
Function Vulnerability Detection Method Based on Parse Tree (基于语法解析树的函数漏洞发现方法)

Journal article; cited by 1.
Abstract: Vulnerability detection for most industry-specific custom software is difficult, and traditional static vulnerability detection methods produce a great deal of erroneous and spurious information. Targeting vulnerabilities that arise before and after a function call, this paper proposes a parse-tree method, based on a context-free grammar, that combines top-down and bottom-up parsing. It can parse the security contract rules surrounding a function call, namely the precondition rules and postcondition rules, even when the function's internal definition is unknown or only partially known. At the same time, by extending the XML grammar used to express rules, it represents contract rules for the object-oriented case in which the attributes appearing in a rule have inheritance relationships. Experiments show that, compared with security analysis tools of the same type, the method avoids repeated analysis of functions, has good rule extensibility, and achieves especially high accuracy for custom object classes and for custom parameters in specific environments.

English abstract (as published): Custom software vulnerability detection is difficult. Most static vulnerability detection approaches usually produce a large amount of false information and false positives. A new method is able to understand the analyzed source code when a function is called. This paper proposes a method combining top-down and bottom-up parse trees based on CFL (context-free language). When the code inside a function definition is not understood or only partially understood, it can analyze the function contract before or after the function is called, named precondition and postcondition. By extending the rules of the XML grammar to the object-oriented case, precondition and postcondition can deal with objects belonging to classes in an inheritance relationship. The experiments show that, compared with the same type of security analysis tools, it avoids repeated function analysis, has good rule scalability, and has high accuracy for custom-defined object classes and parameters, especially in custom environments.
Source: Computer Science (《计算机科学》), CSCD, Peking University core journal, 2013, No. 8, pp. 119-123, 135 (6 pages).
Funding: National Natural Science Foundation of China, project 11103005.
Keywords: function vulnerability; inheritance relationship; contract rules; parse tree.