A method for detecting code security vulnerability based on variables tracking with validated-tree

Zhefei Zhang; Qinghua Zheng; Xiaohong Guan; Qing Wang; Tuo Wang

doi:10.1007/s11460-008-0047-x

A method for detecting code security vulnerability based on variables tracking with validated-tree

Zhefei Zhang
, Qinghua Zheng
, Xiaohong Guan
, Qing Wang
, Tuo Wang

Faculty of Electronic and Information Engineering

Research output: Contribution to journal › Article › peer-review

1 Scopus citations

Abstract

SQL injection poses a major threat to the application level security of the database and there is no systematic solution to these attacks. Different from traditional run time security strategies such as IDS and firewall, this paper focuses on the solution at the outset; it presents a method to find vulnerabilities by analyzing the source codes. The concept of validated tree is developed to track variables referenced by database operations in scripts. By checking whether these variables are influenced by outside inputs, the database operations are proved to be secure or not. This method has advantages of high accuracy and efficiency as well as low costs, and it is universal to any type of web application platforms. It is implemented by the software code vulnerabilities of SQL injection detector (CVSID). The validity and efficiency are demonstrated with an example.

Original language	English
Pages (from-to)	162-166
Number of pages	5
Journal	Frontiers of Electrical and Electronic Engineering in China
Volume	3
Issue number	2
DOIs	https://doi.org/10.1007/s11460-008-0047-x
State	Published - Jun 2008

Keywords

Database security
SQL injection
Vulnerability detection

Access to Document

10.1007/s11460-008-0047-x

Cite this

@article{b1bc299d0a6d4180bdf5364b5be2da51,

title = "A method for detecting code security vulnerability based on variables tracking with validated-tree",

abstract = "SQL injection poses a major threat to the application level security of the database and there is no systematic solution to these attacks. Different from traditional run time security strategies such as IDS and firewall, this paper focuses on the solution at the outset; it presents a method to find vulnerabilities by analyzing the source codes. The concept of validated tree is developed to track variables referenced by database operations in scripts. By checking whether these variables are influenced by outside inputs, the database operations are proved to be secure or not. This method has advantages of high accuracy and efficiency as well as low costs, and it is universal to any type of web application platforms. It is implemented by the software code vulnerabilities of SQL injection detector (CVSID). The validity and efficiency are demonstrated with an example.",

keywords = "Database security, SQL injection, Vulnerability detection",

author = "Zhefei Zhang and Qinghua Zheng and Xiaohong Guan and Qing Wang and Tuo Wang",

year = "2008",

month = jun,

doi = "10.1007/s11460-008-0047-x",

language = "英语",

volume = "3",

pages = "162--166",

journal = "Frontiers of Electrical and Electronic Engineering in China",

issn = "1673-3460",

publisher = "Higher Education Press Limited Company",

number = "2",

}

TY - JOUR

T1 - A method for detecting code security vulnerability based on variables tracking with validated-tree

AU - Zhang, Zhefei

AU - Zheng, Qinghua

AU - Guan, Xiaohong

AU - Wang, Qing

AU - Wang, Tuo

PY - 2008/6

Y1 - 2008/6

N2 - SQL injection poses a major threat to the application level security of the database and there is no systematic solution to these attacks. Different from traditional run time security strategies such as IDS and firewall, this paper focuses on the solution at the outset; it presents a method to find vulnerabilities by analyzing the source codes. The concept of validated tree is developed to track variables referenced by database operations in scripts. By checking whether these variables are influenced by outside inputs, the database operations are proved to be secure or not. This method has advantages of high accuracy and efficiency as well as low costs, and it is universal to any type of web application platforms. It is implemented by the software code vulnerabilities of SQL injection detector (CVSID). The validity and efficiency are demonstrated with an example.

AB - SQL injection poses a major threat to the application level security of the database and there is no systematic solution to these attacks. Different from traditional run time security strategies such as IDS and firewall, this paper focuses on the solution at the outset; it presents a method to find vulnerabilities by analyzing the source codes. The concept of validated tree is developed to track variables referenced by database operations in scripts. By checking whether these variables are influenced by outside inputs, the database operations are proved to be secure or not. This method has advantages of high accuracy and efficiency as well as low costs, and it is universal to any type of web application platforms. It is implemented by the software code vulnerabilities of SQL injection detector (CVSID). The validity and efficiency are demonstrated with an example.

KW - Database security

KW - SQL injection

KW - Vulnerability detection

UR - https://www.scopus.com/pages/publications/41749122356

U2 - 10.1007/s11460-008-0047-x

DO - 10.1007/s11460-008-0047-x

M3 - 文章

AN - SCOPUS:41749122356

SN - 1673-3460

VL - 3

SP - 162

EP - 166

JO - Frontiers of Electrical and Electronic Engineering in China

JF - Frontiers of Electrical and Electronic Engineering in China

IS - 2

ER -

A method for detecting code security vulnerability based on variables tracking with validated-tree

Abstract

Keywords

Access to Document

Other files and links

Fingerprint

Cite this