基于代碼重寫的動態(tài)污點分析
信息技術(shù)與網(wǎng)絡(luò)安全 2期
梁 威1,洪 倩2
(1.中原工學(xué)院 彼得堡航空學(xué)院,河南 鄭州450007;2.江西省第五人民醫(yī)院,江西 南昌330046)
摘要: 當(dāng)前,Web技術(shù)更新速度很快,JavaScript(JS)語言應(yīng)用日益廣泛,但同時也出現(xiàn)了許多安全風(fēng)險,特別是現(xiàn)在的Web應(yīng)用程序響應(yīng)速度要求越來越高,更加劇了Web安全威脅。為此,研究了基于代碼重寫的動態(tài)JavaScript污點分析,借助重寫JavaScript在代碼運行過程中標記并跟蹤敏感數(shù)據(jù),檢測數(shù)據(jù)泄漏并及時反饋。與傳統(tǒng)動態(tài)污點分析方法不同,該方法無需依賴JS引擎,可以應(yīng)用于各種瀏覽器,能高效精準地標記、跟蹤、檢測敏感數(shù)據(jù)泄露,提高Web安全性。
中圖分類號: TP393
文獻標識碼: A
DOI: 10.19358/j.issn.2096-5133.2022.02.006
引用格式: 梁威,洪倩. 基于代碼重寫的動態(tài)污點分析[J].信息技術(shù)與網(wǎng)絡(luò)安全,2022,41(2):33-38.
文獻標識碼: A
DOI: 10.19358/j.issn.2096-5133.2022.02.006
引用格式: 梁威,洪倩. 基于代碼重寫的動態(tài)污點分析[J].信息技術(shù)與網(wǎng)絡(luò)安全,2022,41(2):33-38.
Dynamic taint analysis based on code rewriting
Liang Wei1,Hong Qian2
(1.Petersburg Aviation Institute,Zhongyuan University of Technology,Zhengzhou 450007,China; 2.Jiangxi Fifth People′s Hospital,Nanchang 330046,China)
Abstract: At present, the update speed of Web technology is very fast, and JavaScript(JS) language is used more and more widely, at the same time, there are many security risks. In particular, the requirements for the response speed of Web applications are becoming higher and higher, which exacerbates the threat of Web security. Therefore, this paper studies the dynamic JavaScript taint analysis based on code rewriting, marks and tracks sensitive data during code operation with the help of rewriting JavaScript, detects data leakage and gives feedback in time. Different from the traditional dynamic taint analysis method, the proposed method does not need to rely on JS engine, can be applied to various browsers, can efficiently and accurately mark, track and detect sensitive data leakage, and improve Web security.
Key words : code rewriting;JavaScript;dynamic taint;information flow analysis;Web security
0 引言
跨站腳本攻擊是JavaScript漏洞攻擊的常見形式,針對此類攻擊,常規(guī)應(yīng)對方法是基于用戶輸入端以及服務(wù)器輸出端進行檢測防范,即使用白名單檢驗用戶輸入端,在輸出端做信息轉(zhuǎn)義。這種方法有兩點不足:首先,難以確定應(yīng)該過濾或轉(zhuǎn)義哪些內(nèi)容;其次,難以保證任意用戶輸入端均得到有效處理[1]。動態(tài)污點分析方法無需覆蓋所有路徑,只需要動態(tài)跟蹤當(dāng)前的JavaScript代碼執(zhí)行路徑。通過動態(tài)污點分析法跟蹤檢測JavaScript代碼執(zhí)行,對于不受信任的數(shù)據(jù)做污染傳播,跟蹤JavaScript行為,并根據(jù)相關(guān)安全定義操作應(yīng)對異常行為。本次研究提出一種無需依賴JavaScript引擎的動態(tài)污染分析算法,通過重寫JavaScript代碼,實現(xiàn)代碼自跟蹤、自檢測,以便實時跟蹤檢測敏感數(shù)據(jù),有效保障Web安全。
本文詳細內(nèi)容請下載:http://www.xxav2194.com/resource/share/2000003948
作者信息:
梁 威1,洪 倩2
(1.中原工學(xué)院 彼得堡航空學(xué)院,河南 鄭州450007;2.江西省第五人民醫(yī)院,江西 南昌330046)
此內(nèi)容為AET網(wǎng)站原創(chuàng),未經(jīng)授權(quán)禁止轉(zhuǎn)載。