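Project title: Research on Database Security Theory Based on Tree-Structured Automata
Project number: No.61262072
Project type: Regional Science Fund Project
Year of approval: 2013
Project discipline: Automation technology, computer technology
Project author: Huang Baohua (黄保华)
Author affiliation: Guangxi University
Project funding: 430,000 yuan
Chinese abstract: Existing security theories for databases and for application systems take SQL statements and application functions, respectively, as their objects. Because neither considers its relation to the other's objects, the two become disconnected, which poses a severe challenge to overall security. The tree-structured automaton TsFSM is used to model the sequence of SQL statements that an application system submits to the DBMS for execution. A path starting from the root of the tree represents an application function and characterizes the DBMS's execution state for the SQL statements, which establishes the link between SQL statements and application functions; access control, auditing, SQL injection detection and storage encryption are carried out in the transition, failure and output functions. Access control and auditing are fine-grained down to the SQL statement, yet can also take the function as the object unit. With security preserved, the number of objects is significantly reduced while their meaning becomes more concrete, and space and time complexity fall while manageability rises, which facilitates building privilege management and audit infrastructure. SQL injection detection uses the contextual SQL statements to improve accuracy. Based on TsFSM, join queries over ciphertext can be discovered, so that storage encryption structures and algorithms supporting them can be designed. SQL statement abstraction eliminates the differences between the SQL statements of different function instances, and is the basis for generating the TsFSM and controlling its size. The project improves the theoretical system of database security and has very important theoretical and practical significance.
Chinese keywords: Database security; tree-structured automaton; SQL statement; coarse-grained security audit; ciphertext query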
English abstract: Existing security theories for databases and for applications take SQL statements and application functions as their objects separately, do not take into account the relation between each other's objects, and thereby pose a serious challenge to the security of the whole system. By modeling the sequence of SQL statements that an application submits to the DBMS for execution with a TsFSM (Tree-structured FSM), a path from the root of the tree represents an application function and at the same time depicts the DBMS's execution state for SQL statements. This builds the relation between SQL statements and application functions; access control, audit, SQL injection detection and storage encryption can be done in the transition function, failure function and output function of the TsFSM. Access control and audit are targeted at the SQL statement and take the application function as the object unit, so they reduce the number of objects and make the objects more meaningful while remaining secure, reduce space and time complexity and increase manageability, and help in building privilege management infrastructure and audit infrastructure. SQL injection detection achieves high accuracy by using SQL statement context. Finding join queries over ciphertext in the TsFSM helps in designing storage encryption structures and algorithms that support them. SQL statement abstracting which eliminates the difference
English keywords: Database security; Tree-structured FSM; SQL Statement; Coarse-grained Security Audit; Query over Ciphertext