
Research on SQL Injection Defense Technology Based on Instruction Set Randomization (cited by: 4)

Research on Preventing SQL Injection Attacks Based on ISR
Abstract (translated from the Chinese): Web applications are widely threatened by SQL injection attacks, which are easy to mount and severe in their consequences. This paper analyzes the existing defense techniques and, on that basis, proposes a prototype SQL injection prevention system based on instruction set randomization. The system first applies a special randomizing transformation to the SQL keywords, then assembles the randomized keywords and the user input into a complete SQL statement, and finally uses a randomized SQL syntax analyzer to decide whether the statement contains an injection. The implementation does not depend on the existing web application or server platform. Experiments show that the system defends against SQL injection effectively with low runtime overhead.
Abstract (English): SQL injection poses a major threat to web application security. The paper analyzes the existing solutions to prevent it and the problems of those solutions. Then it presents a method of countering SQL injection attacks with ISR (Instruction Set Randomization). Based on the method, a prototype system for preventing SQL injection attacks is introduced. First, SQL keywords are randomized. Then, the user input is picked up and embedded into randomized SQL statements. Finally, these randomized SQL statements are checked with a special syntax analysis. The experiment shows that the mechanism imposes negligible performance overhead and can be easily retrofitted to existing systems.
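The three-step mechanism the abstract describes (tag keywords, splice in user input, check with a randomized parser, then strip the tags before the DBMS sees the query), as an added illustration that is not the paper's prototype code. It assumes a small constructed keyword subset, a zero-padded numeric tag as the random key, and a regex-based literal scan in place of the paper's full randomized SQL syntax analyzer.

```python
import re
import secrets

# Constructed subset of SQL keywords for illustration; a real deployment
# would tag the full keyword list of the target DBMS.
SQL_KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "UNION", "DROP",
                "INSERT", "DELETE", "UPDATE", "TABLE", "NOT", "LIKE"}

def make_key() -> str:
    """Secret per-application tag (assumed format: 10 decimal digits)."""
    return f"{secrets.randbits(32):010d}"

def randomize_template(template: str, key: str) -> str:
    """Step 1 (offline): append the tag to every keyword the developer wrote."""
    return re.sub(r"[A-Za-z_]\w*",
                  lambda m: m.group(0) + key if m.group(0).upper() in SQL_KEYWORDS else m.group(0),
                  template)

def build_statement(randomized_template: str, user_input: str) -> str:
    """Step 2 (runtime): splice raw user input into the tagged template, unescaped."""
    return randomized_template.replace("?", user_input, 1)

def check_statement(statement: str, key: str) -> bool:
    """Step 3: randomized syntax check. True means no injection was detected.
    Complete quoted literals are data and are blanked out; afterwards every
    keyword must carry the tag. A bare keyword or a literal broken open by a
    stray quote can only have come from user input."""
    body = re.sub(r"'[^']*'", "''", statement)   # blank out complete string literals
    if "'" in body.replace("''", ""):             # unbalanced quote: literal broken open
        return False
    for tok in re.findall(r"[A-Za-z_]\w*", body):
        if tok.endswith(key) and tok[:-len(key)].upper() in SQL_KEYWORDS:
            continue                              # legitimately tagged keyword
        if tok.upper() in SQL_KEYWORDS:
            return False                          # untagged keyword: injected
    return True

def derandomize(statement: str, key: str) -> str:
    """Step 4: strip the tag from tagged keywords before sending to the DBMS."""
    return re.sub(r"([A-Za-z_]+)" + re.escape(key) + r"\b", r"\1", statement)

def guarded_query(randomized_template: str, user_input: str, key: str):
    """Full pipeline: returns the plain SQL to execute, or None if injection is detected."""
    stmt = build_statement(randomized_template, user_input)
    if not check_statement(stmt, key):
        return None
    return derandomize(stmt, key)
```

Because the tag is secret and only the developer's template is tagged, an injected UNION or OR is recognised as untagged regardless of how it is spelled, while the same words inside a quoted literal pass as ordinary data.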
Authors: Li Yuan, Jiang Huawei
Source: Computer & Digital Engineering (《计算机与数字工程》), 2009, No. 1, pp. 96-99 (4 pages)
Funding: Supported by the Henan Provincial Department of Education Science and Technology Research Project (No. 2008A520005)
Keywords: SQL injection, instruction set randomization (ISR), application-level security, network attack