SQLMVED: SQL injection runtime prevention system based on multi-variant execution
The effectiveness of combining SQL statement parsing with randomization to defend against SQL injection attack (SQLIA) was based on the fact that attackers did not know about the current method of randomization adopted by system.Therefore, once attackers had mastered the current method of randomizat...
Saved in:
| Main Authors: | , , , |
|---|---|
| Format: | Article |
| Language: | zho |
| Published: |
Editorial Department of Journal on Communications
2021-04-01
|
| Series: | Tongxin xuebao |
| Subjects: | |
| Online Access: | http://www.joconline.com.cn/zh/article/doi/10.11959/j.issn.1000-436x.2021046/ |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| _version_ | 1841539280763092992 |
|---|---|
| author | Bolin MA Zheng ZHANG Hao LIU Jiangxing WU |
| author_facet | Bolin MA Zheng ZHANG Hao LIU Jiangxing WU |
| author_sort | Bolin MA |
| collection | DOAJ |
| description | The effectiveness of combining SQL statement parsing with randomization to defend against SQL injection attack (SQLIA) was based on the fact that attackers did not know about the current method of randomization adopted by system.Therefore, once attackers had mastered the current method of randomization who can launch effective SQLIA.In order to solve this problem, a SQL injection runtime prevention system based on multi-variant execution was designed, the multi-variant apply randomization methods from any other, so that illegal SQL statements could not be parsed successfully by all variants.Even if attackers had mastered the method of randomization, illegal SQL statements could only be parsed successfully by a certain variant at most, meanwhile the parsing results of multiple variants were voted to find the abnormality in time and block attack path.The prototype system SQLMVED is implemented for Web services and experiments show that the prototype can effectively defeat SQLIA. |
| format | Article |
| id | doaj-art-6e9ccf1a016344edbc0f3e6a898905e3 |
| institution | Kabale University |
| issn | 1000-436X |
| language | zho |
| publishDate | 2021-04-01 |
| publisher | Editorial Department of Journal on Communications |
| record_format | Article |
| series | Tongxin xuebao |
| spelling | doaj-art-6e9ccf1a016344edbc0f3e6a898905e32025-01-14T07:21:59ZzhoEditorial Department of Journal on CommunicationsTongxin xuebao1000-436X2021-04-014212713859741519SQLMVED: SQL injection runtime prevention system based on multi-variant executionBolin MAZheng ZHANGHao LIUJiangxing WUThe effectiveness of combining SQL statement parsing with randomization to defend against SQL injection attack (SQLIA) was based on the fact that attackers did not know about the current method of randomization adopted by system.Therefore, once attackers had mastered the current method of randomization who can launch effective SQLIA.In order to solve this problem, a SQL injection runtime prevention system based on multi-variant execution was designed, the multi-variant apply randomization methods from any other, so that illegal SQL statements could not be parsed successfully by all variants.Even if attackers had mastered the method of randomization, illegal SQL statements could only be parsed successfully by a certain variant at most, meanwhile the parsing results of multiple variants were voted to find the abnormality in time and block attack path.The prototype system SQLMVED is implemented for Web services and experiments show that the prototype can effectively defeat SQLIA.http://www.joconline.com.cn/zh/article/doi/10.11959/j.issn.1000-436x.2021046/SQL injection attackruntime preventionmulti-variant executionrandomization |
| spellingShingle | Bolin MA Zheng ZHANG Hao LIU Jiangxing WU SQLMVED: SQL injection runtime prevention system based on multi-variant execution Tongxin xuebao SQL injection attack runtime prevention multi-variant execution randomization |
| title | SQLMVED: SQL injection runtime prevention system based on multi-variant execution |
| title_full | SQLMVED: SQL injection runtime prevention system based on multi-variant execution |
| title_fullStr | SQLMVED: SQL injection runtime prevention system based on multi-variant execution |
| title_full_unstemmed | SQLMVED: SQL injection runtime prevention system based on multi-variant execution |
| title_short | SQLMVED: SQL injection runtime prevention system based on multi-variant execution |
| title_sort | sqlmved sql injection runtime prevention system based on multi variant execution |
| topic | SQL injection attack runtime prevention multi-variant execution randomization |
| url | http://www.joconline.com.cn/zh/article/doi/10.11959/j.issn.1000-436x.2021046/ |
| work_keys_str_mv | AT bolinma sqlmvedsqlinjectionruntimepreventionsystembasedonmultivariantexecution AT zhengzhang sqlmvedsqlinjectionruntimepreventionsystembasedonmultivariantexecution AT haoliu sqlmvedsqlinjectionruntimepreventionsystembasedonmultivariantexecution AT jiangxingwu sqlmvedsqlinjectionruntimepreventionsystembasedonmultivariantexecution |