一个安全性分析框架的Web应用程序
摘要:软件系统与外部环境,关于这些环境通常有特殊的假设。未检查或不当检查的假设能影响系统的安全性和可靠性的系统。一个产生这样问题的主要的类是对用户输入的不当验证。在本文中,我们本设计的静态分析框架,以解决这些意见中的有关问题方面的Web应用程序。 尤其是,我们研究如何防止SQL命令的类注入攻击。在我们的框架内,我们使用一个抽象的模型源程序考虑用户的输入以动态构造SQL查询。特别是,我们保守近似集的SQL查询一个程序可能会产生一个有限状态自动机。我们的框架,然后检查适用于一些新颖的算法这个自动显示或核实没有安全违反原来的应用程序。工作中进展建立原型的分析。
An Analysis Framework for Security in Web Applications
Abstract: Software systems interact with outside environments (e.g.,by taking inputs from a user) and usually have particular assumptions about these environments. Unchecked or improperly checked assumptions can a_ect security and reliability of the systems. A major class of such problems is the improper validation of user inputs. In this paper, we present the design of a static analysis framework to address these input related problems in the context of web applications. In particular, we study how to prevent the class of SQL command injection attacks. In our framework, we use an abstract model of a source program that takes user inputs and dynamically constructs SQL queries. In particular, we conservatively approximate the set of SQL queries that a program may generate as a _nite state automaton. Our framework then applies some novel checking algorithms on this automaton to indicate or verify the absence of security violations in the original application program. Work is in progress to build a prototype of our analysis. [资料来源:https://www.doc163.com]
7000字
[资料来源:http://www.doc163.com]