Static Detection Approach for SQL Injection Vulnerability in Android Applications
  • English title: Static Detection Approach for SQL Injection Vulnerability in Android Applications
  • Authors: 潘秋红; 崔展齐; 王林章
  • Authors (English): PAN Qiuhong; CUI Zhanqi; WANG Linzhang; Department of Computer Science and Technology, Nanjing University; State Key Laboratory of Novel Computer Software Technology, Nanjing University; Computer School, Beijing Information Science and Technology University; Jiangsu Novel Software Technology and Industrialization
  • Keywords: SQL injection; static detection; taint analysis; legitimacy check
  • English keywords: SQL injection; static detection; taint analysis; legitimate check
  • Journal title (Chinese): KXTS
  • Journal title (English): Journal of Frontiers of Computer Science and Technology
  • Affiliations: Department of Computer Science and Technology, Nanjing University; State Key Laboratory of Novel Computer Software Technology, Nanjing University; Computer School, Beijing Information Science and Technology University; Jiangsu Collaborative Innovation Center of Novel Software Technology and Industrialization
  • Publication date: 2017-11-16 15:37
  • Publisher: Journal of Frontiers of Computer Science and Technology (计算机科学与探索)
  • Year: 2018
  • Issue: v.12; No.119
  • Funding: National Natural Science Foundation of China Nos. 61472179, 61572249, 61632015, 61561146394; National Key Research and Development Program of China No. 2016YFB1000802; Open Project of the State Key Laboratory for Novel Software Technology No. KFKT2016B12
  • Language: Chinese
  • Page: KXTS201808004
  • Number of pages: 13
  • CN: 08
  • ISSN: 11-5602/TP
  • Classification number: 39-51
Abstract
With the rapid development of the mobile Internet, the number of Android terminals and mobile applications has risen year after year, greatly changing people's way of life. However, mobile applications have complex interaction, are difficult to debug, and update their versions frequently; many applications are put into use without adequate testing, so failures caused by various vulnerabilities in Android applications occur frequently. Among these, SQL (structured query language) injection is a common class of security vulnerability whose consequences include leakage of user information and malicious tampering with the database. Most existing general-purpose static analysis tools, however, cannot effectively detect SQL injection vulnerabilities in Android applications. To address this problem, this paper analyzes the code characteristics and data characteristics of SQL injection vulnerabilities and proposes a static detection approach based on taint analysis. The approach extends the open-source tool FindBugs, on which the prototype tool SQLInj is implemented. Experimental results indicate that the approach can effectively detect SQL injection vulnerabilities present in Android applications.