AppScan:手機應用程式行為靜態偵測掃描-以iOS為例 / AppScan : Static mobile application behavior scanning on iOS executable

王韋仁, Wang, Wei Ren

Unknown Date

行動應用程式是當今最受歡迎和最主要的軟體應用程式，因此應用程式的實際行為以及相關的安全和隱私問題變得越來越重要。另一方面，隨著時間的推移，AppStore上有越來越多的應用程式已經停止更新或停止服務，但沒有從AppStore中刪除。然而，用戶對於缺少維護問題一無所知，仍然下載並使用它。在本研究中，我們將解決在應用程式中檢查特定屬性方法序列的問題。通過使用IDApro生成Function call dependency graph和Subroutine control flow graph，我們使用語法分析方式來進行跨子程式的序列檢查方案。我們將通過預先定義屬性的方法序列作為模型來檢查應用程式行為。這個分析方法可以說明在App Store中可用的應用程式中是否存在屬性方法序列。有助於我們在應用程式中檢查一些惡意行為屬性方法序列或特定行為方法序列（例如使用不推薦的api方法）。 我們的網絡爬蟲從官方文件中摘取了的所有可用的iOS SDK方法，並從中提取做為我們的模型序列。我們將檢查應用程式是否包含所準備的模型序列。如果應用程式中存在該序列，我們將在應用程式中記錄子程式中包含的方法序列調用。然後將結果數據匯總到我們的數據庫中，並將結果視覺化、數據化，並建立系統的的API服務。最後，我們構建了一個使用上述檢查功能所識做的的分析系統，並以Web服務形式顯示結果。 / Mobile application is the most popular and dominant software applications nowadays, so the actual behaviors of the application and the related security and privacy issues become more and more important. On the other hand, as time goes by, there are more and more applications on the AppStore stop to update or being abandoned but not removed from AppStore. However, the users know nothing about the lack of maintenance problems and still download and use it. In this research, we will resolve the issue for checking specific property method sequence within an application. By using IDApro to generate function call graph and the subroutine control flow graphs, we use syntax checking strategy to perform a across subroutines sequential checking solution. We will check the application behavior by predefining a property method sequence as pattern and then check with applications’. The analysis method can illustrate whether a property method sequence exists in the application which is available on App Store. This may help us to check some malicious behavior property method sequence or specific behavior method sequence (ex. using deprecated api methods) in the applications. We have prepared some property method sequence as our system input pattern extracted from all the available iOS SDK methods fetching by our web crawler. We will check whether an application contains the prepared method sequence or not. If the sequence exists in the application, we would record the method sequence call included in the subroutine within the application. Then the results data will be aggregated in our database, and export as api service for visualizing and statistic uses. Finally, we construct a call sequence analysis system for the above checking functions and show the result in a web service form

行動應用程式

靜態分析

行為分析

語法分析

Mobile apps

Static analysis

Behavior analysis

Syntax analysis

安全多方計算協定描述語言之設計與實作 / A Protocol Description Language for Secure Multi-Party Computation

黃文楷, Huang, Wen Kai

Unknown Date

安全多方計算的研究主要是針對在分散環境下的兩造(或多方)之間，如何在不透露彼此私有的資料的情況下，計算一個約定函數的問題，並要確保除了計算結果及其可能推導出的資訊，不會洩漏額外的私有資料。依此設計出來的函數算法，稱為安全的多方計算協定(protocol)。 過去兩年本實驗室根據一套基於向量內積運算(scalar product)發展出的安全多方計算方法，設計了一個雛型的分散式系統框架，開發了一套符合其安全要求的常用算數運算函數庫。 但目前個別的應用問題在此系統上發展安全協定的程式時，使用者必須相當熟悉其架構與程式庫細節，才能開發所需程式，造成推廣上的障礙。有鑑於此，本論文採用領域專屬語言(domain-specific language)的方法與技術，針對一般安全多方協定程式的特徵來進行歸納與分析，找出協助其表達計算步驟的適當抽象機制，並在設計上訂定了以下目標： 1. 設計一高階語言用以描述多方安全計算，以提供使用者撰寫安全多方計算程式。 2. 檢查並確保使用者撰寫的程式不會有資訊洩漏。 3. 多方安全運算執行上能保持一定的效率。 4. 建立多方安全計算的運算流程，讓PDL與現有的運作環境配合，達到各伺服器合作運行多方安全計算的目的。 朝向這四個目標發展出一套協定描述語言與其編譯器。以便與SMC-Protocol以及其環境合作，協助領域專家以更簡便的方式來設計與實驗更多的安全多方協定。我們稱此語言為多方安全計算協定描述語言(Protocol Description Language, PDL)。 / Protocols for secure multi-party computation (SMC) allow participants to share a computation while each party learns only what can be inferred from their own inputs and the output of the computation. In the past two years, we developed an SMC implementation framework for both integers and floating numbers which comprises a set of arithmetic operations that manipulate secret values among involved parties using the scalar product protocol as the basis. Such a library of arithmetic operations is call building blocks. But using this library is not easy. To solve individual SMC problem, programmer should knowing the given framework and protocol detail very well. This difficulty makes them won't consider this framework while facing the need of SMC. To ease the writing of more complex user-defined protocols, using the technique of domain-specific language, this thesis analysis the general needs of SMC, develop a domain-specific language of SMC, and implement a compiler that coverts this language to SMC code, which is executable code composed of the protocols of given framework. We called this language Protocol Description Language, PDL.

安全多方計算

隱私保護

領域專屬語言

靜態分析

Secure multi-party computation

privacy protection

domain-specific language

static analysis

Java網頁程式安全弱點驗證之測試案例產生工具 / Test Case Generation for Verifying Security Vulnerabilities in Java Web Applications

黃于育, Huang, Yu Yu

Unknown Date

近年來隨著網路的發達，網頁應用程式也跟著快速且普遍化地發展。網頁應用程式快速盛行卻忽略程式設計時的安全性考量，進而成為網路駭客的攻擊目標。因此，網頁應用程式的安全議題日益重要。目前已有許多網頁應用程式安全弱點的相關研究，以程式分析的技術找出弱點，主要分成靜態分析與動態分析兩大類。但無論是使用靜態或是動態的分析方法，仍有其不完美的地方。其中靜態分析結果完備但會產生過多弱點誤報；動態分析結果準確率高但會因為測試案例的不完備而造成弱點的漏報。因此，本論文研究結合了動靜態分析，利用靜態分析方法發展一套測試案例產生工具；再結合動態分析方法隨著測試案例的執行來追蹤測試資料並作弱點的驗證，以達到沒有弱點漏報的產生以及改善弱點誤報的目標。 本論文研究的重點集中在以靜態分析技術產生涵蓋目標程式中所有可執行路徑的測試案例。我們應用測試案例產生常見的符號化執行技巧，利用程式的路徑限制蒐集與解決來達成測試案例產生。實作上我們利用跨程序性路徑分析找出目標程式中所有潛在弱點的路徑，再以反向路徑限制蒐集將限制資訊完整蒐集；最後交給限制分析器解限制並產生測試案例。接著利用剖面導向程式語言AspectJ的程式插碼技術實現動態的汙染資料流分析，配合產生的測試案執行程式觸發動態的汙染資料流分析並產生可信賴的弱點分析結果。 / Due to the rapid development of the internet in recent years, web applications have become very popular and ubiquitous. However, developers may neglect the issues of security while designing a program so that web applications become the targets of attackers. Hence, the issue of web application vulnerabilities has become very crucial. There have been many research results of web application security vulnerabilities and many of them exploit the technique of program analysis to detect vulnerabilities. These analysis approaches can be can basically be categorized into dynamic analysis and static analysis. However, both of them still have their own problems to be improved. Specifically static analysis supports high coverage of vulnerabilities, but causes too many false positives. As for the dynamic analysis, although it produces high confident results, yet it may cause false negatives without complete test cases. In this thesis, we integrate both static analysis and dynamic analysis to achieve the objectives that no false negatives are produced and reduce false positives. We develop a test case generation tool by the static analysis approach and a program execution tool that dynamically track the execution of the target program with those test data to detect its vulnerabilities. Our test case generation tool first employs both intra- and inter-procedural analysis to cover all vulnerable paths in a program, and then apply the symbolic execution technique to collect all path constraints. With these collected constraints, we use a constraint solver to solve them and finally generate the test cases. As to the execution tool, it utilizes the instrumentation mechanism provided by the aspect-oriented programming language AspectJ to implement a dynamic taint analysis that tracks the flow of tainted data derived from those generated test cases. As a result, all vulnerable program paths will be detected by our tools.

測試案例產生

符號化執行

網頁應用程式

靜態分析

動態分析

汙染資料流分析

Test case generation

Symbolic execution

Web application

Static analysis

Dynamic analysis

Taint analysis