National Digital Library of Theses and Dissertations in Taiwan (臺灣博碩士論文加值系統)
Author: 黃浩倫
Author (English): Hao-lun Huang
Title: TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks
Title (English): TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks
Advisor: 許富皓
Advisor (English): Fu-hau Hsu
Degree: Master's
Institution: National Central University (國立中央大學)
Department: Graduate Institute of Computer Science and Information Engineering (資訊工程研究所)
Discipline: Engineering
Field: Electrical and Computer Engineering
Thesis type: Academic thesis
Year of publication: 2010
Graduation academic year: 98
Language: English
Pages: 40
Keywords (Chinese): 資料隱碼, 網頁安全
Keywords (English): SQL injection, web security
Usage statistics:
  • Cited: 0
  • Views: 357
  • Rating: (none)
  • Downloads: 0
  • Bookmarked: 0
Abstract (Chinese):
With the rapid growth of the Internet, many web applications provide services such as learning, education, entertainment, information exchange and commercial transactions. Applications of this kind typically store a wide variety of data in databases, and that data may include user account information, private files and transaction details. Attackers therefore target web applications with SQL injection, an attack that can destroy or steal data and, in the worst case, seize control of the server. Much previous research and many products aimed at preventing SQL injection attacks have been unable to defend against them completely, because they are cumbersome to configure, require modifying the source code of the current application, or cannot cover every vulnerability. For these reasons, preventing SQL injection attacks effectively and conveniently has become an important matter.
In this thesis we propose a new defence mechanism that translates every request about to reach the database into an equivalent request sent to LDAP, and uses the characteristics of LDAP together with some additional defensive measures to verify whether the request is legitimate. We name this mechanism TransSQL. TransSQL consists of two steps. The first is a preprocessing step, in which we use sqldump to extract the data in the database and copy it into LDAP. The second is runtime monitoring, in which we monitor every request sent to the database to prevent SQL injection attacks. Our mechanism is deployed between the web application and the database, and the experimental results show that TransSQL defends effectively against SQL injection attacks.
Abstract (English):
Web-based applications have become the major means of providing services by web servers and databases. These applications are a frequent target for attacks because the databases underlying web applications often contain private information (e.g., user accounts and financial records). In particular, SQL injection attacks, a class of injection flaw in which specially crafted input strings lead to illegal queries to databases, are one of the topmost threats to web applications. A number of research prototypes and commercial products that maintain the query structure in web applications have been developed, but these techniques fail to address the full scope of the problem or have limitations.
In this paper, we propose a novel and effective mechanism for automatically translating SQL requests into LDAP-equivalent requests to render them secure against SQL injection attacks. After the queries are executed on the SQL database and on LDAP, our technique checks the difference between the responses from the SQL database and from LDAP to prevent SQL injection attacks. We implemented our technique in a tool, TransSQL, which consists of two steps. In the preprocessing step, the Database Duplicating process, we adopt the sqldump program to extract the entire contents of the SQL database, which are then used to produce an LDAP schema and an LDAP Data Interchange Format file. In the runtime step, the Request Translation process, the technique intercepts SQL queries for translation and checks the results from LDAP against those from the SQL database. TransSQL has been implemented in Java and deployed between web applications and databases. Our empirical evaluation has shown that TransSQL is both effective and efficient against SQL injection attacks.
Table of contents:
Abstract (Chinese) i
Abstract ii
1. Introduction 1
2. SQL Injection Attacks 5
2.1 Example of SQL Injection Attacks 5
2.2 Injection Mechanism 6
3. Design of TransSQL 9
3.1 Overview of TransSQL 9
3.2 LDAP Features 11
3.3 Database Duplication 12
3.4 SQL Request Translation 17
3.5 Special Cases 18
4. Implementation 21
5. Evaluation 23
5.1 Assumption 23
5.2 Injection Code 23
5.3 General Query 24
5.4 Experimental Setup 24
5.5 Results 26
6. Related Work 28
6.1 Coding Practices 28
6.2 Application Analysis 28
6.3 Defense framework 29
7. Conclusion 32
References 33
APPENDIX A 37
APPENDIX B 39