A Static Analyzer for PHP Web Applications (一個PHP網頁應用程式的靜態分析工具)
Thesis, Graduate Institute of Information Management, National Taiwan University, 2008
Author: Chung, Chen-I (鍾正一)
Advisor: 蔡益坤
Repository record: http://ntur.lib.ntu.edu.tw//handle/246246/180026 (record U0001-2907200913453601; added 2010-05-05, last updated 2018-06-29)

Abstract (the record carries the abstract in Chinese and in English with the same content; the English text follows)

The number and importance of Web applications have grown rapidly in recent years, as more and more services and business activities are accomplished through these applications. Consequently, Web applications have become targets of security attacks. Although several mechanisms, such as firewalls and connection encryption, have been developed to address the problem, they cannot eliminate Web application vulnerabilities, because the vulnerabilities are inherent in the Web application programs themselves. According to statistics published by OWASP, there are many kinds of Web application vulnerabilities, and the number is growing continuously. Program analysis techniques can be used to solve these problems: both static and dynamic approaches have been proposed to detect or prevent vulnerabilities. In this thesis, we focus on static analysis of programs, where the analysis is performed without actually executing the programs.
We believe that eliminating vulnerabilities during the program development stage is a relatively cost-effective approach. To this end, we review several recently proposed static analysis algorithms for Web applications and summarize their pros and cons. These approaches focus on the analysis of PHP Web applications; however, some issues have not been considered, e.g., alias analysis of PHP variable variables and of arrays with string indices. Performing static analysis without considering these issues may produce false negatives or false positives. We design an algorithm to solve these problems and implement it in our static analyzer, which first translates PHP programs into an intermediate representation. We chose CIL as the intermediate language; it helps program analysis by clarifying ambiguous constructs and removing redundant ones. We review the language features of PHP and propose a precise semantic conversion to CIL. In addition, we devise data structures and auxiliary functions to keep the semantics as precise as possible. The conversion not only represents PHP in CIL but also makes the type of each PHP variable explicit. We also implement a taint dataflow analysis on CIL that correctly handles the alias relationships of PHP variable variables and of arrays with string indices. Many existing tools yield a false positive or a false negative even when the variable that indexes a variable variable holds a constant string value. Through our analysis of ten Web applications, we found several vulnerabilities caused by variable variables and arrays with string indices.

Contents

1 Introduction
  1.1 Background
  1.2 Motivation and Objectives
  1.3 Thesis Outline
2 Related Work
  2.1 The WebSSARI System
    2.1.1 System Overview
    2.1.2 Type-Based Approach
    2.1.3 Bounded Model Checking
    2.1.4 Discussion
  2.2 Alias Analysis in Pixy
    2.2.1 Aliases in PHP
    2.2.2 Analysis Overview
    2.2.3 Aliases between Global Variables
    2.2.4 Discussion
  2.3 Static String Analysis
    2.3.1 Static String Analysis Overview
    2.3.2 Discussion
  2.4 Vulnerability Detection by Static String Analysis
    2.4.1 Algorithm for Detecting Injection Vulnerabilities
    2.4.2 Algorithm for Detecting XSS Vulnerabilities
    2.4.3 Discussion
  2.5 Summary
3 Preliminaries
  3.1 Web Application Security Vulnerabilities
    3.1.1 Cross-Site Scripting (XSS) Vulnerability
    3.1.2 Injection Flaws Vulnerability
    3.1.3 Malicious File Execution Vulnerability
  3.2 Context-Free Grammars
    3.2.1 Formal Definition
  3.3 Regular Expressions
    3.3.1 Formal Definition
  3.4 Static Single Assignment Form
4 Parsing and Static Analysis
  4.1 Parsing PHP to CIL
    4.1.1 Conversion of PHP Variables
    4.1.2 Conversion of PHP Arrays
    4.1.3 Conversion of PHP Variable Variables and Variable Functions
    4.1.4 Conversion of Accessing and Assigning Variables
    4.1.5 Conversion of the PHP Foreach Statement
    4.1.6 Conversion of PHP User-Defined Functions
    4.1.7 Conversion of PHP Built-In Functions
    4.1.8 Conversion of PHP Class Objects
    4.1.9 PHP Dynamic File Inclusion
  4.2 Analysis Algorithms
    4.2.1 Taint Dataflow Analysis
    4.2.2 Aliases of PHP Variable Variables
    4.2.3 Analysis of Arrays with String Indices
5 Implementation and Evaluation
  5.1 Implementation
    5.1.1 PHP Parser and File Inclusion Preprocessor
    5.1.2 Converter from PHP AST to C AST
    5.1.3 Auxiliary Functions Written in C
  5.2 Evaluation
6 Conclusion
  6.1 Contributions
  6.2 Future Work
Bibliography
Appendix

Keywords: Static Analysis; Dataflow Analysis; Web Applications; PHP Variable Variables; Security Vulnerabilities; Verification
Title: A Static Analyzer for PHP Web Applications (一個PHP網頁應用程式的靜態分析工具)
Full text (PDF): http://ntur.lib.ntu.edu.tw/bitstream/246246/180026/1/ntu-97-R96725006-1.pdf
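The abstract's claim that existing tools report false positives or false negatives on variable variables and string-indexed arrays, as an added illustration that is not the thesis's own tool (which works on CIL, not on the toy IR below): a small flow-sensitive taint analysis in Python over a PHP-like intermediate form. It compares three treatments of `$$x` (resolve the target through a constant index, fall back to every variable conservatively, or ignore the access) and two treatments of arrays (one abstract cell per literal key versus one cell for the whole array). The IR, the two sample programs and the sink labels are constructed for this example; `STAR`, `Abs`, `State`, `analyse` and the mode names are assumptions of the example, not names from the thesis.

```python
"""Toy flow-sensitive taint analysis over a PHP-like IR (a constructed example, not the
thesis's CIL-based tool).  Statements: ("assign", lval, rval), ("sink", rval, label).
Values: ("var", n) = $n, ("varvar", n) = $$n, ("arr", n, k) = $n['k'], ("const", s),
("source", what) = untrusted input such as $_GET, ("concat", a, b)."""
from dataclasses import dataclass, field
from typing import Optional

STAR = "*"  # summary cell for "some variable whose name could not be resolved"

@dataclass
class Abs:  # abstract value: taint bit plus the constant string value when known
    tainted: bool = False
    const: Optional[str] = None

@dataclass
class State:
    scalars: dict = field(default_factory=dict)  # name -> Abs
    arrays: dict = field(default_factory=dict)   # name -> {key -> Abs}

def resolve_varvar(st, name, mode):
    """Names $$name may denote: one exact target only if 'precise' and $name is constant."""
    holder = st.scalars.get(name, Abs())
    if mode == "precise" and holder.const is not None:
        return {holder.const}
    return set(st.scalars) | {STAR}  # every variable seen so far: source of false positives

def read_var(st, name):
    v, star = st.scalars.get(name, Abs()), st.scalars.get(STAR, Abs())
    # after an unresolved $$x write, no scalar can still be trusted to be constant
    return Abs(v.tainted or star.tainted, None if STAR in st.scalars else v.const)

def read_arr(st, name, key, per_key):
    elems = st.arrays.get(name, {})
    if not per_key:  # whole array summarised as one cell: any tainted element taints every read
        return Abs(any(e.tainted for e in elems.values()), None)
    v = elems.get(key, Abs())
    return Abs(v.tainted, v.const)

def eval_rval(st, rv, mode, per_key):
    kind = rv[0]
    if kind in ("const", "source"):
        return Abs(kind == "source", rv[1] if kind == "const" else None)
    if kind == "var":
        return read_var(st, rv[1])
    if kind == "varvar":
        if mode == "ignore":
            return Abs()
        vals = [read_var(st, t) for t in resolve_varvar(st, rv[1], mode)]
        return Abs(any(v.tainted for v in vals), vals[0].const if len(vals) == 1 else None)
    if kind == "arr":
        return read_arr(st, rv[1], rv[2], per_key)
    if kind == "concat":
        a, b = (eval_rval(st, x, mode, per_key) for x in rv[1:])
        known = a.const is not None and b.const is not None
        return Abs(a.tainted or b.tainted, a.const + b.const if known else None)
    raise ValueError(rv)

def assign(st, lv, val, mode):
    kind = lv[0]
    if kind == "var":
        st.scalars[lv[1]] = val
    elif kind == "varvar":
        if mode == "ignore":  # a tool that does not model $$x at all: silent false negative
            return
        targets = resolve_varvar(st, lv[1], mode)
        if len(targets) == 1:  # strong update: exactly one variable is written
            st.scalars[targets.pop()] = val
        else:  # weak update of every may-alias: taint spreads and constants are lost
            for t in targets:
                st.scalars[t] = Abs(st.scalars.get(t, Abs()).tainted or val.tainted, None)
    elif kind == "arr":
        st.arrays.setdefault(lv[1], {})[lv[2]] = val

def analyse(program, mode="precise", per_key=True):
    """Return labels of sinks fed tainted data. mode: 'precise' resolves $$x through a
    constant index, 'conservative' never does, 'ignore' drops $$x accesses entirely."""
    st, findings = State(), []
    for stmt in program:
        if stmt[0] == "assign":
            assign(st, stmt[1], eval_rval(st, stmt[2], mode, per_key), mode)
        elif stmt[0] == "sink" and eval_rval(st, stmt[1], mode, per_key).tainted:
            findings.append(stmt[2])
    return findings

# Constructed sample 1: $name='query'; $table='accounts'; $$name=$_GET['q']; two mysql_query sinks
PROGRAM_VARVAR = [
    ("assign", ("var", "name"), ("const", "query")),
    ("assign", ("var", "table"), ("const", "accounts")),
    ("assign", ("varvar", "name"), ("source", "$_GET['q']")),
    ("sink", ("concat", ("const", "SELECT * FROM "), ("var", "table")), "mysql_query($table)"),
    ("sink", ("var", "query"), "mysql_query($query)"),
]
# Constructed sample 2: $cfg['user']=$_POST['name']; $cfg['table']='accounts'; one safe, one XSS sink
PROGRAM_ARRAY = [
    ("assign", ("arr", "cfg", "user"), ("source", "$_POST['name']")),
    ("assign", ("arr", "cfg", "table"), ("const", "accounts")),
    ("sink", ("concat", ("const", "SELECT * FROM "), ("arr", "cfg", "table")), "mysql_query($cfg['table'])"),
    ("sink", ("arr", "cfg", "user"), "echo($cfg['user'])"),
]

if __name__ == "__main__":
    print({m: analyse(PROGRAM_VARVAR, mode=m) for m in ("precise", "conservative", "ignore")})
    print(analyse(PROGRAM_ARRAY), analyse(PROGRAM_ARRAY, per_key=False))
```

On the first sample, `precise` reports only `mysql_query($query)`, which is the real injection; `conservative` also flags the safe `mysql_query($table)` (a false positive, because the unresolved `$$name` write could have hit `$table`); `ignore` reports nothing (a false negative, because `$query` is never seen to be written). On the second sample, per-key array cells report only the `echo` of `$cfg['user']`, while summarising the array into one cell also flags the query built from the constant `$cfg['table']`. A real analyzer additionally needs interprocedural propagation, sanitiser modelling and a sound treatment of non-constant indices, which this straight-line toy omits.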