Research and Implementation of PHP Code Defect Detection Combining Static and Dynamic Analysis
Thesis topic: data-flow analysis + AST; Source: Beijing University of Posts and Telecommunications, master's thesis, 2017
【Abstract】: With the rapid growth of the Internet, the number of Chinese Internet users and the total number of web sites keep rising, and web applications are woven ever more tightly into everyday life. Web pages are no longer simple static HTML; they are built with dynamic scripting languages, and PHP, whose syntax is simple and easy to pick up, currently holds the largest share of web application development. Because web systems store large amounts of user data, they suffer more and more attacks, and large-scale leaks of user information occur from time to time. Many junior developers lack basic security knowledge, so products must pass a code audit by security staff before they go live. Manual auditing, however, is far too slow; the typical open-source static analyzer RIPS and the commercial tool Fortify both detect poorly, with false-positive rates that are too high; dynamic tools are unsuitable for certain scenarios and need a great deal of manual intervention; and there is no satisfactory open-source dynamic analysis tool. Researching and designing an accurate, reliable code audit system is therefore an active topic both in China and abroad. After studying lexical analysis, syntax analysis, data-flow analysis, fuzzing and reflection, and drawing on real scenarios and practical penetration-testing experience encountered by the author, this thesis proposes a code defect detection technique that combines static and dynamic analysis. The static analysis is the more efficient part and is used mainly to analyze the code's syntax: following user-defined security rules, it traverses the abstract syntax tree produced by PHP-Parser, locates dangerous (sink) functions precisely, backtracks the taint from each of them, and prints the taint propagation path in detail. The dynamic analysis is built on reflection and fuzzing: reflection is used to call the user-defined filter functions dynamically, and, according to predefined security rules, their inputs and outputs are compared to decide whether each filter is a genuine sanitization function.
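To make the static half concrete, here is an added PHP example written for this page; it is not the thesis's implementation, which is not reproduced here. It parses a small constructed target program with nikic/php-parser, looks up calls to sink functions in an assumed rule table, and backtracks each sink argument through earlier assignments until it reaches a superglobal source or a recognized sanitizer call, printing the propagation path the way the abstract describes. It assumes PHP 8.1+ and nikic/php-parser 5.x installed with Composer (vendor/autoload.php next to the script); the rule table, the helper names (calledName, ReadsCollector, lastAssignBefore, trace) and the sample program are all constructed for the example.

```php
<?php
// Added example, not the thesis's code: a minimal backward taint trace over a
// nikic/php-parser AST. Assumes `composer require nikic/php-parser:^5` produced
// vendor/autoload.php beside this script; rules and the target program are constructed.
declare(strict_types=1);
require __DIR__ . '/vendor/autoload.php';

use PhpParser\Node;
use PhpParser\Node\Expr;
use PhpParser\NodeFinder;
use PhpParser\NodeTraverser;
use PhpParser\NodeVisitorAbstract;
use PhpParser\ParserFactory;
use PhpParser\PrettyPrinter;

// Constructed target program, one statement per line.
$target = <<<'PHP'
<?php
$id   = $_GET['id'];
$q    = "SELECT * FROM users WHERE id = " . $id;
$page = intval($_GET['page']);
mysqli_query($conn, $q);
mysqli_query($conn, "SELECT 1 LIMIT " . $page);
system("ls " . escapeshellarg($_POST['dir']));
PHP;

// Assumed rules: taint sources, sinks (argument index that must be clean plus the
// vulnerability class) and, per class, the functions whose result is considered clean.
$rules = [
    'sources'    => ['_GET', '_POST', '_REQUEST', '_COOKIE'],
    'sinks'      => ['mysqli_query' => ['arg' => 1, 'class' => 'sqli'],
                     'system'       => ['arg' => 0, 'class' => 'rce']],
    'sanitizers' => ['sqli' => ['intval', 'mysqli_real_escape_string'],
                     'rce'  => ['escapeshellarg']],
];

function calledName(Expr\FuncCall $c): ?string
{
    return $c->name instanceof Node\Name ? $c->name->toString() : null; // null: dynamic call
}

// Collects the variables an expression reads, without descending into sanitizer calls.
final class ReadsCollector extends NodeVisitorAbstract
{
    public array $vars = [];
    public function __construct(private array $sanitizers) {}
    public function enterNode(Node $n)
    {
        if ($n instanceof Expr\FuncCall && in_array(calledName($n), $this->sanitizers, true)) {
            return NodeTraverser::DONT_TRAVERSE_CHILDREN;
        }
        if ($n instanceof Expr\Variable && is_string($n->name)) {
            $this->vars[] = $n;
        }
        return null;
    }
}

function lastAssignBefore(string $name, int $line, array $assigns): ?Expr\Assign
{
    $def = null;
    foreach ($assigns as $a) { // $assigns is in source order, so the last match wins
        if ($a->getStartLine() < $line && $a->var instanceof Expr\Variable && $a->var->name === $name) {
            $def = $a;
        }
    }
    return $def;
}

// Backward trace from an expression used at $useLine. Returns the propagation path
// (source first) or null if clean. Intraprocedural and flow-insensitive on purpose:
// branches, loops and calls into user functions are not modelled.
function trace(Expr $e, string $class, int $useLine, array $assigns, array $rules, array &$seen): ?array
{
    $reads = new ReadsCollector($rules['sanitizers'][$class] ?? []);
    (new NodeTraverser($reads))->traverse([$e]);
    foreach ($reads->vars as $v) {
        if (in_array($v->name, $rules['sources'], true)) {
            return ["source \${$v->name} at line {$v->getStartLine()}"];
        }
        $def = lastAssignBefore($v->name, $useLine, $assigns);
        if ($def === null || isset($seen[$v->name . '@' . $def->getStartLine()])) {
            continue; // undefined here, or already explored (guards against $x = $x . ...)
        }
        $seen[$v->name . '@' . $def->getStartLine()] = true;
        $path = trace($def->expr, $class, $def->getStartLine(), $assigns, $rules, $seen);
        if ($path !== null) {
            $path[] = "line {$def->getStartLine()}: " . (new PrettyPrinter\Standard())->prettyPrintExpr($def);
            return $path;
        }
    }
    return null;
}

$ast     = (new ParserFactory())->createForNewestSupportedVersion()->parse($target) ?? [];
$finder  = new NodeFinder();
$assigns = $finder->findInstanceOf($ast, Expr\Assign::class);

foreach ($finder->findInstanceOf($ast, Expr\FuncCall::class) as $call) {
    $name = calledName($call);
    if ($name === null || !isset($rules['sinks'][$name])) {
        continue;
    }
    ['arg' => $i, 'class' => $class] = $rules['sinks'][$name];
    if (!isset($call->args[$i]) || !$call->args[$i] instanceof Node\Arg) {
        continue; // argument missing, or a first-class-callable placeholder
    }
    $seen = [];
    $path = trace($call->args[$i]->value, $class, $call->getStartLine(), $assigns, $rules, $seen);
    echo ($path === null ? 'clean' : "TAINTED ({$class})") . ": {$name}() at line {$call->getStartLine()}\n";
    foreach ($path ?? [] as $step) {
        echo "    <- {$step}\n";
    }
}
```

On the constructed target this flags the mysqli_query() call on line 5 and prints the path from line 2 ($id = $_GET['id']) through line 3 ($q = ... . $id), while the intval()-wrapped use on line 6 and the escapeshellarg()-wrapped use on line 7 are reported clean. Two simplifications are worth noting: the trace is flow-insensitive (the last assignment before the use wins, with no branches, loops or user-function bodies), and any function named in the sanitizer list is trusted unconditionally. The first is the usual origin of the false positives the abstract complains about; the second is exactly the assumption the dynamic half is meant to check.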
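The dynamic half, as an added PHP example that is likewise not the thesis's code: it drives candidate filter functions through ReflectionFunction with a small set of fuzz payloads per sink class and accepts a filter as a sanitizer for that class only if every output satisfies the class's rule. The three filters, the payload lists and the output predicates are constructed for the example, and the helper names (asString, classifyFilter) are assumptions; it needs only plain PHP 8 with no dependencies.

```php
<?php
// Added example, not the thesis's code: decide whether a user-defined filter is a
// real sanitizer for a sink class by calling it through reflection with fuzz
// payloads and checking each output against the class's rule. Plain PHP 8.
declare(strict_types=1);

// Constructed filters under test, standing in for the application's own code.
function clean_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
function clean_sql(string $s): string
{
    return str_replace("'", '', $s); // weak on purpose: keeps backslashes, ';' and comment openers
}
function clean_int($v): int
{
    return (int) $v;
}

// Assumed rules: fuzz payloads per sink class and a predicate the output must satisfy.
$rules = [
    'xss'  => [
        'payloads' => ['<script>alert(1)</script>', '"><img src=x onerror=alert(1)>', "' autofocus onfocus='alert(1)"],
        'safe'     => fn(string $out): bool => !preg_match('/[<>"\']/', $out),
    ],
    'sqli' => [
        'payloads' => ["' OR 1=1 -- ", "\\' OR 1=1 #", "1; DROP TABLE users"],
        'safe'     => fn(string $out): bool => !preg_match('/[\'"\\\\;]|--|#/', $out),
    ],
];

// Normalize a filter's return value for the rule check; non-scalars never pass.
function asString($v): ?string
{
    return is_scalar($v) ? (string) $v : null;
}

// Returns ['sanitizer' => bool, 'failures' => [[payload, output], ...]],
// or null when the function cannot be driven with a single argument.
function classifyFilter(string $fn, array $rule): ?array
{
    if (!function_exists($fn)) {
        return null;
    }
    $ref = new ReflectionFunction($fn);
    if ($ref->getNumberOfRequiredParameters() !== 1) {
        return null;
    }
    $failures = [];
    foreach ($rule['payloads'] as $payload) {
        try {
            $out = asString($ref->invoke($payload));
        } catch (Throwable $e) {
            $failures[] = [$payload, get_class($e)]; // a filter that throws is not one we can rely on
            continue;
        }
        if ($out === null || !($rule['safe'])($out)) {
            $failures[] = [$payload, $out];
        }
    }
    return ['sanitizer' => $failures === [], 'failures' => $failures];
}

foreach (['clean_html', 'clean_sql', 'clean_int'] as $fn) {
    foreach ($rules as $class => $rule) {
        $r = classifyFilter($fn, $rule);
        if ($r === null) {
            echo "{$fn}: skipped (not a single-argument filter)\n";
            continue;
        }
        printf("%-10s %-4s %s\n", $fn, $class, $r['sanitizer'] ? 'sanitizer' : 'NOT a sanitizer');
        foreach ($r['failures'] as [$in, $out]) {
            printf("    %-34s -> %s\n", var_export($in, true), var_export($out, true));
        }
    }
}
```

Because each rule is class-specific, the same function can be a sanitizer for one sink and not for another: clean_html passes the XSS rule but fails the SQL rule (its output still carries the ';' of the entity it emits and the '--' it was given), clean_sql fails both (it strips only single quotes), and clean_int passes both. The input/output comparison is only as strong as the payload set and the predicate, so these should be maintained together with the static sink rules; a filter that throws on a payload is recorded as a failure rather than accepted.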
【Degree-granting institution】: Beijing University of Posts and Telecommunications
【Degree level】: Master's
【Year awarded】: 2017
【Classification number】: TP393.08
Source page: http://sikaile.net/guanlilunwen/ydhl/2009644.html