Abstract
Dynamic taint analysis is a common method for detecting vulnerabilities in Web applications and improving the security of Web services, but most existing approaches lack well-developed information flow policies and models, and their control of information flow is relatively coarse. This paper proposes PIFC, an information flow control model for Python. It abstracts the objects of a Python program as entities, enforces language-level information flow control by controlling the information exchange between the entities involved in a method call, and gives entities declassification and sanitization capabilities to prevent taint accumulation. Using advanced Python features such as decorators and the dynamic dispatch mechanism, a lightweight, easy-to-use and concise Python library, LPIFC, was designed and implemented to support the model's taint storage and information flow control, avoiding the drawback of the traditional approach of modifying the interpreter. Test results show that LPIFC satisfies the security requirements of Web applications well and introduces only a small additional performance overhead.
Taint analysis is a common approach for spotting potential vulnerabilities in Web applications and enhancing the security of Web services. Most existing approaches lack effective information flow policies and models, and their information flow control is coarse-grained. This paper proposes an information flow control model for Python (PIFC). It takes the Python object as the entity of information flow control, implements information flow control at the language level by controlling the information interaction between the entities involved in a method call, and introduces declassification and sanitization to avoid taint accumulation. Using advanced features of Python such as decorators and dynamic dispatch, it realizes a lightweight, easy-to-use and neat library for Python (LPIFC) that supports taint storage and information flow control without modifying the interpreter. The evaluation shows that LPIFC satisfies the security requirements of Web applications well, with little extra performance overhead.
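The following Python sketch is an added illustration of the mechanism the abstract describes, written for this page; it is not the authors' LPIFC library, and the names Tainted, source, sanitizer, sink, labels_of and InformationFlowError are this example's own. Objects are the entities: a str subclass stores taint labels, dynamic dispatch makes string operations propagate them, a source decorator attaches a label, a sink decorator refuses labelled arguments at the method-call boundary, and a sanitizer decorator declassifies by removing the label after cleaning. The request dict in handle() is constructed sample input.

```python
"""Decorator-based taint tracking in the spirit of PIFC (added example, not the paper's code)."""
import html
from functools import wraps


class InformationFlowError(Exception):
    """Raised when a tainted entity reaches a sink that does not accept its label."""


def labels_of(obj):
    """Taint labels carried by an object; ordinary objects carry none."""
    return getattr(obj, "labels", frozenset())


def propagate(result, *inputs):
    """Give a str result the union of the labels carried by its inputs."""
    labels = frozenset().union(*(labels_of(i) for i in inputs))
    if labels and isinstance(result, str):
        return Tainted(result, labels)
    return result


class Tainted(str):
    """A str entity that stores a frozenset of taint labels, e.g. {"user_input"}."""

    def __new__(cls, value, labels=()):
        obj = super().__new__(cls, value)
        obj.labels = frozenset(labels)
        return obj

    # str defines no __radd__, so "literal" + tainted needs this to keep the label.
    def __radd__(self, other):
        return propagate(str(other) + str(self), other, self)


def _propagating(name):
    """Wrap a str method so its result inherits the taint of self and the arguments."""
    method = getattr(str, name)

    @wraps(method)
    def wrapper(self, *args, **kwargs):
        return propagate(method(self, *args, **kwargs), self, *args, *kwargs.values())
    return wrapper


# Dynamic dispatch: on Tainted these str methods propagate taint instead of dropping it.
for _name in ("__add__", "__getitem__", "upper", "lower", "strip", "replace"):
    setattr(Tainted, _name, _propagating(_name))


def source(label):
    """Decorator: string values returned by the function are tainted with `label`."""
    def deco(fn):
        @wraps(fn)
        def wrapper(*args, **kwargs):
            result = fn(*args, **kwargs)
            if isinstance(result, str):
                return Tainted(result, labels_of(result) | {label})
            return result
        return wrapper
    return deco


def sanitizer(label):
    """Decorator: declassify the cleaned return value by removing `label`."""
    def deco(fn):
        @wraps(fn)
        def wrapper(value, *args, **kwargs):
            cleaned = fn(value, *args, **kwargs)
            remaining = labels_of(cleaned) - {label}
            return Tainted(cleaned, remaining) if remaining else str(cleaned)
        return wrapper
    return deco


def sink(*rejected):
    """Decorator: refuse the call if any argument carries one of the `rejected` labels."""
    def deco(fn):
        @wraps(fn)
        def wrapper(*args, **kwargs):
            for arg in (*args, *kwargs.values()):
                bad = labels_of(arg) & set(rejected)
                if bad:
                    raise InformationFlowError(
                        f"{fn.__name__} received data tainted with {sorted(bad)}")
            return fn(*args, **kwargs)
        return wrapper
    return deco


@source("user_input")
def get_query_param(name, request):
    """Hypothetical stand-in for reading a request parameter."""
    return request[name]


@sanitizer("user_input")
def escape_html(value):
    return html.escape(value)          # html.escape uses str.replace, so taint survives until declassified


@sink("user_input")
def render_html(body):
    return "<p>" + body + "</p>"


def handle(request):
    """Return (raw_flow_blocked, rendered_page, labels_on_greeting) for one request."""
    name = get_query_param("name", request)
    greeting = "Hello, " + name.strip()   # taint survives strip() and concatenation
    try:
        render_html(greeting)             # raw user input reaching the sink is refused
        raw_blocked = False
    except InformationFlowError:
        raw_blocked = True
    page = render_html(escape_html(greeting))   # declassified by the sanitizer, so accepted
    return raw_blocked, page, labels_of(greeting)


if __name__ == "__main__":
    print(handle({"name": " Bob <b>x</b> "}))   # constructed sample request
```

The sink check happens at the method-call boundary, which is where the abstract places its information flow control; the sanitizer is the only path that removes a label, so taint accumulated through string operations cannot silently disappear.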
Source
《计算机应用研究》
CSCD
Peking University Core Journal (北大核心)
2015, No. 10, pp. 3065-3069 (5 pages)
Application Research of Computers
Funding
National Science and Technology Major Project for Core Electronic Devices, High-end Generic Chips and Basic Software (核高基) (2013ZX01029002-001)