20 similar documents found; search took 15 ms.
3.
Journal of Systems Architecture, 2013, 59(9): 731-739
Web services are becoming critical components of business applications, but they are often deployed with serious software and application bugs that can be exploited by malicious users. Because existing centralized vulnerability scanning systems often hit a performance bottleneck under the huge number of scanning tasks, a novel service vulnerability scanning scheme is highly desirable. In this paper, we propose a service vulnerability scanning scheme based on service-oriented architecture (SoA) for Web service environments. The scanning scheme contains three components: a domain-oriented distributed architecture, a service-providing mode based on SoA, and a hierarchical strategy scheduling model. The hierarchical strategy scheduling model is the key part of the scheme; it solves the problems of distributed scheduling management that arise in the vulnerability scanning process for Web service environments. We built a centralized scanner to compare our scheme with other schemes by implementing a prototype system. Experimental results show that our proposed scheme outperforms the other schemes with respect to time cost, accuracy and load.
4.
Kirkegaard C., Moller A., Schwartzbach M.I. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2004, 30(3): 181-192
XML documents generated dynamically by programs are typically represented as text strings or DOM trees. This is a low-level approach for several reasons: 1) traversing and modifying such structures can be tedious and error prone; 2) although schema languages, e.g., DTD, allow classes of XML documents to be defined, there are generally no automatic mechanisms for statically checking that a program transforms from one class to another as intended. We introduce XACT, a high-level approach for Java using XML templates as a first-class data type with operations for manipulating XML values based on XPath. In addition to an efficient runtime representation, the data type permits static type checking using DTD schemas as types. By specifying schemas for the input and output of a program, our analysis algorithm will statically verify that valid input data is always transformed into valid output data and that the operations are used consistently.
6.
Sharp M., Rountev A. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2006, 32(9): 664-681
Distributed applications provide numerous advantages related to software performance, reliability, interoperability, and extensibility. This paper focuses on distributed Java programs built with the help of the remote method invocation (RMI) mechanism. We consider points-to analysis for such applications. Points-to analysis determines the objects pointed to by a reference variable or a reference object field. Such information plays a fundamental role as a prerequisite for many other static analyses. We present the first theoretical definition of points-to analysis for RMI-based Java applications, and we present an algorithm for implementing a flow- and context-insensitive points-to analysis for such applications. We also discuss the use of points-to information for constructing call graph information, for understanding data dependencies due to remote memory locations, and for identifying opportunities for improving the performance of object serialization at remote calls. The work described in this paper solves one key problem for static analysis of RMI programs and provides a starting point for future work on improving the understanding, testing, verification, and performance of RMI-based software.
7.
Java is currently one of the major object-oriented programming languages. Because of the complex structure of the Java language, program slicing of Java programs is very difficult. This paper proposes a hierarchical algorithm for constructing the system dependence graph of a Java program: following the hierarchical structure of the program itself, the system dependence graph is built top-down, and an improved two-phase algorithm is then applied to the constructed graph to obtain Java program slices.
8.
Resource leaks in programs are a key issue for software performance; if handled improperly, they can greatly degrade the performance of the software. This article explains the common causes of resource leaks in Java programming and analyzes in detail several situations in which resource leaks are likely to occur.
10.
Long B., Hoffman D., Strooper P. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2003, 29(6): 555-566
Concurrent programs are hard to test due to their inherent nondeterminism. This paper presents a method and tool support for testing concurrent Java components. Tool support is offered through ConAn (Concurrency Analyser), a tool for generating drivers for unit testing Java classes that are used in a multithreaded context. To obtain adequate controllability over the interactions between Java threads, the generated driver contains threads that are synchronized by a clock. The driver automatically executes the calls in the test sequence in the prescribed order and compares the outputs against the expected outputs specified in the test sequence. The method and tool are illustrated in detail on an asymmetric producer-consumer monitor. Their application to testing over 20 concurrent components, a number of which were sourced from industry and were found to contain faults, is presented and discussed.
11.
Backdoors in Web projects pose a great risk to website security. In response to increasingly rampant backdoor attacks, this article proposes a backdoor detection technique based on static analysis. By analyzing the source code, the technique can detect the main backdoor vulnerabilities present in Java Web projects and, by combining flow analysis with propagation analysis of key data, report the complete attack path of each vulnerability.
13.
Today, most middle-end mobile phones embed a Java runtime environment that can execute programs downloaded from the network by the user. This new functionality creates great opportunities for new services but also brings the full range of risks that existed on the personal computer to the phone. Telecommunication operators are the last guarantors of the quality of the software downloaded by their customers and might sign the applications they trust. Unfortunately, they have little evidence with which to check the quality of the contents of the jammed bytecode they receive from developers. The traditional evaluation process relies mostly on manual testing of the software on actual terminals, but this is not suited to security properties. MATOS (Midlet Analysis TOol Suite) is a static analysis tool that checks the possible values passed to some identified methods directly on the compiled application. It is used by the test teams of the mobile operator Orange to check what kinds of connections are opened by MIDP applications. We present the security requirements we want to check, how MATOS helps to ensure them, and how the necessary analyses are performed using a combination of (rather) well-known analysis techniques.
16.
A graduation project management system based on Java Web component technology
In view of the current state of campus digital management at the University of Shanghai for Science and Technology and the practical needs of graduation project management, the basic modules of a graduation project management system based on Java Web component technology are designed and the basic workflow of the system is described. JavaBeans for data processing, file management and generation of user identity verification codes are designed, and a random method for assigning students to topics is proposed.
18.
Backdoors in legitimate software, whether maliciously inserted or carelessly introduced, are a risk that should be detected before the affected software or system is deployed. Automated static analysis of executable code can detect many classes of malicious behavior. This paper covers the techniques that can be employed to detect special credentials, hidden commands, information leakage, rootkit behavior, anti-debugging, and time bombs.
19.
Ruoyu Zhang, Shiqiu Huang, Zhengwei Qi, Haibing Guan. Computers & Mathematics with Applications, 2012, 63(2): 469-480
The evolution of computer science has exposed us to the growing gravity of security problems and threats. Dynamic taint analysis is a prevalent approach to protecting a program from malicious behavior, but it fails to provide any information about code that is not executed. This paper describes a novel approach that overcomes this limitation of traditional dynamic taint analysis by integrating static analysis into the system, and presents the framework SDCF for detecting software vulnerabilities with high code coverage. Our experiments show that SDCF is not only able to provide efficient runtime protection, introducing an overhead of 4.16× with the taint tracing technique, but is also capable of discovering latent software vulnerabilities that have not yet been exploited, achieving code coverage of more than 90%.
20.
Fang Yu, Muath Alkhalaf, Tevfik Bultan, Oscar H. Ibarra. Formal Methods in System Design, 2014, 44(1): 44-70
Verifying string-manipulating programs is a crucial problem in computer security. String operations are used extensively within web applications to manipulate user input, and their erroneous use is the most common cause of security vulnerabilities in web applications. We present an automata-based approach for symbolic analysis of string-manipulating programs. We use deterministic finite automata (DFAs) to represent the possible values of string variables. Using forward reachability analysis, we compute an over-approximation of all possible values that string variables can take at each program point. Intersecting these with a given attack pattern yields the potential attack strings if the program is vulnerable. Based on the presented techniques, we have implemented Stranger, an automata-based string analysis tool for detecting string-related security vulnerabilities in PHP applications. We evaluated Stranger on several open-source Web applications, including one with 350,000+ lines of code. Stranger is able to detect known and unknown vulnerabilities and, after proper sanitization routines are inserted, to prove the absence of vulnerabilities with respect to the given attack patterns.