Please use this Handle URI to cite this document: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/60855
Full metadata record
DC field: value (language)
dc.contributor.advisor: 蔡益坤 (Yih-Kuen Tsay)
dc.contributor.author: Wei-Hsien Chang (en)
dc.contributor.author: 張暐獻 (zh_TW)
dc.date.accessioned: 2021-06-16T10:33:16Z
dc.date.available: 2013-08-20
dc.date.copyright: 2013-08-20
dc.date.issued: 2013
dc.date.submitted: 2013-08-14
dc.identifier.citation:
[1] Davide Balzarotti, Marco Cova, Vika Felmetsger, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna. Saner: Composing static and dynamic analysis to validate sanitization in Web applications. In Proceedings of the 2008 IEEE Symposium on Security and Privacy, pages 387-401. IEEE Computer Society, 2008.
[2] Davide Balzarotti, Marco Cova, Viktoria Felmetsger, and Giovanni Vigna. Multimodule vulnerability analysis of Web-based applications. In Proceedings of the 14th ACM Conference on Computer and Communications Security, pages 25-35, 2007.
[3] Wontae Choi, Baris Aktemur, Kwangkeun Yi, and Makoto Tatsuta. Static analysis of multi-staged programs via unstaging translation. In Proceedings of the 38th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 81-92, 2011.
[4] Chen-I Chung. A static analyzer for PHP Web applications. Master's thesis, National Taiwan University, 2009.
[5] Laurent Deniau. The C object system: Using C as a high-level object-oriented language. CoRR, abs/1003.2547, 2010.
[6] Nenad Jovanovic, Christopher Kruegel, and Engin Kirda. Pixy: A static analysis tool for detecting Web application vulnerabilities (short paper). In Proceedings of the 2006 IEEE Symposium on Security and Privacy, pages 258-263. IEEE Computer Society, 2006.
[7] Nenad Jovanovic, Christopher Kruegel, and Engin Kirda. Precise alias analysis for static detection of Web application vulnerabilities. In Proceedings of the 2006 Workshop on Programming Languages and Analysis for Security PLAS '06, pages 27-36. ACM, 2006.
[8] Adam Kiezun, Philip J. Guo, Karthick Jayaraman, and Michael D. Ernst. Automatic creation of SQL injection and Cross-site scripting attacks. In Proceedings of the 2009 IEEE 31st International Conference on Software Engineering, pages 199-209. IEEE Computer Society, 2009.
[9] George C. Necula, Scott Mcpeak, S. P. Rahul, and Westley Weimer. CIL: Intermediate language and tools for analysis and transformation of C programs. In International Conference on Compiler Construction, pages 213-228, 2002.
[10] Ocaml. Ocaml programming language. http://caml.inria.fr/, 2008.
[11] OWASP. Top 10 2007. https://www.owasp.org/index.php/Top_10_2007, 2007.
[12] OWASP. Top 10 2010. https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project, 2010.
[13] Jen-Feng Shih. An integrated analyzer for verifying Web application security. Master's thesis, National Taiwan University, 2010.
[14] TIOBE Software. TIOBE programming community index for December 2012. http://www.tiobe.com/index.php/content/paperinfo/tpci/index.html, 2012.
[15] Internet World Stats. Internet usage statistics. http://www.internetworldstats.com/stats.htm, 2012.
[16] Chih-Pin Tai. An integrated environment for analyzing Web application security. Master's thesis, National Taiwan University, 2010.
[17] Wikipedia. Client-side scripting. http://en.wikipedia.org/wiki/Client-side_scripting.
[18] Wikipedia. Facebook. http://en.wikipedia.org/wiki/Facebook.
[19] Wikipedia. PHP. http://en.wikipedia.org/wiki/PHP.
[20] Wikipedia. Server-side scripting. http://en.wikipedia.org/wiki/Server-side_scripting.
[21] Wikipedia. Yahoo! http://en.wikipedia.org/wiki/Yahoo.
[22] Yichen Xie and Alex Aiken. Static detection of security vulnerabilities in scripting languages. In USENIX-SS'06: Proceedings of the 15th Conference on USENIX Security Symposium, pages 179-192. USENIX Association, 2006.
[23] Rui-Yuan Yeh. An improved static analyzer for verifying PHP Web application security. Master's thesis, National Taiwan University, 2009.
[24] Fang Yu, Muath Alkhalaf, and Tevfik Bultan. Generating vulnerability signatures for string manipulating programs using automata-based forward and backward symbolic analyses. In Automated Software Engineering, pages 605-609, 2009.
[25] Fang Yu, Muath Alkhalaf, and Tevfik Bultan. Stranger: An automata-based string analysis tool for PHP. In Tools and Algorithms for the Construction and Analysis of Systems, pages 154-157, 2010.
[26] Sheng-Feng Yu. Automatic generation of penetration test cases for Web applications. Master's thesis, National Taiwan University, 2010.
dc.identifier.uri: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/60855
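dc.description.abstract (zh_TW):
In recent years, numerous Web applications have flourished and come to serve users of the Internet. As Web applications have become widespread, their security problems have become increasingly important. There is already much research on how to detect whether a Web application contains security vulnerabilities; although these analyses can find many different kinds of vulnerabilities, there is still room for improvement in their precision.
For many years our laboratory has been developing CANTU, an analysis tool for Web applications. CANTU tries to combine static analysis and dynamic analysis to increase precision. In the static analysis part, CANTU translates the target language while preserving the program's complete data flow as far as possible, and performs data flow analysis on it; in the dynamic analysis part, CANTU tries to dynamically find attack scenarios to confirm that the vulnerabilities found by static analysis are real.
However, these functions were researched and developed separately and were not fully integrated on the CANTU platform. In this thesis, we attempt to actually integrate these functions in CANTU. In the static analysis part, we use a PHP code analyzer to perform intra-procedural and inter-procedural data flow analysis, including the handling of aliasing, and from it detect SQL injection and cross-site scripting (XSS) vulnerabilities; in addition, we build a JavaScript code analyzer from the existing PHP analyzer, attempting to find possible DOM-based cross-site scripting within the same file. In the dynamic analysis part, we combine simple dynamic analysis confirmation with static analysis. At the same time, so that the PHP and JavaScript code analyzers can be used by CANTU immediately, we adopt an interim analysis architecture to analyze the program under test, so that CANTU can analyze JavaScript code embedded in PHP applications.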
dc.description.abstract (en):
Numerous Web applications have emerged in recent years to serve Internet users. As the number of users of Web applications grows dramatically, the security of Web applications becomes more and more important as well. There has been much research on detecting vulnerabilities of Web applications. Although the proposed approaches can detect a lot of vulnerabilities, there is still room for improvement in terms of precision.
Aiming at an analysis tool that can detect vulnerabilities of Web applications as precisely as possible, our laboratory has been developing a tool called CANTU for several years. CANTU tries to combine static analysis and dynamic analysis. In the static analysis phase, CANTU tries to compute the complete dataflow of a program and perform analysis upon it. In the dynamic analysis phase, CANTU tries to generate and execute the corresponding attack scenarios of the program under analysis so that it can confirm the true positives reported by static analysis.
However, the various components of CANTU were implemented separately and not fully integrated. In this thesis, we put some of these functionalities together. In the static analysis phase, we use a PHP analyzer that performs intra-procedural and inter-procedural dataflow analysis and alias analysis for SQL injection and cross-site scripting vulnerabilities. We also construct a JavaScript analyzer based on the same structure as the PHP analyzer to perform the same analysis procedure for DOM-based cross-site scripting vulnerabilities. In the dynamic analysis phase, we integrate the generation of test cases with the static analysis. To put both PHP and JavaScript analyzers into immediate use, we design an interim analysis architecture so that CANTU can analyze PHP Web applications embedded with JavaScript code.
dc.description.provenance (en):
Made available in DSpace on 2021-06-16T10:33:16Z (GMT). No. of bitstreams: 1
ntu-102-R00725018-1.pdf: 2294603 bytes, checksum: 4f92b8fc1223b0bcce5b50b37b7b200d (MD5)
Previous issue date: 2013
dc.description.tableofcontents:
1 Introduction
  1.1 Background
  1.2 Motivation and Objectives
  1.3 Thesis Outline
2 Preliminaries
  2.1 Web Application Security Vulnerabilities
    2.1.1 Injection
    2.1.2 Cross Site Scripting
  2.2 Web Application Scripting
    2.2.1 Server-side Scripting
    2.2.2 Client-side Scripting
  2.3 Analysis Approaches
    2.3.1 Static Analysis
    2.3.2 Dynamic Analysis
3 Related Work
  3.1 Analysis Tools
    3.1.1 A Static Analysis Algorithm by Xie and Aiken
    3.1.2 Pixy: An Open Source Static Analysis Tool
    3.1.3 Saner: Composing Static and Dynamic Analysis
    3.1.4 Stranger: An Automata-Based PHP String Analysis Tool
  3.2 Multi-Module Application
    3.2.1 Multi-Module Vulnerability Analysis of Web-based Applications
    3.2.2 Static Analysis of Multi-Staged Programs via Unstaging Translation
  3.3 Automatic Test Case Creation
4 Approach
  4.1 CANTU Overview
    4.1.1 Static Analyzer
    4.1.2 Multi-module Analyzer
    4.1.3 Automatic Generation of Penetration Test Cases
    4.1.4 Summary
  4.2 CIL Translation
    4.2.1 Introduction to CIL
    4.2.2 Translation from PHP to CIL
    4.2.3 Translation from JavaScript to CIL
  4.3 Vulnerabilities Detection of CANTU
    4.3.1 Taint Data flow Analysis
    4.3.2 Dynamic Analysis Confirmation
5 Implementation and Experiments
  5.1 Implementation
  5.2 Experiments
6 Conclusion
  6.1 Contributions
  6.2 Future Work
Bibliography
dc.language.iso: en
dc.subject: Dynamic analysis (zh_TW)
dc.subject: Data flow analysis (zh_TW)
dc.subject: Static analysis (zh_TW)
dc.subject: Verification (zh_TW)
dc.subject: Web application security (zh_TW)
dc.subject: Web Applications Security (en)
dc.subject: Dynamic Analysis (en)
dc.subject: Static Analysis (en)
dc.subject: Verification (en)
dc.subject: Web Applications (en)
dc.subject: Data flow Analysis (en)
dc.title: Integration and Improvement of the Functional Modules of CANTU, a Web Application Security Analysis Tool (zh_TW)
dc.title: CANTU Improved for Integrated Analysis of Web Application Security (en)
dc.type: Thesis
dc.date.schoolyear: 101-2
dc.description.degree: Master's
dc.contributor.oralexamcommittee: 王柏堯 (Bow-Yaw Wang), 陳郁方 (Yu-Fang Chen)
dc.subject.keyword: Data flow analysis, dynamic analysis, static analysis, verification, Web application security (zh_TW)
dc.subject.keyword: Data flow Analysis, Dynamic Analysis, Static Analysis, Verification, Web Applications, Web Applications Security (en)
dc.relation.page: 54
dc.rights.note: Paid license
dc.date.accepted: 2013-08-14
dc.contributor.author-college: College of Management (zh_TW)
dc.contributor.author-dept: Graduate Institute of Information Management (zh_TW)
Appears in collections: Department of Information Management

Files in this item:
File: ntu-102-1.pdf (not authorized for public access)
Size: 2.24 MB
Format: Adobe PDF