Please use this Handle URI to cite this item: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/77667

Full metadata record (DC field: value [language])

dc.contributor.advisor: 孫雅麗 (Yea-Li Sun)
dc.contributor.author: Chuan-Ju Chou [en]
dc.contributor.author: 周詮儒 [zh_TW]
dc.date.accessioned: 2021-07-10T22:14:43Z
dc.date.available: 2021-07-10T22:14:43Z
dc.date.copyright: 2017-09-03
dc.date.issued: 2017
dc.date.submitted: 2017-09-01
dc.identifier.citation:
[1] Trend Micro TrendLabs 2015 Annual Security Roundup. Available from: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt-setting-the-stage.pdf
[2] Document Object Model. Available from: https://developer.mozilla.org/zh-TW/docs/Web/API/Document_Object_Model
[3] Same-origin policy. Available from: https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
[4] Strict mode. Available from: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Strict_mode
[5] Jian Chiang, Krishna K. Venkatasubramanian, Andrew G. West, Insup Lee, Analyzing and Defending Against Web-Based Malware. ACM Computing Surveys (CSUR), 2013.
[6] Google V8 engine. Available from: https://developers.google.com/v8
[7] Oystein Hallaraker and Giovanni Vigna, Detecting Malicious JavaScript Code in Mozilla. 10th IEEE International Conference on Engineering of Complex Computer Systems (ICECCS), 2005.
[8] Marco Cova, Christopher Kruegel, and Giovanni Vigna, Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code. 19th International Conference on World Wide Web (WWW), 2010.
[9] Daniel Hedin and Andrei Sabelfeld, Information-Flow Security for a Core of JavaScript. IEEE 25th Computer Security Foundations Symposium (CSF), 2012.
[10] Daniel Hedin, Arnar Birgisson, Luciano Bello, and Andrei Sabelfeld, JSFlow: Tracking Information Flow in JavaScript and its APIs. 29th Annual ACM Symposium on Applied Computing, 2014.
[11] Jonas Magazinius, Daniel Hedin, and Andrei Sabelfeld, Architectures for Inlining Security Monitors in Web Applications. 6th International Symposium on Engineering Secure Software and Systems (ESSoS), 2014.
[12] Alexandros Kapravelos, Chris Grier, Neha Chachra, Christopher Kruegel, Giovanni Vigna, Vern Paxson, Hulk: Eliciting Malicious Behavior in Browser Extensions. 23rd USENIX Security Symposium, 2014.
[13] Junjie Wang, Yinxing Xue, Yang Liu, Tian Huat Tan, JSDC: A Hybrid Approach for JavaScript Malware Detection and Classification. 10th ACM Symposium on Information, Computer and Communications Security (ASIA CCS), 2015.
[14] NPAPI, Wikipedia. Available from: https://zh.wikipedia.org/wiki/NPAPI
[15] Yaoqi Jia, Xinshu Dong, Zhenkai Liang, Prateek Saxena, I Know Where You've Been: Geo-Inference Attacks via the Browser Cache. IEEE Internet Computing, 2014.
[16] Sebastian Lekies, Ben Stock, Martin Wentzel, Martin Johns, The Unexpected Dangers of Dynamic JavaScript. 24th USENIX Security Symposium, 2015.
[17] Yossef Oren, Vasileios Kemerlis, Simha Sethumadhavan, Angelos Keromytis, The Spy in the Sandbox: Practical Cache Attacks in JavaScript and their Implications. 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS), 2015.
[18] Omar Ismail, Masashi Etoh, Youki Kadobayashi, Suguru Yamaguchi, A Proposal and Implementation of Automatic Detection/Collection System for Cross-Site Scripting Vulnerability. 18th International Conference on Advanced Information Networking and Applications (AINA), 2004.
[19] Salvatore Guarnieri and Benjamin Livshits, GATEKEEPER: Mostly Static Enforcement of Security and Reliability Policies for JavaScript Code. 18th USENIX Security Symposium, 2009.
[20] Leo A. Meyerovich and Benjamin Livshits, CONSCRIPT: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser. IEEE Symposium on Security and Privacy, 2010.
[21] Davide Canali, Marco Cova, Giovanni Vigna, Christopher Kruegel, Prophiler: A Fast Filter for the Large-Scale Detection of Malicious Web Pages. 20th International Conference on World Wide Web (WWW '11), 2011.
[22] Nick Nikiforakis, Luca Invernizzi, Alexandros Kapravelos, Steven Van Acker, Wouter Joosen, Christopher Kruegel, Frank Piessens, Giovanni Vigna, You Are What You Include: Large-scale Evaluation of Remote JavaScript Inclusions. ACM Conference on Computer and Communications Security (CCS), 2012.
[23] Alexandros Kapravelos, Yan Shoshitaishvili, Marco Cova, Christopher Kruegel, Giovanni Vigna, Revolver: An Automated Approach to the Detection of Evasive Web-based Malware. 22nd USENIX Security Symposium, 2013.
[24] Alexa top 500 sites. Available from: http://www.alexa.com/topsites
dc.identifier.uri: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/77667
dc.description.abstract [zh_TW]: Modern web technology has advanced rapidly, largely thanks to the development of the JavaScript language, which lets web applications offer more and more functionality. Software vendors have gradually shifted the battleground from desktop application software to mobile apps and web applications; compared with mobile apps, web applications have the added advantage of cross-platform support, which gives them a very large user base, and JavaScript will only become more convenient and simpler in the future. However, this also gives attackers a medium for spreading malware.
To address this, this thesis designs and implements a system that records the execution of the JavaScript code on a target web page and generates a profile. This profile represents the execution behavior of the target page's JavaScript code, and we expect it to be useful in the future for malware analysis, detection of code plagiarism, or debugging.
dc.description.abstract [en]: Web applications are getting more and more popular these days. The language "JavaScript" plays an important role in the evolution of web technology. Developers can include third-party code to reduce development effort or to profit from online ads. However, this may also allow attackers to publish their malicious code on the Internet, exposing users to risk.
We design and develop a system which generates a profile of the JavaScript execution on a web page. This profile describes the behavior of the JavaScript code. We hope the profile can be used for malware analysis, code plagiarism detection, or debugging in the future.
dc.description.provenance [en]: Made available in DSpace on 2021-07-10T22:14:43Z (GMT). No. of bitstreams: 1
ntu-106-R04725019-1.pdf: 1711661 bytes, checksum: cca817022450745c5f66f19f52de074f (MD5)
Previous issue date: 2017
dc.description.tableofcontents:
Acknowledgements
Chinese Abstract
Abstract
Table of Contents
List of Figures
List of Tables
Chapter 1 Introduction
  Section 1 Research Motivation
  Section 2 Research Objectives
  Section 3 Contributions
Chapter 2 Background
  Section 1 Introduction to JavaScript
  Section 2 Including JavaScript in Web Pages
  Section 3 JavaScript Code Obfuscation Techniques
  Section 4 Same-origin Policy
  Section 5 JavaScript Strict Mode
Chapter 3 Literature Review
  Section 1 Overview of Malicious JavaScript Analysis
  Section 2 JavaScript Analysis Methods
    1. Google V8 Engine
    2. Hallaraker's Work
    3. Cova's Work
    4. JSFlow
    5. Hulk
    6. JSDC
    7. Summary
  Section 3 JavaScript Attack Techniques
    1. Cross-site Scripting
    2. Drive-by Download
    3. Geo-inference Attack
    4. Cross-site Script Inclusion
    5. Cache Attack in JavaScript
  Section 4 Other Web Security Research
    1. Ismail's Work
    2. GATEKEEPER
    3. CONSCRIPT
    4. Prophiler
    5. Nikiforakis's Work
    6. Revolver
Chapter 4 System Design and Implementation
  Section 1 System Architecture
    1. Intercept Full HTML at the Proxy
    2. Inject the Profiler's Code
    3. Run the Modified HTML on the Proxy
  Section 2 Profiler Implementation
    1. Tokenization
    2. Parsing
    3. Execution and Profiling
    4. Saving the Profile as a File
  Section 3 Key APIs
    1. Dynamic Code Execution
    2. DOM Operation
    3. XMLHttpRequest
    4. Window
    5. Event Listener
    6. Time
Chapter 5 Experiments
  Section 1 Experiment Design
  Section 2 Experiment Procedure
  Section 3 Experiment Results
Chapter 6 Conclusion and Future Work
References
dc.language.iso: zh-TW
dc.subject: JavaScript interpreter [zh_TW]
dc.subject: Web security [zh_TW]
dc.subject: Malicious web page [zh_TW]
dc.subject: JavaScript API profiling [zh_TW]
dc.subject: Program behavior profiling [zh_TW]
dc.subject: JavaScript interpreter [en]
dc.subject: JavaScript API profiling [en]
dc.subject: malicious webpage [en]
dc.subject: program behavior profile [en]
dc.subject: Web security [en]
dc.title: Real-time Profiling of JavaScript Embedded in Web Pages (網頁內嵌JavaScript即時側錄) [zh_TW]
dc.title: Real-time Profiling of Embedded JavaScript APIs in Web Pages [en]
dc.type: Thesis
dc.date.schoolyear: 105-2
dc.description.degree: Master
dc.contributor.oralexamcommittee: 陳孟彰 (Meng-Chang Chen), 蕭舜文 (Shun-Wen Hsiao), 郁方 (Fang Yu)
dc.subject.keyword: Web security, malicious web page, JavaScript API profiling, JavaScript interpreter, program behavior profiling [zh_TW]
dc.subject.keyword: Web security, malicious webpage, JavaScript API profiling, JavaScript interpreter, program behavior profile [en]
dc.relation.page: 52
dc.identifier.doi: 10.6342/NTU201704194
dc.rights.note: Not authorized (no public release)
dc.date.accepted: 2017-09-01
dc.contributor.author-college: College of Management [zh_TW]
dc.contributor.author-dept: Graduate Institute of Information Management [zh_TW]
Appears in Collections: Department of Information Management

Files in this item:
File: ntu-106-R04725019-1.pdf
Access: not authorized for public access
Size: 1.67 MB
Format: Adobe PDF

