  • Thesis

一個分析網站應用安全之整合環境

An Integrated Environment for Analyzing Web Application Security

Advisor: 蔡益坤 (Yih-Kuen Tsay)

Abstract


In recent years Web application services have grown rapidly; more and more important personal data and transactions are handled through Web services, and Web application security has become increasingly important. Academia and industry offer many techniques and tools that help Web application developers detect security vulnerabilities such as Cross-Site Scripting (XSS) and SQL Injection. By over-approximation, these tools identify almost all vulnerabilities with few misses, but at the same time they report spurious vulnerabilities (false positives), and each false positive must be re-examined by hand, which costs a great deal of effort and time.

In this thesis we address, for Cross-Site Scripting and SQL Injection, the false positives that stem from incomplete dataflow analysis. For a Web application, dataflow analysis is incomplete for three reasons: (1) the analysis does not cross from the server-side programming language into the client-side one; (2) the analysis does not cross the database; and (3) the analysis does not take the system configuration files into account.

To remedy incomplete dataflow analysis, we translate the Web application's server-side programs, client-side programs, database and configuration files into an integrated environment in a single language, namely CIL. CIL comes with many static analysis modules, for example a control-flow analysis module and a dataflow analysis module, so once the website has been translated into CIL code we can use the analysis modules CIL provides. To build the CIL-based integrated environment, we extract the client-side code from the server-side code and translate the server-side and client-side code into CIL separately; we translate the database into a CIL data structure that simulates the database's storage behaviour; further, we translate the configuration files into constraints on dataflow in CIL; and finally we combine the CIL elements translated from each part of the website into a single CIL program. Analyzing this CIL program yields a more complete dataflow and thereby reduces the false positives caused by incomplete dataflow analysis.

Abstract (English)


Web application security has become more and more important in recent years. Industry offers several analysis techniques and tools that help Web application developers detect a variety of security vulnerabilities, such as Cross-Site Scripting and SQL Injection, and academia has proposed several static analysis techniques and tools for Web application security as well. By over-approximation, these techniques and tools can identify almost all security vulnerabilities, but they produce excessive numbers of false positives. This is a serious problem, because code reviewers have to remove the false positives manually, which is very time-consuming.

In this thesis we focus on reducing the false positives that result from incomplete dataflow analysis for two kinds of vulnerabilities, Cross-Site Scripting and SQL Injection. The main cause of incomplete dataflow analysis is that client-side programs, including client-side scripts and HTML code, are dynamically generated by server-side programs, and current analysis techniques and tools do not trace dataflows across the boundary between server-side and client-side programs. Moreover, they do not trace dataflows across the database and do not take configuration files into consideration.

To solve these problems, we propose translating the server-side programs, client-side programs, database and configuration files of a Web application into a one-language representation, namely CIL (C Intermediate Language). CIL comes with a library of analysis modules for C programs that we can leverage to perform different kinds of program analyses, including control flow analysis and dataflow analysis. We extract a client-side program for each webpage by static analysis and invoke it when the corresponding server-side program executes. Besides, we maintain structures in CIL that simulate the database and the HTML DOM. Finally, we define the entry points of the Web application according to its configuration files. By analyzing the comprehensive suite of CIL programs translated from a website, we can identify Web application security vulnerabilities more precisely, and therefore solve the problem of false positives that come from incomplete dataflow analysis.
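To make the dataflow-across-the-database point of both abstracts concrete, here is an added toy example, not code from the thesis or its CIL translation: a sink-kind-aware taint analysis over a small constructed intermediate representation, comparing a per-script analysis that stops at the database (so every database read is over-approximated as tainted) with an integrated analysis that computes the taint of each column as a fixpoint over all scripts. The IR, the four scripts and the table and column names are constructed for this example; the thesis models the database as a CIL data structure instead.

```python
"""
Toy taint analysis over a tiny intermediate representation (IR), contrasting
a per-script analysis that stops at the database boundary with an integrated
analysis that follows dataflow through the database. Constructed example in
the spirit of the thesis described above; not the thesis's code or CIL.
"""

SINK_KINDS = frozenset({"sql", "html"})   # the two vulnerability classes
NONE = frozenset()

# IR statements (constructed for this example):
#   ("source", dst)                  dst receives untrusted input (e.g. a GET parameter)
#   ("sanitize", dst, src, kind)     dst = src escaped for one sink kind only
#   ("assign", dst, src)
#   ("db_store", table, column, src)
#   ("db_load", dst, table, column)
#   ("sink", kind, src)              kind is "sql" or "html"


def analyze_script(name, stmts, column_taint, integrated):
    """Forward taint propagation over one script.

    taint maps a variable to the set of sink kinds it is still dangerous for.
    Returns (findings, stored): findings are (script, kind, var) triples for
    tainted values reaching a sink; stored maps (table, column) to the kinds
    of taint this script writes into that column.
    """
    taint, stored, findings = {}, {}, []
    for st in stmts:
        op = st[0]
        if op == "source":
            taint[st[1]] = SINK_KINDS
        elif op == "sanitize":
            # escaping for HTML does not make a value safe for SQL, and vice versa
            taint[st[1]] = taint.get(st[2], NONE) - {st[3]}
        elif op == "assign":
            taint[st[1]] = taint.get(st[2], NONE)
        elif op == "db_store":
            key = (st[1], st[2])
            stored[key] = stored.get(key, NONE) | taint.get(st[3], NONE)
        elif op == "db_load":
            key = (st[2], st[3])
            if integrated:
                # a column carries whatever taint any writer stored into it
                taint[st[1]] = column_taint.get(key, NONE)
            else:
                # boundary-stopping analysis: every DB read is assumed tainted
                taint[st[1]] = SINK_KINDS
        elif op == "sink":
            if st[1] in taint.get(st[2], NONE):
                findings.append((name, st[1], st[2]))
    return findings, stored


def analyze_app(app, integrated):
    """Analyze every script. With integrated=True, first compute column taint
    as a fixpoint over all scripts, since a value loaded from one column may
    be stored into another."""
    column_taint = {}
    if integrated:
        while True:
            new = dict(column_taint)
            for name, stmts in app.items():
                _, stored = analyze_script(name, stmts, column_taint, True)
                for key, kinds in stored.items():
                    new[key] = new.get(key, NONE) | kinds
            if new == column_taint:
                break
            column_taint = new
    findings = []
    for name, stmts in app.items():
        found, _ = analyze_script(name, stmts, column_taint, integrated)
        findings.extend(found)
    return sorted(findings)


def false_positives(app):
    """Findings reported by the boundary-stopping analysis but not by the
    integrated one, i.e. false positives due to incomplete dataflow."""
    return sorted(set(analyze_app(app, False)) - set(analyze_app(app, True)))


# Constructed four-script application. post.php HTML-escapes a comment before
# storing it; show.php both renders it and (unsafely) interpolates it into SQL;
# profile.php stores a raw nickname that admin.php echoes and queries with.
APP = {
    "post.php": [
        ("source", "comment"),
        ("sanitize", "safe_comment", "comment", "html"),
        ("db_store", "comments", "body", "safe_comment"),
    ],
    "show.php": [
        ("db_load", "row", "comments", "body"),
        ("sink", "html", "row"),   # safe: only HTML-escaped data reaches this column
        ("sink", "sql", "row"),    # real SQL injection: HTML escaping is not SQL escaping
    ],
    "profile.php": [
        ("source", "nick"),
        ("db_store", "users", "nick", "nick"),
    ],
    "admin.php": [
        ("db_load", "n", "users", "nick"),
        ("sink", "html", "n"),     # real stored XSS
        ("sink", "sql", "n"),      # real SQL injection
    ],
}

if __name__ == "__main__":
    print("boundary-stopping:", analyze_app(APP, integrated=False))
    print("integrated:       ", analyze_app(APP, integrated=True))
    print("false positives:  ", false_positives(APP))
```

Running it shows the boundary-stopping analysis reporting four findings and the integrated one three. The difference is the HTML sink in show.php, a false positive of exactly the kind the thesis targets: the only writer of comments.body escapes for HTML first. The SQL sink in show.php stays a true finding under both analyses, because escaping for HTML does nothing against SQL injection, which is why taint is tracked per sink kind rather than as a single bit.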

