{"updated":"2025-01-20T01:39:56.624684+00:00","metadata":{"_oai":{"id":"oai:ipsj.ixsq.nii.ac.jp:00189328","sets":["1164:4088:9383:9455"]},"path":["9455"],"owner":"11","recid":"189328","title":["Webアプリケーションテストを用いたSQLクエリのホワイトリスト自動作成手法"],"pubdate":{"attribute_name":"公開日","attribute_value":"2018-05-10"},"_buckets":{"deposit":"05a9776e-e590-4c48-a8d2-03d19533bed4"},"_deposit":{"id":"189328","pid":{"type":"depid","value":"189328","revision_id":0},"owners":[11],"status":"published","created_by":11},"item_title":"Webアプリケーションテストを用いたSQLクエリのホワイトリスト自動作成手法","author_link":["430440","430442","430444","430439","430443","430441"],"item_titles":{"attribute_name":"タイトル","attribute_value_mlt":[{"subitem_title":"Webアプリケーションテストを用いたSQLクエリのホワイトリスト自動作成手法"},{"subitem_title":"Automatic Whitelist Generation for SQL Queries Using Web Application Test","subitem_title_language":"en"}]},"item_keyword":{"attribute_name":"キーワード","attribute_value_mlt":[{"subitem_subject":"情報システム運用","subitem_subject_scheme":"Other"}]},"item_type_id":"4","publish_date":"2018-05-10","item_4_text_3":{"attribute_name":"著者所属","attribute_value_mlt":[{"subitem_text_value":"GMOペパボ株式会社ペパボ研究所"},{"subitem_text_value":"GMOペパボ株式会社ペパボ研究所/力武健次技術士事務所"},{"subitem_text_value":"GMOペパボ株式会社ペパボ研究所"}]},"item_4_text_4":{"attribute_name":"著者所属(英)","attribute_value_mlt":[{"subitem_text_value":"Pepabo R&D Institute, GMO Pepabo, Inc.","subitem_text_language":"en"},{"subitem_text_value":"Pepabo R&D Institute, GMO Pepabo, Inc. 
/ Kenji Rikitake Professional Engineer's Office","subitem_text_language":"en"},{"subitem_text_value":"Pepabo R&D Institute, GMO Pepabo, Inc.","subitem_text_language":"en"}]},"item_language":{"attribute_name":"言語","attribute_value_mlt":[{"subitem_language":"jpn"}]},"item_publisher":{"attribute_name":"出版者","attribute_value_mlt":[{"subitem_publisher":"情報処理学会","subitem_publisher_language":"ja"}]},"publish_status":"0","weko_shared_id":-1,"item_file_price":{"attribute_name":"Billing file","attribute_type":"file","attribute_value_mlt":[{"url":{"url":"https://ipsj.ixsq.nii.ac.jp/record/189328/files/IPSJ-IOT18041024.pdf","label":"IPSJ-IOT18041024.pdf"},"date":[{"dateType":"Available","dateValue":"2020-05-10"}],"format":"application/pdf","billing":["billing_file"],"filename":"IPSJ-IOT18041024.pdf","filesize":[{"value":"409.5 kB"}],"mimetype":"application/pdf","priceinfo":[{"tax":["include_tax"],"price":"660","billingrole":"5"},{"tax":["include_tax"],"price":"330","billingrole":"6"},{"tax":["include_tax"],"price":"0","billingrole":"43"},{"tax":["include_tax"],"price":"0","billingrole":"44"}],"accessrole":"open_date","version_id":"b22eb096-cbe7-407b-9030-82d72faa6f7f","displaytype":"detail","licensetype":"license_note","license_note":"Copyright (c) 2018 by the Information Processing Society of Japan"}]},"item_4_creator_5":{"attribute_name":"著者名","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"野村, 孔命"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"力武, 健次"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"松本, 亮介"}],"nameIdentifiers":[{}]}]},"item_4_creator_6":{"attribute_name":"著者名(英)","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"Komei, Nomura","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Kenji, Rikitake","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Ryosuke, 
Matsumoto","creatorNameLang":"en"}],"nameIdentifiers":[{}]}]},"item_4_source_id_9":{"attribute_name":"書誌レコードID","attribute_value_mlt":[{"subitem_source_identifier":"AA12326962","subitem_source_identifier_type":"NCID"}]},"item_4_textarea_12":{"attribute_name":"Notice","attribute_value_mlt":[{"subitem_textarea_value":"SIG Technical Reports are nonrefereed and hence may later appear in any journals, conferences, symposia, etc."}]},"item_resource_type":{"attribute_name":"資源タイプ","attribute_value_mlt":[{"resourceuri":"http://purl.org/coar/resource_type/c_18gh","resourcetype":"technical report"}]},"item_4_source_id_11":{"attribute_name":"ISSN","attribute_value_mlt":[{"subitem_source_identifier":"2188-8787","subitem_source_identifier_type":"ISSN"}]},"item_4_description_7":{"attribute_name":"論文抄録","attribute_value_mlt":[{"subitem_description":"データベースの情報を利用して動作する Web アプリケーションでは,入力検証やクエリ発行処理の脆弱性により,開発者の想定していない不正クエリがデータベースに発行され機密情報を窃取される攻撃が発生する.このような攻撃に対して,Web アプリケーションがデータベースに発行するクエリのホワイトリストを作成し不正クエリの検知を行う方法がとられてきたが,Web アプリケーションの大規模化や実装言語の多様化に伴いホワイトリストの作成が難しくなっている.そのため,Web アプリケーション解析や運用時のクエリを用いた学習により生成を用いてホワイトリスト作り,検知する手法が提案されている.しかし,手法が実装言語依存の問題や Web アプリケーションの仕様変更の頻度が高いことによるホワイトリストの管理が難しい問題がある.本稿では,Web アプリケーションの動作を保証するためのテストがあり,Web アプリケーションの更新に追従してテストの更新が行われる開発プロセスが採用されていることを前提とし,テスト時に発行されるクエリからホワイトリストを自動作成する手法を提案する.Web アプリケーションの運用時には作成されたホワイトリストを用いて不正クエリを検知する.提案手法は,Web アプリケーションの複雑性や実装言語に依存せずにクエリのホワイトリストを自動作成することができ,新クエリが実装された場合もテストの更新に伴いホワイトリストが更新される.また,検知されたクエリはテストされていないクエリもしくは不正クエリであり,これらを早期に発見することで原因となる Web アプリケーションの脆弱性が長期化することを防ぐことができる.","subitem_description_type":"Other"}]},"item_4_description_8":{"attribute_name":"論文抄録(英)","attribute_value_mlt":[{"subitem_description":"Database-driven Web applications are vulnerable to the attacks by the malicious queries which are not expected by the developers and are not correctly processed due to the incomplete input processing and the query issuing process. 
Defining a whitelist of the database queries issued by the Web application has been used to detect such malicious queries. However, as the Web applications themselves become more complex and the implementation programming languages become more diverse, the whitelisting approach becomes more challenging to implement. In this paper, we propose a method to automatically generate a whitelist of database queries from those issued by the Web application during the testing phase, provided that the application development process includes operation testing and that the tests are updated together with the application. In the proposed method, malicious queries are detected against the generated whitelist while the Web application is running in production. Our method can automatically generate the whitelist of queries regardless of the Web application complexity and independent of the implementation language, and the whitelist is updated as the test cases are updated when new queries are implemented. A detected query is either untested (issued by the application but not exercised by its tests) or malicious; detecting such queries at an early stage of an attack may help the early removal of the respective Web application defects.","subitem_description_type":"Other"}]},"item_4_biblio_info_10":{"attribute_name":"書誌情報","attribute_value_mlt":[{"bibliographicPageEnd":"6","bibliographic_titles":[{"bibliographic_title":"研究報告インターネットと運用技術(IOT)"}],"bibliographicPageStart":"1","bibliographicIssueDates":{"bibliographicIssueDate":"2018-05-10","bibliographicIssueDateType":"Issued"},"bibliographicIssueNumber":"24","bibliographicVolumeNumber":"2018-IOT-41"}]},"relation_version_is_last":true,"weko_creator_id":"11"},"created":"2025-01-19T00:55:24.104233+00:00","id":189328,"links":{}}