Please use this Handle URI to cite this document: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/96706

Full metadata record

DC Field | Value | Language
dc.contributor.advisor | 王凡 | zh_TW
dc.contributor.advisor | Farn Wang | en
dc.contributor.author | 林俊逸 | zh_TW
dc.contributor.author | Chun-Yi Lin | en
dc.date.accessioned | 2025-02-21T16:11:19Z | -
dc.date.available | 2025-02-22 | -
dc.date.copyright | 2025-02-21 | -
dc.date.issued | 2025 | -
dc.date.submitted | 2025-01-22 | -
dc.identifier.citation | (language: -)
[1] OWASP Vaibhav Malik, “Insecure Deserialization”, https://owasp.org/www-community/vulnerabilities/Insecure_Deserialization.
[2] Sunnyeo Park and Daejun Kim, KAIST, “FUGIO: Automatic Exploit Generation for PHP Object Injection Vulnerabilities”, in Proceedings of the 31st USENIX Security Symposium, 2022.
[3] Johannes Dahse, Nikola Krein, and Thorsten Holz, “Code reuse attacks in PHP: Automated POP chain generation”, in Proceedings of the ACM Conference on Computer and Communications Security, 2014.
[4] nikic, “PHP Parser”, https://github.com/nikic/PHP-Parser
[5] ambionics, “PHPGGC: PHP Generic Gadget Chains”, https://github.com/ambionics/phpggc/tree/master
[6] W3Techs, “Usage Statistics and Market Share of PHP for Websites”, December 2024, https://w3techs.com/technologies/details/pl-php
[7] PHP manual, “Predefined constants”, https://www.php.net/manual/en/reserved.constants.php#constant.php-os
dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/96706 | -
dc.description.abstract | This study proposes ChainChecker, a new tool that automatically finds PHP property-oriented programming chains. The tool implements a symbolic execution engine to extract constraints and uses Z3 and ChatGPT to solve them. Analysis of the experimental results shows that ChainChecker achieves considerably high precision compared with the latest tool, FUGIO, and greatly improves execution time. We also found that ChatGPT and Z3 both perform well at solving constraints; taking into account the time required for modeling, ChatGPT can be considered as a replacement for Z3 in application scenarios with relatively few conditions, such as finding PHP POP chains. | zh_TW
dc.description.abstract | This study presents a new tool, ChainChecker, for discovering PHP property-oriented programming chains. This tool implements a symbolic execution engine to extract constraints and uses Z3 and ChatGPT to solve the constraints. After analyzing the experimental results, ChainChecker demonstrates a relatively high level of accuracy compared to the latest tool, FUGIO, and significantly improves execution time. We also found that both ChatGPT and Z3 perform well in solving constraints. Considering the time required for modeling, we can consider ChatGPT as an alternative to Z3 in a scenario with relatively fewer constraints, such as finding PHP property-oriented programming chains. | en
dc.description.provenance | Submitted by admin ntu (admin@lib.ntu.edu.tw) on 2025-02-21T16:11:19Z. No. of bitstreams: 0 | en
dc.description.provenance | Made available in DSpace on 2025-02-21T16:11:19Z (GMT). No. of bitstreams: 0 | en
dc.description.tableofcontents | (language: -)
Oral Examination Committee Certification #
Acknowledgements i
Chinese Abstract ii
ABSTRACT iii
CONTENTS iv
LIST OF FIGURES vii
LIST OF TABLES viii
Chapter 1 Introduction 1
1.1 Serialization and Deserialization 1
1.2 Insecure Deserialization in PHP 1
1.3 Manual Way to Find POP Chain 2
Step 1. Enumerate a possible chain 2
Step 2. Simulate the PHP Execution Process of possible POP Chain 2
Step 3. Check if Chain is exploitable 2
1.4 Motivation 3
1.5 Research Question 3
Chapter 2 Related Work 4
Chapter 3 Methodology 5
3.1 Preprocessor 5
3.1.1 PHP Parser 5
3.1.2 Noder 6
3.1.3 Searcher 6
3.2 Symbolic Execution Engine 6
3.2.1 ChainChecker 6
3.3 Constraint Solver 9
3.3.1 Z3 Solver 9
3.3.2 ChatGPT Solver 9
Chapter 4 Experiment 11
4.1 Dataset 11
4.2 Hyperparameter 11
4.3 Environment 12
Chapter 5 Experiment Result 13
5.1 Trueness and Precision Analysis 13
5.1.1 Trueness Analysis 13
5.1.2 Precision Analysis 13
5.2 Comparison to FUGIO 14
5.2.1 Performance 15
5.2.2 Coverage 16
Chapter 6 Discussion 19
6.1 Comparison across ChainChecker and FUGIO 19
6.2 Adaptability and Environment-Independent 19
6.3 Comparison across SMT Solver and LLM Solver 20
Chapter 7 Conclusion 21
Chapter 8 Limitation and Future Research 22
Chapter 9 Appendix 23
9.1 Entry functions of PHP deserialization 23
9.2 Dangerous functions 23
REFERENCE 24
dc.language.iso | en | -
dc.title | PHP 屬性導向編程鏈自動化檢測機 | zh_TW
dc.title | ChainChecker: Automatic Checker for PHP Property-Oriented Programming Chain | en
dc.type | Thesis | -
dc.date.schoolyear | 113-1 | -
dc.description.degree | Master's | -
dc.contributor.oralexamcommittee | 江介宏;雷欽隆;蕭旭君;陳郁方 | zh_TW
dc.contributor.oralexamcommittee | Jie-Hong Jiang; Chin-Laung Lei; Hsu-Chun Hsiao; Yu-Fang Chen | en
dc.subject.keyword | Automation, Property-Oriented Programming Chain, PHP, Symbolic Execution Engine, Z3, ChatGPT | zh_TW
dc.subject.keyword | Automation, Property-Oriented Programming Chain, Symbolic Execution Engine, PHP, Z3, ChatGPT | en
dc.relation.page | 24 | -
dc.identifier.doi | 10.6342/NTU202500231 | -
dc.rights.note | Not authorized | -
dc.date.accepted | 2025-01-23 | -
dc.contributor.author-college | College of Electrical Engineering and Computer Science | -
dc.contributor.author-dept | Department of Electrical Engineering | -
dc.date.embargo-lift | N/A | -
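Appears in Collections: Department of Electrical Engineering

Files in This Item:
File | Size | Format
ntu-113-1.pdf (not currently authorized for public access) | 877.63 kB | Adobe PDF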