A Framework for Dynamic Web Application Code Analysis
Master's thesis, National Taiwan University, Graduate Institute of Information Management, academic year 104 (2016)

Field | Value
---|---
Title (Chinese) | 為分析動態網頁應用程式設計之框架
Author | Hung-Wei Hsu (許宏瑋)
Advisor | Yih-Kuen Tsay (蔡益坤)
Format | Thesis (學位論文), 65 pages
Language | en_US
Published | 2016
Record | ndltd-TW-104NTU05396018 (NDLTD, oai_dc)
Online Access | http://ndltd.ncl.edu.tw/handle/75147256208170223862

Abstract

Because of its importance, Web application security has been researched for over twenty years. Code analysis is one approach to improving Web application security, and among code analysis methods one area with much room for improvement is the technique for composing known analysis results of code segments into an informative analysis summary for a larger code segment. In this thesis we refer to this concern as the analysis modularity issue. Analysis modularity matters when one wants the outputs of one's analysis routines to be reusable, or wants to build a smarter code analyzer with better performance. Since most code analysis approaches targeting Web application security do not address the analysis modularity issue, we investigate how to redesign such approaches to improve their level of analysis modularity. We aim at a framework that makes these investigations systematic and their outcomes sustainable and extensible; to meet this goal, the framework itself must also be generic and extensible.

In this thesis we propose the design of a multi-language, hybrid-approach framework that can organize implementations of both static and dynamic analysis techniques and supports analyses that span different dynamic languages. We believe it fulfills our requirements, and we have implemented a prototype that demonstrates some advantages of the design. Taking the latest summary-based security taint analysis approach for PHP Web applications as an example, we show that after being incorporated into our framework and properly adapted, the approach offers better precision and analysis modularity in handling the unknown call site problem. Our framework also makes it easier to implement other kinds of analyses and experiment with them to find ways to improve analysis modularity and performance.
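The two technical ideas in the abstract, composing per-segment analysis results into a summary for a larger segment and coping with a call site whose callee is not known statically, can be made concrete with a small worked example. The Python below is an added illustration written for this page; it is not the thesis's framework, its prototype, or the PHP taint analysis the thesis adapts. It analyses a constructed, hypothetical PHP program written down as a hand-made IR (the function names wrap, esc, store and handle, the statement forms, and the call-site ids c1 to c3 are all assumptions of this example), summarises each function once in terms of symbolic labels, composes callee summaries at known call sites, records a placeholder label at the unknown call site, and later resolves that placeholder, as a runtime-observed call target in a hybrid static/dynamic setting would allow, without re-analysing the caller.

```python
"""Toy summary-based taint analysis over a tiny PHP-like IR (added illustration, not thesis code).
Labels: ("p", i) = data derived from parameter i; ("u", site, args) = result of the call at
`site`, whose callee was unknown when the summary was built, on arguments labelled `args`."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

Labels = FrozenSet[tuple]

def subst(labels: Labels, actuals: List[Labels]) -> Labels:
    """Rewrite callee-relative labels into the caller's label space."""
    out: set = set()
    for lab in labels:
        if lab[0] == "p":                    # parameter -> whatever the caller passed
            if lab[1] < len(actuals):        # a missing argument is treated as clean
                out |= actuals[lab[1]]
        else:                                # unknown site: keep it, rewrite its args
            out.add(("u", lab[1], tuple(subst(a, actuals) for a in lab[2])))
    return frozenset(out)

@dataclass
class Summary:
    ret: Labels = frozenset()                               # what flows to the return value
    sinks: Dict[str, Labels] = field(default_factory=dict)  # sink key -> what reaches it

def _add(sinks: Dict[str, Labels], key: str, labs: Labels) -> None:
    sinks[key] = sinks.get(key, frozenset()) | labs

def summarise(fn: dict, summaries: Dict[str, Summary]) -> Summary:
    """Analyse one function body in isolation, using only its callees' summaries."""
    env = {p: frozenset({("p", i)}) for i, p in enumerate(fn["params"])}
    get = lambda v: env.get(v, frozenset())  # literals / undefined variables are clean
    summ = Summary()
    for stmt in fn["body"]:
        op = stmt[0]
        if op == "assign":                   # ("assign", dst, src): $dst = $src
            env[stmt[1]] = get(stmt[2])
        elif op == "sanitize":               # ("sanitize", dst, src): $dst = intval($src)
            env[stmt[1]] = frozenset()
        elif op == "sink":                   # ("sink", site, var): e.g. mysql_query($var)
            _add(summ.sinks, stmt[1], get(stmt[2]))
        elif op == "call":                   # ("call", dst, site, callee or None, args)
            _, dst, site, callee, args = stmt
            actuals = [get(a) for a in args]
            if callee in summaries:          # known callee: compose its summary
                env[dst] = subst(summaries[callee].ret, actuals)
                for s, labs in summaries[callee].sinks.items():
                    _add(summ.sinks, f"{site}>{s}", subst(labs, actuals))
            else:                            # unknown call site: record a placeholder
                env[dst] = frozenset({("u", site, tuple(actuals))})
        elif op == "return":
            summ.ret |= get(stmt[1])
    return summ

def analyse(program: Dict[str, dict]) -> Dict[str, Summary]:
    """Summarise each function once, callees before callers."""
    summaries: Dict[str, Summary] = {}
    for name, fn in program.items():
        summaries[name] = summarise(fn, summaries)
    return summaries

def resolve(summ: Summary, site: str, callee: Summary) -> Summary:
    """Plug a now-known callee into every ("u", site, ...) label; the caller is not re-analysed."""
    sinks: Dict[str, Labels] = {}
    def fix(labels: Labels) -> Labels:
        out: set = set()
        for lab in labels:
            if lab[0] != "u":
                out.add(lab)
                continue
            actuals = [fix(a) for a in lab[2]]  # arguments may themselves be pending
            if lab[1] == site:
                out |= subst(callee.ret, actuals)
                for s, labs in callee.sinks.items():
                    _add(sinks, f"{site}>{s}", subst(labs, actuals))
            else:
                out.add(("u", lab[1], tuple(actuals)))
        return frozenset(out)
    ret = fix(summ.ret)
    for key, labs in summ.sinks.items():
        _add(sinks, key, fix(labs))
    return Summary(ret, sinks)

def tainted_sinks(summ: Summary) -> set:
    """Sinks that a caller-controlled parameter definitely reaches."""
    return {k for k, labs in summ.sinks.items() if any(l[0] == "p" for l in labs)}

def pending_sinks(summ: Summary) -> set:
    """Sinks whose verdict still depends on an unresolved call site."""
    return {k for k, labs in summ.sinks.items() if any(l[0] == "u" for l in labs)}

# Constructed sample: hand-written IR of a hypothetical PHP program (not from the thesis), roughly
# wrap($s){return "[$s]"}  esc($s){return intval($s)}  store($v){mysql_query("..$v..")}
# handle($q, $fn){ $a = wrap($q); $b = $fn($a); store($b); return $b; }
PROGRAM = {
    "wrap": {"params": ["s"], "body": [("assign", "r", "s"), ("return", "r")]},
    "esc": {"params": ["s"], "body": [("sanitize", "r", "s"), ("return", "r")]},
    "store": {"params": ["v"], "body": [("sink", "mysql_query", "v")]},
    "handle": {"params": ["q", "fn"], "body": [
        ("call", "a", "c1", "wrap", ["q"]),
        ("call", "b", "c2", None, ["a"]),    # $fn($a): callee not resolvable statically
        ("call", "_", "c3", "store", ["b"]),
        ("return", "b")]},
}
```

Running `analyse(PROGRAM)` summarises handle using only the summaries of wrap and store; its sink entry for c3 is neither clean nor tainted but carries a placeholder for the unresolved call at c2 together with the labels of the arguments passed there. `resolve(S["handle"], "c2", S["wrap"])` then yields a tainted sink (parameter $q reaches mysql_query), while `resolve(S["handle"], "c2", S["esc"])` yields a clean one, and in neither case is handle's body revisited. Keeping the argument labels inside the placeholder, instead of conservatively marking the unknown call's result as tainted, is what lets the later resolution reach a precise verdict either way.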