Title: Test Case Generation for Verifying Security Vulnerabilities in Java Web Applications (Chinese title: Java網頁程式安全弱點驗證之測試案例產生工具)
Author: 黃于育 (Huang, Yu Yu)
Contributors: 陳恭 (Chen, Kung), advisor; 黃于育 (Huang, Yu Yu)
Keywords: Test case generation; Symbolic execution; Web application; Static analysis; Dynamic analysis; Taint analysis
Date: 2010
Upload time: 4-Sep-2013 17:06:20 (UTC+8)
Abstract (translated from the Chinese): In recent years, with the growth of the internet, web applications have developed rapidly and become widespread. They have spread quickly while security was neglected during program design, and so they have become targets of attackers; the security of web applications is therefore increasingly important. There is already much research on web application security vulnerabilities that uses program analysis techniques to find them, divided mainly into static analysis and dynamic analysis. Whether static or dynamic, each approach still has shortcomings: static analysis results are complete but produce too many false positives, while dynamic analysis results are highly accurate but miss vulnerabilities (false negatives) because the test cases are incomplete. This thesis therefore combines static and dynamic analysis: a static analysis method is used to develop a test case generation tool, and a dynamic analysis method then tracks the test data as the test cases execute and verifies the vulnerabilities, with the goal of producing no false negatives and reducing false positives.
The focus of this thesis is on using static analysis techniques to generate test cases that cover all executable paths in the target program. We apply the symbolic execution technique commonly used in test case generation, collecting and solving the program's path constraints to produce test cases. In the implementation, inter-procedural path analysis is used to find all potentially vulnerable paths in the target program, then backward path constraint collection gathers the constraint information completely; finally the constraints are handed to a constraint solver, which solves them and produces the test cases. Next, the code instrumentation facility of the aspect-oriented programming language AspectJ is used to implement dynamic taint analysis; executing the program with the generated test cases triggers the dynamic taint analysis and produces trustworthy vulnerability analysis results.
Abstract (English): Due to the rapid development of the internet in recent years, web applications have become very popular and ubiquitous. However, developers may neglect security issues while designing a program, so that web applications become the targets of attackers. Hence, the issue of web application vulnerabilities has become very crucial. There have been many research results on web application security vulnerabilities, and many of them exploit program analysis techniques to detect vulnerabilities. These analysis approaches can basically be categorized into dynamic analysis and static analysis. However, both of them still have problems to be improved. Specifically, static analysis supports high coverage of vulnerabilities but causes too many false positives. Dynamic analysis, although it produces highly confident results, may cause false negatives without complete test cases.
In this thesis, we integrate static analysis and dynamic analysis to achieve the objectives of producing no false negatives and reducing false positives. We develop a test case generation tool based on the static analysis approach and a program execution tool that dynamically tracks the execution of the target program with the generated test data to detect its vulnerabilities. Our test case generation tool first employs both intra- and inter-procedural analysis to cover all vulnerable paths in a program, and then applies the symbolic execution technique to collect all path constraints. With these collected constraints, we use a constraint solver to solve them and finally generate the test cases. As for the execution tool, it utilizes the instrumentation mechanism provided by the aspect-oriented programming language AspectJ to implement a dynamic taint analysis that tracks the flow of tainted data derived from those generated test cases. As a result, all vulnerable program paths will be detected by our tools.
References:
[1] Artzi, S., Kiezun, A., Dolby, J., Tip, F., Dig, D., Paradkar, A., Ernst, M. D. “Finding bugs in dynamic Web applications.” In Proc. 2008 International Symposium on Software Testing and Analysis (ISSTA), July 20-24, 2008, Seattle, WA, USA.
[2] Chiang, C. L. “A Hybrid Security Analyzer for Java Web Application.” Master’s thesis, Department of Computer Science, National Chengchi University, 2010.
[3] Fu, X., Qian, K. “SAFELI: SQL injection scanner using symbolic execution.” In Proc. 2008 Workshop on Testing, Analysis, and Verification of Web Services and Applications (TAV-WEB 2008), pages 34-39, 2008.
[4] Haldar, V., Chandra, D., Franz, M. “Dynamic Taint Propagation for Java.” In 21st Annual Computer Security Applications Conference (ACSAC), pages 303-311, December 2005.
[5] Huang, Y. W., Tsai, C. H., Lin, T. P., Huang, S. K., Lee, D. T., Kuo, S. Y. “A testing framework for Web application security assessment.” Computer Networks: The International Journal of Computer and Telecommunications Networking, pages 739-761, August 2005.
[6] Huang, Y. W., Yu, F., Hang, C., Tsai, C. H., Lee, D. T., Kuo, S. Y. “Securing Web Application Code by Static Analysis and Runtime Protection.” In Proc. 13th International World Wide Web Conference (WWW2004), May 2004.
[7] Kiezun, A., Guo, P. J., Jayaraman, K., Ernst, M. D. “Automatic creation of SQL injection and cross-site scripting attacks.” In Proc. 2009 IEEE 31st International Conference on Software Engineering (ICSE), pages 199-209, IEEE Computer Society, 2009.
[8] Lin, J. C., Chen, J. M. “An Automated Mechanism for Secure Input Handling.” Journal of Computers, vol. 4, no. 9, September 2009.
[9] Lokuciejewski, P., Cordes, D., Falk, H., Marwedel, P. “A Fast and Precise Static Loop Analysis Based on Abstract Interpretation, Program Slicing and Polytope Models.” In Proc. 2009 International Symposium on Code Generation and Optimization, pages 136-146, March 22-25, 2009.
[10] Masuhara, H., Kawauchi, K. “Dataflow Pointcut in Aspect-Oriented Programming.” In APLAS'03, the First Asian Symposium on Programming Languages and Systems, pages 105-121, 2003.
[11] Muchnick, S. S. Advanced Compiler Design and Implementation, 1997.
[12] Nguyen-Tuong, A., Guarnieri, S., Greene, D., Evans, D. “Automatically Hardening Web Applications Using Precise Tainting.” In Proc. 20th IFIP International Information Security Conference, 2005.
[13] OWASP Top 10 - 2010: The Ten Most Critical Web Application Security Risks, https://www.owasp.org/index.php/Top_10_2010-Main.
[14] Saxena, P., Akhawe, D., Hanna, S., Mao, F., McCamant, S., Song, D. “A symbolic execution framework for JavaScript.” Technical Report UCB/EECS-2010-26, EECS Department, University of California, Berkeley, 2010.
[15] Saxena, P., Poosankam, P., McCamant, S., Song, D. “Loop-extended symbolic execution on binary programs.” In Proc. ISSTA, pages 225-236, 2009.
[16] Soot, A Java Optimization Framework, http://www.sable.mcgill.ca/soot/.
[17] Stanford SecuriBench Micro, 2006, http://suif.stanford.edu/~livshits/work/securibench-micro/.
[18] Xu, W., Bhatkar, S., Sekar, R. “Practical Dynamic Taint Analysis for Countering Input Validation Attacks on Web Applications.” Technical Report SECLAB-05-04, Department of Computer Science, Stony Brook University, May 2005.
[19] Yu, S. F. “Automatic Generation of Penetration Test Cases for Web Applications.” Master’s thesis, Department of Information Management, National Taiwan University, 2010.
Description: Master's thesis; National Chengchi University; Department of Computer Science; student number 97753022; academic year 99
Source: http://thesis.lib.nccu.edu.tw/record/#G0097753022
Type: thesis
Identifier: G0097753022
URI: http://nccur.lib.nccu.edu.tw/handle/140.119/60241
Table of contents (translated from the Chinese):
Chapter 1 Introduction 1
1-1 Research background 1
1-2 Motivation 2
1-3 Research objectives 4
1-4 Thesis organization 5
Chapter 2 Related Work and Background Techniques 6
2-1 Related work 6
2-1-1 Static approach 6
2-1-2 Dynamic approach 8
2-1-3 Hybrid approach 9
2-1-4 Testing-based approach 11
2-2 Background techniques 18
2-2-1 Common web application vulnerabilities 18
2-2-2 Analysis methods 20
Chapter 3 System Architecture 24
3-1 System design considerations and goals 24
3-2 System architecture overview 27
3-3 Main system components 30
Chapter 4 System Implementation 33
4-1 Test case generation 33
4-1-1 Algorithm for test case generation 33
4-1-2 Inter-procedural path analysis 35
4-1-3 Solving path constraints 59
4-2 Test case execution 62
4-2-1 AspectJ taint tracker 63
4-2-2 Program executor 64
Chapter 5 Experimental Evaluation 67
5-1 Benchmark programs 67
5-2 Experimental results 69
5-3 Discussion 70
Chapter 6 Conclusions and Future Work 72
6-1 Conclusions 72
6-2 Future work 73
References 74
Appendix 77
Format: application/pdf, 1295855 bytes
Language: en_US