Source code anti-quantum vulnerability detection method and device, equipment and medium
By combining static code analysis and large language models, a quantum security knowledge base is constructed to identify quantum-resistant vulnerabilities in source code. This overcomes the limitations of existing technologies in cross-language and cross-encapsulation layer detection, and achieves highly accurate and broad-coverage vulnerability assessment.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- INSTITUTE OF INFORMATION ENGINEERING CHINESE ACADEMY OF SCIENCES
- Filing Date
- 2026-01-30
- Publication Date
- 2026-06-19
AI Technical Summary
Existing technologies have limitations in detecting quantum vulnerability in source code, making it difficult to accurately identify the use of cryptographic algorithms across languages and encapsulation levels, leading to missed or false alarms. Furthermore, they are costly to implement and cannot fully detect dynamic configurations and reflections.
By combining static code analysis with Large Language Model (LLM), a quantum-safe knowledge base is constructed to extract program facts, propagation graphs, and program slices, identify library calls, self-implemented algorithms, and encapsulated calls, and generate a quantum vulnerability resistance report.
It improves the accuracy and coverage of quantum vulnerability detection, provides quantum vulnerability assessment reports, and helps develop effective cryptographic migration strategies.
Smart Images

Figure CN122241695A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of information security technology, and in particular to a method, apparatus, device, and medium for detecting the quantum vulnerability of source code. Background Technology
[0002] With the development of quantum computing capabilities, traditional cryptographic systems face new security challenges. Existing research and publicly available information indicate that, under ideal fault-tolerant quantum computing models, Shor's algorithm can solve integer factorization and elliptic curve discrete logarithm problems in polynomial time. This makes it difficult for public-key cryptosystems based on these mathematically difficult problems (such as RSA, DH, ECDH, DSA, ECDSA, etc.) to continue providing their original security guarantees under quantum threat models. Simultaneously, quantum search algorithms such as Grover can reduce the effective security strength of some symmetric algorithms and hash functions. In addition to theoretical risks, there is also the "HNDL (Harvest Now, Decrypt Later)" scenario in engineering practice: attackers can intercept and store ciphertext in the current stage, decrypting it later when quantum computing power matures, thus threatening data and business systems with high long-term confidentiality requirements.
[0003] On the engineering side, there are limitations to the identification and compliance checks of cryptographic algorithms / parameters in large-scale projects. Firstly, keyword / simple rule-based scanning methods struggle to accurately handle multi-layered encapsulation, aliases, cross-process propagation, and configuration / default value sources, easily leading to false negatives or false negatives. Secondly, relying solely on library symbol matching is insufficient for scenarios involving self-implemented cryptographic algorithms or algorithms with hidden semantics after secondary encapsulation, often yielding only fragmented conclusions. Thirdly, robust data flow / slicing analysis can incur high engineering costs and performance overhead in multi-language, multi-module, and complex dependency projects, and static evidence acquisition inherently involves uncertainty when key parameters are injected via runtime combination, reflection, or external configuration. Therefore, existing technologies still have room for improvement in terms of consistency, auditability, and engineering usability in "cross-language, cross-encapsulation level, interpretable identification and quantification of system dependencies on non-quantum primitives." Summary of the Invention
[0004] To address the problems existing in the prior art, this invention provides a method, apparatus, device, and medium for detecting the quantum vulnerability of source code.
[0005] This invention provides a method for detecting quantum vulnerability in source code, comprising: Obtain the source code, and based on the source code, obtain the corresponding program facts, propagation graph, program slices, and data streams; Based on the program facts, propagation graph, program slices, data stream, and the preset quantum safety knowledge base, the library call record content, the self-implemented algorithm usage record content, and the encapsulated call propagation path summary are obtained. Based on the library call log content, the self-implemented algorithm usage log content, and the encapsulated call propagation path summary, a quantum vulnerability report of the source code is determined.
[0006] The quantum vulnerability detection method for source code provided by the present invention, which obtains corresponding program facts, propagation graphs, program slices, and data streams based on the source code, includes: Perform static code analysis on the source code to extract program facts from the source code; A propagation graph is constructed based on the program facts, the propagation graph including a control flow structure graph and a call graph; Based on the call point information in the program facts as the slicing criteria, program slices and data flows are constructed.
[0007] According to the quantum vulnerability detection method for source code provided by the present invention, based on the program facts, propagation graph, program slices, data stream, and a preset quantum safety knowledge base, the method obtains library call record content, self-implemented algorithm usage record content, and encapsulated call propagation path digest, including: Identify library functions based on the call point information of the stated program facts; The library functions are mapped to cryptographic algorithms and algorithm parameters through the language API mapping layer in the quantum security knowledge base; By matching the mapped cryptographic algorithms and their parameters through the algorithm rule layer in the quantum security knowledge base, the quantum security level of the cryptographic algorithms is determined. The cryptographic algorithm, its parameters, and its quantum security level are included in the library call record.
[0008] According to the quantum vulnerability detection method for source code provided by the present invention, based on the program facts, propagation graph, program slices, data stream, and a preset quantum safety knowledge base, the method obtains library call record content, self-implemented algorithm usage record content, and encapsulated call propagation path digest, including: Identify self-implementing algorithms from the stated program facts; Based on the program slice, backslicing technique is used to backtrack and extract the code fragments corresponding to the self-implementing algorithm; Perform semantic reasoning on the code snippet to determine the algorithm type of the code snippet; The algorithm types are matched using the algorithm rule layer in the quantum security knowledge base to determine the quantum security level corresponding to each algorithm type. The self-realizing algorithm, algorithm type, and the quantum security level corresponding to the algorithm type are recorded as the usage content of the self-realizing algorithm.
[0009] According to the quantum vulnerability detection method for source code provided by the present invention, based on the program facts, propagation graph, program slices, data stream, and a preset quantum safety knowledge base, the method obtains library call record content, self-implemented algorithm usage record content, and encapsulated call propagation path digest, including: Based on the control flow structure diagram and call diagram corresponding to the cryptographic algorithm or self-implemented algorithm of the library function, the propagation path of the algorithm is traced to identify the usage of the underlying algorithm; Based on the data flow of the algorithm's propagation path, identify the algorithm type and algorithm parameters of the underlying algorithm; By matching the algorithm type and parameters of the underlying algorithms through the algorithm rule layer in the quantum security knowledge base, the quantum security level of the underlying algorithms is determined. The usage of the underlying algorithm, its algorithm type and parameters, and its quantum security level are used as a digest of the encapsulated call propagation path.
[0010] The quantum vulnerability detection method according to the source code provided by the present invention further includes: By utilizing the organizational strategy layer within the quantum security knowledge base, alternative solutions are recommended for algorithms with different quantum security levels.
[0011] According to the quantum vulnerability detection method for source code provided by the present invention, a quantum vulnerability report for the source code is determined based on the library call record content, the self-implemented algorithm usage record content, and the encapsulated call propagation path digest, including: Based on the library call record content, the self-implemented algorithm usage record content, and the encapsulated call propagation path summary, specific weak call or weak parameter evidence, algorithm profile and strategy explanation, algorithm impact and key call chain are determined, where the call chain is the call path from the entry point to the algorithm call point in the propagation graph; Based on specific vulnerability calls or weak parameter evidence, algorithm profiles and strategy explanations, algorithm impact surfaces and key call chains, a quantum vulnerability report of the source code is generated.
[0012] The present invention also provides a quantum vulnerability detection device for source code, comprising: A construction module is used to obtain source code and, based on the source code, obtain the corresponding program facts, propagation graph, program slices, and data streams. The detection module is used to obtain library call record content, self-implemented algorithm usage record content, and encapsulated call propagation path summary based on the program facts, propagation spectrum, program slices, data stream, and a preset quantum safety knowledge base; The generation module is used to determine the quantum vulnerability report of the source code based on the library call record content, the self-implemented algorithm usage record content, and the encapsulated call propagation path digest.
[0013] The present invention also provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to implement a quantum vulnerability detection method as described in any of the above source codes.
[0014] The present invention also provides a non-transitory computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements a quantum vulnerability detection method as described above in any of the source codes.
[0015] The present invention also provides a computer program product, including a computer program that, when executed by a processor, implements a quantum vulnerability detection method as described in any of the above source codes.
[0016] This invention provides a method, apparatus, device, and medium for detecting quantum vulnerability in source code. It obtains corresponding program facts, propagation graphs, program slices, and data streams from the source code. Based on these facts, propagation graphs, program slices, data streams, and a quantum security knowledge base, it obtains library call records, self-implemented algorithm usage records, and a digest of the encapsulated call propagation path. Then, based on these records, the quantum vulnerability report is determined. This overcomes the limitations of traditional techniques in comprehensively detecting dynamic configurations and reflections, significantly improving the accuracy and coverage of quantum vulnerability detection. It provides organizations with quantum vulnerability assessment reports, helping them develop effective cryptographic migration strategies. Attached Figure Description
[0017] To more clearly illustrate the technical solutions in this invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of this invention. For those skilled in the art, other drawings can be obtained from these drawings without creative effort.
[0018] Figure 1 This is a flowchart illustrating the quantum vulnerability detection method provided in the source code of this invention.
[0019] Figure 2 This is an overall flowchart of the quantum vulnerability detection method provided by the source code of this invention.
[0020] Figure 3 This is a schematic diagram of the structure of the quantum vulnerability detection device provided in the source code of this invention.
[0021] Figure 4 This is a schematic diagram of the structure of the electronic device provided by the present invention. Detailed Implementation
[0022] To make the objectives, technical solutions, and advantages of this invention clearer, the technical solutions of this invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of this invention. All other embodiments obtained by those skilled in the art based on the embodiments of this invention without creative effort are within the scope of protection of this invention.
[0023] Figure 1 This diagram illustrates a flow chart of a quantum vulnerability detection method based on source code provided by the present invention. (See attached diagram.) Figure 1 The method includes the following steps: Step 11: Obtain the source code, and based on the source code, obtain the corresponding program facts, propagation graph, program slices, and data streams.
[0024] Step 12: Based on the program facts, propagation graph, program slices, data flow, and the preset quantum safety knowledge base, obtain the library call record content, the self-implemented algorithm usage record content, and the encapsulated call propagation path summary.
[0025] Step 13: Determine the quantum vulnerability report of the source code based on the library call record content, the self-implemented algorithm usage record content, and the encapsulated call propagation path digest.
[0026] Regarding steps 11 to 13, it should be noted that in this invention, the aim is to combine static code analysis with a knowledge-guided method—PQScan (Post-Quantum Cryptography Scanning)—based on Large Language Models (LLM) to detect potential quantum vulnerabilities in software source code. This method extracts and analyzes the use of cryptographic algorithms from the source code through unified program fact representation, restricted slicing, and cross-process propagation modeling, in order to systematically assess quantum vulnerability.
[0027] In this invention, a programming language-independent quantum security knowledge base is first constructed. This knowledge base contains the quantum security (equivalent security bits – such as “secure,” “transitionally secure,” or “quantum fragile”) of common cryptographic primitives and their recommended alternatives. This knowledge base serves as the theoretical basis and evaluation standard in subsequent analysis, providing a clear security benchmark for quantum vulnerability detection.
[0028] In this invention, the quantum-safe knowledge base comprises an algorithm rule layer, a language API mapping layer, and an organization strategy layer. The algorithm rule layer includes quantum-safe attributes and parameter domains. The language API mapping layer contains the mapping relationship between library function symbols, cryptographic algorithms, and algorithm parameters. The organization strategy layer includes a transitional whitelist, hybrid schemes, and parameter constraints.
[0029] PQScan starts with the source code (C / Java / Go / Python), first entering the syntax parsing stage, which parses the source code into a unified, traversable syntax tree structure. Then, the program abstraction component extracts key information from the syntax tree into a set of program facts usable for analysis, such as function definitions, call sites, call symbols, call relationships, parameter lists (args / keywords), receiver objects, line numbers, and code snippets. The output of this step doesn't directly make a judgment, but rather forms a unified list of features / calls for subsequent analyzers—essentially structuring the source code, abstracting these program facts into a unified intermediate representation for cross-language processing.
[0030] After obtaining the program facts, PQScan further constructs a propagation graph (CFG + CG): CFG captures the basic control flow structure within a function (used to limit the slice range and conditional branches), while CG (call graph) records cross-function / cross-module call relationships, used to track callers and callees, as well as subsequent impact backtracking and encapsulation propagation. The core function of the graph is to provide reachability information and path skeletons, determining the boundaries of subsequent data flow propagation.
[0031] Next comes the process of slicing and constructing data flows. This process uses call point information (such as call points / key variables) as the slicing criteria to construct program slices around the call point information. Program slicing is a core program analysis technique that precisely narrows down the scope of code analysis. Starting with the core call point in the detection (slicing criteria), it extracts all code fragments, variables, assignment relationships, and subsets of call chains that directly or indirectly affect that call point from massive amounts of source code, eliminating irrelevant business code, and ultimately forming a minimal analysis scope focused on the detection target. Simultaneously, it also acquires all data flows that directly or indirectly pass through that call point from massive amounts of source code, surrounding the call point information. This program slice and data flow can serve as an evidentiary window into the source code, providing an auditable basis for subsequent quantum vulnerability assessments.
[0032] A further step in the above method mainly explains the process of obtaining library call record content, self-implemented algorithm usage record content, and encapsulated call propagation path digest based on program facts, propagation graphs, program slices, data streams, and a pre-set quantum security knowledge base. The details are as follows: Identify library functions based on the call point information in the program. The library functions are mapped to cryptographic algorithms and algorithm parameters through the language API mapping layer in the quantum security knowledge base; By matching the mapped cryptographic algorithms and their parameters through the algorithm rule layer in the quantum security knowledge base, the quantum security level of the cryptographic algorithms is determined. The cryptographic algorithm, its parameters, and its quantum security level are included in the library call record.
[0033] It's important to note that library calls refer to directly using APIs provided by official cryptographic libraries or third-party libraries. This is the most common, and relatively robust and secure, usage method in the current open-source ecosystem. In this mode, PQScan employs static analysis, starting from the function call point, to identify library functions (such as OpenSSL, GmSSL, Bouncy Castle, etc.) and map them to cryptographic algorithms (such as ALG.AES, ALG.SM2, etc.) through API mapping. PQScan further matches these libraries' API signatures, algorithm identifiers, and parameter settings with the algorithm rule layer of the quantum security knowledge base to determine the algorithm's quantum security level. For example, if an RSA library call is detected, PQScan will assess its security level based on the quantum vulnerability of the RSA algorithm and output a report detailing the library call record.
[0034] In this invention, self-implementing algorithms are identified from program facts; Based on the program slices, backslicing techniques are used to backtrack and extract the code snippets corresponding to the self-implemented algorithm. Perform semantic reasoning on code snippets to determine the algorithm type of the code snippets; The algorithm types are matched using the algorithm rule layer in the quantum security knowledge base to determine the quantum security level corresponding to each algorithm type. The self-realizing algorithm, algorithm type, and the quantum security level corresponding to the algorithm type are recorded as the usage content of the self-realizing algorithm.
[0035] It's important to note that self-implementing cryptographic algorithms emerge when specific needs cannot be met or when developers require tailoring of algorithmic details. The code representation of self-implementing algorithms includes computational structures such as large integer arithmetic, modular exponentiation, Boolean logic, and round functions. Key information such as the algorithm name and key length typically lacks explicit constants, instead being implicitly defined through control structures and constant arrays. To identify these self-implementing algorithms, PQScan combines static code analysis with a Large Language Model (LLM) to identify characteristic patterns in the program, such as large integer calculations and modular arithmetic. Starting from these candidate self-implementing algorithms, PQScan uses backward slicing techniques to backtrack and extract computational code fragments related to the cryptographic algorithm, based on program slicing. Then, it uses the LLM for semantic reasoning to determine the specific algorithm type implemented by the code segment. Finally, it combines this with the algorithm rule layer of the quantum security knowledge base to assess its quantum vulnerability, thereby determining the quantum security level corresponding to the self-implementing algorithm.
[0036] In this invention, during the encapsulation and calling process, the propagation path of the algorithm is traced according to the control flow structure diagram and call diagram corresponding to the cryptographic algorithm or the self-implemented algorithm of the library function, and the usage of the underlying algorithm is identified. Based on the data flow of the algorithm's propagation path, identify the algorithm type and algorithm parameters of the underlying algorithm; By matching the algorithm type and parameters of the underlying algorithms through the algorithm rule layer in the quantum security knowledge base, the quantum security level of the underlying algorithms is determined. The usage of the underlying algorithm, its algorithm type and parameters, and its quantum security level are used as a digest of the encapsulated call propagation path.
[0037] It's important to note that encapsulation and abstraction refer to further encapsulating and abstracting library calls or self-implemented algorithms for reuse in higher-level interfaces. These algorithms manifest as an interface, but may use insecure encryption algorithms or parameter configurations at the underlying level. PQScan traces the propagation path of encryption algorithms through control flow graphs (CFG) and call graphs (CG), identifying cases where the interface appears generic but actually uses vulnerable underlying algorithms. By tracing data flow, PQScan can identify algorithms and their key parameters propagating across modules in complex systems. Through the algorithm rule layer in the quantum safety knowledge base, it reveals their potential quantum vulnerability resistance, thus determining the quantum security level of the underlying algorithm.
[0038] In this invention, an organizational strategy layer within the quantum safety knowledge base can recommend alternative solutions for algorithms with different quantum safety levels. These recommended alternatives are also stored in the library's call records, self-implemented algorithm usage records, or encapsulated call propagation path summaries.
[0039] In this invention, based on the library call record content, the self-implemented algorithm usage record content, and the encapsulated call propagation path summary, specific vulnerability calls or weak parameter evidence, algorithm profiles and strategy explanations, algorithm impact surfaces, and key call chains are determined; based on the specific vulnerability calls or weak parameter evidence, algorithm profiles and strategy explanations, algorithm impact surfaces, and key call chains, a quantum vulnerability report of the source code is generated.
[0040] See Figure 2 This is an overall flowchart of the quantum vulnerability detection method in the source code of this invention.
[0041] The quantum vulnerability detection method for source code provided by this invention obtains corresponding program facts, propagation graphs, program slices, and data streams from the source code. Based on these facts, propagation graphs, program slices, data streams, and a quantum security knowledge base, it obtains library call records, self-implemented algorithm usage records, and a digest of the encapsulated call propagation path. Then, based on these library call records, self-implemented algorithm usage records, and the digest of the encapsulated call propagation path, a quantum vulnerability report for the source code is determined. This method overcomes the limitations of traditional techniques in comprehensively detecting dynamic configurations and reflections, significantly improving the accuracy and coverage of quantum vulnerability detection. It can provide organizations with quantum vulnerability assessment reports, helping them develop effective cryptographic migration strategies.
[0042] The quantum vulnerability detection device for source code provided by the present invention will be described below. The quantum vulnerability detection device for source code described below can be referred to in correspondence with the quantum vulnerability detection method for source code described above.
[0043] Figure 3 This invention provides a schematic diagram of the structure of a quantum vulnerability detection device based on source code. (See attached diagram.) Figure 3 The device includes a construction module 31, a detection module 32, and a generation module 33, wherein: The building module is used to obtain the source code and, based on the source code, obtain the corresponding program facts, propagation graph, program slices, and data flow. The detection module is used to obtain library call record content, self-implemented algorithm usage record content, and encapsulated call propagation path summary based on program facts, propagation graph, program slices, data stream, and a preset quantum safety knowledge base; The generation module is used to determine the quantum vulnerability report of the source code based on the library call record content, the self-implemented algorithm usage record content, and the encapsulated call propagation path digest.
[0044] Since the apparatus of this embodiment is based on the same principle as the method of the above embodiment, more detailed explanations will not be repeated here.
[0045] It should be noted that, in the embodiments of the present invention, the relevant functional modules can be implemented by a hardware processor.
[0046] The quantum vulnerability detection device for source code provided by this invention obtains corresponding program facts, propagation graphs, program slices, and data streams from the source code. Based on these facts, propagation graphs, program slices, data streams, and a quantum security knowledge base, it obtains library call records, self-implemented algorithm usage records, and a digest of the encapsulated call propagation path. Then, based on these records, the device determines a quantum vulnerability report for the source code. This overcomes the limitations of traditional technologies in comprehensively detecting dynamic configurations and reflections, significantly improving the accuracy and coverage of quantum vulnerability detection. It can provide organizations with quantum vulnerability assessment reports, helping them develop effective cryptographic migration strategies.
[0047] Figure 4 An example is a schematic diagram of the physical structure of an electronic device, such as... Figure 4 As shown, the electronic device may include: a processor 41, a communication interface 42, a memory 43, and a communication bus 44, wherein the processor 41, the communication interface 42, and the memory 43 communicate with each other via the communication bus 44. The processor 41 can call logical instructions in the memory 43 to execute a quantum vulnerability detection method of the source code, the method including: Obtain the source code, and based on the source code, obtain the corresponding program facts, propagation graph, program slices, and data streams; based on the program facts, propagation graph, program slices, data streams, and a preset quantum safety knowledge base, obtain the library call record content, the self-implemented algorithm usage record content, and the encapsulated call propagation path summary; based on the library call record content, the self-implemented algorithm usage record content, and the encapsulated call propagation path summary, determine the quantum vulnerability report of the source code.
[0048] Furthermore, the logical instructions in the aforementioned memory 43 can be implemented as software functional units and, when sold or used as independent products, can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, or the part that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0049] On the other hand, the present invention also provides a computer program product, the computer program product comprising a computer program that can be stored on a non-transitory computer-readable storage medium, wherein when the computer program is executed by a processor, the computer is capable of executing the above-described source code-based quantum vulnerability detection method, the method comprising: Obtain the source code, and based on the source code, obtain the corresponding program facts, propagation graph, program slices, and data streams; based on the program facts, propagation graph, program slices, data streams, and a preset quantum safety knowledge base, obtain the library call record content, the self-implemented algorithm usage record content, and the encapsulated call propagation path summary; based on the library call record content, the self-implemented algorithm usage record content, and the encapsulated call propagation path summary, determine the quantum vulnerability report of the source code.
[0050] In another aspect, the present invention also provides a non-transitory computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements a quantum vulnerability detection method for executing the aforementioned source code, the method comprising: Obtain the source code, and based on the source code, obtain the corresponding program facts, propagation graph, program slices, and data streams; based on the program facts, propagation graph, program slices, data streams, and a preset quantum safety knowledge base, obtain the library call record content, the self-implemented algorithm usage record content, and the encapsulated call propagation path summary; based on the library call record content, the self-implemented algorithm usage record content, and the encapsulated call propagation path summary, determine the quantum vulnerability report of the source code.
[0051] The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs. Those skilled in the art can understand and implement this without any creative effort.
[0052] Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus necessary general-purpose hardware platforms, and of course, it can also be implemented by hardware. Based on this understanding, the above technical solutions, in essence or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product can be stored in a computer-readable storage medium, such as ROM / RAM, magnetic disk, optical disk, etc., and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute the methods described in the various embodiments or some parts of the embodiments.
[0053] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims
1. A method for detecting quantum vulnerability in source code, characterized in that, include: Obtain the source code, and based on the source code, obtain the corresponding program facts, propagation graph, program slices, and data streams; Based on the program facts, propagation graph, program slices, data stream, and the preset quantum safety knowledge base, the library call record content, the self-implemented algorithm usage record content, and the encapsulated call propagation path summary are obtained. Based on the library call log content, the self-implemented algorithm usage log content, and the encapsulated call propagation path summary, a quantum vulnerability report of the source code is determined.
2. The method for detecting quantum vulnerability of source code according to claim 1, characterized in that, Based on the source code, the corresponding program facts, propagation graph, program slices, and data streams are obtained, including: Perform static code analysis on the source code to extract program facts from the source code; A propagation graph is constructed based on the program facts, the propagation graph including a control flow structure graph and a call graph; Based on the call point information in the program facts as the slicing criteria, program slices and data flows are constructed.
3. The method for detecting quantum vulnerability of source code according to claim 2, characterized in that, Based on the program facts, propagation graph, program slices, data stream, and a pre-defined quantum safety knowledge base, the library call record content, the self-implemented algorithm usage record content, and the encapsulated call propagation path summary are obtained, including: Identify library functions based on the call point information of the stated program facts; The library functions are mapped to cryptographic algorithms and algorithm parameters through the language API mapping layer in the quantum security knowledge base; By matching the mapped cryptographic algorithms and their parameters through the algorithm rule layer in the quantum security knowledge base, the quantum security level of the cryptographic algorithms is determined. The cryptographic algorithm, its parameters, and its quantum security level are included in the library call record.
4. The method for detecting quantum vulnerability of source code according to claim 3, characterized in that, Based on the program facts, propagation graph, program slices, data stream, and a pre-defined quantum safety knowledge base, the library call record content, the self-implemented algorithm usage record content, and the encapsulated call propagation path summary are obtained, including: Identify self-implementing algorithms from the stated program facts; Based on the program slice, backslicing technique is used to backtrack and extract the code fragments corresponding to the self-implementing algorithm; Perform semantic reasoning on the code snippet to determine the algorithm type of the code snippet; The algorithm types are matched using the algorithm rule layer in the quantum security knowledge base to determine the quantum security level corresponding to each algorithm type. The self-realizing algorithm, algorithm type, and the quantum security level corresponding to the algorithm type are recorded as the usage content of the self-realizing algorithm.
5. The method for detecting quantum vulnerability of source code according to claim 4, characterized in that, Based on the program facts, propagation graph, program slices, data stream, and a pre-defined quantum safety knowledge base, the library call record content, the self-implemented algorithm usage record content, and the encapsulated call propagation path summary are obtained, including: Based on the control flow structure diagram and call diagram corresponding to the cryptographic algorithm or self-implemented algorithm of the library function, the propagation path of the algorithm is traced to identify the usage of the underlying algorithm; Based on the data flow of the algorithm's propagation path, identify the algorithm type and algorithm parameters of the underlying algorithm; By matching the algorithm type and parameters of the underlying algorithms through the algorithm rule layer in the quantum security knowledge base, the quantum security level of the underlying algorithms is determined. The usage of the underlying algorithm, the algorithm type and parameters of the underlying algorithm, and the quantum security level of the underlying algorithm are used as a digest of the encapsulated call propagation path.
6. The method for detecting quantum vulnerability of source code according to claim 5, characterized in that, The method further includes: By utilizing the organizational strategy layer within the quantum security knowledge base, alternative solutions are recommended for algorithms with different quantum security levels.
7. The method for detecting quantum vulnerability of source code according to claim 1 or 6, characterized in that, Based on the library call log content, the self-implemented algorithm usage log content, and the encapsulated call propagation path digest, a quantum vulnerability report of the source code is determined, including: Based on the library call record content, the self-implemented algorithm usage record content, and the encapsulated call propagation path summary, specific weak call or weak parameter evidence, algorithm profile and strategy explanation, algorithm impact surface and key call chain are determined; where the call chain is the call path from the entry point to the algorithm call point in the propagation graph. Based on specific vulnerability calls or weak parameter evidence, algorithm profiles and strategy explanations, algorithm impact surfaces and key call chains, a quantum vulnerability report of the source code is generated.
8. A quantum vulnerability detection device for source code, characterized in that, include: A construction module is used to obtain source code and, based on the source code, obtain the corresponding program facts, propagation graph, program slices, and data streams. The detection module is used to obtain library call record content, self-implemented algorithm usage record content, and encapsulated call propagation path summary based on the program facts, propagation spectrum, program slices, data stream, and a preset quantum safety knowledge base; The generation module is used to determine the quantum vulnerability report of the source code based on the library call record content, the self-implemented algorithm usage record content, and the encapsulated call propagation path digest.
9. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, When the processor executes the program, it implements the quantum vulnerability detection method of the source code as described in claims 1-7.
10. A non-transitory computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by a processor, it implements the quantum vulnerability detection method of the source code as described in claims 1-7.