Please use this Handle URI to cite this document: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/70866
Full metadata record
DC field: value [language]
dc.contributor.advisor: 蔡益坤 (Yih-Kuen Tsay)
dc.contributor.author: Yung-Jui Chang [en]
dc.contributor.author: 張永叡 [zh_TW]
dc.date.accessioned: 2021-06-17T04:41:36Z
dc.date.available: 2018-08-07
dc.date.copyright: 2018-08-07
dc.date.issued: 2018
dc.date.submitted: 2018-08-06
dc.identifier.uri: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/70866
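dc.description.abstract [zh_TW]: Now that people are thoroughly accustomed to online services and store much of their sensitive personal data in the cloud, the importance of Web application security goes without saying, and program analysis is a very effective way of ensuring that security. In the history of Web applications, JavaScript, invented in 1995, has become the most widely used and indispensable language for front-end pages. The arrival of Node.js in 2009 allowed back-end servers to be written in JavaScript as well, which pushed JavaScript usage even higher and made the analysis of JavaScript Web applications more important still. However, JavaScript's extremely dynamic nature makes program analysis considerably harder. If the method used is static program analysis, obtaining precise results is harder again, because the program is not actually executed during analysis. This thesis proposes a framework for analyzing JavaScript Web applications. We very much hope the proposed framework can be applied to real Web applications. In practice, a Web application usually contains both client-side and server-side code, and programmers may place some variable-checking functions on the client side rather than the server side, so code on either side may contain important information needed for program analysis. To obtain more precise results, our framework collects information from the code on both sides before analyzing. We currently use taint analysis as the analysis method in implementing the framework. The main capability of taint analysis is detecting Injection, ranked first among the top ten security risks published by OWASP in 2017. Finally, good expandability is also a key consideration in the framework's design. We spent a great deal of time discussing how to make extending the framework (for example, adding a new analysis method) go more smoothly. We look forward to this framework becoming a good foundation for building complete analysis tools in the future.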
dc.description.abstract [en]: The security of Web applications is very important because numerous people rely on services on the Web daily, storing their private personal data online for convenience. Automatic program analysis is a cost-effective way to secure Web applications. In Web application development, JavaScript has long been a widely used language for front-end Web pages. Since Node.js was created in 2009, JavaScript has become a server-side language as well. It is now feasible to build a Web application using only JavaScript. As the usage of JavaScript increases, so does the importance of analyzing JavaScript Web applications. However, JavaScript programs are very hard to analyze, especially with static program analysis, because of the dynamic nature of the language. In this thesis, we propose a framework for JavaScript Web application analysis. Making our framework practically usable is our ultimate goal. In real-world Web applications, client-side code and server-side code usually exist at the same time, and both may contain information vital for analysis. For example, an input sanitization function may be placed on the client side instead of the server side. If an analysis tool analyzes only the server-side program, false positives may occur. To reduce false positives, we try to collect as much information as we can. Currently, we select taint analysis to demonstrate how the proposed framework may be implemented. Taint analysis is an effective way of detecting 'Injection', which is first on the list of OWASP top 10 security risks in 2017. Good expandability is another emphasis of our framework. We design a structure that is easy to refine to accommodate other analysis methods. We hope this framework will be a good basis for more comprehensive Web application analysis tools.
dc.description.provenance [en]: Made available in DSpace on 2021-06-17T04:41:36Z (GMT). No. of bitstreams: 1. ntu-107-R05725018-1.pdf: 2127183 bytes, checksum: c5dee42abbbf83296b930be95c90a381 (MD5). Previous issue date: 2018
dc.description.tableofcontents:
1 Introduction
  1.1 Background
  1.2 Motivation and Objectives
  1.3 Thesis Outline
2 Preliminaries
  2.1 Web Applications Overview
  2.2 Common Web Application Vulnerabilities
    2.2.1 Injection
    2.2.2 Cross-Site Scripting (XSS)
    2.2.3 Broken Authentication
  2.3 Two Categories of Program Analysis
    2.3.1 Dynamic Program Analysis
    2.3.2 Static Program Analysis
  2.4 Features of JavaScript
    2.4.1 Dynamic Nature
    2.4.2 Dynamically typed
    2.4.3 Function
    2.4.4 Hoisting
    2.4.5 Scope
    2.4.6 Closure
    2.4.7 Inheritance
    2.4.8 Callback
  2.5 Node.js : What Enables Servers to Run JavaScript
3 Related Works
  3.1 Recent Overviews Of JavaScript Program Analyses
  3.2 Current Implementation of JavaScript Program Analysis
    3.2.1 A Dynamic Program Analysis Framework : Jalangi
    3.2.2 A Platform for Static Approaches : JSAI
  3.3 Another Work about Web Applications Analysis
4 Framework Introduction
  4.1 Overview
  4.2 Features
    4.2.1 Matching Functions of Client and Server
    4.2.2 Expandability
  4.3 Trust between Client and Server
5 Implementation and Tests
  5.1 Implementation Details
    5.1.1 Overall
    5.1.2 The Client-Side
    5.1.3 The Server-Side
  5.2 Tests
    5.2.1 The Web Application Code for Tests
    5.2.2 Test Results
6 Conclusion
  6.1 Contributions
  6.2 Limitations and Future Work
References
dc.language.iso: en
dc.subject: Injection [zh_TW]
dc.subject: JavaScript [zh_TW]
dc.subject: Program analysis [zh_TW]
dc.subject: Security risk [zh_TW]
dc.subject: Web applications [zh_TW]
dc.subject: Injection [en]
dc.subject: JavaScript [en]
dc.subject: Program analysis [en]
dc.subject: Security risk [en]
dc.subject: Web applications [en]
dc.title: 分析JavaScript網頁應用程式之框架 [zh_TW]
dc.title: A Framework for JavaScript Web Applications Analysis [en]
dc.type: Thesis
dc.date.schoolyear: 106-2
dc.description.degree: Master's
dc.contributor.oralexamcommittee: 郁方 (Fang Yu), 陳郁方 (Yu-Fang Chen)
dc.subject.keyword: Injection, JavaScript, Program analysis, Security risk, Web applications [zh_TW]
dc.subject.keyword: Injection, JavaScript, Program analysis, Security risk, Web applications [en]
dc.relation.page: 54
dc.identifier.doi: 10.6342/NTU201802555
dc.rights.note: Paid license
dc.date.accepted: 2018-08-06
dc.contributor.author-college: College of Management [zh_TW]
dc.contributor.author-dept: Graduate Institute of Information Management [zh_TW]
Appears in collections: Department of Information Management

Files in this item:
File: ntu-107-1.pdf (not authorized for public access)
Size: 2.08 MB
Format: Adobe PDF