Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/42377
Full metadata record
DC Field | Value | Language |
---|---|---|
dc.contributor.advisor | 蔡益坤 | |
dc.contributor.author | Chen-I Chung | en |
dc.contributor.author | 鍾正一 | zh_TW |
dc.date.accessioned | 2021-06-15T01:12:51Z | - |
dc.date.available | 2009-07-31 | |
dc.date.copyright | 2009-07-31 | |
dc.date.issued | 2008 | |
dc.date.submitted | 2009-07-29 | |
dc.identifier.citation | [1] John Aycock and R. Nigel Horspool. Simple generation of static single-assignment form. In CC '00: Proceedings of the 9th International Conference on Compiler Construction, pages 110-124. Springer-Verlag, 2000.
[2] Aske Simon Christensen, Anders Moller, and Michael I. Schwartzbach. Precise analysis of string expressions. In Proc. 10th International Static Analysis Symposium, SAS '03, volume 2694 of LNCS, pages 1-18. Springer-Verlag, 2003.
[3] D. E. Denning. A lattice model of secure information flow. Communications of the ACM, 19(5):236-243, 1976.
[4] Flemming Nielson, Hanne Riis Nielson, and Chris Hankin. Principles of Program Analysis. Springer, 2005.
[5] C. A. R. Hoare. An axiomatic basis for computer programming. Communications of the ACM, 12(10):576-580, 1969.
[6] Yao-Wen Huang, Fang Yu, Christian Hang, Chung-Hung Tsai, D. T. Lee, and Sy-Yen Kuo. Verifying web applications using bounded model checking. In DSN '04: Proceedings of the 2004 International Conference on Dependable Systems and Networks, pages 199-208. IEEE Computer Society, 2004.
[7] Yao-Wen Huang, Fang Yu, Christian Hang, Chung-Hung Tsai, Der-Tsai Lee, and Sy-Yen Kuo. Securing web application code by static analysis and runtime protection. In WWW '04: Proceedings of the 13th International Conference on World Wide Web, pages 40-52. ACM, 2004.
[8] Nenad Jovanovic, Christopher Kruegel, and Engin Kirda. Pixy: A static analysis tool for detecting web application vulnerabilities (short paper). In 2006 IEEE Symposium on Security and Privacy, pages 258-263. IEEE Computer Society, 2006.
[9] Nenad Jovanovic, Christopher Kruegel, and Engin Kirda. Precise alias analysis for static detection of web application vulnerabilities. In PLAS '06: Proceedings of the 2006 Workshop on Programming Languages and Analysis for Security, pages 27-36. ACM, 2006.
[10] David Melski and Thomas Reps. Interconvertibility of a class of set constraints and context-free language reachability. Theoretical Computer Science, 248(1-2):29-98, 2000.
[11] Yasuhiko Minamide. Static approximation of dynamically generated web pages. In WWW '05: Proceedings of the 14th International Conference on World Wide Web, pages 432-441. ACM, 2005.
[12] Mehryar Mohri and Richard Sproat. An efficient compiler for weighted rewrite rules. In Proceedings of the 34th Annual Meeting on Association for Computational Linguistics, pages 231-238. Association for Computational Linguistics, 1996.
[13] George C. Necula, Scott McPeak, S. P. Rahul, and Westley Weimer. CIL: Intermediate language and tools for analysis and transformation of C programs. In International Conference on Compiler Construction, pages 213-228, 2002.
[14] OCaml. OCaml programming language. http://caml.inria.fr/, 2008.
[15] OWASP. Common types of software vulnerabilities. http://www.owasp.org/index.php/Category:Vulnerability, 2008.
[16] OWASP. Top 10 2007. http://www.owasp.org/index.php/Top_10_2007, 2008.
[17] PHP. References explained. http://tw.php.net/manual/en/language.references.php.
[18] Emmanuel Roche and Yves Schabes. Finite-State Language Processing. MIT Press, 1997.
[19] B. K. Rosen, M. N. Wegman, and F. K. Zadeck. Global value numbers and redundant computations. In POPL '88: Proceedings of the 15th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 12-27. ACM, 1988.
[20] David Scott and Richard Sharp. Abstracting application-level web security. In Proceedings of the 11th International Conference on World Wide Web, pages 396-407, 2002.
[21] David Scott and Richard Sharp. Developing secure web applications. IEEE Internet Computing, 6(6):38-45, 2002.
[22] U. Shankar, K. Talwar, J. S. Foster, and D. Wagner. Detecting format string vulnerabilities with type qualifiers. In Proc. 10th USENIX Security Symposium, pages 201-220, 2002.
[23] TIOBE Software. TIOBE programming community index for December 2008. http://www.tiobe.com/index.php/content/paperinfo/tpci/index.html, 2008.
[24] R. E. Strom and S. A. Yemini. Typestate: a programming language concept for enhancing software reliability. IEEE Transactions on Software Engineering, 12(1):157-171, 1986.
[25] Zhendong Su and Gary Wassermann. The essence of command injection attacks in web applications. In POPL '06: Conference Record of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 372-382. ACM, 2006.
[26] Gary Wassermann and Zhendong Su. Sound and precise analysis of web applications for injection vulnerabilities. In PLDI '07: Proceedings of the 2007 ACM SIGPLAN Conference on Programming Language Design and Implementation, pages 32-41. ACM, 2007.
[27] Gary Wassermann and Zhendong Su. Static detection of cross-site scripting vulnerabilities. In ICSE '08: Proceedings of the 30th International Conference on Software Engineering, pages 171-180. ACM, 2008.
[28] Yichen Xie and Alex Aiken. Static detection of security vulnerabilities in scripting languages. In USENIX-SS '06: Proceedings of the 15th Conference on USENIX Security Symposium, pages 179-192. USENIX Association, 2006. | |
dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/42377 | - |
dc.description.abstract | In recent years the number and importance of Web applications have grown rapidly, and more and more services and business activities are carried out through Web applications. Web applications have therefore become natural targets for network attackers. Although many measures, such as firewalls and connection encryption, attempt to address this kind of problem, they cannot fix vulnerabilities in the Web application itself. According to OWASP statistics, there are currently many kinds of Web application vulnerabilities, and their number is still growing. Program analysis can be used to address such vulnerabilities; both static and dynamic analysis can detect and prevent them.
In this thesis we focus on static analysis, that is, analysing a program without executing it. We believe that eliminating vulnerabilities during the development stage is the more effective approach. To this end, we survey the static analysis algorithms for Web applications proposed in recent years and compare their strengths and weaknesses. These algorithms all target PHP Web applications, yet some issues have not been considered, such as alias analysis of PHP variable variables and the analysis of arrays with string indices. Static analysis that ignores these issues may produce false positives and false negatives. We design an algorithm to address these problems. Our tool first translates PHP source programs into an intermediate representation. We chose CIL as the intermediate language because CIL removes the semantically ambiguous parts of a program and helps us perform static analysis. Based on the language features of PHP, we propose a precise translation of PHP source code into CIL. In addition, we design data structures and auxiliary functions to keep the semantics precise. This translation not only represents PHP in CIL but also makes the type of every PHP variable explicit. On top of CIL we implement a taint dataflow analysis that handles PHP variable variables and arrays with string indices. Even when the index of a variable variable is a constant string, many current tools still produce false positives or false negatives. We analysed ten Web applications and found several Web application vulnerabilities arising from variable variables and arrays with string indices. | zh_TW |
dc.description.abstract | The number and importance of Web applications have grown rapidly in recent years, as more and more services and business activities are accomplished through these applications.
Consequently, Web applications have become the targets of security attacks. Although several mechanisms, such as firewalls and connection encryption, have been developed to solve the problem, they cannot eliminate Web application vulnerabilities because the vulnerabilities are inherent in Web application programs. According to statistics published by OWASP, there are many kinds of Web application vulnerabilities, and the number is growing continuously. Program analysis techniques can be used to solve these problems. Both static and dynamic approaches have been proposed to detect or prevent vulnerabilities. In this thesis, we focus on static analysis of programs, where the analysis is performed without actually executing the programs. We believe that eliminating vulnerabilities during the program development stage is a relatively cost-effective method. To this end, we review several recently proposed static analysis algorithms for Web applications and summarize their pros and cons. These approaches focus on the analysis of PHP Web applications; however, there are still some issues that have not been considered, e.g., alias analysis of PHP variable variables and arrays with string indices. Performing static analysis without considering these issues may generate false negatives or false positives. We design an algorithm to solve these problems and implement it in our static analyzer, which first translates PHP programs into an intermediate representation. We chose CIL as the intermediate language, which helped us perform program analysis by clarifying ambiguous constructs and removing redundant constructs. We review the language features of PHP and propose a precise semantic conversion to CIL. In addition, we devise some data structures and auxiliary functions to ensure that the semantics are as precise as possible. The conversion not only represents PHP in CIL, but also clarifies the type of each PHP variable.
We also implement a taint dataflow analysis on CIL that correctly handles the alias relationships of PHP variable variables and arrays with string indices. Many tools yield a false positive or false negative result even if a variable variable stores a constant string value. Through our analysis of ten Web applications, we found that some vulnerabilities are caused by variable variables and arrays with string indices. | en |
dc.description.provenance | Made available in DSpace on 2021-06-15T01:12:51Z (GMT). No. of bitstreams: 1 ntu-97-R96725006-1.pdf: 766355 bytes, checksum: 5b6fd370c1ed5eda14bdcd35dd3c45ce (MD5) Previous issue date: 2008 | en |
dc.description.tableofcontents | Contents
1 Introduction . . . . . 1
1.1 Background . . . . . 1
1.2 Motivation and Objectives . . . . . 2
1.3 Thesis Outline . . . . . 3
2 Related Work . . . . . 5
2.1 The WebSSARI System . . . . . 5
2.1.1 System Overview . . . . . 6
2.1.2 Type Based Approach . . . . . 6
2.1.3 Bounded Model Checking . . . . . 9
2.1.4 Discussion . . . . . 12
2.2 Alias Analysis in Pixy . . . . . 13
2.2.1 Aliases in PHP . . . . . 13
2.2.2 Analysis Overview . . . . . 14
2.2.3 Aliases between Global Variables . . . . . 15
2.2.4 Discussion . . . . . 16
2.3 Static String Analysis . . . . . 16
2.3.1 Static String Analysis Overview . . . . . 17
2.3.2 Discussion . . . . . 20
2.4 Vulnerabilities Detection by Static String Analysis . . . . . 21
2.4.1 Algorithm for Detecting Injection Vulnerabilities . . . . . 21
2.4.2 Algorithm for Detecting XSS Vulnerabilities . . . . . 24
2.4.3 Discussion . . . . . 24
2.5 Summary . . . . . 24
3 Preliminaries . . . . . 26
3.1 Web Application Security Vulnerabilities . . . . . 26
3.1.1 Cross Site Scripting Vulnerability (XSS) . . . . . 27
3.1.2 Injection Flaws Vulnerability . . . . . 29
3.1.3 Malicious File Execution Vulnerability . . . . . 30
3.2 Context-Free Grammars . . . . . 30
3.2.1 Formal Definition . . . . . 30
3.3 Regular Expressions . . . . . 31
3.3.1 Formal Definition . . . . . 32
3.4 Static Single Assignment Form . . . . . 33
4 Parsing and Static Analysis . . . . . 34
4.1 Parse PHP to CIL . . . . . 34
4.1.1 Conversion of PHP Variables . . . . . 34
4.1.2 Conversion of PHP Arrays . . . . . 35
4.1.3 Conversion of PHP Variable Variables and Variable Functions . . . . . 37
4.1.4 Conversion of Accessing and Assigning Variables . . . . . 39
4.1.5 Conversion of PHP Foreach Statement . . . . . 41
4.1.6 Conversion of PHP User-Defined Functions . . . . . 42
4.1.7 Conversion of PHP Built-In Functions . . . . . 43
4.1.8 Conversion of PHP Class Objects . . . . . 44
4.1.9 PHP Dynamic File Inclusion . . . . . 44
4.2 Analysis Algorithms . . . . . 45
4.2.1 Taint Dataflow Analysis . . . . . 46
4.2.2 Alias of PHP Variable Variables . . . . . 48
4.2.3 Analysis of Arrays with String Indices . . . . . 49
5 Implementation and Evaluation . . . . . 51
5.1 Implementation . . . . . 51
5.1.1 PHP Parser and File Inclusion Preprocessor . . . . . 52
5.1.2 The Converter of PHP AST to C AST . . . . . 52
5.1.3 Auxiliary Functions Written in C . . . . . 56
5.2 Evaluation . . . . . 56
6 Conclusion . . . . . 59
6.1 Contributions . . . . . 59
6.2 Future Work . . . . . 60
Bibliography . . . . . 62
Appendix . . . . . 66 | |
dc.language.iso | en | |
dc.title | A Static Analysis Tool for PHP Web Applications | zh_TW |
dc.title | A Static Analyzer for PHP Web Applications | en |
dc.type | Thesis | |
dc.date.schoolyear | 97-2 | |
dc.description.degree | Master | |
dc.contributor.oralexamcommittee | 莊庭瑞,陳恭 | |
dc.subject.keyword | Static Analysis, Dataflow Analysis, Web Applications, PHP Variable Variables, Security Vulnerabilities | zh_TW |
dc.subject.keyword | Static Analysis,Dataflow Analysis,Web Applications,PHP Variable Variables,Security Vulnerabilities,Verification, | en |
dc.relation.page | 69 | |
dc.rights.note | Licensed for a fee | |
dc.date.accepted | 2009-07-30 | |
dc.contributor.author-college | College of Management | zh_TW |
dc.contributor.author-dept | Graduate Institute of Information Management | zh_TW |
Appears in Collections: | Department of Information Management |
Files in This Item:
File | Size | Format |
---|---|---|
ntu-97-1.pdf (currently not authorized for public access) | 748.39 kB | Adobe PDF |
All items in the repository are protected by copyright, with all rights reserved, unless otherwise indicated.