Research on SSTI attack defense technology based on instruction set randomization

Cited by: 0
Authors
Wang, Jiang [1]
Zhang, Zheng [1]
Ma, Bolin [1]
Yao, Yuan [1]
Ji, Xinsheng [2]
Affiliations
[1] State Key Lab Math Engn & Adv Comp, Zhengzhou, Peoples R China
[2] Informat Engn Univ, Zhengzhou, Peoples R China
Source
PROCEEDINGS OF 2021 2ND INTERNATIONAL CONFERENCE ON ARTIFICIAL INTELLIGENCE AND INFORMATION SYSTEMS (ICAIIS '21) | 2021
Funding
National Natural Science Foundation of China; National Key Research and Development Program;
Keywords
SSTI; injection; template engine;
DOI
10.1145/3469213.3471315
Chinese Library Classification number
TP18 [Artificial intelligence theory];
Subject classification codes
081104 ; 0812 ; 0835 ; 1405 ;
Abstract
With the rapid development of the Internet industry, scripting languages such as Python, PHP, and Ruby are often used in application development because they support rapid development and are easy to learn. Template engine technology can separate the front end from the back end during development, so it is also often used. However, if the developer does not perform strict filtering during the development process of the template engine, an attacker can use the vulnerability to launch a server-side template injection (SSTI) attack. Current defense methods are too passive because they rely on the detection rate and on prior knowledge of the attacker, so an SSTI defense technology based on randomization technology is proposed.
Pages: 5