
Software Security Design and Implementation of Web-based Engineering Management Software

Published: 2018-04-01 21:12

Topic of this thesis: security. Entry point: access control. Source: Master's thesis, University of Electronic Science and Technology of China (电子科技大学), 2014.


【Abstract】: With the rapid development of Internet technology, Web systems have come into wide use, and Web sites closely tied to people's daily lives have grown explosively. Moreover, Web-based management systems are increasingly adopted by enterprises, giving them the convenience of online office work and effectively improving management efficiency. However, because of its openness and the stateless nature of the HTTP protocol, a Web system built on the B/S (browser/server) architecture faces serious security threats; more and more Web sites have been attacked by hackers, so research on Web system security is now especially important. Access control and SQL injection prevention occupy a very important position in Web security research and have become its two main directions. This thesis takes Web system security as its subject and focuses on the design and implementation of access control and SQL injection prevention. On access control, the thesis first introduces the concept and basic principles of access control and the commonly used access control techniques with their advantages and disadvantages, then analyzes the RBAC96 access control model in depth, covering the model's characteristics and its range of application. Building on this analysis of RBAC96, and addressing the limitations of that RBAC model, the thesis proposes an improved RBAC model, the delegatable (proxy) RBAC model, in which a role can be transferred between users in a controlled way. Finally, drawing on the access control security requirements of a specific Web system, the thesis adopts a three-layer access control scheme based on the delegatable RBAC model and implements it on the ASP.NET development platform using a SQL Server database. On SQL injection prevention, the thesis first introduces the basic concept of SQL injection attacks, then analyzes their characteristics, the mainstream attack methods and the common attack workflow. On the basis of a thorough understanding of how SQL injection works, the thesis concentrates on SQL injection prevention methods based on ISAPI technology: it compares ISAPI programs with traditional CGI programs, analyzes the technical characteristics and advantages of ISAPI, and identifies the problems ISAPI can solve. Finally, in line with the SQL injection prevention requirements of the specific Web system, the thesis adopts a SQL injection attack firewall scheme based on ISAPI Filter technology and implements it with the support of the MFC class library using the VC++ development tools, successfully developing a dedicated SQL injection attack firewall that is loaded onto the IIS web server in the form of a dynamic link library.
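The delegatable RBAC model the abstract describes, as an added illustration that is not the thesis's own code: a minimal RBAC96-style core (users, roles, permissions) extended with role delegation between users. The delegation rules used here (only a directly assigned role may be delegated, a delegatee cannot re-delegate, and a delegated role lapses as soon as the delegator loses it) are assumptions, since the page does not define the model's constraints.

```python
from dataclasses import dataclass, field


@dataclass
class DelegatableRBAC:
    """RBAC96-style core plus role delegation between users.
    The delegation constraints are an assumption for this example."""
    role_perms: dict = field(default_factory=dict)   # role -> set of permissions
    user_roles: dict = field(default_factory=dict)   # user -> roles assigned directly
    delegations: dict = field(default_factory=dict)  # (delegator, delegatee) -> roles

    def grant(self, role: str, perm: str) -> None:
        self.role_perms.setdefault(role, set()).add(perm)

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def delegate(self, delegator: str, delegatee: str, role: str) -> None:
        # Only a role held directly may be handed on, so a delegated role
        # cannot be re-delegated down a chain (assumed constraint).
        if role not in self.user_roles.get(delegator, set()):
            raise PermissionError(f"{delegator} does not hold role {role!r} directly")
        self.delegations.setdefault((delegator, delegatee), set()).add(role)

    def revoke_delegation(self, delegator: str, delegatee: str, role: str) -> None:
        self.delegations.get((delegator, delegatee), set()).discard(role)

    def effective_roles(self, user: str) -> set:
        roles = set(self.user_roles.get(user, set()))
        for (delegator, delegatee), delegated in self.delegations.items():
            if delegatee == user:
                # A delegated role is live only while the delegator still holds it,
                # so revoking the delegator's own assignment cuts off the delegatee too.
                roles |= {r for r in delegated if r in self.user_roles.get(delegator, set())}
        return roles

    def check(self, user: str, perm: str) -> bool:
        """Access decision: does any effective role of `user` carry `perm`?"""
        return any(perm in self.role_perms.get(r, set()) for r in self.effective_roles(user))


if __name__ == "__main__":
    # Constructed sample: a project manager role in an engineering management system.
    rbac = DelegatableRBAC()
    rbac.grant("project_manager", "approve_budget")
    rbac.assign("alice", "project_manager")
    rbac.delegate("alice", "bob", "project_manager")
    print("bob may approve budgets:", rbac.check("bob", "approve_budget"))
```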
【Degree-granting institution】: University of Electronic Science and Technology of China (电子科技大学)
【Degree level】: Master's
【Year degree conferred】: 2014
【Classification number】: TP393.09; TP311.52





Link to this page: https://www.wllwen.com/guanlilunwen/ydhl/1697309.html

