【作者】 杜经农；

【导师】 卢炎生；

【作者基本信息】 华中科技大学 ， 计算机软件与理论， 2010， 博士

【摘要】 随着互联网和电子商务、电子政务的广泛使用,针对web应用软件的攻击快速增长,导致研究者们越来越关注web应用软件安全性的研究。与普通的应用程序相比,Web应用软件的运行特点决定了它在安全性上更为脆弱,主要是由于两个方面的原因所导致。一是由于web应用软件客户端运行环境不可信任,Web应用软件的客户端运行在浏览者的机器上,其运行环境数据容易被伪造或修改,同时黑客们很容易精心构造恶意数据进行攻击。二是由于其运行状态是开放的。http协议是无状态的,Web应用软件的开发人员需要自己记录程序运行的状态信息,并在客户端和服务器端进行保存和传输。这些信息对终端用户公开,容易被恶意更改和伪造。此外其客户端脚本的原代码对用户是可见的,容易被修改。其页面执行顺序也很容易被打乱和跳过,如果程序处理不当,将导致安全问题的发生。当前,对web应用系统的安全性研究主要集中于对web应用软件的运行环境例如服务器操作系统、数据库系统、web服务器软件的安全评估和分析,以及web系统的入侵容忍技术等等,这些研究都是立足于web应用系统整体运行的层面上进行安全性研究,缺少对web应用软件自身安全性的深入分析。而当前开展的一些有关web应用软件自身的安全性的研究,主要关注的是对部分特定的web应用软件漏洞进行分析和防范,尚未见到对web应用软件安全性测试理论和技术的全面、系统性研究。因此,研究web应用软件安全性测试的理论与技术具有重要的理论和实践意义。对web应用软件的各类安全漏洞进行研究并分类是做好安全性测试的基础,它可以帮助研究者了解web应用软件安全问题的特点,指导有效生成安全性测试用例,提出科学实用的安全性测试方法。通过研究环境错误与状态错误引发web应用软件安全漏洞的模式,提出了一种用于进行web应用软件安全漏洞分类的方法,给出了漏洞分类的层次结构,对层次结构中的各类漏洞进行了定义和分析,并提出了基于分类树的安全漏洞编码方法。使用该分类方法对来自OWASP的web应用软件安全漏洞进行了分类,并与使用EAI模型分类的结果做了对比。评估结果表明,该模型具备良好的漏洞分类能力,适用于指导web应用软件的安全测试和安全防御工作。环境错误注入是一种有效的软件安全性测试方法,该方法人为制造错误并注入到程序的运行环境中,观察程序的反馈并判断是否存在安全问题。但是,使用传统的错误注入方法进行web应用软件安全漏洞检测时,存在较大不足。因为它仅考虑环境错误对软件安全性的影响,没有考虑到另一重要方面,即内部运行状态错误对web应用软件安全性的影响。在综合考虑环境错误与状态错误对安全性影响的基础上,提出了一种适用于web安全性测试的环境与状态错误模型(EAS模型)。基于该模型提出了错误注入点判定规则库和错误构造算子,并提出了应用该模型进行安全性测试的具体方法和步骤。使用该模型对web应用软件PEGames进行了测试,有效地测试出了该软件在CVE漏洞库中已收录的所有漏洞,并发现了新的漏洞。实验表明EAS模型具有良好的漏洞揭示能力,能有效指导web应用软件安全性测试。在进行安全性测试时,需要选择合适的测试用例集,以便在时间和费用有限的情况下,尽可能充分地测试软件安全漏洞。为了量化评价测试用例集的充分性,提出了一种基于层次分析法的软件安全性测试充分性评价方法。建立了测试用例集的层次分析结构和两两比较矩阵,求出了各类测试用例的重要性权值,定义了测试效果评价函数。使用该评价方法对BBS软件IPB的实际测试效果进行了评价计算。实验表明,评价函数计算出的测试充分性评价值与实际测试中发现的漏洞个数是正相关的,说明该评价方法能正确反映测试用例集的测试效果,所提出的评价方法是实用和有效的。更多还原

【Abstract】 With the widespread use of the internet、e-commerce and e-government system, the number of attacks against web applications are growing fast, which has resulted in increasingly concerns on web application security among reaserchers. Compared with common applications, web applications are more insecure because of two facts:their trustless runtime environment and open runtime state. A web application is composed of sever part and client part. The client part runs on the explorer’s computer. Its environment is easy to be perturbed and forged by a malicious attacker. Besides the environmental perturbation, the web application’s internal state is also prone to be attacked. First, the sever part of the web application must transfer its internal state information to the client part because the http protocol is stateless. Thus a malicious user can view the internal state information and modify it. Second, the source code of the client part is open to the explorer and easy to be forged. Last, the execution of a web application is composed of many requests of web pages. A malicious attacker can change the sequence of these requests or ignore some execution steps by jump to the later part of the execution sequence. Thus cause security violations. Currently, the reaserch on web system security focus on the vulnerability of operation systems, database and web server softwares, or the technology of Intrusion Tolerance rather than the security of the web application itself. Lots of reaserches on the security of web application only focus on some special vulnerability. To the best of our knowledge, there is not a Comprehensive study on the web application security testing.The study and classification of security vulnerabilities is the important basis for reaserching the technology of web applications security testing. It can help to build an effective test model and design good test cases. This paper proposes a taxonomy model using analytic hierarchy process for classifying security flaws of web application, and defines all kinds of vulnerabilities classfied by the taxonomy model. Then apply the taxonomy model to classifying 87 security flaws from the OWASP security flaw database, and compare the classification results with that of using EAI model to classify. The result of the experiment reveals that the taxonomy model is effective.Fault injection is an effective method for security test of software. It injects Faults into the application’s environment to see how the application responds and whether there is a security violation. Environment fault injection method is easy to define common procedure to make appropriate test cases. It is suitable to security testing of web applications. However, when used to test the web application, environment fault injection method has a weakness. It only considers the perturbation from the web application’s environment, but ignores internal status disturbances which also play an important role in the security attribute of web applications. To overcome this weakness, this paper proposes a test model named EAS fault model, provides an vulnerability determine rule base, and designs Error constructor operators. Then we test a web application named PEGames using EAS model. The experiment revealed that the fault coverage of EAS model is high.When testing a web application for security purpose, testers have to select a test case set with appropriate scale because of the limit of time and money. In order to quantify the evaluation of the adequacy of the selected test set, this paper propose a test effect evaluation model based on the Analytic Hierarchy Process, and define a test effect evaluation function. An experiment was made by using the evaluation model to evaluate the vulnerability test effect of a BBS application name IPB. The experiment result revealed that the evaluation value calculated by the evaluation function is positively correlated with the number of vulnerabilities found in the real test. It proves that the evaluation method proposed by this paper is practical and reliable.更多还原