信息安全研究 ›› 2015, Vol. 1 ›› Issue (2): 140-148.

• 学术论文 • 上一篇    下一篇

一种基于污染源追踪的PHP源代码SQL注入漏洞检测算法

张冰琦1,孙伟2   

  1. 1. 中山大学软件学院
    2. 中山大学信息科学技术学院
  • 收稿日期:2015-09-04 修回日期:2015-11-15 出版日期:2015-11-17 发布日期:2016-01-18
  • 通讯作者: 张冰琦

A PHP Source-code SQL Injection Attack Detection Algorithm Based on Taint Tracking

Zhang Bingqi1,Sun Wei2   

  1. 1. School of Software, Sun Yetsen University
    2. School of Information Science and Technology, Sun Yatsen University
  • Received:2015-09-04 Revised:2015-11-15 Online:2015-11-17 Published:2016-01-18
  • Contact: Zhang Bingqi

摘要: SQL注入攻击被列为OWASP(open Web application security project)2010年和2013年十大Web应用系统安全威胁之首.SQL注入攻击检测及如何提高Web代码对SQL注入攻击的防御能力是目前常见的研究问题之一,结合词法分析及PHP语言特性,提出基于规则及特征匹配的漏洞检测架构,实现了PHP源代码的静态检测算法.测试结果表明该算法效果较好,具有较低的误报率,能够在词法分析阶段进行一定的别名分析及污染分析,从而在程序实现初期提高代码的安全性;同时漏洞检测框架可以进行拓展,实现对其他“taintstyle”类型的漏洞检测.

关键词: SQL注入, 词法分析, 静态分析, 污染分析, 规则匹配

Abstract: The concept of “SQL injection” has been proposed for more than 10 years, however, SQL injection attack was still rated the number one attack on the Open Web Application Security Project(OWASP) in 2013. With the rapid development of dynamic Web applications, PHP becomes popular because it's fast, reliable and can be combined with many different types of RDBMS, and it's also a cheap option for developing and hosting applications on the Web. PHP is a powerful language which can access files, execute commands and open network connections on the server. However, these properties also make anything is run on a Web server insecure by default. As there are several ways of utilizing PHP, there are many configuration options controlling its behavior. A large selection of options guarantees that PHP can be utilized to a lot of purposes. With proper runtime configuration options and coding practices, PHP can provide exactly the combination of freedom and security. This paper considers the security risks related to PHP programming language, and describes different situations which will lead to website vulnerabilities. It also proposes a static lexical analysis framework for detecting SQL injections based on the matching rules, and implements the PHP sourcecode SQL injection attack detection algorithm. The experiments demonstrate that the algorithm is effective, and it can also be extended to detect other “taintstyle” Web vulnerabilities.

Key words: SQL injection, lexical analysis, static analysis, taint analysis, matching rules