Please use this identifier to cite or link to this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/49266
Title: | 為分析動態網頁應用程式設計之框架 A Framework for Dynamic Web Application Code Analysis |
Authors: | Hung-Wei Hsu 許宏瑋 |
Advisor: | 蔡益坤(Yih-Kuen Tsay) |
Keyword: | 分析模組化,程式碼分析工具,動態分析,框架,模組化分析,腳本語言,安全性漏洞,靜態分析,網頁應用程式安全性分析, Analysis Modularity,Code Analyzer,Dynamic Analysis,Framework,Modular Analysis,Scripting Language,Security Vulnerability,Static Analysis,Web Application Security, |
Publication Year : | 2016 |
Degree: | 碩士 |
Abstract: | 由於其重要性,在過去二十多年間網頁應用的安全性已被多所研究。程式分析是強化網頁應用安全性的手段之一。雖然已有眾多程式分析的手法被提出與討論,在「如何能有效漸進地、模組化地獲得與組合程式片段之分析結果,以完成更全面之分析」方面,仍有許多探索研究的價值。在這篇論文中,我們將此考量稱為「模組化分析」議題。掌握如何良好地實現程式模組化分析之知識,在建構分析力或效率更強之分析工具、設計結果可有效重用之分析方法等方面上,是十分關鍵的一環。由於在目前已提出的網頁程式安全性分析手法中,模組化分析的探討不多,我們於是思考如何改動或重新設計這些分析手法以強化其分析之模組化程度、進一步來發展能力更為優秀的分析手段。我們希望設計一個分析框架來引導、規範,使我們於上述議題的探索能夠有系統、並能產出具有良好擴展性的成果。該框架為達此一目標,其本身也必須具良好的通用性與可擴展性。
在此論文中,我們提出一個能支援多語言、動靜態混合分析的分析框架。它將可被用來規範、組織許多不同的動、靜態分析技巧之實作,並用以整合針對不同程式語言所發展的分析手段。我們認為在此設計上發展,能夠達成我們對於通用性與可擴展性的期望。透過在此框架的規範下建構一個分析工具的雛形實作,我們來驗證運用該框架的效果。我們以一個近期被提出之PHP網頁應用安全性污點分析分析手法作為參考對象,顯示在框架的引導下修改與實作之,改動過後的手法較之原版本在處理靜態分析中「難以確定調用對象」的問題上具有更好的準確度與分析模組化程度。實作其他已知的分析手法,並對之進行改動、實驗以發展更具良好分析模組化特性、能力更強之分析手法,在此框架的環境之中,將能夠進行得更加容易。 Because of its importance,Web application security has been researched for over twenty years. Code analysis is one of the approaches to enhance Web application security. Among all the code analysis methods, there is a very valuable part to be improved: the techniques to effectively compose known analysis results of code segments into an informative analysis summary for a larger code segment. In this thesis, we refer to such concern as the analysis modularity issue. The knowledge of analysis modularity plays an important role when one wants the outputs of his analysis routines to be reusable or wants to build a smarter code analyzer with better performance. Since most of the code analysis approaches targeting Web application security do not address the analysis modularity issue, we investigate how to redesign the approaches to improve their level of analysis modularity. We aim at a framework to make the investigations systematic and the outcomes of them sustainable and extendable. To match the goal, the framework itself should also be generic and extendable. In this thesis, we propose a design of a multi-language, hybrid approach framework that can be used to organize the implementations of both static and dynamic analysis techniques, supporting the analyses that cross different dynamic languages. We believe that it fulfills our requirements. We have implemented a prototype that demonstrates some advantages of our design. By taking the latest summary-based security taint analysis approach for PHP Web applications as an example, we show that after being included into our framework and properly adapted, the approach provides better precision and analysis modularity on handling the unknown call site problem. Implementing other kinds of analyses and experimenting on them to find ways to improve analysis modularity and performance can be made easier based on our framework. |
URI: | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/49266 |
DOI: | 10.6342/NTU201603383 |
Fulltext Rights: | 有償授權 |
Appears in Collections: | 資訊管理學系 |
Files in This Item:
File | Size | Format | |
---|---|---|---|
ntu-105-1.pdf Restricted Access | 889.38 kB | Adobe PDF |
Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.