English  |  正體中文  |  简体中文  |  全文筆數/總筆數 : 80990/80990 (100%)
造訪人次 : 41709741      線上人數 : 2187
RC Version 7.0 © Powered By DSPACE, MIT. Enhanced by NTU Library IR team.
搜尋範圍 查詢小技巧:
  • 您可在西文檢索詞彙前後加上"雙引號",以獲取較精準的檢索結果
  • 若欲以作者姓名搜尋,建議至進階搜尋限定作者欄位,可獲得較完整資料
  • 進階搜尋


    請使用永久網址來引用或連結此文件: http://ir.lib.ncu.edu.tw/handle/987654321/44558


    題名: TransSQL: A Translation and Validation-based Solution for SQL-Injection AttacksTransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks
    作者: 黃浩倫;Hao-lun Huang
    貢獻者: 資訊工程研究所
    關鍵詞: 資料隱碼;網頁安全;SQL injection;web security
    日期: 2010-07-04
    上傳時間: 2010-12-09 13:49:05 (UTC+8)
    出版者: 國立中央大學
    摘要: 隨著網際網路的快速發展,許多Web應用程式提供學習、教育、娛樂、資訊交換、商業交易等服務,這類型Web應用程式通常將各式各樣資料儲存在資料庫中,這些資料可能包含使用者帳戶資訊、私人檔案、交易明細等。因此,攻擊者透過SQL Injection的方式攻擊Web應用程式,這樣的攻擊方式可能會執行破壞或竊取資料的行為,更甚者可奪取伺服器的控制權。過去許多防止SQL Injection攻擊的研究與產品常因為配置過於繁瑣、需要修改當前應用程式原始碼或無法涵蓋所有漏洞等因素而無法徹底防禦SQL Injection攻擊。基於以上的理由,如果有效且便利的防止SQL Injection攻擊,成為一件很重要的事。 本篇論文,我們提出一個嶄新的防禦機制,將每一即將送達資料庫的請求翻譯為相等的請求送往LDAP,利用LDAP的特性及一些額外的防禦措施來驗證該請求是否合法。我們將這個防禦機制命名為TransSQL,TransSQL包含了兩個步驟,第一個步驟是前置作業,我們使用sqldump來擷取資料庫中的資料,並且複製一份到LDAP中。第二個步驟是運作監控,我們監控所有送到資料庫的請求來防止SQL Injection攻擊。我們的防禦機制布置在Web應用程式和資料庫之間並且從實驗結果來看,TransSQL能有效的防禦SQL Injection攻擊Web-based applications have become the major means of providing services by web servers and databases. These applications are the frequent target for attacks be-cause the databases underlying Web applications often contain private information (e.g., user accounts and financial records). In particular, SQL injection attacks, a class of injection flaw in which specially crafted input strings leads to illegal queries to da-tabases, are one of the topmost threats to web applications. A number of research pro-totypes and commercial products that maintain the queries structure in web applica-tions have been developed but these techniques fail to address the full scope of the problem or have limitations. In this paper, we propose a novel and effective mechanism for automatically translating SQL requests to LDAP-equivalent requests to render them secure against SQL injection attacks. After queries are executed on SQL database and LDAP, our technique checks the difference in responses from SQL database and LDAP to prevent SQL injection attacks. We implemented our technique in a tool, TransSQL, consists of two steps. In the preprocessing step, Database Duplicating process, we adopt sqldump program to extract entire information of SQL database that could be used to produce LDAP schema and LDAP Data Interchange Format file. In the runtime step, Request Translation process, the technique intercepts SQL queries for translation and checks the results from LDAP against SQL database. TransSQL has been implemented in Java and deployed between web applications and databases. Our empirical evaluation has shown that TransSQL is both effectiveness and efficiency against SQL injection attacks.
    顯示於類別:[資訊工程研究所] 博碩士論文

    文件中的檔案:

    檔案 描述 大小格式瀏覽次數
    index.html0KbHTML887檢視/開啟


    在NCUIR中所有的資料項目都受到原著作權保護.

    社群 sharing

    ::: Copyright National Central University. | 國立中央大學圖書館版權所有 | 收藏本站 | 設為首頁 | 最佳瀏覽畫面: 1024*768 | 建站日期:8-24-2009 :::
    DSpace Software Copyright © 2002-2004  MIT &  Hewlett-Packard  /   Enhanced by   NTU Library IR team Copyright ©   - 隱私權政策聲明