JP2014174577A - Verification device, verification method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To appropriately dispose a sanitizer while reducing operation man-hours.SOLUTION: The verification device includes: a data flow analysis unit that extracts an input point node, an output point node, and a sanitization node to analyze a data flow of a source code, and generates a digraph representing a data flow including nodes from the input point node to the output point node; a first extraction unit that extracts, in the nodes included in the digraph, a taint node that is on a route not passing through the sanitization node, a downstream node that is disposed at a downstream side of the sanitization node, and an upstream node that is disposed in the upstream side of the sanitization node, on the basis of the digraph and the sanitization node; and a second extraction unit that extracts a candidate node representing a candidate of a node to which sanitization processing is allocated on the basis of the taint node, the downstream node, and the upstream node, and outputs information representing a position on the source code corresponding to the extracted candidate node, to an output unit.

Description

  The present invention relates to a verification device, a verification method, and a program.

  2. Description of the Related Art In recent years, a technology for performing static analysis (static analysis) at a program development stage (for example, a source code stage) is known for security vulnerabilities (see, for example, Patent Document 1). In the technique described in Patent Document 1, the data flow of the source code is analyzed, and security vulnerabilities are extracted based on the analysis result.

JP 2008-502046 A

  By the way, in the technique for performing the static analysis as described above, a verification apparatus as a static analysis tool specialized for security is widely known as a technique for verifying the vulnerability of a Web application at the source code level. Such a verification device is, for example, an output point that should be considered for security, such as a point where a screen output point or a processing request (query) to a database is transmitted from an external input point (Source) on the source code. Analyzes the data flow to (Sink). Then, the verification device verifies whether or not escape processing (Sanitizer) corresponding to the output point is applied to all the paths in the data flow, and identifies a place where there is a possibility of vulnerability in the source code. Output. Such an analysis method is called contamination analysis.

  However, in the above-described verification apparatus, when a location that may be vulnerable is found as a result of the contamination analysis, it is necessary for humans to carefully perform the work of correcting the sanitizer so that it is properly arranged. . In the verification device described above, for example, the path from the input point to the output point may be detected enormously depending on the size and complexity of the source code. In such a case, the sanitizer is modified so that it is appropriately arranged. There is a problem that the number of work steps required for the work to be performed becomes enormous. In the above-described verification device, for example, when the sanitizer is manually arranged, the sanitizer may be mistakenly arranged in one path. In such a case, since the sanitizer is inserted twice and the escape process is executed twice, the program may not be able to correctly output the data that should be output. As described above, the above-described verification apparatus has a problem that a sanitizer may be mistakenly arranged in one path.

  The present invention has been made to solve the above problems, and an object of the present invention is to provide a verification device, a verification method, and a program capable of appropriately arranging a sanitizer while reducing the number of work steps.

  In order to solve the above problem, according to one aspect of the present invention, the source code is acquired from the source code storage unit that stores the source code, and the input point node that inputs the data included in the acquired source code, data Output point nodes, and detoxification nodes corresponding to processing for detoxifying special characters that cause vulnerabilities included in data, respectively, the input point node, the output point node, and the detoxification node Is extracted based on the description information acquired from the rule information storage unit that stores the description information indicating the description corresponding to, the data flow of the source code is analyzed, and from the input point node to the output point node A data flow analysis unit that generates a directed graph showing the data flow including nodes, and analyzes the data flow of the source code And a data flow analysis unit that generates a directed graph indicating the data flow including nodes from the input point node to the output point node, the directed graph generated by the data flow analysis unit, and the detoxification node. Based on the node included in the directed graph, a contaminated node that is a node on a path that does not pass through the detoxification node, a downstream node that is a node disposed downstream of the detoxification node, and the harmless Based on the first extraction unit that extracts an upstream node that is a node arranged upstream of the conversion node, the contaminated node, the downstream node, and the upstream node extracted by the first extraction unit, Extract a candidate node indicating a candidate of a node where a process to be rendered harmless is arranged, and on the source code corresponding to the extracted candidate node The verification device characterized by comprising a second extracting unit for outputting information indicating the location in the output section.

  Further, according to one aspect of the present invention, in the verification device, the second extraction unit includes nodes that are included in a candidate set that excludes the set of downstream nodes and the set of upstream nodes from the set of contaminated nodes. Are extracted as the candidate nodes.

  Further, according to one aspect of the present invention, in the verification device, the second extraction unit selects a node closest to the output point node in the route on the directed graph among the extracted candidate nodes as a highest priority. It is characterized by extracting as a candidate node.

  In addition, according to one aspect of the present invention, in the verification device, the second extraction unit determines, as the candidate node, a node that is a branch destination in the route on the directed graph among the extracted candidate nodes. It is characterized by lowering the priority.

  In addition, according to another aspect of the present invention, in the verification device, the second extraction unit is configured to select the candidate for a node that is a convergence destination of a branch on the route on the directed graph among the extracted candidate nodes. It is characterized by raising the priority as a node.

  Further, according to one aspect of the present invention, in the verification device, the second extraction unit includes the input point node and the output point when the directed graph includes a plurality of input point nodes or a plurality of output point nodes. The candidate nodes are extracted for each combination with a node.

  Further, according to one aspect of the present invention, in the verification apparatus, when the candidate nodes extracted for each of the combinations overlap, the second extraction unit performs The priority order as the candidate node is increased.

  Further, according to one embodiment of the present invention, the data flow analysis unit acquires the source code from the source code storage unit that stores the source code, and includes an input point node that inputs data included in the acquired source code, data Output point nodes, and detoxification nodes corresponding to processing for detoxifying special characters that cause vulnerabilities included in data, respectively, the input point node, the output point node, and the detoxification node Is extracted based on the description information acquired from the rule information storage unit that stores the description information indicating the description corresponding to, the data flow of the source code is analyzed, and from the input point node to the output point node A data flow analyzing step for generating a directed graph indicating the data flow including nodes, and a first extraction unit comprising: -Based on the directed graph generated by the analysis step and the detoxification node, among the nodes included in the directed graph, a contaminated node that is a node on a path that does not pass through the detoxification node; A first extraction step of extracting a downstream node that is a node arranged downstream of the decontamination node and an upstream node that is a node arranged upstream of the detoxification node; and a second extraction unit, Based on the contaminated node, the downstream node, and the upstream node extracted by one extraction step, a candidate node indicating a candidate of a node where the processing to be rendered harmless is extracted, and corresponds to the extracted candidate node And a second extraction step of causing the output unit to output information indicating the position on the source code.

  Further, according to one embodiment of the present invention, a data flow analysis unit acquires the source code from a source code storage unit that stores a source code, and stores data included in the acquired source code in a computer as a verification device. An input point node to input, an output point node to output data, and a detoxification node corresponding to a process for detoxifying special characters that cause a vulnerability included in data, the input point node, the output point node, And extracting based on the description information acquired from the rule information storage unit storing description information indicating the description corresponding to each of the detoxification nodes, analyzing the data flow of the source code, and the input point node Data flow analysis step for generating a directed graph indicating the data flow including nodes from the output point node to the output point node The first extraction unit is on a path that does not pass through the detoxification node among the nodes included in the directed graph based on the directed graph generated by the data flow analysis step and the detoxification node. A first extraction step of extracting a contaminated node, a downstream node that is a node disposed downstream of the detoxification node, and an upstream node that is a node disposed upstream of the detoxification node; The second extraction unit selects candidate nodes indicating candidate nodes for arranging the detoxifying process based on the contaminated node, the downstream node, and the upstream node extracted in the first extraction step. And performing a second extraction step of causing the output unit to output information indicating a position on the source code corresponding to the extracted candidate node. It is because of the program.

  According to the present invention, the sanitizer can be appropriately arranged while reducing the work man-hours. In addition, since an appropriate candidate node that does not place a sanitizer in duplicate is extracted, it is possible to avoid double insertion of a sanitizer.

It is a schematic diagram which shows an example of the contamination analysis which concerns on this invention. It is a figure which shows an example of the detoxification process (escape process) by the special character and sanitizer which cause a vulnerability. It is a block diagram which shows an example of the verification apparatus by 1st Embodiment. It is a figure which shows an example of a data structure of the rule information storage part in this embodiment. It is a figure which shows an example of a data structure of the graph information storage part in this embodiment. It is a figure which shows an example of a data structure of the extraction information storage part in this embodiment. It is a figure which shows an example of a data structure of the candidate information storage part in this embodiment. It is a flowchart which shows an example of operation | movement of the verification apparatus in this embodiment. It is a schematic diagram which shows an example of the data flow analysis in this embodiment. It is a schematic diagram which shows an example of the directed graph in this embodiment. It is a schematic diagram which shows an example of the list information which shows the directed graph in this embodiment. It is a figure which shows an example of the data flow analysis result in this embodiment. It is a flowchart which shows an example of the sanitizer candidate extraction process in 1st Embodiment. It is a 1st figure explaining an example of the procedure (extraction of a downstream node) of the candidate extraction process of the sanitizer in this embodiment. It is a 2nd figure explaining an example of the procedure (extraction of an upstream node) of the candidate extraction process of the sanitizer in this embodiment. It is a 3rd figure explaining an example of the procedure (extraction of a contamination node) of the sanitizer candidate extraction process in this embodiment. It is a 4th figure explaining an example of the procedure (extraction of a candidate node) of the candidate extraction process of the sanitizer in this embodiment. It is a figure explaining the effect of the verification apparatus in this embodiment. It is a figure which shows an example of the double insertion of the sanitizer by the conventional pollution analysis. It is a figure explaining an example of the sanitizer candidate extraction process in 2nd Embodiment. It is a flowchart which shows an example of the candidate extraction process of the sanitizer in 2nd Embodiment. It is a figure explaining an example of the sanitizer candidate extraction process in 3rd Embodiment. It is a flowchart which shows an example of the sanitizer candidate extraction process in 3rd Embodiment.

First, before describing embodiments of the present invention, terms used in this specification are defined below.
“Static analysis” refers to analysis performed on source code without operating a program, and “data flow analysis” described later is one of “static analysis”.
“Data flow analysis” is an analysis for tracking the flow of processing related to data when attention is given to certain data (variables, objects, etc.) in the program.

  “Taint analysis” is a kind of data flow analysis, and is an analysis method for analyzing a data flow between a source and a sink. In the “contamination analysis”, all sources are considered to be contaminated, and if they pass the sanitizer in the middle of the data flow path, they are considered to be harmless. Based on this idea, in the “contamination analysis”, it is determined that “safe” is performed when detoxified data reaches the sink in all possible paths from the source to the sink. If there is any route that does not pass through the sanitizer, it is determined as “dangerous”.

For example, the directed graph shown in FIG. 1 shows an example of contamination analysis.
In FIG. 1, a data flow graph (directed graph G1) is a directed graph showing a data flow between a source node sc1 (“Source1”) and a sink node sk1 (“Sink1”). This data flow graph (directed graph G1) includes nodes n01 to n30, and among these nodes n01 to n30, nodes n05, n06, node n16, and nodes n30 corresponding to the sanitizer (detoxification nodes). ). Here, each “node” corresponds to processing related to data in the source code. The “node” included in the data flow graph (directed graph G1) includes a source node sc1, a sink node sk1, and a detoxification node.

  In the example illustrated in FIG. 1, there is a path that does not pass through the sanitizer, and the nodes n12 to n14 may process data that does not pass through the sanitizer. Therefore, the sink node sk1 is determined to be “dangerous”.

  “Source” indicates a process in which data input from the outside is taken into the program, or a position on the program where the process is described. The position of the source code corresponding to “Source” may be referred to as “Source Node” (input point node) in the following description.

  “Sink” indicates a process in which a user input is processed in a program and output to a screen or a database, or a position on the program in which the process is described. Specifically, a “sink” is a process that may cause an unintended security breach when a dangerous character string is output, or a position on the program where the process is described. It is. Note that the position of the source code corresponding to “Sink” may be referred to as “sink node” (output point node) in the following description.

  “Sanitizer” indicates a process of escaping a specific character that may cause a vulnerability if it is output to a sink as it is among characters included in the user's input. Specifically, “Sanitizer” has a special meaning at the output destination of the sink so that data that may be passed to the sink does not cause an unintended security breach after it is output at the sink. A function (or method) for converting a character string (special character) into an escaped character string, or a position on the program where it is described. In other words, “Sanitizer” is a process of detoxifying special characters that cause vulnerability in data. Note that the location of the source code corresponding to “Sanitizer” may be referred to as “sanitizer node” (detoxification node) in the following description.

As shown in FIG. 2, the “sanitizer” performs different processing depending on the type of sink.
FIG. 2 is a diagram illustrating an example of a harmless process (escape process) using special characters and sanitizers that cause vulnerability.
In this figure, the items in the column of the table are (a) “output destination”, (b) “escape processing name”, (c) “target vulnerability”, (d) “escape target character”, (e) “Escape result” and (f) “Double escape result” are shown. Here, (a) “output destination” indicates the type of sink, and (c) “target vulnerability” indicates the type of vulnerability. In addition, (d) “escape target character” indicates a special character that causes a vulnerability, and (e) “escape result” indicates a result when sanitizer processing is executed (detoxified result). Yes.
Also, in this figure, the table shows (a) “HTML” (Hyper Text Markup Language), “Javascript (registered trademark)” (Javascript), and “SQL sentence” (Escuel sentence) as “output destination”. These three types are shown.
Also,

  In the example shown in FIG. 2, (b) “escape processing name” corresponding to “HTML” is “HTML escape”, and (c) “target vulnerability” is “cross-site scripting”. Also, (d) “escape target characters” (special characters) corresponding to “HTML” are “&”, “<”, “<”, “” ”, and“ ′ ”. On the other hand, the character string as a result of executing the sanitizer processing indicates “&amp;”, “&lt;”, “&gt;”, “&quot;”, and “&#39;” in order. . For example, the sanitizer process corresponding to “HTML” is a process of converting the character string “&” into a character string “&amp;” when the character “&” is included in the data.

In addition, (b) “escape processing name” corresponding to “Javascript” is “Javascript escape”, and (c) “target vulnerability” is “cross-site scripting”. Also, (d) “escape target characters” (special characters) corresponding to “Javascript” are “′”, “” ”,“ ¥ ”,“ 0x0d ”,“ 0x0a ”,“ / ”,“> ”, And “<”, and the character string resulting from the sanitizer processing for each special character is “\ ′”, “¥” ”,“ ¥¥ ”,“ ¥ r ”,“ ¥ ”in order. n ”,“ ¥ / ”,“ ¥ x3e ”, and“ ¥ x3c ”. For example, the sanitizer process corresponding to “Javascript” is a process of converting a character string “¥” into a character string “¥” when the character “′” is included in the data.
Further, (b) “escape processing name” corresponding to “SQL sentence” is “SQL escape”, and (c) “target vulnerability” is “SQL injection”. In addition, (d) “escape target character” (special character) corresponding to “SQL sentence” is “′”, and the character string obtained as a result of executing the sanitizer process for this special character is “′”. "".

Based on such definitions, a verification apparatus 1 according to an embodiment of the present invention will be described below with reference to the drawings.
[First Embodiment]
FIG. 3 is a block diagram illustrating an example of the verification apparatus 1 according to the first embodiment.
In FIG. 3, the verification apparatus 1 includes an input unit 10, a source code storage unit 20, a verification storage unit 30, a display unit 40, and a control unit 50.
The verification apparatus 1 according to the present embodiment extracts a path in which a sanitizer is not inserted from all paths in the data flow by data flow analysis, and a candidate position (source code file) to insert the sanitizer on the source code. Name and line number).

  The input unit 10 is, for example, an input device such as a keyboard, and various information for operating the verification device 1 is input based on a user operation. The input unit 10 outputs information input by the user to the control unit 50.

  The source code storage unit 20 stores a source code to be verified. Here, the source code is a file describing a program, and the source code may be divided into a plurality of files and stored in the source code storage unit 20.

  The verification storage unit 30 stores various information for the verification device 1 to verify the vulnerability of the program. The verification storage unit 30 includes a rule information storage unit 31, a graph information storage unit 32, an extraction information storage unit 33, and a candidate information storage unit 34.

  The rule information storage unit 31 stores diagnostic rule information for verifying vulnerability. For example, as illustrated in FIG. 4, the rule information storage unit 31 stores “source information”, “sink information”, and “sanitizer information” in advance.

FIG. 4 is a diagram illustrating an example of a data configuration of the rule information storage unit 31 in the present embodiment.
In the example illustrated in FIG. 4, “source information” (source description information) is description information of a process (function or method) corresponding to the source, for example, “getParameter ()”.
Further, “sink information” (sink description information) is description information of a process (function or method) corresponding to a sink, for example, “getWriter ()”, “getOutputStream ()”, and the like.
“Sanitizer information” (detoxification description information) is description information of a process (function or method) corresponding to the sanitizer, for example, “sanitizeString ()”.

  Returning to FIG. 3, the graph information storage unit 32 stores a data flow graph (directed graph) generated by the control unit 50 through data flow analysis. For example, as illustrated in FIG. 5, the graph information storage unit 32 stores “source node information”, “sink node information”, and “directed graph information” in association with each other.

FIG. 5 is a diagram illustrating an example of a data configuration of the graph information storage unit 32 in the present embodiment.
In this figure, “source node information” indicates information for identifying the source node. The “sink node information” indicates information for identifying a sink node. “Directed graph information” indicates information that represents a directed graph, which is a data flow graph, as a list of data. The “directed graph information” expresses the directed graph by a list including a plurality of pieces of information in which the edge connection source node and the connection destination node are associated with each other. Details of the “directed graph information” will be described later.

  Returning to FIG. 3 again, the extraction information storage unit 33 stores various types of information used for processing to extract sanitizer nodes that are sanitizer candidates. For example, as illustrated in FIG. 6, the extraction information storage unit 33 stores “source node information”, “sink node information”, and “extraction information” in association with each other.

FIG. 6 is a diagram illustrating an example of a data configuration of the extraction information storage unit 33 in the present embodiment.
In this figure, “source node information” indicates information for identifying the source node. The “sink node information” indicates information for identifying a sink node. The “extraction information” includes “sanitizer node information”, “contaminated node information”, “upstream node information”, and “downstream node information”. That is, the extraction information storage unit 33 stores “sanitizer node information”, “contaminated node information”, and “upstream node information” as “extraction information” in association with each other.
Here, “sanitizer node information” is information indicating a node corresponding to the sanitizer, and “contaminated node information” passes through the sanitizer node among a plurality of paths between the source node and the sink node. This is information indicating a node included in a route not to be transmitted. The “upstream node information” is information indicating a node located upstream of the sanitizer node among the nodes between the source node and the sink node, and the “downstream node information” is information on the source node and the sink node. Information indicating a node located downstream of the sanitizer node among the nodes between.

  In the example illustrated in FIG. 6, for example, the “source node information” is “Source1 (sc1)” and the “sink node information” is “Sink1 (sk1)”. n05, n06, n16, n30,..., and “contaminated node information” indicates “n01, n02, n03, n08,. In this case, “upstream node information” is “n01, n02, n03, n04,...” And “downstream node information” is “n07, n12, n13, n14”. .

  Returning to FIG. 3 again, the candidate information storage unit 34 stores information indicating candidate nodes into which the sanitizer extracted by the control unit 50 is inserted. For example, as illustrated in FIG. 7, the candidate information storage unit 34 stores “source node information”, “sink node information”, and “candidate node information” in association with each other.

FIG. 7 is a diagram illustrating an example of a data configuration of the candidate information storage unit 34 in the present embodiment.
In this figure, “source node information” indicates information for identifying the source node. The “sink node information” indicates information for identifying a sink node. The “candidate node information” is information indicating candidate nodes into which the sanitizer is inserted.
In the example illustrated in FIG. 7, for example, the “candidate node information” corresponding to the case where the “source node information” is “Source1 (sc1)” and the “sink node information” is “Sink1 (sk1)” is “n08”. , N09, n10, and n11 ″.

  Returning to FIG. 3 again, the display unit 40 is a display device such as a display, for example, and displays information such as a result of analysis by the control unit 50 and a candidate position to insert a sanitizer.

The control unit 50 is, for example, a processor including a CPU (Central Processing Unit) and the like, and comprehensively controls the verification device 1. For example, the verification apparatus 1 performs data flow analysis based on the source code stored in the source code storage unit 20 and extracts a path in which the sanitizer is not inserted from all paths of the analyzed data flow. At the same time, a candidate position (source code file name and line number position) for inserting the sanitizer on the source code is output.
The control unit 50 includes a data flow analysis unit 51, a node extraction unit 60, a candidate extraction unit 55, and a result output unit 56.

  The data flow analysis unit 51 analyzes the data flow of the source code and generates a directed graph corresponding to the data flow from the source node to the sink node. Specifically, the data flow analysis unit 51 reads a source code (source code file) stored in the source code storage unit 20 and extracts a source node, a sink node, and a sanitizer node. The data flow analysis unit 51 determines the source node on the source code based on the source description information stored in the rule information storage unit 31 (see “source information” in FIG. 4) when extracting the source node. To do. Further, when extracting the sync node, the data flow analyzing unit 51 determines the sync node on the source code based on the sync description information (see “sink information” in FIG. 4). Further, when extracting the sanitizer node, the data flow analysis unit 51 determines the sanitizer node on the source code based on the detoxification description information (see “sanitizer information” in FIG. 4).

  As shown in FIG. 6, the data flow analysis unit 51 stores the “sanitizer node information” of the extracted sanitizer node in the extraction information storage unit 33 in association with “source node information” and “sink node information”. . Here, “sanitizer node information” indicates a sanitizer node arranged in the path between the source node indicated by the corresponding “source node information” and the node indicated by “sink node information”. Yes.

In addition, the data flow analysis unit 51 tracks the flow of processing related to data based on the read source code and the extracted source node, sink node, and sanitizer node, and the path of the path that the data flow of the source code has Analyze the route (dangerous route) that does not pass through our sanitizer (perform data flow analysis). Further, the data flow analysis unit 51 generates a data flow graph (directed graph) corresponding to the data flow including the analyzed nodes from the source node to the sink node, and stores the generated data flow graph in the graph information storage unit 32. . For example, as illustrated in FIG. 5, the data flow analysis unit 51 stores “source node information”, “sink node information”, and “directed graph information” of the generated data flow graph in association with each other.
Details of data flow analysis processing and directed graph generation processing by the data flow analysis unit 51 will be described later.

Based on the directed graph stored in the graph information storage unit 32 and the sanitizer node extracted by the data flow analysis unit 51, the node extraction unit 60 (first extraction unit) is a contamination of the nodes included in the directed graph. Nodes, downstream nodes, and upstream nodes are extracted. Here, the contaminated node is a node on a path that does not pass through the sanitizer node among the nodes included in the directed graph. The downstream node is a node arranged downstream of the detoxification node among the nodes included in the directed graph. Further, the upstream node is a node arranged upstream of the harmless node among the nodes included in the directed graph.
As illustrated in FIG. 6, the node extraction unit 60 associates the extracted contaminated node, the downstream node, and the upstream node with each other and stores them in the extraction information storage unit 33.
The node extraction unit 60 includes a contaminated node extraction unit 52, a downstream node extraction unit 53, and an upstream node extraction unit 54.

  Based on the directed graph acquired from the graph information storage unit 32 and the sanitizer node acquired from the extracted information storage unit 33, the contaminated node extraction unit 52 extracts a contaminated node from the nodes included in the directed graph. Specifically, the contamination node extraction unit 52 excludes a route passing through the sanitizer node from all the routes of the data flow included in the directed graph, and extracts the remaining route as a dangerous route (contamination route). Then, the contaminated node extraction unit 52 extracts nodes other than the source node and the sink node among the nodes included in the extracted dangerous route as the contaminated nodes.

  The downstream node extraction unit 53 extracts a downstream node among the nodes included in the directed graph based on the directed graph acquired from the graph information storage unit 32 and the sanitizer node acquired from the extraction information storage unit 33. Specifically, the downstream node extraction unit 53 extracts nodes included in all routes from one sanitizer node to the sink node included in the directed graph as downstream nodes. Further, the downstream node extraction unit 53 performs the processing for extracting the downstream node for one sanitizer node in the same manner for all the sanitizers, and extracts the downstream nodes for all the sanitizers among the nodes included in the directed graph. To do.

  The upstream node extraction unit 54 extracts an upstream node based on the directed graph acquired from the graph information storage unit 32 and the sanitizer node acquired from the extraction information storage unit 33. Specifically, the upstream node extraction unit 54 extracts, as upstream nodes, nodes included in all paths that go back from one sanitizer node included in the directed graph to the source node. Further, the upstream node extraction unit 54 executes the process of extracting the upstream node for this single sanitizer similarly for all the sanitizers, and extracts the upstream nodes for all the sanitizers among the nodes included in the directed graph. To do.

  The candidate extraction unit 55 (second extraction unit) extracts a candidate node indicating a candidate node for arranging the sanitizer based on the contaminated node, the downstream node, and the upstream node stored in the extraction information storage unit 33. Specifically, the candidate extraction unit 55 extracts, as candidate nodes, nodes included in the candidate set obtained by excluding the set of downstream nodes and the set of upstream nodes from the set of contaminated nodes. Further, as illustrated in FIG. 7, the candidate extraction unit 55 associates “candidate node information” indicating the extracted candidate node, “source node information”, and “sink node information” with each other, and stores the candidate information storage unit 34. Remember me. In addition, the node candidate extraction unit 55 causes the result output unit 56 to output information indicating the position on the source code corresponding to the extracted candidate node (candidate node position information). Here, the position of the source code (candidate node position information) is information including the file name of the source code and the line number on the source code.

In addition, the candidate extraction unit 55 may execute prioritization of arranging the sanitizer node among the nodes extracted as candidate nodes. For example, the candidate extraction unit 55 extracts a node closest to the sink node in the route on the directed graph among the extracted candidate nodes as the candidate node having the highest priority. In addition, for example, the candidate extraction unit 55 lowers the priority as a candidate node for a node that is a branch destination in a route on the directed graph among the extracted candidate nodes. This is because when a sanitizer is placed at a branch destination node, the sanitizer needs to be placed at a plurality of nodes, so the candidate extraction unit 55 lowers the priority order as a candidate node.
Further, for example, the candidate extraction unit 55 increases the priority as a candidate node with respect to a node that becomes a branch convergence destination in a route on the directed graph among the extracted candidate nodes. This is because when a sanitizer is arranged at a node that is a convergence destination of a branch, a single sanitizer can be used to detoxify a plurality of paths, so that the candidate extraction unit 55 sets the priority as a candidate node. increase.

  The result output unit 56 (output unit) displays information (candidate node position information) indicating the position on the source code corresponding to the candidate node extracted by the candidate extraction unit 55 based on the instruction from the candidate extraction unit 55 The candidate node position information is displayed on the display unit 40.

Next, operation | movement of the verification apparatus 1 in this embodiment is demonstrated with reference to drawings.
First, the overall operation of the verification apparatus 1 will be described.
FIG. 8 is a flowchart showing an example of the operation of the verification apparatus 1 in the present embodiment.
The verification device 1 starts the verification process when the source code to be verified is specified from the input unit 10 by the user.

  In FIG. 8, the verification apparatus 1 first acquires a source code and performs data flow analysis (step S101). That is, the data flow analysis unit 51 of the verification apparatus 1 acquires the source code (source code file) to be verified from the source code storage unit 20, and the source node, sink node, and sanitizer included in the acquired source code Extract nodes. The data flow analysis unit 51 searches the source description, the sink description information, and the detoxification description information stored in the rule information storage unit 31 from the description of the source code, thereby obtaining the source node, the sink node, And sanitizer nodes. As shown in FIG. 6, the data flow analysis unit 51 stores the “sanitizer node information” of the extracted sanitizer node in the extraction information storage unit 33 in association with “source node information” and “sink node information”. .

In addition, the data flow analysis unit 51 traces the processing flow (data flow) related to the data of the source code, extracts a route that does not pass through the sanitizer among routes that the data flow has, and determines whether the source code is safe. Determine whether.
Here, the data flow analysis processing by the data flow analysis unit 51 will be described in detail with reference to FIG.

FIG. 9 is a schematic diagram illustrating an example of data flow analysis in the present embodiment.
In FIG. 9, a source code S1 indicates a source code to be analyzed. In the example shown in this figure, the source code S1 is a 12-line program from the line number “01” to the line number “12”, and the node N1 corresponding to the line number “01” indicates the source node. A node N2 corresponding to the row number “07” indicates a sanitizer node, and a node N4 corresponding to the row number “12” indicates a sink node.
For such source code S1, the data flow analysis unit 51 first refers to the rule information storage unit 31 and extracts a source node, a sink node, and a sanitizer node. For example, “req.getParameter (“ name ”);” of the node N1 matches “getParameter ()” of the source description information of “source information” shown in FIG. Is extracted as a source node. Similarly, the data flow analysis unit 51 extracts the node N2 as a sanitizer node and extracts the node N4 as a sink node.

  As described above, after extracting the source node, the sink node, and the sanitizer node, the data flow analysis unit 51 tracks the flow of processing regarding data as data flow analysis. In this example, the flow of processing related to data is a route K1 of data D1 (source) → data D2 → data D3 → data D4 → data D7 (sink) and data D1 (source) → data D2 → data D5 → data. There are two paths, a path K2 that becomes D6 → data D7 (sink). In this case, the data flow analysis unit 51 analyzes the data flow and generates a directed graph such as the data flow graph F1. That is, the data flow analysis unit 51 generates a directed graph having two paths of a path K1 of node N1 → node N2 → node N4 and a path K2 of node N1 → node N3 → node N4 as the data flow graph F1. . In this example, since the line number “06” of the source code S1 is a branch instruction, the data flow graph F1 branches to the node N2 of the line number “07” and the node N3 of the line number “09”. To do.

  In the example of this figure, the route K1 is a safe route because it passes through the sanitizer node (node N2), but the route K2 is a dangerous route because it does not pass through the sanitizer node. As a result, the data flow analyzing unit 51 determines that the source code S1 as a whole is “dangerous”.

Returning to the flow of FIG. 8, in step S102, the data flow analysis unit 51 generates a directed graph. Specifically, the data flow analysis unit 51 generates a data flow graph (directed graph) corresponding to the data flow from the analyzed source node to the sink node, and stores the generated data flow graph in the graph information storage unit 32. For example, as illustrated in FIG. 5, the data flow analysis unit 51 stores “source node information”, “sink node information”, and “directed graph information” of the generated data flow graph in association with each other.
Here, a process of generating a directed graph and “directed graph information” by the data flow analysis unit 51 will be described with reference to FIG.

FIG. 10 is a schematic diagram illustrating an example of a directed graph in the present embodiment.
FIG. 10 is a schematic diagram illustrating an example of list information (“directed graph information”) indicating a directed graph in the present embodiment.

In FIG. 10, the directed graph F2 has a node n1 to a node n6, and shows a data flow graph in which data processing flows from the node n1 to the node n6.
Moreover, the list information L1 shown in FIG. 11 is information expressing the directed graph F2 shown in FIG. In FIG. 11, the list information L1 includes a configuration in which a connection source node and a connection destination node are associated with each other.

  For example, the first line of the list information L1 indicates each node (here, the node n2 and the node n3) connected from the node n1 with the node n1 as a connection source. The second line of the list information L1 indicates each node (here, the node n4 and the node n5) connected from the node n2 with the node n2 as the connection source. Similarly, the third line of the list information L1 indicates each node (here, the node n6) connected from the node n3 with the node n3 as a connection source, and the fourth line of the list information L1 connects the node n4. As a source, each node connected from the node n4 (here, the node n6) is shown. The fifth line of the list information L1 indicates each node (here, node n6) connected from the node n5 with the node n5 as a connection source.

  Thus, the list information L1 is information representing the directed graph F2, and the data flow analysis unit 51 generates information such as the list information L1 based on the directed graph F2, and the generated information is referred to as “directed graph information”. Is stored in the graph information storage unit 32.

  In step S102 of FIG. 8, the data flow analysis unit 51 displays the generated directed graph (data flow graph) on the display unit 40 via the result output unit 56 as a data flow analysis result. When displaying the data flow analysis result, the data flow analysis unit 51 may display only the dangerous route so as to facilitate the user's confirmation as shown in FIG.

FIG. 12 is a diagram illustrating an example of a data flow analysis result in the present embodiment.
In this figure, the directed graph G1 has the same configuration as the directed graph shown in FIG. 1, and includes a source node sc1, a node n01 to a node n30, and a sink node sk1. Moreover, in this figure, subgraph SG1 is a dangerous route, and nodes included in area NA1 and area NA1 are nodes whose safety has been confirmed.
In the example illustrated in FIG. 12, the data flow analysis unit 51 displays the subgraph SG1 on the display unit 40 as the data flow analysis result.

  Returning to the flow of FIG. 8 again, in step S103, the verification apparatus 1 executes candidate node extraction processing (sanitizer candidate extraction processing). That is, the node extraction unit 60 and the candidate extraction unit 55 of the verification apparatus 1 extract candidate nodes on which the sanitizer is arranged (inserted). This candidate node extraction processing will be described later with reference to the flowchart of FIG.

Next, the verification apparatus 1 outputs the position information on the source code of the candidate node extracted in step S103 (step S104). That is, the result output unit 56 of the verification apparatus 1 displays information (position information) indicating the position on the source code corresponding to the candidate node extracted by the candidate extraction unit 55 based on the instruction from the candidate extraction unit 55. The position information is displayed on the display unit 40. Here, the information indicating the position on the source code corresponding to the candidate node is, for example, the file name of the source code including the candidate node and the line number corresponding to the candidate node. The display unit 40 is caused to display the file name of the source code including the line number corresponding to the candidate node.
When displaying the position information on the display unit 40, the result output unit 56 may display the position information together with the result of the data flow analysis and the data flow graph. Further, when displaying the position information on the display unit 40, the result output unit 56 displays the description content of the source code including the corresponding candidate node, and displays information such as a mark at the position corresponding to the candidate node. You may let them.
The verification apparatus 1 ends the verification process after executing the process of step S104.

Next, a sanitizer candidate extraction process by the control unit 50, which is one of the verification processes of the verification apparatus 1 in the present embodiment (the process of step S103 in FIG. 8), will be described.
FIG. 13 is a flowchart illustrating an example of sanitizer candidate extraction processing according to the present embodiment.
14 to 17 are diagrams for explaining an example of a sanitizer candidate extraction process according to the present embodiment.

14 to 17, the directed graph G1 has the same configuration as the directed graph shown in FIG. 1, and includes a source node sc1, a node n01 to a node n30, and a sink node sk1. Hereinafter, the sanitizer candidate extraction process shown in FIG. 13 will be described with reference to the directed graph G1 of FIGS.
In the present embodiment, an example of candidate extraction processing when there is one source node and one sink node will be described. As shown in FIG. 2, the sanitizer has different processing depending on the type of sink that is the output destination. In this embodiment, the sanitizer is a sanitizer corresponding to one type of sink.

  In FIG. 13, first, the node extraction unit 60 of the control unit 50 extracts a downstream node (step S201). Specifically, the downstream node extraction unit 53 of the node extraction unit 60 includes, based on the directed graph acquired from the graph information storage unit 32 and the sanitizer node acquired from the extraction information storage unit 33, among the nodes included in the directed graph. The downstream node is extracted.

  For example, in the example illustrated in FIG. 14, the downstream node extraction unit 53 acquires “directed graph information” corresponding to the source node sc1 and the sink node sk2 from the graph information storage unit 32, and corresponds to the source node sc1 and the sink node sk2. "Sanitizer node information" to be acquired from the extracted information storage unit 33. The downstream node extraction unit 53 searches for the sanitizer node corresponding to the “sanitizer node information” from the acquired “directed graph information”, and is arranged downstream on the path of the directed graph starting from the searched sanitizer node. All nodes (downstream nodes) are extracted. The downstream node extraction unit 53 associates the extracted set of downstream nodes (referred to as set A) with the source node sc1 and the sink node sk2 and stores them in the extraction information storage unit 33. In the example illustrated in FIG. 14, the subgraph SG2 is a set of downstream nodes (set A).

  Next, the node extraction unit 60 extracts an upstream node (step S202). Specifically, the upstream node extraction unit 54 of the node extraction unit 60 includes, based on the directed graph acquired from the graph information storage unit 32 and the sanitizer node acquired from the extraction information storage unit 33, among the nodes included in the directed graph. The upstream node is extracted.

  For example, in the example illustrated in FIG. 15, the upstream node extraction unit 54 acquires “directed graph information” corresponding to the source node sc1 and the sink node sk2 from the graph information storage unit 32 and corresponds to the source node sc1 and the sink node sk2. "Sanitizer node information" to be acquired from the extracted information storage unit 33. The upstream node extraction unit 54 searches the sanitizer node corresponding to the “sanitizer node information” from the acquired “directed graph information”, and is arranged upstream on the route of the directed graph with the searched sanitizer node as the end point. All nodes (upstream nodes) are extracted. The upstream node extraction unit 54 associates the extracted set of upstream nodes (referred to as set B) with the source node sc1 and the sink node sk2 and stores them in the extraction information storage unit 33. In the example illustrated in FIG. 15, the subgraph SG3 is a set of upstream nodes (set B).

  Next, the node extraction unit 60 extracts a contaminated node (step S203). Specifically, the contaminated node extraction unit 52 of the node extraction unit 60 is based on the directed graph acquired from the graph information storage unit 32 and the sanitizer node acquired from the extraction information storage unit 33, among the paths included in the directed graph. A route (dangerous route) that does not pass through the sanitizer is extracted, and a node on this dangerous route is extracted as a contaminated node.

For example, in the example illustrated in FIG. 16, the contaminated node extraction unit 52 acquires “directed graph information” corresponding to the source node sc1 and the sink node sk2 from the graph information storage unit 32, and corresponds to the source node sc1 and the sink node sk2. "Sanitizer node information" to be acquired from the extracted information storage unit 33. The contaminated node extraction unit 52 searches the acquired “directed graph information” for a sanitizer node corresponding to the “sanitizer node information”, and extracts a route (dangerous route) that does not pass through the searched sanitizer node. The contaminated node extraction unit 52 extracts all nodes (contaminated nodes) arranged on this dangerous route. The contaminated node extraction unit 52 stores the extracted set of contaminated nodes (referred to as set C) in the extracted information storage unit 33 in association with the source node sc1 and the sink node sk2. In the example shown in FIG. 16, the subgraph SG1 is a set of contaminated nodes (set C).
Note that the contaminated node extraction unit 52 may extract the contaminated node using the dangerous route extracted by the data flow analysis unit 51.

  Next, the candidate extraction unit 55 of the control unit 50 extracts candidate nodes (step S204). That is, the candidate extraction unit 55 extracts a candidate node indicating a candidate node for arranging the sanitizer based on the contaminated node, the downstream node, and the upstream node stored in the extraction information storage unit 33. Specifically, the candidate extraction unit 55 excludes a set of downstream nodes (set A) and a set of upstream nodes (set B) from the set of contaminated nodes (set C) (set D = set C− ( Nodes included in set A∪set B)) are extracted as candidate nodes.

  For example, in the example illustrated in FIG. 17, the candidate extraction unit 55 extracts “contamination node information”, “upstream node information”, and “downstream node information” corresponding to the source node sc1 and the sink node sk2 from the extraction information storage unit 33. get. The candidate extraction unit 55 sets a set of candidate nodes (set D) based on the acquired “contaminated node information” (set C), “upstream node information” (set B), and “downstream node information” (set A). To extract. The candidate extraction unit 55 stores the extracted set of candidate nodes (set D) in the candidate information storage unit 34 in association with the source node sc1 and the sink node sk2. In the example shown in FIG. 17, the subgraph SG4 is a set of candidate nodes (set D).

Next, the candidate extraction unit 55 determines the priority order of candidate nodes (step S205). Specifically, the candidate extraction unit 55 determines a node closest to the sink node in the route on the directed graph among the extracted candidate nodes as the highest priority candidate node. Note that the candidate extraction unit 55 causes the data flow analysis unit 51 to perform data flow analysis when the sanitizer is arranged at the node determined as the highest priority candidate node for the subgraph SG1 that is the directed graph of the path of the contaminated node. It may be determined whether or not the dangerous route has been resolved. If the risk route is not resolved as a result of the determination, the candidate extraction unit 55 sets another candidate node having the next highest priority among the candidate node set (set D) as the highest priority candidate node. decide.
For example, in the example illustrated in FIG. 17, the candidate extraction unit 55 determines the node n11 as the highest priority candidate node. In addition, for example, the candidate extraction unit 55 determines the priority order of the candidate nodes in order from the highest order: node n11 → node n08 → node n09 or node n10.

Since the data length of the data to which the sanitizer is applied is larger than the data before the data is applied, the sanitizer is preferably arranged at a position close to the sink node. Therefore, for example, the candidate extraction unit 55 increases the priority order of candidate nodes closer to the sink node in the set of candidate nodes (set D). In addition, the candidate extraction unit 55 lowers the priority order of candidate nodes that are branch destinations in the route on the directed graph among the set of candidate nodes (set D). In addition, the candidate extraction unit 55 increases the priority as a candidate node for a node that is a convergence destination of a branch on a route on a directed graph among a set of candidate nodes (set D).
After executing the process of step S205, the control unit 50 ends the sanitizer candidate extraction process.

FIG. 18 is a diagram for explaining the effect of the verification apparatus 1 in the present embodiment.
In this figure, the directed graph G1 has the same configuration as the directed graphs shown in FIGS. 1 and 14 to 17, and includes a source node sc1, a node n01 to a node n30, and a sink node sk1. In this figure, node n11 indicates the highest priority candidate node, and shows the result of data flow analysis when a sanitizer is arranged at node n11.

In the example illustrated in FIG. 18, the sanitizer is arranged in the node n11 that is the candidate node extracted by the verification device 1, and the result of the data flow analysis of the source code is changed from “danger” to “safe”. . Thus, the verification apparatus 1 in this embodiment can arrange a sanitizer appropriately.
Further, when the verification apparatus 1 displays only the dangerous route (subgraph SG1) on the display unit 40 as a result of the data flow analysis as shown in FIG. 12, the arrangement position of the sanitizer manually as in the conventional technique. If it is determined, sanitizers may be inserted twice.

  For example, FIG. 19 is a diagram showing an example of double insertion of a sanitizer by conventional contamination analysis. In this figure, the directed graph G1 has the same configuration as the directed graph shown in FIG. 12, and includes a source node sc1, a node n01 to a node n30, and a sink node sk1. Moreover, in this figure, subgraph SG1 is a dangerous route, and nodes included in area NA1 and area NA1 are nodes whose safety has been confirmed.

  As shown in FIG. 19, when only the dangerous route (subgraph SG1) is displayed on the display unit 40 as a result of the data flow analysis, the user may recognize a sanitizer that is already arranged such as the node n05. Can not. Therefore, in the conventional contamination analysis technique, when the position of the sanitizer is manually determined, the sanitizer may be inserted twice as in the subgraph SG5.

As described above, when the sanitizer is inserted twice, the data converted by the sanitizer is converted into the description shown in (f) “double escape result” in FIG. When data is output to the sink in the description of (f) of FIG. 2, the output data (character string) is not the character string of (d) of FIG. ) Character string. For example, when the sanitizer process is executed twice for “&”, “&amp;amp;” is generated, and this character string is output as “&amp;” by the sync, and the original “&” is not output.
As described above, when the position of the sanitizer is determined manually, there is a problem that the sanitizer may be inserted twice, and data cannot be output correctly.
On the other hand, the verification device 1 according to the present embodiment extracts an appropriate candidate node that does not duplicately arrange sanitizers by the above-described candidate node extraction process. Therefore, the verification apparatus 1 in the present embodiment can avoid the double insertion of the sanitizer as described above.

  As described above, the verification apparatus 1 according to the present embodiment includes the data flow analysis unit 51, the node extraction unit 60 (first extraction unit), and the candidate extraction unit 55 (second extraction unit). Yes. The data flow analysis unit 51 acquires the source code from the source code storage unit 20, inputs the data included in the acquired source code, the sink node that outputs the data, and the cause of the vulnerability included in the data The description information acquired from the rule information storage unit 31 that stores the description information indicating the description corresponding to each of the source node, the sink node, and the sanitizer node is added to the sanitizer node corresponding to the processing for detoxifying the special character. Extract based on and analyze the data flow of the source code. Further, the data flow analysis unit 51 generates a directed graph indicating a data flow including nodes from the source node to the sink node. Based on the directed graph generated by the data flow analyzing unit 51 and the sanitizer node, the node extracting unit 60 extracts a contaminated node, a downstream node, and an upstream node among the nodes included in the directed graph. Here, the contaminated node is a node on a route that does not pass through the sanitizer node. The downstream node is a node arranged downstream of the sanitizer node, and the upstream node is a node arranged upstream of the sanitizer node. Then, the candidate extraction unit 55 extracts candidate nodes indicating candidate nodes for arranging the sanitizer based on the contaminated node, the downstream node, and the upstream node extracted by the node extraction unit 60, and corresponds to the extracted candidate node. Information indicating a position on the source code is output to the result output unit 56.

Thereby, since the verification apparatus 1 in this embodiment can extract an appropriate candidate node for arranging the sanitizer, the user can appropriately arrange the sanitizer when the source code is vulnerable. it can.
In addition, since it is not necessary for a human to carefully determine the position at which the sanitizer is disposed, the verification apparatus 1 according to the present embodiment can reduce the number of work steps for correcting the source code so that the sanitizer is appropriately disposed. For example, even when the source code is large or complicated and the path from the source to the sink is detected enormously, the verification apparatus 1 in this embodiment corrects the manipulator to properly arrange the sanitizer. (Human correction cost) can be reduced. That is, the verification apparatus 1 according to the present embodiment can reduce the number of work steps required for verification of the source code by static analysis.
Therefore, the verification apparatus 1 in this embodiment can arrange a sanitizer appropriately, reducing work man-hours.

  In addition, since the verification apparatus 1 in this embodiment extracts a candidate node based on an upstream node and a downstream node, it is possible to extract an appropriate candidate node including a route whose safety has already been confirmed. . Therefore, the verification apparatus 1 in the present embodiment can avoid the double insertion of the sanitizer as described above.

Further, in the present embodiment, the candidate extraction unit 55 sets a candidate set (set D) by excluding the set of downstream nodes (set B) and the set of upstream nodes (set A) from the set of contaminated nodes (set C). The included nodes are extracted as candidate nodes.
Thereby, since a node that does not pass the sanitizer can be appropriately extracted from the set of contaminated nodes by a simple means, the verification apparatus 1 in the present embodiment can appropriately extract a candidate node on which the sanitizer is arranged. .

In the present embodiment, the candidate extraction unit 55 extracts a node closest to the sink node in the route on the directed graph among the extracted candidate nodes as the candidate node having the highest priority.
Since the sanitizer is preferably arranged at a position close to the sink node as described above, the verification apparatus 1 in the present embodiment appropriately proposes the candidate node with the highest priority for arranging the sanitizer for the user. can do.

Further, in the present embodiment, the candidate extraction unit 55 lowers the priority as a candidate node with respect to a node that becomes a branch destination in the route on the directed graph among the extracted candidate nodes.
When a sanitizer is arranged at a branch destination node, it is necessary to arrange a sanitizer at a plurality of nodes. Accordingly, the verification apparatus 1 according to the present embodiment can appropriately reduce the number of sanitizers arranged for the user. Candidate nodes can be proposed.

Further, in the present embodiment, the candidate extraction unit 55 increases the priority as a candidate node with respect to a node that is a convergence destination of a branch on a route on the directed graph among the extracted candidate nodes.
When a sanitizer is arranged at a node that is a convergence destination of a branch, a sanitizer can be efficiently arranged at one node. Thus, the verification device 1 according to the present embodiment can effectively arrange a sanitizer for a user. It is possible to propose an appropriate candidate node having a high (high efficiency).

  In this embodiment, as an example, the candidate extraction unit 55 has been described as performing processing until extraction is performed as a candidate node with the highest priority. However, the source code for arranging the sanitizer at the candidate node with the highest priority. The candidate extraction unit 55 or the control unit 50 may execute up to the correction process. In this case, since the correction process for inserting the sanitizer into the source code can be executed without manual intervention, the verification apparatus 1 can further reduce the work man-hours.

Next, a second embodiment will be described with reference to the drawings.
[Second Embodiment]
In the second embodiment, as illustrated in FIG. 20, when the directed graph includes a plurality of sources and one sink, the verification device 1 executes candidate node extraction processing (sanitizer candidate extraction processing). An example will be described.

Note that the configuration of the verification apparatus 1 in the present embodiment is the same as that in the first embodiment, and the description thereof is omitted here. Further, the basic operation of the verification apparatus 1 in this embodiment is the same as that of the first embodiment shown in FIG.
In this embodiment, the procedure of the sanitizer candidate extraction process is different from that of the first embodiment, and the sanitizer candidate extraction process will be described below.

FIG. 20 is a diagram illustrating an example of sanitizer candidate extraction processing according to the present embodiment.
In this figure, the directed graph G2 includes a source node sc1 (“Source1”), a source node sc2 (“Source2”),..., A source node scN (“SourceN”), and a sink node sk1 (“Sink1”). It is a data flow graph which shows the data flow between. The directed graph G2 includes nodes n02 to n16 and n18 to n30, and of these nodes n02 to n16 and n18 to n30, the node n05, the node n06, the node n16, and the node n30 correspond to the sanitizer. It is a node.

  As shown in FIG. 20, in this embodiment, the directed graph G2 has a plurality of source nodes. In the sanitizer candidate extraction process in the present embodiment, the verification apparatus 1 performs all the processes for extracting the sanitizer candidate nodes in the subgraph between one of the plurality of source nodes and one sink node (sk1). The node included in the union of the candidate nodes extracted in each process is extracted as a candidate node.

Next, sanitizer candidate extraction processing according to the present embodiment will be described with reference to FIG.
FIG. 21 is a flowchart illustrating an example of sanitizer candidate extraction processing according to the present embodiment.
In this figure, first, the candidate extraction unit 55 of the control unit 50 substitutes “1” for the source number n (step S301). That is, the candidate extraction unit 55 selects the source node sc1 (“Source1”) shown in FIG. 20, and selects the subgraph SG21 between the source node sc1 (“Source1”) and the sink node sk1 (“Sink1”). To do.

Next, the candidate extraction unit 55 sets the nth source (step S302).
The subsequent processing from step S303 to step S306 is the same as the processing from step S201 to step S204 in FIG. When the source number n is “1”, the node extraction unit 60 and the candidate extraction unit 55 of the control unit 50 extract candidate nodes corresponding to the above-described subgraph SG21 in steps S303 to S306. The candidate extraction unit 55 associates the extracted candidate node with the set information of “source node information” indicating the nth source node and “sink node information” indicating the sink node sk1, and stores the candidate information storage unit 34. Remember me.

  Next, in step S307, the candidate extraction unit 55 of the control unit 50 determines whether or not the source number n is “N” or more. If the source number n is “N” or more (step S307: YES), the candidate extraction unit 55 advances the process to step S309. If the source number n is less than “N” (step S307: NO), the candidate extraction unit 55 advances the process to step S308.

  In step S308, the candidate extraction unit 55 adds “1” to the source number n, updates the source number n, and advances the processing to step S302. That is, the candidate extraction unit 55 generates a subgraph between the next source node (for example, the source node sc2 (“Source2”,..., The source node scN (“SourceN”)) and the sink node sk1 (“Sink1”). In the same manner, extraction of candidate nodes is repeated.

In step S309, the candidate extraction unit 55 determines the priority order of the candidate nodes. Here, the candidate extraction unit 55 performs the same processing as step S205 of FIG. 13 on the union of the sets of candidate nodes extracted in each subgraph. Specifically, the candidate extraction unit 55 associates with the set information of “source node information” indicating the nth source node and “sink node information” indicating the sink node sk1 and stores them in the candidate information storage unit 34. Nodes are acquired in order from the first to the Nth, and a union of a set of candidate nodes is generated.
In addition, in the union of the above candidate nodes, when the candidate nodes extracted for each combination of the source and the sink overlap, the candidate extraction unit 55 determines the candidate node as a candidate node. Increase priority.
After executing the process of step S309, the control unit 50 ends the sanitizer candidate extraction process.

As described above, in this embodiment, the candidate extraction unit 55 extracts a candidate node for each combination of a source node and a sink node when the directed graph includes a plurality of input point nodes. And the candidate extraction part 55 extracts the union of each extracted candidate node as a candidate node.
As a result, the verification apparatus 1 according to the present embodiment is suitable as in the first embodiment even when the source code has a plurality of sources and data is output in one sink. Candidate nodes can be extracted. Therefore, the verification apparatus 1 in this embodiment can arrange a sanitizer appropriately, reducing work man-hours.

Further, in the present embodiment, the candidate extraction unit 55 determines whether a candidate node extracted for each combination of source and sink overlaps in the union set of candidate nodes described above. , Raise the priority as a candidate node.
When a sanitizer is arranged in a node where candidate nodes overlap, the sanitizer can be efficiently arranged in one node. Thus, the verification apparatus 1 in this embodiment has an effect of arranging the sanitizer for the user. High (efficient) suitable candidate nodes can be proposed.

Next, a third embodiment will be described with reference to the drawings.
[Third Embodiment]
In the third embodiment, as illustrated in FIG. 22, when the directed graph includes a plurality of sources and a plurality of sinks, the verification apparatus 1 executes candidate node extraction processing (sanitizer candidate extraction processing). An example will be described.

Note that the configuration of the verification apparatus 1 in the present embodiment is the same as that in the first embodiment, and the description thereof is omitted here. Further, the basic operation of the verification apparatus 1 in the present embodiment is the same as that of the first embodiment shown in FIG.
In the present embodiment, the sanitizer candidate extraction process is different from the first and second embodiments, and the sanitizer candidate extraction process will be described below.

FIG. 22 is a diagram illustrating an example of sanitizer candidate extraction processing according to this embodiment.
In this figure, the directed graph G3 includes a source node sc1 (“Source1”), a source node sc2 (“Source2”),..., A source node scN (“SourceN”), a sink node sk1 (“Sink1”), a sink 6 is a data flow graph showing a data flow between a node sk2 (“Sink2”),..., And a sink node sk1 (“SinkM”). This directed graph G3 includes nodes n02 to n16 and n18 to n30, and of these nodes n02 to n16 and n18 to n30, the node n05, the node n06, the node n16, and the node n30 correspond to the sanitizer. It is a node.

  As shown in FIG. 22, in the present embodiment, the directed graph G3 has a plurality of source nodes and a plurality of sinks. In the sanitizer candidate extraction process according to the present embodiment, the verification apparatus 1 uses a sanitizer candidate node in a subgraph between one of the plurality of source nodes and one sink node (sk1) of the plurality of sink nodes. Is extracted for all source nodes, and nodes included in the union of candidate nodes extracted in each process are extracted as candidate nodes (subgraph SG31 in FIG. 22). Further, the verification device 1 changes the sink node, executes the same processing for all the sink nodes, and sets a node included in the union of candidate nodes extracted in each processing as a candidate node. Extract.

Next, sanitizer candidate extraction processing according to the present embodiment will be described with reference to FIG.
FIG. 23 is a flowchart illustrating an example of sanitizer candidate extraction processing according to the present embodiment.
In this figure, first, the candidate extraction unit 55 of the control unit 50 substitutes “1” for the source number n and “1” for the sync number m (step S401). That is, the candidate extraction unit 55 selects the source node sc1 (“Source1”) and the sink node sk1 (“Sink1”) shown in FIG.

Next, the candidate extraction unit 55 sets the nth source and the mth sink (step S402).
The subsequent processing from step S403 to step S406 is the same as the processing from step S302 to step S306 in FIG.

  Next, in step S407, the candidate extraction unit 55 of the control unit 50 determines whether or not the source number n is “N” or more. If the source number n is “N” or more (step S407: YES), the candidate extraction unit 55 advances the process to step S409. If the source number n is less than “N” (step S407: NO), the candidate extraction unit 55 advances the process to step S408.

  In step S408, the candidate extraction unit 55 adds “1” to the source number n, updates the source number n, and advances the process to step S402. That is, the candidate extraction unit 55 selects the next source node (for example, the source node sc2 (“Source2”,...), The subgraph between the source node scN (“SourceN”) and the sink node, and similarly The extraction of candidate nodes is repeated.

  In step S409, the candidate extraction unit 55 determines whether the sync number m is “M” or more. If the sync number m is “M” or more (step S409: YES), the candidate extraction unit 55 advances the process to step S411. If the sync number m is less than “M” (step S409: NO), the candidate extraction unit 55 advances the process to step S410.

  In step S410, the candidate extraction unit 55 adds “1” to the sync number m to update the sync number m, and after substituting “1” for the source number n, the process proceeds to step S402. That is, the candidate extraction unit 55 returns the source node to the source node sc1 (“Source1”), and the next sink node (for example, the sink node sk2 (“Sink2”,..., The sink node skM (“SinkM”)). In the same manner, extraction of candidate nodes is repeated.

In step S411, the candidate extraction unit 55 determines the priority order of the candidate nodes. Here, the candidate extraction unit 55 performs the same processing as step S205 of FIG. 13 on the union of the sets of candidate nodes extracted in each subgraph. In addition, in the union of the above candidate nodes, when the candidate nodes extracted for each combination of the source and the sink overlap, the candidate extraction unit 55 determines the candidate node as a candidate node. Increase priority.
After executing the process of step S411, the control unit 50 ends the sanitizer candidate extraction process.

  In the procedure shown in FIG. 23, the candidate extracting unit 55 generates a union of candidate nodes extracted in each combination after the extraction of candidate nodes for all combinations of the source and sink is completed. However, each time the change of the source node sc1 to the source node scN is completed, the union may be generated. That is, the candidate extraction unit 55 may perform the same processing as that of the second embodiment for each sink node, and generate the union again after all the sink nodes have been changed.

As described above, in the present embodiment, the candidate extraction unit 55 selects the candidate node for each combination of the source node and the sink node when the directed graph includes a plurality of input point nodes or a plurality of sink nodes. To extract. And the candidate extraction part 55 extracts the union of each extracted candidate node as a candidate node.
As a result, the verification apparatus 1 according to the present embodiment is suitable as in the first embodiment even when the source code has a plurality of sources and data is output at a plurality of sinks. Candidate nodes can be extracted. Therefore, the verification apparatus 1 in this embodiment can arrange a sanitizer appropriately, reducing work man-hours.

The present invention is not limited to the above embodiments, and can be modified without departing from the spirit of the present invention.
For example, in each of the embodiments described above, the case where the verification device 1 includes the source code storage unit 20 and the verification storage unit 30 has been described. However, the source code storage unit 20 and the verification storage unit 30 may be configured as, for example, a server device. Such an external device may be provided. The control unit 50 may be a computer device such as a client terminal or an application server, for example. Further, the input unit 10 or the display unit 40 may be provided outside the verification apparatus 1. For example, the input unit 10 and the display unit 40 may be provided in a computer device such as a client terminal connected to the verification device 1 via a network.

In each of the above embodiments, the result output unit 56 outputs information such as the data flow analysis result, the data flow graph, and information indicating the position on the source code corresponding to the candidate node to the display unit 40. However, the result output unit 56 may output the information as a data file to a file server device or the like.
Further, in the candidate extraction process of each embodiment described above, the node extraction unit 60 has been described as performing the process in the order of the downstream node extraction process, the upstream node extraction process, and the contaminated node extraction process. The order in which these processes are executed is not limited to this. The node extraction unit 60 may execute any one of the above three processes first.

  Further, in each of the above-described embodiments, the case where (a) “output destination” in FIG. 2 is one type (in the case of one type of sink) has been described, but a plurality of types of sinks are included in the source code. In the case where it exists, the verification apparatus 1 can cope with each type of sink by executing the verification process shown in FIG. For example, if the source code includes both an HTML sink and a Javascript sink, the verification apparatus 1 executes the dataflow analysis corresponding to HTML and the extraction of the sanitizer candidate nodes, and then the JavaScript. The data flow analysis corresponding to the above and the extraction of the sanitizer candidate nodes are executed in the same manner.

The above-described verification is performed by recording a program for realizing the function of the verification apparatus 1 in the present invention on a computer-readable recording medium, causing the computer system to read and execute the program recorded on the recording medium. The processing of the device 1 may be performed. Here, “loading and executing a program recorded on a recording medium into a computer system” includes installing the program in the computer system. The “computer system” here includes an OS and hardware such as peripheral devices.
Further, the “computer system” may include a plurality of computer devices connected via a network including a communication line such as the Internet, WAN, LAN, and dedicated line. The “computer-readable recording medium” refers to a storage device such as a flexible medium, a magneto-optical disk, a portable medium such as a ROM and a CD-ROM, and a hard disk incorporated in a computer system. As described above, the recording medium storing the program may be a non-transitory recording medium such as a CD-ROM. The recording medium also includes a recording medium provided inside or outside that is accessible from the distribution server in order to distribute the program.
Note that the program may be divided into a plurality of parts, downloaded at different timings, and combined in the verification apparatus 1 or the distribution server that distributes each of the divided programs may be different. Furthermore, the “computer-readable recording medium” holds a program for a certain period of time, such as a volatile memory (RAM) inside a computer system that becomes a server or a client when the program is transmitted via a network. Including things. The program may be for realizing a part of the functions described above. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer system, what is called a difference file (difference program) may be sufficient.

  Moreover, you may implement | achieve part or all of the function mentioned above as integrated circuits, such as LSI (Large Scale Integration). Each function described above may be individually made into a processor, or a part or all of them may be integrated into a processor. Further, the method of circuit integration is not limited to LSI, and may be realized by a dedicated circuit or a general-purpose processor. In addition, when an integrated circuit technology that replaces LSI appears due to the advancement of semiconductor technology, an integrated circuit based on the technology may be used.

DESCRIPTION OF SYMBOLS 1 Verification apparatus 10 Input part 20 Source code storage part 30 Verification storage part 31 Rule information storage part 32 Graph information storage part 33 Extraction information storage part 34 Candidate information storage part 40 Display part 50 Control part 51 Data flow analysis part 52 Contamination node extraction Unit 53 downstream node extraction unit 54 upstream node extraction unit 55 candidate extraction unit 56 result output unit 60 node extraction unit

Claims (9)

The source code is acquired from the source code storage unit storing the source code, and the input point node for inputting data, the output point node for outputting data, and the vulnerability included in the data included in the acquired source code A rule information storage unit for storing a detoxification node corresponding to a process for detoxifying a special character that causes a descriptive information indicating a description corresponding to each of the input point node, the output point node, and the detoxification node Data flow analysis that extracts based on the description information acquired from the source and analyzes the data flow of the source code and generates a directed graph showing the data flow including nodes from the input point node to the output point node And
Based on the directed graph generated by the data flow analysis unit and the detoxification node, a contamination node that is a node on a path that does not pass through the detoxification node among the nodes included in the directed graph; and A first extraction unit that extracts a downstream node that is a node disposed downstream of the detoxification node and an upstream node that is a node disposed upstream of the detoxification node;
Based on the contaminated node, the downstream node, and the upstream node extracted by the first extraction unit, a candidate node indicating a candidate of a node where the processing to be rendered harmless is arranged, and the extracted candidate node A verification apparatus comprising: a second extraction unit that causes an output unit to output information indicating a corresponding position on the source code. The second extraction unit extracts, as the candidate nodes, nodes included in a candidate set excluding the set of downstream nodes and the set of upstream nodes from the set of contaminated nodes. The verification apparatus according to 1. The second extraction unit includes
3. The verification device according to claim 1, wherein, among the extracted candidate nodes, a node closest to the output point node in a route on the directed graph is extracted as a candidate node having the highest priority. 4. . The second extraction unit includes
4. The priority as the candidate node is lowered with respect to a node that becomes a branch destination in the route on the directed graph among the extracted candidate nodes. 5. The verification device described. The second extraction unit includes
5. The priority as the candidate node is increased with respect to a node that is a convergence destination of a branch in the route on the directed graph among the extracted candidate nodes. The verification device according to item. The second extraction unit includes
The candidate node is extracted for each combination of the input point node and the output point node when the directed graph includes a plurality of input point nodes or a plurality of output point nodes. The verification device according to any one of claims 1 to 5. The second extraction unit includes
The verification apparatus according to claim 6, wherein, when the candidate nodes extracted for each of the combinations overlap, the priority as the candidate node is increased with respect to the overlapping candidate nodes. A data flow analysis unit acquires the source code from a source code storage unit that stores the source code, and is included in the acquired source code, an input point node that inputs data, an output point node that outputs data, and data Descriptive information indicating detoxification nodes corresponding to processing for detoxifying special characters that cause vulnerabilities included in the input point node, the output point node, and the detoxification node. A directed graph that is extracted based on the description information acquired from the stored rule information storage unit, analyzes the data flow of the source code, and shows the data flow including nodes from the input point node to the output point node A data flow analysis step to generate
The first extraction unit is on a path that does not pass through the detoxification node among the nodes included in the directed graph based on the directed graph generated by the data flow analysis step and the detoxification node. A first extraction step of extracting a contamination node that is a node, a downstream node that is a node disposed downstream of the detoxification node, and an upstream node that is a node disposed upstream of the detoxification node;
A second extraction unit extracts candidate nodes indicating candidate nodes for disposing of the detoxifying process based on the contaminated node, the downstream node, and the upstream node extracted in the first extraction step. And a second extraction step of causing the output unit to output information indicating the position on the source code corresponding to the extracted candidate node. In the computer as a verification device,
A data flow analysis unit acquires the source code from a source code storage unit that stores the source code, and is included in the acquired source code, an input point node that inputs data, an output point node that outputs data, and data Descriptive information indicating detoxification nodes corresponding to processing for detoxifying special characters that cause vulnerabilities included in the input point node, the output point node, and the detoxification node. A directed graph that is extracted based on the description information acquired from the stored rule information storage unit, analyzes the data flow of the source code, and shows the data flow including nodes from the input point node to the output point node A data flow analysis step to generate
The first extraction unit is on a path that does not pass through the detoxification node among the nodes included in the directed graph based on the directed graph generated by the data flow analysis step and the detoxification node. A first extraction step of extracting a contamination node that is a node, a downstream node that is a node disposed downstream of the detoxification node, and an upstream node that is a node disposed upstream of the detoxification node;
A second extraction unit extracts candidate nodes indicating candidate nodes for disposing of the detoxifying process based on the contaminated node, the downstream node, and the upstream node extracted in the first extraction step. And a second extraction step for causing the output unit to output information indicating a position on the source code corresponding to the extracted candidate node.

Images