Java代码缺陷检测分析与应用
|
摘要
在互联网通信和全球云计算的大力发展环境下,Java语言连续数年稳居于TIOBE世界编程语言排行榜首位,并保持有着广阔的前景和显著的优势。但是其相关应用所面临的安全威胁也日益增多。比如,SQL注入攻击、程序信息暴露、AJAX漏洞、业务逻辑漏洞、命令注入、跨站脚本攻击、页面层逻辑漏洞利用等,因为很多Java应用与人们的信息、财产息息相关,所以一旦出现安全问题,会造成很严重的后果。若想最大限度的避免这些问题的出现,应该在软件发行前做好缺陷检测工作,其中静态分析Java软件缺陷是一个有效的方法。
本论文针对Java代码缺陷检测问题,对于一些现有代码缺陷种类、静态检测方法进行了研究,并以LAPSE+为基础开发了一款针对Java代码的缺陷检测工具。该工具主要是基于上下文敏感的指针分析算法开发的。通过对大量的缺陷代码进行分析,并且对开发桌面应用进行探索,最终使该缺陷检测工具扩充了LAPSE+可检测缺陷的种类,并且由插件转化RCP桌面应用LAPS,它的配置使用等更为方便。该工具有着较低的误报率,可以检测多种缺陷类型,可用于辅助开发人员进行安全高效的开发。
In recent years, as the perfection of the Internet infrastructure and the rapid de-velopment ef network communication technology, Java language has retained its po-sition at the top of the charts of TIOBE world programming languages for several years。 and has broad prospects and significant advantages.But the security threats of the Java applications are increasing, such as SQL injection attacks, program infor-mation exposure, AJAX vulnerabilities, business logic vulnerabilities, Cross Site Scripting attacks. As there is great business between people's information, properties and the applications. Once going wrong, it may cause serious consequences. We would detect the vulnerabilities before the release of the software rather than supply a gap. For modern Internet development is rapid, large-scale software increased, static detecting Java codes can be regarded as a good method.
In this paper we studied a lot of some existing code defection modes and static detection This topic for some existing code vulnerabilities mode, we also developed a Java code vulnerabilities detection tool based on LAPSE+. This tool is based on a context sensitive pointer analysis algorithm. By studying a large number of codes with vulnerabilities, we expanded the Java code vulnerabilities detection tool in de-tection types and transfered the plugin into a RCP desktop application in Chinese. This tool has a low false positive, and it can detect many kinds Java code vulnerabili-ties and assist the developers in the project safety and efficient development.
本论文针对Java代码缺陷检测问题,对于一些现有代码缺陷种类、静态检测方法进行了研究,并以LAPSE+为基础开发了一款针对Java代码的缺陷检测工具。该工具主要是基于上下文敏感的指针分析算法开发的。通过对大量的缺陷代码进行分析,并且对开发桌面应用进行探索,最终使该缺陷检测工具扩充了LAPSE+可检测缺陷的种类,并且由插件转化RCP桌面应用LAPS,它的配置使用等更为方便。该工具有着较低的误报率,可以检测多种缺陷类型,可用于辅助开发人员进行安全高效的开发。
In recent years, as the perfection of the Internet infrastructure and the rapid de-velopment ef network communication technology, Java language has retained its po-sition at the top of the charts of TIOBE world programming languages for several years。 and has broad prospects and significant advantages.But the security threats of the Java applications are increasing, such as SQL injection attacks, program infor-mation exposure, AJAX vulnerabilities, business logic vulnerabilities, Cross Site Scripting attacks. As there is great business between people's information, properties and the applications. Once going wrong, it may cause serious consequences. We would detect the vulnerabilities before the release of the software rather than supply a gap. For modern Internet development is rapid, large-scale software increased, static detecting Java codes can be regarded as a good method.
In this paper we studied a lot of some existing code defection modes and static detection This topic for some existing code vulnerabilities mode, we also developed a Java code vulnerabilities detection tool based on LAPSE+. This tool is based on a context sensitive pointer analysis algorithm. By studying a large number of codes with vulnerabilities, we expanded the Java code vulnerabilities detection tool in de-tection types and transfered the plugin into a RCP desktop application in Chinese. This tool has a low false positive, and it can detect many kinds Java code vulnerabili-ties and assist the developers in the project safety and efficient development.
引文
[1]郎波.Java语言程序设计[M].清华大学出版社,2007年.3-12.
[2]周畅.论计算机的网络安全.中国科技博览,2012-6.
[3]D. Hovemeyer and W. Pugh. Finding Bugs Is Easy, http://www.cs.umd.edu/~pugh/java/ bugs/docs/findbugsPaper.pdf,2003.
[4]尹传文.基于JPF的软件模型检测分析与应用.南昌大学,2009.
[5]吕旭民.教学平台各系统间交互的设计与实现.北京邮电大学,2010.
[6]刘睿等.Java卡平台安全性研究与应用.计算机工程与设计,2004年10期.
[7]王青等.软件缺陷预测技术.软件学报,2008年7期.
[8]王雨晨.系统漏洞管理与常见攻击方法[J].计算机工程与应用,2001.
[9]C. Anley. Advanced SQL injection in SQL Server applica-tions. http://www.nextgenss.com/papers/advanced_sql_injection.pdf,2002.
[10]古开元,周安民.跨站脚本攻击原理与防范[J].四川大学信息安全研究所.网络安全技术与应用,2005.12.
[11]A. Klein Divide and Conquer:HTTP response splitting,Web cache poisoning attacks, and related topics.[J] http://www.packetstormsecurity.org/papers/general/ whitepaperhttpresponse.pdf,2004.
[12]杨俊等.程序代码运行时缺陷分析及检测.现代电子工程,2008年1期.
[13]孙勇.实时软件故障分析及可靠性设计方法[J].通信对抗,2001年2期.
[14]宫云站,杨朝红等.软件缺陷模式与测试[M].科学出版社,2011.144-147.
[15]季磊.基于模型检验的规划综述.计算机工程与设计,2007年11期.
[16]王春雷等.一种基于模型检测的二进制程序脆弱性分析框架.计算机科学,2010年4期.
[17]杨宇等.程序静态分析技术与工具.计算机科学,2004年2期.
[18]夏一民等.基于静态分析的安全漏洞检测技术研究.计算机科学,2006年10期.
[19]V. Benjamin Livshits Monica S. Lam. Finding Security Vulnerabilities in Java Applica-tions with Static Analysis[J]. USENIX Security 2005.
[20]匡春光等.针对Java程序的一种脆弱性静态分析技术.计算机系统应用,2008年5期.
[21]周二强等.C语言指针变量教学研究.中国教育导刊,2007年17期.
[22]J. Whaley and M. S. Lam. Cloning-based context-sensitive pointer alias analysis using binary decision diagrams[J]. InProceedings of the ACM SIG-PLAN 2004 conference on Programming Language Design and Implemen-tation, pages 131-144, June 2004.
[23]孙洪浩等.过程间指针分析算法的改进.计算机工程,2009年1期.
[24]刘强.考虑指针别名的过程间分析技术研究.中国科学院研究生院(计算技术研究所)博士论文2007-02[25] M. Martin, V. B. Livshits, and M. S. Lam. Finding application errors using PQL:a program query language. InProceedings of the ACM Conference on Object-Oriented Pro-gramming, Systems, Languages, and Applications (OOPSLA), Oct.2005.
[26]梁骞,王威等Eclipse RCP技术内幕.电子工业出版社,20122-3.
[27]金星善.基于Eclipse RCP的应用系统研究与实现.武汉理工大学,2011.
[28]Nick Rutar Christian B. Almazan Jeffrey S. Foster. A Comparison of Bug Finding Tools for Java[J].2004 Article. Bibliometrics Data Bibliometrics.
[2]周畅.论计算机的网络安全.中国科技博览,2012-6.
[3]D. Hovemeyer and W. Pugh. Finding Bugs Is Easy, http://www.cs.umd.edu/~pugh/java/ bugs/docs/findbugsPaper.pdf,2003.
[4]尹传文.基于JPF的软件模型检测分析与应用.南昌大学,2009.
[5]吕旭民.教学平台各系统间交互的设计与实现.北京邮电大学,2010.
[6]刘睿等.Java卡平台安全性研究与应用.计算机工程与设计,2004年10期.
[7]王青等.软件缺陷预测技术.软件学报,2008年7期.
[8]王雨晨.系统漏洞管理与常见攻击方法[J].计算机工程与应用,2001.
[9]C. Anley. Advanced SQL injection in SQL Server applica-tions. http://www.nextgenss.com/papers/advanced_sql_injection.pdf,2002.
[10]古开元,周安民.跨站脚本攻击原理与防范[J].四川大学信息安全研究所.网络安全技术与应用,2005.12.
[11]A. Klein Divide and Conquer:HTTP response splitting,Web cache poisoning attacks, and related topics.[J] http://www.packetstormsecurity.org/papers/general/ whitepaperhttpresponse.pdf,2004.
[12]杨俊等.程序代码运行时缺陷分析及检测.现代电子工程,2008年1期.
[13]孙勇.实时软件故障分析及可靠性设计方法[J].通信对抗,2001年2期.
[14]宫云站,杨朝红等.软件缺陷模式与测试[M].科学出版社,2011.144-147.
[15]季磊.基于模型检验的规划综述.计算机工程与设计,2007年11期.
[16]王春雷等.一种基于模型检测的二进制程序脆弱性分析框架.计算机科学,2010年4期.
[17]杨宇等.程序静态分析技术与工具.计算机科学,2004年2期.
[18]夏一民等.基于静态分析的安全漏洞检测技术研究.计算机科学,2006年10期.
[19]V. Benjamin Livshits Monica S. Lam. Finding Security Vulnerabilities in Java Applica-tions with Static Analysis[J]. USENIX Security 2005.
[20]匡春光等.针对Java程序的一种脆弱性静态分析技术.计算机系统应用,2008年5期.
[21]周二强等.C语言指针变量教学研究.中国教育导刊,2007年17期.
[22]J. Whaley and M. S. Lam. Cloning-based context-sensitive pointer alias analysis using binary decision diagrams[J]. InProceedings of the ACM SIG-PLAN 2004 conference on Programming Language Design and Implemen-tation, pages 131-144, June 2004.
[23]孙洪浩等.过程间指针分析算法的改进.计算机工程,2009年1期.
[24]刘强.考虑指针别名的过程间分析技术研究.中国科学院研究生院(计算技术研究所)博士论文2007-02[25] M. Martin, V. B. Livshits, and M. S. Lam. Finding application errors using PQL:a program query language. InProceedings of the ACM Conference on Object-Oriented Pro-gramming, Systems, Languages, and Applications (OOPSLA), Oct.2005.
[26]梁骞,王威等Eclipse RCP技术内幕.电子工业出版社,20122-3.
[27]金星善.基于Eclipse RCP的应用系统研究与实现.武汉理工大学,2011.
[28]Nick Rutar Christian B. Almazan Jeffrey S. Foster. A Comparison of Bug Finding Tools for Java[J].2004 Article. Bibliometrics Data Bibliometrics.