25.2 用列举法求概率 第1课时

整理文档很辛苦,赏杯茶钱您下走!

免费阅读已结束,点击下载阅读编辑剩下 ...

阅读已结束,您可以下载文档离线阅读编辑

资源描述

WebApplicationSecurity—Past,Present,andFuture*Yao-WenHuang†andD.T.Lee‡InstituteofInformationScience,AcademiaSinicaNankang115,Taipei,Taiwan{ywhuang,dtlee}@iis.sinica.edu.twAbstractWebapplicationsecurityremainsamajorroadblocktouniversalacceptanceoftheWebformanykindsofonlinetransactions,especiallysincetherecentsharpincreaseinremotelyexploitablevulnerabilitieshasbeenattributedtoWebapplicationbugs.Insoftwareengineering,softwaretestingisanestablishedandwell-researchedprocessforimprovingsoftwarequality.RecentlyformalverificationtoolshavealsoshownsuccessindiscoveringvulnerabilitiesinCprograms.InthischapterweshalldiscusshowtoapplysoftwaretestingandverificationalgorithmstoWebapplicationsandimprovetheirsecurityattributes.TwoofthemostcommonWebapplicationvulnerabilitiesthatareknowntodatearescriptinjection,e.g.,SQLinjection,andcross-sitescripting(XSS).Wewillformalizethesevulnerabilitiesasproblemsrelatedtoinformationflowsecurity—aconventionaltopicinsecurityresearch.Usingthisformalization,wethenpresenttwotools,WAVES(WebApplicationVulnerabilityandErrorScanner)andWebSSARI(WebApplicationSecurityviaStaticAnalysisandRuntimeInspection),whichrespectivelyutilizesoftwaretestingandverificationtodealinparticularwithscriptinjectionandXSSandaddressingeneraltheWebapplicationsecurityproblems.Finallywewillpresentsomeresultsobtainedbyapplyingthesetoolstoreal-worldWebapplicationsthatareinusetoday,andgivesomesuggestionsaboutthefutureresearchdirectioninthisarea.1.INTRODUCTIONAsWorldWideWebusageexpandstocoveragreaternumberofB2B(business-to-business),B2C(business-to-client),healthcare,ande-governmentservices,thereliabilityandsecurityofWebapplicationshasbecomeanincreasinglyimportantconcern.InaSymantecanalysisreportofnetwork-basedattacks,knownvulnerabilities,andmaliciouscoderecordedthroughout2003[49],eightofthetoptenattackswereassociatedwithWebapplications;andthereportalsostatedthatport80wasthemostfrequentlyattackedTCPport.InadditiontoholdingWebapplicationsresponsibleforthesharpincreaseinmoderatelyseverevulnerabilitiesfoundin2003,theauthorsofthereportalsosuggestedthatWebapplicationvulnerabilitieswerebyfartheeasiesttoexploit.Webapplicationinsecurityisattributedtoseveralfactors.Firstly,theWeb,whichwasinitiallydesignedasadata-deliveryplatform,hasquicklyevolvedintoacomplexapplicationplatformontopofwhichmoreandmoresophisticatedapplicationshavebeendeveloped.Asaresult,Webspecificationshavegrownrapidlytomeetrisingdemands,andbrowsersandWeb-developmentlanguagesfoughta“featurewar”towinmarketshare.Unfortunately,securityissueshavebeenleftasanafterthought.Thefast-expandedfeaturesdidhelpWebgrowth;however,manysecuritysideeffectstheyinducedhavebecometoday’smajorconcernforWebadoption.Secondly,sincesoftwarevendorsarebecomingmoreadeptatwritingsecurecodeanddevelopinganddistributingpatchestocountertraditionalformsofattack(e.g.,bufferoverflows),hackersareincreasinglytargetingWebapplications.WebapplicationvulnerabilitiesarehardtoeliminatebecausemostWebapplicationsa)gothroughrapiddevelopmentphaseswithextremelyshortturnaroundtime,andb)aredevelopedin-housebycorporateMISengineers,mostofwhomhavelesstrainingandexperienceinsecuresoftwaredevelopmentcomparedtoengineersatIBM,Sun,Microsoft,andotherlargesoftwarefirms.Lastly,currenttechnologiessuchasanti-virussoftwareandnetworkfirewallsoffercomparativelysecureprotectionatthehostandnetworklevels,butnotattheapplicationlevel[24].Whennetworkandhost-levelentrypointsarerelativelysecure,thepublicinterfacestoWebapplicationsbecomethefocusortargetsofattacks[68][24].TwoofthemostcommonWebapplicationvulnerabilitiesarescriptinjection(e.g.,SQLinjection)andcross-site—————————————————†alsowiththeDeptofElectricalEngineering,NationalTaiwanUniversity‡alsowiththeDeptofComputerScienceandInformationEngineering,NationalTaiwanUniversity*ThisworkwassupportedinpartbytheNationalScienceCouncilundertheGrantsNSC-93-2213-E-001-013,NSC-93-2422-H-001-0001,andNSC-93-2752-E-002-005-PAEscripting(XSS).InthischapterweshallfirstprovideabriefdescriptionofXSSandscriptinjectionvulnerabilities.ThereaderisreferredtoScottandSharp[98][99],Curpheyetal.[24],andMeieretal.[68]formoredetails.Wethendescribepossibleautomatedapproachestoeliminatingoratleastdetectingsuchvulnerabilities.Finallywewillgivesomeconcludingremarksandpresentafewpossibleavenuesforfutureworkinthisarea.1.1Cross-SiteScripting(XSS)OnFeb2,2000,CERTCoordinationCenterissuedanadvisory[18]on“cross-sitescripting”(XSS)attacksonWebapplications.Thishard-to-eliminatethreatsoondrewtheattentionandspawnedactivediscussionsamongsecurityresearchers[79].DespitetheeffortsofresearchersintheprivatesectorandacademiatopromotedeveloperawarenessandtodeveloptoolstoeliminateXSSattacks,hackersarestillusingthemtoexploitWebapplications.AstudybyOhmaki(2002)[80]foundthatalmost80percentofalle-commercesitesinJapanwerestillvulnerabletoXSS.AsearchonGoogleNews()forXSSadvisoriesonnewlydiscoveredXSSvulnerabilitieswithinthemonthofMarch2004aloneyielded24reports.AmongthesewereconfirmedvulnerabilitiesinMicrosoftHotmail[108]andYahoo!Mail

1 / 19
下载文档,编辑使用

©2015-2020 m.777doc.com 三七文档.

备案号:鲁ICP备2024069028号-1 客服联系 QQ:2149211541

×
保存成功