Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/44489

Full metadata record

| DC Field | Value | Language |
|---|---|---|
| dc.contributor.advisor | 蔡益坤 | |
| dc.contributor.author | Yi-Shan Tsai | en |
| dc.contributor.author | 蔡依珊 | zh_TW |
| dc.date.accessioned | 2021-06-15T03:00:44Z | - |
| dc.date.available | 2009-08-21 | |
| dc.date.copyright | 2009-08-21 | |
| dc.date.issued | 2009 | |
| dc.date.submitted | 2009-07-31 | |
| dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/44489 | - |
| dc.description.abstract | As part of the infrastructure of the global economic system, Web applications provide a virtual platform that serves as a bridge for communication between users, which makes them highly important. However, the problem of Web security vulnerabilities is growing ever more serious and has had a negative impact on the development of Web applications. During application development, source code review of Web applications is one way to address this problem. But manual source code review is time-consuming and labor-intensive, or yields inaccurate results because of human error; moreover, code reviewers must have a professional background in information security. Hence the need for automated source code review tools arose. Early automated methods and tools were applied only to software applications and were later extended to Web applications, but at present there is little research evaluating the precision of static tools and methods. In other words, static tool developers who claim that their static methods and tools are efficient and effective without comparing them against other tools lack persuasiveness. This thesis aims to evaluate the precision of four existing static analysis methods and tools. To this end, we designed a set of benchmark programs containing source code with security vulnerabilities (for example, cross-site scripting and SQL injection); the benchmark programs also contain different data structures and control flow statements. More specifically, we use the benchmark programs we designed to evaluate the performance of existing static methods and tools, and present statistically how precisely each tool handles specific vulnerability categories. Finally, we integrate the results of these four static analysis methods and tools to identify the shortcomings of existing static methods and tools, in order to assist the future development of static methods and tools. | zh_TW |
| dc.description.abstract | As part of the infrastructure of the global economy, Web applications are of the utmost importance because they provide a virtual space where end users can communicate with one another. A negative aspect of this development is that the number of security vulnerabilities is growing constantly. One method used to solve such problems involves reviewing program code as a part of the development process. However, manual code verification is time-consuming, error-prone, and costly, and code auditors need a security background in order to audit the code. Thus, there is an urgent need for automated solutions to check whether Web applications are vulnerable. Verification tools have long implemented analysis methods for software applications and Web applications, but little research has been performed to evaluate the efficacy of each tool. Developers claim that their tools are effective and efficient, but they do not compare their tool with others. In this thesis, our objective is to evaluate the efficacy of existing verification tools. To this end, we build benchmark cases of vulnerable code that may cause security problems, such as cross-site scripting and SQL injection, while other benchmark cases contain no vulnerable code, in order to determine whether a tool reports a false positive after scanning them. Specifically, we use the developed benchmark cases to test four static analysis tools that generate reports of vulnerable program locations, and evaluate the performance of the tools statistically. Moreover, the benchmark cases enable us to identify the structures or control flow statements that cause false alarms in the four tools. As a result, we can determine which benchmark cases are not handled by the target tools. | en |
| dc.description.provenance | Made available in DSpace on 2021-06-15T03:00:44Z (GMT). No. of bitstreams: 1 ntu-98-R96725017-1.pdf: 758472 bytes, checksum: 93da5bbbaaada38e44aaa1c922d48f90 (MD5) Previous issue date: 2009 | en |

dc.description.tableofcontents:

- 1 Introduction (p. 1)
  - 1.1 Background (p. 1)
  - 1.2 Motivation and Objectives (p. 2)
  - 1.3 Thesis Outline (p. 3)
- 2 Preliminaries (p. 4)
  - 2.1 Web Architecture (p. 4)
    - 2.1.1 Web Applications (p. 4)
    - 2.1.2 Security Problems in PHP (p. 5)
  - 2.2 Common Vulnerabilities in Web Applications (p. 6)
    - 2.2.1 Cross-Site Scripting (XSS) (p. 6)
    - 2.2.2 SQL Injection (p. 7)
    - 2.2.3 Malicious File Execution (p. 8)
    - 2.2.4 Cross Site Request Forgery (CSRF) (p. 9)
    - 2.2.5 HTTP Response Splitting (p. 9)
    - 2.2.6 Resource Injection (p. 10)
    - 2.2.7 Information Leakage (p. 11)
  - 2.3 Regular Expression (p. 12)
- 3 Benchmark Cases for Evaluating Tools (p. 15)
  - 3.1 Benchmark Overview (p. 15)
  - 3.2 Benchmark Description (p. 17)
    - 3.2.1 Display Handling (p. 17)
    - 3.2.2 Control Flow Statements (p. 17)
    - 3.2.3 SQL Statements in Database Manipulation (p. 17)
    - 3.2.4 File Operation (p. 18)
    - 3.2.5 Command Execution (p. 19)
    - 3.2.6 File Inclusion (p. 19)
    - 3.2.7 Information Leakage (p. 19)
- 4 Implementation and Evaluation (p. 22)
  - 4.1 Implementation Overview (p. 22)
    - 4.1.1 System Environment (p. 22)
    - 4.1.2 Vulnerability Categories (p. 22)
    - 4.1.3 Statistics Formulae (p. 23)
  - 4.2 Evaluation by Categories (p. 24)
    - 4.2.1 Cross-Site Scripting (p. 24)
    - 4.2.2 SQL Injection (p. 25)
    - 4.2.3 Resource Injection (p. 25)
    - 4.2.4 Dangerous Functions and Files (p. 26)
    - 4.2.5 Information Leakage (p. 27)
  - 4.3 Summary (p. 28)
- 5 Methods Tested (p. 29)
  - 5.1 Static Analysis Methods (p. 29)
    - 5.1.1 WebSSARI (p. 29)
    - 5.1.2 Pixy System (p. 37)
    - 5.1.3 Summary (p. 43)
  - 5.2 Supplement Methods (p. 44)
    - 5.2.1 Extracting the Sanitization Graph (p. 44)
    - 5.2.2 Testing the Effectiveness of Sanitization Routines (p. 45)
- 6 Conclusion (p. 47)
  - 6.1 Contributions (p. 47)
  - 6.2 Future Work (p. 48)
- Bibliography (p. 50)
- Appendices (p. 55)

| DC Field | Value | Language |
|---|---|---|
| dc.language.iso | en | |
| dc.subject | Static Analysis Methods and Tools | zh_TW |
| dc.subject | Security Vulnerabilities | zh_TW |
| dc.subject | Web Applications | zh_TW |
| dc.subject | Precision | zh_TW |
| dc.subject | Benchmark | zh_TW |
| dc.subject | Source Code Verification | zh_TW |
| dc.subject | False Alarm | en |
| dc.subject | Static Analysis Tools | en |
| dc.subject | Code-Verification | en |
| dc.subject | Security Vulnerabilities | en |
| dc.subject | Web Applications | en |
| dc.subject | Precision | en |
| dc.subject | Benchmark | en |
| dc.title | A Study of Methods and Tools for Analyzing Security Vulnerabilities in Web Applications | zh_TW |
| dc.title | A Study of Methods and Tools for Analyzing Security Vulnerabilities in Web Applications | en |
| dc.type | Thesis | |
| dc.date.schoolyear | 97-2 | |
| dc.description.degree | Master's | |
| dc.contributor.oralexamcommittee | 莊庭瑞,陳恭 | |
| dc.subject.keyword | Security Vulnerabilities, Web Applications, Precision, Benchmark, Source Code Verification, Static Analysis Methods and Tools | zh_TW |
| dc.subject.keyword | Security Vulnerabilities, Web Applications, Precision, Benchmark, False Alarm, Code-Verification, Static Analysis Tools | en |
| dc.relation.page | 103 | |
| dc.rights.note | Licensed for a fee | |
| dc.date.accepted | 2009-07-31 | |
| dc.contributor.author-college | College of Management | zh_TW |
| dc.contributor.author-dept | Graduate Institute of Information Management | zh_TW |
| Appears in Collections: | Department of Information Management | |

Files in This Item:

| File | Size | Format |
|---|---|---|
| ntu-98-1.pdf (not authorized for public access) | 740.7 kB | Adobe PDF |

Items in this repository are protected by copyright, with all rights reserved, unless otherwise indicated.
