School of Information Science and Engineering, Yanshan University, Qinhuangdao 066004, Hebei, China

HE Haitao (1968- ), female, born in Lufeng, Yunnan; Ph.D., professor and doctoral supervisor at Yanshan University. Main research interests: artificial intelligence, data mining, software security and network security.
XU Ke (1997- ), female, born in Jinzhong, Shanxi; Ph.D. candidate at Yanshan University. Main research interest: network security.
YANG Shuailin (1997- ), male, born in Qinhuangdao, Hebei; Ph.D. candidate at Yanshan University. Main research interest: software security.
ZHANG Bing (1989- ), male, born in Huanggang, Hubei; Ph.D., associate professor and doctoral supervisor at Yanshan University. Main research interest: network security.
ZHAO Yuxuan (1997- ), male, born in Qinhuangdao, Hebei; Ph.D. candidate at Yanshan University. Main research interest: time-series data mining.
LI Jiazheng (1998- ), male, born in Xingtai, Hebei; Ph.D. candidate at Yanshan University. Main research interests: network security and software security.
Received: 2023-10-31; Revised: 2024-02-01; Published in print: 2024-06-25
HE Haitao, XU Ke, YANG Shuailin, et al. Game-based detection method of broken access control vulnerabilities in Web application [J]. Journal on Communications, 2024, 45(06): 117-130. DOI: 10.11959/j.issn.1000-436x.2024078.
Abstract: In industrial Internet applications, the access control policy is hidden in the source code and difficult to extract, and a user's access operations rarely trigger every access path, so generic detection of access control logic vulnerabilities is hard to achieve. To address this, game theory was applied to access control logic vulnerability detection for the first time. Vulnerabilities were identified by analyzing the outcome of the game played by different participants over resource pages in the Web application, so that the access logic of different users could be obtained in a targeted manner. Experimental results show that the proposed method detected 31 vulnerabilities in 11 open-source applications, 8 of which were previously unreported, with vulnerability detection coverage exceeding 90% in every case.