Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/10675

Full metadata record

| DC field | Value | Language |
|---|---|---|
| dc.contributor.advisor | 蔡益坤 | |
| dc.contributor.author | Rui-Yuan Yeh | en |
| dc.contributor.author | 葉睿元 | zh_TW |
| dc.date.accessioned | 2021-05-20T21:49:04Z | - |
| dc.date.available | 2010-08-06 | |
| dc.date.available | 2021-05-20T21:49:04Z | - |
| dc.date.copyright | 2010-08-06 | |
| dc.date.issued | 2010 | |
| dc.date.submitted | 2010-08-02 | |
| dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/10675 | - |
| dc.description.abstract | The importance of Web applications has increased continually in recent years. As more and more services are delivered through Web applications, they have become a major target of security attacks. In addition, Web applications are often implemented by programmers under time-to-market pressure and with limited security skills. These situations result in an increasing security threat that may lead to the compromise of sensitive information. Because security vulnerabilities are often rather intricate, especially when the relevant code spans many different functions and source files, finding all potential vulnerabilities without the assistance of an automated tool is impractical. PHP is one of the most popular languages for Web application development. To detect security vulnerabilities in PHP Web applications, many program analysis techniques, in particular static analysis approaches, have been developed.
In this thesis, we design and implement a static code analysis tool for PHP that improves over an existing analyzer. Our tool translates a PHP program into a CIL program and applies taint analysis on the CIL representation. We support most PHP5 features and preserve the semantics of the source program in our translation. The new object-oriented features in PHP5 introduce new vulnerable points in programs. We also design and implement interprocedural analysis and alias analysis algorithms which provide support for the object-oriented features of PHP. Our interprocedural analysis allows taint analysis to cross function boundaries and provides more precise and complete analysis results. Alias analysis can discover the relationship between variables that are mapped to the same memory location in a program. Finally, we demonstrate the effectiveness of our approach by detecting XSS vulnerabilities that cross object and alias relationships. We also confirm these vulnerabilities by executing our CIL representation as well as the original PHP source programs. | en |
| dc.description.provenance | Made available in DSpace on 2021-05-20T21:49:04Z (GMT). No. of bitstreams: 1 ntu-99-R97725042-1.pdf: 16981782 bytes, checksum: fc83c3640978e68a88e5c6f5c5bae1ce (MD5) Previous issue date: 2010 | en |
| dc.description.tableofcontents | 1 Introduction<br>1.1 Background<br>1.2 Motivation and Objectives<br>1.3 Thesis Outline<br>2 Related Work<br>2.1 Pixy: An Open Source Static Analysis Tool<br>2.1.1 Aliases in PHP<br>2.1.2 Intraprocedural Alias Analysis<br>2.1.3 Interprocedural Alias Analysis<br>2.1.4 Discussion<br>2.2 A Static Analysis Algorithm by Xie and Aiken<br>2.2.1 Intrablock Analysis<br>2.2.2 Intraprocedural Analysis<br>2.2.3 Interprocedural Analysis<br>2.2.4 Discussion<br>2.3 Saner: Composing Static and Dynamic Analysis<br>2.3.1 Sanitization-Aware Static Analysis<br>2.3.2 Testing Sanitization Routines<br>2.3.3 Discussion<br>2.4 Stranger: An Automata-Based PHP String Analysis Tool<br>2.4.1 Stranger Architecture<br>2.4.2 Discussion<br>2.5 A Static Analyzer by Chung<br>2.5.1 Conversion of PHP Variables and Arrays<br>2.5.2 Conversion of Accessing and Assigning Variables<br>2.5.3 Conversion of PHP Foreach Statement<br>2.5.4 Conversion of PHP User-Defined Functions and Built-In Functions<br>2.5.5 PHP Dynamic File Inclusion<br>2.5.6 Taint Data Flow Analysis<br>2.6 Summary of Related Tools<br>3 Preliminaries<br>3.1 Critical Web Application Security Vulnerabilities<br>3.1.1 Injection<br>3.1.2 Cross-Site Scripting (XSS)<br>3.1.3 Effective Defenses for SQL Injection and XSS<br>3.1.4 Security Misconfiguration<br>3.1.5 Unvalidated Redirects and Forwards<br>3.2 Static Single Assignment Form<br>3.3 The C Intermediate Language<br>3.3.1 Control Flow Graph<br>3.3.2 Data Flow Analysis Framework<br>3.3.3 Points-to Analysis<br>3.4 Abstract Syntax Tree<br>4 Translation and Static Analysis<br>4.1 Translation of PHP5 Language Features to CIL<br>4.1.1 Adjustments for Basic Structures and Auxiliary Functions<br>4.1.2 Translation of Class and Object<br>4.1.3 Translation of Inheritance<br>4.1.4 Translation of Magic Functions<br>4.1.5 Translation of Try-Catch Exception<br>4.1.6 Translation of Reference Assignment and Object Assignment<br>4.1.7 Translation of Static Member and Class Constant<br>4.1.8 Translation of Namespace<br>4.2 Interprocedural Analysis and Alias Analysis<br>4.2.1 Interprocedural Taint Analysis<br>4.2.2 Alias Taint Analysis<br>4.2.3 Basic Dynamic Vulnerability Confirmation<br>5 Implementation and Experiments<br>5.1 Implementation<br>5.2 Experimental Results<br>6 Conclusion<br>6.1 Contributions<br>6.2 Further Work<br>Appendix<br>Bibliography | |
| dc.language.iso | en | |
| dc.title | 一個進階的PHP網頁應用程式安全驗證之靜態分析工具 | zh_TW |
| dc.title | An Improved Static Analyzer for Verifying PHP Web Application Security | en |
| dc.type | Thesis | |
| dc.date.schoolyear | 98-2 | |
| dc.description.degree | Master's | |
| dc.contributor.oralexamcommittee | 陳恭,查士朝 | |
| dc.subject.keyword | 靜態分析,資料流分析,網站應用程式安全,別名分析,安全性弱點,驗證, | zh_TW |
| dc.subject.keyword | Static Analysis,Dataflow Analysis,Web Application Security,Alias Analysis,Security Vulnerability,Verification, | en |
| dc.relation.page | 80 | |
| dc.rights.note | Authorization granted (open access worldwide) | |
| dc.date.accepted | 2010-08-03 | |
| dc.contributor.author-college | College of Management | zh_TW |
| dc.contributor.author-dept | Graduate Institute of Information Management | zh_TW |
| Appears in Collections: | Department of Information Management | |

Files in this item:

| File | Size | Format | |
|---|---|---|---|
| ntu-99-1.pdf | 16.58 MB | Adobe PDF | View/Open |

All items in the repository are protected by copyright, with all rights reserved, unless otherwise indicated.
