
Design and Implementation of Software Security for Web-Based Engineering Management Software

發(fā)布時(shí)間:2018-04-01 21:12

Topic: security. Focus: access control. Source: University of Electronic Science and Technology of China, 2014 master's thesis.


[Abstract]: With the rapid development of Internet technology, Web systems have come into widespread use, and the Web sites that touch people's daily lives have grown explosively. Web-based management systems are likewise increasingly adopted by enterprises, giving them the convenience of online office work and markedly improving management efficiency. However, a Web system built on the B/S architecture faces serious security threats because of its openness and the stateless nature of the HTTP protocol; more and more Web sites have been attacked, so research on Web system security is now especially important. Access control and SQL injection prevention occupy a central position in this research and have become its two main directions. This thesis takes Web system security as its subject and concentrates on the design and implementation of access control and SQL injection prevention.

On access control, the thesis first introduces the concept, basic principles, and common access control techniques with their advantages and disadvantages, then analyses the RBAC96 access control model in depth, covering the model's characteristics and its range of application. Building on that analysis and addressing the limitations of the RBAC96 model, the thesis proposes an improved model, the delegatable RBAC model, in which a role can be transferred between users under appropriate conditions. Finally, taking the access control requirements of a specific Web system, the thesis adopts a three-layer access control scheme based on the delegatable RBAC model and implements it on the ASP.NET development platform together with a SQL Server database.

On SQL injection prevention, the thesis first introduces the basic concept of SQL injection attacks, then analyses their characteristics, the mainstream attack methods, and the typical attack flow. On the basis of a thorough understanding of how SQL injection works, the thesis focuses on a prevention method based on ISAPI technology. It compares ISAPI programs with traditional CGI programs, analyses the technical characteristics and advantages of ISAPI, and identifies the problems ISAPI can solve. Finally, taking the SQL injection prevention requirements of a specific Web system, the thesis adopts a SQL injection attack firewall scheme based on ISAPI Filter technology and implements it with the support of the MFC class library using the VC++ development tools. The result is a dedicated SQL injection attack firewall, loaded onto the IIS Web server in the form of a dynamic link library.
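The delegatable RBAC model summarised above lets a role move between users rather than being fixed to a single assignment. The following C++ sketch is an added illustration of that idea; it is not the thesis's own code or its actual model. The rules it encodes (a delegator must directly hold the role, a delegated role cannot be re-delegated, a delegation is suspended while the delegator loses the role, and only the delegator can revoke it), as well as the user names, role names and permissions, are assumptions made for the example.

```cpp
// Added example: a minimal RBAC model with role delegation, in the spirit of the
// thesis's "delegatable RBAC" model. Not the thesis's own code; all rules and
// names here are assumptions for illustration.
#include <iostream>
#include <map>
#include <set>
#include <string>

struct AccessControl {
    // role -> permissions granted by that role
    std::map<std::string, std::set<std::string>> rolePermissions;
    // user -> roles assigned directly by an administrator
    std::map<std::string, std::set<std::string>> userRoles;
    // delegatee -> (role -> delegator): roles received by delegation
    std::map<std::string, std::map<std::string, std::string>> delegated;

    void grant(const std::string& role, const std::string& perm) { rolePermissions[role].insert(perm); }
    void assign(const std::string& user, const std::string& role) { userRoles[user].insert(role); }
    void unassign(const std::string& user, const std::string& role) { userRoles[user].erase(role); }

    bool holdsDirectly(const std::string& user, const std::string& role) const {
        auto it = userRoles.find(user);
        return it != userRoles.end() && it->second.count(role) > 0;
    }

    // Assumed rule: only a user who holds the role directly may delegate it,
    // so a delegated role can never be re-delegated (no transitive chains).
    bool delegateRole(const std::string& from, const std::string& to, const std::string& role) {
        if (from == to || !holdsDirectly(from, role)) return false;
        delegated[to][role] = from;
        return true;
    }

    // Assumed rule: only the original delegator can revoke a delegation.
    bool revoke(const std::string& from, const std::string& to, const std::string& role) {
        auto it = delegated.find(to);
        if (it == delegated.end()) return false;
        auto r = it->second.find(role);
        if (r == it->second.end() || r->second != from) return false;
        it->second.erase(r);
        return true;
    }

    // Direct roles plus delegated roles whose delegator still holds the role.
    std::set<std::string> effectiveRoles(const std::string& user) const {
        std::set<std::string> roles;
        auto d = userRoles.find(user);
        if (d != userRoles.end()) roles = d->second;
        auto g = delegated.find(user);
        if (g != delegated.end())
            for (const auto& kv : g->second)
                if (holdsDirectly(kv.second, kv.first)) roles.insert(kv.first);  // delegation suspended otherwise
        return roles;
    }

    bool check(const std::string& user, const std::string& perm) const {
        for (const auto& role : effectiveRoles(user)) {
            auto it = rolePermissions.find(role);
            if (it != rolePermissions.end() && it->second.count(perm) > 0) return true;
        }
        return false;
    }
};

// Constructed scenario: a project manager (alice) hands the "manager" role to an
// engineer (bob) while away; bob can then approve changes but cannot pass the role on.
AccessControl buildExampleSystem() {
    AccessControl ac;
    ac.grant("manager", "approve_change");
    ac.grant("engineer", "submit_report");
    ac.assign("alice", "manager");
    ac.assign("bob", "engineer");
    return ac;
}

int main() {
    AccessControl ac = buildExampleSystem();
    std::cout << "bob approves before delegation: " << ac.check("bob", "approve_change") << "\n";
    ac.delegateRole("alice", "bob", "manager");
    std::cout << "bob approves after delegation:  " << ac.check("bob", "approve_change") << "\n";
    std::cout << "bob can re-delegate:            " << ac.delegateRole("bob", "carol", "manager") << "\n";
    ac.revoke("alice", "bob", "manager");
    std::cout << "bob approves after revocation:  " << ac.check("bob", "approve_change") << "\n";
    return 0;
}
```

Keeping the delegation record separate from direct assignments is what makes the model auditable: every effective permission a user holds can be traced either to an administrator's assignment or to a named delegator, and removing the delegator's role silently withdraws everything that depended on it.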
【學(xué)位授予單位】:電子科技大學(xué)
【學(xué)位級(jí)別】:碩士
【學(xué)位授予年份】:2014
【分類號(hào)】:TP393.09;TP311.52

【參考文獻(xiàn)】

相關(guān)期刊論文 前1條

1 蒙彪;劉俊景;;SQL注入攻擊的分類防御模型的研究[J];信息技術(shù)與標(biāo)準(zhǔn)化;2008年11期


