
Research on Server-Side Access Control Techniques for Web Applications

Published: 2018-07-07 19:23

Topic: automatic repair + vulnerability scanning; Source: Beijing University of Posts and Telecommunications, 2015 master's thesis


【Abstract】: With the rapid growth of Web applications, more and more people are building and using them. As vulnerabilities in these applications keep emerging, the demand for security in their access control grows ever stronger. Earlier attribute-based and policy-based access control techniques can effectively control user privileges on the server side, but each has drawbacks in security and in the complexity of the control. Another approach, aimed at the shortcomings of the W3C same-origin policy, combines the client-side ESCUDO access control technique with the server-side SCUTA technique: it assigns permissions to functions, forming a hierarchy of permission levels, and a function that must be called across permission levels is given a GATE tag covering a range of levels, meaning that every function within that range is allowed to call it. SCUTA has a fatal flaw, however: the GATE-tag method is too coarse-grained. It only manages permissions from an entire permission level to a function, which may grant call permission to unsafe functions within the same permission level. To address this problem, this thesis designs a finer-grained function-to-function permission management scheme that closes this gap. The new access control technique is implemented with Apache, MySQL and PHP: a modified PHP kernel on the server side accepts a specific Cookie sent by the client and uses the page-node and function information it carries to perform access control, and it uses MySQL's own access control features to enforce access control on the data side of the whole scheme. For any PHP project, the technique provides modules for analysing the project structure, scanning for vulnerabilities, evaluating vulnerabilities, scoring the permissions of page nodes and called functions, and repairing the permission configuration automatically or manually. The result is a technique that scores code automatically according to its vulnerabilities and configures code permissions automatically by rewriting the permission configuration file. Finally, the technique is tested on projects containing real vulnerabilities, and the experimental results and data are used to check its performance and accuracy. The experiments show that, compared with earlier server-side application access control techniques, the technique in this thesis controls permissions with better accuracy, flexibility, simplicity and speed; it is applicable to a wide range of access control monitoring, control and repair tasks, patches the security weaknesses of earlier techniques, and strengthens the controllability of permissions.
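The granularity difference the abstract describes, as an added illustration that is not part of the thesis or its modified PHP kernel: a small Python model with hypothetical function names that contrasts a GATE-style level-range check with a function-to-function allow list and lists the calls the coarse policy permits but the fine-grained one denies.

```python
"""Added model of the two call-permission policies contrasted in the abstract.
Hypothetical function names; this is not the thesis's modified PHP kernel."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Func:
    name: str
    level: int                                  # permission level the function runs at (0 = most privileged, an assumption)
    gate: Optional[Tuple[int, int]] = None      # GATE tag: inclusive level range whose functions may call this one
    callers: FrozenSet[str] = frozenset()       # fine-grained policy: explicit names of permitted callers


def gate_permits(caller: Func, callee: Func) -> bool:
    """SCUTA-style check: without a GATE tag only same-level calls pass; with one,
    every function whose level lies in the tag's range may call the callee."""
    if callee.gate is None:
        return caller.level == callee.level
    lo, hi = callee.gate
    return lo <= caller.level <= hi


def fine_permits(caller: Func, callee: Func) -> bool:
    """Function-to-function check: the caller must be named in the callee's allow list."""
    return caller.name in callee.callers


def gate_only_calls(funcs: List[Func], calls: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (caller, callee) pairs the GATE policy permits but the fine-grained
    policy denies: the over-broad grants a reviewer of the permission config would look at."""
    by_name = {f.name: f for f in funcs}
    return [(c, d) for c, d in calls
            if gate_permits(by_name[c], by_name[d]) and not fine_permits(by_name[c], by_name[d])]


# Constructed sample project: admin code at level 0, user-facing pages at level 2.
FUNCS = [
    Func("delete_user", 0, gate=(0, 2), callers=frozenset({"profile_page"})),  # GATE opened so profile_page can reach it
    Func("profile_page", 2),
    Func("upload_handler", 2),          # same level as profile_page, never meant to delete users
    Func("render_footer", 2, callers=frozenset({"profile_page", "upload_handler"})),
]
CALLS = [("profile_page", "delete_user"), ("upload_handler", "delete_user"),
         ("upload_handler", "render_footer"), ("render_footer", "delete_user")]

if __name__ == "__main__":
    for pair in gate_only_calls(FUNCS, CALLS):
        print("over-broad GATE grant:", pair)
```

Running it reports `upload_handler` and `render_footer` as callers that the GATE range on `delete_user` lets through even though neither is on its allow list.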
【Degree-granting institution】: Beijing University of Posts and Telecommunications
【Degree level】: Master
【Year awarded】: 2015
【Classification number】: TP393.09;TP273



Document number: 2106001


Document link: http://sikaile.net/guanlilunwen/ydhl/2106001.html

