计算机工程

• 安全技术 • 上一篇    下一篇

面向PHP程序的SQL漏洞检测系统

王耀辉,王丹,付利华   

  1. (北京工业大学计算机学院,北京 100124)
  • 收稿日期:2015-03-09 出版日期:2016-04-15 发布日期:2016-04-15
  • 作者简介:王耀辉(1987-),男,硕士研究生,主研方向为入侵检测、Web安全;王丹,教授、博士;付利华,讲师、博士。
  • 基金项目:
    国家自然科学基金资助项目(61202074)。

SQL Vulnerability Detection System for PHP Program

WANG Yaohui,WANG Dan,FU Lihua   

  1. (College of Computer Science,Beijing University of Technology,Beijing 100124,China)
  • Received:2015-03-09 Online:2016-04-15 Published:2016-04-15

摘要: 针对PHP程序,提出一种基于注入活动分析技术的结构化查询语言(SQL)漏洞检测方法。以动静态相结合的分析技术为基础,对注入活动从数据流和程序行为方面进行分析,给出基于词法特征比较的SQL漏洞判定算法。通过检测模拟测试数据,并结合别名分析技术、行为模型和SQL漏洞判定算法设计并实现SQL漏洞检测系统。实验结果表明,与Pixy和RIPS系统相比,该系统具有较强的SQL漏洞检测能力和较低的时间开销。

关键词: 结构化查询语言漏洞, 动静态结合分析, 别名分析, 行为模型, 词法特征

Abstract: Aiming at PHP program,this paper proposes an Structured Query Language(SQL) vulnerability detection method based on the injection analysis technology.This method makes a detailed analysis on the injection in the aspects of data flow and program behavior,on the basis of the combination of dynamic and static analysis technique.A lexcial feature comparison-based decision algorithm is designed and implemented to detect SQL vulnerability through simulating data.Combining alias analysis technology,behavior model and decision algorithm,the SQL vulnerabilities detection system based on lexical feature comparison is designed and realized.Experimental result indicates that,compared with Pixy and RIPS system,this system has higher SQL vulnerability detection capability and lower time cost.

Key words: Structured Query Language(SQL) vulnerability, dynamic and static combined analysis, alias analysis, behavior model, lexical feature

中图分类号: