Method and device for detecting integrated or customized open source project bugs in software

A software vulnerability detection technology, applied in computer security devices, instruments, electrical digital data processing, etc. It addresses problems such as slow and complex detection, the inability to detect vulnerabilities, and the inability to accurately determine whether vulnerable code has been patched.

Active Publication Date: 2017-02-22
CHINA ACADEMY OF INFORMATION & COMM
3 Cites, 40 Cited by

AI Technical Summary

Problems solved by technology

[0004] At present, there are few vulnerability detection schemes for open source projects that are integrated or customized in software, and most of them detect vulnerabilities through component version comparison: they search the software's files for component name and version number strings and compare them with the versions affected by a vulnerability to determine whether the vulnerability exists. However, to avoid incompatibilities caused by version update iterations, software that integrates or customizes open source projects generally repairs only the vulnerable code and does not update the component version. General detection methods or tools therefore cannot accurately determine whether the vulnerable code has been patched, so the vulnerability cannot be accurately detected. In addition, the component name and version number strings may have been removed from some software that integrates or customizes open source projects, in which case the vulnerability cannot be detected by component version comparison.
General software vulnerability detection methods, such as fuzzing, which detects software anomalies by constructing random test cases according to strategies, and code audit, in which code is read manually to find vulnerabilities in integrated and customized components, are relatively slow and complicated and lack efficiency.
It can be seen that a method for quickly and accurately detecting the vulnerabilities of open source projects integrated or customized in software is currently lacking.


Embodiment Construction

[0046] The following will clearly and completely describe the technical solutions in the embodiments of the present invention with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only some, not all, embodiments of the present invention. Based on the embodiments of the present invention, all other embodiments obtained by persons of ordinary skill in the art without making creative efforts belong to the protection scope of the present invention.

[0047] As shown in Figure 1, an embodiment of the present invention provides a method for detecting vulnerabilities of integrated or customized open source projects in software, including:

[0048] Step 101. Obtain original vulnerability information of open source projects from a preset collection library.

[0049] Step 102, according to the original vulnerability information of the open source project, extract the vulnerability description information of t...


Abstract

The invention provides a method and device for detecting bugs of integrated or customized open source projects in software and relates to the technical field of software bug detection. The method includes the following steps. Original bug information of an open source project is obtained from a preset collection library. From the original bug information, the bug description information, the software or component version information affected by the bug, and the bug detection detail feature information of the open source project are extracted. A bug detection database is established from these three kinds of information; the database comprises all detection items, arranged according to a preset index sequence. The code and the executable file of the software to be detected are extracted from that software. The code and the executable file are then matched against all the detection items in the bug detection database, one after another in the preset index sequence, to determine whether the bugs exist in the integrated or customized open source project in the software to be detected.
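The following sketch is an added illustration, not code from the patent: it contrasts the version-comparison baseline criticized in [0004] with matching ordered detection items against extracted content. The component names, identifiers, sample inputs and the choice of byte regexes as the "detail feature" form are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class DetectionItem:
    index: int                  # position in the preset index sequence
    vuln_id: str                # constructed placeholder, not a real identifier
    component: str              # affected component name
    affected_versions: tuple    # versions listed as affected
    vulnerable_feature: bytes   # assumed feature form: regex for the flawed code
    patched_feature: bytes      # assumed feature form: regex for the fixed code

RECORDS = [  # constructed sample records for hypothetical components
    dict(index=2, vuln_id="EXAMPLE-0002", component="libfoo",
         affected_versions=("1.2.3",),
         vulnerable_feature=rb"memcpy\(buf, src, len\)",
         patched_feature=rb"if \(len > sizeof\(buf\)\)\s*return -1;\s*memcpy\(buf, src, len\)"),
    dict(index=1, vuln_id="EXAMPLE-0001", component="libbar",
         affected_versions=("0.9",),
         vulnerable_feature=rb"strcpy\(name, input\)",
         patched_feature=rb"strlcpy\(name, input, sizeof\(name\)\)"),
]
# Constructed inputs: a backported fix that kept the old version string, and
# an unpatched copy whose name/version strings were stripped.
PATCHED_FW = b"libfoo 1.2.3\nif (len > sizeof(buf)) return -1; memcpy(buf, src, len);"
STRIPPED_FW = b"memcpy(buf, src, len);"

def build_database(records):
    """Detection items arranged by the preset index sequence."""
    return sorted((DetectionItem(**r) for r in records), key=lambda i: i.index)

def version_compare(item, blob):
    """Baseline: decide from 'name version' strings only."""
    m = re.search(re.escape(item.component.encode()) + rb"[ /-]v?(\d+(?:\.\d+)*)", blob)
    if m is None:
        return "unknown"
    return "vulnerable" if m.group(1).decode() in item.affected_versions else "not affected"

def feature_match(item, blob):
    """Decide from code features; the fix is tested first as it contains the flaw pattern."""
    if re.search(item.patched_feature, blob):
        return "patched"
    return "vulnerable" if re.search(item.vulnerable_feature, blob) else "not present"

def scan(database, blob):
    """Match every detection item, in index order, against extracted content."""
    return [(i.vuln_id, version_compare(i, blob), feature_match(i, blob)) for i in database]

if __name__ == "__main__":
    db = build_database(RECORDS)
    for name, blob in (("patched", PATCHED_FW), ("stripped", STRIPPED_FW)):
        print(name, scan(db, blob))
```

On the constructed inputs, version comparison reports the backported build as vulnerable and the stripped build as unknown, while feature matching reports patched and vulnerable respectively.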

Description

Technical field

[0001] The invention relates to the technical field of software vulnerability detection, in particular to a method and device for detecting vulnerabilities of integrated or customized open source projects in software.

Background technique

[0002] Open source projects are registered as certification marks by non-profit software organizations and formally defined to describe software whose source code can be used by the public. The use, modification and distribution of open source projects are not restricted by licenses. At present, with the vigorous development of open source projects on the Internet, excellent open source software, such as Linux, OpenSSL and WebKit, has been widely integrated or custom-developed into components by other software projects. At the same time, the number of integrated or customized open source projects in a piece of software has greatly increased, such as Google Chrome browser integration and customized open source software have exceeded ...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/57
CPC: G06F21/577
Inventor: 倪昀泽潘娟杨正军王艳红李乔刘颖
Owner: CHINA ACADEMY OF INFORMATION & COMM