社交网络开放平台漏洞挖掘及威胁评估方法研究

项目名称： 社交网络开放平台漏洞挖掘及威胁评估方法研究

项目编号： No.61303239

项目类型： 青年科学基金项目

立项/批准年度： 2014

项目学科： 自动化技术、计算机技术

项目作者： 刘奇旭

作者单位： 中国科学院大学

项目金额： 23万元

中文摘要： 社交网络正深度影响人们的交流方式，其网络安全问题也成为信息安全研究的重要问题之一。开放平台作为社交网络下一步发展的必然趋势，其中潜在的安全漏洞严重威胁社交网络隐私安全。然而，开放平台的漏洞挖掘与威胁评估尚未引起国内外研究的足够重视。本项目以"社交网络开放平台"为研究对象，旨在深入分析社交网络安全事件的基础上，挖掘开放平台潜在的注入型漏洞。针对开放平台数据输出处理客户端化、与第三方应用交互紧密化等新特性，采用客户端符号执行与服务端API参数动态测试相结合的方法进行漏洞挖掘。重点研究基于服务端和客户端过滤机制分析的变异型测试向量生成算法。通过研究漏洞评估方法，重点分析开放平台漏洞在生命周期不同阶段，给用户、社交网站及第三方应用带来的危害，将漏洞生命周期以"时间影响因子"的形式增加到评估过程中，为漏洞修复提供合理的优先级建议。最终提出开放平台第三方应用安全解决方案，进而保障用户隐私安全奠定基础。

中文关键词： 安全漏洞；漏洞挖掘；社交网络开放平台；第三方追踪；隐私安全

英文摘要： Social network service (SNS) has significantly changed the way people communicate with each other. Consistently, security issues associated with social networks have attracted more and more attentions. Open platform has been an inevitable trend with the development of SNS. However, potential security vulnerabilities inside the platform will become a direct threat to all the users, third-party applications and social networking sites themselves. Unfortunately, until now, security vulnerabilities detection and threat assessment for open platform have not yet received enough awareness from either domestic or foreign research. As a result, our project focuses on the security of SNS open platform and aims at discovering and assessing latent injection vulnerabilities within it. The goal is based on a comprehensive understanding of SNS security incidents. First of all, since open platform outputs and processes data on the client side and frequently interacts with third-party applications, we will utilize the combination of client-side symbolic execution technique and server-side dynamic fuzzing test on API parameters to detect possible vulnerabilities. Specifically, we will concentrate on studying variant test pattern generation methods on the basic of analyzing filtering mechanism at both client and server side. Then,

英文关键词： Vulnerability；Vulnerability Detection；Social Network Service Open Platform；Third-Party Tracking；Web Privacy Security