Literal Tainting Method for Preventing Code Injection Attack in Web Application

Cited by: 18


Authors: Wang Yi (王溢)[1], Li Zhoujun (李舟军)[1], Guo Tao (郭涛)[2]

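Affiliations: [1] School of Computer Science, Beihang University, Beijing 100191; [2] China Information Technology Security Evaluation Center, Beijing 100085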

Source: Journal of Computer Research and Development (《计算机研究与发展》), 2012, No. 11, pp. 2414-2423 (10 pages)

Funding: National Natural Science Foundation of China (90718017; 60973105; 90818021)

Abstract: Nearly every Web application faces the threat of code injection such as XSS (cross-site scripting) and SQL injection. This flaw occurs when a Web application takes data originating from a user without validating or encoding the content, and lets malicious input run as part of a database query or as a script in the response Web page, which destroys data integrity or leaks user privacy. In order to counteract this trend, we present a literal tainting method for Web applications and argue that it is an efficient and easy-to-deploy solution for preventing such attacks. This approach involves hardening the server-side script with a customizable security filtering policy for full prevention of code injection attacks. Although instrumentation of the Web application is needed, we will show that the process is fully automated and sound, so that the approach is practical even for large Web applications. After preliminary experiments on several real-world PHP applications with the prototype tool PHPHard, which implements the technique, we find that the literal tainting method can prevent XSS successfully by removing the malicious injected script code. In comparison with traditional taint propagation methods, it shows many advantages in both precision and effectiveness while causing only fairly acceptable overhead.

Keywords: code injection; literal tainting; Web application; vulnerability; cross-site scripting; taint propagation

Classification number: TP393.08 [Automation and Computer Technology: Computer Application Technology]
