基于AOP和动态污点分析的SQL注入行为检测方法  被引量：9

作　　者：何成万[1] 叶志鹏 HE Cheng-wan;YE Zhi-peng(School of Computer Science and Engineering,Wuhan Institute of Technology,Wuhan,Hubei 430205,China)

机构地区：[1]武汉工程大学计算机科学与工程学院

出　　处：《电子学报》2019年第11期2413-2419,共7页Acta Electronica Sinica

基　　金：国家自然科学基金(No.61272115)

摘　　要：Web应用程序时刻面临着来自网络空间中诸如SQL注入等代码注入式攻击的安全威胁.大多数针对SQL注入攻击的检测方法执行效率较低,检测精度也不够高,特别是实现方法不易被重用.根据注入型脆弱性特征提出了一种基于AOP(Aspect-Oriented Programming)和动态污点分析的SQL注入行为检测方法,并通过方面(aspect)模块化单元对污点分析过程进行了封装,使得安全这类典型的程序横切关注点从基层子系统中分离,提高了检测代码的可重用性.在污点汇聚点结合通知(advice)机制动态加载各类检测组件实现在运行时执行检测代码,从而应对SQL注入这类典型的针对Web应用程序的代码注入攻击方式.实验表明,该方法能够在不修改应用程序执行引擎及源码的前提下实现自保护过程,有效防御重言式(tautologies)、逻辑错误查询(logically incorrect queries)、联合查询(union query)、堆叠查询(piggy-backed queries)、存储过程(stored procedures)、推理查询(inference query)、编码转换(alternate encodings)等7种典型的SQL注入攻击类型.Web applications are constantly exposed to security threats from code injection attacks such as SQL injection in cyberspace.At present,most detection methods against SQL injection attacks have low execution efficiency and low detection accuracy,and are not easy to be reused.According to the characteristics of injection vulnerability,a SQL injection behavior detection method based on aspect-oriented programming and dynamic taint analysis is proposed,the taint analysis process is encapsulated by the aspect unit,so that the typical program crosscutting-concerns are separated from the base system,which improves the reusability of detection code.The Advice mechanism is used to dynamically load the various detection component implementations to execute the detection code at runtime to counter typical code injection attacks such as SQL injection against Web applications.Experiments show that this method can realize the self-protection process without modifying the application execution engine and source code,so as to effectively defend against seven typical types of SQL injection attacks such as tautologies,logically incorrect queries,union query,piggy-backed queries,stored procedures,inference query,alternate encodings,and so on.

关 键 词：WEB安全 SQL注入 污点分析 面向方面编程 漏洞检测 

分 类 号：TP309.2[自动化与计算机技术—计算机系统结构]