[논문]A Reusable SQL Injection Detection Method for Java Web Applications

He, Chengwan; He, Yue

doi:10.3837/tiis.2020.06.014

A Reusable SQL Injection Detection Method for Java Web Applications 원문보기

KSII Transactions on internet and information systems : TIIS, v.14 no.6, 2020년, pp.2576 - 2590

He, Chengwan (School of Computer Science and Engineering, Wuhan Institute of Technology) , He, Yue (School of Information Engineering, Wuhan University of Technology)

Abstract ▼ AI-Helper

The fundamental reason why most SQL injection detection methods are difficult to use in practice is the low reusability of the implementation code. This paper presents a reusable SQL injection detection method for Java Web applications based on AOP (Aspect-Oriented Programming) and dynamic taint analysis, which encapsulates the dynamic taint analysis processes into different aspects and establishes aspect library to realize the large-grained reuse of the code for detecting SQL injection attacks. A metamodel of aspect library is proposed, and a management tool for the aspect library is implemented. Experiments show that this method can effectively detect 7 known types of SQL injection attack such as tautologies, logically incorrect queries, union query, piggy-backed queries, stored procedures, inference query, alternate encodings and so on, and support the large-grained reuse of the code for detecting SQL injection attacks.

주제어

표/그림 (11)

그림 Fig. 1. The basic idea
그림 Fig. 2. The SQL injection detection method based on AOP and dynamic taint analysis
그림 Fig. 3. Tainting process
그림 Fig. 4. Taint propagation analysis
표 Fig. 5. String concatenation
그림 Fig. 6. Substring extraction
표 Table 1. SQL keywords
그림 Fig. 7. Join points definition based on the semantic information
그림 Fig. 8. Metamodel of Aspect library
표 Table 2. Comparison of Detection Types of Several Typical Methods
그림 Fig. 9. Method portability

AI 본문요약
AI-Helper

* AI 자동 식별 결과로 적합하지 않은 문장이 있을 수 있으니, 이용에 유의하시기 바랍니다.

문제 정의

The approach proposed in this paper is an improvement and further study of our previous work [10]. In this paper, we improve the tainting method of starting and ending information of tainted data, and propose the taint propagation algorithm using string concatenation and substring extraction as examples.

제안 방법

Dynamic taint analysis has two methods: positive tainting and negative tainting, both of which have advantages and disadvantages. Considering that the type of taint source on the server-side of a Web application is limited, and our method allows users to specify the taint source, this paper adopts the method of negative tainting and uses AOP to encapsulate tainted data and taint propagation analysis. However, we believe that this method is also suitable for the taint analysis process with positive tainting, except that the implementation code of the tainted data marking and SQL syntax analysis are slightly different.
The approach proposed in this paper is an improvement and further study of our previous work [10]. In this paper, we improve the tainting method of starting and ending information of tainted data, and propose the taint propagation algorithm using string concatenation and substring extraction as examples. At the same time, we also propose the metamodel and construction method of aspect library.
This paper presented a reusable SQL injection behavior detection method for Java Web applications based on AOP and dynamic taint analysis, which encapsulates the dynamic taint analysis processes into different aspects and establishes the aspect library to realize the large-grained reuse of SQL injection detection code. The detection code encapsulated by aspect is woven into the source code by the weaver.
For these functions, the logic of taint propagation should be implemented one by one. This paper selects two commonly used string manipulation functions (string concatenation and substring extraction) to illustrate the algorithm of taint propagation analysis.

성능/효과

The above reasons indicate the following facts: 1) For most developers that are inexperienced and have no knowledge of security programming techniques, even if the security experts point out the program defects, there is no way to solve these security defects. Programmers need to reuse solutions, technologies, and especially code to prevent security threats at large granularity.
Programmers need to reuse solutions, technologies, and especially code to prevent security threats at large granularity. 2) Application vulnerabilities are the main targets of hacker attacks, Web applications should use more general and robust detection and defense methods, and tackle SQL injection attacks as the main target of detection and defense; 3) In order to shorten the development cycle and reduce the development cost, most enterprises do not fully analyze and mitigate the security vulnerabilities that may be contained in the program, which leads to the result that a large number of Web applications may suffer from security vulnerabilities. Reworking all the code is almost impossible, and dynamic attack detection and defense are essential to complement static security detection.

참고문헌 (31)

IBM Security. "Five Steps to Achieve Risk-Based Application Security Management," Thought Leadership White Paper, Jul. 2015.
L. K. Shar, H. B. K. Tan, "Defeating SQL injection," Computer, vol. 46, no. 3, pp. 69-77, 2013.

상세보기
W. G. J. Halfond, J. Viegas, and A. Orso, "A classification of SQL injection attacks and countermeasures," in Proc. of the International Symposium on Secure Software Engineering, Washington, USA, pp. 13-15, 2006.
W. G. J. Halfond, A. Orso, P. Manolios, "WASP: Protecting Web Applications Using Positive Tainting and Syntax-Aware Evaluation," IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, vol.34, no.1, PP. 65-81, 2008.

상세보기
M. Sridharan, S. Artzi, M. Pistoia, S. Guarnieri, O. Tripp, and R. Berg, "F4F: Taint analysis of framework-based Web applications," ACM SIGPLAN Notices, vol. 46, no. 10, pp. 1053？1068, 2011.

상세보기
I. Papagiannis, M. Migliavacca, and P. Pietzuch, "PHP ASPIS: Using partial taint tracking to protect against injection attacks," in Proc. of the Usenix Conf. on Web Application Development, pp. 1-8, Feb. 2011.
WANG Yi, LI Zhou-jun, and GUO Tao, "Literal tainting method for preventing code injection attack in web application," Journal of Computer Research and Development, vol. 49, no.11, pp. 2414-2423, 2012.
WANG Lei, LI Feng, LI Lian, et al, "Principle and practice of taint analysis," Journal of Software, vol. 28, no. 4, pp. 860-882, 2017.
G. Kiczales, J. Lamping, A. Mendhekar, et al, "Aspect-oriented programming," in Proc. of the European Conference on Object-Oriented Programming, Jyvaskyla, Finland, pp. 220-242, 1997.
HE Cheng-wan, YE Zhi-peng, "SQL Injection Behavior Detection Method Based on AOP and Dynamic Taint Analysis." Acta Electronica Sinica, vol.47, no.11, pp.2413-2419, 2019.
Y. Shin, L. Williams, T. Xie, "SQLUnitGen: Test Case Generation for SQL Injection Detection," North Carolina State University, 2006.
M. S. Lam, M. Martin, J. Whaley, et al, "Securing web applications with static and dynamic information flow tracking," in Proc. of ACM Sigplan Symposium on Partial Evaluation and Semantics-Based Program Manipulation, San Francisco, CA, USA, pp.3-12, 2008.
V. B. Livshits, and M. S. Lam, "Finding security vulnerabilities in java applications with static analysis," in Proc. of the 14th Conference on USENIX Security Symposium, California, USA, pp. 18-18, 2005.
N. Jovanovic, C. Kruegel, and E. Kirda E, "Pixy: a static analysis tool for detecting web application vulnerabilities," in Proc. of IEEE Symposium on Security and Privacy, pp. 258-263, Berkeley, USA, 2006.
Y. Minamide, "Static approximation of dynamically generated Web pages," in Proc. of the International Conference on the World Wide Web, pp. 432-441, 2005.
G. Wassermann, and Zhendong Su, "Sound and precise analysis of web applications for injection vulnerabilities," in Proc. of PLDI '07: Proceedings of the 28th ACM SIGPLAN Conference on Programming Language Design and Implementation, pp. 32-41, 2007.
G.Wassermann, Zhendong Su, "Static detection of cross-site scripting vulnerabilities," in Proc. of ACM/IEEE International Conference on Software Engineering, pp. 171-180, 2008.
A. Naderi-Afooshteh, A. Nguyen-Tuong, M. Bagheri-Marzijarani, et al, "Joza: Hybrid taint inference for defeating web application SQL injection attacks," in Proc. of IEEE/IFIP International Conference on Dependable Systems and Networks, pp. 172-183, Rio de Janeiro, Brazil.
E. J. Schwartz, T. Avgerinos, and D. Brumley, "All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask)," in Proc. of IEEE international Conference on Security and Privacy, pp. 317-331, 2010.
ZHOU Ying, FANG Yong, HUANG Cheng, et al, "Detection of SQL injection behaviors for PHP applications," Journal of Computer Applications, vol. 38, no. 1, pp. 201-206, 2018.
P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, G. Vigna, "Cross site scripting prevention with dynamic data tainting and static analysis," in Proc. of the Network and Distributed System Security Symposium, San Diego, California, USA, Feb. 2007.
MA Jin-xin, LI Zhou-jun, ZHANG Tao, et al, "Taint analysis method based on offline indices of instruction trace," Journal of Software, vol. 28, no. 9, pp. 2388-2401, 2017.
A. guyen-Tuong, S. Guarnieri, D. Greene, et al, "Automatically hardening web applications using precise tainting," in Proc. of IFIP 20th International Information Security Conference, Chiba, Japan, pp. 295-307, 2005.
M. Martin, M. S. Lam, "Automatic Generation of XSS and SQL Injection Attacks with Goal-directed Model Checking," in Proc. of USENIX Security Symposium, pp. 31-44, 2008.
T. Pietraszek, C. V. Berghe, "Defending against injection attacks through context-sensitive string evaluation," in Proc. of International Conference on Recent Advances in Intrusion Detection, Seattle, WA, USA, pp. 124-145, 2005.
A. Kieyzun, P. J. Guo, K. Jayaraman, et al, "Automatic creation of SQL Injection and cross-site scripting attacks," in Proc. of IEEE International Conference on Software Engineering, Vancouver, BC, Canada , pp. 199-209, 2009.
S. W. Boyd, and A. D. Keromytis, "SQLrand: Preventing SQL Injection Attacks," in Proc. of 2ndInternational Conference on Applied Cryptography and Network Security, Yellow Mountain, China, pp. 292-302, 2004.
ZHANG Hui-lin, DING Yu, ZHANG Li-hua, et al, "SQL injection prevention based on sensitive characters," Journal of Computer Research and Development, vol. 53, no. 10, pp. 2262-2276, 2016.
ZHAO Yu-fei, XIONG Gang, HE Long-tao, et al, "Approach to detecting SQL injection behaviors in network environment," Journal on Communications, vol. 37, no. 2, pp. 89-98, 2016.
ShayChen, "TheWebApplicationVulnerability Scanner Evaluation Project," 2019.
OWASP, "WebGoat," 2019. [Online]. Available: https://github.com/WebGoat/WebGoat,

표제어: PCR

동의어: Packet Collision Rate

용어 설명 출처 목록 (6)

용어 설명: PCR은 세균 특이성이 있는 primer를 이용하여 적은 수의 세균이 있을지라도 쉽게 검출할 수 있는 유용한 방법이며, 이를 이용하여 구강 내 치면세균막이나 타액에서 직접 세균을 검출할 수 있게 되었다[8].

내보내기 구분	파일저장 인쇄 메일전송
구성항목	기본정보 상세정보 관리번호, 논문명, 저널/프로시딩명, 저자 , 발행년, 권, 호, 시작페이지, 끝페이지, 발행기관 관리번호, 논문명, 대등논문명, 저자 , 저널/프로시딩명, 발행기관, 발행년, 발행언어, 권, 호, 시작페이지, 끝페이지, ISBN, ISSN, 주제분야, 키워드, 초록(한글), 초록(영문), 저자(소속기관)
저장형식	Text(ASCII format) Excel format RefWorks Direct Export RIS format (for Reference Manager, ProCite, EndNote), Scholar's Aids, Mendeley
메일정보	받는사람 (필수) @ 보내는사람 (선택) @ 제목 내용 KISTI 검색결과 이메일 서비스
안내	총 건의 자료가 검색되었습니다. 다운받으실 자료의 인덱스를 입력하세요. (1-10,000) 검색결과의 순서대로 최대 10,000건 까지 다운로드가 가능합니다. 데이타가 많을 경우 속도가 느려질 수 있습니다.(최대 2~3분 소요) 다운로드 파일은 UTF-8 형태로 저장됩니다. 파일의 내용이 제대로 보이지 않을실 때는 웹브라우저 상단의 보기 -> 인코딩 -> 자동선택 여부를 확인하십시오. ~ Text(ASCII format) Excel format

연합인증