Title: Automatic Web Testing and Attack Generation
Authors: Leong, Wai-Meng (梁伟明); Huang, Shih-Kun (黄世昆)
Department: Institute of Network Engineering
Keywords: web security; symbolic execution; automatic exploit generation
Date: 2011
Abstract: In the information age, people conveniently browse and retrieve rich network resources through web pages. Under rapid development schedules, however, developers often overlook security in the development process, which lets attackers exploit that carelessness to access or destroy resources illegally. To reduce and remedy these security problems, the field of web security has proposed a variety of methods that try to prevent or locate them. This thesis takes the attacker's role and exploits web applications directly: its goal is to automatically generate the attack string and reproduce the result, achieving the same effect as a hacker's manual attack. In contrast with traditional detection and prevention methods, this confirms that a vulnerability is present and proves that an attack is feasible, because the output is a concrete attack string rather than a warning. The generation process is based on a dynamic software testing method, symbolic execution: the application is run on an input treated symbolically, the branch conditions along the path to a sensitive sink are collected as path constraints, and a constraint solver produces an input that satisfies them together with the attack condition. Finally, this automatic process is applied to several known vulnerabilities in large open-source web applications, and the corresponding attack strings are generated successfully.
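The following is an added illustration of the approach the abstract describes, not code from the thesis or its tool. It is a deliberately small concolic (concrete plus symbolic) engine in Python: a string input records every branch it is tested in, the engine explores new paths by negating recorded constraints, and the path constraint of a path that reaches an unescaped HTML sink is combined with an attack condition ("the output must contain this payload") and handed to a solver. The handler, the blocklist filter, the payload and the constraint language are all hypothetical; a real tool would use a general string solver instead of the constructive one here.

```python
"""Toy concolic attack-string generation (added illustration, not the thesis's tool)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# A path constraint is (kind, argument, expected-outcome); kind is
# "contains" or "startswith".  This tiny constraint language is an assumption.
Constraint = Tuple[str, str, bool]


@dataclass
class SymStr:
    """A concrete string that logs every branch condition it is tested in."""
    value: str
    path: List[Constraint] = field(default_factory=list)

    def contains(self, s: str) -> bool:
        r = s in self.value
        self.path.append(("contains", s, r))
        return r

    def startswith(self, s: str) -> bool:
        r = self.value.startswith(s)
        self.path.append(("startswith", s, r))
        return r


def handler(name: SymStr) -> Tuple[str, Optional[str]]:
    """Hypothetical vulnerable handler: a blocklist filter in front of an
    HTML sink that embeds the input without escaping."""
    if name.contains("<script"):          # naive blocklist
        return ("rejected", None)
    if not name.startswith("user_"):      # only some inputs reach the sink
        return ("bad-prefix", None)
    return ("sink", "<div>" + name.value + "</div>")  # tainted, unescaped


def satisfies(s: str, c: Constraint) -> bool:
    kind, arg, want = c
    actual = (arg in s) if kind == "contains" else s.startswith(arg)
    return actual == want


def solve(constraints: List[Constraint]) -> Optional[str]:
    """Constructive solver for the constraint language above: positive
    startswith fixes a prefix, positive contains appends the substring,
    and every constraint (including the negative ones) is checked at the end."""
    prefix = ""
    for kind, s, want in constraints:
        if kind == "startswith" and want:
            if prefix.startswith(s) or s.startswith(prefix):
                prefix = max(prefix, s, key=len)
            else:
                return None                # two incompatible prefixes
    body = ""
    for kind, s, want in constraints:
        if kind == "contains" and want and s not in prefix + body:
            body += s
    cand = prefix + body
    return cand if all(satisfies(cand, c) for c in constraints) else None


def explore(seed: str, max_runs: int = 20) -> List[List[Constraint]]:
    """Concolic exploration: run on a concrete input, then for each recorded
    branch solve the prefix of the path with that branch negated to obtain a
    new input.  Returns the path constraints of every run that hit the sink."""
    worklist, seen, sink_paths = [seed], set(), []
    while worklist and len(seen) < max_runs:
        inp = worklist.pop()
        if inp in seen:
            continue
        seen.add(inp)
        sym = SymStr(inp)
        status, _ = handler(sym)
        if status == "sink":
            sink_paths.append(list(sym.path))
        for i, (kind, s, want) in enumerate(sym.path):
            new = solve(sym.path[:i] + [(kind, s, not want)])
            if new is not None and new not in seen:
                worklist.append(new)
    return sink_paths


def generate_attack(seed: str, payload: str) -> Optional[str]:
    """Path constraint of a sink-reaching path + attack condition -> solver
    -> candidate; the candidate is re-executed to confirm the payload really
    arrives at the sink (this re-run is what turns a report into a proof)."""
    for path in explore(seed):
        cand = solve(path + [("contains", payload, True)])
        if cand is not None:
            status, html = handler(SymStr(cand))
            if status == "sink" and html is not None and payload in html:
                return cand
    return None


if __name__ == "__main__":
    # Constructed sample payloads; the first slips past the blocklist, the
    # second is blocked, so the solver correctly reports no attack string.
    print(generate_attack("aaaa", "<img src=x onerror=alert(1)>"))
    print(generate_attack("aaaa", "<script>alert(1)</script>"))
```

The two calls in the `__main__` block show the point of solving for an attack rather than merely reporting a sink: the first payload yields `user_<img src=x onerror=alert(1)>`, a concrete input that demonstrably reaches the unescaped sink, while the second returns `None` because the path constraint (no `<script` substring) and the attack condition cannot both hold, so no false positive is raised for the blocked pattern.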
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT079956543
http://hdl.handle.net/11536/50576
Appears in Collections: Thesis


Files in This Item:

  1. 654301.pdf
