
Graduate student: 詹世民 (SHIN-MIN CHAN)
Thesis title (Chinese): Design of a Static Code Analysis Service That Accounts for Emerging Software Development Frameworks: ASP.NET MVC as an Example
Thesis title (English): A Static Code Analysis Service for Web Applications Considering Emerging MVC Frameworks of Program Languages
Advisor: 查士朝 (Shi-Cho Cha)
Committee members: 羅乃維 (Nai-Wei Lo), 蔡益坤 (Yih-Kuen Tsay)
Degree: Master
Department: College of Management, Department of Information Management
Year of publication: 2010
Academic year of graduation: 98 (ROC calendar)
Language: Chinese
Pages: 47
Keywords (Chinese): Code Review, Web Application Security, Design Pattern, MVC Framework
Keywords (English): Code Review, Web Application Security, Design Pattern, MVC Framework
Code review is one of the effective methods for building and verifying software security. Many current software development processes and standards, such as McGraw's Touchpoints, OWASP's CLASP and Microsoft's SDL, include code review as part of the software development life cycle. They require that security requirements be considered during the development phases and, through manual or automated review, help developers quickly locate weaknesses hidden in the code and reduce the manpower and time spent on patching after the fact.

With the development of Web technology, many enterprises and organizations increasingly provide Web-based applications, so Web applications play an important role in many places, and many analysis tools targeting Web applications have appeared. However, in recent years Web applications have often adopted frameworks that are not part of the programming language itself. As a result, an analysis tool that supports a given language is frequently unable to analyze programs written in that language on top of a particular framework.

Among the many Web application architectures, one that is commonly adopted today is MVC (Model-View-Controller). The MVC architecture divides a Web application by its business logic, interface design and program flow into three main components, the Model, the View and the Controller, and satisfies user requirements through the interaction of these three components. When such a framework is used, the application is still written in a language the analysis tool supports, but the framework's own libraries and configuration files prevent the tool from resolving the flow of the application, so the tool fails.

Therefore, so that reviewers can still analyze Web applications built on an MVC framework before their analysis tools support that framework, and without substantially changing the application's own structure, this research develops a method that analyzes the entry points and flows of the Web application and automatically generates auxiliary code or transforms the code specific to the MVC framework, so that existing analysis tools can complete their analysis. It also removes the constraint of having to avoid a safer or more efficient framework when developing a Web application merely because the analysis tools do not support it.


Code review is one of the most effective ways to improve the security of application software. Several guidelines and best practices for secure software development processes include security code reviews as part of the development life cycle. Code reviews help development teams find potential bugs in the software, which reduces the time spent finding and fixing bugs after the application is released.

With the advances in Web technology, many organizations are turning their applications into Web-based applications. Several vendors have proposed Web application source code security analysis tools. These tools usually analyze the flows of an application to find its vulnerabilities. However, current Web applications usually adopt different frameworks, such as MVC frameworks, and different MVC frameworks usually use different approaches to control the flow of an application. Even when a Web application source code security analysis tool can analyze applications developed in a given programming language, the tool may fail to understand the flow of an application that uses an MVC framework, so the application cannot be analyzed by the tool. Consequently, when a new MVC framework is proposed, vendors of Web application source code security analysis tools usually need to modify their tools before they can analyze applications that follow the framework.

To solve this problem, we use flow-sensitive analysis and data flow analysis to automatically generate additional code or translate MVC-specific features into equivalent methods for source code analysis tools. The proposed solution can reduce the cost to vendors of Web application source code security tools of finding workarounds without updating their tools.

Table of contents:
Chapter 1: Introduction 1
  1.1 Research background 1
  1.2 Research motivation and objectives 5
Chapter 2: Background and literature review 7
  2.1 Analysis methods 7
  2.2 Analysis tools 10
  2.3 The MVC design pattern 17
  2.4 ASP.NET MVC implementation 24
Chapter 3: Problem definition 27
Chapter 4: Proposed approach 31
  4.1 System architecture 31
  4.2 Implementation example for ASP.NET MVC 35
    4.2.1 Concept 35
    4.2.2 Experiment 38
Chapter 5: Conclusions and suggestions for future research 41
  5.1 Conclusions 41
  5.2 Suggestions for future research 41
References 43


Full text available from 2012/07/26 (campus network)
Full text not authorized for public release (off-campus network)
Full text not authorized for public release (National Central Library: Taiwan Thesis and Dissertation System)