National Chengchi University Institutional Repository (NCCUR): Item 140.119/59298


    Please use this permanent URL to cite or link to this item: https://nccur.lib.nccu.edu.tw/handle/140.119/59298


    Title: 程式弱點視覺化技術 / Visualizing Web Application Vulnerabilities
    Author: Tung, Yi Yang (董亦揚)
    Contributors: Yu, Fang (郁方); Tung, Yi Yang (董亦揚)
    Keywords: Visualization; Web security; String Analysis; Program Comprehension
    Date: 2012
    Upload time: 2013-09-02 16:01:32 (UTC+8)
    Abstract: Web applications play an important role in the growth of the Internet and frequently handle sensitive customer data.
    However, web application development easily introduces vulnerabilities, which leave websites exposed to attacks by hackers who may obtain administrator access to the site; this is an extremely serious problem. We propose a new online service that detects vulnerabilities in web applications and lets developers view and patch them. The back end of this service is built on static string analysis of the web application's source code. We analyzed several open-source websites and report various previously unknown vulnerabilities together with the code that patches them.
    Web application security has become a critical issue as more and more personal and business applications have appeared in recent years. It is known that Web applications are vulnerable due to software defects. Open to public users, vulnerable Websites may experience malicious attacks from the Internet. We present a new Web-service platform with which system developers can detect and patch potential vulnerabilities of their Web applications online. Taking advantage of static string analysis techniques, our analysis ensures that the patched programs are free from vulnerabilities with respect to given attack patterns. Specifically, we integrate the service front end with program-visualization techniques, developing a 3D interface/presentation that allows users to access and view the analysis results in a visualization environment with the aim of improving users’ comprehension of programs, and especially of how vulnerabilities get exploited and patched. We report our analysis results on several open-source applications, finding and patching various previously unknown as well as known vulnerabilities.
    Description: Master's thesis
    National Chengchi University
    Graduate Institute of Management Information Systems (資訊管理研究所)
    100356021
    101
    Source: http://thesis.lib.nccu.edu.tw/record/#G0100356021
    Data type: thesis
    Appears in collection: [Department of Management Information Systems] Theses

    Files in this item:

    602101.pdf (2142 KB, Adobe PDF)

