Research on Security Vulnerability Testing Methods for Web-Based Application Software
Abstract
With the widespread use of the Internet, e-commerce and e-government, attacks against web application software have grown rapidly, and researchers have paid increasing attention to web application security. Compared with ordinary applications, the way web application software runs makes it more fragile in terms of security, for two main reasons. First, the client-side runtime environment of a web application cannot be trusted: the client part runs on the browsing user's machine, where its runtime environment data is easily forged or modified, and attackers can readily craft malicious data to attack it. Second, its runtime state is open. The HTTP protocol is stateless, so web application developers must record the program's runtime state information themselves and store and transmit it between client and server. This information is exposed to end users and can easily be maliciously altered or forged. In addition, the source code of client-side scripts is visible to the user and easy to modify, and the execution order of pages is easily disrupted or skipped; if the program does not handle this properly, security problems result.
Current research on the security of web application systems concentrates mainly on security assessment and analysis of the runtime environment of web applications, such as the server operating system, database system and web server software, and on intrusion tolerance techniques for web systems. Such work studies security at the level of the web application system as a whole and lacks in-depth analysis of the security of the web application software itself. The research that does address the security of web application software itself focuses mostly on analysing and defending against a few specific kinds of vulnerabilities; no comprehensive, systematic study of the theory and techniques of web application security testing has yet appeared. Research into the theory and techniques of web application security testing therefore has important theoretical and practical significance.
Studying and classifying the various security vulnerabilities of web application software is the foundation of good security testing: it helps researchers understand the characteristics of web application security problems, guides the effective generation of security test cases, and supports the proposal of scientific and practical security testing methods. By studying the patterns in which environment faults and state faults give rise to web application security vulnerabilities, this thesis proposes a method for classifying web application security vulnerabilities, gives the hierarchical structure of the classification, defines and analyses each class of vulnerability in the hierarchy, and proposes a vulnerability coding scheme based on the classification tree. The classification method is applied to web application security vulnerabilities from OWASP, and the results are compared with those obtained using the EAI model. The evaluation shows that the model classifies vulnerabilities well and is suitable for guiding security testing and security defence of web applications.
Environment fault injection is an effective software security testing method: faults are artificially created and injected into the program's runtime environment, and the program's response is observed to judge whether a security problem exists. When the traditional fault injection method is used to detect web application security vulnerabilities, however, it has a significant shortcoming: it considers only the effect of environment faults on software security and ignores another important aspect, the effect of internal runtime state faults on web application security. Considering the effects of both environment faults and state faults on security, this thesis proposes an environment and state fault model (the EAS model) suited to web security testing. Based on this model, it proposes a rule base for determining fault injection points and a set of fault construction operators, and gives concrete methods and steps for applying the model to security testing. The model was used to test the web application PEGames; it effectively detected all of the software's vulnerabilities recorded in the CVE database and found new ones. The experiment shows that the EAS model has good vulnerability-revealing ability and can effectively guide web application security testing.
When performing security testing, an appropriate set of test cases must be chosen so that software security vulnerabilities are tested as thoroughly as possible within limited time and cost. To evaluate the adequacy of a test case set quantitatively, this thesis proposes a software security testing adequacy evaluation method based on the analytic hierarchy process. It builds the hierarchical analysis structure and pairwise comparison matrices for the test case set, derives the importance weights of each class of test case, and defines a test effect evaluation function. The evaluation method was used to evaluate the actual testing effect on the BBS software IPB. The experiment shows that the adequacy value computed by the evaluation function is positively correlated with the number of vulnerabilities found in actual testing, indicating that the evaluation method correctly reflects the testing effect of a test case set and is practical and effective.
With the widespread use of the Internet, e-commerce and e-government systems, the number of attacks against web applications is growing fast, which has led to increasing concern about web application security among researchers. Compared with common applications, web applications are more insecure because of two facts: their untrusted runtime environment and their open runtime state. A web application is composed of a server part and a client part. The client part runs on the browsing user's computer, and its environment is easy for a malicious attacker to perturb and forge. Besides environmental perturbation, the web application's internal state is also prone to attack. First, the server part of the web application must transfer its internal state information to the client part because the HTTP protocol is stateless, so a malicious user can view the internal state information and modify it. Second, the source code of the client part is open to the browser user and easy to forge. Last, the execution of a web application is composed of many requests for web pages; a malicious attacker can change the sequence of these requests or skip some execution steps by jumping to a later part of the execution sequence, thus causing security violations. Currently, research on web system security focuses on the vulnerabilities of operating systems, databases and web server software, or on intrusion tolerance technology, rather than on the security of the web application itself. Much of the research on web application security focuses only on some specific vulnerability. To the best of our knowledge, there is no comprehensive study of web application security testing.
The study and classification of security vulnerabilities is an important basis for researching web application security testing technology. It can help to build an effective test model and to design good test cases. This paper proposes a taxonomy model using the analytic hierarchy process for classifying security flaws of web applications, and defines all the kinds of vulnerabilities classified by the taxonomy model. The taxonomy model is then applied to classify 87 security flaws from the OWASP security flaw database, and the classification results are compared with those obtained using the EAI model. The result of the experiment reveals that the taxonomy model is effective.
Fault injection is an effective method for security testing of software. It injects faults into the application's environment to see how the application responds and whether there is a security violation. With environment fault injection it is easy to define a common procedure for making appropriate test cases, which makes it suitable for security testing of web applications. However, when used to test web applications, environment fault injection has a weakness: it only considers perturbation from the web application's environment and ignores internal state disturbances, which also play an important role in the security of web applications. To overcome this weakness, this paper proposes a test model named the EAS fault model, provides a vulnerability determination rule base, and designs error constructor operators. We then test a web application named PEGames using the EAS model. The experiment revealed that the fault coverage of the EAS model is high.
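The following added example, which is not the thesis's rule base, operators or PEGames experiment, sketches the EAS idea in code: error-constructor operators inject faults both into the request environment (parameters) and into the client-held state or request sequence of a constructed toy checkout flow, and an oracle decides whether each run violated a security property. The shop, its prices and the four faults are constructed assumptions.

```python
"""Toy EAS-style fault-injection harness (added illustration, not the
thesis's rule base, operators or the PEGames experiment). Faults are
injected both into the request environment (parameters) and into the
client-held state or request sequence, and an oracle judges each run."""

PRICE = 100  # constructed unit price of the toy shop

def checkout_app(step, params, state, enforce_sequence):
    """One request of a three-step checkout. `state` is what the client
    carries between requests (cookie or hidden field): the open runtime
    state the abstract describes. `enforce_sequence` is the hardened
    variant that refuses out-of-order steps."""
    s = dict(state)
    if step == "quote":
        s["total"] = PRICE * int(params.get("qty", "1"))
        s["step"] = 1
    elif step == "pay":
        if enforce_sequence and s.get("step") != 1:
            raise PermissionError("pay before quote")
        s["paid"] = s["total"]
        s["step"] = 2
    elif step == "confirm":
        if enforce_sequence and s.get("step") != 2:
            raise PermissionError("confirm before pay")
        s["step"] = 3
    return s

BASELINE = [("quote", {"qty": "2"}), ("pay", {}), ("confirm", {})]

# Error-constructor operators: each maps the baseline request sequence to a
# perturbed one. A request may carry a third element, a dict of client-side
# state edits applied just before that request is sent (state fault).
def env_fault(qty):
    return lambda seq: [("quote", {"qty": qty})] + seq[1:]

def skip_step(name):
    return lambda seq: [r for r in seq if r[0] != name]

def tamper_before(name, **edits):
    return lambda seq: [(r[0], r[1], edits) if r[0] == name else r for r in seq]

FAULTS = {
    "env:negative_qty": env_fault("-3"),
    "env:non_numeric_qty": env_fault("two"),
    "state:skip_pay": skip_step("pay"),
    "state:tamper_total": tamper_before("pay", total=1),
}

def run(seq, enforce_sequence):
    """Drive the app through a request sequence, threading client state."""
    state = {}
    for req in seq:
        if len(req) == 3:                 # client edits its own state
            state = {**state, **req[2]}
        state = checkout_app(req[0], req[1], state, enforce_sequence)
    return state

def oracle(state, expected_total=2 * PRICE):
    """Security property under test: a confirmed order must have paid the
    server-computed total of the baseline order."""
    return state.get("step") == 3 and state.get("paid") != expected_total

def eas_test(enforce_sequence):
    """Return fault name -> 'violation' | 'rejected' | 'ok'."""
    results = {}
    for name, op in FAULTS.items():
        try:
            final = run(op(BASELINE), enforce_sequence)
        except (ValueError, PermissionError):
            results[name] = "rejected"    # application caught the fault
            continue
        results[name] = "violation" if oracle(final) else "ok"
    return results
```

Running `eas_test(False)` and `eas_test(True)` shows that enforcing the step order only closes the skipped-payment fault; the negative quantity and the edited total still pass the oracle's bar for a violation, because they need input validation and server-side storage of the price rather than sequence checks.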
When testing a web application for security, testers have to select a test case set of appropriate scale because of limits on time and money. In order to quantify the evaluation of the adequacy of the selected test set, this paper proposes a test effect evaluation model based on the Analytic Hierarchy Process and defines a test effect evaluation function. An experiment was made by using the evaluation model to evaluate the vulnerability test effect on a BBS application named IPB. The experiment result revealed that the evaluation value calculated by the evaluation function is positively correlated with the number of vulnerabilities found in the real test, which proves that the evaluation method proposed in this paper is practical and reliable.
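As an added example (not the thesis's data or its evaluation function), the block below carries the AHP procedure through: a pairwise comparison matrix over constructed test-case categories, the importance weights by the geometric-mean method, Saaty's consistency ratio as the sanity check, and an assumed weighted-coverage form of the evaluation function.

```python
"""AHP test-adequacy scoring (added illustration; the categories, the
pairwise judgements and the form of the evaluation function are constructed
assumptions, not data from the thesis)."""
from math import prod

# Constructed test-case categories for a web application and a Saaty
# 1-9 pairwise comparison matrix: A[i][j] says how much more important
# category i is than category j for revealing vulnerabilities.
CATEGORIES = ["input_validation", "state_tampering", "auth_session", "env_config"]
PAIRWISE = [
    [1,   3,   2,   5],
    [1/3, 1,   1/2, 3],
    [1/2, 2,   1,   4],
    [1/5, 1/3, 1/4, 1],
]
# Saaty's random consistency index for matrices of order 1..6
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24}

def ahp_weights(a):
    """Importance weights by the row geometric-mean method (sum to 1)."""
    n = len(a)
    gm = [prod(row) ** (1.0 / n) for row in a]
    total = sum(gm)
    return [g / total for g in gm]

def consistency_ratio(a, w):
    """CR = CI / RI; judgements are usually accepted only when CR < 0.1."""
    n = len(a)
    aw = [sum(a[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1)
    return ci / RANDOM_INDEX[n]

def coverage(planned, executed):
    """Per-category fraction of the planned test cases actually executed."""
    return [min(e, p) / p if p else 0.0 for p, e in zip(planned, executed)]

def adequacy(weights, cov):
    """Assumed evaluation function: weighted coverage E = sum_i w_i * c_i."""
    return sum(w * c for w, c in zip(weights, cov))

def evaluate(planned, executed, a=PAIRWISE):
    """Score a test set; refuse to score on an inconsistent judgement matrix."""
    w = ahp_weights(a)
    cr = consistency_ratio(a, w)
    if cr >= 0.1:
        raise ValueError(f"inconsistent pairwise matrix, CR={cr:.3f}")
    return adequacy(w, coverage(planned, executed))

if __name__ == "__main__":
    w = ahp_weights(PAIRWISE)
    print("weights", [round(x, 3) for x in w],
          "CR", round(consistency_ratio(PAIRWISE, w), 3))
    # Same number of executed cases, different emphasis: the set covering
    # the higher-weighted categories scores higher.
    print(evaluate([10, 10, 10, 10], [10, 10, 0, 0]))
    print(evaluate([10, 10, 10, 10], [0, 0, 10, 10]))
```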