Abstract
The effectiveness of defending against SQL injection attacks (SQLIA) by randomizing the SQL parsing process rests on the attacker not knowing the specific randomization method the system uses; once an attacker learns the system's randomization form, an effective SQLIA can be mounted. To address this problem, a runtime SQL injection prevention system based on multi-variant execution is designed. The variants use mutually different randomization methods, so an attacker's injected illegal SQL cannot be parsed successfully by all variants at once; even when the attacker knows a randomization method, the illegal SQL can be parsed successfully by at most one variant. A voting mechanism over the variants' response results or parsing results detects the anomaly in time and blocks the SQLIA attack path. A prototype system, SQLMVED, was implemented for Web services, and experiments show that it effectively defends against SQLIA.
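The mechanism the abstract describes, written out as an added toy model; this is not the paper's SQLMVED code, and the names `Variant`, `run_all`, `vote`, the keyword set and the constructed query template and inputs are all assumptions. Each variant appends its own secret tag to SQL keywords in the trusted query template (untrusted input is substituted afterwards, so a keyword arriving without the right tag can only have come from input), de-randomizes what it receives, and the voter compares the de-randomized results across variants. A legitimate query yields identical results everywhere; an injection with bare keywords is rejected by every variant; an injection carrying one variant's leaked tag parses on that variant only, and the disagreement is what the vote catches.

```python
"""Added example: multi-variant SQL keyword randomization with a voter over the
variants' parse results. Not the paper's SQLMVED implementation."""
import re
import secrets
from dataclasses import dataclass
from typing import List, Optional

# Keywords the randomizer tags. A bare one in an incoming query can only have
# come from untrusted input, because the template's keywords are all tagged.
SQL_KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "UNION", "INSERT",
                "INTO", "VALUES", "DROP", "TABLE", "DELETE", "UPDATE", "SET"}

# Tokens: single-quoted string literal, word (keyword/identifier/number), or
# a single punctuation/operator character.
_TOKEN = re.compile(r"'[^']*'|\w+|[^\s\w]")


@dataclass
class Variant:
    """One execution variant with its own secret randomization tag."""
    name: str
    tag: str

    def randomize(self, template: str) -> str:
        """Tag every keyword in the trusted template (never applied to input)."""
        return re.sub(r"\b\w+\b",
                      lambda m: m.group(0).upper() + self.tag
                      if m.group(0).upper() in SQL_KEYWORDS else m.group(0),
                      template)

    def parse(self, sql: str) -> Optional[str]:
        """De-randomize; return plain SQL, or None if an untagged keyword appears."""
        out = []
        for tok in _TOKEN.findall(sql):
            if tok.startswith("'"):
                out.append(tok)                       # string literal is data
            elif (tok.endswith(self.tag)
                  and tok[:-len(self.tag)].upper() in SQL_KEYWORDS):
                out.append(tok[:-len(self.tag)])      # correctly tagged keyword
            elif tok.upper() in SQL_KEYWORDS:
                return None                           # bare keyword: injected
            else:
                out.append(tok)                       # identifier, operator, number
        return " ".join(out)


def make_variants(n: int) -> List[Variant]:
    """Fresh, mutually different tags, as a deployment would generate them."""
    return [Variant(f"V{i}", secrets.token_hex(4)) for i in range(n)]


def run_all(variants: List[Variant], template: str, user_input: str) -> List[Optional[str]]:
    """Each variant randomizes the same template, receives the same untrusted
    input in place of the '?' placeholder, and parses the result."""
    results = []
    for v in variants:
        randomized = v.randomize(template).replace("?", user_input, 1)
        results.append(v.parse(randomized))
    return results


def vote(results: List[Optional[str]]) -> Optional[str]:
    """Strict consensus: the variants must all accept and all agree, otherwise
    the request is treated as anomalous and blocked (returns None)."""
    agreed = set(results)
    if len(agreed) != 1 or None in agreed:
        return None
    return results[0]


if __name__ == "__main__":
    variants = make_variants(3)
    template = "SELECT * FROM users WHERE name = '?'"      # constructed template
    print("legit   :", vote(run_all(variants, template, "alice")))
    print("bare OR :", vote(run_all(variants, template, "' OR '1'='1")))
    leaked = variants[0].tag                                 # attacker knows V0's tag
    print("one tag :", vote(run_all(variants, template, f"' OR{leaked} '1'='1")))
```

Running the module prints the agreed SQL for the legitimate input and `None` for both injection attempts: the untagged payload is rejected by every variant, and the payload carrying V0's tag de-randomizes to real SQL on V0 but stays an opaque identifier on V1 and V2, so the results diverge and the voter blocks it.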
Authors
MA Bolin (马博林); ZHANG Zheng (张铮); LIU Hao (刘浩); WU Jiangxing (邬江兴)
Information Engineering University, Zhengzhou 450001, China; Purple Mountain Laboratories, Nanjing 211100, China
Source
Journal on Communications (《通信学报》), 2021, No. 4, pp. 127-138 (12 pages)
Indexed in: EI; CSCD; Peking University Core Journals (北大核心)
Funding
National Natural Science Foundation of China (No. 61521003)
National Key Research and Development Program of China (No. 2018YFB0804003)
Keywords
SQL injection attack; runtime prevention; multi-variant execution; randomization