基于策略推导的访问控制漏洞测试用例生成方法  被引量：2

作　　者：文硕 许静 苑立英 李晓虹 徐思涵 司冠南[2] WEN Shuo;XU Jing;WUAN Li-Ying;LI Xiao-Hong;XU Si-Han;SI Guan-Nan(College of Computer and Control Engineering,Nankai University,Tianjin300071;School of Information Science and Electrical Engineering, Shandong Jiaotong University, Jinan250357)

机构地区：[1]南开大学计算机与控制工程学院,天津300071 [2]山东交通学院信息科学与电气工程学院,济南250357

出　　处：《计算机学报》2017年第12期2658-2670,共13页Chinese Journal of Computers

基　　金：天津市自然科学基金重点项目(12JCZDJC20800);天津市科技计划项目(13ZCZDGX01098);国家科技支撑计划项目(2013BAH01B05);国家自然科学基金青年基金项目(61402264)资助~~

摘　　要：Web应用已经成为越来越流行的信息传输媒介.为了保护重要信息不被泄漏,许多Web应用设计了针对不同角色不同用户的访问控制机制.然而由于不完善的访问控制机制,使得访问控制漏洞仍普遍存在,攻击者可对Web应用的敏感数据进行非法访问.为了获得准确的访问控制机制,测试用例的准确性和有效性至关重要.然而,现有的测试用例生成方法存在漏报、冗余度高等缺陷.文中根据Web应用程序的访问控制模型,提出一种基于策略推导的测试用例生成方法.此方法从角色和用户两个级别发现对应的授权操作集合,推导Web应用程序的访问控制策略,并利用推导所得访问控制策略生成合法与非法两类测试用例.其中,合法用例用以对推导所得策略的正确性进行验证,非法用例通过违背授权约束生成,用以检测Web应用程序的访问控制漏洞.为了对方法的有效性进行验证,我们设计并实现原型系统ACV-Scanner,并将其运行在开源Web应用上.实验结果表明该方法在能全面检测各种类型的访问控制漏洞的前提下,对测试用例进行了精简,与同类研究对比,减少漏报,提高了效率.Abstract Web applications have become more and more popular for delivering information over the Internet.Although most of web applications implement access control mechanisms that restrict the data access privileges of different roles and users,access control vulnerabilities still exist due to incomplete design of access control mechanisms,in which case attackers could access sensitive data illegally.To achieve accurate access control mechanisms,it is significant to generate accurate and efficient test cases.However,existing test case generation approaches have high redundancy and false negatives.In this paper,we propose a novel test case generation approach based on policy inference,which is according to access control models of web applications,to discover access control vulnerabilities within web applications.This approach identifies the sets of authorized operations from two levels,i.e.,role and user,then infers access control policy,and finally utilizes the inferred policy to generate legal and illegal test cases.The legal test cases aim to verify the legality of the inferred policy,while the illegal test cases generated by violating authorized constraints are utilized for exploiting access control vulnerabilities within web applications.A prototype system ACV-Scanner is also implemented for evaluation over a set of web applications.The experiment results demonstrate that our method can effectively decrease test cases,reduce false negative and improve the efficiency while comprehensively exploiting different categories of access control vulnerabilities.

关 键 词：软件测试 WEB应用 访问控制漏洞 访问控制策略 测试用例生成 

分 类 号：TP311[自动化与计算机技术—计算机软件与理论]