SQLMVED：基于多变体执行的SQL注入运行时防御系统

doi:10.11959/j.issn.1000-436x.2021046

摘要/Abstract

摘要：

SQL解析过程中利用随机化进行SQL注入攻击（SQLIA）防御的有效性是建立在攻击者不了解当前系统采用的具体随机化方法的基础上，因此，攻击者一旦掌握了当前系统的随机化形式，便能够实施有效的SQLIA。为了解决该问题，基于多变体执行设计出一种SQL注入运行时防御系统，多变体间采用互不相同的随机化方法，攻击者注入的非法 SQL 无法同时被所有变体解析成功，即使在攻击者掌握了随机化方法的情况下，非法SQL也最多只能被某一变体解析成功，利用表决机制对多变体的响应结果或解析结果进行表决，及时发现异常，阻断SQLIA的攻击路径。面向Web服务实现了原型系统SQLMVED，实验证明该系统能够有效抵御SQLIA。

关键词: SQL注入攻击, 运行时防御, 多变体执行, 随机化

Abstract:

The effectiveness of combining SQL statement parsing with randomization to defend against SQL injection attack (SQLIA) was based on the fact that attackers did not know about the current method of randomization adopted by system.Therefore, once attackers had mastered the current method of randomization who can launch effective SQLIA.In order to solve this problem, a SQL injection runtime prevention system based on multi-variant execution was designed, the multi-variant apply randomization methods from any other, so that illegal SQL statements could not be parsed successfully by all variants.Even if attackers had mastered the method of randomization, illegal SQL statements could only be parsed successfully by a certain variant at most, meanwhile the parsing results of multiple variants were voted to find the abnormality in time and block attack path.The prototype system SQLMVED is implemented for Web services and experiments show that the prototype can effectively defeat SQLIA.

Key words: SQL injection attack, runtime prevention, multi-variant execution, randomization

中图分类号:

TP393

马博林, 张铮, 刘浩, 邬江兴. SQLMVED：基于多变体执行的SQL注入运行时防御系统[J]. 通信学报, 2021, 42(4): 127-138.

Bolin MA, Zheng ZHANG, Hao LIU, Jiangxing WU. SQLMVED: SQL injection runtime prevention system based on multi-variant execution[J]. Journal on Communications, 2021, 42(4): 127-138.

图/表 20

图1

表1

图2

图3

图4

图5

图6

图7

图8

图9

图10

图11

图12

表2

表3

表4

图13

图14

图15

图16

参考文献 28

[1]	BOYD S W , KEROMYTIS A D . SQLrand:preventing SQL injection attacks[C]// International Conference on Applied Cryptography and Network Security. Berlin:Springer, 2004: 292-302.
[2]	马博林, 张铮, 陈源 ,等. 基于指令集随机化的抗代码注入攻击方法[J]. 信息安全学报, 2020,5(4): 30-43.
	MA B L , ZHANG Z , CHEN Y ,et al. The defense method for code-injection attacks based on instruction set randomization[J]. Journal of Cyber Security, 2020,5(4): 30-43.
[3]	方滨兴 . 定义网络空间安全[J]. 网络与信息安全学报, 2018,4(1): 1-5.
	FANG B X . Define cyberspace security[J]. Chinese Journal of Network and Information Security, 2018,4(1): 1-5.
[4]	SHAR L K , TAN H B K . Defeating SQL injection[J]. Computer, 2013,46(3): 69-77.
[5]	MCCLURE R A , KRUGER I H . SQL DOM:compile time checking of dynamic SQL statements[C]// Proceedings of 27th International Conference on Software Engineering. Piscataway:IEEE Press, 2005: 88-96.
[6]	COOK W R , RAI S . Safe query objects:statically typed objects as remotely executable queries[C]// Proceedings of 27th International Conference on Software Engineering. Piscataway:IEEE Press, 2005: 97-106.
[7]	KIEYZUN A , GUO P J , JAYARAMAN K ,et al. Automatic creation of SQL Injection and cross-site scripting attacks[C]// 2009 IEEE 31st International Conference on Software Engineering. Piscataway:IEEE Press, 2009: 199-209.
[8]	孙歆, 姚一杨, 卢新岱 ,等. 基于HTTP代理的模糊测试技术研究[J]. 网络与信息安全学报, 2016,2(2): 75-86.
	SUN X , YAO Y Y , LU X D ,et al. Research and implementation of fuzzing testing based on HTTP proxy[J]. Chinese Journal of Network and Information Security, 2016,2(2): 75-86.
[9]	KAR D , PANIGRAHI S , SUNDARARAJAN S . SQLiGoT:detecting SQL injection attacks using graph of tokens and SVM[J]. Computers＆ Security, 2016,60: 206-225.
[10]	韩宸望, 林晖, 黄川 . 基于SQL语法树的SQL注入过滤方法研究[J]. 网络与信息安全学报, 2016,2(11): 70-77.
	HAN C W , LIN H , HUANG C . Research on the SQL injection filtering based on SQL syntax tree[J]. Chinese Journal of Network and Information Security, 2016,2(11): 70-77.
[11]	赵宇飞, 熊刚, 贺龙涛 ,等. 面向网络环境的SQL注入行为检测方法[J]. 通信学报, 2016,37(2): 88-97.
	ZHAO Y F , XIONG G , HE L T ,et al. Approach to detecting SQL injection behaviors in network environment[J]. Journal on Communications, 2016,37(2): 88-97.
[12]	APPELT D , PANICHELLA A , BRIAND L . Automatically repairing web application firewalls based on successful SQL injection attacks[C]// 2017 IEEE 28th International Symposium on Software Reliability Engineering. Piscataway:IEEE Press, 2017: 339-350.
[13]	张慧琳, 丁羽, 张利华 ,等. 基于敏感字符的SQL注入攻击防御方法[J]. 计算机研究与发展, 2016,53(10): 2262-2276.
	ZHANG H L , DING Y , ZHANG L H ,et al. SQL injection prevention based on sensitive characters[J]. Journal of Computer Research and Development, 2016,53(10): 2262-2276.
[14]	NGUYEN-TUONG A , GUARNIERI S , GREENE D ,et al. Automatically hardening Web applications using precise tainting[C]// IFIP International Information Security Conference. Berlin:Springer, 2005: 295-307.
[15]	PIETRASZEK T , BERGHE C V . Defending against injection attacks through context-sensitive string evaluation[C]// International Conference on Recent Advances in Intrusion Detection. Berlin:Springer, 2005: 124-145.
[16]	HALFOND W G J , ORSO A . AMNESIA:analysis and monitoring for NEutralizing SQL-injection attacks[C]// Proceedings of the 20th IEEE/ACM International Conference on Automated Software Engineering. New York:ACM Press, 2005: 174-183.
[17]	何成万, 叶志鹏 . 基于AOP和动态污点分析的SQL注入行为检测方法[J]. 电子学报, 2019,47(11): 2413-2419.
	HE C W , YE Z P . SQL injection behavior detection method based on AOP and dynamic taint analysis[J]. Acta Electronica Sinica, 2019,47(11): 2413-2419.
[18]	HRANICKY R , ZOBAL L , RY?AVY O . Distributed password cracking with BOINC and hashcat[J]. Digital Investigation, 2019,30: 161-172.
[19]	KNOWLTON K C . A combination hardware-software debugging system[J]. IEEE Transactions on Computers, 1968,100(1): 84-86.
[20]	COX B , EVANS D , FILIPI A ,et al. N-Variant systems:a secretless framework for security through diversity[C]// Proceedings of the 15th conference on USENIX Security Symposium. New York:ACM Press, 2006: 105-120.
[21]	BERGER E D , ZORN B G . DieHard:probabilistic memory safety for unsafe languages[C]// ACM SIGPLAN Conference on Programming Language Design ＆ Implementation. New York:ACM Press, 2006: 158-168.
[22]	NOVARK G , BERGER E D . DieHarder:securing the heap[C]// Proceedings of the 17th ACM Conference on Computer and Communications Security. New York:ACM Press, 2010: 1-12.
[23]	NOVARK G , BERGER E D , ZORN B G . Exterminator:automatically correcting memory errors with high probability[J]. ACM SIGPLAN Notices, 2007,42(6): 1-11.
[24]	邬江兴 . 网络空间拟态防御研究[J]. 信息安全学报, 2016,1(4): 1-10.
	WU J X . Research on cyber mimic defense[J]. Journal of Cyber Security, 2016,1(4): 1-10.
[25]	WU J X . Cyberspace mimic defense[M]. Cham: Springer International Publishing, 2020.
[26]	张铮, 马博林, 邬江兴 . web服务器拟态防御原理验证系统测试与分析[J]. 信息安全学报, 2017,2(1): 13-28.
	ZHANG Z , MA B L , WU J X . The test and analysis of prototype of mimic defense in web servers[J]. Journal of Cyber Security, 2017,2(1): 13-28.
[27]	马博林, 张铮, 刘健雄 . 应用于动态异构 web 服务器的相似度求解方法[J]. 计算机工程与设计, 2018,39(1): 282-287.
	MA B L , ZHANG Z , LIU J X . Similarity calculation method applied to dynamic heterogeneous web server system[J]. Computer Engineering and Design, 2018,39(1): 282-287.
[28]	唐海娜, 林小拉, 韩春静 . 基于移动指针的数据流冗余消除算法[J]. 通信学报, 2012,33(2): 7-14.
	TANG H N , LIN X L , HAN C J . Duplicate elimination algorithm for data streams with SKIP Bloom filter[J]. Journal on Communications, 2012,33(2): 7-14.

攻击类型	攻击目标	示例
重言式	1)、2)	SELECT account FROM users WHERE login = ’zhangsan’ or 1=1-- ’ AND pass=’1234’;
批量查询	1)、2)、3)	SELECT account FROM users WHERE login = ’zhangsan’ AND pass=’ ’; drop table users -- ’;
错误回显	2)、3)、4)	SELECT account FROM users WHERE login = ’zhangsan’ AND (SELECT 1 FROM (SELECT count(),concat((SELECT account FROM users WHERE login = ’zhangsan’),floor(rand(0)2))x FROM users group by x)a)-- ’ AND pass=’1234’；
联合查询	1)、2)	SELECT account FROM users WHERE login = ’zhangsan’ UNION SELECT * FROM users WHERE login = ’zhangsan’ -- ’ AND pass=’1234’;
存储过程	1)、2)、3)	CREATE PROCEDURE DBO.isAuthenticated
		@userName varchar2, @pass varchar2, @pin int AS
		EXEC(’’SELECT accounts FROM users WHERE login=’’’ +@userName+ ’’’ AND pass=’’’ +@password+ ’’’ AND pin=’’+@pin); GO
盲注	2)、4)	布尔盲注(bool blind injection)
		SELECT account FROM users WHERE login=’zhangsan’ AND SELECT length(database())>n-- ’ AND pass=’1234’;
		时间盲注(time blind injection)
		SELECT account FROM users WHERE login=’zhangsan’ AND if(length(database())>=8,sleep(5),1)-- ’ AND pass=’1234’;
交替编码	5)	SELECT account FROM users WHERE login=’zhangsan’; exec(char(0x73687574646f776e)) -- AND pass=’’;

架构		操作系统	服务器	中间件	数据库
LAMP		CentOS	Apache	php-fpm	MySQL
	用户请求代理	CentOS	Nginx	python	—
	E₁变体	CentOS	Apache	php-fpm	—
本文架构	E₂变体	CentOS	Apache	php-fpm	—
	E₃变体	CentOS	Apache	php-fpm	—
	数据库代理	CentOS	—	sqlparse python	—
	数据库	Windows10	—	—	MySQL

应用程序	注入点	LAMP架构	SQLMVED架构
	GET/Search	×	√
	POST/Select	×	√
	Login Form/Hero	×	√
	Drupal	×	×
	Stored User-Agent	×	√
	Blind Time-Based	×	√
	GET/Select	×	√
	AJAX/JSON/jQuery	×	√
bWAPP 2.2(Low)	Login Form/User	×	√
	Stored Blog	×	√
	Stored XML	×	√
	Blind SQLite	×	×
	POST/Search	×	√
	CAPTCHA	×	√
	SQLite	×	×
	Stored SQLite	×	×
	Blind Boolean-Based	×	√
	Blind Web Services/SOAP	×	√
DVWA 1.9(Low)	sqli	×	√
	sqli_blind	×	√
	Error Based- String(GET)	×	√
	Error Based- DoubleQuotes String(GET)	×	√
	Dump into Outfile(GET)	×	√
	Blind- Time based- Double Quotes- String(GET)	×	√
	Double Injection- String- with twist(POST)	×	√
	Blind- Time Based- Double quotes- String(POST)	×	√
	Header Injection- RefererError Based- string(POST)	×	√
	Error Based- Intiger(GET)	×	√
	Double Query- Single QuotesString(GET)	×	√
SQLI-LABS (Less 1~ 20)	Blind- Boolian- Single QuotesString(GET)	×	√
	Error Based- String(POST)	×	√
	Double Injection- Double quotes- String(POST)	×	√
	Update Query- Error based String(POST)	×	√
	Cookie Injection- Error Basedstring(POST)	×	√
	Error Based- String with Twist(GET)	×	√
	Double Query- Double QuotesString(GET)	×	√
	Blind- Time based- Single Quotes-String(GET)	×	√
	Error Based- Double quotesString(POST)	×	√
	Blind- Boolian BasedString(POST)	×	√
	Header Injection- Error Basedstring(POST)	×	√

类型	测试语句
读数据	SELECT account FROM users WHERE login='test' AND pass='1234';
写数据	UPDATE users SET account=92 WHERE login='test' AND pass='1234';