Vol. 40 No Journal of Jiangxi Normal University Natural Science Jul SQL. SQL Web SQLIDL DFA. SecuriBench

Transcription

1 40 4 Vol 40 No Journal of Jiangxi Normal University Natural Science Jul SQL * Web SQL Web SQLIDL DFA SecuriBench SQL SQL TP 311 A DOI /j cnki issn SQL 0 SQLIA Context-Free Grammar Web CFG SQL OWASP CFG SQL Open Web application security project 2013 CFG SQLIA Web SQL SQL Attack SQLIA 1 1 SQLIA SQLIA Web Web SQL Web SQLIA SQL DFA SQLIA 2 SQL 2 i SQL SQLIA Web SQLIA 2 ii 1 Web SQLIA PHP D Ray 5 7 SQLIA 6-7 SQL CFG 10 9 SQLIA Web SQL SQL SQLIA 2 8 SQL

2 4 SQL 387 SQLIDL DFA SQL SQL 5 DFA DFA SQL SQLIA SQL SQL Ps6spy 11 SQL 2 1 SQLIDL SQLIDL 3 SQL 10 CFG SQL SQL SQLIDL SQL SQL CFG SQLIA 10 DFA SQL 2 10 Program > Variable Assignment* SQL 2 VariableDefinitions* Query* Query > select insert update Delete Select > select Distinct ColumnList from Table Join where Where Order Union select Distinct Order Column values VarList Update > update TableName set UpdateAssignmentList where Where 1 ColumnList from Table Join where Where Web Insert > insert into TableName SQL Delete > delete from TableName where Where Variable Assignment > VarName VarName * TABLEVAR COLUMNVAR VALUEVAR ALIASESVAR METHODVAR VariableDefinitions > VarName = Regex VarName > A - Za - z 0-9A - Za - z_ * ' A - Za - z 0-9A - Za - z_ * ' VarColumn > Varname Column Distinct > distinct JoinType > inner left right join JoinTable > Table JoinType JoinTable Table on JoinOn Join > JoinType JoinTable JoinOn > AliasesName ColumnName Operators Regex and or AliasesName ColumnName Operators Regex * Order > order by AliasesName ColumnName ASC DESC Where > AliasesName ColumnName Operators Regex and or AliasesName ColumnName Operators Regex * Table > TableName TableName as AliasesName TableName AliasesName UpdateAssignmentList > ColumnName = VarName ColumnName = VarName * VarList > VarName VarName * ColumnList > Column VarColumn * '* ' Column > ColumnName ColumnName * AliasesName ColumnName AliasesName ColumnName * ColumnName > VarName TableName > VarName AliasesName > VarName Operators > = < > > < < = > = like Regex > 1 SQLIA 2 SQLIDL SQLIDL i select ii insert iii update SQL Intention Description Language SQLIDL iv delete v order by SQLIDL user1 user2 id id x x

3 SQLIDL t1 TABLEVAR v1 VALUEVAR t1 = user 12 v1 = select id from t1 where id > v1 by id ASC id = t1 user 12 v1 v2 id v1 = 1-9 * $ id select from SQL v v3 = 1-9 * $ v1 2 2 SQLIDL 1 or 'id' = v3 select* from News where type = 2 and is_show = 1 order update News set title = 'aa' type = 2 where is_show = 1 or insert into News id title type is_show values 1 'title' 1 delete from News where id = 1 SQL v3 VALUENAME v2 = A-Za-z0-9 + $ select* from 'News' where 'type' = v1 and 'is_show' = 1 order by 'id' ASC update 'News' set 'title' = v2 'type' = v1 where 'is_show' = insert into 'News' values v3 v2 v1 v1 delete from 'News' where 'id' = v3 SQLIDL 4 SQLIDL News i 3 type is_ show id SQL ii SQL is_show id title SQLIA type iii iv id SQLIDL 4 SQL 3 5 DFA SQLIDL 4 SQLIA 5 4 DFA 5 DFA 5 password 11 SQLIA1 N Tuong 6 SQLIA SQLIDL SQL SQL S Son SELECT balance FROM 7 10 acct WHERE password = TRUE TRUE flag = TRUE

4 4 SQL SQLIDL SQLIDL Y Y Y Y Y Y Y Y Y Y Y 5 Y Y Y N Y Y N Y Y Y N 6 Y N Y Y N N N N N Y Y 8 Y Y Y N Y Y N Y Y N N Y Y Y N N N Y N N N Y test F1 10 Y N Y N N N N N N N Y SQLIA select * from News where n type = exit and is_show = 1 1 SQL order by id ASC 4 type OR 1 = SQLIDL select* from News where 5 type = OR 1 = and is_show = 1 order by id 6 ASC 6 DFA 7 select 5 DFA or 1 = 1 * from News where type = TRUE and is_show = 1 order by id ASC TRUE type 8 9 SQL select* from News where type = exec char 0x f776e - - and 2 SQL is_show = 1 order by id ASC 9 select* from News where type = exit and is_ show = 1 order by id ASC 6 5 DFA SQLIDL DFA type 9 v2 exit 5 DFA SQL 3 flag = > GLOBAL SQL SQL select* from News where type = 100 > GLOB- AL and is_show = 1 order by id ASC 2 SQL 1 1 type 100 > GLOBAL SQL v2 8 drop table News - - SQL 4 select select * from News where type = 1 drop table * from News where n type = and test F1 = News - and is_show = '1' order by id ASC and is_show = '1' order by id ASC 10 DFA 9 8 9

5 Ps6spy 11 JDBC SQL Ps6spy Ps6spy JDBC SecuriBench 12 BodgeIt Ps6spy 14 SQLIA Web Tomcat6 0 SQLIDL Mysql5 6 JAVA JDK1 6 SQLIDL SQLIDL Java Web CPU 2GHz 4GB JSA 13 Windows 7 SQL Ps6spy 2 SecuriBench 12 Ps6spy com Ps6spy engine logging P6LogStatement java P6LogPreparedStatement ja- drop table News va2 2 4 DFA SQL SQL SQLIDL SQL i Ps6spy Web SQL ii DFA iii SQL SQL SQL 4 2 Program Version number File Count Line Count s Uninstrumented Averagetime / ms Instrumented Averagetime / ms webgoat personalblog snipsnap 1 0-BETA roller jboard bodgeit 1 4 0_ Total SQL Injection SecuriBench personalblog snipsnap bodgeit SQLIA webgoat SQLIA result result SQL 100 ms ~ 110 ms Numeric Add Data with String Database webgoat Backdoors SQLIA SQLIDL LAB Blind Numeric SQLIA 3 Modify Data with Blind String webgoat SQLIA

6 4 SQL J Ray D Ligatti J Defining code-injection attacks J Acm SQL Sigplan Notices Tuong N Guarnieri A Greene S et al Automatically hardening web applications using precise tainting J Ifip Ad- SQL vances in Information & Communication Technology J Son S McKinley K S Shmatikov V Diglossia detecting code injection attacks with precision and efficiency EB / OL http / /msr-waypoint com /pubs / Web / diglossia-ccs-2013 pdf 9 Bandhakavi S Bisht P Madhusudan P CANDID preventing SQL injection attacks using dynamic candidate evalu- ations EB /OL https / /www cs uic edu / ~ pbisht / files / candid-sql-injection-ccs07 pdf 10 Su Zhendong Wassermann G The essence of command injection attacks in Web applications J Acm Sigplan 6 No- 1 OWASP Top10-Open Web Application Security Project Top ten Web application security risks EB /OL http / /www owasp org cn /owasp-project / 2013top10 2 Wasserman G Su Zhendong Sound and precise analysis of Web applications for injection vulnerabilities EB /OL http / /web cs ucdavis edu / ~ su /publications / pldi07 pdf 3 Jovanovic N Kruegel C Kirda E Static analysis for detecting taint-style vulnerabilities in web applications J Journal of Computer Security tices GitHub Inc P6spy EB /OL https / / github com / p6spy / p6spy 12 Benjam in Livshits Stanford securi bench EB /OL http / /suif stanford edu / ~ livshits /securibench / 13 Aarhus University Java string analysis EB /OL http / /www brics dk /JSA / 14 GitHub Inc BodgeIt EB /OL http / /code google com /p /bodgeit The Intention-Oriented Defense MAO Chenyu GUO Fan * YE Jihua College of Computer Information and Engineering Jiangxi Normal University Nanchang Jiangxi China Abstract SQL injection attack SQLIA is the most serious threat to Web program security while dynamic analysis may effectively defend SQLIA An intention-oriented detection approach is proposed to represent all the database operations expected by Web users to intecept the operations before the user submission and drop the unintentional operations A language named SQLIDL is proposed to express the intention of database operations to transform the SQL operations into string sets formalized by deterministic finite automata DFA SQLIDL currently implements the regular expression representation of table names column names values and store procedure names The prototype implementation is evaluated on SecuriBench datasets and the results demonstrate all existing SQL attack patterns can be correctly detected with acceptable run-time overhead Key words SQL injection dynamic analysis DFA attack pattern