Please use this Handle URI to cite this item: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/66723

Full metadata record
DC field: value (language)
dc.contributor.advisor: 蔡益坤
dc.contributor.author: Jen-Feng Shih (en)
dc.contributor.author: 施任峰 (zh_TW)
dc.date.accessioned: 2021-06-17T00:53:37Z
dc.date.available: 2012-01-17
dc.date.copyright: 2012-01-17
dc.date.issued: 2011
dc.date.submitted: 2011-10-14
dc.identifier.uri: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/66723
dc.description.abstract (zh_TW, translated): More than two billion people now use the Internet, and with the rise of social networks many of them place their personal data online so that family and friends can share information with each other. The security of Web applications has therefore become increasingly important: users' personal data must be protected from leaking. Academia and industry already have many techniques and tools for analyzing the security of Web applications. These tools can identify most vulnerabilities, but they remain subject to many limitations, which leads to imprecision in the form of false positives and false negatives.
For example, these tools are unable to analyze the complete data flow of a Web application. A Web application does not only perform computation on the server; part of the program also runs or is rendered in the browser. If the flow of data between the server side and the client side cannot be analyzed, the analysis will be imprecise. The common Web technology AJAX is a clear example: JavaScript sends a request to the server, the content returned by the server is processed, and the result is displayed to the user. This entire data flow cannot be analyzed precisely unless the server-side and client-side programs are analyzed together.
Since our analysis focuses on data flow analysis, our target vulnerabilities are mainly those that arise from data flow, chiefly two: 1. cross-site scripting and 2. injection attacks. These two are also listed by OWASP as the two most important current Web security vulnerabilities. We translate the entire Web application into CIL, a C intermediate language; on this unified language platform we can then perform a complete analysis of the Web site's data flow.
dc.description.abstract (en): More than two billion people accessed the Internet in 2010. With the rise of social networks, more and more Internet users put their personal information on Web applications. Consequently, the importance of Web application security has greatly increased in recent years. There are many techniques and tools for detecting Web application security vulnerabilities, both in industry and in academia. Though they can identify almost all vulnerabilities, their analysis results still contain excessive false positives that need to be verified by human experts.
This problem may be attributed to several factors. One of them is that current analyzers cannot analyze the data flow of a Web application completely. The main difficulty is that Web applications are multi-staged programs. The first-stage programs are server-side programs, which execute on the server and dynamically generate client-side programs. These client-side programs are second-stage programs, which run in the user's browser and can interact with the user. Vulnerabilities may occur on either the client side or the server side. Moreover, the client-side programs sometimes interact with the server, for example when using AJAX. Such data flows between the client and the server are usually not tracked by current analyzers. In this thesis, we aim at analyzing the data flow of Web applications more completely.
The major vulnerabilities that we focus on are Cross-Site Scripting and SQL Injection. They are the top two risks faced by businesses, according to the latest OWASP Top 10. Both result from using tainted data without validation. To solve the problem of incomplete data flow analysis, we translate all the server-side and client-side programs into a single-language representation, CIL (C Intermediate Language). We present an approach to simulating the actions of a Web application on the CIL representation. We then apply control flow analysis and data flow analysis to the representation. We show by experiments that our analyzer can follow data flows across the server and client programs and thereby provide more precise and complete analysis results.
dc.description.provenance (en): Made available in DSpace on 2021-06-17T00:53:37Z (GMT). No. of bitstreams: 1
ntu-100-R98725050-1.pdf: 5430872 bytes, checksum: 406797a0dc7b825dbed00d4e166d0f13 (MD5)
Previous issue date: 2011
dc.description.tableofcontents:
1 Introduction, p. 1
1.1 Background, p. 1
1.2 Motivation, p. 2
1.2.1 Event Sequence Generation, p. 2
1.2.2 Motivating Example of Event Sequence Generation, p. 2
1.2.3 Incomplete Data Flow Analysis, p. 3
1.2.4 Motivating Example of Incomplete Data Flow Analysis, p. 6
1.3 Objectives, p. 10
2 Preliminaries, p. 12
2.1 Web Application Scripting, p. 13
2.1.1 Server-Side Scripting, p. 13
2.1.2 Client-Side Scripting, p. 14
2.2 Critical Web Security Vulnerabilities, p. 15
2.2.1 Injection, p. 15
2.2.2 Cross-Site Scripting (XSS), p. 17
2.3 Analysis Approaches, p. 18
2.3.1 Static Program Analysis, p. 18
2.3.2 Dynamic Program Analysis, p. 19
2.3.3 Summary, p. 19
3 Related Work, p. 20
3.1 Analysis Tools for Web Applications, p. 21
3.1.1 Pixy: An Open Source Static Analysis Tool, p. 21
3.1.2 Saner: Composing Static and Dynamic Analysis, p. 22
3.1.3 Stranger: An Automata-Based PHP String Analysis Tool, p. 23
3.1.4 Summary of Related Tools, p. 24
3.2 Static Analysis for Multi-Module Applications, p. 25
3.2.1 Multi-Module Vulnerability Analysis of Web-based Applications, p. 25
3.2.2 Using Static Analysis for Ajax Intrusion Detection, p. 26
3.2.3 Static Analysis of Multi-Staged Programs via Unstaging Translation, p. 27
3.2.4 Summary of Static Analysis for Multi-Module Applications, p. 28
3.3 CANTU: Analyzer by Tai et al., p. 29
3.3.1 A Static Analyzer for PHP, p. 30
3.3.2 An Integrated Environment for Analyzing Web Application Security, p. 31
3.3.3 Automatic Generation of Penetration Test Cases for Web Applications, p. 31
3.3.4 Summary of CANTU, p. 33
4 Complete Analysis, p. 34
4.1 Overview, p. 34
4.2 Event Sequence Generation, p. 37
4.3 Inter-Page Analysis, p. 40
4.3.1 File Inclusion, p. 41
4.3.2 AJAX, p. 43
4.3.3 Page Summary, p. 45
5 Implementation and Experiments, p. 53
5.1 Implementation, p. 53
5.2 Experimental Results, p. 54
6 Conclusion, p. 56
6.1 Contributions, p. 56
6.2 Further Work, p. 57
Bibliography, p. 61
Appendix, p. 62
dc.language.iso: en
dc.subject: 資料流分析 (zh_TW)
dc.subject: 靜態分析 (zh_TW)
dc.subject: 網站應用安全 (zh_TW)
dc.subject: 驗證 (zh_TW)
dc.subject: Data Flow Analysis (en)
dc.subject: Static Analysis (en)
dc.subject: Security Vulnerability (en)
dc.title: 一套整合的網路應用安全分析與驗證工具 (zh_TW)
dc.title: An Integrated Analyzer for Verifying Web Application Security (en)
dc.type: Thesis
dc.date.schoolyear: 100-1
dc.description.degree: 碩士 (Master's)
dc.contributor.oralexamcommittee: 陳恭, 查士朝
dc.subject.keyword: 資料流分析, 靜態分析, 網站應用安全, 驗證 (zh_TW)
dc.subject.keyword: Data Flow Analysis, Static Analysis, Security Vulnerability (en)
dc.relation.page: 63
dc.rights.note: 有償授權 (licensed for a fee)
dc.date.accepted: 2011-10-17
dc.contributor.author-college: 管理學院 (College of Management) (zh_TW)
dc.contributor.author-dept: 資訊管理學研究所 (Graduate Institute of Information Management) (zh_TW)
Appears in collections: 資訊管理學系 (Department of Information Management)

Files in this item:
File: ntu-100-1.pdf (not authorized for public access), 5.3 MB, Adobe PDF