Research on Server-Side Access Control Techniques for Web Applications
Published: 2018-07-07 19:23
Topics: automatic repair + vulnerability scanning; Source: Beijing University of Posts and Telecommunications, 2015 master's thesis
[Abstract]: With the vigorous development of Web applications, more and more people are engaged with them. But as vulnerabilities in such applications keep emerging, the security demand for access control grows ever stronger. Earlier attribute- or policy-based access control techniques can effectively control user privileges on the server side, but they have drawbacks of varying degree in both security and the complexity of control. Another approach targets the shortcomings of the W3C same-origin policy: the client-side ESCUDO access control technique and the server-side SCUTA access control technique are used together. This approach assigns functions corresponding privileges, forming distinct privilege levels; a function that needs to be called across privilege levels is given a GATE label for the corresponding range of privilege levels, meaning that every function within that range of levels is permitted to call it. SCUTA, however, has a fatal flaw: the GATE-label method is too coarse-grained. It only manages privileges from an entire privilege level to a function, which may grant call permission to unsafe functions within the same privilege level. To address this problem, this thesis designs a finer-grained, function-to-function privilege management scheme that closes this gap. Furthermore, this thesis uses Apache, MySQL, PHP and other tools to build and implement the new access control technique: a modified PHP kernel on the server side accepts a specific cookie sent by the client and uses the page-node and function information it carries for access control, and it relies on MySQL's own access control facilities to realize access control on the data side of the whole scheme.
For any PHP project, the technique implements functional modules for analyzing project structure, vulnerability scanning, vulnerability assessment, privilege scoring of page nodes and called functions, and automatic or manual repair of the privilege configuration. The result is a technique that automatically assesses and scores code according to its vulnerabilities and configures code privileges automatically by rewriting the privilege configuration file. Finally, the technique is tested on projects containing real vulnerabilities, and the experimental results and data are used to examine its performance and accuracy. The results show that, compared with previous server-side application access control techniques, the technique in this thesis offers better accuracy, flexibility, and ease and speed of use; it can be applied to a wide range of access control monitoring, control and repair tasks, patches the security flaws present in earlier techniques, and strengthens control over privileges.
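An added illustration, not code from the thesis, of the coarse-versus-fine distinction the abstract draws: a GATE label admits a whole range of privilege levels, so a function sharing a level with a legitimate caller inherits the call right, whereas an explicit function-to-function grant does not. The level ordering, the GATE semantics, the function names and the policy are assumptions made for this example.

```php
<?php
// Added example, not the thesis's code: compares the coarse GATE model
// (grant by privilege-level range) with function-to-function grants.
// Assumed semantics: lower level number = more privileged; a call upward
// in privilege needs a grant. Function names and policy are constructed.

$levels = [                       // privilege level of each function
    'db_write'       => 0,        // most privileged
    'update_profile' => 1,
    'exec_raw_sql'   => 1,        // shares level 1 but must not reach db_write
    'render_profile' => 2,
];

// Coarse model: the GATE on db_write admits every function in levels 1..2,
// which also admits exec_raw_sql because it sits at level 1.
$gates = ['db_write' => ['min' => 1, 'max' => 2]];

// Fine model: explicit caller => [callees] grants.
$grants = [
    'update_profile' => ['db_write'],
    'render_profile' => ['db_write'],
];

function canCallGate(string $caller, string $callee, array $levels, array $gates): bool
{
    if (!isset($levels[$caller], $levels[$callee])) {
        return false;                                   // unknown function: deny
    }
    if ($levels[$caller] <= $levels[$callee]) {
        return true;                                    // caller at least as privileged
    }
    $g = $gates[$callee] ?? null;                       // upward call needs a GATE label
    return $g !== null && $levels[$caller] >= $g['min'] && $levels[$caller] <= $g['max'];
}

function canCallFine(string $caller, string $callee, array $levels, array $grants): bool
{
    if (!isset($levels[$caller], $levels[$callee])) {
        return false;
    }
    if ($levels[$caller] <= $levels[$callee]) {
        return true;
    }
    return in_array($callee, $grants[$caller] ?? [], true);   // explicit grant only
}

foreach (['update_profile', 'render_profile', 'exec_raw_sql'] as $caller) {
    printf("%-15s -> db_write  GATE: %s  function-to-function: %s\n", $caller,
        canCallGate($caller, 'db_write', $levels, $gates) ? 'allow' : 'deny',
        canCallFine($caller, 'db_write', $levels, $grants) ? 'allow' : 'deny');
}
```

The last line of output shows the gap the abstract describes: exec_raw_sql is admitted by the GATE range but denied under the function-to-function policy.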
[Degree-granting institution]: Beijing University of Posts and Telecommunications
[Degree level]: Master
[Year awarded]: 2015
[Classification number]: TP393.09; TP273
Article number: 2106001
Link: http://sikaile.net/guanlilunwen/ydhl/2106001.html