Design and Development of an Automated Defect Analysis Tool for PHP Programs
Published: 2018-11-22 12:31
[Abstract]: The Internet era has driven the growth of Web applications, but the security problems these applications face are becoming more and more serious, and program defects and vulnerabilities have become one of the main root causes. PHP is a powerful and efficient dynamic scripting language that is widely used on the server side, so research on security defect analysis techniques for PHP programs is of great practical significance. This thesis uses static source-code analysis and, following the approach of data-flow analysis, studies and extends taint propagation analysis, focusing on the vulnerability model, parse tree, control flow graph, alias analysis, value analysis and taint analysis. The result is a practical analysis tool, Paz, which detects cross-site scripting (XSS) and SQL injection vulnerabilities in PHP source code. The main idea of the taint propagation analysis is as follows. First, the PHP source code is converted into a parse tree and then into a control flow graph (CFG), which serves as the intermediate representation describing every program point and the flow of execution. Second, a lattice is defined for the taint analysis to describe the taint value of each variable at each program point, and transfer functions are introduced to express how taint values change after each kind of statement is executed. Third, for XSS and SQL injection, the entry-point functions through which tainted data enters the program and the exit-point functions that trigger the vulnerability are defined. In addition, the sanitization capability of built-in functions is defined. Finally, all entry-point variables are conservatively marked as tainted, and the taint value of each variable at the point where a vulnerability can occur is computed from the execution flow of the CFG and the taint changes described by the transfer functions. If the taint value is tainted, that line of code may produce a vulnerability; if it is untainted, that line cannot.
This thesis innovatively solves several problems found in existing analysis techniques and tools at home and abroad, effectively reducing both the false negative rate and the false positive rate of the analysis. 1) Interprocedural alias analysis is studied in depth, and the alias information it collects is applied to value analysis and taint analysis, which greatly reduces the false negative rate and, to a certain extent, the false positive rate. 2) Value analysis essentially solves the file inclusion problem, in particular the case where the included file name is a variable, so that the whole control flow graph becomes nearly complete and the accuracy of the analysis improves significantly. 3) Multidimensional arrays are analysed in detail in both value analysis and taint analysis, in particular the case where an array index is a variable, which effectively reduces the false positive rate.
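As an added example (not the thesis's Paz tool, whose internals the abstract does not describe), the core of the taint propagation described above in Python: a taint lattice, transfer functions for assignments, sanitizing calls and sinks, and a worklist fixpoint over a small control flow graph. The source, sink and sanitizer tables and the sample program are assumptions constructed for the example; the lattice generalizes the abstract's tainted/untainted pair to a per-vulnerability-kind set, so that a sanitizer for XSS does not clear SQL injection taint.

```python
# Lattice: taint = set of vuln kinds a value can still trigger; frozenset() = clean; join = union.
TAINTED = frozenset({"xss", "sqli"})            # conservative value for entry points
SOURCES = {"$_GET", "$_POST", "$_COOKIE"}       # entry-point superglobals (assumed)
SINKS = {"echo": "xss", "mysql_query": "sqli"}  # exit-point functions (assumed)
SANITIZERS = {"htmlspecialchars": {"xss"}, "mysql_real_escape_string": {"sqli"}}

def taint_of(env, op):  # superglobal -> tainted, literal -> clean, variable -> env
    return (TAINTED if op in SOURCES else
            env.get(op, frozenset()) if op.startswith("$") else frozenset())

def run_block(env, stmts, found, label):
    # ("assign", dst, ops): join operands' taint; ("call", dst, fn, ops): also
    # strip the kinds fn sanitizes; ("sink", fn, var): hit if var carries fn's kind
    env = dict(env)
    for stmt in stmts:
        if stmt[0] == "sink":
            if SINKS[stmt[1]] in taint_of(env, stmt[2]):
                found.add((label, stmt[1], stmt[2], SINKS[stmt[1]]))
        else:
            fn, ops = (None, stmt[2]) if stmt[0] == "assign" else stmt[2:]
            val = frozenset().union(*(taint_of(env, o) for o in ops))
            env[stmt[1]] = val - frozenset(SANITIZERS.get(fn, ()))
    return env

def analyze(cfg, entry):
    # Forward worklist fixpoint over cfg = {block: (stmts, successors)}; taint only
    # grows, so a sink hit seen in any iteration also holds at the fixpoint.
    inn, out, found = {entry: {}}, {}, set()
    work = [entry]
    while work:
        b = work.pop(0)
        out[b] = run_block(inn[b], cfg[b][0], found, b)
        for s in cfg[b][1]:                  # join out-state into each successor
            joined = dict(inn.get(s, {}))
            for v, t in out[b].items():
                joined[v] = joined.get(v, frozenset()) | t
            if joined != inn.get(s):         # changed (or first reached): revisit
                inn[s] = joined
                work.append(s)
    return out, sorted(found)

# Constructed sample: one branch escapes $id for SQL, the other does not, so
# after the join $safe is still tainted for sqli; $name is sanitized for xss.
PROGRAM = {
    "B0": ([("assign", "$id", ["$_GET"])], ["B1", "B2"]),
    "B1": ([("call", "$safe", "mysql_real_escape_string", ["$id"])], ["B3"]),
    "B2": ([("assign", "$safe", ["$id"])], ["B3"]),
    "B3": ([("assign", "$q", ["'SELECT * FROM t WHERE id='", "$safe"]),
            ("sink", "mysql_query", "$q"),                    # sqli: reported
            ("call", "$name", "htmlspecialchars", ["$_GET"]),
            ("sink", "echo", "$name"), ("sink", "echo", "$id")], []),  # $id only
}
```

`analyze(PROGRAM, "B0")` reports the SQL injection at `mysql_query` and the XSS at `echo $id`, but not `echo $name`, because the lattice records that `htmlspecialchars` cleared the xss kind while leaving sqli intact.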
[Degree-granting institution]: University of Electronic Science and Technology of China
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08
Article number: 2349382
Article link: http://sikaile.net/guanlilunwen/ydhl/2349382.html