOAP (Simple Object Access Protocol) protocol to the web service. In the web service the user input data is compared with the XML_Validator; if it is identical, the XML_Validator sends a flag as an iterator count value = 1 to the Service Detector through SOAP, and the legitimate/valid user is authenticated to access the web application. If the data mismatches, the XML_Validator sends a flag as a count value = 0 to the Service Detector through SOAP, and the illegitimate/invalid user is not authenticated to access the web application.

In figure 3: in the existing technique, query validation occurs to validate an authenticated user, and the user directly accesses the database; in the current technique there is no query validation. From the Active Guard, the validated user input fields are compared with the Service Detector, where the sensitive data is stored. The db_2_XML Generator is used to generate an XML file and initialize the XPathDocument class; the Navigator instance is used to search, with a cursor, in the selected XML document. Within the XPATH validator, Compile is the method used to match the element with the existing document. The navigator is created on the XPathDocument, and the result of its Select method is redirected to the XPathNodeIterator. The node iterator count value may be 1 or 0. If the flag value received by the Service Detector is 1, the user is considered a legitimate user and allowed to access the web application; likewise, if the flag value is 0, the user is considered a malicious user and rejected/discarded from accessing the web application.

If a script builds an SQL query by concatenating hard-coded strings together with a string entered by the user, then as long as the injected SQL code is syntactically correct, tampering cannot be detected programmatically.
String concatenation is the primary point of entry for script injection. Therefore, we compare all user input carefully with the Service Detector (second filtration model). If the user input and the sensitive data are identical, the constructed SQL commands are executed in the application server. Existing techniques directly allow access to the database in the database server after query validation. The Web Service Oriented XPATH Authentication Technique does not allow direct access to the database in the database server.

4. EVALUATIONS
The proposed technique was deployed and a few trial runs were carried out on the web server.

Table 1: SQLIA Prevention Accuracy

    SQL Injection Type           Unprotected      Protected
    1. Tautologies               Not Prevented    Prevented
    2. Piggy-backed queries      Not Prevented    Prevented
    3. Stored procedure          Not Prevented    Prevented
    4. Alternative encoding      Not Prevented    Prevented
    5. Union                     Not Prevented    Prevented

Table 2: Execution time comparison for the proposed technique

    Total Number of        Execution Time in Milliseconds
    Entries in Database    Existing Technique    Proposed Technique
    1000                   1640000               46000
    2000                   1420000               93000
    3000                   1040000               6000
    4000                   1210000               62000
    5000                   1670000               78000
    6000                   1390000               107000

Table 2 above illustrates the execution time taken by the proposed technique compared with the existing technique.

4.1 SQLIA Prevention Accuracy
Both the protected and unprotected web applications were tested using different types of SQLIAs, namely tautologies, union, piggy-backed queries, inserting additional SQL statements, second-order SQL injection and various other SQLIAs. Table 1 shows that the proposed technique prevented all types of SQLIAs in all cases. The proposed technique is thus a secure and robust solution to defend against SQLIAs.

4.2 Execution Time at Runtime Validation
The runtime validation incurs some overhead in terms of execution time in both the Web Service Oriented XPATH Authentication Technique and the SQL-query based validation technique. Taking a sample website, ETransaction, we measured the extra computation time at the query validation; this delay has been amplified in the graphs (figure 4 and figure 5) to distinguish between the time delays, and the bar chart shows that the data validation in the XML_Validator performs better than query validation. In query validation (figure 5) the user input is generated as a query in the script engine, then parsed into separate tokens, then compared with the statistically generated data; if it is malicious, error reporting is generated. In the Web Service Oriented XPATH Authentication Technique (figure 4) the user input is generated as a query in the script engine, then parsed into separate tokens and sent through the SOAP protocol to the Susceptibility Detector; the validated user data is then sequentially sent to the Service Detector through the SOAP protocol, where the user input is compared with the sensitive data, which is temporarily stored in a dataset. If it is malicious data, it will be prevented; otherwise the legitimate data is allowed to access the web application.

5. CONCLUSION
SQL injection attacks attempt to modify the parameters of a web-based application in order to alter the SQL statements that are parsed to retrieve data from the database. Any procedure that constructs SQL statements could potentially be vulnerable, as the diverse nature of SQL and the methods available for constructing it provide a wealth of coding options.
Figure 4: Execution time comparison for the proposed technique (data validation in XPath) with the existing technique (y-axis: execution time in milliseconds, 0 to 1,800,000; x-axis: total number of entries in database, 1000 to 6000; series: Proposed Technique, Existing Technique)

The primary form of SQL injection consists of direct insertion of code into parameters that are concatenated with SQL commands and executed. This technique is used to detect and prevent the SQLI flaw (susceptibility characters and exploiting SQL commands) in the Susceptibility Detector and to stop the susceptibility attacker. The Web Service Oriented XPATH Authentication Technique checks the user input against the valid data, which is stored separately in XPath and does not affect the database directly; the validated user input field is then allowed to access the web application, which also improves the performance of the server-side validation. This proposed technique was able to suitably classify the attacks performed on the applications without blocking legitimate accesses to the database (i.e., the technique produced neither false positives nor false negatives). These results show that our technique represents a promising approach to countering SQLIAs and motivate further work in this direction.

References
[1] William G. J. Halfond and Alessandro Orso, "AMNESIA: Analysis and Monitoring for Neutralizing SQL-Injection Attacks", ASE'05, November 7-11, 2005.
[2] William G. J. Halfond and Alessandro Orso, "A Classification of SQL injection attacks and countermeasures", Proc. IEEE Int'l Symp. Secure Software Engg., Mar. 2006.
[3] Muthuprasanna, Ke Wei, Suraj Kothari, "Eliminating SQL Injection Attacks - A Transparent Defence Mechanism", SQL Injection Attacks, Prof. Jim Whitehead, CMPS 183, Spring 2006, May 17, 2006.
[4] William G. J. Halfond, Alessandro Orso, "WASP: Protecting Web Applications Using Positive Tainting and Syntax-Aware Evaluation", IEEE Software Engineering, VOL. 34, NO. 1, January/February 2008.
[5] K. Beaver, "Achieving Sarbanes-Oxley compliance for Web applications", http://www.spidynamics.com/support/whitepapers/, 2003.
[6] C. Anley, "Advanced SQL Injection In SQL Server Applications," White paper, Next Generation Security Software Ltd., 2002.
[7] W. G. J. Halfond and A. Orso, "Combining Static Analysis and Runtime Monitoring to Counter SQL Injection Attacks," 3rd International Workshop on Dynamic Analysis, 2005, pp. -7.
[8] Z. Su and G. Wassermann, "The Essence of Command Injection Attacks in Web Applications," 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, 2006, pp. 372-382.
[9] G. Wassermann and Z. Su, "An Analysis Framework for Security in Web Applications," In Proceedings of the FSE Workshop on Specification and Verification of Component-Based Systems (SAVCBS 2004), pages 70-78, 2004.
[10] P. Finnigan, "SQL Injection and Oracle - Parts 1 & 2," Technical Report, Security Focus, November 2002. http://securityfocus.com/infocus/1644
[11] F. Bouma, "Stored Procedures are Bad, O'kay," Technical report, Asp.Net Weblogs, November 2003. http://weblogs.asp.net/fbouma/archive/2003/11/18/38178.aspx
[12] E. M. Fayo, "Advanced SQL Injection in Oracle Databases," Technical report, Argeniss Information Security, Black Hat Briefings, Black Hat USA, 2005.
[13] C. A. Mackay, "SQL Injection Attacks and Some Tips on How to Prevent them," Technical report, The Code Project, January 2005. http://www.codeproject.com/cs/database/SqlInjectionAttacks.asp
[14] S. McDonald, "SQL Injection: Modes of attack, defense, and why it matters," White paper, GovernmentSecurity.org, April 2002. http://www.governmentsecurity.org/articles/SQLInjectionModesofAttackDefenceandWhyItMatters.php
[15] S. Labs, "SQL Injection," White paper, SPI Dynamics, Inc., 2002. http://www.spidynamics.com/assets/documents/WhitepaperSQLInjection.pdf
[16] V. B. Livshits and M. S. Lam, "Finding Security Errors in Java Programs with Static Analysis," In Proceedings of the 14th Usenix Security Symposium, pages 271-286, Aug. 2005.
[17] F. Valeur, D. Mutz and G. Vigna, "A Learning-Based Approach to the Detection of SQL Attacks," In Proceedings of the Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), July 2005.
[18] Kals, S., Kirda, E., Kruegel, C., and Jovanovic, N. 2006. SecuBat: a web vulnerability scanner. In Proceedings of the 15th International Conference on World Wide Web, WWW '06. ACM Press, pp. 247-256.
[19] "Sql injection - HSC Guides - Web App Security," written by Ethical Hacker, Sunday, 17 February 2008. http://sqlinjections.blogspot.com/2009/04/sql-injection-hscguides-web-app.html

Prof. E. Ramaraj is presently working as a Technology Advisor, Madurai Kamaraj University, Madurai, Tamilnadu, India, on lien from Director, Computer Centre at Alagappa University, Karaikudi. He has 22 years of teaching experience and 8 years of research experience. He has presented research papers in more than 50 national and international conferences and published more than 55 papers in national and international journals. His research areas include data mining, software engineering, database and network security.

B. Indrani received the B.Sc. degree in Computer Science in 2002 and the M.Sc. degree in Computer Science and Information Technology in 2004. She has completed an M.Phil. in Computer Science. She worked as a Research Assistant in the Smart and Secure Environment Lab under IIT Madras. Her current research interests include database security.
Monday, January 6, 2020
Amber Rogers
Dr. Kim Loel
Argumentative Analysis of the Essay "First Amendment Junkie" by Susan Jacoby

What is a First Amendment Junkie? According to author Susan Jacoby, censorship of any form is wrong. From the beginning of Jacoby's essay, "First Amendment Junkie," it's obvious where she stands on the topic. Jacoby states that the people who most support the censorship of pornography are women. These women are often self-proclaimed feminists who ironically support the First Amendment. While criticizing the production of pornography, these feminists attempt to argue that "mainstream" pornography is no different than child porn. However, they fail to realize the obvious error in this argument because this is simply not a first… If pornography is censored because it offends certain people, then what about religion, or even sexual orientation? Sure, gay marriage has recently been legalized, but there are some people in this country who find it just as offensive and obscene as some people find pornography. Are we as a country supposed to satisfy the sensibilities of one group of people (i.e., self-proclaimed feminists, in this case) simply because something bothers them, or are we right to allow the freedom of expression that pornography claims to be, to keep in ordinance with the First Amendment? And what about fictional characters such as Santa Claus and the Easter Bunny, which are offensive to the Christian community? Or those who protest being forced to say the Pledge of Allegiance in schools? Are these people considered less patriotic, and should they too be stripped of their First Amendment rights? It's impossible to censor all disagreeable sides because all that would be left is a bland "politically correct" society, and that's an unattainable goal because it's not possible to please everyone.
In the end, there will always be someone who disagrees with someone else about something, and they will indeed use their First Amendment right to free speech to voice these grievances. As per her written essay, Jacoby is a "First Amendment junkie,"