Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/49266
Full metadata record
DC field | Value | Language |
---|---|---|
dc.contributor.advisor | 蔡益坤(Yih-Kuen Tsay) | |
dc.contributor.author | Hung-Wei Hsu | en |
dc.contributor.author | 許宏瑋 | zh_TW |
dc.date.accessioned | 2021-06-15T11:21:25Z | - |
dc.date.available | 2018-09-13 | |
dc.date.copyright | 2016-09-13 | |
dc.date.issued | 2016 | |
dc.date.submitted | 2016-08-18 | |
dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/49266 | - |
dc.description.abstract | Because of its importance, Web application security has been studied extensively over the past two decades. Program analysis is one means of strengthening Web application security. Although many program analysis techniques have been proposed and discussed, the question of how to effectively and incrementally obtain and compose the analysis results of program fragments in a modular way, so as to complete a more comprehensive analysis, still leaves much worth exploring. In this thesis we refer to this concern as the "modular analysis" issue. Knowing how to realize modular program analysis well is a critical part of building analyzers with greater analytical power or efficiency and of designing analysis methods whose results can be effectively reused. Since modular analysis has received little attention in the Web application security analysis methods proposed so far, we consider how to modify or redesign these methods to strengthen the modularity of their analysis and thereby develop more capable analysis techniques. We want to design an analysis framework that guides and regulates this exploration so that it proceeds systematically and yields results that extend well. To reach this goal, the framework itself must also be generic and extensible.
In this thesis we propose an analysis framework that supports multiple languages and hybrid dynamic/static analysis. It can be used to regulate and organize the implementations of many different dynamic and static analysis techniques, and to integrate analysis methods developed for different programming languages. We believe that building on this design meets our expectations for generality and extensibility. By constructing a prototype analysis tool under the framework's rules, we validate the effect of applying the framework. Taking a recently proposed taint analysis method for PHP Web application security as the reference, we show that, after modification and implementation guided by the framework, the modified method achieves better precision and analysis modularity than the original on the problem of call targets that are hard to determine in static analysis. Implementing other known analysis methods, and modifying and experimenting with them to develop more modular and more capable analysis techniques, becomes easier within the framework's environment. | zh_TW |
dc.description.abstract | Because of its importance, Web application security has been researched for over twenty years. Code analysis is one of the approaches to enhance Web application security. Among all the code analysis methods, there is a very valuable part to be improved: the techniques to effectively compose known analysis results of code segments into an informative analysis summary for a larger code segment. In this thesis, we refer to this concern as the analysis modularity issue. The knowledge of analysis modularity plays an important role when one wants the outputs of his analysis routines to be reusable or wants to build a smarter code analyzer with better performance. Since most of the code analysis approaches targeting Web application security do not address the analysis modularity issue, we investigate how to redesign the approaches to improve their level of analysis modularity. We aim at a framework to make the investigations systematic and the outcomes of them sustainable and extendable. To match the goal, the framework itself should also be generic and extendable.
In this thesis, we propose a design of a multi-language, hybrid approach framework that can be used to organize the implementations of both static and dynamic analysis techniques, supporting the analyses that cross different dynamic languages. We believe that it fulfills our requirements. We have implemented a prototype that demonstrates some advantages of our design. By taking the latest summary-based security taint analysis approach for PHP Web applications as an example, we show that after being included into our framework and properly adapted, the approach provides better precision and analysis modularity on handling the unknown call site problem. Implementing other kinds of analyses and experimenting on them to find ways to improve analysis modularity and performance can be made easier based on our framework. | en |
dc.description.provenance | Made available in DSpace on 2021-06-15T11:21:25Z (GMT). No. of bitstreams: 1 ntu-105-R02725048-1.pdf: 910720 bytes, checksum: e84f263c5bc63ffe682e2dc059e7ee4f (MD5) Previous issue date: 2016 | en |
dc.description.tableofcontents | Contents: 1 Introduction; 1.1 Background; 1.2 Motivation and Objectives; 1.3 Thesis Outline; 2 Preliminaries; 2.1 Web Applications Overview; 2.2 Same-origin Policy; 2.2.1 Policy Overview; 2.2.2 Workarounds Taken Before; 2.3 Common Web Application Vulnerabilities; 2.3.1 Injection; 2.3.2 Cross-site Scripting (XSS); 2.4 Vulnerability Mitigation Approaches; 2.4.1 Program Analysis; 2.5 Static Single Assignment Form (SSA); 3 Related Works; 3.1 Inspiring Works for Our Framework Design; 3.1.1 A Discussion on Supporting Summary-based Analyses; 3.1.2 A Symbolic Execution Framework for JavaScript; 3.2 Summary-based Security Analysis in PHP; 3.2.1 A Static Approach by Xie and Aiken; 4 A Multi-language Analysis Framework; 4.1 Common Features in Scripting Languages; 4.2 Common Components of Scripting Language Analyzers; 4.3 Construct the Multi-language Analysis Environment; 5 Implementation and Evaluation; 5.1 The Unknown Call Site Problem; 5.2 Our Approach and Implementation; 5.3 Evaluation; 5.4 Some More Details of Our Implementation; 6 Conclusion; 6.1 Contributions; 6.2 Future Work; Appendices; A Other Evaluation Constructs; References | |
dc.language.iso | en | |
dc.title | A Framework Designed for Analyzing Dynamic Web Applications | zh_TW |
dc.title | A Framework for Dynamic Web Application Code Analysis | en |
dc.type | Thesis | |
dc.date.schoolyear | 104-2 | |
dc.description.degree | Master | |
dc.contributor.oralexamcommittee | 陳恭(Kung Chen),王柏堯(Bow-Yaw Wang) | |
dc.subject.keyword | Analysis Modularity, Code Analysis Tool, Dynamic Analysis, Framework, Modular Analysis, Scripting Language, Security Vulnerability, Static Analysis, Web Application Security Analysis | zh_TW |
dc.subject.keyword | Analysis Modularity,Code Analyzer,Dynamic Analysis,Framework,Modular Analysis,Scripting Language,Security Vulnerability,Static Analysis,Web Application Security, | en |
dc.relation.page | 65 | |
dc.identifier.doi | 10.6342/NTU201603383 | |
dc.rights.note | Licensed for a fee | |
dc.date.accepted | 2016-08-19 | |
dc.contributor.author-college | College of Management | zh_TW |
dc.contributor.author-dept | Graduate Institute of Information Management | zh_TW |
Appears in collections: | Department of Information Management |
Files in this item:
File | Size | Format | |
---|---|---|---|
ntu-105-1.pdf (currently not authorized for public access) | 889.38 kB | Adobe PDF |
Items in the system are protected by copyright, with all rights reserved, unless otherwise indicated.