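Author: 盧芊慧
Author (English): Lu, Chian-Huey
Thesis title (Chinese): 跨網頁語言平台之SQL Injection攻擊產生系統
Thesis title (English): Web Platform Independent SQL injection Attack Generation
Advisor: 黃世昆
Advisor (English): Huang, Shih-Kun
Committee members: 許富皓; 吳育松
Committee members (English): Hsu, Fu-Hau; Wu, Yu-Sung
Degree: Master's
Institution: National Chiao Tung University
Department: Institute of Computer Science and Engineering
Student ID: 0156019
Year of publication (ROC calendar): 103
Academic year of graduation: 102
Language: Chinese
Number of pages: 29
Keywords (Chinese): 網頁安全 (web security); 符號執行 (symbolic execution); 自動化脅迫產生 (automatic exploit generation)
Keywords (English): web security; symbolic execution; automatic exploit generation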
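Today the Internet has become an indispensable communication medium in daily life, and people access and browse all kinds of information through web applications. However, oversights by developers result in vulnerabilities that may affect security; attackers can use these vulnerabilities to gain privileges and to access or destroy data illegally.
The method we propose is a SQL injection attack system that is independent of the web language platform. It has been integrated into the earlier CRAXweb web attack platform and can automatically generate exploit data for a target web application, achieving the effect of a penetration test. The system is built on the S2E symbolic execution environment: a web crawler first obtains the page URLs of the target web application, symbolic variables are then inserted into the HTTP requests, and the requests are sent to a server on which a symbolic data detector is deployed. During symbolic execution we use single-path concolic execution to obtain the path constraints, which improves performance, and generate exploits from them. We have tested open source web applications written in several web languages, including PHP, Perl, C/C++ and Python, and have successfully generated the corresponding attack strings or detected the vulnerabilities.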
The Internet has become an important communication medium in our daily lives. Most of us access information and save our personal private data in databases through web applications. However, because web programmers neglect secure programming practices, hackers may be able to access or destroy data through potential web vulnerabilities.
We developed a web-platform-independent SQL injection attack generation method to improve our former web attack framework, CRAXweb. The system automatically generates exploits for the target web application and thereby acts as a penetration test. CRAXweb is based on S2E, a symbolic execution platform. We collect the URLs of the target web application with a web crawler and send HTTP requests containing symbolic variables to the symbolic sensor embedded in the server. To improve the efficiency of symbolic execution, we adopt the single-path concolic execution mode to collect path constraints and generate the exploit. We have applied this method to several known vulnerabilities in open source web applications. The results show that CRAXweb is a practical exploit generation tool supporting different web platforms, including PHP, C/C++, Perl, and Python.
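Abstract
Acknowledgements
Table of Contents
List of Tables
List of Figures
Chapter 1 Introduction
1-1 Research Motivation
1-2 Research Objectives
1-3 Thesis Outline
Chapter 2 Background
2-1 Symbolic Execution
2-2 Concolic Execution
2-3 Single-Path Concolic Execution
2-4 Symbolic Environment
2-5 Top Ten Web Security Vulnerabilities
2-5-1 Injection Attacks
Chapter 3 Methodology
3-1 System Architecture
3-1-1 AutoCRAX Architecture
3-2 Symbolic Data Sender and Detector
3-3 Exploit Generator
Chapter 4 Experimental Results and Analysis
4-1 Experimental Environment Setup
4-2 Exploit Generation Results
Chapter 5 Related Work
5-1 Systems for Automatically Generating Web Application Attacks
5-1-1 Using Symbolic Execution Engines
5-1-2 Using Other Methods
5-2 Comparison
Chapter 6 Conclusion and Future Work
6-1 Conclusion
6-2 Future Work
References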