SQL Injection Prevention Based on Sensitive Characters

Cited by: 20


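Authors: Zhang Huilin[1], Ding Yu[1], Zhang Lihua[1], Duan Lei[1], Zhang Chao, Wei Tao, Li Guancheng[1], Han Xinhui[1]

Affiliations: [1] Institute of Computer Science and Technology, Peking University, Beijing 100080; [2] University of California, Berkeley, Berkeley, California 94720; [3] Baidu USA LLC, Sunnyvale, California 94089

Source: Journal of Computer Research and Development (《计算机研究与发展》), 2016, No. 10, pp. 2262-2276, 15 pages

Funding: National Natural Science Foundation of China (61572149; 61402125)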

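Abstract: SQL injection attacks have a long history, and mechanisms for detecting them have been studied extensively. Existing work combines taint analysis with syntactic analysis of SQL statements to detect SQL injection, but because it must modify the Web application's execution engine to mark and track taint information, it is hard to deploy and incurs excessive time and space overhead. By analysing the mechanism of SQL injection attacks, this paper proposes a defense method based on sensitive characters: 1) only trusted sensitive characters originating from constant strings are positively tainted; 2) without modifying the Web application's execution engine, encoding conversion stores the taint information directly in the encoded values of the trusted sensitive characters, and their propagation through the program is tracked dynamically; 3) without any SQL syntax analysis, the encoded values alone are used to determine the origin of the sensitive characters in an SQL statement and to escape the untrusted ones, which is enough to defend against SQL injection. A prototype system, PHPGate, is implemented on PHP's Zend engine as a plug-in and is easy to deploy. Experiments show that PHPGate defends accurately against SQL injection attacks and effectively improves taint propagation efficiency, with a page response time overhead of no more than 1.6%.

English abstract: SQL injection attacks are prevalent Web threats. Researchers have proposed many taint analysis solutions to defeat this type of attack, but few are efficient and practical to deploy. In this paper, we propose a practical and accurate SQL injection prevention method by tainting trusted sensitive characters into extended UTF-8 encodings. Unlike typical positive taint analysis solutions that taint all characters in hard-coded strings written by the developer, we only taint the trusted sensitive characters in these hard-coded strings. Furthermore, rather than modifying the Web application interpreter to track taint information in extra memory, we encode the taint metadata into the bytes of trusted sensitive characters, by utilizing the characteristics of UTF-8 encoding. Lastly, we identify and escape untrusted sensitive characters in SQL statements to prevent SQL injection attacks, without parsing the SQL statements. A prototype called PHPGate is implemented as an extension on the PHP Zend engine. The evaluation results show that PHPGate can protect Web applications from real-world SQL injection attacks and introduces a low performance overhead (less than 1.6%).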

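Keywords: SQL injection attack; trusted sensitive characters; dynamic taint analysis; positive taint analysis; encoding conversion

Classification number: TP393.08 [Automation and Computer Technology: Computer Application Technology]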
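The three steps the abstract lists, as an added Python sketch; it is not taken from the paper or from PHPGate. Assumptions: the "extended" encoding is modelled as overlong two-byte UTF-8, the sensitive set is limited to the two quote characters and the backslash, escaping is MySQL-style backslash escaping, and all function names are hypothetical.

```python
# Added sketch, not PHPGate's code. Assumed: the sensitive set below, overlong
# two-byte UTF-8 as the "extended" encoding, MySQL-style backslash escaping.
SENSITIVE = b"'\"\\"


def taint_constant(text: str) -> bytes:
    """Positively taint sensitive characters of a developer-written constant."""
    out = bytearray()
    for b in text.encode("utf-8"):
        if b in SENSITIVE:
            # Overlong form 110000xx 10xxxxxx: never produced by a valid encoder.
            out += bytes([0xC0 | (b >> 6), 0x80 | (b & 0x3F)])
        else:
            out.append(b)
    return bytes(out)


def accept_input(raw: bytes) -> bytes:
    """Untrusted input must not be able to forge the taint marker."""
    if b"\xc0" in raw or b"\xc1" in raw:
        raise ValueError("overlong lead byte in untrusted input")
    return raw


def sink(query: bytes) -> bytes:
    """Before the database call: restore trusted characters, escape the rest."""
    out = bytearray()
    i = 0
    while i < len(query):
        b = query[i]
        if b in (0xC0, 0xC1) and i + 1 < len(query):
            # Tainted pair: the character came from a constant, emit it as is.
            out.append(((b & 0x01) << 6) | (query[i + 1] & 0x3F))
            i += 2
            continue
        if b in SENSITIVE:
            out.append(0x5C)  # plain sensitive byte: untrusted, so escape it
        out.append(b)
        i += 1
    return bytes(out)


def build_query(user: bytes) -> bytes:
    # The taint lives in the bytes, so plain concatenation propagates it.
    return (taint_constant("SELECT * FROM users WHERE name = '")
            + accept_input(user) + taint_constant("'"))


if __name__ == "__main__":
    print(sink(build_query(b"alice")))          # constructed benign input
    print(sink(build_query(b"x' OR '1'='1")))   # constructed injection attempt
```

The sink never parses SQL: a quote that arrives as a plain byte can only have come from outside the constants, so it is escaped and stays inside the string literal.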

 
