CN114936369B - Active defense method, system and storage medium for SQL injection attacks based on markers - Google Patents

Abstract

The present invention relates to the field of network security technology, and is a method, system and storage medium for active defense against SQL injection attacks based on marking. The method comprises: converting source code into an abstract syntax tree, defining untrusted variables; analyzing the variables in the abstract syntax tree line by line from top to bottom, analyzing the assignment reference relationship of all variables, building variable dependency relationships, and locating all untrusted variables in the source code; analyzing the abstract syntax tree, judging whether the database parameters are credible, and judging whether the SQL statement contains untrusted variables; if the SQL statement contains untrusted variables, modifying the source code and marking the untrusted variables; adding code for filtering and processing untrusted variables in the database function; running the modified source code, intercepting the database function with a dynamic library, identifying the string part of the untrusted input, checking and filtering the string part of the untrusted input, and realizing the operation failure of the SQL injection attack statement.

Description

Active defense method, system and storage medium for SQL injection attacks based on markers

Technical Field

The present invention relates to the technical field of network security, and is a method, system and storage medium for actively defending against SQL injection attacks based on markers.

Background technique

Structured Query Language (SQL) is a special-purpose programming language. It is a database query and programming language used to access data, query, update, and manage relational database systems. It is widely used in database systems such as Microsoft Access, DB2, Informix, Microsoft SQL Server, Oracle, Sybase, and others.

Because some applications do not judge the legitimacy of user input data or do not filter it strictly, attackers can add additional SQL statements to the end of pre-defined query statements in the application, perform illegal operations without the administrator's knowledge, and thereby deceive the database server into executing unauthorized arbitrary queries, thereby further obtaining corresponding data information.

At present, the security protection methods for code injection attacks mainly come from two technical ideas: program analysis and input rule matching, such as identifying dangerous symbols in SQL statements and filtering them; randomizing keywords in SQL statements in the program to distinguish them from user input, etc. These methods usually require analysis of the use method and attack behavior, and take corresponding protection measures, but there are inherent defects when facing new and unknown attack behaviors or when the attacker has prior knowledge of the protection system.

Summary of the invention

In order to better deal with unknown attack behaviors and achieve active defense, the present invention proposes a tag-based SQL injection attack active defense method, system and storage medium, which are suitable for multi-language environments, use the principle of taint analysis to analyze the server source code, and mark untrusted variables.

The technical solution adopted by the defense method of the present invention is: a tag-based SQL injection attack active defense method, comprising the following steps:

Convert the source code into an abstract syntax tree, define a series of untrusted variables, and build an untrusted variable list;

Analyze the variables in the abstract syntax tree line by line from top to bottom, analyze the assignment reference relationship of all variables in the abstract syntax tree, build variable dependency relationships, and thus locate all untrusted variables in the source code, and record the untrusted variables in the untrusted variable list;

After the analysis of untrusted variables is completed, the abstract syntax tree is analyzed again to find the database function in it, and the parameters in the database function are analyzed to determine whether the parameters are credible, and then determine whether the SQL statement contains untrusted variables;

If the SQL statement contains untrusted variables, modify the source code and mark the untrusted variables in the database function parameters;

After modifying the source code, rewrite the database function and add the code for filtering untrusted variables to the database function;

When the modified source code is run, the database function is intercepted by the dynamic library, the string part from the untrusted input in the SQL statement is identified according to the mark, and the string part of the untrusted input is checked and filtered according to the set filtering strategy, so as to achieve the failure of the operation of the SQL injection attack statement.

The technical solution adopted by the defense system of the present invention is: a SQL injection attack active defense system based on tags, including:

A list building module, which is used to convert source code into an abstract syntax tree and define a series of untrusted variables to build an untrusted variable list;

The variable analysis module is used to analyze the variables in the abstract syntax tree line by line from top to bottom, analyze the assignment reference relationship of all variables in the abstract syntax tree, build variable dependency relationships, thereby locating all untrusted variables in the source code, and record the untrusted variables in the untrusted variable list;

The parameter analysis and judgment module is used to analyze the abstract syntax tree again after the analysis of the untrusted variables is completed, find the database function in it, analyze the parameters in the database function, determine whether the parameters are credible, and then determine whether the SQL statement contains untrusted variables;

The variable marking module is used to modify the source code and mark the untrusted variables in the database function parameters when the SQL statement contains untrusted variables;

The code modification module is used to rewrite the database function after the source code is modified, and add the code for filtering untrusted variables to the database function;

The dynamic library interception module is used to intercept the database function in the dynamic library when running the modified source code, identify the string part from the untrusted input in the SQL statement according to the mark, and check and filter the string part of the untrusted input according to the set filtering strategy, so as to achieve the operation failure of the SQL injection attack statement.

The storage medium of the present invention stores computer instructions thereon, and when the computer instructions are executed by a processor, each step of the SQL injection attack active defense method of the present invention is implemented.

Compared with the prior art, the present invention has the following technical effects:

1. The present invention adopts a static analysis method to analyze the source code and mark the untrusted variables in the SQL statement, so that the untrusted variables in the SQL statement can be accurately located; then the untrusted variables are located according to the marks and harmful inputs are dynamically filtered to prevent SQL injection; the erroneous filtering of trusted variables is avoided, and the untrusted variables can be better filtered and processed, thereby improving the accuracy.

2. Compared with the traditional static analysis method that processes all SQL statements, the present invention only processes SQL statements containing untrusted variables, which reduces the runtime overhead of filtering processing to a certain extent.

3. The present invention uses an abstract syntax tree to perform static analysis, and the analysis method can be applied to multiple languages.

4. The present invention adopts a dynamic library interception method to intercept database functions, which can be better applied to complex multi-language usage scenarios and has stronger universality.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG1 is a flow chart of a defense method according to an embodiment of the present invention;

FIG2 is a schematic diagram of an untrusted variable filtering mode in an embodiment of the present invention;

FIG3 is a schematic diagram of the structure of a defense system in an embodiment of the present invention.

Detailed ways

In general, the present invention uses the principle of taint analysis to analyze the server source code and mark the untrusted variables. Taint analysis is a technology that tracks and analyzes the flow of taint information in the program. In vulnerability analysis, the taint analysis technology is used to mark the data of interest as tainted data, and then by tracking the flow of information related to the tainted data, it can be known whether they will affect certain key program operations, thereby mining program vulnerabilities.

The main process of the present invention is: first, the source code of the database application is converted into an abstract syntax tree (AST), and the untrusted input variables used in the SQL statement are marked by static analysis of the AST and source code modification; then, the database access function in the program is intercepted by a runtime dynamic library (Hook), and the validity of the untrusted input string marked in the SQL statement is determined and filtered according to general rules, so as to achieve the operation failure of the SQL injection attack statement.

The embodiments of the present invention are further described below in conjunction with examples and drawings, but the embodiments of the present invention are not limited thereto.

Example 1

This embodiment provides a method for actively defending against SQL injection attacks based on tags, as shown in FIG1 , including the following steps:

S1. Convert the source code of the database application into an abstract syntax tree and define a series of taint sources, such as user input variables such as $_GET and $_POST, set them as untrusted variables, and build an untrusted variable list.

S2. Analyze the variables in the abstract syntax tree line by line from top to bottom, analyze the assignment reference relationship of all variables in the abstract syntax tree, and build variable dependencies, that is, track the flow and transmission process of tainted data, so as to locate all untrusted variables in the source code and record the untrusted variables in the untrusted variable list.

In the process of locating untrusted variables, the search can be started from the database access function to find out the untrusted variables referenced in the string constituting the SQL statement and add labels to them, thereby marking the positions of all untrusted inputs in the string of the SQL statement.

If a variable is assigned by another untrusted variable, then the variable is also considered an untrusted variable. For example, “$name＝$_GET[‘name’]”, the $name variable is assigned by the $_GET variable, so it is added to the list of untrusted variables.

S3. After the analysis of the untrusted variables is completed, the abstract syntax tree is analyzed again to find the database functions therein, such as the mysqli_query function, and the parameters in the database function are analyzed to determine whether the parameters are credible, and then determine whether the SQL statement contains untrusted variables.

Database functions are the attack points of SQL injection attacks. Malicious injection codes are often transmitted to the database through database functions and perform corresponding operations. The SQL statements in database functions are usually composed of user input and are the root cause of SQL injection attacks.

Analyze the SQL statements in the database function. If it is an untrusted variable, it means that the SQL statement depends on user input and is a potential attack point. For example, $sql = "select*fromtablewherename = '$name'", $sql is a SQL statement, which consists of two parts, the string constant select*fromtablewherename = '' and the untrusted variable $name, so the SQL statement contains an untrusted variable; if the SQL statement is a trusted variable, it means that the SQL statement is composed of program built-in variables or constants and will not become an attack point.

S4. If the SQL statement contains untrusted variables, modify the source code and mark the untrusted variables in the database function parameters.

If the SQL statement contains untrusted variables, the SQL statement needs to be processed, the program (i.e. source code) needs to be modified, and the process ID is used as a label to mark the user input part to form a new SQL statement. For example, the above variable $sql can be processed to obtain $sql = "select * from table where name = '<$pid>$name<$pid>'", where <$pid><$pid> are labels and $pid is a variable generated using the process ID. When the code is run, a new process is generated, and the process ID is randomly generated each time, so it can effectively prevent attackers from using prior knowledge to bypass and deceive the defense system.

S5. After the source code is modified, it means that the static analysis part is completed; then the database function is rewritten, and the code for filtering untrusted variables is added to the database function.

The filtering process includes:

Generate a label using the current process ID;

Use the generated tags to locate untrusted variables in SQL statements in database functions;

Filter untrusted variables according to the set filtering strategy to remove possible malicious code;

Among them, the set filtering strategy is: by summarizing the common SQL injection attack codes existing in the Internet, a set of common SQL injection attack statement composition patterns are obtained, for example, an attack statement often contains comment symbols, SQL keywords (such as INSERT, DELETE, etc.), etc.; based on the SQL injection attack statement composition pattern, the decision tree is used to check the input length, special symbols and other information of the SQL statement to filter untrusted variables, thereby removing possible malicious codes; a simple filtering mode is shown in Figure 2, and the user can check the filtering situation according to the filtering log generated by the program, and appropriately modify the filtering strategy to reduce the false alarm rate and the missed alarm rate;

Use the filtered untrusted variables to form new SQL statements;

Recall the system's database function and pass the SQL statement to the SQL engine to perform the corresponding database operation.

S6. When the modified source code is run, runtime interception of the database access function is implemented, that is, dynamic library interception of the database function is performed, the string part from the untrusted input in the SQL statement is identified according to the mark, and the untrusted input string part is checked and filtered according to the set filtering strategy, so as to achieve the operation failure of the SQL injection attack statement.

When dynamic library interception is performed on database functions, the rewritten database function can be called instead of the system database function each time the database function is called, so that the SQL statement can be filtered and processed each time, thereby better avoiding SQL injection attacks.

This step uses the method of dynamic library interception. On the one hand, it can filter the input without modifying the system database function, avoiding unknown impact caused by user modification of the system database function, so that the stability and convenience of the system are improved. On the other hand, since most scripting languages such as Python and PHP will call the C language dynamic library for processing in order to increase the running speed, the dynamic library interception can realize the processing of multiple languages at the same time while only modifying and intercepting the C language dynamic library, so it can be applied to more complex usage scenarios, which improves the universality of the technical solution of the present invention.

For example, if a user enters a malicious code, such that the user enters a variable $name = "'or1 = 1#", if the SQL statement is not modified and filtered, the SQL statement passed into the database function is select*fromtablewherename = ''or1 = 1#', which is a tautology. Executing this statement can obtain all the data in the table without entering the correct parameters, thus completing an SQL attack. After the code is modified, the SQL statement passed into the database function is select*fromtablewherename = '<$pid>'or1 = 1#<$pid>', and the database function is intercepted by the dynamic library, and the internal content is filtered according to the label, and a new SQL statement select*fromtablewherename = '" can be obtained, completing the filtering of malicious code in the SQL statement, thereby avoiding the occurrence of SQL attacks.

Example 2

This embodiment is based on the same inventive concept as the first embodiment, and provides a tag-based SQL injection attack active defense system, including the following modules:

A list building module, which is used to convert source code into an abstract syntax tree and define a series of untrusted variables to build an untrusted variable list;

The variable analysis module is used to analyze the variables in the abstract syntax tree line by line from top to bottom, analyze the assignment reference relationship of all variables in the abstract syntax tree, build variable dependency relationships, thereby locating all untrusted variables in the source code, and record the untrusted variables in the untrusted variable list;

The parameter analysis and judgment module is used to analyze the abstract syntax tree again after the analysis of the untrusted variables is completed, find the database function in it, analyze the parameters in the database function, determine whether the parameters are credible, and then determine whether the SQL statement contains untrusted variables;

The variable marking module is used to modify the source code and mark the untrusted variables in the database function parameters when the SQL statement contains untrusted variables;

The code modification module is used to rewrite the database function after the source code is modified, and add the code for filtering untrusted variables to the database function;

The dynamic library interception module is used to intercept the database function in the dynamic library when running the modified source code, identify the string part from the untrusted input in the SQL statement according to the mark, and check and filter the string part of the untrusted input according to the set filtering strategy, so as to achieve the operation failure of the SQL injection attack statement.

Among them, in the process of locating untrusted variables, the variable analysis module starts searching from the database access function, finds out the untrusted variables referenced in the string constituting the SQL statement and adds labels to them, thereby marking the positions of all untrusted inputs in the string of the SQL statement.

The code modification module adds the code to the database function to filter the process including:

Generate a label using the current process ID;

Use the generated tags to locate untrusted variables in SQL statements in database functions;

Filter untrusted variables according to the set filtering strategy to remove possible malicious code;

Use the filtered untrusted variables to form new SQL statements;

Recall the system's database function and pass the SQL statement to the SQL engine to perform the corresponding database operation.

In the code modification module, the filtering strategy is set as follows:

By summarizing the common SQL injection attack codes existing on the Internet, a common SQL injection attack statement composition pattern is obtained; based on the SQL injection attack statement composition pattern, a decision tree is used to check the input length and special symbol information of the SQL statement to filter out untrusted variables.

As shown in Figure 3, in actual applications of the defense system of this embodiment, the variable analysis module, the parameter analysis and judgment module, and the variable marking module can be presented as source code static analysis and marking tools to analyze the original source code of the database application and mark untrusted variables, and obtain the marked source code of the database application; the code modification module compiles or interprets the marked source code; the dynamic library interception module generates a database function dynamic library containing filtering rules, and makes its calling priority higher than the system dynamic library, so that the application program gives priority to calling the dynamic library written by itself when calling the database function, thereby using the written database function to filter the input.

This embodiment also provides a storage medium on which computer instructions are stored. When the computer instructions are executed by a processor, each step of the SQL injection attack active defense method in Embodiment 1 is implemented.

The above is a preferred embodiment of the present invention. It should be pointed out that for ordinary technicians in this technical field, several improvements and modifications can be made without departing from the principles of the present invention. These improvements and modifications should be regarded as within the scope of protection of the present invention.

Claims (10)

1. The SQL injection attack active defense method based on the mark is characterized by comprising the following steps of:

Converting the source code into an abstract syntax tree, defining a series of untrusted variables, and constructing an untrusted variable list;

analyzing the variables in the abstract syntax tree line by line from top to bottom, analyzing the assignment reference relation of all the variables in the abstract syntax tree, constructing the variable dependency relation, thereby positioning all the untrusted variables in the source code, and recording the untrusted variables in an untrusted variable list;

after the analysis of the unreliable variables is finished, the abstract syntax tree is analyzed again, database functions in the abstract syntax tree are searched, parameters in the database functions are analyzed, whether the parameters are reliable or not is judged, and whether SQL sentences contain the unreliable variables or not is further judged;

If the SQL statement contains an unreliable variable, modifying the source code and marking the unreliable variable in the database function parameter;

After the source code is modified, a database function is rewritten, and a code for filtering the untrusted variable is added into the database function;

When the modified source code is operated, the database function is dynamically intercepted, the character string part from the unreliable input in the SQL sentence is identified according to the mark, and the character string part of the unreliable input is checked and filtered according to the set filtering strategy, so that the operation failure of the SQL injection attack sentence is realized.

2. The active defense method for SQL injection attack according to claim 1, wherein in the positioning process of the untrusted variables, searching is started from a database access function, the untrusted variables referenced in the character strings forming the SQL sentence are found and labeled, and the position marks of all the untrusted inputs in the character strings of the SQL sentence are realized.

3. The method of active defense against SQL injection attacks of claim 1, wherein the filtering process comprises:

generating a tag by using the current process ID;

Positioning the untrusted variable of the SQL sentence in the database function by using the generated tag;

filtering the unreliable variable according to a set filtering strategy to remove possible malicious codes;

constructing a new SQL sentence by using the filtered untrusted variables;

And re-calling the database function of the system, and transmitting the SQL sentence to the SQL engine to execute the corresponding database operation.

4. The method of claim 3, wherein the set filtering policy is:

summarizing common SQL injection attack codes existing in the Internet to obtain a statement composition mode of the common SQL injection attack; based on the statement constitution mode of SQL injection attack, the decision tree is utilized to check the input length and special symbol information of SQL statements, and the filtering of the untrusted variables is realized.

5. The method for actively defending against SQL injection attacks according to claim 1, wherein when a database function is dynamically intercepted, a rewritten database function is called instead of a systematic database function every time the database function is called, so that SQL statements are filtered every time.

6. The active defense system for SQL injection attack based on the mark is characterized by comprising the following components:

the list construction module is used for converting the source code into an abstract syntax tree, defining a series of untrusted variables and constructing an untrusted variable list;

The variable analysis module is used for analyzing the variables in the abstract syntax tree line by line from top to bottom, analyzing the assignment reference relation of all the variables in the abstract syntax tree, constructing the variable dependency relation, positioning all the unreliable variables in the source code, and recording the unreliable variables in the unreliable variable list;

The parameter analysis judging module is used for analyzing the abstract syntax tree again after the analysis of the unreliable variable is finished, searching a database function in the abstract syntax tree, analyzing parameters in the database function, judging whether the parameters are reliable or not, and further judging whether the SQL sentence contains the unreliable variable or not;

the variable marking module is used for modifying the source code when the SQL statement contains an unreliable variable and marking the unreliable variable in the database function parameter;

The code modification module is used for re-writing the database function after the source code is modified, and adding a code for filtering the untrusted variable into the database function;

And the dynamic library interception module is used for carrying out dynamic library interception on the database function when the modified source code is operated, identifying a character string part from the unreliable input in the SQL sentence according to the mark, and checking and filtering the character string part of the unreliable input according to the set filtering strategy to realize the operation failure of the SQL injection attack sentence.

7. The active defense system for SQL injection attack according to claim 6, wherein the variable analysis module starts searching from the database access function during the positioning of the untrusted variables, finds the untrusted variables referenced in the string constituting the SQL sentence and adds a tag to the untrusted variables, thereby realizing the position marking of all untrusted inputs in the string of the SQL sentence.

8. The active defense system for SQL injection attacks according to claim 6, wherein the code modification module adds code pairs in the database function to filter the code pairs comprising:

generating a tag by using the current process ID;

Positioning the untrusted variable of the SQL sentence in the database function by using the generated tag;

filtering the unreliable variable according to a set filtering strategy to remove possible malicious codes;

constructing a new SQL sentence by using the filtered untrusted variables;

And re-calling the database function of the system, and transmitting the SQL sentence to the SQL engine to execute the corresponding database operation.

9. The active defense system for SQL injection attacks of claim 8, wherein the set filtering policy is:

summarizing common SQL injection attack codes existing in the Internet to obtain a statement composition mode of the common SQL injection attack; based on the statement constitution mode of SQL injection attack, the decision tree is utilized to check the input length and special symbol information of SQL statements, and the filtering of the untrusted variables is realized.

10. A storage medium having stored thereon computer instructions which, when executed by a processor, implement the steps of the SQL injection attack active defense method of any of claims 1-5.