摘要
针对PHP程序,提出一种基于注入活动分析技术的结构化查询语言(SQL)漏洞检测方法。以动静态相结合的分析技术为基础,对注入活动从数据流和程序行为方面进行分析,给出基于词法特征比较的SQL漏洞判定算法。通过检测模拟测试数据,并结合别名分析技术、行为模型和SQL漏洞判定算法设计并实现SQL漏洞检测系统。实验结果表明,与Pixy和RIPS系统相比,该系统具有较强的SQL漏洞检测能力和较低的时间开销。
Aiming at PHP program, this paper proposes an Structured Query Language(SQL) vulnerability detection method based on the injection analysis technology. This method makes a detailed analysis on the injection in the aspects of data flow and program behavior, on the basis of the combination of dynamic and static analysis technique. A lexcial feature comparison-based decision algorithm is designed and implemented to detect SQL vulnerability through simulating data. Combining alias analysis technology, behavior model and decision algorithm, the SQL vulnerabilities detection system based on lexical feature comparison is designed and realized. Experimental result indicates that, compared with Pixy and RIPS system,this system has higher SQL vulnerability detection capability and lower time cost.
出处
《计算机工程》
CAS
CSCD
北大核心
2016年第4期112-118,共7页
Computer Engineering
基金
国家自然科学基金资助项目(61202074)
关键词
结构化查询语言漏洞
动静态结合分析
别名分析
行为模型
词法特征
Structured Query Language (SQL) vulnerability
dynamic and static combined analysis
alias analysis
behavior model
lexical feature
