

Inferring Specifications for Web Application Security.


Abstract

Over the past two decades, we have witnessed the evolution of web applications from simple static pages into complex, interactive platforms. With increasing demand for more features to be added to applications, we have also observed an increase in the frequency and significance of data breaches caused by web application vulnerabilities. The need to secure these applications, however, has not been met promptly. Current web application development practice does not address security concerns even against known vulnerabilities, let alone new, unknown attacks.

The goal of this thesis is to improve the security of web applications. To achieve this goal, we would like to detect and retrofit vulnerabilities. In studying the cyber threat landscape, we observed common web development practices and mistakes that cause security flaws in the design and implementation of web applications. By examining existing security analysis tools, we identified their capabilities and their limitations. Most of these tools require some program specification to be available in order to generate sound reports. However, specifications are often missing in web applications because of market demands for fast releases.

The lack of program specifications in web applications makes it challenging to analyze and verify them. In the absence of program specifications, the only source of information about the web developer's design intentions with respect to security policies is the application source code. While this source code obscures the high-level logic of the application among many low-level details, there are still development patterns available to us from which the intention of the developers can be inferred. Based on this belief, it is very much possible to infer program specifications from low-level artifacts and leverage them to detect and retrofit vulnerabilities in legacy applications. We are also able to use this knowledge to build newer development frameworks for the automated synthesis of secure code.

This thesis develops techniques to infer security specifications from web application source code. By using the inferred specifications, we can improve the security of the applications in numerous ways. First, we are able to examine the inferred authentication and authorization policies to find authorization inconsistencies. Such inconsistencies are the main source of privilege escalation vulnerabilities in web applications. To demonstrate the effectiveness of our approach, we evaluated it on various web applications. The results suggest that we are able to detect previously unknown vulnerabilities through precise inference of access control policies.

Second, we are able to generate security patches for reported vulnerabilities in web applications. Traditionally, applications have been patched manually because of the poor quality of automatically generated patches. Using specification inference techniques, we can generate correct security patches for vulnerable applications and suggest suitable placement of these patches in complex applications, reducing the effort required of developers and security analysts.

Lastly, we examine how inferred security specifications can be used for the synthesis of secure code in web development frameworks. We believe that the automated synthesis of security policies reduces the possibility of redundancy and human error.

Our results in each of the areas mentioned above show that inferring security specifications from application source code is not only possible but also practical and scalable.

Bibliographic details

  • Author: Monshizadeh, Maliheh
  • Author affiliation: University of Illinois at Chicago
  • Degree-granting institution: University of Illinois at Chicago
  • Subject: Computer science
  • Degree: Ph.D.
  • Year: 2017
  • Pages: 168 p.
  • Total pages: 168
  • Format: PDF
  • Language: eng
  • Chinese Library Classification: 遙感技術 (remote sensing technology)
  • Keywords: (none listed)
