
Design And Implementation Of Preventing SQL Injection Attacks System Based On Program Analysis

Posted on: 2011-01-26
Degree: Master
Type: Thesis
Country: China
Candidate: X H Li
Full Text: PDF
GTID: 2178360308469504
Subject: Computer Science and Technology
Abstract/Summary:
With the rapid development of computer and network technology, Web applications based on the B/S (browser/server) model are becoming increasingly popular. SQL injection is one of the primary threats to Web application security, so the study of SQL injection protection technology is very meaningful to Web application security. The existing technologies for defending against SQL injection attacks, including input filtering, penetration testing, anomaly detection and instruction-set randomization, cannot succeed against all types of SQL injection attacks and are complex to deploy. Recently, program analysis technology has experienced a rebirth of popularity due to its many excellent features in the area of preventing SQL injection attacks, and plenty of studies have arisen. However, previous program analysis methods have some problems in their design and implementation, such as how to balance and compromise between the reliability of static analysis and the accuracy of dynamic analysis, and they have high rates of false positives and false negatives.

Therefore, a system for preventing SQL injection attacks based on program analysis (SQLProbe) is developed. The most prominent features of this system are as follows. First, it uses data-flow tracing to track the path of tainted data and point out all injection points that may exist in the application. Then, an abstract representation of the application is obtained through lexical analysis and syntax analysis, and automaton models of the legal queries are generated for the SQL statements that contain injection points. Finally, the automata are inserted into the Web application as probes for dynamic testing; each probe inspects the dynamically generated queries, checks them against the statically built model and records the execution of the procedures. Aimed at Java-based Web applications, the prototype needs no change to the configuration of the server or the database.

Therefore, without sacrificing any normal functionality of the server or database, it incurs little overhead on the system. Compared with similar systems, our evaluation demonstrates that SQLProbe, with a higher degree of automation and faster detection, is much more effective at preventing SQL injection attacks and imposes negligible performance overhead.
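As an added illustration (not the thesis's own code), the following Python sketch shows the core of the probe check the abstract describes: a token-level model of a legal query, built from a template in which `?` marks each injection point, and a runtime check that accepts a generated query only if the user input still occupies exactly one literal token. The tokenizer, the `?` convention and the login query are simplified assumptions of this example; in SQLProbe the automaton models come from static analysis of the Java application.

```python
import re
from typing import List, Tuple

# One named group per token class. Literals come first so that quote
# characters inside user data are consumed as data, not as structure.
_TOKEN_RE = re.compile(r"""
    (?P<STR>'(?:[^']|'')*')                   # single-quoted literal, '' escapes a quote
  | (?P<NUM>\d+(?:\.\d+)?)                    # numeric literal
  | (?P<WORD>[A-Za-z_][A-Za-z0-9_]*)          # keyword or identifier
  | (?P<COMMENT>--[^\n]*|\#[^\n]*|/\*.*?\*/)  # comment: swallows the rest of the query
  | (?P<OP><=|>=|<>|!=|[=<>*,;().+\-/])       # operators and punctuation
  | (?P<INPUT>\?)                             # model placeholder: one user-supplied literal
  | (?P<WS>\s+)
""", re.VERBOSE | re.DOTALL)

Token = Tuple[str, str]  # (kind, text)

def tokenize(sql: str) -> List[Token]:
    """Split a query into (kind, text) tokens; whitespace is dropped."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = _TOKEN_RE.match(sql, pos)
        if m is None:
            raise ValueError(f"unexpected character at {pos}: {sql[pos]!r}")
        pos = m.end()
        if m.lastgroup != "WS":
            tokens.append((m.lastgroup, m.group()))
    return tokens

def build_model(template: str) -> List[Token]:
    """Static side: the legal-query model is the template's token sequence,
    with '?' marking where a single user-supplied literal may appear."""
    return tokenize(template)

def check_query(model: List[Token], query: str) -> bool:
    """Dynamic side (the probe): accept only if the generated query has the
    model's structure and every '?' is filled by exactly one literal token."""
    try:
        actual = tokenize(query)
    except ValueError:          # unparseable input cannot be a legal query
        return False
    if len(actual) != len(model):
        return False
    for (mk, mv), (ak, av) in zip(model, actual):
        if mk == "INPUT":
            if ak not in ("STR", "NUM"):   # input grew beyond one literal
                return False
        elif (mk, mv) != (ak, av):         # fixed structure was altered
            return False
    return True

def render(name: str, password: str) -> str:
    """Constructed sample of the string concatenation the probe guards."""
    return f"SELECT id FROM users WHERE name = '{name}' AND pass = '{password}'"

LOGIN_MODEL = build_model("SELECT id FROM users WHERE name = ? AND pass = ?")
```

A benign value, even one containing a doubled quote such as `o''brien`, still tokenizes to a single literal and passes; a value that adds an `OR` clause or a trailing comment changes the token sequence and is rejected.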
Keywords/Search Tags: web security, sql injection, program analysis, static analysis, dynamic analysis