A Study of Automated Verifiers for Security Protocols and Web Applications

Date Issued
2008
Date
2008
Author(s)
Chen, Wen-Zen
URI
Abstract
Network security is essential because networks have become a basic element of communications. There are two critical parts of network security: security protocols and web applications. For security protocols, secrecy and authentication are two common properties that are usually checked by security protocol verifiers. Secrecy means that no unexpected agents could get the secret contents of messages. Authentication basically indicates that a message which appears to be from some agent is actually sent by the same agent. For web applications, there are many kinds of vulnerabilities. Between them, cross site scripting and injection flaws like SQL injection are the most common vulnerabilities summarized by OWASP. Cross site scripting allows attackers to execute script in the victim''s browser, which can steal user sessions, insert malicious context, and even control the browser. SQL injection inputs unexpected string as queries and can be used to operate the database without authorization.n this thesis, we review several representative verification methods for security protocols and web applications in detail. For security protocols, we study two projects in depth: AVISPA and ProVerif. The commonality of these two projects is that they are both state-exploration methods. However, the AVISPA project has some additional assistant mechanisms such as the lazy intruder to control over the state exploration. We also survey other methods using theorem proving, first-order logic, and model checking. For web applications, the two systems, PQL and WebSSARI, are summarized and discussed. PQL has its own query language to specify vulnerable patterns and utilizes static analysis, which guarantee no false negatives, and dynamic monitoring, which is based on the result of the static analysis. WebSSARI defines the tainted data and sinks in advance and transforms the verification into SAT. It also provides a strategy of efficiently sanitizing. Other related works like AspectJ, SQLCheck, and PTQL are also briefly explained. Finally, we compare AVISPA with ProVerif, and PQL with WebSSARI.
Subjects
Security Protocols
Web Applications
Formal Verification
Automated Verifier
File(s)
Loading...
Thumbnail Image
Name

ntu-97-R95725025-1.pdf

Size

23.32 KB

Format

Adobe PDF

Checksum

(MD5):58cb8fa11c1a5778e5184888571c4add

臺大位居世界頂尖大學之列,為永久珍藏及向國際展現本校豐碩的研究成果及學術能量,圖書館整合機構典藏(NTUR)與學術庫(AH)不同功能平台,成為臺大學術典藏NTU scholars。期能整合研究能量、促進交流合作、保存學術產出、推廣研究成果。

To permanently archive and promote researcher profiles and scholarly works, Library integrates the services of “NTU Repository” with “Academic Hub” to form NTU Scholars.

總館學科館員 (Main Library)
醫學圖書館學科館員 (Medical Library)
社會科學院辜振甫紀念圖書館學科館員 (Social Sciences Library)

開放取用是從使用者角度提升資訊取用性的社會運動,應用在學術研究上是透過將研究著作公開供使用者自由取閱,以促進學術傳播及因應期刊訂購費用逐年攀升。同時可加速研究發展、提升研究影響力,NTU Scholars即為本校的開放取用典藏(OA Archive)平台。(點選深入了解OA)

  • 請確認所上傳的全文是原創的內容,若該文件包含部分內容的版權非匯入者所有,或由第三方贊助與合作完成,請確認該版權所有者及第三方同意提供此授權。
    Please represent that the submission is your original work, and that you have the right to grant the rights to upload.
  • 若欲上傳已出版的全文電子檔,可使用Open policy finder網站查詢,以確認出版單位之版權政策。
    Please use Open policy finder to find a summary of permissions that are normally given as part of each publisher's copyright transfer agreement.

Built with DSpace-CRIS software - Extension maintained and optimized by 4Science