
Title (translated from the Chinese): Design and Implementation of a Web Application Security Vulnerability Detection System Based on Static Code Analysis

English title as given: Design and Implementation of Web Security Vulnerabilities Detection System Based on Static Source Code Analysis

【Author】 Zhao Bo (赵博)

【Supervisor】 Niu Shaozhang (牛少彰)

【Author information】 Beijing University of Posts and Telecommunications (北京邮电大学), Information Security, 2012, Master's thesis

【Abstract (translated from the Chinese)】 Application-level security belongs to the host security tier in the layered model of information system security and, together with operating system security, forms the core of host security. With the rapid development of network technology, Web applications play an increasingly important role in the business management and decision making of organisations and enterprises, and application-level security occupies an increasingly prominent place in their information system security. This project addresses the analysis and detection of application-level security problems. Its aim is an automated application security analysis tool that is easy to use, highly reusable and fast, that breaks the dominance of foreign products in the field of application security testing, fits the needs of the domestic market better, and gives code-security guidance to stakeholders in every role and at every stage of the software development life cycle. The thesis starts from the security problems of commonly used Web application technologies, summarises the common Web application security risks, and lists some countermeasures that are comparatively easy to implement. On that basis it designs a Web application security vulnerability detection system based on static code analysis: the system database is implemented; decompilation, task scheduling and JSP page parsing are coded; a Web Service interface is written; the security rules are refined; the system database, user interface and detection module are integrated; and detection of security vulnerabilities in JSP applications is achieved. The detection system uses static code analysis and can take either source code or a Web application itself directly as its target. Against several hundred security rules it analyses the application end to end, from front-end pages to back-end processing logic, and presents the results in a configurable report. Architecturally the system improves on common code analysis tools: it is built on the J2EE framework with multi-user, multi-task management, which strengthens unified management of detection data and also reduces configuration complexity. A backdoor detection function is added and the security rules are more complete. Decompilation is integrated so that the system can be run directly against compiled applications, widening the range of targets that can be examined. Performance testing shows the system meets its design targets: given a server that satisfies the hardware requirements, detection tasks complete in a short time without the server hanging or the system exiting with errors, and the false positive rate of the detection results is below 10%.

【Abstract (author's English)】 Application-level security belongs to the host security level in the information system security architecture and, together with operating system security, constitutes the core of host security. With the rapid development of network technology, Web applications play increasingly important roles in enterprise business management and business decision-making, and the position of application-level security in the information systems security of enterprises and organisations has become more prominent. Aiming at application-level security analysis, the project is to achieve an easy-to-use, highly reusable, high-performance automated application security analysis tool that can break the situation in which the area is occupied mainly by foreign products and thus adapt well to domestic market demand. Stakeholders throughout the whole software development life cycle can obtain code-level security guidance from which they benefit. This thesis starts by studying the security problems of commonly used Web application technologies, then sums up the common Web application security risks and lists some of the easier-to-implement risk prevention measures. Building on the study of Web application security issues, it designs a Web application security vulnerability detection system based on static code analysis. The author took on part of the system development and the whole of the project management, including designing and implementing the system database; coding the decompilation, task scheduling and JSP page analysis; writing a Web Service interface; improving the security rules; completing the integration of the system database, user interface and detection module; and achieving detection of JSP application security vulnerabilities.
The detection system uses static code analysis and can examine not only source code but also Web applications themselves. According to hundreds of security rules it performs a comprehensive security analysis, and a configurable report displays the results. The system architecture improves on commonly used code analysis tools: using the J2EE framework with multi-user, multi-task management, support for unified management of the related data is enhanced while the complexity of system configuration is reduced. With the addition of backdoor detection, the security rules become more complete. Decompilation is integrated to expand the scope of detection targets. According to the system performance testing, performance meets the design requirements: as long as the server hardware configuration satisfies the requirements, a detection task executes successfully in a short time, the server does not hang, the system does not exit with errors, and the false positive rate of the detection results is less than 10%.
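The abstract describes the detection core only at the architectural level: a base of several hundred security rules applied statically to JSP pages, from the front-end page through to the processing logic, with the false positive rate as the headline quality figure. The following Python is an added illustration of that style of rule-based static detection; it is not the thesis's code (the thesis's system is written on J2EE). It applies three constructed rules (reflected XSS, SQL injection, and a command-execution backdoor pattern of the kind a JSP webshell uses) to a constructed JSP page, and tracks which scriptlet variables carry request data so that a sanitised value or a parameterised query is not reported. The rule IDs, the sanitizer names it recognises and the sample page are all assumptions made for this example.

```python
"""Rule-based static scan of a JSP page (added illustration; not the thesis's code).

Rule IDs, the recognised sanitizers and SAMPLE_JSP are constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sources: servlet API calls that return attacker-controlled data.
SOURCE_RE = re.compile(
    r"request\.(?:getParameter|getParameterValues|getHeader|getQueryString)\s*\(")

# Sanitizers assumed (for this example) to neutralise a value before it reaches a sink.
SANITIZER_RE = re.compile(r"\b(?:escapeHtml4?|encodeForHTML|Integer\.parseInt)\s*\(")

# Scriptlet assignment: "[Type] name = expr;" with a single "=", not "==".
ASSIGN_RE = re.compile(
    r"^\s*(?:[A-Za-z_][\w<>\[\]]*\s+)?([A-Za-z_]\w*)\s*=(?!=)\s*(.+?);\s*$")


@dataclass(frozen=True)
class Rule:
    rule_id: str
    title: str
    sink: re.Pattern  # matches the dangerous sink on a line


# Constructed rule base: three of the "hundreds" of rules such a system carries.
RULES = (
    Rule("XSS-001", "Reflected XSS: request data written into the response",
         re.compile(r"<%=|\bout\.print(?:ln)?\s*\(")),
    Rule("SQLI-001", "SQL injection: request data concatenated into a query",
         re.compile(r"\.(?:executeQuery|executeUpdate|execute|prepareStatement)\s*\(")),
    Rule("BACKDOOR-001", "Backdoor: request data passed to a system command",
         re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\(|\bnew\s+ProcessBuilder\s*\(")),
)


@dataclass(frozen=True)
class Finding:
    rule_id: str
    title: str
    line_no: int
    line: str


def _mentions(names: set[str], text: str) -> bool:
    """True if any tracked variable name appears in text as a whole word."""
    return any(re.search(rf"\b{re.escape(n)}\b", text) for n in names)


def scan_jsp(source: str) -> list[Finding]:
    """Scan one JSP page line by line, tracking which scriptlet variables hold
    request data, and report every line where such data reaches a rule's sink."""
    tainted: set[str] = set()
    findings: list[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        m = ASSIGN_RE.match(line)
        if m:
            name, rhs = m.group(1), m.group(2)
            if SANITIZER_RE.search(rhs):
                tainted.discard(name)          # value was neutralised
            elif SOURCE_RE.search(rhs) or _mentions(tainted, rhs):
                tainted.add(name)              # request data flows into name
            else:
                tainted.discard(name)          # overwritten with clean data
        if not (SOURCE_RE.search(line) or _mentions(tainted, line)):
            continue                           # nothing untrusted on this line
        for rule in RULES:
            if rule.sink.search(line):
                findings.append(Finding(rule.rule_id, rule.title, line_no, line.strip()))
    return findings


# Constructed sample page: one sanitised output, one parameterised query,
# one string-concatenated query, one webshell-style exec, one raw output.
SAMPLE_JSP = """\
<%@ page import="java.sql.*" %>
<%
    String name = request.getParameter("name");
    String safe = org.apache.commons.lang3.StringEscapeUtils.escapeHtml4(name);
    int id = Integer.parseInt(request.getParameter("id"));
    Statement stmt = conn.createStatement();
    ResultSet rs = stmt.executeQuery("SELECT * FROM users WHERE name = '" + name + "'");
    PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE id = ?");
    ps.setInt(1, id);
    if (request.getParameter("cmd") != null) {
        Runtime.getRuntime().exec(request.getParameter("cmd"));
    }
%>
<p>Hello <%= safe %></p>
<p>Raw: <%= name %></p>
"""

if __name__ == "__main__":
    for f in scan_jsp(SAMPLE_JSP):
        print(f"{f.rule_id} line {f.line_no}: {f.title}\n    {f.line}")
```

Run against the sample page this reports SQLI-001 on the concatenated query, BACKDOOR-001 on the exec call and XSS-001 on the raw output, and stays silent on the escaped output and the parameterised query. Two limitations are exactly the places where a system like the thesis's earns its sub-10% false positive rate: the sanitizer check is sink-agnostic (an HTML escaper does nothing against SQL injection), and a tainted variable name that appears inside a string literal counts as a mention, so a real scanner tokenises the page and resolves flows across the JSP and its decompiled classes rather than matching lines.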
