Method and device for detecting security flaws of software source codes

A detection method and device for software source code, applicable to computer security devices, instruments, electrical digital data processing, etc. It addresses the problems of insufficiently comprehensive detection, limited detection methods, and the inability to effectively detect security vulnerabilities, and has the effect of avoiding malicious manipulation and enhancing security.

Active Publication Date: 2010-03-03
SIEMENS CHINA

AI Technical Summary

Problems solved by technology

However, its disadvantage is that static source code analysis is only suitable for detecting syntax-related security vulnerabilities, such as buffer overflows and race conditions; it is powerless to analyze semantics-related security vulnerabilities such as command injection and database injection.
[0004] As can be seen from the above, although current security vulnerability detection methods can detect some security vulnerabilities in software, the limitations of each detection method mean that detection is not comprehensive enough and cannot effectively detect the various security vulnerabilities in software source code.

Examples

Embodiment Construction

[0045] In order to make the object, technical solution and advantages of the present invention clearer, the present invention will be further described in detail below with reference to the accompanying drawings and examples.

[0046] In practice, an attacker supplies carefully designed input data that makes the software execute along a certain path, which eventually leads to security problems such as buffer overflow and code injection. These execution paths that threaten software security are called Potential Vulnerable Execution Paths (PVEP), and they are the targets of attackers. The present invention therefore detects security vulnerabilities by searching for potential risk execution paths in software source code.

[0047] Based on the above considerations, the present invention provides a detection scheme for software security vulnerabilities. The scheme establishes an Abstract Syntax Tree (AST, Abstract Synta...

Abstract

The invention discloses a method for detecting security flaws of software source codes. The method comprises the following steps: establishing an abstract syntax tree (AST) corresponding to the source codes of the software to be detected; determining the controllable points and risk points of each node of the established AST according to predefined controllable points and risk points; and searching for an execution path between the controllable points and the risk points in the AST, where, if the risk points on the execution path can be controlled by the controllable points on the execution path, the execution path is determined to be a potential risk execution path that may cause security flaws. The invention also discloses a device for detecting the security flaws of the software. The method and the device can effectively detect the security flaws existing in the source codes of the software.
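The steps in the abstract (build the AST, mark controllable points and risk points, then search for a path from one to the other) can be sketched with Python's standard `ast` module. This is an added example, not the patent's algorithm or code: the `CONTROLLABLE` and `RISK` lists, the function names and the sample input are assumptions, and the search only follows assignments through top-level, straight-line statements.

```python
import ast

CONTROLLABLE = {"input"}                          # controllable points (assumed list)
RISK = {"os.system", "eval", "subprocess.call"}   # risk points (assumed list)

def call_name(call):
    """Dotted name of a call target, e.g. 'os.system'; '' if not a plain name."""
    parts, f = [], call.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    return ".".join(reversed(parts + [f.id])) if isinstance(f, ast.Name) else ""

def origin(expr, tainted):
    """Steps by which expr is controlled by a controllable point, else None."""
    for n in ast.walk(expr):
        if isinstance(n, ast.Call) and call_name(n) in CONTROLLABLE:
            return [f"{call_name(n)}() line {n.lineno}"]
        if isinstance(n, ast.Name) and n.id in tainted:
            return tainted[n.id]
    return None

def find_pvep(source):
    """Walk top-level statements in order; return controllable->risk paths."""
    tainted, paths = {}, []
    for stmt in ast.parse(source).body:
        for n in ast.walk(stmt):                  # risk points in this statement
            if isinstance(n, ast.Call) and call_name(n) in RISK:
                for arg in n.args:
                    path = origin(arg, tainted)
                    if path:
                        paths.append(path + [f"{call_name(n)}() line {n.lineno}"])
        if isinstance(stmt, ast.Assign):          # propagate or clear control
            path = origin(stmt.value, tainted)
            for t in stmt.targets:
                if isinstance(t, ast.Name) and path:
                    tainted[t.id] = path + [f"{t.id} line {stmt.lineno}"]
                elif isinstance(t, ast.Name):
                    tainted.pop(t.id, None)
    return paths

# Constructed sample input (parsed only, never executed).
SAMPLE = '''import os
name = input()
cmd = "ls " + name
os.system(cmd)
safe = "ls /tmp"
os.system(safe)
'''
```

`find_pvep(SAMPLE)` reports the single path from `input()` through `name` and `cmd` to `os.system()`, and does not report the call whose argument is a constant string.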

Description

Technical field

[0001] The invention relates to the technical field of software security, in particular to a detection method and a detection device for security loopholes of software source codes.

Background technique

[0002] At present, software is increasingly used to process various sensitive and high-value information, such as business information, financial information, etc., which makes software increasingly an attack target for attackers who attempt to obtain such information. Attackers attempt to exploit security holes in the software to interfere with the running of the software and implement malicious operations on the software. Among them, the security loopholes introduced in the source code writing stage are the most common security loopholes. Therefore, it is necessary to develop an effective security vulnerability detection method to detect potential security vulnerabilities existing in the source code.

[0003] At present, automatic code security auditing ...

Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/22, G06F21/57
Inventor: 唐文
Owner: SIEMENS CHINA