工业嵌入式软件开发安全漏洞模式研究  被引量：4

作　　者：高庆 陈静 许平 张世琨[1] Gao Qing;Chen Jing;Xu Ping;Zhang Shikun(National Engineering Research Center for Software Engineering,Peking University,Beijing 100871;Beijing Beida Software Engineering Co.,Ltd.,Beijing 100080;No.30 Institute of CETC,Chengdu 610041)

机构地区：[1]北京大学软件工程国家工程研究中心,北京100871 [2]北京北大软件工程股份有限公司,北京100080 [3]中国电子科技集团公司第三十研究所,成都610041

出　　处：《信息安全研究》2022年第6期595-604,共10页Journal of Information Security Research

基　　金：国家重点研发计划项目(2021YFB3101802)。

摘　　要：随着工业化和信息化的深度融合,针对工业互联网的安全事件频发,越来越多的攻击者把攻击目标锁定在国家关键基础设施上.近年来,嵌入式软件的规模及复杂程度急剧增大,尤其在国防、轨道交通、汽车、民航以及工业控制等领域的用户对嵌入式软件质量要求更加严格,要求嵌入式软件更加安全.在收集和分析嵌入式软件安全编码标准的基础上,对嵌入式软件安全漏洞模式进行梳理,提出国内首套比较全面的嵌入式软件开发安全漏洞模式清单,包括嵌入式特有的安全漏洞模式、导致嵌入式系统崩溃或者拒绝服务等严重后果的漏洞模式以及其他缺陷模式.最后,针对这些安全漏洞模式简要介绍了使用这些安全漏洞模式如何保障嵌入式软件安全的静态分析技术,从而在软件开发过程的源头发现安全问题并得到及时解决,确保证工业软件的安全.With the deep integration of industrialization and informatization, the industrial Internet security incidents occur frequently. More and more attackers focus on the critical national infrastructure. In recent years, the scale and complexity of embedded software have increased sharply, especially in the fields of national defense, rail transit, automobile, civil aviation, and industrial control. Users have more strict requirements on the quality of embedded software and require embedded software to be more secure. Based on the collection and analysis of embedded software security coding standards, this article arranges the first all-around list of security vulnerability patterns for embedded software development in China. This list includes the unique security vulnerability patterns of embedded systems, the vulnerability patterns that will cause serious consequences, such as the crash of embedded systems or denial of service, and other vulnerability patterns. Finally, this article briefly introduces the static analysis technology of how to ensure the security of embedded software by using these security vulnerability patterns. Thus, security problems are found at the beginning of the software development process and will be solved in time, so as to better ensure the security of industrial software.

关 键 词：工业互联网 嵌入式软件 安全编码标准 静态分析 漏洞模式 

分 类 号：TP311.52[自动化与计算机技术—计算机软件与理论]