Research on a Multi-Level Website Security Protection System
Abstract

The rapid development of the Internet, the sharp growth in the number of Internet users, and the increasing digitization of daily life have made websites a central part of online life and an important carrier of information. While websites play an important role and enrich people's lives, attacks against them have also become active, which creates serious security risks. These security problems have given rise to a variety of protective measures and products, which play an important role in protecting websites. However, common protective measures and products usually address only one layer of the problem, whereas website security is a multi-layer problem: a gap in protection at any one layer can lead to the website being compromised. Because a single-layer protection system cannot effectively solve current website security problems, this thesis studies a multi-level website security protection system.

The thesis first introduces the current state of website security and of research on it, analyzes the strengths and weaknesses of some common protections, and from this derives its research topic: a multi-level website security protection system. It then presents the website security background used in the thesis, including injection attacks, cross-site scripting (XSS) attacks, anti-tampering technology, and WebShells. The third part presents, designs, and implements the multi-level protection system. It first gives the overall design, which comprises an anti-injection/anti-XSS system, a website anti-tampering system, and a detection system for WebShells and special folders (special files), and then describes each part in detail:

(1) The anti-injection/anti-XSS system targets SQL injection, cross-site scripting, and similar problems. It prevents attackers from using such attacks to obtain administrator or even system privileges and stops them from attacking client-side users. For cookie injection attacks, which are more covert and flexible, the system inspects and analyzes cookie data promptly so that malicious code cannot reach the Web server, thereby protecting the normal operation of the website.

(2) The anti-tampering system ensures that files in the website directory are not illegally modified. It is implemented with file filter driver technology: given a specified monitored directory, specified monitored file types, and specified operation permissions, it intercepts and analyzes file read and write requests in kernel mode and immediately rejects the IRP (I/O Request Packet) of any request that does not comply with the policy. The anti-tampering system also actively analyzes and blocks the content being written to files, which prevents malicious files from being written into the website directory.

(3) The detection system for WebShell files (website backdoor trojans) and special folders (special files) detects WebShell files to prevent backdoor trojans from controlling the website and the system. It also detects special folders and special files (for example, those named after Windows devices) to eliminate hiding places for WebShell trojans and advertising links. Together, the two kinds of detection keep the files in the website directory free of trojans.

In the fourth part, the thesis validates the implemented multi-level protection system experimentally. The results show that the system protects well against common website attacks and that the layers work together to provide comprehensive protection for website security.
