Design and Implementation of a Web Application Security Vulnerability Detection System Based on Static Code Analysis
Abstract
Application-level security belongs to the host security tier in the layered model of information system security; together with operating system security, it forms the core of host security. With the rapid development of network technology, Web applications play an increasingly important role in the business management and commercial decision-making of organizations and enterprises, and application-level security has accordingly become more prominent within their information system security. This project addresses the analysis and detection of application-level security problems. Its goal is an automated application security analysis tool that is easy to use, highly reusable and high-performance, that breaks the dominance of foreign products in the application security testing field and better fits domestic market demand, and that gives code security guidance to stakeholders in every role across the software development life cycle so that all of them benefit.
This thesis begins by studying the security problems of commonly used Web application technologies, summarises the common Web application security risks, and lists some risk-mitigation measures that are comparatively easy to implement. On that basis it designs a Web application security vulnerability detection system based on static code analysis. The work covered implementing the system database; coding the decompilation, task scheduling and JSP page parsing functions; writing the Web Service interface; refining the security rules; integrating the system database, user interface and detection module; and realising detection of security vulnerabilities in JSP applications. The detection system uses static code analysis and, besides source code, can take a deployed Web application directly as the detection target. Using several hundred defined security rules, it performs a complete security analysis from the front-end pages to the back-end processing logic and presents the results in configurable reports.
Architecturally the system improves on common code analysis tools: it uses the J2EE framework and a multi-user, multi-task management model, which strengthens unified management of the detection data while reducing the complexity of system configuration. A backdoor detection function was added and the security rules were made more complete. Decompilation is integrated, so applications can be analysed directly, widening the range of detection targets. In system performance tests the system met the performance targets set in the design: on servers meeting the specified hardware configuration, detection tasks finished in a short time without the server hanging or the system exiting with errors, and the false positive rate of the detection results was below 10%.
English abstract
Application-level security belongs to the host security level of the information system security architecture and, together with operating system security, constitutes the core of host security. With the rapid development of network technology, Web applications play increasingly important roles in enterprise business management and business decision-making, and the position of application-level security in the information system security of enterprises and organizations has become more prominent. Aimed at application-level security analysis, this project sets out to build an easy-to-use, highly reusable and high-performance automated application security analysis tool, breaking the situation in which the field is occupied mainly by foreign products and adapting well to domestic market demand. Stakeholders throughout the whole software development life cycle receive code-level security guidance from which they can benefit.
This paper starts by studying the security problems of commonly used Web application technologies, then sums up the common Web application security risks and lists some of the easier-to-implement risk prevention measures. Building on that study, it designs a Web application security vulnerability detection system based on static code analysis. The author undertook part of the system development and the whole of the project management, including designing and implementing the system database; coding the decompilation, task scheduling and JSP page analysis functions; writing a Web Service interface; improving the security rules; integrating the system database, user interface and detection module; and achieving detection of JSP application security vulnerabilities. The detection system uses static code analysis and can analyse not only source code but also deployed Web applications; according to hundreds of security rules it performs a comprehensive security analysis, and a configurable report displays the results.
The system architecture improves on commonly used code analysis tools. Using the J2EE framework and multi-user, multi-task management, it strengthens unified management of the related data and also reduces the complexity of system configuration. With the addition of backdoor detection, the security rules become more complete. The decompilation function is integrated to expand the scope of detection targets. According to the system performance tests, system performance meets the design requirements: as long as the server hardware configuration satisfies the requirements, a detection task is executed successfully in a short time, server hangs and system error exits do not occur, and the false positive rate of the detection results is less than 10%.
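As an added illustration of what rule-based static analysis over JSP pages means in practice (this is example code written for this page, not the thesis system's code), the scanner below parses JSP expression tags and one-line scriptlets, tracks String variables assigned from request.getParameter, and applies three rules: tainted data reaching a JDBC execute call, tainted data passed to out.print without escaping, and a tainted <%= %> expression without an escaping wrapper. The sample page and the sanitizer names escapeHtml/encodeForHTML are constructed assumptions; the escaped output on line 6 is there to show a rule that does not fire, the kind of case that keeps the false positive rate down.

```python
import re
from collections import namedtuple

# Constructed JSP sample (not from the thesis): one SQL sink, two XSS sinks,
# and one escaped output on line 6 that the rules must NOT flag.
SAMPLE_JSP = """<%@ page import="java.sql.*" %>
<% String name = request.getParameter("name"); %>
<% String q = "SELECT * FROM users WHERE name = '" + name + "'"; %>
<% ResultSet rs = conn.createStatement().executeQuery(q); %>
<p>Hello, <%= name %></p>
<p>Safe: <%= escapeHtml(name) %></p>
<% out.println("id=" + request.getParameter("id")); %>
"""

Finding = namedtuple("Finding", "rule line code")

TAINT_SRC = re.compile(r'request\.getParameter\(')      # untrusted input source
ASSIGN = re.compile(r'String\s+(\w+)\s*=\s*(.+?);')       # String var = expr;
EXPR = re.compile(r'<%=\s*(.+?)\s*%>')                    # JSP expression tag
SCRIPTLET = re.compile(r'<%(?![=@])(.+?)%>')              # scriptlet, not <%= or <%@
OUT_PRINT = re.compile(r'out\.print(?:ln)?\((.+)\)')      # direct write to the response
SQL_SINK = re.compile(r'\.(?:executeQuery|executeUpdate|execute)\(')
ESCAPERS = ("escapeHtml(", "encodeForHTML(")  # assumed sanitizer names for this demo

def is_tainted(expr, tainted):
    """True if expr reads a request parameter or references a tainted variable."""
    return bool(TAINT_SRC.search(expr)) or any(re.search(rf"\b{v}\b", expr) for v in tainted)

def is_escaped(expr):
    return any(e in expr for e in ESCAPERS)

def scan_jsp(src):
    """Apply three security rules to a JSP page (scriptlets must fit on one line)."""
    tainted, findings = set(), []
    for lineno, line in enumerate(src.splitlines(), 1):
        for body in SCRIPTLET.findall(line):
            for var, rhs in ASSIGN.findall(body):   # propagate taint through assignments
                if is_tainted(rhs, tainted):
                    tainted.add(var)
            if SQL_SINK.search(body) and is_tainted(body, tainted):   # rule 1
                findings.append(Finding("SQL_INJECTION", lineno, body.strip()))
            m = OUT_PRINT.search(body)                                # rule 2
            if m and is_tainted(m.group(1), tainted) and not is_escaped(m.group(1)):
                findings.append(Finding("XSS_OUT_PRINT", lineno, body.strip()))
        for expr in EXPR.findall(line):                               # rule 3
            if is_tainted(expr, tainted) and not is_escaped(expr):
                findings.append(Finding("XSS_EXPRESSION", lineno, expr))
    return findings
```

Running scan_jsp(SAMPLE_JSP) reports findings on lines 4, 5 and 7 only; a real engine would add inter-procedural taint tracking and a much larger rule set, which is what the thesis's "hundreds of rules" refers to.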