
Application Study of the Program Analysis Technology in Preventing SQL Injection Attacks (程序分析技术在SQL注入防御中的应用研究)

Cited by: 3
Abstract: SQL (Structured Query Language) injection is a common and easily mounted attack that poses a serious threat to Web application security. This paper analyzes the principle of SQL injection attacks and presents a prototype system that counters them using program analysis techniques. Starting from static analysis, the system traces tainted data, builds a legal-query automaton model for each SQL statement that contains tainted data, and inserts these automata into the program under test as probes for dynamic testing, tracking and recording the program's execution. The prototype targets Java Web applications and requires no change to the configuration of the server or the database platform. Experiments show that the system is effective at preventing SQL injection attacks and incurs low runtime overhead.
Source: Journal of Chinese Computer Systems (小型微型计算机系统), CSCD, Peking University core journal, 2011, No. 6, pp. 1089-1093 (5 pages)
Funding: National Natural Science Foundation of China project (60803130)
Keywords: Web security; SQL injection; static analysis; dynamic analysis
