  • Thesis

A Defense against Stored-Procedure Compositional SQL Injection Attacks Based on Validation of Legitimate Input Values (translated from the Chinese title)

A Defense against Stored Procedure Compositional SQL Injection Attack through Validation on Input Legitimacy

Advisor: 田筱榮

Abstract (translated from Chinese)


SQL injection attacks can damage the database system behind a web service or allow the data it holds to be stolen. Most prior work has aimed at defending against SQL injection attacks in general, but defenses against attacks that target stored procedures have been lacking. In this study we extend the scope of the defense to compositional SQL injection attacks that occur inside stored procedures. In the static analysis phase, besides analyzing the web application source code, we also analyze the contents of the stored procedures in the database to find the relationships between user input parameters and the SQL statements inside those procedures. In the dynamic analysis phase, when a user submits parameters, we check whether substituting them into the stored procedure and combining them with its SQL statements would produce an SQL injection; if so, the request is blocked and rejected. With our defense mechanism, users and web programmers obtain protection without needing to know how the defense program works; the system administrator only has to deploy the defense program on the web server side.

Abstract (author's English version)


SQL injection attacks may lead to data theft, content destruction, and even database crashes. Many defense mechanisms have been proposed against explicit SQL injection attacks, in which the attack exploits the web application program itself. However, defense against SQL injection attacks aimed at the stored procedures provided by the supporting database system has not been successfully addressed. In this study, we extend the input legitimacy validation method to SQL injection attacks on stored procedures. Besides the web application program, static analysis is also performed on the stored procedures held in the database system, to obtain knowledge of the relationships between user input parameters and the SQL statements composed inside those procedures. During the on-line dynamic analysis phase, input parameters are verified against the previously derived knowledge. If a potential SQL injection attack is detected, the user request is rejected before it is forwarded to the web application program. The proposed enhancement of the original method provides a more comprehensive defense against SQL injection attacks. Our method is transparent to users and web application designers, and it provides effective defense with no need to rewrite application programs.
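The two-phase scheme that both abstracts describe, as an added illustration in Python that is not the thesis's own code or implementation. It assumes T-SQL-style procedures that build a query string by concatenation and run it with EXEC(); the procedure `dbo.FindUser`, its parameters `@name` and `@limit`, the table `users`, and the sample inputs are all constructed here. The static phase extracts which parameters flow into the executed string and whether the procedure quote-escapes them; the dynamic phase composes the string with the submitted values and rejects the request if the token skeleton differs from the one obtained with benign canonical values.

```python
"""Input-legitimacy validation for stored procedures that compose dynamic SQL.

Added illustration, not the thesis's own code: it assumes T-SQL-style procedures
that build a query string by concatenation and run it with EXEC(). The procedure
texts, parameter names and sample inputs below are constructed for this example.
"""
import re

# Constructed procedure: @name is concatenated raw into the executed SQL text.
NAIVE_PROC = """
CREATE PROCEDURE dbo.FindUser @name NVARCHAR(100), @limit INT
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = 'SELECT TOP ' + CAST(@limit AS NVARCHAR) + ' id, name FROM users WHERE name = ''' + @name + '''';
    EXEC(@sql);
END
"""
# Same procedure, but the string parameter is quote-escaped before concatenation.
ESCAPED_PROC = NAIVE_PROC.replace("+ @name +", "+ REPLACE(@name, '''', '''''') +")

KEYWORDS = {"SELECT", "TOP", "FROM", "WHERE", "AND", "OR", "NOT", "UNION", "ALL", "INSERT",
            "UPDATE", "DELETE", "DROP", "EXEC", "LIKE", "IN", "ORDER", "BY", "NULL", "IS",
            "VALUES", "INTO", "TABLE", "JOIN", "ON", "AS"}
NUMERIC_TYPES = {"INT", "BIGINT", "SMALLINT", "TINYINT", "DECIMAL", "NUMERIC", "FLOAT", "REAL"}

# Lexer for the composed SQL; values are later abstracted to their token class.
TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:[^']|'')*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_]\w*)
  | (?P<op><>|[<>!=]=?|[+\-*/%(),;.])
  | (?P<bad>.)
""", re.VERBOSE | re.DOTALL)

# One piece of the concatenation: a literal, a raw parameter, or a parameter
# wrapped in REPLACE(@p, '''', '''''') (the usual T-SQL quote escaping).
PIECE_RE = re.compile(r"""
    REPLACE\(\s*@(?P<esc>\w+)\s*,\s*''''\s*,\s*''''''\s*\)
  | '(?P<lit>(?:[^']|'')*)'
  | @(?P<raw>\w+)
""", re.VERBOSE)


def analyze(proc_text):
    """Static phase: declared parameter types plus how the EXEC'd string is built.
    Returns {"canonical": benign value per parameter, "pieces": ordered pieces}."""
    header = re.search(r"CREATE\s+PROCEDURE\s+[\w.]+\s*(.*?)\bAS\b",
                       proc_text, re.S | re.I).group(1)
    canonical = {name: "1" if typ.upper() in NUMERIC_TYPES else "x"
                 for name, typ in re.findall(r"@(\w+)\s+([A-Za-z]+)", header)}
    executed = re.search(r"EXEC\s*\(\s*@(\w+)\s*\)", proc_text, re.I).group(1)
    rhs = re.search(r"SET\s+@" + executed + r"\s*=\s*(.*?);",
                    proc_text, re.S | re.I).group(1)
    pieces = []
    for m in PIECE_RE.finditer(rhs):
        if m["lit"] is not None:
            pieces.append(("lit", m["lit"].replace("''", "'")))
        else:
            pieces.append(("esc", m["esc"]) if m["esc"] else ("raw", m["raw"]))
    return {"canonical": canonical, "pieces": pieces}


def compose(model, values):
    """The SQL the procedure would actually execute for these parameter values."""
    render = {"lit": lambda t: t,
              "raw": lambda p: str(values[p]),
              "esc": lambda p: str(values[p]).replace("'", "''")}
    return "".join(render[kind](text) for kind, text in model["pieces"])


def shape(sql):
    """Token skeleton: keywords and operators kept, literals reduced to their class."""
    skeleton = []
    for m in TOKEN_RE.finditer(sql):
        kind, text = m.lastgroup, m.group()
        if kind == "word":
            skeleton.append(("kw", text.upper()) if text.upper() in KEYWORDS else ("ident",))
        elif kind in ("op", "bad"):
            skeleton.append((kind, text))
        elif kind != "ws":
            skeleton.append((kind,))
    return skeleton


def is_legitimate(model, values):
    """Dynamic phase: accept only if the submitted values leave the skeleton unchanged."""
    if any(name not in values for name in model["canonical"]):
        return False
    expected = shape(compose(model, model["canonical"]))
    return shape(compose(model, values)) == expected


if __name__ == "__main__":
    for label, proc in (("naive", NAIVE_PROC), ("escaped", ESCAPED_PROC)):
        model = analyze(proc)
        for values in ({"name": "alice", "limit": "5"}, {"name": "O'Brien", "limit": "5"},
                       {"name": "' OR 1=1 --", "limit": "5"},
                       {"name": "alice", "limit": "5; DROP TABLE users"}):
            print(label, values, "accept" if is_legitimate(model, values) else "reject")
```

Running the block shows the point of analysing the procedure rather than the raw input alone: `' OR 1=1 --` is rejected for the naive procedure but accepted for the escaped one, because there the value stays inside a single string literal; `O'Brien` is rejected for the naive procedure, since the composed SQL would be malformed, and accepted once the procedure escapes quotes; and `5; DROP TABLE users` is rejected for both, because `@limit` is concatenated without any protection. The regex-based static phase only understands single-level concatenation into an EXEC()'d variable; a deployment would need a real T-SQL parser, but the accept/reject decision itself is the same skeleton comparison.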
