1. 混合式的Java網頁應用程式分析工具 / A hybrid security analyzer for Java web applications
江尚倫, Unknown Date
In recent years, web applications have flourished and the number of internet users has grown, so providing customer service and doing business over the network has become a prevalent trend. Consequently, web applications have become targets for attackers, and attack techniques keep being renewed over time. Several approaches have been taken to prevent web attacks, such as firewalls and encrypted connections, but they have a limited effect against these attack techniques. The fundamental remedy is to go back to the design of the web application and eliminate the vulnerabilities inside it. Program analysis is a common technique for detecting these vulnerabilities. There are two major program analysis approaches, static analysis and dynamic analysis, and both can detect vulnerabilities effectively.
We reviewed several program analysis tools from recent years; most of them are static analysis tools. However, we noticed that static analysis is insufficient for analyzing Java web applications precisely because of characteristics of the Java language such as polymorphism and reflection. Static analysis has inherent limitations in examining these features, because it takes place when the program is not executing and therefore lacks runtime information.
In this thesis, we focus on dynamic analysis of programs, where the analysis occurs while the program is executing, to solve the problems mentioned above for Java web applications. To retrieve runtime analysis information, we use the instrumentation mechanism provided by AspectJ. Our tool first instruments the application's source code with modules that gather the needed information, and then executes the program in a unit testing approach. Our dynamic analysis module receives this information from the instrumented program as it runs and uses the characteristics of the Java language to track tainted data. We also considered that dynamic tracking leaves some potential vulnerabilities undiscovered when the program is not completely executed. Hence we adopt the online analysis concept and design an online tainted data flow analysis module to find the potential vulnerabilities that cannot be detected by dynamically tracking the tainted data. Our analysis tool finally integrates the results of these two analysis modules and provides the most sound analysis result for developers.

2. Java網頁程式安全弱點驗證之測試案例產生工具 / Test Case Generation for Verifying Security Vulnerabilities in Java Web Applications
黃于育 (Huang, Yu Yu), Unknown Date
Due to the rapid development of the internet in recent years, web applications have become very popular and ubiquitous. However, developers may neglect security while designing a program, so web applications become the targets of attackers. Hence, the issue of web application vulnerabilities has become crucial. There has been much research on web application security vulnerabilities, and much of it uses program analysis to detect vulnerabilities. These analysis approaches can basically be categorized into dynamic analysis and static analysis. However, both still have problems of their own. Specifically, static analysis offers high coverage of vulnerabilities but causes too many false positives. Dynamic analysis produces high-confidence results, yet it may cause false negatives when the test cases are incomplete.
In this thesis, we integrate static analysis and dynamic analysis to achieve two objectives: producing no false negatives and reducing false positives. We develop a test case generation tool based on static analysis and a program execution tool that dynamically tracks the execution of the target program with those test data to detect its vulnerabilities. The focus of this thesis is on using static analysis to generate test cases that cover all executable paths of the target program. Our test case generation tool first employs both intra- and inter-procedural analysis to cover all potentially vulnerable paths in a program, and then applies the symbolic execution technique, collecting all path constraints backward along each path. We pass the collected constraints to a constraint solver and finally generate the test cases. The execution tool uses the instrumentation mechanism provided by the aspect-oriented programming language AspectJ to implement a dynamic taint analysis that tracks the flow of tainted data derived from the generated test cases. As a result, all vulnerable program paths will be detected by our tools.