以SQL語句剖析結合剖面技術設計實作資料隱碼攻擊之防禦工具 / An Anti-SQLIA tool based on SQL parsing and aspect technology

王瑛瑛, Wang, Ying Ying

Unknown Date

資料隱碼攻擊（SQLIA）是一種Web應用程式弱點，這個弱點為Web客戶端輸入值隱藏攻擊字串而改變了動態產生的SQL語句結構。根據OWASP(Open Web Application Security Project）2010年的網站風險評鑑報告，資料隱碼攻擊被列為最嚴重的Web應用程式風險。資料隱碼攻擊的弱點可能讓攻擊者能夠直接存取資料庫，導致敏感性資料遭到修改或竊取，有經驗的攻擊者，甚至可以利用一個資料隱碼攻擊的漏洞，而接管整個應用系統。 在本篇論文中，我們基於資料隱碼攻擊的原理實作一個自動化的防禦工具。我們的工具以SQL語句剖析結合剖面技術實作，利用窮舉法，動態分析及動態監控應用程式所執行的SQL語句，毋須開發者學習新的程式寫法或修改應用程式，即能將防禦機制套用於應用程式(原始碼及中間碼)，並透過使用者介面設定可動態調整防禦監控的範圍，提供一個有效保護WEB應用程式的資料隱碼攻擊防禦機制。 / SQL injection attack (SQLIA) is a type of attack on web applications that exploits the fact that input provided by web clients may be directly included in the dynamically generated SQL statements. According to the WASP Foundation, injection attacks, particularly SQL injection, were the most serious web application vulnerability type in 2010. By using SQLIA, an attacker may directly access the database underlying a web application and modify or expose sensitive information. A proficient attacker can even use an SQLIA to completely compromise the host system. In this thesis, we study SQL injection attacks and develop a fully automated, configurable tool for protecting web applications against SQLIA. Our tool uses a heuristic method that combines runtime learning and runtime monitoring of valid/legal SQL statements, by parsing them to calculate and verify MD5 represented patterns (called SQL fingerprints) respectively, and is implemented in Java and AspectJ in order to achieve the goal that requires no training of developers and no modification of the legacy applications. Our evaluation results have shown this tool to be highly effective at protecting web applications from all types of SQL injection attacks.

剖面導向程式設計

剖面

資料隱碼攻擊

AOP

Aspect

SQLIA

資料外洩稽核工具之設計與實作 / Design and implementation of an audit tool for data leakage

高華志, Kao, Hua Chih

Unknown Date

隨著國內法令規範對於隱私政策更加重視，國內外企業組織因應鉅額罰款與政策的施行，再加上個人資料外洩事件頻傳，各企業無不擔心客戶資料的保護與落實內部資料控制。而大型政府機關或企業，由於服務範圍廣大，應用系統繁多，針對資料外洩的保護與落實，將更加的複雜。大部份的組織針對實體文件、安全性儲存設備管制、使用採購防火牆設備等，皆有進行相關的管理與設備的採購，但上述機制未能解決應用系統的資料外洩問題。對稽核人員而言稽查應用程式是否有資料外洩之虞，由應用程式原始程式碼相當實為不易，而新制定一套更安全存取控管的介面更需投入相當高的成本與時間。 / 本研究在設計與實作資料外洩稽核工具，參考國際標準ISO27002與ISO 13569資訊安全作法，摘選出應用系統資訊安全指引，並根據實務經驗與金融產業的系統特性，找出資料外洩存取規則(Rules)。除此之外需搭配資料庫執行指令記錄器(DB Logger)，由大量的資料庫指令紀錄中快速產生稽核報表，藉以協助稽核人員查核資料外洩的線索並督促組織內部問題的改善，以落實內部資料控管政策與外部法令要求。 / The rapid spread of information technologies into every facet of our life results in a surge in attention to privacy recently. Bills are enacted and a comprehensive privacy policy becomes a sign of a responsible corporation. However, the complexity and diversity of application systems of information makes it very difficult to ensure that the information systems conform to all the privacy regulations and polices. Although most corporations have established some privacy policies for controlling physical documents and various hardware devices, the main problem for data leakage is at application layer. Application developers could retrieve sensitive data by exploiting application flaws. This poses great challenges to information system auditors. Firstly, it is rather difficult for auditors to review the code to spot the flaws. Secondly, it is impractical to make a new coding standard and re-write the legacy applications accordingly. Thirdly, application developers lack the motivation to improve the protection level of existing systems. / This thesis argues that a database audit tool can partly address the above difficulties faced by auditors. Specifically, we design and implement a tool for data leakage auditing. We derive right rules for identifying the potential sources of data leakage by referencing to information security practices such as ISO27002 and ISO 13569, and our practical experience in financial industry. Our tool makes good use of the database logger to produce an audit report based on those rules. The audit reports provide not only useful hints for auditors to detect possible data leakage, but also good evidence for urging developers to enhance their applications for privacy protection.

資料外洩

稽核工具

資訊安全

隱碼攻擊

ISO27002

ISO 13569

Data Leakage Prevention

Audit Tools

Information Security

ISO27002

ISO 13569

Injection Flaws

SQL Injection

DLP