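1. Information Engineering University, Zhengzhou, Henan 450001
2. Purple Mountain Laboratories for Network and Communication Security, Nanjing, Jiangsu 211100

MA Bolin (1993- ), male, born in Wuqiao, Hebei; Ph.D. candidate at Information Engineering University. His main research interest is cyberspace security.

ZHANG Zheng (1976- ), male, born in Huangmei, Hubei; Ph.D., associate professor at Information Engineering University. His main research interests are cyberspace security and high-performance computing.

LIU Hao (1997- ), male, born in Fuyang, Anhui; engineer at Purple Mountain Laboratories for Network and Communication Security. His main research interest is cyberspace security.

WU Jiangxing (1953- ), male, born in Jiaxing, Zhejiang; academician of the Chinese Academy of Engineering and professor at Information Engineering University. His main research interests are communication and information systems and cyberspace security.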
Online publication date: 2021-04
Print publication date: 2021-04-25
Bolin MA, Zheng ZHANG, Hao LIU, et al. SQLMVED: SQL injection runtime prevention system based on multi-variant execution[J]. Journal on Communications, 2021, 42(4): 127-138. DOI: 10.11959/j.issn.1000-436x.2021046.
The effectiveness of using randomization during SQL parsing to defend against SQL injection attacks (SQLIA) rests on the attacker not knowing the specific randomization method the current system uses. Once an attacker has learned that method, an effective SQLIA can be carried out. To solve this problem, a SQL injection runtime prevention system based on multi-variant execution was designed. The variants use mutually different randomization methods, so an illegal SQL statement injected by an attacker cannot be parsed successfully by all variants at the same time. Even if the attacker has learned the randomization methods, the illegal SQL statement can be parsed successfully by at most one variant. A voting mechanism votes on the response results or the parsing results of the variants, so that the abnormality is found in time and the SQLIA attack path is blocked. The prototype system SQLMVED was implemented for Web services, and experiments show that it can effectively defend against SQLIA.
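The following sketch illustrates the idea in the abstract: several variants, each with its own keyword randomization, and a vote over their parsing results. It is an added example, not SQLMVED's code; it assumes keyword-suffix randomization in the style of SQLrand, and the keyword list, variant keys, tokenizer, query template and function names are all constructed for illustration.

```python
import re

# Assumptions for this sketch: keyword list, per-variant keys and tokenizer are constructed.
KEYWORDS = {"select", "from", "where", "or", "and", "union", "insert", "update", "delete", "drop"}
VARIANT_KEYS = ["7431", "2950", "8806"]          # one secret randomization key per variant
TOKEN = re.compile(r"'[^']*'|[A-Za-z_]+\d*|\d+|\S")


def randomize(template, key):
    """Tag every SQL keyword of the trusted application template with a variant's key."""
    def tag(m):
        word = m.group(0)
        return word + key if word.lower() in KEYWORDS else word
    return re.sub(r"\b[A-Za-z]+\b", tag, template)


def variant_parses(sql, key):
    """De-randomizing parser of one variant: accept only if every keyword carries its key."""
    for tok in TOKEN.findall(sql):
        if tok.startswith("'") and tok.endswith("'") and len(tok) > 1:
            continue                              # complete string literal: data, not code
        m = re.fullmatch(r"([A-Za-z_]+)(\d*)", tok)
        if m and m.group(1).lower() in KEYWORDS and m.group(2) != key:
            return False                          # untagged or wrongly tagged keyword
    return True


def vote(template, user_input):
    """Run the query through all variants; forward it only on a unanimous successful parse."""
    results = [variant_parses(randomize(template, k).format(user_input), k)
               for k in VARIANT_KEYS]
    return ("allow" if all(results) else "block"), results


TEMPLATE = "select * from users where name = '{}'"   # constructed application query

if __name__ == "__main__":
    for value in ["alice", "x' or '1'='1", "x' or7431 '1'='1"]:
        print(repr(value), vote(TEMPLATE, value))
```

The third input models an attacker who has learned one variant's key: that variant parses the statement, the other two reject it, and the disagreement is what the voter blocks.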