A method for detecting code security vulnerability based on variables tracking with validated-tree
| Autor: | Xiaohong Guan, Qing Wang, Qinghua Zheng, Tuo Wang, Zhefei Zhang |
|---|---|
| Rok vydání: | 2008 |
| Předmět: |
Source code
Database business.industry Computer science media_common.quotation_subject Detector computer.software_genre Electronic Optical and Magnetic Materials Firewall (construction) Software Scripting language SQL injection Web application Electrical and Electronic Engineering business Database security computer media_common |
| Zdroj: | Frontiers of Electrical and Electronic Engineering in China. 3:162-166 |
| ISSN: | 1673-3584 1673-3460 |
| DOI: | 10.1007/s11460-008-0047-x |
| Popis: | SQL injection poses a major threat to the application level security of the database and there is no systematic solution to these attacks. Different from traditional run time security strategies such as IDS and firewall, this paper focuses on the solution at the outset; it presents a method to find vulnerabilities by analyzing the source codes. The concept of validated tree is developed to track variables referenced by database operations in scripts. By checking whether these variables are influenced by outside inputs, the database operations are proved to be secure or not. This method has advantages of high accuracy and efficiency as well as low costs, and it is universal to any type of web application platforms. It is implemented by the software code vulnerabilities of SQL injection detector (CVSID). The validity and efficiency are demonstrated with an example. |
| Databáze: | OpenAIRE |
| Externí odkaz: |
|
Full text from SpringerLink