《電子技術(shù)應(yīng)用》
您所在的位置:首頁 > 其他 > 設(shè)計(jì)應(yīng)用 > 基于代碼重寫的動(dòng)態(tài)污點(diǎn)分析
基于代碼重寫的動(dòng)態(tài)污點(diǎn)分析
信息技術(shù)與網(wǎng)絡(luò)安全 2期
梁 威1,洪 倩2
(1.中原工學(xué)院 彼得堡航空學(xué)院,河南 鄭州450007;2.江西省第五人民醫(yī)院,江西 南昌330046)
摘要: 當(dāng)前,Web技術(shù)更新速度很快,JavaScript(JS)語言應(yīng)用日益廣泛,但同時(shí)也出現(xiàn)了許多安全風(fēng)險(xiǎn),特別是現(xiàn)在的Web應(yīng)用程序響應(yīng)速度要求越來越高,更加劇了Web安全威脅。為此,研究了基于代碼重寫的動(dòng)態(tài)JavaScript污點(diǎn)分析,借助重寫JavaScript在代碼運(yùn)行過程中標(biāo)記并跟蹤敏感數(shù)據(jù),檢測(cè)數(shù)據(jù)泄漏并及時(shí)反饋。與傳統(tǒng)動(dòng)態(tài)污點(diǎn)分析方法不同,該方法無需依賴JS引擎,可以應(yīng)用于各種瀏覽器,能高效精準(zhǔn)地標(biāo)記、跟蹤、檢測(cè)敏感數(shù)據(jù)泄露,提高Web安全性。
中圖分類號(hào): TP393
文獻(xiàn)標(biāo)識(shí)碼: A
DOI: 10.19358/j.issn.2096-5133.2022.02.006
引用格式: 梁威,洪倩. 基于代碼重寫的動(dòng)態(tài)污點(diǎn)分析[J].信息技術(shù)與網(wǎng)絡(luò)安全,2022,41(2):33-38.
Dynamic taint analysis based on code rewriting
Liang Wei1,Hong Qian2
(1.Petersburg Aviation Institute,Zhongyuan University of Technology,Zhengzhou 450007,China; 2.Jiangxi Fifth People′s Hospital,Nanchang 330046,China)
Abstract: At present, the update speed of Web technology is very fast, and JavaScript(JS) language is used more and more widely, at the same time, there are many security risks. In particular, the requirements for the response speed of Web applications are becoming higher and higher, which exacerbates the threat of Web security. Therefore, this paper studies the dynamic JavaScript taint analysis based on code rewriting, marks and tracks sensitive data during code operation with the help of rewriting JavaScript, detects data leakage and gives feedback in time. Different from the traditional dynamic taint analysis method, the proposed method does not need to rely on JS engine, can be applied to various browsers, can efficiently and accurately mark, track and detect sensitive data leakage, and improve Web security.
Key words : code rewriting;JavaScript;dynamic taint;information flow analysis;Web security

0 引言

跨站腳本攻擊是JavaScript漏洞攻擊的常見形式,針對(duì)此類攻擊,常規(guī)應(yīng)對(duì)方法是基于用戶輸入端以及服務(wù)器輸出端進(jìn)行檢測(cè)防范,即使用白名單檢驗(yàn)用戶輸入端,在輸出端做信息轉(zhuǎn)義。這種方法有兩點(diǎn)不足:首先,難以確定應(yīng)該過濾或轉(zhuǎn)義哪些內(nèi)容;其次,難以保證任意用戶輸入端均得到有效處理[1]。動(dòng)態(tài)污點(diǎn)分析方法無需覆蓋所有路徑,只需要?jiǎng)討B(tài)跟蹤當(dāng)前的JavaScript代碼執(zhí)行路徑。通過動(dòng)態(tài)污點(diǎn)分析法跟蹤檢測(cè)JavaScript代碼執(zhí)行,對(duì)于不受信任的數(shù)據(jù)做污染傳播,跟蹤JavaScript行為,并根據(jù)相關(guān)安全定義操作應(yīng)對(duì)異常行為。本次研究提出一種無需依賴JavaScript引擎的動(dòng)態(tài)污染分析算法,通過重寫JavaScript代碼,實(shí)現(xiàn)代碼自跟蹤、自檢測(cè),以便實(shí)時(shí)跟蹤檢測(cè)敏感數(shù)據(jù),有效保障Web安全




本文詳細(xì)內(nèi)容請(qǐng)下載:http://ihrv.cn/resource/share/2000003948





作者信息:

梁  威1,洪  倩2

(1.中原工學(xué)院 彼得堡航空學(xué)院,河南 鄭州450007;2.江西省第五人民醫(yī)院,江西 南昌330046)




微信圖片_20210517164139.jpg

此內(nèi)容為AET網(wǎng)站原創(chuàng),未經(jīng)授權(quán)禁止轉(zhuǎn)載。