Security Testing Model of Third-Party Component Based on Formal Monad and Its Application

Cited by: 2


Authors: CHEN Jin-Fu (陈锦富)[1]; ZHAO Xiao-Lei (赵小磊)[1]; LIU Yi-Song (刘一松)[1]; HUANG Ru-Bing (黄如兵)[1]; CAI Sai-Hua (蔡赛华); GUO Yu-Chi (郭昱池) (School of Computer Science and Communication Engineering, Jiangsu University, Zhenjiang, Jiangsu 212013)

Affiliation: [1] School of Computer Science and Communication Engineering, Jiangsu University

Source: Chinese Journal of Computers (《计算机学报》), 2019, No. 7, pp. 1626-1639 (14 pages)

Funding: Supported by the National Natural Science Foundation of China (61202110, 61502205) and the China Postdoctoral Science Foundation (2015M571687, 2015M581739)

Abstract (translated from the Chinese): Because third-party components are usually developed by different organizations, and the corresponding requirements and development documentation and source code cannot be obtained, traditional software security testing methods cannot be applied. By analyzing component interface information and drawing on software data mining techniques, information such as the execution sequences of a component's interface methods and its requirement specifications can be obtained, and test log information can in turn be analyzed and processed. To address the difficulty of testing the security of third-party components, this paper proposes a testing model and testing framework that use data mining techniques. The proposed method first formally defines the basic elements of the testing model, then designs a testing framework based on this model, and uses monads to formally describe the testing process and the data mining algorithms. To realize the testing framework, the paper implements the relevant data mining algorithms and develops a system for testing the security of third-party components (Component Security Testing System based on Data Mining, CSTS-DM). Finally, the testing model and CSTS-DM are evaluated through case analysis and experiments; analysis and testing of commercial components and simulated components verify the effectiveness and efficiency of the CSTS-DM prototype testing system, and the validity and feasibility of the proposed testing framework and testing model are also analyzed.

Abstract (English, as published): Third-party components, which are usually developed by different organizations, have been widely used in software systems. Component-based software engineering (CBSE) has developed rapidly along with software engineering technology, which enhances the development efficiency of different software. As a result, software development time is reduced, and the cost of software maintenance is also cut to some extent. At present, CBSE is an important approach to developing software systems in industry. With the popularization of third-party components, research on security testing for third-party components is very important. Component security vulnerabilities are flaws in component security, including all the factors that threaten and destroy component security. Component security vulnerabilities usually include explicit and implicit vulnerabilities. Explicit vulnerabilities are commonly caused by memory leaks or buffer overflows, while implicit vulnerabilities are usually caused by violating the security requirement specification. Both explicit and implicit vulnerabilities are very difficult to detect with traditional approaches, which lack effective detection models and detection means. Because some components come from third-party providers and their source code and detailed development documentation cannot be obtained, it is difficult to ensure their security through traditional testing methods.
With data mining technology, the test sequences of component methods and the component requirements may be obtained by processing large-scale test data. Based on data mining technology, we present a testing framework and testing model for component security. (1) We propose a testing model for component security on the basis of data mining techniques. First, the major model elements are created; the model elements include component specification, component testing log, component method sequence, data mining algorithm, security

Keywords: component software; security testing; testing model; interface method; data mining algorithm

Classification number: TP311 [Automation and Computer Technology: Computer Software and Theory]

 
