[1] MAO Chenyu, GUO Fan, YE Jihua. An intention-oriented SQL injection detection method [J]. Journal of Jiangxi Normal University (Natural Science Edition), 2016, 40(04): 386-391.
MAO Chenyu, GUO Fan, YE Jihua. The Intention-Oriented SQL Injection Defense [J]. Journal of Jiangxi Normal University: Natural Science Edition, 2016, 40(04): 386-391.

An Intention-Oriented SQL Injection Detection Method

Journal of Jiangxi Normal University (Natural Science Edition) [ISSN:1006-6977/CN:61-1281/TN]

Volume: 40
Issue: 2016, No. 4
Pages: 386-391
Publication date: 2016-09-01

Article Info

Title:
The Intention-Oriented SQL Injection Defense
Author(s):
MAO Chenyu, GUO Fan, YE Jihua
College of Computer Information and Engineering, Jiangxi Normal University, Nanchang, Jiangxi 330022, China
Keywords:
SQL injection; dynamic analysis; deterministic finite automaton (DFA); attack pattern
Classification number:
TP 311
Document code:
A
Abstract (translated from the Chinese):
SQL injection attacks are the primary threat to Web application security, and dynamic analysis techniques can defend against them effectively. An intention-oriented detection method is proposed: before the program is released, all database operations the Web application is expected to perform are defined in advance; at run time, operations submitted to the database are intercepted and those that do not match the declared intention are blocked. A language for describing the intention of database operations, SQLIDL, is designed and implemented; it interprets the set of allowed operations supplied by the developer as a set of strings represented by a deterministic finite automaton (DFA), and supports regular-expression descriptions of table names, column names, column values and stored procedure names. Experiments on the SecuriBench test suite show that the method detects existing SQL attack patterns effectively with low run-time overhead.
Abstract (authors' English):
SQL injection attack (SQLIA) is the most serious threat to Web program security, while dynamic analysis may effectively defend against SQLIA. An intention-oriented detection approach is proposed to represent all the database operations expected by Web users, to intercept the operations before the user submission and drop the unintentional operations. A language named SQLIDL is proposed to express the intention of database operations, to transform the SQL operations into string sets formalized by deterministic finite automata (DFA). SQLIDL currently implements the regular expression representation of table names, column names, values and stored procedure names. The prototype implementation is evaluated on SecuriBench datasets and the results demonstrate that all existing SQL attack patterns can be correctly detected with acceptable run-time overhead.
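An added illustration of the approach the abstract describes (example code written for this page, not the paper's SQLIDL implementation): a constructed intention set is compiled to an anchored regular expression standing in for the paper's DFA, and a wrapper intercepts each statement before the database sees it. The placeholder languages, the in-memory SQLite table and the sample inputs are all assumptions made here.

```python
import re
import sqlite3

# Constructed stand-in for an SQLIDL intention file (the paper's syntax is not
# reproduced): the database operations the application is expected to issue.
INTENTIONS = [
    "SELECT {col} FROM {table} WHERE {col} = {num}",
    "INSERT INTO {table} ({col}, {col}) VALUES ({str}, {str})",
]
# Regular languages for names and values; re stands in for the paper's DFAs.
TOKENS = {"table": r"[A-Za-z_]\w*", "col": r"[A-Za-z_]\w*",
          "num": r"[0-9]+", "str": r"'[^']*'"}  # a literal cannot close its quote early

def template_to_regex(template):
    """Escape literal SQL, substitute placeholder languages; a space matches any whitespace run."""
    out = []
    for piece in re.split(r"(\{\w+\})", template):
        if piece.startswith("{") and piece.endswith("}"):
            out.append(TOKENS[piece[1:-1]])
        else:
            out.append(r"\s+".join(re.escape(p) for p in piece.split(" ")))
    return "".join(out)

# Union of the intended statements; fullmatch() anchors it, so anything appended
# after a value (a tautology, a stacked statement) falls outside the set.
ALLOWED = re.compile("|".join(map(template_to_regex, INTENTIONS)), re.IGNORECASE)

def is_intended(sql):
    """True when the whole statement text lies inside the intended set."""
    return ALLOWED.fullmatch(sql.strip().rstrip(";")) is not None

def guarded_execute(conn, sql):
    """Run-time interceptor: statements outside the intention set never reach the DB."""
    if not is_intended(sql):
        raise PermissionError("statement outside declared intent: " + sql)
    return conn.execute(sql)

def demo():
    """Constructed run: an intended lookup and two injected inputs built by string concatenation."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (42, 'alice')")
    results = {}
    for user_input in ("42", "42 OR 1=1", "1; DROP TABLE users"):
        sql = "SELECT name FROM users WHERE id = " + user_input
        try:
            results[user_input] = guarded_execute(conn, sql).fetchall()
        except PermissionError:
            results[user_input] = "blocked"
    return results
```

The check runs on the final statement text, which is what a JDBC-level interceptor such as the P6spy driver named in the paper's references would observe.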


Memo:
Received: 2015-08-07. Funding: National Natural Science Foundation of China (61562040) and the Jiangxi Normal University research programme (7177). Corresponding author: GUO Fan (born 1977), male, from Nanchang, Jiangxi; associate professor, PhD; research interests in network and information security.