On the security of open source software

Abstract With the rising popularity of so‐called ‘open source’ software there has been increasing interest in both its various benefits and disadvantages. In particular, despite its prominent use in providing many aspects of the Internet's basic infrastructure, many still question the suitability of such software for the commerce‐oriented Internet of the future. This paper evaluates the suitability of open source software with respect to one of the key attributes that tomorrow's Internet will require, namely security. It seeks to present a variety of arguments that have been made, both for and against open source security and analyses in relation to empirical evidence of system security from a previous study. The results represent preliminary quantitative evidence concerning the security issues surrounding the use and development of open source software, in particular relative to traditional proprietary software.     

Android应用安全缺陷的静态分析技术研究

随着移动互联网的快速发展,智能手机特别是Android智能手机的用户日益增多,Android应用的安全缺陷层出不穷。将Android应用安全缺陷分为漏洞缺陷、组件缺陷和配置缺陷等三方面,针对这些安全缺陷,对字节码文件进行静态分析,将解析的Android字节码作为检查载体,采用访问者模式为每一种脆弱性检测设计检测器。最后给出了部分代码实现,实践证明能够满足Android应用安全缺陷的静态检测需求。     

基于XML的软件安全静态检测方法研究

安全关键软件设计使用的C/C++语言含有大量未定义行为,使用不当可能产生重大安全隐患。软件静态检测是从软件代码和结构中找出安全缺陷的重要手段。从安全规则的角度,提出了基于XML（eXtensible Markup Language）中间模型的静态检测方法。该方法将C/C++源代码解释为XML中间模型,将安全规则转化为缺陷模式,利用Xquery查询表达式对软件安全缺陷进行定位。基于该方法的原型系统检验结果表明：该方法能够有效地检测出违反安全规则的软件缺陷,并具有安全规则可定制的特点。     

Integrated static code analysis and runtime verification

Static code analysis tools automatically generate alerts for potential software faults that can lead to failures. However, these tools usually generate a very large number of alerts, some of which are subject to false positives. Because of limited resources, it is usually hard to inspect all the alerts. As a complementary approach, runtime verification techniques verify dynamic system behavior with respect to a set of specifications. However, these specifications are usually created manually based on system requirements and constraints. In this paper, we introduce a noval approach and a toolchain for integrated static code analysis and runtime verification. Alerts that are generated by static code analysis tools are utilized for automatically generating runtime verification specifications. On the other hand, runtime verification results are used for automatically generating filters for static code analysis tools to eliminate false positives. The approach is illustrated for the static analysis and runtime verification of an open‐source bibliography reference manager software. Copyright © 2014 John Wiley & Sons, Ltd.     

软件安全性的静态分析

提出了基于整数区间和控制依赖图,通过静态分析来检测C语言源代码中安全漏洞的新方法.该方法在引入整数区间概念及其运算规则的基础上,把C语言中的数组、指针和整型表达式都抽象成整数区间,从而把相关安全性判断转换成整数区间之间的关系判断.最后讨论了该方法的具体算法.     

基于静态分析技术的源代码安全检测模型*

介绍了当前主流的静态代码分析技术,在分析讨论其优缺点的基础上提出了一种新的静态代码检测模型。该模型结合了当前成熟的静态分析技术,并借鉴了编译器中数据流和控制流分析的思想,获取上下文关联的数据信息,从而更加准确地分析代码中存在的安全问题。     

面向源代码的软件漏洞静态检测综述

软件静态漏洞检测依据分析对象主要分为二进制漏洞检测和源代码漏洞检测。由于源代码含有更为丰富的语义信息而备受代码审查人员的青睐。针对现有的源代码漏洞检测研究工作，从基于代码相似性的漏洞检测、基于符号执行的漏洞检测、基于规则的漏洞检测以及基于机器学习的漏洞检测4个方面进行了总结，并以基于源代码相似性的漏洞检测系统和面向源代码的软件漏洞智能检测系统两个具体方案为例详细介绍了漏洞检测过程。     

代码质量静态度量的研究与应用

代码质量度量是软件质量分析的一个重要研究方向。静态分析方法因其具有成本低、容易实现而且不依赖于程序特定的运行环境的优点,在当前软件网络化、服务化的趋势下倍受关注。针对Java代码质量度量进行研究,使用Ant工具整合各种开源的静态测试工具,并制定基于静态分析的Java代码质量综合评价方案,可支持包括代码规模、规范性、可维护性、可扩展性和潜在危险等方面的综合检测,为项目的开发者、管理者和使用者提供了实用的代码质量评价方法。     

基于结构特征的二进制代码安全缺陷分析模型

针对现有方法检测复杂结构二进制代码安全缺陷的不足,提出新的分析模型,并给出其应用方法。首先以缺陷的源代码元素集合生成特征元素集合,抽取代码结构信息,构建分析模型。然后依据各类中间表示（IR,intermediate representation）语句的统计概率计算分析模型,查找满足特征模型的IR代码组,通过IR代码与二进制代码的转换关系,实现对二进制程序中代码安全缺陷的有效检测。分析模型可应用于二进制单线程程序和并行程序。实验结果表明,相对于现有方法,应用该分析模型能够更全面深入地检测出各类结构复杂的二进制代码安全缺陷,且准确率更高。     

Web安全性测试技术综述

对Web应用程序进行有效彻底的测试是及早发现安全漏洞、提高Web应用安全质量的一种重要手段。首先介绍了Web应用安全威胁分类,总结了常见的Web应用安全漏洞;然后对当前Web安全性测试技术的研究进行了全面概述,比较了静态技术和动态技术各自的优缺点,同时对在Web安全性测试中新兴涌现的模糊测试技术进行了详细的介绍和总结;最后指出了Web安全测试中有待解决的问题以及未来的研究方向。     

源代码分析技术的理论与实践发展

源代码分析技术对于软件安全缺陷分析是一项非常重要的手段.分析了软件源代码分析工具的技术手段和发展过程,最后对源代码分析的理论和实践进行了分析总结.     

基于模糊测试的软件安全漏洞发掘技术研究

近年来,随着计算机网络技术的不断推广和应用的普及人们生活和工作越来越离不开计算机技术。目前,各行各业的发展都逐渐实现信息化。在当今互联网络时代,计算计研究工作仍然在不断深入,很多新专业软件层出不穷,但是软件的安全性是人们高度重视和思考的问题。因此,本文主要分析了模糊测试的定义,阐述了软件安全漏洞存在的危害性。针对模糊测试的软件安全性进行深入的研究,最后,通过软件安全测试试验分析静态测试和动态测试状态下,并且通过本文的研究,对未来模糊软件安全漏洞发掘技术的相关研究进行展望。希望通过本文的分析能为模糊软件安全漏洞发掘技术的研究和推广奠定坚实的基础。     

Experience with logical code analysis in software maintenance

Formal program specification and logical analysis are often used for program derivation and proofs of correctness. The basic tools include the logic of predicate calculus and Dijkstra's weakest precondition calculations. Recent work has shown that these tools are also very useful in the maintenance phase of the software life-cycle. This paper reports experience working with software maintenance teams to apply formal methods. Formal logical analysis is invaluable for isolating defects, determining code corrections, eliminating side-effects, and code re-engineering. Logical analysis works well in software maintenance because many defects can be isolated to small segments of code. These small segments can then be analyzed manually or with code analysis tools. The result is lowered software maintenance costs due to the benefits of defect prevention, reduction of code complexity metrics, productivity improvements, and better specifications and documentation. It would be beneficial to use logical code analysis in the earlier phases of the software life-cycle, such as quality assurance and inspection.     

基于静态检测工具的源代码安全缺陷检测研究*

针对已有的使用单个静态检测工具进行源代码安全缺陷检测存在的漏报率和误报率很高的问题,提出了一种基于多种静态检测工具的检测方法。该方法通过对多种工具的检测结果进行统计分析,有效地降低了漏报率和误报率。设计和实现了一个可扩展的源代码静态分析工具平台,并通过实验表明,相对于单个工具的检测结果而言,该平台明显降低了漏报率和误报率。     

A systematic literature review of actionable alert identification techniques for automated static code analysis

Context

Automated static analysis (ASA) identifies potential source code anomalies early in the software development lifecycle that could lead to field failures. Excessive alert generation and a large proportion of unimportant or incorrect alerts (unactionable alerts) may cause developers to reject the use of ASA. Techniques that identify anomalies important enough for developers to fix (actionable alerts) may increase the usefulness of ASA in practice.

Objective

The goal of this work is to synthesize available research results to inform evidence-based selection of actionable alert identification techniques (AAIT).

Method

Relevant studies about AAITs were gathered via a systematic literature review.

Results

We selected 21 peer-reviewed studies of AAITs. The techniques use alert type selection; contextual information; data fusion; graph theory; machine learning; mathematical and statistical models; or dynamic detection to classify and prioritize actionable alerts. All of the AAITs are evaluated via an example with a variety of evaluation metrics.

Conclusion

The selected studies support (with varying strength), the premise that the effective use of ASA is improved by supplementing ASA with an AAIT. Seven of the 21 selected studies reported the precision of the proposed AAITs. The two studies with the highest precision built models using the subject program’s history. Precision measures how well a technique identifies true actionable alerts out of all predicted actionable alerts. Precision does not measure the number of actionable alerts missed by an AAIT or how well an AAIT identifies unactionable alerts. Inconsistent use of evaluation metrics, subject programs, and ASAs in the selected studies preclude meta-analysis and prevent the current results from informing evidence-based selection of an AAIT. We propose building on an actionable alert identification benchmark for comparison and evaluation of AAIT from literature on a standard set of subjects and utilizing a common set of evaluation metrics.     

浅谈网络应用程序的安全性开发

随着计算机网络的迅速发展,越来越多的人在使用互联网。网络应用使人们的生活更加丰富、工作更加便利。然而,网络应用的安全问题也日益凸显其重要性。该文浅谈了网络应用程序的安全性开发。     

Bad and good news about using software assurance tools

Software assurance tools – tools that scan the source or binary code of a program to find weaknesses – are the first line of defense in assessing the security of a software project. Even though there are a plethora of such tools available, with multiple tools for almost every programming language, adoption of these tools is spotty at best. And even though different tools have distinct abilities to find different kinds of weaknesses, the use of multiple tools is even less common. And when the tools are used (or attempted to be used), they are often used in ways that reduce their effectiveness. We present a step‐by‐step discussion of how to use a software assurance tool, describing the challenges that can occur in this process. We also present quantitative evidence about the effects that can occur when assurance tools are applied in a simplistic or naive way. We base this presentation on our direct experiences with using a wide variety of assurance tools. We then present the US Department of Homeland Security funded Software Assurance Marketplace (SWAMP), an open facility where users can upload their software to have it automatically and continually assessed by a variety of tools. The goal of the SWAMP is to simplify the task of the programmer in using assurance tools, thereby removing many of the obstacles to their adoption. Copyright © 2016 The Authors. Software: Practice and Experience Published by John Wiley & Sons, Ltd.     

一种基于LDA和静态分析的代码功能识别方法

近年来,随着代码复用技术不断成熟和Internet上开源项目不断丰富,软件开发人员的开发行为也逐渐发生了变化。如今,软件开发人员在编程过程中越来越多地依赖于开源软件项目提供的功能。然而,在软件复用活动中,由于开源项目文档的不全面以及代码结构的复杂性,软件开发人员往往只能片面地了解项目的某些功能点,使得复用效率不高。针对开源项目代码丰富而文档较少这一现状,提出了一种基于LDA（Latent Dirichlet Allocation）和静态分析的代码功能识别方法,对传统LDA方法进行了扩展,帮助软件开发人员更全面地了解项目的功能点,从而更好地支持代码复用活动。     

软件源码上的数据挖掘应用综述

数据挖掘技术可以从大量的数据中发现某些有价值的知识.而将软件源码作为一种特殊的数据,在其上应用数据挖掘技术进行源码层次上的信息挖掘,已成为一个新颖而重要的课题.将对软件源码上的数据挖掘技术从各领域的应用、数据挖掘方法以及当前发展水平等主要方面展开介绍,并详细剖析当前此领域的制约因素,提出未来此领域的发展方向.