
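Graduate student: 陳詰昌
Chieh-chang Chen
Thesis title: 補強AMNESIA防堵所有型態之資料隱碼攻擊
Enhanced AMNESIA to counter all types of SQLIAs
Advisor: 洪西進
Shi-Jinn Horng
Oral defense committee: 古鴻炎
Hung-yan Gu
蔡鴻旭
Hung-Hsu Tsai
江季翰
Ji-Han Jiang
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering
Year of publication: 2012
Academic year of graduation: 100
Language: Chinese
Number of pages: 68
Keywords (Chinese, translated): middleware, SQL injection attack, stored procedure, dynamic monitoring
Keywords (English): SQLIA, Stored Procedure, MiddleWare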
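  • With the rapid development of e-commerce, databases have become indispensable. However, because of inherent weaknesses in databases, and because they store a great deal of private data, a Web application that does not properly validate user-supplied parameters is very likely to become a target of SQL injection attacks (SQLIAs). To protect databases, many methods have been proposed as defenses against SQLIAs, but most of them pay little attention to SQLIAs in stored procedures, so the proportion of stored procedures that cannot withstand SQLIAs is rather high.
    This thesis represents the SQL queries at hotspots in Web applications and stored procedures as finite state machines, and uses whether the finite state machines before and after match as the basis for deciding whether a SQLIA has occurred. Common syntax-comparison approaches today include automata and transformation trees. This thesis uses JSA and a SQL parser to extract the control flow graph (CFG) of the Web application and of the stored procedures, identifies where the hotspots are, and performs string analysis, finally obtaining a SQL finite state machine that represents the query at a hotspot with user variables inserted arbitrarily. It then decides whether a SQLIA has occurred by comparing the structure of the finite state machine before and after the user parameters are inserted. In addition, this thesis adds a middleware (MiddleWare) between the application server and the database server to filter out stored procedure calls that are not on the allowed list, so that stored procedures do not undergo unnecessary checks and the system load is reduced.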


    With the rapid development of e-commerce, databases have become an integral part of websites. Many websites do not validate user input properly, so hackers can exploit this and access the database. Losses from SQLIAs exceed millions of dollars each year, so SQLIAs are one of the most serious threats to the security of database-driven applications. To prevent SQLIAs (SQL Injection Attacks), many experts and researchers have proposed defensive measures.
    Related methods for SQLIAs include penetration testing, static analysis, runtime validation, etc., but no one can ensure that the method they propose blocks all SQLIAs. Comparing the methods for SQLIA detection and prevention, the paper found AMNESIA to be a practical method for SQLIAs. But AMNESIA cannot detect SQLIAs in stored procedures. Based on AMNESIA, the paper adds a method using static analysis and runtime monitoring to detect SQLIAs in stored procedures.
    Furthermore, the paper adds a middleware between the application server and the database server to intercept all SQL commands and queries from web applications. The MiddleWare can filter out SQL commands that carry SQLIAs in stored procedures by checking them against an allowed list of stored procedures. If most of the SQLIAs in stored procedures are blocked by the MiddleWare, the runtime overhead decreases.
    Finally, the paper uses the method to detect SQLIAs in five web sites. The method could detect all SQLIAs and had no false positives. The MiddleWare could decrease the runtime overhead of detecting SQLIAs in stored procedures by 75 percent.

    Chinese Abstract
    English Abstract
    Table of Contents
    List of Figures
    List of Tables
    Chapter 1 Introduction
        1.1 Research Background
        1.2 Research Motivation
        1.3 Research Objectives
        1.4 Thesis Organization
    Chapter 2 Related Work
        2.1 Web Application Security Threats
        2.2 SQL Injection Attacks (SQL Injection)
        2.3 SQL Injection Attack Defense Methods
    Chapter 3 Analysis Planning and System Architecture
        3.1 Analysis Planning
        3.2 System Architecture
    Chapter 4 System Experiments and Results
        4.1 Experiment Objectives
        4.2 Experiment Environment
        4.3 Test Data
        4.4 Experiment Results
    Chapter 5 Conclusions and Future Work
        5.1 Conclusions
        5.2 Future Work
    References
