Looking for breakthrough ideas for innovation challenges? Try Patsnap Eureka!

Software security testing system and method based on dynamic taint propagation

A software security and testing system technology, applied in software testing/debugging, platform integrity maintenance, etc., can solve problems such as increased false positive rate and false negative rate, incomplete dynamic taint propagation, and inability to detect security vulnerabilities.

Active Publication Date: 2015-05-20
阿里巴巴华北技术有限公司
View PDF4 Cites 0 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

[0008] 1. Fortify Tracer needs to statically analyze the binary code of the software before checking to find out the Source code and Sink code. This is an extra workload, and the false positive rate and false negative rate depend heavily on finding out the Source code. and the algorithm of the Sink code;
[0009] 2. Since Fortify Tracer only analyzes a limited number of instrumentation points for software binary code, and the propagation and termination of a taint may be at a non-instrumentation point, dynamic taint propagation will be incomplete, resulting in false positives and missed increase in rate of return;
[0010] 3. Fortify Tracer cannot detect security vulnerabilities that require the support of the instruction tracking framework, such as Heap Buffer Overflow, Stack Buffer Overflow, Format String Overflow, and Integer Overflow (Integer Overflow), except 0 denial of service (Div Zero), etc.

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Software security testing system and method based on dynamic taint propagation
  • Software security testing system and method based on dynamic taint propagation
  • Software security testing system and method based on dynamic taint propagation

Examples

Experimental program
Comparison scheme
Effect test

Embodiment Construction

[0019] Various embodiments of the present invention will be described in detail below with reference to the accompanying drawings.

[0020] refer to figure 1 , which shows a block diagram of a software security testing system 100 based on dynamic taint propagation according to an embodiment of the present invention. Please note that throughout the specification and claims, "application" and "software" have the same meaning and can be used interchangeably. In an embodiment of the present invention, the software security testing system 100 runs on a Windows operating system. However, as a general software security testing system, the software security testing system 100 can run on any operating system.

[0021] The software security testing system 100 includes a self-modifying code module 104, a RING3 virtual machine module 106, a mark pollution source module 108, a checker module 110, and a log module 112, wherein the self-modifying code module 104 and the RING3 virtual machi...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The invention discloses a software security testing system and method based on dynamic taint propagation. The system comprises a taint source marking module (108) used for generating a taint source marking rule, a detector module (110) used for generating a detection rule, a self-correction code module (104) used for dynamically tracing each binary command of software to be tested by using a self-correction code technology, an RING3 virtual machine module (106) used for analyzing each binary command of the software to be tested by using an RING3 virtual machine and analyzing the flowing direction of the data carried by the command so as to realize taint propagation, as well as calling the taint source marking rule to mark a taint source and calling the detection rule to detect each binary command of the software to be tested, and a log module (112) used for outputting related information violating the detection rule. The software security testing system and method provided by the invention can be used for improving the detection rate of software and reducing false alarm rate and missed alarm rate.

Description

technical field [0001] The invention relates to software safety testing, in particular to a software safety testing system and method based on Dynamic Taint Propagation. Background technique [0002] Software security testing is an important means to ensure software security and reduce software security risks. The main purpose of software security assurance is to prevent hackers or malicious insiders from attacking software, and to ensure that the software can still run normally even when it is attacked maliciously. Since the attacker mainly attacks the software by inputting malicious data, the security problem of the software mainly comes from the external input data. [0003] At present, the techniques for implementing software security testing by performing security testing on external input data mainly include static source code security testing techniques and dynamic penetration testing techniques. Static source code security testing technology mainly scans the source...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
Patent Type & Authority Patents(China)
IPC IPC(8): G06F21/57G06F11/36
Inventor 王伟
Owner 阿里巴巴华北技术有限公司
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Patsnap Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More
PatSnap group products