Design and Implementation of an SQL Injection Defense System Based on Program Analysis
Abstract
With the rapid development of computer and network technology, Web applications based on the B/S (browser/server) model are becoming ever more common. SQL injection is currently one of the main security threats facing Web applications, so research on SQL injection defense and vulnerability detection techniques is of great significance for strengthening Web application security. The defenses proposed so far include input filtering, penetration testing, anomaly detection and instruction-set randomization. These methods cannot successfully prevent every type of SQL injection attack, and they are complex to deploy. In recent years the advantages of program analysis for defending against SQL injection have become increasingly evident, and new research results keep appearing. However, earlier program analysis approaches suffer in their design and implementation from problems such as the difficulty of trading off the reliability of static analysis against the precision of dynamic analysis, and they have high false positive and false negative rates.
To address these problems, this thesis proposes SQLProbe (Preventing SQL Injection Attacks Based on Program Analysis), an SQL injection defense system built on program analysis. Its distinctive features are: data-flow tracking is used to statically trace the propagation paths of tainted data through the program and to identify the potential injection points in the application; lexical and syntactic analysis yield an abstract representation of the application, from which a finite-state-automaton model of the legal query statements is generated at each injection point; the automaton model is inserted into the program under test, and security vulnerabilities are found by dynamically monitoring whether the SQL statements generated at run time match the model of the corresponding tainted-data entry point; the implementation targets Java Web applications and requires no change to the configuration of the application server or the database platform, so it leaves the normal functionality of the application server and database server completely untouched and has very little impact on system performance.
Experiments show that, compared with similar systems, SQLProbe offers a higher degree of automation and faster detection, gives good protection against SQL injection, and has low run-time overhead.
With the rapid development of computer and network technology, Web applications based on the B/S model are becoming increasingly popular. SQL injection is one of the primary threats to Web application security, so the study of SQL injection protection techniques is very meaningful to Web application security. The existing techniques for defending against SQL injection attacks, including input filtering, penetration testing, anomaly detection and instruction set randomization, cannot succeed against all types of SQL injection attack and are complex to deploy. Recently, program analysis technology has experienced a rebirth of popularity due to its many excellent features in the area of preventing SQL injection attacks, and plenty of studies have arisen. However, previous program analysis methods exhibit problems in their design and implementation, such as how to balance and compromise between the reliability of static analysis and the accuracy of dynamic analysis, and they have high rates of false positives and false negatives.
Therefore, a system for preventing SQL injection attacks based on program analysis (SQLProbe) is developed. Its most prominent features are as follows. First, it utilizes data-flow tracing to track the path of tainted data and point out all injection points that may exist in the application. Then, the abstract representation of the application is obtained through lexical analysis and syntax analysis, and automaton models of legal queries are generated for the SQL statements containing injection points. Finally, the automaton is inserted into the Web application as a probe for dynamic testing; it inspects the dynamically generated queries, checks them against the statically built model and records the procedure's execution. Aimed at Java-based Web applications, the prototype needs no change to the configuration of the server or the database. Therefore, without sacrificing any normal functionality of the server and database, it incurs little overhead on the system.
Compared with similar systems, our evaluation demonstrates that SQLProbe, with a higher degree of automation and faster detection, is much more effective at preventing SQL injection attacks and imposes negligible performance overhead.
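The core mechanism described in both abstracts (a lexer that turns queries into tokens, a finite-state model of the legal query shapes at each injection point, and a run-time probe that accepts or rejects each dynamically built query) is illustrated below. This is an added example written for this page, not code from the thesis or from the SQLProbe prototype (which targets Java); it is a simplified Python model of the technique. The query templates, table and column names, and run-time sample queries are constructed for the example, and the `?` placeholder standing for a tainted-input slot is an assumption of this sketch. Static taint tracking, which would identify the injection points and their templates, is outside the snippet and is represented by the hand-written templates in `build_model`.

```python
"""Toy version of the SQLProbe idea: build a per-injection-point automaton from the
application's legal query templates, then use it at run time to reject any generated
query whose token structure the model does not accept."""
import re
from collections import namedtuple

Token = namedtuple("Token", "kind text norm")

KEYWORDS = {"select", "from", "where", "and", "or", "insert", "into", "values",
            "update", "set", "delete", "union", "like", "not", "null", "order",
            "by", "limit"}
LITERAL_KINDS = {"STRING", "NUMBER"}
ANY_LITERAL = ("LITERAL", "*")   # model edge for a tainted slot: any ONE literal token

TOKEN_RE = re.compile(r"""
      \s+                           # whitespace (dropped)
    | --[^\n]*                      # line comment, kept as a token on purpose
    | '(?:[^']|'')*'                # string literal; '' escapes a quote inside it
    | \d+(?:\.\d+)?                 # numeric literal
    | [A-Za-z_][A-Za-z0-9_]*        # keyword or identifier
    | \?                            # tainted-input slot in a template (assumed marker)
    | <>|<=|>=|!=|[=<>*,;()]        # operators and punctuation
""", re.VERBOSE)


def tokenize(sql):
    """Lexical analysis: turn a query string into (kind, text, normalized) tokens."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if not m:
            raise ValueError(f"unexpected character {sql[pos]!r} at offset {pos}")
        text, pos = m.group(0), m.end()
        if text.isspace():
            continue
        if text.startswith("--"):
            kind = "COMMENT"
        elif text.startswith("'"):
            kind = "STRING"
        elif text[0].isdigit():
            kind = "NUMBER"
        elif text == "?":
            kind = "PLACEHOLDER"
        elif text[0].isalpha() or text[0] == "_":
            kind = "KEYWORD" if text.lower() in KEYWORDS else "IDENT"
        else:
            kind = "OP"
        norm = text.lower() if kind in ("KEYWORD", "IDENT") else text
        tokens.append(Token(kind, text, norm))
    return tokens


class QueryModel:
    """Finite automaton over token labels. Each template adds one legal query shape
    as a trie path; a tainted slot becomes an ANY_LITERAL edge, so user input may
    only ever occupy a single literal position in the query."""

    def __init__(self):
        self.trans = {0: {}}      # state -> {label: next_state}
        self.accepting = set()

    def _new_state(self):
        s = len(self.trans)
        self.trans[s] = {}
        return s

    def add_template(self, template_sql):
        state = 0
        for tok in tokenize(template_sql):
            label = ANY_LITERAL if tok.kind == "PLACEHOLDER" else (tok.kind, tok.norm)
            if label not in self.trans[state]:
                self.trans[state][label] = self._new_state()
            state = self.trans[state][label]
        self.accepting.add(state)

    def accepts(self, sql):
        """Run-time probe: simulate the automaton (as an NFA) over the generated query."""
        try:
            tokens = tokenize(sql)
        except ValueError:
            return False                 # unlexable text is never a legal query
        states = {0}
        for tok in tokens:
            nxt = set()
            for s in states:
                edges = self.trans[s]
                if (tok.kind, tok.norm) in edges:
                    nxt.add(edges[(tok.kind, tok.norm)])
                if tok.kind in LITERAL_KINDS and ANY_LITERAL in edges:
                    nxt.add(edges[ANY_LITERAL])
            if not nxt:
                return False
            states = nxt
        return bool(states & self.accepting)


def build_model():
    """Model for two hypothetical injection points (templates constructed for this example)."""
    model = QueryModel()
    model.add_template("SELECT * FROM users WHERE name = ? AND status = 'active'")
    model.add_template("SELECT * FROM items WHERE id = ?")
    return model


if __name__ == "__main__":
    model = build_model()
    # Constructed run-time queries, as naive string concatenation would produce them.
    for q in ["SELECT * FROM users WHERE name = 'O''Brien' AND status = 'active'",
              "SELECT * FROM users WHERE name = '' OR '1'='1' AND status = 'active'",
              "SELECT * FROM items WHERE id = 1 OR 1=1"]:
        print("ALLOW" if model.accepts(q) else "BLOCK", "|", q)
```

Two design points carry the security argument. Because the tainted slot admits exactly one literal token, any input that adds tokens (an `OR` clause, a second comparison, a comment marker) changes the token sequence and is rejected, while a legitimately escaped value such as `'O''Brien'` still lexes as a single string literal and passes. Comments are deliberately kept as tokens rather than stripped: a model that discards them would have no way to notice that a closing quote the template expects has been commented away.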