一個根植於作業系統核心之防止網頁竄改機制

以作者查詢圖書館館藏

、以作者查詢臺灣博碩士

、以作者查詢全國書目

、勘誤回報

、線上人數：5

、訪客IP：13.59.61.119

姓名

吳孟容(Meng-jung Wu) 查詢紙本館藏

畢業系所

資訊工程學系

論文名稱

一個根植於作業系統核心之防止網頁竄改機制
(WsP: A Websites Protector against Web Defacement Attacks)

相關論文

★ USB WORM KILLER: Cure USB Flash Worms Through a USB Flash Worm	★ Discoverer- Rootkit即時偵測系統
★ 一項Android手機上詐騙簡訊的偵測與防禦機制	★ SRA系統防禦ARP欺騙劫持路由器
★ A Solution for Detecting and Defending ARP Spoofing on Virtual Machines	★ 針對遠端緩衝區溢位攻擊之自動化即時反擊系統
★ 即時血清系統: 具攻性防壁之自動化蠕蟲治癒系統	★ DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection
★ TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks	★ A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection
★ Shark: Phishing Information Recycling from Spam Mails	★ FFRTD: Beat Fast-Flux by Response Time Differences
★ Antivirus Software Shield against Antivirus Terminators	★ MAC-YURI : My ACcount, YoUr ResponsIbility
★ KKBB: Kernel Keylogger Bye-Bye	★ CIDP Treatment: An Innovative Mobile Botnet Covert Channel based on Caller IDs with P8 Treatment

檔案

[Endnote RIS 格式]

[Bibtex 格式]

[相關文章]

[文章引用]

[完整記錄]

[館藏目錄]

[檢視]

[下載]

本電子論文使用權限為同意立即開放。
已達開放權限電子全文僅授權使用者為學術研究之目的，進行個人非營利性質之檢索、閱讀、列印。
請遵守中華民國著作權法之相關規定，切勿任意重製、散佈、改作、轉貼、播送，以免觸法。

摘要(中)

隨著網際網路的快速發展，使得網頁伺服器成為學習、教育、娛樂、資訊交換、商業服務的重要平臺。也隨著網頁的重要性與日俱增，竄改網頁便成為攻擊者破壞企業形象或表達不同意識型態的方式[1]。此外，越來越多的攻擊者侵入網頁伺服器後，在不改變網頁在瀏覽器上呈現畫面的前提下，透過網頁竄改使得原網頁成為一個釣魚網頁(phishing)[12]，或於網頁內加入下載檔案的指令。只要使用者瀏覽到該被竄改的網頁，其瀏覽器就自動地將攻擊者設定的惡意程式下載至其主機內，而這些惡意程式可能會執行破壊、偷竊資料的行為或奪取使用者主機的控制權，得使用者的主機成為下一波攻擊的跳板。基於以上的理由，如何快速且有效地防止網頁竄改，變成為一件很重要的事。
本篇論文，我們提出一個根植於作業系統核心內之防止網頁竄改的機制-- WsP(Websites Protector)。WsP是以malbehavior-based的方式來偵測攻擊，所以，攻擊者即使利用網頁伺服器漏洞，如apache網頁伺服器緩衝區溢位弱點，發動攻擊，取得伺服器的Super User 權限，仍無法直接竄改網頁，除非攻擊者重新起始新的作業系統，而此動作很可能會引起原有系統管理者的注意。而在此同時除了確保網頁伺服器不會在不安全的環境下操作，WsP並不會改變網站系統管理者原有的管理網頁的方式，也就是說，我們的機制對使用者而言是完全透明的、感受不到的，但對攻擊者而言，WsP能準確地阻擋攻擊者的攻擊。

摘要(英)

Along with the fast development of Internet, the web servers become the important platforms of learning, educating, entertainment, information exchange and commercial service. Because of the growing importance of the web pages, altering web pages becomes the way that the attackers destroy the image of enterprises or expresses different ideology.
In addition, more and more attackers intrude the web server and do not change web pages appear on the browser, but to alter the web pages make the original web pages become fishing pages or insert the command of downloading files in the web pages. As the user browses the web pages its browser downloads the malware which the attackers set up to user’s computer automatically and the malware may carry out broken or stolen the user’s data or even capture the control of user’’s computer and then user’’s computer becomes the springboard of next attacks. On the basis of the reasons of the above, how to prevent web pages to be defaced fast and effectively turn into a very important thing.
In this research ,we propose a protect mechanism which is based on operating system kernel against web defacement attacks-- WsP(Websites Protector). WsP is base on malbehavior approach to detect attacks, even the attackers utilizes the loophole of web servers, eg.the buffer overflow vulnerability of Apache web server, to attack web servers and then gain Super User privileges of the servers.The attacker still unable to deface web pages directly unless the attacker start new operating system but this action will possibly cause the systematic administrator’s attention. Our mechanism at the same time dose not change the existing administrator’’s management, that is to say, our mechanism is totally transparent and unfeeling for user but WsP can resist the attacker’s attacks accurately.

關鍵字(中)

★ 網頁竄改
★ 網頁保護
★ 網路釣魚
★ 惡意軟體

關鍵字(英)

★ phishing
★ web protection
★ web defacement
★ malware

論文目次

摘要 i
Abstract ii
誌謝 iii
目錄 iv
圖目錄 vi
表目錄 viii
第一章緒論 1
1.1 研究背景 1
1.2 研究動機與目的 1
1.3 方法概述 2
1.4 章節架構 3
第二章網頁竄改技術 4
2.1 網頁伺服器軟體及其外掛程式漏洞攻擊 4
2.1.1 緩衝區溢位漏洞 5
2.1.2 目錄權限設定之漏洞 8
2.1.3 Unicode編碼解碼漏洞 8
2.2 phpBB軟體漏洞攻擊 9
2.3 URL指令漏洞攻擊 10
第三章相關研究 12
3.1 傳統防禦方法 12
3.2 完整性評估防禦方法 13
3.2.1 Tripwire 13
3.2.2 Dynamic web page protection 14
3.2.3 Webagain 16
3.2.4 SigNet 17
3.2.5 KNOPPIX 17
3.2.6 Curtailing web defacement using read-only strategy 18
3.2.7 Goldrake 18
3.2.8 完整性評估方法之比較 19
第四章 WsP系統設計 20
4.1 Apache相關說明 20
4.2 網頁竄攻擊行為分析 21
4.3 WsP系統設計 23
4.3.1 Wsp運作流程 23
4.3.2 作業系統核心修改 25
第五章實驗與討論 27
5.1 實驗環境 27
5.2 防禦測試 27
5.3 效能測試 30
5.3.1 Micro benchmark 30
5.3.2 Macro benchmark 31
5.4 誤判情形分析 34
5.4.1 false positive 34
5.4.2 false negative 37
第六章結論與未來展望 38
參考文獻 39
附錄 WsP程式碼 43

參考文獻

[1] Woo, Hyung-Jin, "Propaganda Wars in Cyberspace: A Content Analysis of Web Defacement Strategies among Politically Motivated Hacker Groups,"In the annual meeting of the International Communication Association, San Diego, CA, May 27, 2003.
[2] Gene H. Kim and Eugene H. Spafford, “Writing, Supporting, and Evaluating Tripwire: A Publicly Available Security Tool,” In Proceedings of USENIX Applications Development Symposium, Toronto, Canada, April 1994.
[3] Da-Wei Lin and Yi-Min Chen, “Dynamic Webpage protection based on Content integrity,” Int. J. Management and Enterprise Development, 2008, Vol. 5, No.1, pp. 63 - 76.
[4] Web Again, http://www.lockstep.com/webagain/index.html
[5] W. Fone and P. Gregory, "Web page defacement countermeasures," In Proceedings of the 3rd International Symposium on Communication Systems Networks and Digital Signal Processing, pages 26–29, Newcastle, UK, July 2002.IEE/IEEE/BCS.
[6] A. Cooks and M. S. Olivier, “Curtailing web defacement using a read-only strategy,” in Proceedings of the 4th Annual Information Security South Africa Conference, Midrand, South Africa, June/July 2004.
[7] A. Bartoli, E. Medvet, "Automatic Integrity Checks for Remote Web Resources," IEEE Internet Computing, vol. 10, no.6, pp. 56-62, Nov/Dec, 2006
[8] Ashish Gehani, Surendar Chandra and Gershon Kedem "Augmenting storage with an intrusion response primitive to ensure the security of critical data," ACM Conference on Computer Communications Security , Taipei, Taiwan, 2006
[9] Hollander, Yona, Prevent Web Site Defacement,
http://www.mcafee.com/us/local_content/white_papers/wp_2000hollanderdefacement.pdf
[10] Hollander, Yona, The Future of Web Server Security,
http://www.mcafee.com/us/local_content/white_papers/wp_future.pdf
[11] Web Site Defacement, http://www.infinityforensics.com/defacement.pdf
[12] R. Dhamija, J. D. Tygar, and M. Hearst, “Why phishing works,” In Proceedings of the SIGCHI conference on Human Factors in computing systems, Montréal, Québec, Canada, April, 2006.
[13] Statistics on Web Server Attacks for 2005 -2007, http://www.zone-h.org/content/view/14928/30
[14] 東森新聞陳曉藍, 台灣駭客攻擊事件四小龍之冠，90%銀行曾遭入侵http://www.nownews.com/2007/03/08/339-2063921.htm
[15] Netcraft,May 2008 Web Server servey, http://news.netcraft.com/archives/web_server_survey.html
[16] 呂芳懌、楊子逸，“IIS 網頁伺服器Unicode 漏洞探討”，第五屆資訊管理學術暨政資訊實務研討會，警察大學，2001 年，94-100頁。
[17] Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability, http://www.securityfocus.com/bid/1806/info
[18] CERT® Advisory CA-2002-17 Apache Web Server Chunk Handling Vulnerability,
http://www.cert.org/advisories/CA-2002-17.html
[19] Apache Chunked-Encoding Memory Corruption Vulnerability, http://www.securityfocus.com/bid/5033/info
[20] Apache remote exploit, http://www.derkeiler.com/Mailing-Lists/Securiteam/2005-04/0096.html
[21] CERT® Advisory CA-2002-27 Apache/mod_ssl Worm, http://www.cert.org/advisories/CA-2002-27.html
[22] Frédéric Perriot and Peter Szor, An Analysis of the Slapper Worm Exploit, http://www.symantec.com/avcenter/reference/analysis.slapper.worm.pdf
[23] Symeantect, CodeRed worm, http://www.symantec.com/security_response/writeup.jsp?docid=2001-071911-5755-99
[24] Microsoft, Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise, http://www.microsoft.com/technet/security/bulletin/MS01-033.mspx
[25] phpBB, howdark.com exploits, http://www.phpbb.com/community/viewtopic.php?f=14&t=240513
[26] US-CERT, phpBB viewtopic.php fails to properly sanitize input passed to the "highlight" parameter,
http://www.kb.cert.org/vuls/id/497400
[27] Symeantect, Perl.Santy.A., http://www.symantec.com/security_response/writeup.jsp?docid=2004-122109-4444-99
[28] Robert Lemos, Net worm using Google to spread, http://news.zdnet.com/2100-1009_22-5499725.html
[29] SQL Injection Walkthrough, http://www.securiteam.com/securityreviews/5DP0N1P76E.html
[30] Microsoft『資料隱碼』SQL Injection的源由與防範之道, http://www.microsoft.com/taiwan/sql/SQL_Injection.htm
[31] 恆逸資訊胡百敬, SQL Injection (資料隱碼)– 駭客的 SQL填空遊戲(上),
http://www.microsoft.com/taiwan/sql/SQL_Injection_G1.htm
[32] KNOPPIX, http://www.knopper.net/knoppix/index-en.html
[33] Fielding, et al, part of Hypertext Transfer Protocol -- HTTP/1.1 RFC 2616, http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
[34] LinuxQuestions.org,
http://wiki.linuxquestions.org/wiki/Securing_Apache#Dangerous_HTTP
[35] ApacheWeek, Publishing Pages with PUT, http://www.apacheweek.com/features/put
[36] Accessory Scripts,
http://www.w3.org/Daemon/User/Config/Accessories.html#POST-Script
[37] Wikipedia,Web-hosting service,
http://en.wikipedia.org/wiki/Web_hosting
[38] Web Hosting 檔案傳輸,
http://big5.website-solution.net/support_tutorial.html#da
[39] Web Hosting 網頁上傳,
http://www.webhosting.com.hk/menu.php
[40] Windows SharePoint Services,
http://technet.microsoft.com/zh-tw/windowsserver/sharepoint/bb267377
(en-us).aspx
[41] 微軟 IIS 5.0 緩衝區滿溢漏洞,
http://www.hkcert.org/archive/salert/chinese/s030318_win_webdav.html
[42] CVE-2003-0109,
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0109

指導教授

許富皓(Fu-hau Hsu)

審核日期

2008-7-22

推文