Detailed record
Author: 施筱瑜
Author (English): Shih, Hsiao-Yu
Title (Chinese): 多樣化 Web 程式攻擊生成方法
Title (English): A Generic Web Application Attack Generation Method
Advisor (Chinese): 黃世昆
Advisor (English): Huang, Shih-Kun
Committee members (Chinese): 許富皓, 孔崇旭, 黃世昆
Committee members (English): Hsu, Fu-Hau; Koong, Chorng-Shiuh; Huang, Shih-Kun
Degree: Master's
Institution: National Chiao Tung University (國立交通大學)
Department: Institute of Computer Science and Engineering (資訊科學與工程研究所)
Student ID: 0456043
Year of publication (ROC calendar): 106 (2017)
Graduation academic year (ROC calendar): 105
Language: English
Pages: 41
Keywords (Chinese): 網頁安全, 符號執行, 軟體測試
Keywords (English): web security, symbolic execution, software testing
Abstract (Chinese, translated):
With the trend toward the Internet of Everything and diversified online services, the demand for web applications grows daily. However, most software contains serious vulnerabilities that may affect its security, and the disclosure of software weaknesses often causes alarm among users and developers. Detecting software vulnerabilities is not easy; developers usually learn of a problem only through error reports from users or through third-party vulnerability disclosure. This thesis extends the symbolic-execution-based web attack framework CRAXWeb, proposing a method that tracks the execution addresses of the web application and checks symbolic variables in order to detect more types of web attacks. Users can write Python scripts to select the attack types to detect, dynamically controlling the system's detection targets. Compared with the previous system and with other web testing systems that also use symbolic execution, this improves both the diversity of detected attack types and the flexibility of the system. The framework has been tested against several large open-source web applications and CTF (Capture The Flag) problems, and already detects many types of attacks.

Abstract (English):
With the thriving of the Internet of Everything (IoE) and diversified online services, there is an increasing demand for web applications. However, most web applications have critical bugs affecting their security. The exposure of software vulnerabilities always causes damage to not only the web programmers but also the users. It is not easy for programmers to figure out the potential vulnerabilities in their applications before release; they often notice a hidden defect only through feedback from users or risk exposure by third parties.
In this thesis, we implement a detection method for multiple types of web application vulnerabilities by extending the former web attack generation framework, CRAXWeb. Based on the technique of symbolic execution, our work tracks the addresses of program instructions and checks the arguments of dangerous functions to discover different types of web vulnerabilities. Compared to the former framework and to other analysis tools that also use symbolic execution, our work supports more types of web attacks and improves the system's flexibility for users. We have evaluated our solution by applying this detection process to several known vulnerabilities in open-source web applications and to CTF (Capture The Flag) problems, and detected various types of web attacks successfully.
Contents:
Abstract (Chinese) i
Abstract ii
Acknowledgements iii
Contents iv
List of Figures vi
List of Tables vii
1. Introduction 1
1.1 Motivation 1
1.2 Objective 1
1.3 Overview 2
2. Background 3
2.1 Symbolic Execution 3
2.2 Web Security Issues 4
2.2.1 Cross-Site Scripting (XSS) 4
2.2.2 Cross-Site Request Forgery (CSRF) 4
2.2.3 SQL Injection 5
2.2.4 Command Injection 5
2.2.5 File Inclusion 5
3. Related Work 7
3.1 Symbolic Execution Based Test Generation 7
3.2 Static/Dynamic Analysis Based Attack Detection 8
3.3 Symbolic Execution Based Attack Detection 9
4. Method 11
4.1 Symbolic Environment 12
4.1.1 Make Variable Symbolic 12
4.1.2 Symbolic Socket 13
4.2 Dangerous Function Analysis 14
4.2.1 Target Function Detection 14
4.2.2 Symbolic Argument Checking 16
4.3 Host Management 20
4.3.1 Dangerous Function List 20
5. Implementation 21
5.1 Symbolic Environment 21
5.1.1 System Architecture 21
5.1.2 Symbolic Socket 22
5.2 Dangerous Function Analysis 23
5.2.1 Target Function Detection 23
5.2.2 Symbolic Argument Checking 27
5.3 Host Management 28
5.3.1 Dangerous Function List 28
5.3.2 Configuration Control 29
6. Evaluation 31
6.1 Research on Dangerous Functions 31
6.1.1 PHP 31
6.1.2 JSP 33
6.1.3 Python 34
6.2 Evaluation of Vulnerable Applications 35
6.2.1 Experimental Environment 35
6.2.2 Experimental Result 35
7. Conclusion and Future Work 37
7.1 Conclusion 37
7.2 Future Work 37
References 39