摘要
SQL注入攻击是数据库安全的主要威胁.SQL注入攻击被列为OWASP(open Web application security project)2010年和2013年十大Web应用系统安全威胁之首.SQL注入攻击检测及防御是目前常见的研究热点,结合抽象语法树的数据传播分析及C#语言特性,提出基于规则及特征匹配的漏洞检测架构,实现了C#源代码的静态检测算法.测试结果表明该算法效果良好,简单实用,通过生成源代码的抽象语法树及追踪数据的传播途径,根据规则匹配进行检测,实现C#源代码的SQL注入漏洞检测,在开发阶段提高了代码的安全性;同时提出的漏洞检测框架可以进行拓展,实现对其他编程语言的SQL注入漏洞检测.
SQL injection attacks is ranked first in OWASP (open Web application security project) ToplO Web application security threats in both 2010 and 2013. This paper proposes a static abstract syntax tree analysis framework for detecting SQL injections based on the matching rules? and implements the C# source-code SQL injection attack detection algorithm. This paper focuses on data flow analysis based on the abstract syntax tree, tracing the route of transmission of data and detecting SQL vulnerability in accordance with the predefined rules. Then this paper achieves injection detection algorithm based on language source code and MSSQL. The detection algorithm results show that the algorithm works well for C# language source code. But the results also show that it is possible to make false negative due to lack of supportof detecting the vulnerability existing in the cross-file and cross-function. However, the proposed architecture and algorithms can be extended to other programming platforms. Finally, this paper makes a summary on both SQL injection and the defense, points out the shortcomings itself and makes a prospect of the SQL injection research.
出处
《信息安全研究》
2015年第2期112-125,共14页
Journal of Information Security Research
关键词
SQL注入
抽象语法树
数据流分析
规则匹配
静态分析
SQL injection
abstract syntax tree
data flow analysis
feature matching
static analysis