政大機構典藏-National Chengchi University Institutional Repository(NCCUR):Item 140.119/53455
English  |  正體中文  |  简体中文  |  Post-Print筆數 : 27 |  Items with full text/Total items : 113313/144292 (79%)
Visitors : 50944679      Online Users : 663
RC Version 6.0 © Powered By DSPACE, MIT. Enhanced by NTU Library IR team.
Scope Tips:
  • please add "double quotation mark" for query phrases to get precise results
  • please goto advance search for comprehansive author search
  • Adv. Search
    HomeLoginUploadHelpAboutAdminister Goto mobile version
    Please use this identifier to cite or link to this item: https://nccur.lib.nccu.edu.tw/handle/140.119/53455


    Title: 符號式字串驗證:對網路應用程式自動化弱點掃描與補正的正規方法研究與工具開發
    Other Titles: Symbolic String Verification: a Formal Approach for Automatic Web Application Vulnerability Detection and Sanitization Synthesis
    Authors: 郁方
    Contributors: 國立政治大學資訊管理學系
    行政院國家科學委員會
    Keywords: 符號式字串驗證
    Date: 2012
    Issue Date: 2012-08-30 15:49:47 (UTC+8)
    Abstract: 本計畫將探討符號式字串分析的相關技術,運用自動機表示字串變數的可能值來 進行字串運算程式的驗證。以此技術為基礎,開發全自動化的程式分析工具,針對網 路應用程式可能存在的安全漏洞(弱點)進行正規化的掃描與補正。 我們的方法包含三個步驟:首先,我們先以正向分析辨識應用程式內所有可能的安全 漏洞。一個安全漏洞表式程式的某個敏感函數可能在執行時使用不適當(給定)的字 串值,從而允許使用者對應用程式進行惡意攻擊。針對每一個安全漏洞,我們接著計 算所有可能會導致此惡意攻擊的使用者輸入值。我們稱此為漏洞表徵。要避免使用者 攻擊,我們自動化產生淨化程式。此淨化程式會在應用程式執行時,對符合漏洞表徵 的使用者輸入值進行(最少化的)修改,從而避免可能的惡意攻擊發生。對多個輸入 源的安全漏洞,我們運用多軌自動機描述輸入值之間的關連性,從而產生更有效率的 淨化程式。我們也將探討與整合靜態字串分析的先進技術,包含字串抽象化、符號式 自動機、語言替代運算與最小終結點運算加速。這增強我們分析的實用性。 我們將發展一開放的網路平台提供嚴謹的字串分析服務。針對目前最嚴重的惡意攻擊 (如SQL Injection, XSS),偵測與移除網路應用程式可能的安全漏洞。
    We investigate automata‐based string verification techniques and apply the techniques for automatic vulnerability detection and sanitization synthesis for Web applications. Our approach consists of three phases: Given an attack pattern we first conduct a vulnerability analysis to identify if strings that match the attack pattern can reach the security‐sensitive functions. Next, we compute vulnerability signatures that characterize all input strings that can exploit the discovered vulnerability. Given the vulnerability signatures, we then construct sanitization statements that 1) check if a given input matches the vulnerability signature and 2) modify the input in a minimal way so that the modified input does not match the vulnerability signature. Particularly, we are interested in generating relational vulnerability signatures (and corresponding sanitization statements) for vulnerabilities that are due to more than one input. Our approach also features other advance techniques including string abstractions, symbolic automata encoding, fixpoint acceleration, and language‐based replacement. We provide a scalable web service using cloud‐computing techniques. Public users can find and eliminate string‐related security vulnerabilities, such as SQL Injections and XSS attacks, in their Web applications. Based on our automata‐based string analysis, the service is capable of identifying potential vulnerabilities, generating effective patches for vulnerable applications, and proving the absence of vulnerabilities in well‐developed applications.
    Relation: 基礎研究
    學術補助
    研究期間:10108~ 10207
    研究經費:577仟元
    Data Type: report
    Appears in Collections:[Department of MIS] NSC Projects

    Files in This Item:

    File Description SizeFormat
    99-2218-E004-002-MY3.pdf18935KbAdobe PDF2541View/Open


    All items in 政大典藏 are protected by copyright, with all rights reserved.


    社群 sharing

    著作權政策宣告 Copyright Announcement
    1.本網站之數位內容為國立政治大學所收錄之機構典藏,無償提供學術研究與公眾教育等公益性使用,惟仍請適度,合理使用本網站之內容,以尊重著作權人之權益。商業上之利用,則請先取得著作權人之授權。
    The digital content of this website is part of National Chengchi University Institutional Repository. It provides free access to academic research and public education for non-commercial use. Please utilize it in a proper and reasonable manner and respect the rights of copyright owners. For commercial use, please obtain authorization from the copyright owner in advance.

    2.本網站之製作,已盡力防止侵害著作權人之權益,如仍發現本網站之數位內容有侵害著作權人權益情事者,請權利人通知本網站維護人員(nccur@nccu.edu.tw),維護人員將立即採取移除該數位著作等補救措施。
    NCCU Institutional Repository is made to protect the interests of copyright owners. If you believe that any material on the website infringes copyright, please contact our staff(nccur@nccu.edu.tw). We will remove the work from the repository and investigate your claim.
    DSpace Software Copyright © 2002-2004  MIT &  Hewlett-Packard  /   Enhanced by   NTU Library IR team Copyright ©   - Feedback