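Research and Implementation of a PHP Code Defect Detection Technique Combining Static and Dynamic Analysis
Topics: data flow analysis + AST; Source: Beijing University of Posts and Telecommunications, master's thesis, 2017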
[Abstract]: With the rapid development of the Internet, the number of Chinese Internet users keeps growing, the total number of websites keeps increasing, and web applications are ever more closely tied to people's daily lives. Web pages are no longer simple static HTML pages but are built with a variety of dynamic scripting languages; PHP, whose syntax is simple and easy to pick up, currently holds the largest share among the programming languages used for web application development. However, because web systems store large amounts of user data, they suffer more and more attacks by hackers, and incidents in which large amounts of user information are leaked occur from time to time. Many junior developers lack basic security knowledge, so products must go through a code audit by security staff before going live. Manual auditing is far too inefficient, however; the detection results of the typical open-source static code tool Rips and the commercial tool Fortify are both unsatisfactory, with false positive rates that are too high; dynamic tools are unsuitable for certain scenarios and need a great deal of manual intervention; and there is no ideal open-source dynamic analysis tool. Research into and design of an accurate and reliable code audit system is therefore a current research hotspot at home and abroad.

After studying lexical analysis, syntax analysis, data flow analysis, fuzzing and reflection, and drawing on real scenarios the author encountered and practical experience from penetration testing, this thesis proposes a code defect detection technique that combines static analysis and dynamic analysis. Static analysis is comparatively efficient and is used mainly to analyze code syntax: following custom security rules, it traverses the abstract syntax tree generated by PHP-Parser, precisely locates dangerous functions, backtracks the taint, and outputs the taint propagation path in detail. Dynamic analysis is implemented mainly with reflection and fuzzing: reflection is used to dynamically invoke user-defined filter functions and, according to predefined security rules, the input and output are compared to decide whether a function is a sanitizing function.
[Degree-granting institution]: Beijing University of Posts and Telecommunications
[Degree level]: Master's
[Year degree granted]: 2017
[Classification number]: TP393.08
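
The dynamic step described in the abstract (invoke a user-defined filter function through reflection, then compare input and output against a security rule) can be sketched as follows. This is an added example, not code from the thesis; the rule table, the probe strings and the `filter_*` functions are assumptions constructed for illustration.

```php
<?php
// Added example. Rules, probe strings and the filter_* functions are constructed.
// A rule lists characters that must not reach the sink raw; 'backslash' says
// whether a backslash-escaped occurrence counts as neutralized.
const RULES = [
    'sql'  => ['chars' => ["'", '"'],           'backslash' => true],
    'html' => ['chars' => ['<', '>', '"', "'"], 'backslash' => false],
];

// True if $c occurs in $s raw (or, when escaping is allowed, unescaped).
function hasUnescaped(string $s, string $c, bool $allowBackslash): bool {
    for ($i = 0, $n = strlen($s); $i < $n; $i++) {
        if ($s[$i] !== $c) continue;
        if (!$allowBackslash) return true;
        $bs = 0; // count the backslashes directly before this occurrence
        for ($j = $i - 1; $j >= 0 && $s[$j] === '\\'; $j--) $bs++;
        if ($bs % 2 === 0) return true; // even count: the character is not escaped
    }
    return false;
}

// Invoke a user-defined one-argument filter by name and compare input with output.
function isSanitizer(string $fn, string $rule): bool {
    $ref = new ReflectionFunction($fn);
    if (!$ref->isUserDefined() || $ref->getNumberOfParameters() < 1
        || $ref->getNumberOfRequiredParameters() > 1) {
        throw new InvalidArgumentException("$fn is not a one-argument user filter");
    }
    ['chars' => $chars, 'backslash' => $bs] = RULES[$rule];
    foreach ($chars as $probeChar) {
        foreach (["a{$probeChar}b", "{$probeChar}{$probeChar}x{$probeChar}"] as $in) {
            $out = (string) $ref->invoke($in);
            foreach ($chars as $c) {
                if (hasUnescaped($out, $c, $bs)) return false;
            }
        }
    }
    return true;
}

// Constructed filters standing in for functions found in audited code.
function filter_quotes(string $s): string { return addslashes($s); }
function filter_html(string $s): string { return htmlspecialchars($s, ENT_QUOTES); }
function filter_single(string $s): string { return str_replace("'", '', $s); }
function filter_trim(string $s): string { return trim($s); }

foreach (['filter_quotes', 'filter_html', 'filter_single', 'filter_trim'] as $fn) {
    foreach (array_keys(RULES) as $rule) {
        printf("%-14s %-5s %s\n", $fn, $rule, isSanitizer($fn, $rule) ? 'sanitizer' : 'not a sanitizer');
    }
}
```

A static pass can use such a verdict to decide whether a taint path that runs through the function should still be reported for a given sink class.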
Article number: 2009644
Article link: http://sikaile.net/guanlilunwen/ydhl/2009644.html