
Design and Development of an Automated Defect Analysis Tool for PHP Programs

Published: 2018-11-22 12:31
[Abstract]: The Internet era has driven the development of Web applications, yet the security problems they face are growing more serious, and program defects and vulnerabilities have become one of the main root causes of those problems. PHP is a powerful and efficient dynamic scripting language that is widely used on the server side, so research into security defect analysis for PHP programs is of great practical significance. This thesis uses static source code analysis and, following the approach of data-flow analysis, studies and extends taint propagation analysis, focusing on vulnerability models, parse trees, control flow graphs, alias analysis, value analysis and taint analysis. The result is a practical analysis tool, Paz, which can detect cross-site scripting vulnerabilities and SQL injection vulnerabilities in PHP source code. The main idea of the taint propagation analysis is as follows. First, the PHP source code is converted into a parse tree and then into a control flow graph, which serves as the intermediate representation describing each program point and the flow of code execution. Second, a lattice is defined for the taint analysis to describe the taint value of each variable at each program point, and transfer functions are introduced to express how taint values change after each kind of statement executes. Third, for cross-site scripting and SQL injection, the thesis defines the entry-point functions through which tainted data enters the program and the exit-point functions that trigger the vulnerability. In addition, the sanitizing capability of built-in functions is defined. Finally, all entry-point variables are conservatively defined as tainted, and the taint value of the variables at each potential vulnerability point is computed from the execution flow of the control flow graph and the taint value changes given by the transfer functions. If the taint value is tainted, that line of code may produce a vulnerability; if the taint value is untainted, that line of code will not produce a vulnerability. The thesis solves, in a novel way, several problems present in existing analysis techniques and tools in China and abroad, and effectively reduces the false negative rate and the false positive rate of the analysis. 1) It studies interprocedural alias analysis in depth and applies the alias information collected by alias analysis to value analysis and taint analysis, which greatly reduces the false negative rate and also reduces the false positive rate to some extent. 2) Value analysis largely solves the file inclusion problem, in particular the case where the included file name is a variable, so that the whole control flow graph becomes nearly complete and the accuracy of the analysis improves significantly. 3) Multidimensional arrays are analyzed in detail in both value analysis and taint analysis, in particular the case where the array index is a variable, which effectively reduces the false positive rate of the analysis.
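The lattice, transfer-function and conservative-merge steps described in the abstract can be illustrated with a small forward data-flow analysis. This is an added example, not code from the thesis or from Paz; the source, sanitizer and sink sets, the tuple encoding of statements and the PHP fragment in the comments are all constructed assumptions.

```python
# Added example: forward taint propagation over a hand-built control flow graph.
# Lattice: untainted (False) < tainted (True); join at merge points is logical OR.
SOURCES = {"$_GET", "$_POST", "$_COOKIE"}      # entry points (assumed set)
SANITIZERS = {"intval", "htmlspecialchars"}    # sanitizing built-ins (assumed set;
                                               # simplification: not sink-specific)
SINKS = {"mysql_query", "echo"}                # SQL injection / XSS exit points

# Constructed CFG for the PHP fragment:
#   1: $a = $_GET['id'];
#   2: if (...) { 3: $b = intval($a); } else { 4: $b = $a; }
#   5: mysql_query($b);
#   6: $c = htmlspecialchars($a);
#   7: echo $c;
CFG = {
    1: (("assign", "$a", "$_GET"), [2]),
    2: (("branch",), [3, 4]),
    3: (("call", "$b", "intval", "$a"), [5]),
    4: (("assign", "$b", "$a"), [5]),
    5: (("sink", "mysql_query", "$b"), [6]),
    6: (("call", "$c", "htmlspecialchars", "$a"), [7]),
    7: (("sink", "echo", "$c"), []),
}

def is_tainted(name, env):
    return name in SOURCES or env.get(name, False)

def transfer(stmt, env):
    """Transfer function: taint environment after executing one statement."""
    env = dict(env)
    if stmt[0] == "assign":
        env[stmt[1]] = is_tainted(stmt[2], env)
    elif stmt[0] == "call":
        env[stmt[1]] = stmt[2] not in SANITIZERS and is_tainted(stmt[3], env)
    return env

def join(a, b):
    return {k: a.get(k, False) or b.get(k, False) for k in a.keys() | b.keys()}

def analyze(cfg):
    """Worklist fixpoint, then report every sink whose argument is tainted."""
    env_in = {n: {} for n in cfg}
    work = list(cfg)
    while work:
        n = work.pop(0)
        out = transfer(cfg[n][0], env_in[n])
        for succ in cfg[n][1]:
            merged = join(env_in[succ], out)
            if merged != env_in[succ]:
                env_in[succ] = merged
                work.append(succ)
    return [(n, s[1], s[2]) for n, (s, _) in sorted(cfg.items())
            if s[0] == "sink" and s[1] in SINKS and is_tainted(s[2], env_in[n])]
```

Only node 5 is reported: `$b` is sanitized on one branch but not the other, so the join at the merge point keeps it tainted, while `$c` reaches `echo` untainted.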
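[Degree-granting institution]: University of Electronic Science and Technology of China
[Degree level]: Master's
[Year degree conferred]: 2014
[Classification number]: TP393.08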
