Software security test method based on global data structure description

A software security testing method, applied in the field of software security testing, that addresses problems such as complicated application, rules that PEACH cannot describe, and description rules and tests that cannot target network packets.

Active Publication Date: 2011-11-16
ZHEJIANG TMALL TECH CO LTD

AI Technical Summary

Problems solved by technology

The disadvantages of this technology are, first, that it needs source code, which in many cases is difficult to obtain.
Second, it can only target relatively simple forms of security vulnerabilities with certain characteristics; many complex forms of security vulnerabilities are difficult to describe and therefore difficult to detect.
Third, it can only target the source code, so it cannot find security holes caused by factors such as compiler optimization during compilation.
This technology has always been a focus of research at home and abroad, but it is currently difficult to make practical. The existing problems are: the application is very complicated, a large number of execution paths need to be covered, and it is difficult to analyze
For example, in the XLS file structure of Microsoft Office Excel, each physical record must fit within 0x8020 bytes. A record larger than 0x8020 bytes must be divided into two physical records, but in the logical view of the data structure these two physical records belong to one record: they must first be physically merged and then processed through the logical view of the data structure. PEACH cannot describe such a rule at all.
[0010] 2) Description rules and tests cannot target network packets
Therefore it is also difficult for PEACH to describe these rules and methods.
[0012] 3) Complex field relationships cannot be described; only simple length relationships are supported
[0013] PEACH supports only a simple length-relationship description between fields, that is, the length of field B is given by field A. More complex relationships between fields are difficult to describe, for example the case where the length of field B is field A * field C.
At the same time, many other calculated relationships between fields can affect security.
[0014] 4) An overall data view cannot be realized, and there is no test strategy for the overall data view
[0015] Since PEACH can only describe the structure in a simple way, it cannot form an overall data view, nor can it perform more advanced tests at the level of the data as a whole, so it cannot break through the limitation that traditional fuzz testing can only test individual fields.
[0016] 5) It relies on the data area covered by the original sample and cannot break beyond it
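
The computed field relationship from item 3) (length of field B = field A * field C) can drive test generation once it is written down explicitly. The following is an added example, not code from the patent or from PEACH; the record layout (two 16-bit fields followed by a payload), the function names and the sample bytes are all assumptions made for illustration.

```python
import struct

# Constructed record layout (an assumption for this example, not from the patent):
#   A: u16 LE row count | C: u16 LE column count | B: payload of A*C bytes
HEADER = struct.Struct("<HH")
BASE_SAMPLE = HEADER.pack(3, 4) + bytes(range(12))  # constructed base sample

def build_view(sample):
    """Return field values, the offset of B, and B's declared vs. actual length."""
    a, c = HEADER.unpack_from(sample, 0)
    declared, actual = a * c, len(sample) - HEADER.size
    return {"A": a, "C": c, "B_offset": HEADER.size, "B_declared": declared,
            "B_actual": actual, "consistent": declared == actual}

def emit(a, c, payload):
    """Serialise one record; A and C are written as given, valid or not."""
    return HEADER.pack(a, c) + payload

def generate_samples(base):
    """Derive named test samples from a consistent base sample."""
    view = build_view(base)
    a, c, payload = view["A"], view["C"], base[view["B_offset"]:]
    if not view["consistent"] or not 0 < a < 0xFFFF:
        raise ValueError("base must satisfy len(B) == A*C with 0 < A < 0xFFFF")
    return [
        # Relationship still holds, factors swapped: must parse cleanly.
        ("swap_factors", emit(c, a, payload)),
        # Declared length exceeds the data present: parser must not over-read.
        ("declared_gt_actual", emit(a + 1, c, payload)),
        # Declared length shorter than the data present: trailing bytes.
        ("declared_lt_actual", emit(a - 1, c, payload)),
        # 0x100 * 0x100 = 0x10000, which is 0 in 16-bit size arithmetic.
        ("product_wraps_u16", emit(0x100, 0x100, payload)),
        # Zero factor with a non-empty payload.
        ("zero_factor", emit(0, c, payload)),
    ]

if __name__ == "__main__":
    for name, sample in generate_samples(BASE_SAMPLE):
        v = build_view(sample)
        print(f"{name:20} A={v['A']:#x} C={v['C']:#x} "
              f"declared={v['B_declared']} actual={v['B_actual']}")
```

A field-by-field mutator that only knows "B has a length field" would not produce the swapped-factor or wrapping-product cases, because both depend on the product of two fields rather than on either field alone.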

Embodiment Construction

[0024] Various embodiments of the present invention will be described in detail below with reference to the accompanying drawings. Please note that throughout the specification and claims, software includes both system software and application software. Furthermore, "application" and "application program" have the same meaning, are given as examples of software, and can be used interchangeably.

[0025] Refer to Figure 1, which shows a flowchart of a software security testing method 100 based on global data structure description according to an embodiment of the present invention.

[0026] In step 102, based on the description document of the data structure and rules of the software under test, the data structure description file of the software under test is written according to the unified description rules of the data structure. Sources for documentation describing the data structures and rules of the software under test may be:

[0027] a) The technical development doc...

Abstract

The invention discloses a software security test method (100) based on global data structure description. The software security test method (100) comprises the following steps of: writing a data structure description file (102) of tested software on the basis of a file for describing a data structure and a rule of the tested software according to a data structure uniform description rule; acquiring a global data view (104) of a basic sample by using the data structure description file; starting to analyze the basic sample from a test point step by step to generate a local data view, and generating a test sample group (104) from the basic sample on the basis of the global data view and the local data view according to a test strategy; and performing a security test (108) on the tested software by using the test sample group. The software security test method (100) is higher in coverage rate and more precise in test samples; and a test result can be data-index quantified.

Description

Technical field

[0001] The invention relates to software security testing, in particular to a software security testing method based on global data structure description.

Background technique

[0002] Software security vulnerabilities have become the most important underlying factor in security threats to software. Existing technologies for security testing by mining security vulnerabilities mainly include black-box fuzz (FUZZ) testing, white-box source code auditing, and gray-box path testing.

[0003] Black-box fuzz testing generates a large number of new test samples by deforming given data samples according to a certain strategy, and then starts the tested application to process these test samples and detect whether the application behaves abnormally. The advantage of this technology is that the threshold is low: no source code or related technical information is required, and it can be carried out with only the application and corresponding data samples....

Application Information

IPC(8): G06F11/36
Inventor 方兴
Owner ZHEJIANG TMALL TECH CO LTD