Article code: 396476
Journal code: 670352
Publication year: 2016
English article: 22 pages, PDF
Full-text version: free download
English title of the ISI article
Preventing database schema extraction by error message handling
Persian translation of the title
Preventing database schema extraction via error messages
Keywords
Error handling; Database security; Database schema extraction; Error message modification
Related topics
Engineering and Basic Sciences, Computer Engineering, Artificial Intelligence
English abstract


• A framework to prevent schema revealing via database error messages is proposed.
• Keyword based categorization approach determines the category of error messages.
• Errors are handled automatically based on their categories and defined policies.
• In error handling, sensitive parts of error messages are removed/modified/obfuscated.

Nowadays, a large volume of an organization's sensitive data is stored in databases, making them attractive to attackers. The useful information attackers try to obtain in the preliminary steps is the database structure or schema. One of the popular approaches to infer and extract the schema of a database is to analyze the returned error messages from its DBMS. In this paper, we propose a framework to handle and modify the error messages automatically in order to prevent schema revealing. To this aim, after identifying and introducing an appropriate set of categories of error messages, each error message that is returned from a DBMS is placed in a proper category. According to the policy specified for each category, corresponding rules are applied for removing/modifying/obfuscating the sensitive data in the error messages of that category before submitting them to the application. The general way proposed to determine the category of an error message is employing the keyword based categorization approach, which is 95% accurate for Microsoft SQL Server 2012.

Publisher
Database: Elsevier - ScienceDirect
Journal: Information Systems - Volume 56, March 2016, Pages 135–156