计算机工程与应用 ›› 2010, Vol. 46 ›› Issue (28): 64-69.DOI: 10.3778/j.issn.1002-8331.2010.28.019

• 研发、设计、测试 • 上一篇    下一篇

基于XML的软件安全静态检测方法研究

周宽久,郑红波,赖晓晨,刘春燕,迟宗正   

  1. 大连理工大学 软件学院,辽宁 大连 116620
  • 收稿日期:2010-02-05 修回日期:2010-04-08 出版日期:2010-10-01 发布日期:2010-10-01
  • 通讯作者: 周宽久

Research on static analysis method for software security based on XML

ZHOU Kuan-jiu,ZHENG Hong-bo,LAI Xiao-chen,LIU Chun-yan,CHI Zong-zheng   

  1. Software School,Dalian University of Technology,Dalian,Liaoning 116620,China
  • Received:2010-02-05 Revised:2010-04-08 Online:2010-10-01 Published:2010-10-01
  • Contact: ZHOU Kuan-jiu

PDF

摘要: 安全关键软件设计使用的C/C++语言含有大量未定义行为,使用不当可能产生重大安全隐患。软件静态检测是从软件代码和结构中找出安全缺陷的重要手段。从安全规则的角度,提出了基于XML(eXtensible Markup Language)中间模型的静态检测方法。该方法将C/C++源代码解释为XML中间模型,将安全规则转化为缺陷模式,利用Xquery查询表达式对软件安全缺陷进行定位。基于该方法的原型系统检验结果表明:该方法能够有效地检测出违反安全规则的软件缺陷,并具有安全规则可定制的特点。

关键词: 安全规则, 静态分析, 可扩展标记语言(XML), 缺陷模式, Xquery

Abstract: Fatal security vulnerabilities are caused by undefined behaviors of C/C++ language used in Safety-Critical software design.Software static analysis is an important technique for identifying security vulnerabilities from software code and structure.The static analysis method based on XML intermediate model is proposed in term of safety rules.The source code is interpreted as XML intermediate model,while safety rules are translated into vulnerabilities pattern,and Xquery expression is used to locate security vulnerabilities by this method.The experimental result of a prototype system based on this method shows that this method can effectively detect the software vulnerabilities in violation of safety rules and has the advantage of supporting customization of safety rules.

Key words: safety rules, static analysis, eXtensible Markup Language(XML), vulnerabilities pattern, Xquery

中图分类号: 

京ICP备13024262号-1
Copyright © 《计算机工程与应用》编辑部
技术支持:北京玛格泰克科技发展有限公司
总访问量
今日访问
在线人数