1. Field of the Invention
The present invention relates to an information processing device and an information processing method intended for detecting an injection attack or the like against a computer system, and to a computer-readable recording medium recording a program for realizing the information processing device and method.
2. Description of the Related Art
An injection attack against a computer system implies an attack to force the computer to execute an attack code or an attack command injected into the computer system from outside by utilizing vulnerabilities of the computer system.
Initially, injection attacks were mainly ones against native code programs executed on clients, such as buffer overflow attacks. However, recently, attacks against server programs written in script languages, such as Perl, PHP, Java (registered trade name), have become more serious. These include cross-site scripting (XSS), SQL injection, and the like. An attack that depends on the structure of the native code, as in the former case, is called a low-level attack, and an attack that is independent of the structure of the native code, as in the latter case, is called a high-level attack.
In order to detect such injection attacks, a group of techniques called Dynamic Taint Propagation (DTP) and Dynamic Information Flow Tracking (DIFT) have been proposed. DTP/DIFT adds tracking information to data handled by programs in order to indicate whether data is dependent on input. Utilizing this taint information, data dependent on input from outside is tracked dynamically, i.e., at the time of program execution, whereby injection attacks will be detected.
In the most basic method, the taint information of a data item is represented by one taint bit. Although the description below assumes a single taint bit, substantially equivalent representations of the taint information are also covered. Hereinafter, data of which the taint bit is set is referred to as taint data.
More specifically, the following three processes (1-1) to (1-3) are performed.
(1-1) The taint bit of data is set when the data is given to a program from outside.
(1-2) The taint bits are propagated from sources to destinations according to dependence in the executed program.
(1-3) When the program produces output data, the taint bit of the data is inspected. If there is a taint bit set, it is determined that it is possibly an attack.
As will be described later, DTP/DIFT can be implemented in various ways with respect to the execution core of the processing.
Language-level DTPs, including the taint mode of Perl, define handling of the taint bits as part of the language specification. Accordingly, handling of the taint bits is defined with respect to the language structure of statements or the like. In the typical case of an assignment statement, the taint bits of the data items on the right-hand side are logically ORed and then propagated to the taint bit of the data item indicated by the left-hand side. This processing can be executed by an interpreter, by native code embedded by a compiler, by a processor, or the like.
DIFT is a technique established by applying the taint mode of Perl to a processor in order to detect low-level injection attacks, and the execution core of the processing of above (1-2) is the processor. That is, handling of the taint bit is defined for an instruction executed by the processor. Typically, when the processor executes the instruction, the contents of the taint bits of the source operands are logically ORed and then propagated to the taint bit of the destination operand.
Although such DIFT was originally proposed to detect low-level injection attacks, DIFT can also detect high-level injection attacks. In DIFT, the processing of the above items (1-1) and (1-3) cannot be executed by the processor alone, and thus cooperation with components of the computer system other than the processor is required.
(2-1) The taint bit of data is set if the data is input from outside the computer system through a network or the like (not from outside the program).
(2-2) Taint information is propagated from the source to the destination in accordance with the dependence of the data.
(2-3) When data is output from the program, it is inspected not merely whether or not a taint bit of the data is set, but also which parts of the data have their taint bits set. Some critical parts of the output should not be specified directly from outside of the computer system. If the output data is a character string for a system call or an SQL command, for example, syntactic analysis of the output string is performed, and it is inspected whether the taint bits of critical parts, such as a command name or a file name, are not set.
As described before, DTP/DIFT can be implemented in various levels other than above, such as in the processor emulators, or in intermediate language interpreters such as Java (registered trade name) VM.
It should be noted that DTP/DIFT techniques independent of a specific language have the merit of being comprehensive. Language-level techniques can, as a matter of course, only be applied to programs written in the specific language. On the other hand, language-independent techniques can be applied to all the programs which are executed thereon.
In a program that provides meaningful service, the output thereof is dependent on the input. Otherwise the program always produces the same output. Such a program is actually useless. As a result, if completely strict DTP/DIFT is applied for a meaningful program, the taint bits of every output data items will be set because the output thereof is somehow dependent on the input, which is meaningless. Consequently, in order to make DTP/DIFT meaningful, a non-propagation rule of not performing propagation of taint bits when a certain condition is satisfied is important.
There is no room for contrivance in direct dependence caused by data dependence, whereas handling of indirect dependences caused by conditional branching or indirect reference is difficult. Conventional DTP/DIFT techniques define non-propagation rules for indirect dependences mechanically and thus suffer from a tradeoff between false detections (false positives) and detection leakages (false negatives).
In DIFT, in which the propagation is performed by the processor, it is particularly difficult. To begin with, it is difficult to specify the range of the dependence destination of the branch condition in a conditional branch.
Even in the language-level DTPs, the non-propagation rule is mechanically defined on the language grammar. Perl taint mode, for example, does not propagate taint information through regular expression matches. Even in the case of a match that replaces a plus sign with a blank character, which has no effect on the injection attack, propagation is not performed.
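As an added illustration, not part of the patent text, of the output inspection in (2-3) above and of why the plus-to-blank substitution just described should not untaint data: a per-character taint representation in Python, with a constructed query template and constructed inputs. The names `TStr`, `build_query` and `inspect_sql`, and the literal-only tokenizer, are assumptions of this example.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class TStr:
    """String carrying one taint bit per character (1 = came from outside)."""
    text: str
    taint: tuple
    @staticmethod
    def trusted(s):
        return TStr(s, (0,) * len(s))
    @staticmethod
    def tainted(s):            # process (2-1): data arriving from the network
        return TStr(s, (1,) * len(s))
    def __add__(self, other):  # process (2-2): concatenation keeps each bit in place
        return TStr(self.text + other.text, self.taint + other.taint)
    def replace_char(self, old, new):
        # One-to-one character substitution: each new character inherits the
        # bit of the character it replaced, so '+' -> ' ' does NOT untaint
        # (unlike Perl's regex-match non-propagation rule).
        return TStr(self.text.replace(old, new), self.taint)

LITERAL = re.compile(r"'(?:[^']|'')*'")   # single-quoted SQL literal, '' escapes a quote

def build_query(user_input):
    """Hypothetical application code: trusted template around outside input."""
    return TStr.trusted("SELECT * FROM users WHERE name = '") + user_input + TStr.trusted("'")

def inspect_sql(query):
    """Process (2-3): characters outside string literals are structural (keywords,
    identifiers, operators) and must not be tainted. Returns the tainted
    structural fragments; an empty list means nothing suspicious was seen."""
    inside = [False] * len(query.text)
    for m in LITERAL.finditer(query.text):
        for i in range(m.start(), m.end()):
            inside[i] = True
    hits, cur = [], ""
    for ch, bit, lit in zip(query.text, query.taint, inside):
        if bit and not lit and not ch.isspace():
            cur += ch
        elif cur:
            hits.append(cur)
            cur = ""
    if cur:
        hits.append(cur)
    return hits

if __name__ == "__main__":
    for raw in ("alice", "O''Brien", "alice'+OR+1=1"):     # constructed inputs
        q = build_query(TStr.tainted(raw).replace_char("+", " "))
        print(q.text, "->", inspect_sql(q) or "ok")
```

An input whose unescaped quote breaks out of the literal is reported because the tainted text lands in a structural position, while a correctly escaped quote (`''`) stays inside the literal and passes.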
As prior art technical document information, there is Document 1: Michael Dalton, et al., “Raksha: A Flexible Information Flow Architecture for Software Security”, International Symposium on Computer Architecture, 2007, pp. 227-232.