共查询到20条相似文献,搜索用时 15 毫秒
1.
Christian Payne 《Information Systems Journal》2002,12(1):61-78
Abstract With the rising popularity of so‐called ‘open source’ software there has been increasing interest in both its various benefits and disadvantages. In particular, despite its prominent use in providing many aspects of the Internet's basic infrastructure, many still question the suitability of such software for the commerce‐oriented Internet of the future. This paper evaluates the suitability of open source software with respect to one of the key attributes that tomorrow's Internet will require, namely security. It seeks to present a variety of arguments that have been made, both for and against open source security and analyses in relation to empirical evidence of system security from a previous study. The results represent preliminary quantitative evidence concerning the security issues surrounding the use and development of open source software, in particular relative to traditional proprietary software. 相似文献
2.
《Information Security Journal: A Global Perspective》2013,22(6):346-352
ABSTRACT Software security helps in identifying and managing risks. One of the effective ways to identify software vulnerabilities is to analyze its code. Code analysis (Chess & West, 2007) helps in catching common coding mistakes such as buffer overflow, unused variables, memory leaks, and various race conditions, which in turn optimizes computer programs, both in storage and computation aspects. Software developers use either open source tools or commercial tools for verification and validation of software. Without proper validation of a software/system using some standard guidelines, potential attackers can find ways to exploit vulnerabilities and bugs and then can gain control over a system, if they are successful. In this paper, we discuss some of the open source static code analysis and dynamic analysis tools, their merits, and limitations with respect to some target codes that contain possible threats. We consider C/C++ and Java programming languages for our experiments. For static code analyzers, we consider Flawfinder, Splint, and Cppcheck; PMD, Findbugs, and Valgrind for dynamic code analysis, and its plug-in, Memcheck, to perform dynamic analysis on executables. We provide our observations in a comparison table, highlighting these tools strengths and weaknesses. 相似文献
3.
软件静态缺陷检测是软件安全领域中的一个研究热点.随着使用C/C++语言编写的软件规模和复杂度的逐渐提高, 软件迭代速度的逐渐加快, 由于静态软件缺陷检测不需要运行目标代码即可发现其中潜藏的缺陷, 因而在工业界和学术界受到了更广泛的关注.近年来涌现大量使用软件静态分析技术的检测工具, 并在不同领域的软件项目中发挥了不可忽视的作用, 但是开发者仍然对静态缺陷检测工具缺乏信心.高误报率是C/C++静态缺陷检测工具难以普及的首要原因.因此, 我们选择现有较为完善的开源C/C++静态缺陷检测工具, 在Juliet基准测试集和37个良好维护的开源软件项目上对特定类型缺陷的检测效果进行了深入研究, 结合检测工具的具体实现归纳了导致静态缺陷检测工具产生误报的关键原因.同时, 我们通过研究静态缺陷检测工具的版本迁移轨迹, 总结出了当下静态分析工具的发展方向和未来趋势, 有助未来静态分析技术的优化和发展, 从而实现静态缺陷检测工具的普及应用. 相似文献
4.
本研究旨在探讨计算机软件当中的安全漏洞检测技术及其应用。在简要介绍计算机软件安全漏洞相关内容的基础上,针对计算机软件中安全漏洞的动态、静态检测技术作了一些详细的探讨。 相似文献
5.
6.
软件与网络安全研究综述 总被引:2,自引:0,他引:2
互联网已经渗入人类社会的各个方面,极大地推动了社会进步。与此同时,各种形式的网络犯罪、网络窃密等问题频频发生,给社会和国家安全带来了极大的危害。网络安全已经成为公众和政府高度关注的重大问题。由于互联网的大量功能和网络上的各种应用都是由软件实现的,软件在网络安全的研究与实践中扮演着至关重要的角色。事实上,几乎所有的网络攻击都是利用系统软件或应用软件中存在的安全缺陷实施的。研究新形势下的软件安全问题日益迫切。本文从恶意软件、软件漏洞和软件安全机制三个方面综述国内外研究现状,进而分析软件生态系统面临的全新安全挑战与发展趋势。 相似文献
7.
软件安全漏洞测试技术属于信息安全领域中一个非常重要的内容,本文对其概念进行了分析,并在此基础上探讨了当前的软件安全漏洞挖掘技术以及其流程,最终总结了其发展方向,希望给我们的工作起到一定的指导和促进作用。 相似文献
8.
《Information Security Journal: A Global Perspective》2013,22(1):8-25
ABSTRACT This paper provides a taxonomy of secure software systems engineering (SSE) by surveying and organizing relevant SSE research and presents current trends in SSE, on-going challenges, and models for reasoning about threats and vulnerabilities. Several challenging questions related to risk assessment/mitigation (e.g., “what is the likelihood of attack”) as well as practical questions (e.g., “where do vulnerabilities originate” and “how can vulnerabilities be prevented”) are addressed. 相似文献
9.
随着移动互联网的快速发展,智能手机特别是Android智能手机的用户日益增多,Android应用的安全缺陷层出不穷。将Android应用安全缺陷分为漏洞缺陷、组件缺陷和配置缺陷等三方面,针对这些安全缺陷,对字节码文件进行静态分析,将解析的Android字节码作为检查载体,采用访问者模式为每一种脆弱性检测设计检测器。最后给出了部分代码实现,实践证明能够满足Android应用安全缺陷的静态检测需求。 相似文献
10.
针对克隆代码与非克隆代码产生\"漏洞\"倾向性的问题进行了研究,基于\"漏洞\"对不同类型克隆和非克隆代码进行了比较分析。首先提取软件系统中具有漏洞的代码,并使用克隆检测工具检测出软件的克隆代码;其次分别提取能够产生\"漏洞\"的克隆和非克隆代码,并分别计算不同克隆类型和非克隆的BOC漏洞密度和LOC漏洞密度;最后对type-1、pure type-2、pure-type3的克隆和非克隆漏洞密度进行了对比分析,并对代码中产生的\"漏洞\"类型进行分类分析,使用曼—惠特尼检验(WMM)验证了结果的有效性。实验结果表明type-1类型的克隆更容易产生\"漏洞\",pure type-3类型的克隆引入漏洞的几率相对较小。研究还得出在克隆和非克隆代码中分别存在出现频率较高的\"漏洞\"集合,增加了对克隆特性的理解,帮助软件设计和开发人员减少代码克隆对软件造成的负面影响。 相似文献
11.
随着全球信息化的迅猛发展,计算机软件已成为世界经济、科技、军事和社会发展的重要引擎。信息安全的核心在于其所依附的操作系统的安全机制以及软件本身存在的漏洞。软件漏洞本身无法构成攻击,软件漏洞利用使得把漏洞转化为攻击变为可能。文章立足于Windows操作系统,主要分析了一些常用软件的典型漏洞原理以及常见的利用方法,比较了不同利用方法在不同环境下的性能优劣,并简单分析了Windows的安全机制对软件的防护作用以及对软件漏洞利用的阻碍作用。文章着重对几种典型漏洞进行了软件漏洞利用的探索和实践,并使用当前流行的对安全机制的绕过方法分析了Windows几种安全机制的脆弱性。 相似文献
12.
吕云芳 《电脑编程技巧与维护》2012,22(22):100-101,114
计算机网络技术的日益发展和普及在为人们带来极大的便利的同时,其安全方面存在的问题及隐患也给人们带来了很大困扰.为了避免各种不安全因素对计算机软件所带来的危害,必须进行有效安全体系的构建,以实现对计算机软件安全漏洞的有效检测和防护.鉴于此,重点就计算机软件安全漏洞的动态检测技术进行系统分析,为计算机软件安全体系的构建提供理论依据. 相似文献
13.
缓冲区溢出目前已成为最常见的软件安全漏洞之一,从源代码形式来看,常见的缓冲区溢出漏洞主要有两种类型:数据拷贝和格式化字符串造成的缓冲区溢出.分析了常见缓冲区溢出漏洞发生的原因,给出了格式化字符串存储长度的计算方法,介绍了一种基于源代码静态分析的缓冲区溢出检测算法,该算法首先对源代码进行建模,构造其抽象语法树、符号表、控制流图、函数调用图,在此基础上运用区间运算技术来分析和计算程序变量及表达式的取值范围,并在函数间分析中引入函数摘要来代替实际的函数调用.最后使用该方法对开源软件项目进行检测,结果表明该方法能够有效地、精确地检测缓冲区溢出. 相似文献
14.
Web工程中存在的后门给网站安全带来极大风险,针对日益猖獗的后门攻击,文章提出了一种基于静态分析的后门检测技术,该技术通过分析源代码,可以检测出Java语言Web工程中存在的主要后门漏洞,并结合流分析及关键数据传播分析,给出漏洞的完整攻击路径。 相似文献
15.
程序缺陷分析与安全保护技术研究 总被引:2,自引:0,他引:2
程序安全是信息安全研究的一个重要方向,主要研究程序缺陷分析和安全保护技术等.介绍程序缺陷分析研究及其分类方法,然后将程序安全保护研究分为三类主要途径进行重点阐述和分析,最后讨论程序安全研究的发展趋势. 相似文献
16.
Software assurance tools – tools that scan the source or binary code of a program to find weaknesses – are the first line of defense in assessing the security of a software project. Even though there are a plethora of such tools available, with multiple tools for almost every programming language, adoption of these tools is spotty at best. And even though different tools have distinct abilities to find different kinds of weaknesses, the use of multiple tools is even less common. And when the tools are used (or attempted to be used), they are often used in ways that reduce their effectiveness. We present a step‐by‐step discussion of how to use a software assurance tool, describing the challenges that can occur in this process. We also present quantitative evidence about the effects that can occur when assurance tools are applied in a simplistic or naive way. We base this presentation on our direct experiences with using a wide variety of assurance tools. We then present the US Department of Homeland Security funded Software Assurance Marketplace (SWAMP), an open facility where users can upload their software to have it automatically and continually assessed by a variety of tools. The goal of the SWAMP is to simplify the task of the programmer in using assurance tools, thereby removing many of the obstacles to their adoption. Copyright © 2016 The Authors. Software: Practice and Experience Published by John Wiley & Sons, Ltd. 相似文献
17.
源代码分析技术对于软件安全缺陷分析是一项非常重要的手段.分析了软件源代码分析工具的技术手段和发展过程,最后对源代码分析的理论和实践进行了分析总结. 相似文献
18.
软件安全漏洞的静态检测技术 总被引:2,自引:3,他引:2
软件安全漏洞问题日益严重,静态漏洞检测提供从软件结构和代码中寻找漏洞的方法。该文研究软件漏洞静态检测的两个主要方面:静态分析和程序验证,重点分析词法分析、规则检查、类型推导、模型检测、定理证明和符号执行等方法,将常用的静态检测工具按方法归类,讨论、总结静态检测技术的优势、适用性和发展趋势。 相似文献
19.
OSGi platforms are extensible component platforms, i.e. they support the dynamic and transparent installation of components that are provided by third party providers at runtime. This feature makes systems built using OSGi extensible and adaptable, but opens a dangerous attack vector that has not been considered as such until recently. Performing a security benchmark of the OSGi platform is therefore necessary to gather knowledge related to the weaknesses it introduces as well as to propose enhancements. A suitable Vulnerability Pattern is defined. The attacks that can be performed through malicious OSGi components are identified. Quantitative analysis is then performed so as to characterize the origin of the vulnerabilities and the target and consequences of the attacks. The assessment of the security status of the various implementations of the OSGi platform and of existing security mechanisms is done through a metric we introduce, the Protection rate (PR). Based on these benchmarks, OSGi‐specific security enhancements are identified and evaluated. First recommendations are given. Then evaluation is performed through the PR metric and performance analysis. Lastly, further requirements for building secure OSGi platforms are identified. Copyright © 2008 John Wiley & Sons, Ltd. 相似文献
20.