
Research On Access Control Technology For Server Side Web Application

Posted on: 2016-09-24
Degree: Master
Type: Thesis
Country: China
Candidate: Z J Liang
GTID: 2298330467495033
Subject: Information security
Abstract/Summary:
As Web applications flourish, more and more people use them. At the same time, dangerous Web application vulnerabilities are becoming more frequent and severe, and the security requirements placed on access control are growing stronger. Although the older RBAC and PBAC models can manage user permissions effectively on the server side, both have shortcomings in security and in control complexity, to differing degrees. Separately, to address weaknesses in the W3C's Same-Origin Policy, another design uses a client-side access control model called ESCUDO and a server-side access control model called SCUTA cooperatively. They assign a corresponding privilege to each function and place functions in different ring levels. Functions that need to be invoked by functions in another ring level are given a GATE label, which indicates that they can be invoked by all functions in that range. However, in SCUTA the granularity of this GATE-label method is too coarse to provide the fine-grained, function-to-function privilege management that is needed: its granularity is ring level to function, which can introduce unsafe function-invocation privileges. In this thesis, we design and implement a new function-to-function access control technology, built with Apache, MySQL, PHP and many other tools, to fix this vulnerability. We also modify the source code of the PHP core on the server side so that it accepts and processes Cookie information from the client side and enforces access control over Web page nodes and PHP functions. The access control of the MySQL module in this thesis can be implemented entirely with the access control of the MySQL database itself.
For any PHP project, this technology implements modules that analyze the project structure, detect vulnerabilities and report vulnerability information for the project, analyze the vulnerabilities and assess the ring score level of the project's pages and functions, and automatically or manually revise the project's access control ring levels. Finally, we implement a technique that automatically assesses the ring score based on the vulnerability information and automatically revises the access control ring level of the code by rewriting the privilege configuration files. We also use a project with real vulnerabilities to test this technology and to measure its performance and precision from the experimental results and data. The results show that, compared with the older technologies, this technology is more accurate, more flexible, easier and faster. It can be used for different access control tasks, including access control detection, management and repair. It has better applicability and fixes many vulnerabilities of the older technologies. It also greatly strengthens control over the permissions that determine who can access Web applications.
Keywords/Search Tags: Auto-revise, Detect Vulnerabilities, Control Permission, Access Control
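The granularity gap the abstract describes can be made concrete with a small model. This is an added example, not code from SCUTA or from the thesis: it compares a ring-level-to-function GATE rule with a function-to-function allowlist and lists the calls only the coarser rule admits. It assumes that a lower ring number means more privilege and that a GATE label admits a range of caller rings; all function names are hypothetical.

```python
# Model of the two granularities (added illustration, not SCUTA or thesis code).
# Assumptions: lower ring number = more privileged; a GATE label admits a range
# of caller rings; every function name below is hypothetical.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Func:
    name: str
    ring: int
    gate: Optional[range] = None          # caller rings admitted by the GATE label
    callers: frozenset = frozenset()      # explicit function-to-function allowlist


def ring_to_function(caller: Func, callee: Func) -> bool:
    """GATE rule: any function in an admitted ring may call the callee."""
    if caller.ring <= callee.ring:        # no privilege boundary is crossed
        return True
    return callee.gate is not None and caller.ring in callee.gate


def function_to_function(caller: Func, callee: Func) -> bool:
    """Allowlist rule: crossing into a more privileged ring needs a named caller."""
    if caller.ring <= callee.ring:
        return True
    return caller.name in callee.callers


def excess_grants(funcs):
    """(caller, callee) pairs the GATE rule admits but the allowlist denies."""
    return sorted(
        (a.name, b.name)
        for a in funcs for b in funcs
        if a is not b and ring_to_function(a, b) and not function_to_function(a, b)
    )


# Constructed sample project: one privileged function with one intended caller.
FUNCS = [
    Func("delete_account", 0, gate=range(1, 3), callers=frozenset({"account_settings"})),
    Func("account_settings", 1),
    Func("render_comment", 2),            # handles untrusted input
    Func("search_page", 2),
    Func("public_banner", 3),
]

if __name__ == "__main__":
    for caller, callee in excess_grants(FUNCS):
        print(f"GATE label lets {caller} call {callee}; allowlist would deny it")
```

Every pair reported is a privilege that exists only because the GATE label is scoped to rings instead of to named callers.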