Author: 郭春霞 GUO Chunxia (Xi'an Siyuan University, Xi'an 710038, China)
Affiliation: [1] Xi'an Siyuan University, Xi'an 710038
Source: Automation & Instrumentation (《自动化与仪器仪表》), 2024, No. 6, pp. 252-256, 260 (6 pages)
Abstract: Existing approaches to checking web access control rely mainly on the application's protection state to detect vulnerabilities and ignore flaws in the permission-verification logic itself, so the F1 score (the harmonic mean of precision and recall) of their detection results is low. To address this, a web access control vulnerability detection method based on a permission verification graph is proposed. A static analysis tool recursively analyses the web application's permission-verification pattern to obtain a web access control-flow graph, which is then simplified by projection. In the simplified control-flow graph, the effective resource nodes, permission-verification nodes, start nodes and end nodes are identified; taking into account whether each edge corresponds to a passed verification, the selected nodes are connected to generate the access control permission verification graph. Finally, a vulnerability detection model combining a deep graph convolutional network with an attention mechanism is built; it traverses and learns all permission-verification paths leading to each resource node in the permission verification graph, compares the permissions verified along a path with the permissions the node requires, and produces the detection result. Experimental results show that the F1 score of the proposed method for web access control vulnerability detection is always above 0.92, confirming the validity of its results.
Keywords: permission verification graph; web access; access control; node; deep graph convolutional network; vulnerability detection
CLC number: TP309 [Automation and Computer Technology: Computer System Architecture]
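The deterministic core of the pipeline the abstract describes (a graph of start, verification, resource and end nodes with pass/fail edges; enumeration of every verification path reaching a resource node; comparison of the permissions verified along the path with the permissions the resource requires) can be illustrated without the graph-convolution model. The following Python sketch is an added example, not code from the paper: the node kinds, the `PermissionGraph` class and the small web application it analyses are all constructed for illustration, and a plain path traversal stands in for the learned model.

```python
"""Permission-verification graph check (added example; not the paper's implementation).

Models the simplified control-flow graph the abstract describes: start nodes,
permission-verification (check) nodes, resource nodes and end nodes, with each
edge out of a check node labelled by whether the check passed. A resource is
flagged when some path from a start node reaches it without having passed a
check for every permission the resource requires.
"""
from collections import defaultdict

# Node kinds in the simplified control-flow graph (names are hypothetical).
START, CHECK, RESOURCE, END = "start", "check", "resource", "end"


class PermissionGraph:
    def __init__(self):
        self.nodes = {}                  # id -> {"kind": ..., "perms": frozenset}
        self.edges = defaultdict(list)   # src -> [(dst, passed)]

    def add_node(self, nid, kind, perms=()):
        # For CHECK nodes, perms = permissions proven when the check passes.
        # For RESOURCE nodes, perms = permissions required to access the resource.
        self.nodes[nid] = {"kind": kind, "perms": frozenset(perms)}

    def add_edge(self, src, dst, passed=True):
        # passed=True : edge taken when the check at src succeeds (or src is not a check)
        # passed=False: edge taken when the check at src fails (error/else branch)
        self.edges[src].append((dst, passed))

    def paths_to(self, target):
        """All simple paths from any start node to target, with the permissions
        verified along each path (a check contributes only on its pass edge)."""
        results = []
        starts = [n for n, d in self.nodes.items() if d["kind"] == START]
        for s in starts:
            stack = [(s, [s], frozenset())]
            while stack:
                node, path, verified = stack.pop()
                if node == target:
                    results.append((path, verified))
                    continue
                for dst, passed in self.edges[node]:
                    if dst in path:
                        continue  # keep paths simple; avoid loops
                    v = verified
                    if self.nodes[node]["kind"] == CHECK and passed:
                        v = verified | self.nodes[node]["perms"]
                    stack.append((dst, path + [dst], v))
        return results

    def find_vulnerabilities(self):
        """One finding per (resource, path) where required perms exceed verified perms."""
        findings = []
        for nid, d in self.nodes.items():
            if d["kind"] != RESOURCE:
                continue
            for path, verified in self.paths_to(nid):
                missing = d["perms"] - verified
                if missing:
                    findings.append({"resource": nid, "path": path,
                                     "missing": sorted(missing)})
        return findings


def build_sample_graph():
    """Constructed sample application (hypothetical), with two deliberate flaws."""
    g = PermissionGraph()
    g.add_node("entry", START)
    g.add_node("check_login", CHECK, {"authenticated"})
    g.add_node("check_admin", CHECK, {"admin"})
    g.add_node("view_profile", RESOURCE, {"authenticated"})
    g.add_node("delete_user", RESOURCE, {"authenticated", "admin"})
    g.add_node("export_report", RESOURCE, {"authenticated", "admin"})
    g.add_node("error_page", END)
    g.add_edge("entry", "check_login")
    g.add_edge("check_login", "error_page", passed=False)
    g.add_edge("check_login", "view_profile")
    g.add_edge("check_login", "check_admin")
    g.add_edge("check_login", "export_report")           # flaw 1: admin action with no admin check
    g.add_edge("check_admin", "delete_user")
    g.add_edge("check_admin", "delete_user", passed=False)  # flaw 2: failed check falls through
    return g


if __name__ == "__main__":
    for f in build_sample_graph().find_vulnerabilities():
        print(f["resource"], "via", " -> ".join(f["path"]), "missing", f["missing"])
```

The two constructed flaws are the kinds the abstract's method targets: a resource reachable on a path that never performs the relevant check (`export_report`), and a check whose result is ignored so that the fail branch still reaches the protected action (`delete_user`). The compliant path to `delete_user` through the passed `check_admin` edge produces no finding, which is the comparison of path-verified permissions against node-required permissions that the abstract describes.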