Please use this Handle URI to cite this document:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/47334
Full metadata record
DC Field | Value | Language |
---|---|---|
dc.contributor.advisor | 蔡益坤 | |
dc.contributor.author | Chih-Pin Tai | en |
dc.contributor.author | 戴智斌 | zh_TW |
dc.date.accessioned | 2021-06-15T05:55:26Z | - |
dc.date.available | 2014-08-20 | |
dc.date.copyright | 2010-08-20 | |
dc.date.issued | 2010 | |
dc.date.submitted | 2010-08-17 | |
dc.identifier.citation | [1] John Aycock and R. Nigel Horspool. Simple generation of static single-assignment form. In CC '00: Proceedings of the 9th International Conference on Compiler Construction, pages 110-124, 2000.
[2] D. Balzarotti, M. Cova, V. Felmetsger, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Saner: Composing static and dynamic analysis to validate sanitization in Web applications. In IEEE Symposium on Security and Privacy, pages 387-401. IEEE Computer Society, 2008.
[3] David Binkley and Keith Brian Gallagher. Program slicing. Advances in Computers, 43:1-50, 1996.
[4] Chen-I Chung. A static analyzer for PHP Web applications. Master's thesis, National Taiwan University, 2009.
[5] Arjun Guha, Shriram Krishnamurthi, and Trevor Jim. Using static analysis for Ajax intrusion detection. In WWW '09: Proceedings of the 18th International Conference on World Wide Web, pages 561-570. ACM, 2009.
[6] Yao-Wen Huang, Fang Yu, Christian Hang, Chung-Hung Tsai, D. T. Lee, and Sy-Yen Kuo. Verifying Web applications using bounded model checking. In DSN, pages 199-208, 2004.
[7] Yao-Wen Huang, Fang Yu, Christian Hang, Chung-Hung Tsai, Der-Tsai Lee, and Sy-Yen Kuo. Securing Web application code by static analysis and runtime protection. In WWW '04: Proceedings of the 13th International Conference on World Wide Web, pages 40-52. ACM, 2004.
[8] Nenad Jovanovic, Christopher Kruegel, and Engin Kirda. Pixy: A static analysis tool for detecting Web application vulnerabilities (short paper). In 2006 IEEE Symposium on Security and Privacy, pages 258-263. IEEE Computer Society, 2006.
[9] Adam Kiezun, Philip J. Guo, Karthick Jayaraman, and Michael D. Ernst. Automatic creation of SQL injection and cross-site scripting attacks. In ICSE, pages 199-209, 2009.
[10] Yasuhiko Minamide. Static approximation of dynamically generated Web pages. In WWW, pages 432-441, 2005.
[11] George C. Necula, Scott McPeak, Shree Prakash Rahul, and Westley Weimer. CIL: Intermediate language and tools for analysis and transformation of C programs. In CC '02: Proceedings of the 11th International Conference on Compiler Construction, pages 213-228, 2002.
[12] George C. Necula, Scott McPeak, Westley Weimer, Ben Liblit, Matt Harren, Raymond To, and Aman Bhargava. CIL Documentation (v. 1.3.7). http://www.eecs.berkeley.edu/~necula/cil/, 2007.
[13] OCaml. OCaml programming language. http://caml.inria.fr/, 2008.
[14] SooHyoung Oh. Ocamlyacc Tutorial. http://plus.kaist.ac.kr/~shoh/ocaml/ocamllex-ocamlyacc/ocamlyacc-tutorial/, 2004.
[15] Vern Paxson. Ocamllex Tutorial. http://plus.kaist.ac.kr/~shoh/ocaml/ocamllex-ocamlyacc/ocamllex-tutorial/ocamllex-tutorial.html, 1990.
[16] Michael Sipser. Introduction to the Theory of Computation, Second Edition, International Edition. Thomson Course Technology, 2006.
[17] Paolo Tonella and Filippo Ricca. Web application slicing in presence of dynamic code generation. Automated Software Engineering, 12(2):259-288, 2005.
[18] Yu-Chieh Tu. A static analysis tool for ASP.NET Web applications. Master's thesis, National Taiwan University, 2009.
[19] Wikipedia. Abstract syntax tree. http://en.wikipedia.org/wiki/Abstract_syntax_tree.
[20] Wikipedia. Cross-site scripting. http://en.wikipedia.org/wiki/Cross-site_scripting.
[21] Wikipedia. Dataflow analysis. http://en.wikipedia.org/wiki/Dataflow_analysis.
[22] Wikipedia. SQL injection. http://en.wikipedia.org/wiki/SQL_injection.
[23] Wikipedia. SSA form. http://en.wikipedia.org/wiki/Static_single_assignment_form.
[24] Yichen Xie and Alex Aiken. Static detection of security vulnerabilities in scripting languages. In USENIX-SS'06: Proceedings of the 15th Conference on USENIX Security Symposium, pages 179-192. USENIX Association, 2006.
[25] Rui-Yuan Yeh. An improved static analyzer for verifying PHP Web application security. Master's thesis, National Taiwan University, 2010.
[26] Fang Yu, Muath Alkhalaf, and Tevfik Bultan. Generating vulnerability signatures for string manipulating programs using automata-based forward and backward symbolic analyses. In ASE '09: Proceedings of the 24th IEEE/ACM International Conference on Automated Software Engineering, pages 605-609, 2009.
[27] Fang Yu, Tevfik Bultan, Marco Cova, and Oscar H. Ibarra. Symbolic string verification: An automata-based approach. In SPIN '08: Proceedings of the 15th International SPIN Workshop, pages 306-324, 2008.
[28] Sheng-Feng Yu. Automatic generation of penetration test cases for Web applications. Master's thesis, National Taiwan University, 2010. | |
dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/47334 | - |
dc.description.abstract | In recent years, Web application services have flourished; more and more important personal data and transactions are handled through Web services, and Web application security has become increasingly important. In academia and industry there are many techniques and tools that help Web application developers detect security vulnerabilities such as cross-site scripting and SQL injection. Through approximation, the tools developed by industry and academia can identify most vulnerabilities with few misses, but at the same time they produce false-positive cases, which often require a great deal of manual effort and time to re-examine and are therefore very costly.
In this thesis, we address false positives that result from incomplete dataflow analysis for cross-site scripting and SQL injection. For a Web application, incomplete dataflow analysis has three causes: first, the analysis technique does not cross the boundary between the server-side and client-side programming languages; second, it does not cross the database; third, it does not take system configuration files into consideration. To resolve incomplete dataflow analysis, we translate the server-side programs, client-side programs, database and system configuration files of a Web application into an integrated environment in a single programming language, namely CIL. CIL has many static analysis modules, such as control-flow analysis and dataflow analysis modules; once we translate a website into CIL code, we can use the analysis modules CIL provides. To translate a website into the CIL-based integrated environment, we extract the client-side code from the server-side code and translate the server-side and client-side code into CIL code separately; we also translate the database into a CIL data structure that simulates the database's storage behavior; further, we translate the system configuration files into constraints on dataflows in CIL; finally, we integrate the CIL elements translated from the website's components into a single CIL program. By analyzing this CIL program we obtain more complete dataflows and further reduce the false positives caused by incomplete dataflow analysis. | zh_TW |
dc.description.abstract | Web application security has become more and more important in recent years. There are several analysis techniques and tools in industry helping Web application developers to detect a variety of security vulnerabilities, such as Cross-Site Scripting and SQL Injection. There are also several static analysis techniques and tools proposed by academia for Web application security. By over-approximation, these analysis techniques and tools can identify almost all security vulnerabilities, but produce excessive numbers of false positives. This causes a serious problem, as code reviewers will have to manually remove these false positives, which is very time-consuming. In this thesis, we focus on reducing false positives which result from incomplete dataflow analysis for two kinds of vulnerabilities, Cross-Site Scripting and SQL Injection. The main cause of incomplete dataflow analysis is that client-side programs, including client-side scripts and HTML code, are dynamically generated by server-side programs. The recent analysis techniques and tools do not trace dataflows across the boundary between the server-side and client-side programs. Moreover, the analysis techniques and tools do not trace dataflows across the database and do not take configuration files into consideration. To solve these problems, we propose to translate server-side programs, client-side programs, database and configuration files of Web applications into a one-language representation, namely CIL (C Intermediate Language). CIL comes with a library of analysis modules for C programs which we can leverage to perform different kinds of program analyses, including control flow analysis and dataflow analysis. We extract a client-side program for each webpage by static analysis and invoke it when the corresponding server-side program executes. In addition, we maintain structures in CIL that simulate the database and the HTML DOM. Finally, we define entry points of the Web application according to configuration files. Through analyzing the comprehensive suite of CIL programs translated from a website, we can identify Web application security vulnerabilities more precisely, and therefore solve the problem of false positives that come from incomplete dataflow analysis. | en |
dc.description.provenance | Made available in DSpace on 2021-06-15T05:55:26Z (GMT). No. of bitstreams: 1 ntu-99-R97725024-1.pdf: 2558024 bytes, checksum: 26ab4695677fbd45aa3ae7f4bbf554ff (MD5) Previous issue date: 2010 | en |
dc.description.tableofcontents | 1 Introduction (p. 1)
1.1 Background (p. 1)
1.2 Motivation (p. 1)
1.2.1 Incomplete Dataflow Analysis (p. 1)
1.2.2 A Motivating Example (p. 3)
1.3 Objectives (p. 8)
2 Related work (p. 9)
2.1 Translating server-side languages into CIL (p. 9)
2.1.1 Handling Variables of Type Mixed (p. 10)
2.1.2 Handling Variable Variables (p. 11)
2.1.3 Handling arrays of string index (p. 13)
2.2 Web Application Slicing (p. 15)
2.3 Static Analysis Techniques for Web Application Security (p. 23)
2.3.1 Automata-Based Static Analysis Technique (p. 23)
2.3.2 Grammar-Based Static Analysis Technique (p. 25)
2.3.3 Other Static Analysis Technique (p. 29)
3 An Overview of the Integrated Environment (p. 34)
3.1 The Architecture of the Environment (p. 34)
3.2 The Intermediate Representation of a Website (p. 35)
3.3 The Simulation of Visiting a Website (p. 35)
3.4 The Process of Building up the Intermediate Representation (p. 38)
4 Techniques of Translation (p. 42)
4.1 Translate Javascript into CIL (p. 42)
4.1.1 Conversion of Javascript Variables (p. 42)
4.1.2 Conversion of Javascript Constants (p. 43)
4.1.3 Conversion of Javascript Assignments (p. 44)
4.1.4 Conversion of Javascript Operators (p. 45)
4.1.5 Conversion of Javascript Functions (p. 47)
4.1.6 Conversion of Javascript Objects (p. 48)
4.2 Translate HTML DOM into CIL (p. 50)
4.2.1 Conversion of HTML DOM Objects (p. 50)
4.2.2 Conversion of the Tree-Structure of HTML DOM Document (p. 53)
4.3 Translate MySQL Database Schema into CIL (p. 56)
4.4 Translate SQL into CIL (p. 59)
4.5 Translate Configurations into CIL (p. 62)
5 Code Extraction of Client-Side Programs (p. 64)
5.1 The Classification of CIL Statements (p. 64)
5.2 The Hypothesis for Code Extraction in the Environment (p. 65)
5.3 Code Extraction (p. 67)
5.3.1 Code Extraction for Function Calls for Atomic Output Functions (p. 67)
5.3.2 Code Extraction for Control Flow Blocks (p. 68)
5.3.3 Code Extraction for Function Calls for User-Defined Output Functions (p. 71)
5.3.4 Code Extraction for Variables (p. 71)
6 Implementation and Experiments (p. 75)
6.1 Implementation (p. 75)
6.2 Experimental Results (p. 76)
7 Conclusion (p. 81)
7.1 Contributions (p. 82)
7.2 Further work (p. 83)
Bibliography (p. 85) | |
dc.language.iso | en | |
dc.title | An Integrated Environment for Analyzing Web Application Security | zh_TW |
dc.title | An Integrated Environment for Analyzing Web Application Security | en |
dc.type | Thesis | |
dc.date.schoolyear | 98-2 | |
dc.description.degree | Master's | |
dc.contributor.oralexamcommittee | 陳恭,查士朝 | |
dc.subject.keyword | Security Vulnerabilities, Web Applications, Static Analysis, Dataflow, Integrated Environment, CIL | zh_TW |
dc.subject.keyword | Security Vulnerabilities, Web Applications, Dataflow, Integrated Environment, CIL, Static Analysis | en |
dc.relation.page | 87 | |
dc.rights.note | Licensed for a fee | |
dc.date.accepted | 2010-08-18 | |
dc.contributor.author-college | College of Management | zh_TW |
dc.contributor.author-dept | Graduate Institute of Information Management | zh_TW |
Appears in Collections: | Department of Information Management |
Files in this item:
File | Size | Format | |
---|---|---|---|
ntu-99-1.pdf (currently not authorized for public access) | 2.5 MB | Adobe PDF |
All items in the system are protected by copyright, with all rights reserved, unless their copyright terms are specifically indicated.