一套整合的網路應用安全分析與驗證工具

Abstract

目前已有超過二十億人使用網際網路，加上社群網路的興起，許多人更將個人資料放置在網路上。以便於親朋好友的彼此互通資訊，因此，網 路應用程式的安全性也越來越重要了，必須保障使用者的個人資料不致外洩。學、業界已有許多技術與工具用來分析網站應用程式的安全性，這些 工具已經能辨別出多數的弱點，但仍然受到許多限制，造成誤報與漏報的不精準。 舉例來說，這些工具並沒有能力分析網路應用程式完整的資料流動，由於網路應用程式不只是在伺服器執行運算，同時也有部分程式會在瀏覽 器運算或顯示，因此若無法分析資料在伺服端與客戶端的流動關係的話，就將會造成分析的不精準狀況。常見網路技術AJAX 就是一個明顯例子， 由JavaScript 發送要求給伺服器，再將伺服器回傳的內容，經由運算處理過後，顯示結果給使用者看，這整個資料流動，若不同時分析伺服端程式 與客戶端程式，是無法有精準的分析的。 由於我們的分析著重於資料流分析，因此我們的目標弱點也以資料流產生的弱點為主，主要有兩項1.跨站腳本攻擊，和2.注入攻擊。同時這 兩項也是在OWASP 中列為目前網路安全最重要的兩項弱點，我們將會將整個網路應用轉化成CIL，這是一個C 的中介語言，在統一的語言平台下， 我們將可以對網站的資料流，進行完整的分析。

More than two billion people accessed the Internet in 2010. With the rise of social networks, more and more Internet users put their personal information on Web applications. Consequently, the importance of Web application security has greatly increased in recent years. There are many techniques and tools for detecting Web application security vulnerabilities, both in industry and in academia. Though they can identify almost all vulnerabilities, their analysis results still contain excessive false positives that need to be veri ed by human experts. This problem may be attributed to several factors. One of these factors is that current analyzers cannot analyze the data flow of a Web application completely. The main difficulty is that Web applications are multi-staged programs. The rst-stage programs are server-side programs which execute on the server-side and dynamically generate client-side programs. These client-side programs are second-stage programs which run on the user's browser and can interact with the users. Vulnerabilities may occur either on the client side or the server side. However, the client-side programs sometimes interact with the server, for example when using AJAX. Such data flows between the client and the server are usually not detected by current analyzers. In this thesis, we aim at analyzing the data flow of Web applications more completely. The major vulnerabilities that we focus on are Cross-Site Scripting and SQL Injection. They are the top two of the risks faced by businesses, according to the latest OWASP Top 10. Both of them are results from using tainted data without validation. To solve the problem of incomplete data flow analysis, we translate all the server-side and client-side programs into a one-language representation CIL (C Intermediate Language). We present an approach to simulating the actions of a Web application on the CIL representation. We then apply control flow analysis and data flow analysis on the representation. We show by experiments that our analyzer can cross the server and the client programs to provide more precise and complete analysis results.