Title: A Study of Methods and Tools for Analyzing Security Vulnerabilities in Web Applications
Chinese title: 網站應用程式安全性弱點分析方法與工具之研究
Author: Tsai, Yi-Shan (蔡依珊)
Advisor: 蔡益坤
Institution: National Taiwan University, Graduate Institute of Information Management (臺灣大學:資訊管理學研究所)
Year issued: 2009
Date accessioned: 2010-05-05; date available: 2018-06-29
Identifier: U0001-3007200916010000
Handle: http://ntur.lib.ntu.edu.tw//handle/246246/180037
Full text: http://ntur.lib.ntu.edu.tw/bitstream/246246/180037/1/ntu-98-R96725017-1.pdf (application/pdf, 758472 bytes)
Language: en-US

Abstract (translated from the Chinese):

As part of the infrastructure of the global economic system, web applications provide a virtual platform that serves as a bridge for communication between users, which makes them very important. However, the problem of web security vulnerabilities is growing more serious by the day and has a negative effect on the development of web applications. During application development, web application source code verification can serve as one method of addressing this problem. Manual source code review, however, is time-consuming and laborious, and human error leads to imprecise results; in addition, the people reviewing the code must have a professional background in information security. Hence the need for automated source code verification tools. Early automated methods and tools were applied only to software applications and were later extended to web applications, but to date there has been little research evaluating the precision of static tools and methods. In other words, when the developers of static tools claim that their methods and tools are efficient and effective without comparing them with other tools, the claim is unconvincing. The purpose of this thesis is to evaluate the precision of four existing static analysis methods and tools. To this end, we designed a set of benchmark programs containing vulnerable source code (for example, cross-site scripting and SQL injection); the benchmark programs also contain different data structures and control flow statements. More specifically, we use the benchmark programs we designed to evaluate the performance of existing static methods and tools, and present statistically how precisely each tool handles particular categories of security vulnerabilities. Finally, we combine the results of the four static analysis methods and tools to identify the shortcomings of existing static methods and tools, so as to assist the development of future static methods and tools.

Abstract (English):

As part of the infrastructure of the global economy, Web applications are of the utmost importance because they provide a virtual space where end users can communicate with one another. A negative aspect of this development is that the number of security vulnerabilities is growing constantly. One method used to solve such problems involves reviewing program code as a part of the development process. However, manual code verification is time-consuming, error-prone, and costly, and code auditors need a security background in order to audit the code. Thus, there is an urgent need for automated solutions to check whether Web applications are vulnerable. Verification tools have long implemented analysis methods in software applications and Web applications, but little research has been performed to evaluate the efficacy of each tool. Of course, developers claim that their tools are effective and efficient, but they do not compare their tool with others. In this thesis, our objective is to evaluate the efficacy of existing verification tools. To this end, we build benchmark cases of vulnerable code that may cause security problems, such as cross-site scripting and SQL injection; some benchmark cases deliberately contain no vulnerable code, so that we can determine whether a false positive occurs after the tool scans the code. Specifically, we use the developed benchmark cases to test four static analysis tools that generate reports of vulnerable program locations, and evaluate the performance of the tools statistically. Moreover, the benchmark cases enable us to identify the structures or control flow statements that cause false alarms in the four tools. As a result, we can determine which benchmark cases are not handled in the target tools.

Table of contents (page numbers refer to the PDF):

1 Introduction 1
1.1 Background 1
1.2 Motivation and Objectives 2
1.3 Thesis Outline 3
2 Preliminaries 4
2.1 Web Architecture 4
2.1.1 Web Applications 4
2.1.2 Security Problems in PHP 5
2.2 Common Vulnerabilities in Web Applications 6
2.2.1 Cross-Site Scripting (XSS) 6
2.2.2 SQL Injection 7
2.2.3 Malicious File Execution 8
2.2.4 Cross Site Request Forgery (CSRF) 9
2.2.5 HTTP Response Splitting 9
2.2.6 Resource Injection 10
2.2.7 Information Leakage 11
2.3 Regular Expression 12
3 Benchmark Cases for Evaluating Tools 15
3.1 Benchmark Overview 15
3.2 Benchmark Description 17
3.2.1 Display Handling 17
3.2.2 Control Flow Statements 17
3.2.3 SQL Statements in Database Manipulation 17
3.2.4 File Operation 18
3.2.5 Command Execution 19
3.2.6 File Inclusion 19
3.2.7 Information Leakage 19
4 Implementation and Evaluation 22
4.1 Implementation Overview 22
4.1.1 System Environment 22
4.1.2 Vulnerability Categories 22
4.1.3 Statistics Formulae 23
4.2 Evaluation by Categories 24
4.2.1 Cross-Site Scripting 24
4.2.2 SQL Injection 25
4.2.3 Resource Injection 25
4.2.4 Dangerous Functions and Files 26
4.2.5 Information Leakage 27
4.3 Summary 28
5 Methods Tested 29
5.1 Static Analysis Methods 29
5.1.1 WebSSARI 29
5.1.2 Pixy System 37
5.1.3 Summary 43
5.2 Supplement Methods 44
5.2.1 Extracting the Sanitization Graph 44
5.2.2 Testing the Effectiveness of Sanitization Routines 45
6 Conclusion 47
6.1 Contributions 47
6.2 Future Work 48
Bibliography 50
Appendices 55

Keywords (translated from the Chinese): Security Vulnerabilities; Web Applications; Precision; Benchmark; Source Code Verification; Static Analysis Methods and Tools
Keywords (English): Security Vulnerabilities; Web Applications; Precision; Benchmark; False Alarm; Code-Verification; Static Analysis Tools