A C# Source Code SQL Injection Attack Detection Algorithm Based on Abstract Syntax Tree

Abstract

Abstract: SQL injection attacks is ranked first in OWASP (open Web application security project) Top10 Web application security threats in both 2010 and 2013. This paper proposes a static abstract syntax tree analysis framework for detecting SQL injections based on the matching rules, and implements the C# sourcecode SQL injection attack detection algorithm. This paper focuses on data flow analysis based on the abstract syntax tree, tracing the route of transmission of data and detecting SQL vulnerability in accordance with the predefined rules. Then this paper achieves injection detection algorithm based on C# language source code and MSSQL. The detection algorithm results show that the algorithm works well for C# language source code. But the results also show that it is possible to make false negative due to lack of supportof detecting the vulnerability existing in the crossfile and crossfunction. However, the proposed architecture and algorithms can be extended to other programming platforms. Finally, this paper makes a summary on both SQL injection and the defense, points out the shortcomings itself and makes a prospect of the SQL injection research.

Key words: SQL injection, abstract syntax tree, data flow analysis, feature matching, static analysis

摘要： SQL注入攻击是数据库安全的主要威胁.SQL注入攻击被列为OWASP(open Web application security project)2010年和2013年十大Web应用系统安全威胁之首.SQL注入攻击检测及防御是目前常见的研究热点，结合抽象语法树的数据传播分析及C#语言特性，提出基于规则及特征匹配的漏洞检测架构，实现了C#源代码的静态检测算法.测试结果表明该算法效果良好，简单实用，通过生成源代码的抽象语法树及追踪数据的传播途径，根据规则匹配进行检测，实现C#源代码的SQL注入漏洞检测，在开发阶段提高了代码的安全性；同时提出的漏洞检测框架可以进行拓展，实现对其他编程语言的SQL注入漏洞检测.

关键词: SQL注入, 抽象语法树, 数据流分析, 规则匹配, 静态分析

Sun Wei Chen Lin. A C# Source Code SQL Injection Attack Detection Algorithm Based on Abstract Syntax Tree[J]. Journal of Information Security Research, 2015, 1(2): 112-125.

孙伟陈林. 一种基于抽象语法树的C#源代码SQL注入漏洞检测算法[J]. 信息安全研究, 2015, 1(2): 112-125.

References

［1］2015 data breach investigations report［ROL］. New York: Verizon, 2015 ［20151019］. https:msisac.cisecurity.orgresourcesreportsdocumentsrp_databreachinvestigationreport2015_en_xg.pdf ［2］Creative Commons Attributution Sharealike. The top10 most critical Web application security risks 2010［ROL］. United States: OWASP, 2010 ［20151019］. http:owasptop10.googlecode.comfilesOWASP%20Top%2010%20%202010.pdf ［3］Creative Commons Attributution Sharealike. The top10 most critical Web application security risks 2013［ROL］. United States: OWASP, 2013 ［20151019］. http:owasptop10.googlecode.comfilesOWASP%20Top%2010%20%202013.pdf ［4］安华金和. 2015H1安华金和数据库漏洞威胁报告［ROL］. 北京: 安华金和数据库攻防实验室, 2015 ［20151019］. http:www.dbsec.cnservicepdf2015H1DATABASEVULNERABILITIESREPORT.pdf ［5］NTT Innovation Institute. Global threat intelligence report［ROL］. Palo Alto, California: NTT Group, 2015 ［20151019］. https:nttgroupsecurity.comarticlescontentarticlesdownloadthe2014report ［6］维基百科编者. SQL injection［GOL］. 维基百科, (20151019) ［20151019］. https:en.wikipedia.orgwikiSQL_injection ［7］马小婷, 胡国平, 李舟军. SQL注入漏洞检测与防御技术研究［J］. 计算机安全, 2010 (11): 1824 ［8］Doupé A, Cova M, Vigna G. Why johnny cant pentest: An analysis of blackbox Web vulnerability scanners［M］ Detection of Intrusions and Malware, and Vulnerability Assessment. Berlin: Springer, 2010: 111131 ［9］Huang Y W, Huang S K, Lin T P, et al. Web application security assessment by fault injection and behavior monitoring［C］ Proc of the 12th Int Conf on World Wide Web. New York: ACM, 2003: 148159 ［10］Liu Lei,Xu Jing, Li Minglei, et al. A dynamic SQL injection vulnerability test case generation model based on the multiple phases detection approach［C］ Proc of the 37th IEEE Annual Computer Software and Applications Conf. Piscataway, NJ: IEEE, 2013: 256261 ［11］Gould C, Su Z, Devanbu P. JDBC checker: A static analysis tool for SQLJDBC applications［C］ Proc of the 26th Int Conf on Software Engineering. Los Alamitos, CA: IEEE Computer Society, 2004: 697698 ［12］Livshits B V, Lam M S. Finding security errors in Java programs with static analysis［C］ Proc of the 14th USENIX Security Symp. Berkeley: USENIX Association, 2005: 271286 ［13］Whaley J, Lam M S. Cloningbased contextsensitive pointer alias analysis using binary decision diagrams［J］. ACM SIGPLAN Notices, 2004, 39(6): 131144 ［14］Martin M, Livshits B, Lam M S. Finding application errors using PQL: A program query language［R］. Palo Alto, California: Stanford University, 2004 ［15］Martin M, Livshits B, Lam M S. Finding application errors and security flaws using PQL: A program query language［J］. ACM SIGPLAN Notices, 2005, 40(10): 365383 ［16］丁翔, 仇寅, 郑滔. 一种利用PHP防御SQL注入攻击的方法［J］. 计算机工程, 2011, 37(11): 152153 ［17］李小花, 孙建华, 陈浩. 程序分析技术在SQL注入防御中的应用研究［J］. 小型微型计算机系统, 2011, 32(6): 10891093 ［18］谢亿鑫, 孙乐昌, 刘京菊. 基于数据流分析的SQL注入漏洞发现技术研究［J］. 微计算机信息, 2010 (15): 163165 ［19］Mono. Cecil［CPOL］. 2015 ［20150910］. http:www.monoproject.comdocstools+librarieslibrariesMono.Cecil［20］维基百科编者. Abstract syntax tree［GOL］. 维基百科, (20150908) ［20151019］. https:en.wikipedia.orgwikiAbstract_syntax_tree

[1]	. Obfuscated Android Malware Detection Based on Random Forest [J]. Journal of Information Security Research, 2021, 7(2): 126-135.
[2]	. The Study of Defect Patterns Matching Based on Static Analysis [J]. Journal of Information Security Research, 2018, 4(4): 359-363.
[3]	. Method on the Detection of Second-Order Vulnerability for PHP Applications [J]. Journal of Information Security Research, 2018, 4(4): 380-386.
[4]	. Research on security audit method of source code [J]. Journal of Information Security Research, 2018, 4(11): 977-986.
[5]	Mei-Rong Mei-rongWEI. Analysis of Host Anomaly Behavior Based on Stream Data Feature Matchinge [J]. Journal of Information Security Research, 2017, 3(5): 469-476.
[6]	. Research on Android Application Permission Monitor [J]. Journal of Information Security Research, 2017, 3(2): 139-144.
[7]	Sun Wei. Research and Application of Security Data Space Construction Method [J]. Journal of Information Security Research, 2016, 2(12): 1098-1104.
[8]	Zhang Bingqi Sun Wei. A PHP Source-code SQL Injection Attack Detection Algorithm Based on Taint Tracking [J]. Journal of Information Security Research, 2015, 1(2): 140-148.