ISSN 1000-1239 CN 11-1777/TP

Journal of Computer Research and Development (计算机研究与发展) ›› 2016, Vol. 53 ›› Issue (10): 2262-2276. doi: 10.7544/issn1000-1239.2016.20160443

Special topic: 2016 Special Issue on Advances in Cyberspace Shared Security Research

• Information Security •



  1. 1(Institute of Computer Science and Technology, Peking University, Beijing 100080); 2(University of California, Berkeley, Berkeley, CA 94720); 3(Baidu USA LLC, Sunnyvale, CA 94089)
  • Published: 2016-10-01
  • Funding: This work was supported by the National Natural Science Foundation of China (61572149, 61402125).

SQL Injection Prevention Based on Sensitive Characters

Zhang Huilin1, Ding Yu1, Zhang Lihua1, Duan Lei1, Zhang Chao2, Wei Tao3, Li Guancheng1, Han Xinhui1   

  1. 1(Institute of Computer Science and Technology, Peking University, Beijing 100080); 2(University of California at Berkeley, Berkeley, CA, 94720); 3(Baidu USA Limited Liability Company, Sunnyvale, CA, 94089)
  • Online: 2016-10-01

Abstract (Chinese version): SQL injection attacks have a long history, and their detection mechanisms have been studied extensively. Existing research combines taint analysis with syntactic analysis of SQL statements to detect SQL injection attacks, but because the Web application execution engine must be modified to mark and track taint information, these approaches are hard to deploy and incur excessive time and space overhead. By analysing the mechanism of SQL injection attacks, this paper proposes an SQL injection defence method based on sensitive characters: 1) positive taint marking is applied only to trusted sensitive characters that originate from constant strings; 2) no modification of the Web application execution engine is needed, since an encoding conversion stores the taint information directly in the encoded values of the trusted sensitive characters, whose propagation through the program is then tracked dynamically; 3) no syntactic analysis of SQL statements is needed: the encoded values alone determine the origin of each sensitive character in an SQL statement, and escaping the untrusted sensitive characters defends against SQL injection. A prototype system, PHPGate, is implemented on PHP's Zend engine as a plugin and is easy to deploy. Experiments show that PHPGate prevents SQL injection attacks precisely, improves taint-propagation efficiency, and adds no more than 1.6% to page response time.

Keywords (Chinese version): SQL injection attack, trusted sensitive character, dynamic taint analysis, positive taint analysis, encoding conversion

Abstract: SQL injection attacks are prevalent Web threats. Researchers have proposed many taint analysis solutions to defeat this type of attack, but few are efficient and practical to deploy. In this paper, we propose a practical and accurate SQL injection prevention method by tainting trusted sensitive characters into extended UTF-8 encodings. Unlike typical positive taint analysis solutions that taint all characters in hard-coded strings written by the developer, we taint only the trusted sensitive characters in these hard-coded strings. Furthermore, rather than modifying the Web application interpreter to track taint information in extra memory, we encode the taint metadata into the bytes of the trusted sensitive characters themselves, exploiting the characteristics of UTF-8 encoding. Lastly, we identify and escape untrusted sensitive characters in SQL statements to prevent SQL injection attacks, without parsing the SQL statements. A prototype called PHPGate is implemented as an extension on the PHP Zend engine. The evaluation results show that PHPGate can protect Web applications from real-world SQL injection attacks and introduces a low performance overhead (less than 1.6%).

Key words: SQL injection attack, trusted sensitive character, dynamic taint analysis, positive taint analysis, UTF-8 encoding
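The three steps described in both abstracts (taint only the sensitive characters of developer-written constants, let the taint travel inside the character encoding so ordinary string operations propagate it, then escape at the SQL sink without parsing) can be illustrated in a few lines of Python. This is an added example, not PHPGate's code or anything from the paper: where PHPGate stores the taint bit in an extended UTF-8 byte sequence inside the Zend engine, the simulation below maps each trusted sensitive character to a code point in the Unicode Private Use Area, which gives the same property (concatenation and slicing carry the mark along for free). The sensitive-character set, the `T()` marker, the backslash escaping rule and the sample query are all constructed assumptions.

```python
"""Positive tainting of sensitive characters, simulated in plain Python.

Assumption (not PHPGate's mechanism): a trusted sensitive character is rewritten
to code point PUA_BASE + ord(ch) in the Private Use Area. Because the mark lives
inside the character itself, no interpreter changes are needed to track it.
"""

# Characters that can change SQL structure. The paper does not publish its set;
# this list is a constructed assumption for the example.
SENSITIVE = "'\"\\;#-/*"
PUA_BASE = 0xE000  # U+E000.. is the Private Use Area; stands in for the extended UTF-8 encoding


def _to_trusted(ch: str) -> str:
    return chr(PUA_BASE + ord(ch))


def _from_trusted(ch: str) -> str:
    return chr(ord(ch) - PUA_BASE)


def _is_trusted(ch: str) -> bool:
    # Only ASCII sensitive characters are ever marked, so the range is small.
    return PUA_BASE <= ord(ch) < PUA_BASE + 0x80


def T(literal: str) -> str:
    """Step 1: mark a developer-written constant. Only its sensitive characters
    receive the trusted encoding; everything else is left untouched."""
    return "".join(_to_trusted(c) if c in SENSITIVE else c for c in literal)


def sanitize(sql: str) -> tuple[str, int]:
    """Step 3: at the SQL sink, decide each sensitive character's origin purely
    from its encoded value. Trusted ones are restored, untrusted ones are
    backslash-escaped (MySQL-style string escaping, assumed here). No SQL
    parsing is involved. Returns (safe_sql, number_of_untrusted_sensitive_chars),
    the count being a useful detection signal for logging or alerting."""
    out, untrusted = [], 0
    for c in sql:
        if _is_trusted(c):
            out.append(_from_trusted(c))   # came from a constant string
        elif c in SENSITIVE:
            out.append("\\" + c)           # came from input (or was never marked)
            untrusted += 1
        else:
            out.append(c)
    return "".join(out), untrusted


def build_query(username: str) -> str:
    """Step 2: application code concatenates constants and untrusted input.
    The quotes written by the developer are marked; the ones inside `username`
    are not, and ordinary string operations preserve that distinction."""
    return T("SELECT * FROM users WHERE name = '") + username + T("'")


if __name__ == "__main__":
    # Constructed inputs: a plain name and one containing a legitimate apostrophe.
    for name in ("alice", "O'Brien"):
        safe, n_untrusted = sanitize(build_query(name))
        print(f"{name!r}: untrusted sensitive chars = {n_untrusted}\n  {safe}")
```

Two points worth noticing when running it: the developer's own `'` around the value survives unescaped because its origin is encoded in the character, while the apostrophe in `O'Brien` is escaped even though the sink never parsed the statement; and forgetting to wrap a constant in `T()` fails safe, since its sensitive characters are then treated as untrusted and escaped rather than silently trusted.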