Software security test method based on global data structure description

Abstract

The invention discloses a software security test method (100) based on global data structure description. The software security test method (100) comprises the following steps of: writing a data structure description file (102) of tested software on the basis of a file for describing a data structure and a rule of the tested software according to a data structure uniform description rule; acquiring a global data view (104) of a basic sample by using the data structure description file; starting to analyze the basic sample from a test point step by step to generate a local data view, and generating a test sample group (104) from the basic sample on the basis of the global data view and the local data view according to a test strategy; and performing a security test (108) on the tested software by using the test sample group. The software security test method (100) is higher in coverage rate and more precise in test samples; and a test result can be data-index quantified.

Description

technical field [0001] The invention relates to software safety testing, in particular to a software safety testing method based on global data structure description. Background technique [0002] Software security loopholes have become the most important basic factor for its security threats. Existing technologies for security testing by mining security vulnerabilities mainly include black-box fuzzy (FUZZ) testing technology, white-box source code auditing technology, and gray-box path testing technology. [0003] Black-box fuzz testing technology generates a large number of new test samples by deforming the given data samples according to a certain strategy, and then starts the tested application to process these test samples to detect whether the application is abnormal. The advantage of this technology is that the threshold is low, no source code and related technical information are required, and it can be realized only with applications and corresponding data samples....

AI Technical Summary

Problems solved by technology

But the disadvantage of this technology is that the first is the need for source code, but in many cases the source code is difficult to obtain

The second is that it can only target relatively simple forms of security vulnerabilities with certain characteristics, and it is difficult to describe and thus detect many complex forms of security vulnerabilities.

The third is that it can only target the source code, and it is impossible to find security holes caused by factors such as compilation optimization during the compilation process.

This technology has always been the focus of research at home and abroad, but it is difficult to be practical at present. The existing problems are: the application is very complicated, a large number of execution paths need to be covered, and it is difficult to analyze

For example, for the XLS file structure of Microsoft Office's EXCEL, physically, each record needs to be within 0x8020 bytes. If a record is larger than 0x8020 bytes, it must be divided into two physical records, but in the data structure In the logical view, these two physical records belong to one record, which needs to be physically merged first, and then processed by the logic

Images