Software security flaw discovering system

A software security defect discovery system, applied in the field of software security defect detection. It addresses problems such as the high learning cost of defect detection and defect reports whose formats are difficult to understand, and achieves the effects of improving the detection range, reducing the difficulty of use, and improving detection efficiency.

Active Publication Date: 2015-11-18
BEIJING INSTITUTE OF TECHNOLOGY

AI Technical Summary

Problems solved by technology

This has resulted in a high learning cost for software security defect detection. For a large-scale project with mixed languages, it is necessary to be proficient in various testing tools to achieve a relatively complete security defect detection. During software development, there is little testing for security flaws.
[0007] Secondly, the defect reports generated by existing defect detection tools are difficult to understand and have inconsistent formats. Even if a relatively complete security defect detection is carried out on a software project, it is very difficult to read all the different reports quickly and easily, and because the defect reports are scattered, it is not convenient to gain an overall understanding of the software's security defects.
[0008] Thirdly, current defect detection usually only provides detection and vi



Examples


Example Embodiment

[0025] The present invention will be described in detail below with reference to the accompanying drawings and examples.

[0026] The present invention provides a software security defect discovery system (hereinafter referred to as the system). As shown in Figure 1, it includes a behavior static testing module, a behavior monitoring module, a fuzz testing module, a penetration testing module, a knowledge base and a defect database. The knowledge base includes a behavior monitoring knowledge base and a penetration knowledge base. The behavior monitoring knowledge base stores the call sequence segments generated when the behavior monitoring module is trained on software, which are used as reference call sequences. The penetration knowledge base stores penetration test cases for penetration testing. The defect database stores sorted and formatted defect data.
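The following sketch is an added illustration, not code from the patent: it shows one way a behavior monitoring knowledge base of reference call sequence segments could be built and then used to write formatted records to a defect database. The fixed window length, the system call names and the record fields are assumptions, since the page does not specify them.

```python
from collections import deque

WINDOW = 3  # assumed segment length; the page does not specify one


def segments(trace, n=WINDOW):
    """Yield every contiguous n-call segment of a system call trace."""
    window = deque(maxlen=n)
    for call in trace:
        window.append(call)
        if len(window) == n:
            yield tuple(window)


def train(normal_traces, n=WINDOW):
    """Build the behavior monitoring knowledge base: the set of call
    sequence segments observed while the software runs normally."""
    reference = set()
    for trace in normal_traces:
        reference.update(segments(trace, n))
    return reference


def monitor(trace, reference, software, n=WINDOW):
    """Compare a monitored trace with the reference call sequences and
    return one formatted defect record per unseen segment."""
    records = []
    for offset, seg in enumerate(segments(trace, n)):
        if seg not in reference:
            records.append({
                "software": software,            # hypothetical field names
                "source": "behavior_monitoring",
                "offset": offset,                # index of the segment's first call
                "call_sequence": list(seg),
            })
    return records


# Constructed sample traces (not real captures).
NORMAL = [
    ["open", "read", "close", "open", "read", "close"],
    ["open", "read", "read", "close"],
]
SUSPECT = ["open", "read", "mprotect", "execve", "close"]

KNOWLEDGE_BASE = train(NORMAL)
DEFECT_DB = monitor(SUSPECT, KNOWLEDGE_BASE, "sample-app")

if __name__ == "__main__":
    for row in DEFECT_DB:
        print(row)
```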

[0027] The security detection of the software to be tested is completed by the monit...


Abstract

The invention discloses a software security flaw discovering system. The system can perform static analysis, behavior monitoring, fuzz testing and penetration testing on the software to be tested. Because the test modes are complete, the system can search for the security flaws of the software completely and accurately and improve the detection speed. A static analysis module first performs static analysis and stores the security flaw data it obtains in a flaw database according to a set database format. A behavior monitoring module, a fuzz testing module and a penetration testing module are then used separately to check the security flaws found by the static analysis module while also performing conventional detection on the software to be tested, and they store in the flaw database the system call sequence, fuzz testing case or penetration testing case that causes abnormal behavior or a security problem. The system realizes a complete and powerful flaw detection process and, because the detection process is automatic, reduces the difficulty of use for security flaw testing personnel.

Description

Technical field

[0001] The invention relates to the technical field of software safety testing, in particular to a software safety defect discovery system.

Background technique

[0002] At present, there are many kinds of software security defect detection technologies, and they are scattered. The main detection methods are static analysis, behavior monitoring, fuzz testing and penetration testing. However, these four types of detection approach software in completely different ways. For example, static analysis for software security flaws is usually aimed at the source code of the software, and there are also some tools that can decompile the executable files of Java and .NET programs for static analysis. The current static analysis security defect detection tools are all aimed at some mainstream programming languages, and different programming languages have their corresponding static analysis tools. For example, there are CppCheck and Antic for C / C+...


Application Information

IPC(8): G06F11/36
Inventor: 胡昌振, 赵小林, 付裕, 王子阳, 薛静锋
Owner: BEIJING INSTITUTE OF TECHNOLOGY