Thesis (degree dissertation)

Chinese title: 網頁程式弱點檢測之動態與靜態演算法

English title: Dynamic and Static Methods for Identifying Web Application Vulnerabilities

Advisor: 郭斯彥 (Sy-Yen Kuo)

Abstract (Chinese, translated)

Web application security has long been one of the main concerns of users asked to trust online transaction sites of every kind, and the many serious security incidents recently caused by Web application vulnerabilities have brought even more attention to the issue. In software engineering, developers and quality-assurance staff can draw on two mature, well-researched methods, dynamic analysis and static analysis, to improve software quality. In recent years dynamic analysis has achieved initial success in some commercial settings, while static analysis has been shown to detect vulnerabilities in C programs. This thesis discusses how to apply dynamic and static analysis methods to Web applications. Script injection (e.g., SQL injection) and cross-site scripting (XSS) are the two most common Web application vulnerabilities; this thesis formalizes both as information flow security problems and, for these problems, proposes two tools, WAVES (Web Application Vulnerability and Error Scanner) and WebSSARI (Web Application Security via Static Analysis and Runtime Inspection). Both adopt dynamic and static analysis methods; WAVES targets script injection and cross-site scripting, while WebSSARI covers Web application security issues in general. Finally, the thesis presents experimental results from applying WAVES and WebSSARI to real-world, deployed Web sites, demonstrating the tools' effectiveness and suggesting future research directions for the field.

Abstract (English)

Web application security remains a major roadblock to universal acceptance of the Web for many kinds of online transactions, especially since the recent sharp increase in remotely exploitable vulnerabilities has been attributed to Web application bugs. In software engineering, dynamic and static analysis are two types of established and well-researched methods for improving software quality. Recently, dynamic analysis has shown some initial success in commercial use, and static analysis methods have also shown success in discovering vulnerabilities in C programs. In this thesis we shall discuss how to apply dynamic and static algorithms to Web applications and improve their security attributes. Two of the most common Web application vulnerabilities known to date are script injection, e.g., SQL injection, and cross-site scripting (XSS). We will formalize these vulnerabilities as problems related to information flow security, a conventional topic in security research. Using this formalization, we then present two main lines of our research, WAVES (Web Application Vulnerability and Error Scanner) and WebSSARI (Web Application Security via Static Analysis and Runtime Inspection), which respectively utilize dynamic and static methods to deal in particular with script injection and XSS, and address in general the Web application security problem. Finally we will present some results obtained by applying these tools to real-world Web applications that are in use today, and provide our views regarding this area's future research directions.

Keywords (English)

WAVES, WebSSARI
