The Research of Aspect-Oriented Dynamic Analysis Based on Static Analysis.
Lifang Han,Tingting Hou,Songling Shan,Yikang Li,Baojiang Cui
DOI: https://doi.org/10.1109/BWCCA.2015.72
2015-01-01
Abstract:In recent years, the web security events emerge in endlessly, web security has been widely concerned. Among these web security flaws, defects of unchecked input occupy the majority. The unchecked input defect refers to not reasonable verification of input from users and the environment, which will cause the system to be used by attackers. This paper mainly focuses on the XSS defect and SQL injection defects in Java language. XSS refers to the attacker writing malicious data to the program. When other users access to the page, the malicious data will be executed in the browser, and then get to other permissions. SQL injection refers to that an attacker constructs malicious input to access the database. This may result to changes to the database contents, or access to sensitive data in the case of unauthorized. Common defect detection methods include static analysis and dynamic analysis. The dynamic analysis process is mainly concerned with the behavior of the program, that is, the change of the program's behavior and output caused by the program's input. It is analysis of \"taking the input as the center\". And the static analysis process is mainly concerned with the structure of the program, that is, through the abstract program structure to analyze the procedural defects. It is \"the program as the center\" of the analysis. In comparison, the results of dynamic analysis are more accurate, and the static analysis results has higher false positive rate. This is because the static analysis abstracts the program information in order to ensure the efficiency and effectiveness of the program, which does reduce the load of the program, but increases the false alarm rate. In this paper, we put forward aspect-oriented dynamic analysis technique based on static analysis. Aspect-oriented dynamic analysis is a method of modular cross point. First of all, we perform static analysis for Java source code, to find the Source-sink. Then we use the AspectJ tool to carry out the aspect-oriented dynamic analysis by tracking program.