以SQL語句剖析結合剖面技術設計實作資料隱碼攻擊之防禦工具 / An Anti-SQLIA tool based on SQL parsing and aspect technology

王瑛瑛, Wang, Ying Ying

Unknown Date

資料隱碼攻擊（SQLIA）是一種Web應用程式弱點，這個弱點為Web客戶端輸入值隱藏攻擊字串而改變了動態產生的SQL語句結構。根據OWASP(Open Web Application Security Project）2010年的網站風險評鑑報告，資料隱碼攻擊被列為最嚴重的Web應用程式風險。資料隱碼攻擊的弱點可能讓攻擊者能夠直接存取資料庫，導致敏感性資料遭到修改或竊取，有經驗的攻擊者，甚至可以利用一個資料隱碼攻擊的漏洞，而接管整個應用系統。 在本篇論文中，我們基於資料隱碼攻擊的原理實作一個自動化的防禦工具。我們的工具以SQL語句剖析結合剖面技術實作，利用窮舉法，動態分析及動態監控應用程式所執行的SQL語句，毋須開發者學習新的程式寫法或修改應用程式，即能將防禦機制套用於應用程式(原始碼及中間碼)，並透過使用者介面設定可動態調整防禦監控的範圍，提供一個有效保護WEB應用程式的資料隱碼攻擊防禦機制。 / SQL injection attack (SQLIA) is a type of attack on web applications that exploits the fact that input provided by web clients may be directly included in the dynamically generated SQL statements. According to the WASP Foundation, injection attacks, particularly SQL injection, were the most serious web application vulnerability type in 2010. By using SQLIA, an attacker may directly access the database underlying a web application and modify or expose sensitive information. A proficient attacker can even use an SQLIA to completely compromise the host system. In this thesis, we study SQL injection attacks and develop a fully automated, configurable tool for protecting web applications against SQLIA. Our tool uses a heuristic method that combines runtime learning and runtime monitoring of valid/legal SQL statements, by parsing them to calculate and verify MD5 represented patterns (called SQL fingerprints) respectively, and is implemented in Java and AspectJ in order to achieve the goal that requires no training of developers and no modification of the legacy applications. Our evaluation results have shown this tool to be highly effective at protecting web applications from all types of SQL injection attacks.

剖面導向程式設計

剖面

資料隱碼攻擊

AOP

Aspect

SQLIA