面向数据泄漏的Web沙箱测试方法

数据泄漏是导致Web沙箱逃逸的重要原因,即在未授权情况下,程序可以访问系统的敏感数据。已有的Web应用安全分析方法不完全适用于发现Web沙箱的数据泄漏。设计一种面向数据泄漏的Web沙箱测试方法,在JavaScript对象建模的基础上,首先,采用深度优先的策略遍历浏览器的原生对象,获取程序可直接访问的对象集合；其次,设计敏感点导向的封装对象测试算法,获取程序间接访问的对象集合；再次,设计了多程序数据泄漏的测试算法,获取程序间可能的通信路径；最后,对比测试结果和Web沙箱的规格,以识别Web沙箱的数据泄漏。设计并实现了Web沙箱测试系统(WSTS),同时测试了不同版本的ADsafe沙箱,实验结果显示,所提方法具有良好的数据泄漏发现能力。

Data Leakage Oriented Testing Method for Web Sandbox

Data Leakage is an important cause of Web sandbox escape.Namely,unauthorized programs can access sensitive data of system.The existed security analysis methods of Web application are not applicable to detect data leakage of Web sandboxes.In this paper,a Web sandbox test method was proposed to detect Web sandbox data leakage.Based on the model of JavaScript object,first,the method uses depth-first strategy to traversal native objects of browser and gets the collection of directly access object.Then,the method designs sensitive-point oriented test algorithm of encapsulated objects and gets the collection of indirectly access object.Next,the method designs data leakage test algorithm of multiple applications and gets the possible communication paths of programs.Finally,the method compares the test results and the specification of tested web sandbox to detect data leakage.This paper designed and implemented a Web sandbox test system (WSTS),and tested the different versions of ADsafe.The experimental results show that the method has good ability to detect data leakage of Web sandbox.