CN114936369A - SQL injection attack active defense method, system and storage medium based on mark


Info

Publication number
CN114936369A
Authority
CN
China
Prior art keywords
untrusted
variables
sql
variable
injection attack
Legal status (as listed by Google; an assumption, not a legal conclusion)
Granted
Application number
CN202210438587.9A
Other languages
Chinese (zh)
Other versions
CN114936369B (en)
Inventor
张涛
潘梦源
黄海东
Current Assignee (as listed by Google; may be inaccurate)
State Grid Jiangsu Electric Power Co Ltd
Sun Yat Sen University
Original Assignee
State Grid Jiangsu Electric Power Co Ltd
Sun Yat Sen University
Application filed by State Grid Jiangsu Electric Power Co Ltd and Sun Yat Sen University
Priority to CN202210438587.9A
Publication of CN114936369A
Application granted
Publication of CN114936369B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/22 Indexing; Data structures therefor; Storage structures
    • G06F16/2228 Indexing structures
    • G06F16/2246 Trees, e.g. B+trees
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/242 Query formulation
    • G06F16/2433 Query languages
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action


Abstract

The invention relates to the technical field of network security, in particular to a mark-based SQL injection attack active defense method, a mark-based SQL injection attack active defense system and a mark-based SQL injection attack active defense storage medium. The method comprises the following steps: converting the source code into an abstract syntax tree and defining untrusted variables; analyzing the variables in the abstract syntax tree line by line from top to bottom, analyzing the assignment and reference relations of all variables, constructing the variable dependency relation, and locating all untrusted variables in the source code; analyzing the abstract syntax tree to judge whether the database function parameters are trusted, and thereby whether the SQL statement contains an untrusted variable; if the SQL statement contains an untrusted variable, modifying the source code and marking the untrusted variable; adding code that filters the untrusted variable to the database function; and running the modified source code, intercepting the database function at the dynamic library level, identifying the string segment that comes from untrusted input, and checking and filtering that segment so that an SQL injection attack statement fails to execute.

Description

SQL injection attack active defense method, system and storage medium based on mark
Technical Field
The invention relates to the technical field of network security, in particular to a mark-based SQL injection attack active defense method, a mark-based SQL injection attack active defense system and a mark-based SQL injection attack active defense storage medium.
Background
Structured Query Language (SQL) is a special-purpose programming language for accessing data and for querying, updating and managing relational database systems; it is widely used in database systems such as Microsoft Access, DB2, Informix, Microsoft SQL Server, Oracle and Sybase.
Because some applications do not properly validate or filter the data entered by the user, an attacker can append additional SQL to the query predefined in the application and perform illegal operations without the administrator's knowledge, tricking the database server into executing arbitrary unauthorized queries and thereby obtaining the corresponding data.
At present, protection against code injection attacks mainly follows two technical approaches, program analysis and input rule matching: for example, identifying dangerous symbols in SQL statements and filtering them, or randomizing the SQL keywords in the program so that they differ from anything in the user input. These methods generally require prior analysis of the exploitation technique and attack behaviour and a corresponding safeguard, and have inherent shortcomings in the face of new, unknown attack behaviour or an attacker with prior knowledge of the protection system.
Disclosure of Invention
In order to cope better with unknown attack behaviour and achieve active defense, the invention provides a mark-based SQL injection attack active defense method, system and storage medium, suitable for a multi-language environment, which analyze the server source code using the principle of taint analysis and mark the untrusted variables.
The defense method adopts the following technical scheme. The mark-based SQL injection attack active defense method comprises the following steps:
converting the source code into an abstract syntax tree, defining a series of untrusted variables, and constructing an untrusted variable list;
analyzing the variables in the abstract syntax tree line by line from top to bottom, analyzing the assignment and reference relations of all variables in the abstract syntax tree, and constructing the variable dependency relation, thereby locating all untrusted variables in the source code and recording them in the untrusted variable list;
after the analysis of the untrusted variables is finished, analyzing the abstract syntax tree again, searching for the database function in the abstract syntax tree, analyzing the parameters of the database function, judging whether the parameters are trusted, and thereby judging whether the SQL statement contains an untrusted variable;
if the SQL statement contains an untrusted variable, modifying the source code and marking the untrusted variable in the parameter of the database function;
after the source code is modified, rewriting the database function and adding code that filters the untrusted variable to the database function;
when the modified source code is run, intercepting the database function at the dynamic library level, identifying by the mark the string segment of the SQL statement that comes from untrusted input, and checking and filtering that segment according to a set filtering strategy, so that an SQL injection attack statement fails to execute.
The defense system adopts the following technical scheme. The mark-based SQL injection attack active defense system comprises:
a list construction module, used for converting the source code into an abstract syntax tree, defining a series of untrusted variables and constructing an untrusted variable list;
a variable analysis module, used for analyzing the variables in the abstract syntax tree line by line from top to bottom, analyzing the assignment and reference relations of all variables in the abstract syntax tree, and constructing the variable dependency relation, so as to locate all untrusted variables in the source code and record them in the untrusted variable list;
a parameter analysis and judgment module, used for analyzing the abstract syntax tree again after the analysis of the untrusted variables is finished, searching for database functions in the abstract syntax tree, analyzing the parameters of the database functions, judging whether the parameters are trusted, and thereby judging whether the SQL statements contain untrusted variables;
a variable marking module, used for modifying the source code and marking the untrusted variable in the parameter of the database function when the SQL statement contains an untrusted variable;
a code modification module, used for rewriting the database function after the source code is modified and adding code that filters the untrusted variable to the database function;
and a dynamic library interception module, used for intercepting the database function at the dynamic library level when the modified source code is run, identifying by the mark the string segment of the SQL statement that comes from untrusted input, and checking and filtering that segment according to a set filtering strategy, so that an SQL injection attack statement fails to execute.
The storage medium of the invention stores computer instructions which, when executed by a processor, implement the steps of the SQL injection attack active defense method.
Compared with the prior art, the invention has the following technical effects:
1. The invention uses static analysis of the source code to mark the untrusted variables in SQL statements, thereby locating them precisely; it then locates the untrusted variable by its mark at run time and dynamically filters harmful input to prevent SQL injection. The method avoids filtering trusted variables by mistake, filters untrusted variables more effectively, and improves accuracy.
2. Compared with traditional static analysis methods that process every SQL statement, the method only processes SQL statements that contain untrusted variables, which reduces the run-time cost of filtering to a certain extent.
3. The invention performs static analysis on an abstract syntax tree, so the analysis method can be applied to many languages.
4. The invention intercepts the database function at the dynamic library level, which suits complex multi-language usage scenarios better and has stronger generality.
Drawings
FIG. 1 is a flow chart of a defense method in an embodiment of the invention;
FIG. 2 is a diagram illustrating an untrusted variable filtering mode according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a defense system according to an embodiment of the present invention.
Detailed Description
In general, the invention analyzes the server source code using the principle of taint analysis and marks the untrusted variables. Taint analysis is a technique for tracking and analyzing the flow of tainted information through a program. In vulnerability analysis, the data of interest is marked as taint data, and by tracking the flow of information derived from that data one learns whether it can affect certain key program operations, so that program vulnerabilities can be discovered.
The main process of the invention is as follows: first, the source code of the database application is converted into an Abstract Syntax Tree (AST), and the untrusted input variables used in SQL statements are marked by static analysis of the AST and modification of the source code; then the database access function in the program is intercepted at run time via a dynamic library hook, and the marked untrusted input strings in the SQL statement are checked for validity and filtered according to general rules, so that an SQL injection attack statement fails to execute.
The following further describes embodiments of the present invention with reference to examples and drawings, but the embodiments of the present invention are not limited thereto.
Example 1
This embodiment provides a mark-based active defense method against SQL injection attack, as shown in FIG. 1, including the following steps:
S1: converting the source code of the database application into an abstract syntax tree, defining a series of taint sources, setting user input variables such as $_GET and $_POST as untrusted variables, and constructing an untrusted variable list.
S2: analyzing the variables in the abstract syntax tree line by line from top to bottom, analyzing the assignment and reference relations of all variables in the abstract syntax tree, and constructing the variable dependency relation, that is, tracking the flow of taint data through the program, thereby locating all untrusted variables in the source code and recording them in the untrusted variable list.
During the location of untrusted variables, the search can start from the database access function: the untrusted variables referenced in the string that forms the SQL statement are found and labeled, so that the positions of all untrusted inputs in the SQL statement string are marked.
A variable is also considered untrusted if it is assigned from another untrusted variable. For example, in "$name = $_GET['name']" the variable $name is assigned from the $_GET variable and is therefore added to the untrusted variable list.
S3: after the untrusted variables have been analyzed, analyzing the abstract syntax tree again, searching for a database function such as mysqli_query, analyzing the parameters of the database function, judging whether the parameters are trusted, and thereby judging whether the SQL statement contains an untrusted variable.
The database function is the attack point of an SQL injection attack: malicious injected code is usually passed to the database through the database function, where the corresponding operation is executed, and the SQL statement in the database function is usually built from user input, which is the root cause of SQL injection.
The SQL statement in the database function is analyzed; if it is an untrusted variable, the statement depends on user input and is a potential attack point. For example, in "$sql = "select * from table where name='$name'"", $sql is an SQL statement consisting of two parts, the string constant "select * from table where name='" ... "'" and the untrusted variable $name, so the SQL statement contains an untrusted variable. If the SQL statement is a trusted variable, it is composed only of program built-in variables or constants and cannot become an attack point.
S4: if the SQL statement contains an untrusted variable, modifying the source code and marking the untrusted variable in the parameter of the database function.
If the SQL statement contains an untrusted variable, it must be processed: the program (that is, the source code) is modified, the process ID is used as a label, and the user input part of the statement is marked to form a new SQL statement. For example, the variable $sql is processed to obtain "$sql = "select * from table where name='<$pid>$name<$pid>'"", where <$pid> is the label and $pid is a variable generated from the process ID. Each time the code is run a new process is created and the process ID is randomly generated anew, so an attacker is effectively prevented from using prior knowledge to circumvent the defense system.
S5: after the source code is modified, the static analysis part is complete; the database function is then rewritten, and code that filters the untrusted variable is added to it.
The filtering process comprises the following steps:
generating a label from the current process ID;
locating the untrusted variable of the SQL statement in the database function by means of the generated label;
filtering the untrusted variable according to a set filtering strategy to remove possible malicious code in it;
wherein the set filtering strategy is as follows: common SQL injection attack code found on the Internet is summarized to obtain a set of general composition patterns of SQL injection attack statements, for example an attack statement usually contains a comment symbol and SQL keywords (such as INSERT, DELETE and the like); based on these statement patterns, a decision tree is used to check the input length, special symbols and similar properties of the SQL statement, so as to filter the untrusted variable and remove possible malicious code. A simple filtering mode is shown in FIG. 2; the user can review the filtering results in the filtering log generated by the program and adjust the filtering strategy to reduce the false positive rate and the false negative rate;
constructing a new SQL statement from the filtered untrusted variable;
and calling the system database function again, passing the SQL statement to the SQL engine so that the corresponding database operation is executed.
S6: when the modified source code is run, intercepting calls to the database access function, that is, intercepting the database function at the dynamic library level, identifying by the mark the string segment of the SQL statement that comes from untrusted input, and checking and filtering that segment according to the set filtering strategy, so that an SQL injection attack statement fails to execute.
When the database function is intercepted at the dynamic library level, the rewritten database function is called in place of the system database function every time the database function is called, so that the SQL statement is filtered on every call and SQL injection attacks are better prevented.
In this step, interception at the dynamic library level has two benefits. On the one hand, input can be filtered without modifying the system database function, which avoids unknown side effects of a user modifying that function and improves the stability and convenience of the system. On the other hand, most scripting languages such as Python and PHP call a C dynamic library for database processing in order to improve running speed, so intercepting and modifying only the C dynamic library handles several languages at once; the method and system can therefore be applied to more complex usage scenarios, which improves the generality of the technical scheme of the invention.
For example, suppose a user enters malicious code so that the user input variable is $name = "' or 1=1#". If the SQL statement is neither modified nor filtered, the statement passed to the database function is select * from table where name='' or 1=1#', which is a tautology: executing it returns all the data in the table without the correct parameter being supplied, completing an SQL injection attack. After the code modification, the SQL statement passed to the database function is select * from table where name='<$pid>' or 1=1#<$pid>'; the database function is intercepted at the dynamic library level and the content between the labels is filtered, giving the new SQL statement select * from table where name='', so the malicious code in the SQL statement has been filtered out and the SQL injection attack is avoided.
Example 2
This embodiment is based on the same inventive concept as Example 1 and provides a mark-based SQL injection attack active defense system comprising the following modules:
a list construction module, used for converting the source code into an abstract syntax tree, defining a series of untrusted variables and constructing an untrusted variable list;
a variable analysis module, used for analyzing the variables in the abstract syntax tree line by line from top to bottom, analyzing the assignment and reference relations of all variables in the abstract syntax tree, and constructing the variable dependency relation, so as to locate all untrusted variables in the source code and record them in the untrusted variable list;
a parameter analysis and judgment module, used for analyzing the abstract syntax tree again after the analysis of the untrusted variables is finished, searching for database functions in the abstract syntax tree, analyzing the parameters of the database functions, judging whether the parameters are trusted, and thereby judging whether the SQL statements contain untrusted variables;
a variable marking module, used for modifying the source code and marking the untrusted variable in the parameter of the database function when the SQL statement contains an untrusted variable;
a code modification module, used for rewriting the database function after the source code is modified and adding code that filters the untrusted variable to the database function;
and a dynamic library interception module, used for intercepting the database function at the dynamic library level when the modified source code is run, identifying by the mark the string segment of the SQL statement that comes from untrusted input, and checking and filtering that segment according to a set filtering strategy, so that an SQL injection attack statement fails to execute.
During the location of untrusted variables, the variable analysis module starts its search from the database access function, finds the untrusted variables referenced in the string that forms the SQL statement and labels them, so that the positions of all untrusted inputs in the SQL statement string are marked.
The filtering process of the code added to the database function by the code modification module comprises the following steps:
generating a label from the current process ID;
locating the untrusted variable of the SQL statement in the database function by means of the generated label;
filtering the untrusted variable according to a set filtering strategy to remove possible malicious code in it;
constructing a new SQL statement from the filtered untrusted variable;
and calling the system database function again, passing the SQL statement to the SQL engine so that the corresponding database operation is executed.
In the code modification module, the set filtering strategy is as follows:
common SQL injection attack code found on the Internet is summarized to obtain general composition patterns of SQL injection attack statements; based on these statement patterns, a decision tree is used to check the input length and special-symbol information of the SQL statement so as to filter the untrusted variables.
As shown in FIG. 3, in a practical deployment of the defense system of this embodiment, the variable analysis module, the parameter analysis and judgment module and the variable marking module can be provided as a source code static analysis and marking tool, which analyzes the original source code of the database application and marks the untrusted variables, producing the marked source code of the database application; the code modification module compiles and executes, or interprets and executes, the marked source code; the dynamic library interception module generates a database function dynamic library containing the filtering rules, whose call priority is higher than that of the system dynamic library, so that when the application calls the database function it preferentially calls the rewritten dynamic library, and the input is filtered by the rewritten database function.
This embodiment further provides a storage medium on which computer instructions are stored; when the computer instructions are executed by a processor, the steps of the SQL injection attack active defense method of Example 1 are implemented.
While the foregoing is directed to the preferred embodiment of the present invention, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (10)

1. A mark-based SQL injection attack active defense method, characterized by comprising the following steps:
converting the source code into an abstract syntax tree, defining a series of untrusted variables, and constructing an untrusted variable list;
analyzing the variables in the abstract syntax tree line by line from top to bottom, analyzing the assignment and reference relations of all variables in the abstract syntax tree, and constructing the variable dependency relation, thereby locating all untrusted variables in the source code and recording them in the untrusted variable list;
after the analysis of the untrusted variables is finished, analyzing the abstract syntax tree again, searching for the database function in the abstract syntax tree, analyzing the parameters of the database function, judging whether the parameters are trusted, and thereby judging whether the SQL statement contains an untrusted variable;
if the SQL statement contains an untrusted variable, modifying the source code and marking the untrusted variable in the parameter of the database function;
after the source code is modified, rewriting the database function and adding code that filters the untrusted variable to the database function;
when the modified source code is run, intercepting the database function at the dynamic library level, identifying by the mark the string segment of the SQL statement that comes from untrusted input, and checking and filtering that segment according to a set filtering strategy, so that an SQL injection attack statement fails to execute.
2. The mark-based SQL injection attack active defense method according to claim 1, characterized in that during the location of the untrusted variables, the search starts from the database access function, the untrusted variables referenced in the string constituting the SQL statement are found and labeled, and the positions of all untrusted inputs in the SQL statement string are thereby marked.
3. The mark-based SQL injection attack active defense method according to claim 1, characterized in that the filtering process comprises:
generating a label from the current process ID;
locating the untrusted variable of the SQL statement in the database function by means of the generated label;
filtering the untrusted variable according to a set filtering strategy to remove possible malicious code in it;
constructing a new SQL statement from the filtered untrusted variable;
and calling the system database function again, passing the SQL statement to the SQL engine so that the corresponding database operation is executed.
4. The mark-based SQL injection attack active defense method according to claim 3, characterized in that the set filtering strategy is:
common SQL injection attack code found on the Internet is summarized to obtain general composition patterns of SQL injection attack statements; based on these statement patterns, a decision tree is used to check the input length and special-symbol information of the SQL statement so as to filter the untrusted variables.
5. The mark-based SQL injection attack active defense method according to claim 1, characterized in that when the database function is intercepted at the dynamic library level, the rewritten database function is called in place of the system database function each time the database function is called, so that the SQL statement is filtered on every call.
6. A mark-based SQL injection attack active defense system, characterized by comprising the following modules:
the list construction module is used for converting the source code into an abstract syntax tree, defining a set of untrusted variables and building an untrusted variable list;
the variable analysis module is used for analyzing the variables in the abstract syntax tree line by line from top to bottom, analyzing the assignment and reference relations of all variables in the abstract syntax tree and building a variable dependency relation, so as to locate all untrusted variables in the source code and record them in the untrusted variable list;
the parameter analysis and judgment module is used for analyzing the abstract syntax tree again once the analysis of the untrusted variables is finished, searching it for database functions, analyzing the parameters of each database function, judging whether those parameters are trusted and thereby judging whether the SQL statement contains untrusted variables;
the variable marking module is used for modifying the source code and marking the untrusted variables in the parameters of the database function when the SQL statement contains untrusted variables;
the code modification module is used for rewriting the database function after the source code has been modified and adding code that filters the untrusted variables to the database function;
and the dynamic library interception module is used for intercepting the database function through a dynamic library when the modified source code runs, identifying by the mark the portions of the SQL statement string that come from untrusted input, and checking and filtering those portions according to a set filtering policy, so that an SQL injection attack statement fails to execute.
7. The SQL injection attack active defense system as claimed in claim 6, characterized in that, while locating the untrusted variables, the variable analysis module starts its search from the database access function, finds and tags the untrusted variables referenced in the string that forms the SQL statement, and thereby marks the position of every untrusted input within the SQL statement string.
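The static stages of claims 6 and 7 (list construction, variable analysis, parameter analysis and variable marking), sketched as an added Python example that is not the patent's own code. It uses Python's `ast` module, so the program being analyzed is Python; the taint-source functions `input`/`request_param`, the database-function names `execute`/`query`, the marker function name `sqli_mark` and the sample program are all assumptions made for the demonstration. Where a database argument is only indirectly untrusted (built from an untrusted variable in an earlier assignment), the pass follows the dependency chain back, as claim 7 describes, and wraps the untrusted variable where it enters the string rather than wrapping the whole statement.

```python
import ast

TAINT_SOURCES = {"input", "request_param"}   # assumed: calls whose result is untrusted input
DB_FUNCS = {"execute", "query"}              # assumed: names of the database functions
MARKER = "sqli_mark"                         # assumed: runtime marker inserted around untrusted variables


def names_in(node):
    """Every variable name that occurs anywhere inside an expression."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def has_source_call(node):
    """True if the expression contains a call to one of the taint sources."""
    return any(isinstance(n, ast.Call) and isinstance(n.func, ast.Name)
               and n.func.id in TAINT_SOURCES for n in ast.walk(node))


class _WrapNames(ast.NodeTransformer):
    """Replace every read of a name in `names` by MARKER(name)."""
    def __init__(self, names):
        self.names = names

    def visit_Name(self, node):
        if isinstance(node.ctx, ast.Load) and node.id in self.names:
            return ast.Call(func=ast.Name(id=MARKER, ctx=ast.Load()), args=[node], keywords=[])
        return node


class TaintMarker(ast.NodeVisitor):
    """One top-to-bottom pass: propagate taint through assignments (the untrusted
    variable list), then at each database call trace the argument's dependency
    chain back to the variables fed by a taint source and wrap those."""
    def __init__(self):
        self.untrusted = set()    # the untrusted-variable list
        self.defs = {}            # name -> every Assign/AugAssign that defined it
        self.marked = []          # (line, name) of each inserted marker
        self._rewritten = set()   # ids of definitions already processed

    def _record(self, node, target, rhs):
        if not isinstance(target, ast.Name):
            return                                   # attribute/subscript targets: out of scope here
        tainted = has_source_call(rhs) or bool(names_in(rhs) & self.untrusted)
        if isinstance(node, ast.AugAssign) and target.id in self.untrusted:
            tainted = True                           # s += x keeps s untrusted
        if tainted:
            self.untrusted.add(target.id)
        else:
            self.untrusted.discard(target.id)        # overwritten by a trusted value
        self.defs.setdefault(target.id, []).append(node)

    def visit_Assign(self, node):
        self.generic_visit(node)
        for target in node.targets:
            self._record(node, target, node.value)

    def visit_AugAssign(self, node):
        self.generic_visit(node)
        self._record(node, node.target, node.value)

    def _mark(self, expr, line):
        """Wrap the untrusted leaves of `expr`; recurse into derived definitions."""
        leaves = set()
        for name in names_in(expr) & self.untrusted:
            defs = self.defs.get(name, [])
            if not defs or any(has_source_call(d.value) for d in defs):
                leaves.add(name)                     # fed directly by a source (or never defined here)
            else:
                for d in defs:                       # derived: mark inside the definition instead
                    if id(d) not in self._rewritten:
                        self._rewritten.add(id(d))
                        d.value = self._mark(d.value, d.lineno)
        self.marked.extend((line, n) for n in sorted(leaves))
        return _WrapNames(leaves).visit(expr)

    def visit_Call(self, node):
        self.generic_visit(node)
        func = node.func
        fname = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if fname in DB_FUNCS:
            node.args = [self._mark(arg, node.lineno) for arg in node.args]


def analyze_and_mark(source):
    """Return (rewritten source, untrusted variable list, marker sites)."""
    tree = ast.parse(source)
    marker = TaintMarker()
    marker.visit(tree)
    ast.fix_missing_locations(tree)
    return ast.unparse(tree), sorted(marker.untrusted), marker.marked


# Constructed sample program: one indirect and one direct untrusted SQL argument.
SAMPLE = """\
user = input()
limit = 10
sql = "SELECT id FROM accounts WHERE name = '" + user + "'"
sql += " LIMIT " + str(limit)
cur.execute(sql)
note = request_param("note")
cur.execute(f"INSERT INTO notes VALUES ('{note}')")
cur.execute("SELECT count(*) FROM accounts")
"""

if __name__ == "__main__":
    rewritten, untrusted, marked = analyze_and_mark(SAMPLE)
    print("untrusted variables:", untrusted)
    print("markers inserted at:", marked)
    print(rewritten)
```

For the sample, `sql` is untrusted but is not itself wrapped: the pass walks back to its definition on line 3 and wraps `user` there, while `limit` on line 4 stays untouched. A variable that is later overwritten with a trusted value is dropped from the list, so a stale taint does not cause spurious markers.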
8. The SQL injection attack active defense system of claim 6, wherein the filtering code that the code modification module adds to the database function performs the following process:
generating a label from the current process ID;
locating the untrusted variables of the SQL statement inside the database function by means of the generated label;
filtering the untrusted variables according to a set filtering policy to remove any malicious code they may contain;
constructing a new SQL statement from the filtered untrusted variables;
and calling the system's original database function again, passing it the new SQL statement so that the SQL engine executes the corresponding database operation.
9. The SQL injection attack active defense system of claim 8, wherein the set filtering policy is:
collecting the common SQL injection attack code found on the Internet and summarizing it into a general composition pattern of SQL injection attack statements; and, based on that composition pattern, checking the input length and the special-symbol information of the SQL statement with a decision tree in order to filter the untrusted variables.
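The runtime side, i.e. the filtering code that claims 3/4 and 8/9 add to the rewritten database function and that claim 5 reaches through dynamic-library interception, as an added Python example that is not the patent's own code. Assumptions: the label is the process ID fenced by two control bytes; the filtering policy is a small hand-written decision tree over length and special symbols, standing in for the one the patent derives from collected attack samples; and a `sqlite3` cursor subclass stands in for the intercepted system database function. The `sqli_mark` wrapper is what the static stage would have inserted around each untrusted variable; the table rows and the payloads are constructed for the demonstration.

```python
import os
import re
import sqlite3

# Assumed label format: the current process ID fenced by two control bytes that
# do not occur in ordinary input. Because the label is per process, an attacker
# outside the process cannot easily forge the markers around their own data.
PID_LABEL = f"\x02{os.getpid()}\x03"
LABELLED = re.compile(re.escape(PID_LABEL) + r"(.*?)" + re.escape(PID_LABEL), re.S)


def sqli_mark(value):
    """Marker the static rewriting stage inserts around each untrusted variable."""
    return f"{PID_LABEL}{value}{PID_LABEL}"


MAX_LEN = 64                                           # assumed length threshold
COMMENT_OR_TERMINATOR = re.compile(r"--|#|/\*|;")
QUOTE = re.compile(r"['\"\\]")
KEYWORD = re.compile(r"\b(OR|AND|UNION|SELECT|DROP|SLEEP|BENCHMARK)\b", re.I)


def decide(segment):
    """Hand-built decision tree over the length and special symbols of one
    untrusted segment. Returns (verdict, text to splice back into the statement)."""
    if len(segment) > MAX_LEN:
        return "drop", ""                              # node 1: oversized input
    if COMMENT_OR_TERMINATOR.search(segment):
        return "drop", ""                              # node 2: comment or statement terminator
    if QUOTE.search(segment):
        if KEYWORD.search(segment):
            return "drop", ""                          # node 3a: quote plus SQL keyword (tautology, UNION)
        return "escape", segment.replace("'", "''")    # node 3b: a lone quote (O'Brien) is escaped, not rejected
    return "pass", segment                             # leaf: nothing suspicious


def filter_sql(sql):
    """Locate every labelled segment, run it through the tree and rebuild the statement."""
    decisions = []

    def splice(match):
        verdict, cleaned = decide(match.group(1))
        decisions.append((match.group(1), verdict))
        return cleaned

    return LABELLED.sub(splice, sql), decisions


class GuardedCursor(sqlite3.Cursor):
    """Stand-in for the dynamic-library hook: every execute() passes through
    filter_sql() before the original database function sees the statement."""
    def execute(self, sql, parameters=()):
        filtered, self.last_decisions = filter_sql(sql)
        return super().execute(filtered, parameters)


def lookup(cur, user):
    # The vulnerable concatenation as the static stage would have rewritten it:
    # only the untrusted variable is wrapped, the surrounding code is unchanged.
    sql = "SELECT id FROM accounts WHERE name = '" + sqli_mark(user) + "'"
    rows = [r[0] for r in cur.execute(sql).fetchall()]
    return rows, [verdict for _, verdict in cur.last_decisions]


def demo():
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor(factory=GuardedCursor)
    cur.execute("CREATE TABLE accounts(id INTEGER, name TEXT, secret TEXT)")
    cur.executemany("INSERT INTO accounts VALUES (?, ?, ?)",      # constructed sample rows
                    [(1, "alice", "s1"), (2, "bob", "s2"), (3, "O'Brien", "s3")])
    payloads = ["alice", "O'Brien", "' OR 1=1 --", "' OR 'a'='a",
                "x' UNION SELECT secret FROM accounts --"]
    return {p: lookup(cur, p) for p in payloads}


if __name__ == "__main__":
    for payload, (rows, verdicts) in demo().items():
        print(f"{payload!r:45} rows={rows} verdicts={verdicts}")
```

Statements without a labelled segment (the `CREATE TABLE` above) pass through unchanged, so the hook is transparent to code that never touched untrusted input. The benign `O'Brien` lookup still finds its row because a lone quote is escaped rather than rejected, while each injection payload is emptied out and the query returns nothing.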
10. A storage medium having stored thereon computer instructions, wherein said computer instructions, when executed by a processor, implement the steps of the SQL injection attack active defense method of any of claims 1-5.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210438587.9A CN114936369B (en) 2022-04-25 2022-04-25 Active defense method, system and storage medium for SQL injection attack based on mark

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210438587.9A CN114936369B (en) 2022-04-25 2022-04-25 Active defense method, system and storage medium for SQL injection attack based on mark

Publications (2)

Publication Number Publication Date
CN114936369A true CN114936369A (en) 2022-08-23
CN114936369B CN114936369B (en) 2024-04-19

Family

ID=82861891

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210438587.9A Active CN114936369B (en) 2022-04-25 2022-04-25 Active defense method, system and storage medium for SQL injection attack based on mark

Country Status (1)

Country Link
CN (1) CN114936369B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070130620A1 (en) * 2005-11-22 2007-06-07 International Business Machines Corporation Method, computer arrangement, computer program and computer program product for checking for the presence of control statements in a data value
CN106355094A (en) * 2016-07-08 2017-01-25 耿童童 SQL (structured query language) injection attack defensive system and defensive method based on grammar transformation
CN108712448A (en) * 2018-07-09 2018-10-26 四川大学 An injection attack detection model based on dynamic taint analysis
CN108875366A (en) * 2018-05-23 2018-11-23 四川大学 An SQL injection behaviour detection system for PHP programs

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张慧琳; 丁羽; 张利华; 段镭; 张超; 韦韬; 李冠成; 韩心慧: "SQL injection attack defense method based on sensitive characters" (基于敏感字符的SQL注入攻击防御方法), Journal of Computer Research and Development (计算机研究与发展), no. 10, 15 October 2016 (2016-10-15) *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117251477A (en) * 2023-11-17 2023-12-19 吉贝克信息技术(北京)有限公司 Standardized inspection method and system for data development script based on SQL (structured query language) analysis
CN117251477B (en) * 2023-11-17 2024-02-20 吉贝克信息技术(北京)有限公司 Standardized inspection method and system for data development script based on SQL (structured query language) analysis

Also Published As

Publication number Publication date
CN114936369B (en) 2024-04-19

Similar Documents

Publication Publication Date Title
Jang et al. Detecting SQL injection attacks using query result size
Halfond et al. Preventing SQL injection attacks using AMNESIA
US11716349B2 (en) Machine learning detection of database injection attacks
Sadeghian et al. A taxonomy of SQL injection detection and prevention techniques
Hussain et al. Detanom: Detecting anomalous database transactions by insiders
CN111737150B (en) Taint analysis and verification method and device for SQLIA vulnerabilities in Java EE programs
Sajjadi et al. Study of SQL Injection attacks and countermeasures
Yeole et al. Analysis of different technique for detection of SQL injection
Amirtahmasebi et al. A survey of SQL injection defense mechanisms
CN113190839A (en) Web attack protection method and system based on SQL injection
Yan et al. Detection method of the second-order SQL injection in Web applications
CN114936369B (en) Active defense method, system and storage medium for SQL injection attack based on mark
Rankothge et al. Identification and mitigation tool for Sql injection attacks (SQLIA)
US20150121508A1 (en) Method, a computer program and apparatus for analyzing symbols in a computer
Naderi-Afooshteh et al. Joza: Hybrid taint inference for defeating web application sql injection attacks
Livshits et al. SecuriFly: Runtime protection and recovery from Web application vulnerabilities
Klein et al. Hand sanitizers in the wild: A large-scale study of custom javascript sanitizer functions
Alsahafi SQL injection attacks: Detection and prevention techniques
Zhao et al. Dynamic taint tracking of web application based on static code analysis
Ali et al. Review of the defensive approaches for structured query language injection attacks and their countermeasures
Medhane Efficient solution for SQL injection attack detection and prevention
Hallo et al. A survey on SQL injection attacks, detection and prevention techniques-a tertiary study
Perkins et al. AutoRand: Automatic keyword randomization to prevent injection attacks
Asha et al. Preventing sql injection attacks
Sunkari et al. Protect web applications against SQL Injection attacks using binary evaluation approach

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant