Research on Server-Side Access Control Techniques for Web Applications
Published: 2018-07-07 19:23
Topic: automatic repair + vulnerability scanning; Reference: Beijing University of Posts and Telecommunications (北京邮电大学), master's thesis, 2015
[Abstract]: With the rapid growth of Web applications, more and more people work with them, but as vulnerabilities in these applications keep appearing, the demand for secure access control grows ever stronger. Earlier attribute-based and policy-based access control techniques can effectively control user permissions on the server, but they have drawbacks in both security and the complexity of control. Another approach, aimed at the shortcomings of the W3C same-origin policy, combines the client-side ESCUDO access control technique with the server-side SCUTA technique: each function is assigned a privilege level, forming a hierarchy of privilege levels, and a function that must be called across levels is given a GATE tag covering a range of privilege levels, meaning that every function within that range may call it. SCUTA has a fatal flaw, however: the GATE tag mechanism is too coarse-grained. It only manages permissions from a whole privilege level to a function, which can grant call permission to unsafe functions within the same privilege level. To address this problem, this thesis designs a finer-grained function-to-function permission management scheme that closes this gap. The new access control technique is implemented with Apache, MySQL and PHP: a modified PHP kernel on the server accepts a specific Cookie sent by the client and uses the page-node and function information it carries to perform access control, while MySQL's own access control features enforce the data-side part of the overall scheme.
For any PHP project, the technique provides modules for analysing the project structure, scanning for vulnerabilities, assessing them, scoring the permissions of page nodes and called functions, and repairing the permission configuration automatically or manually. The result is a technique that automatically assesses and scores code according to its vulnerabilities and configures code permissions automatically by rewriting the permission configuration file. Finally, the technique was tested on projects containing real vulnerabilities, and the experimental results and data were used to check its performance and accuracy. The experiments show that, compared with previous server-side access control techniques, the technique in this thesis controls permissions with better accuracy, flexibility, simplicity and speed, can be applied to all kinds of access control monitoring, control and repair tasks, closes the security gaps of earlier techniques, and strengthens control over permissions.
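The granularity problem the abstract describes, modelled as an added example (not code from the thesis): a SCUTA-style GATE tag admits every caller whose privilege level falls within the tag's range, whereas a function-to-function grant names the permitted callers explicitly, and `over_grants` lists the calls the coarse rule lets through that the fine rule would deny. The call graph, function names and level numbers are constructed for illustration, and the GATE semantics are a simplification of the abstract's description.

```python
"""Policy model: level-range GATE tags versus function-to-function grants."""
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Func:
    name: str
    level: int                            # privilege level the function belongs to
    gate: tuple[int, int] | None = None   # GATE tag: inclusive range of levels allowed to call
    callers: frozenset = frozenset()      # fine-grained: functions explicitly allowed to call

def gate_allows(caller: Func, callee: Func) -> bool:
    """Coarse rule (simplified from the abstract): a GATE tag admits every
    function whose privilege level lies within the tag's range."""
    if callee.gate is None:
        return False
    lo, hi = callee.gate
    return lo <= caller.level <= hi

def fine_allows(caller: Func, callee: Func) -> bool:
    """Fine rule: only the explicitly named caller functions may call the callee."""
    return caller.name in callee.callers

def over_grants(funcs: list[Func]) -> list[tuple[str, str]]:
    """Caller/callee pairs the GATE tag permits but the explicit grants do not.
    Each pair is a call permission the level-based scheme introduces silently."""
    return sorted((c.name, t.name) for c in funcs for t in funcs
                  if c is not t and gate_allows(c, t) and not fine_allows(c, t))

# Constructed call graph: level 1 is the most privileged. delete_user is opened via a
# GATE tag to level 2 so that edit_profile can reach it; upload_avatar sits in the
# same level but handles untrusted input and is not meant to call it.
FUNCS = [
    Func("delete_user", 1, gate=(1, 2), callers=frozenset({"admin_panel", "edit_profile"})),
    Func("admin_panel", 1),
    Func("edit_profile", 2),
    Func("upload_avatar", 2),
    Func("view_page", 3),
]

def main() -> None:
    by_name = {f.name: f for f in FUNCS}
    target = by_name["delete_user"]
    for name in ("edit_profile", "upload_avatar", "view_page"):
        c = by_name[name]
        print(f"{name} -> delete_user: gate={gate_allows(c, target)} fine={fine_allows(c, target)}")
    print("calls granted only by the GATE tag:", over_grants(FUNCS))

if __name__ == "__main__":
    main()
```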
[Degree-granting institution]: Beijing University of Posts and Telecommunications (北京邮电大学)
[Degree level]: Master's
[Year awarded]: 2015
[Classification number]: TP393.09; TP273
Article number: 2106001
Link: https://www.wllwen.com/guanlilunwen/ydhl/2106001.html