检索规则说明:AND代表“并且”;OR代表“或者”;NOT代表“不包含”;(注意必须大写,运算符两边需空一格)
检 索 范 例 :范例一: (K=图书馆学 OR K=情报学) AND A=范并思 范例二:J=计算机应用与软件 AND (U=C++ OR U=Basic) NOT M=Visual
名 称:
注 释:
机构地区:[1]重庆邮电大学网络与信息安全技术重庆市工程实验室,重庆400065
出 处:《计算机系统应用》2017年第9期253-258,共6页Computer Systems & Applications
摘 要:本文讨论应用代码审计技术,分析OpenSSL源代码,进行脆弱性分析,并作出针对性修补建议.在进行源码级分析时,主要采用数据流分析技术,动态污点分析技术,定理证明等.各类代码审计技术由于都主要采用形式化手段分析软件构架的安全需求,通常都对某种特定场景有较好效果,但实用性较差.在审计linux,xen等大型成熟软件项目时,存在效率低下,误报率高等缺陷,甚至可能根本无法挖掘出有效漏洞.为此通过采用搭配使用各种不同代码审计技术,同时使用一种新的安全属性定义手法,从底层角度定义安全属性,以提升其对软件安全需求描述的准确度,避免其审计缺陷.在保留代码审计技术自动化程度高的优点同时提升其审计效率以及降低误报率,深层次发掘代码脆弱性.This paper discusses the process of applying code audit to analyze the vulnerabilities of OpenSSL source codes and proposes some specific fixing advice for OpenSSL. Source level analysis mainly contains data flow analysis, dynamic taint analysis and path constraint solving proof method, etc. Because various code audit techniques adopt formal analysis on software architecture based on their own security requirements, they usually produce good effects when aiming at some particular scenes, but they lack universality. When auditing important mature projects like linux and xen, it is even impossible to exploit vulnerabilities efficiently with using these code audit techniques with high false rate. In this case, the collocation use of different code audit techniques is applied, as well as a new method of the security attributes definition from the bottom to improve the accuracy of software security requirements description and to avoid the defects in its audit. These methods increase audit efficiency, decrease false positive and process deep vulnerability exploitation while retaining the advantages of the high degree of automation of code audit.
分 类 号:TP393.08[自动化与计算机技术—计算机应用技术]
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在链接到云南高校图书馆文献保障联盟下载...
云南高校图书馆联盟文献共享服务平台 版权所有©
您的IP:216.73.216.30