
Student: Chiao-Lin Yu (游照臨)
Title: 基於微服務與執行階段防護系統之誘捕網路設計 — 以 WordPress 為例 (A Honeypot Design Based on RASP and Micro Services - An Example of WordPress)
Advisor: Jiann-Liang Chen (陳俊良)
Committee: Yau-Hwang Kuo (郭耀煌), Yea-Li Sun (孫雅麗), Wan-Jiun Liao (廖婉君), Bih-Hwang Lee (黎碧煌), Jiann-Liang Chen (陳俊良)
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Electrical Engineering
Year of publication: 2022
Academic year of graduation: 110
Language: Chinese
Pages: 74
Chinese keywords: Information Security; Microservices; Runtime Application Self-Protection; Honeynet; Honeypot
Foreign keywords: Micro Services, RASP, Honeypot
Views: 228; Downloads: 6
    This study uses Runtime Application Self Protection (RASP) to build a honeypot system that can detect unknown threats, implemented by modifying and instrumenting the Zend VM in the PHP kernel. Using microservices, each service is placed in its own container, and the distributed orchestration of Kubernetes makes large-scale deployment, management and updating convenient. The system aims to capture the attack payloads that attackers use when exploiting vulnerabilities. By monitoring the control logic of PHP applications with RASP, it can target a range of evasion techniques and achieves better results than WAFs and existing honeypot technologies.

    Based on the OWASP Top 10 2021 and CWE, this study also proposes detection techniques for five vulnerability types that commonly appear in PHP systems: Directory Traversal, Local / Remote File Inclusion, Command Injection, Web Shell Uploading and SQL Injection.

    For presenting results, a RESTful API server receives the data and a web interface displays all attack data, including the source IP and the debug function call stack. For the performance and result evaluation, 25 CVE vulnerabilities disclosed on sites such as Exploit-DB, GitHub and WPScan were used; all of the vulnerabilities and their PoCs were successfully captured by our RASP honeypot.

    In addition, this study used obfuscation techniques to write a web shell that evades every antivirus engine on VirusTotal; this malicious backdoor is easily captured by the proposed system. The system was also deployed on a cloud platform, where it successfully captured PoCs for 5 CVE vulnerabilities and 1 zero-day vulnerability.


    In this study, the Runtime Application Self Protection (RASP) technique is used to construct a system that captures unknown vulnerabilities in the web security field. The system applies the microservices method, with each service in its own container, using Kubernetes and Docker. It prevents attacks and is easily deployed and maintained. RASP techniques that monitor the control flow of a PHP application can target various defensive and evasive techniques.

    The proposed concept can help companies capture cyber threats against their products. The proposed system does not suffer from the common weakness of existing honeypot products: being easily discovered.

    According to the OWASP Top 10 and CWE, this study proposes detection for five kinds of web application vulnerabilities in PHP: Directory Traversal, Local / Remote File Inclusion, Command Injection, Web Shell Uploading, and SQL Injection, and maps them onto the MITRE ATT&CK Enterprise Matrix.

    In this study, the RESTful API server receives the data from each honeypot node and provides a web interface to present the results. The data shown in the system include the source IP, the function debug call stack, the raw request, and the Tactics, Techniques, and Procedures (TTP).

    25 CVE vulnerabilities were used for testing, and all of the tests against the proposed system were captured. This study also deployed the system on a cloud platform and captured 6 CVE and 1 zero-day vulnerabilities in total.

    Chinese Abstract i
    Abstract ii
    Acknowledgements ii
    Contents iv
    List of Figures vii
    List of Tables ix
    1 Introduction 1
    1.1 Motivation 1
    1.1.1 The Honeypot Technology 1
    1.1.2 Target 1
    1.2 Contributions 3
    1.3 Organization 5
    2 Related Works 6
    2.1 Honeypot Design 6
    2.2 Wordpress Security 7
    2.3 Threat Modeling 7
    2.4 Taint Analysis 8
    2.5 Command Execution 9
    2.6 Container & Micro Services 9
    3 Proposed System 11
    3.1 System Overview 11
    3.2 The PHP Kernel 11
    3.2.1 The Zend Virtual Machine 12
    3.2.2 The PHP Operation Code 13
    3.2.3 The Operation Code and Function Hook 15
    3.3 Taint Analysis 18
    3.4 Weaknesses Definition and Detection 21
    3.4.1 Directory Traversal 24
    3.4.2 Local / Remote File Inclusion 27
    3.4.3 Command Injection and Execution 30
    3.4.4 SQL Injection 33
    3.4.5 Web Shell Uploading 36
    3.5 Auto Install Script 39
    3.6 System Architecture 40
    3.6.1 Micro Services and Kubernetes 40
    3.6.2 Honeypot Pod 43
    3.6.3 Command Pod 44
    3.6.4 Dashboard Pod 44
    4 System Analysis Methods 47
    4.1 Vulnerable Environment Preparation 47
    4.2 Aggressive Testing 47
    4.3 Passive Testing 49
    5 Performance Analysis 50
    5.1 Aggressive Testing 50
    5.2 Passive Testing 53
    5.3 Compare with Other Study 55
    6 Conclusions and Future Works 57
    6.1 Conclusions 57
    6.2 Future Works 57
    References 59
