CN101017458A - Software safety code analyzer based on static analysis of source code and testing method therefor - Google Patents
Software safety code analyzer based on static analysis of source code and testing method therefor Download PDFInfo
- Publication number
- CN101017458A CN101017458A CN 200710064155 CN200710064155A CN101017458A CN 101017458 A CN101017458 A CN 101017458A CN 200710064155 CN200710064155 CN 200710064155 CN 200710064155 A CN200710064155 A CN 200710064155A CN 101017458 A CN101017458 A CN 101017458A
- Authority
- CN
- China
- Prior art keywords
- analysis
- code
- safety
- security
- rule
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Landscapes
- Debugging And Monitoring (AREA)
- Stored Programmes (AREA)
Abstract
This invention relates to one software analyzer and its test method based on source codes static analysis, wherein the analysis device comprises five function modules of code analysis device, codes analysis engine, safety risk report device, safety rules database and user interface; this invention gets programs safety risk to user according to the source program and grammar and meanings and delivers the safety leak to the user for audit and evaluation.
Description
Technical field
The present invention relates to a kind of technology that in software source code, detects security breaches, exactly, relate to a kind of software security code profiler and detection method thereof, belong to the technical field of software security in the information security based on source code static analysis technology.
Background technology
At present, the research of code analysis techniques is a lot, and the open source software of main flow comprises: ITS4, BOON, CQual, MOPS, RATS, FlawFinder etc.Below these softwares are carried out brief introduction:
ITS4: a kind of instrument that is used for Static Detection C and C++ source code security loophole.Compare with other similar techniques, the accuracy of ITS4 is higher, can feed back to the developer to testing result in real time in programming process; Can support simultaneously the detection of C++ code like a cork.ITS4 supports the order line form, can run on Windows and Unix platform.ITS4 seeks dangerous function call in C or C++ source code.Call for some, ITS4 can be analyzed, to determine its hazard level.ITS4 also can provide simple description that comprises leak and the analysis report of improving one's methods.ITS4 carries out code scans based on the function coupling, is indifferent to context.It just searches for function or the application programming interfaces API (Application Program Interface) that is complementary with the leak database in C or the C++ source code.If the leak function exists, ITS4 can give a warning, and provides amending advice to the programmer, to improve code safety.The programmer can select danger classes (0-5), thereby reduces rate of false alarm.ITS4 also allows the programmer to ignore inspection to certain specific function name, as scanf.
RATS: a kind of security audit instrument that is used for C, C++, Python, Per and PHP code.It can scan source code, finds out potential dangerous function and calls.The final goal of this instrument is not to find out the code leak, but provides a convenient and reasonable starting point for artificial security audit.RATS combines the static check technology of ITS4 and the degree of depth semantic analysis technology of MOPS is checked buffer-overflow vulnerability.RATS observes general public licence GPL.Compare with ITS4, RATS can check whole engineering code, rather than single file.Simultaneously, RATS can also check the border of array.
BOON:BOON uses the buffer-overflow vulnerability that exists in the degree of depth semantic analysis technology autoscan C language source code.Whether thereby BOON can analyze the array of determining in the c program to integer range crosses the border.Although the leak that BOON can find many other analysis tools to omit, still out of true.
Except above-mentioned main tool, also done big quantity research in the safety analysis field of software both at home and abroad, propose the safety analysis method of some feasible static state, and constructed corresponding software security analysis tool.At present static safety analysis method can be divided into: model testing, carry code verification, and lexical analysis, simple semantic analysis is based on the safety analysis of information flow etc.Below it is briefly introduced respectively:
Model testing, its basis is a finite-state automata.It enumerates the possible state of institute that a system can be in, and checks whether each state violates rule and the condition of being formulated by the user, and causes the step of illegal state according to analysis result information.The theoretical foundation of model testing is sequential logic and automaton theory.It is shown as the sequential logic formula with the attribute list that will check, and system representation becomes finite-state automata, when the traversal finite-state automata, checks whether all states of automat satisfy the attribute of giving.
Can there be complicated mistake semantically in model testing in the discovery procedure, thereby potential security hole in the accurate discovery procedure, but existing model testing instrument is normally analyzed the formal expression (mathematical description) of source program, rather than with source program as input.As need the mathematical model of source program, can finish the generation of source program model automatically by process analysis (as data flow analysis, control flow analysis, program slice) instrument usually.Be not difficult to find out that from simplifying the model of program slice extraction procedure process analysis is the basis.Process analysis herein except grammatical analysis, more needs to relate to semantic analysis, comprises control flow analysis and data-flow analysis.
The basic thought that carries Validation Code PCC (Proof-Carrying Code) extremely is similar to password.At first, be one group of security strategy of code definition.Then, the code supplier must observe these security strategies when programming, and adds the code of checking in program source code, has observed these security strategies with the code of proof source program; Confirm the security of these codes at last by the code user.
Lexical scan is based on the safety scanning of lexical analysis.Source code is only carried out lexical analysis.Find out potential security breaches by the static scanning source code, in case find just to provide warning message.Basic skills be with one or more source code file as input, and each file is decomposed into morphology mark stream, relatively identifier and the predefined security hole dictionary in the mark stream.For example in case find to have strcpy in the C source program, string operation functions such as strcat are promptly thought the security hole that exists buffer zone to overflow, because these functions may cause that buffer zone overflows, the security hole dictionary of this moment comprises strcpy, strcat etc.
Simple semantic analysis is based on the security inspection of grammer and simple semantic analysis, its principle of work is very similar to compiler system, it is based on grammatical analysis and semantic rules, add simple control flow analysis and data-flow analysis simultaneously, therefore have higher analysis efficiency and extensibility, and can find the extensive security hole that exists in the software by the mode that in program, adds the data-flow analysis annotation information in the object-oriented program section, as occurring the maximum internal storage access leak of probability in the program, comprise the illegal use of memory block, taking off of null pointer quoted, buffer zone overflows or the like.Its another advantage is applicable to the analysis to extensive program.
Information flow analysis: for a long time, particularly along with development of internet technology, the information security in the computer system receives much attention always, and main stream approach is based on the information flow checking of type inferencing and detects.Information flow checking and detection method have proposed the security that a kind of authentication mechanism is guaranteed information flow in the program by the lattice model (latice model) of setting up the security information flow verification.This method is " security classes " that information is specified a set, and with the information flow that allows between " flow relation " definition security classes, each storage object in the program is tied to specific security classes.Use the value of some object (as x) when an operation (or a series of operation), obtain the value of other objects (as y), then cause the information flow from x to y.The security classes of x can flow to the security classes of y in and if only if the given Flow Policy, and the information flow from x to y allows.
Comprehensively above-mentioned, the static code analysis engine of main flow substantially all is based on suspicious API string matching at present, some algorithm is also done a lot on context relation, but as a whole, the deficiency that these prior aries exist is: function or limitation that each algorithm can be realized are bigger.Such as
(1) deficiency of string matching: is that present code analysis techniques is used the most general algorithm with the string matching for the based rule matching technique, its main thought is the rule by pre-establishing, according to keyword matching, find out corresponding code, and the prompting user.For example, when using the ITC4 scan code, can use the code of strcpy all to report all, think that it is dangerous, need to use strncpy to replace.But this method rate of false alarm is too high, and it is dangerous that the API that a lot of processes detect also is considered to, and where the very difficult resolution of developer is only and really has safety problem.
(2) the present deficiency of context relation algorithm: have some programs can accomplish to a certain degree based on context related, for example RATS and BOON.Here be example with BOON, it can convert correlative code to specific descriptive language, and whether is judging through checking whether code exists buffer zone to overflow in full by detecting correlated variables.Like this, solve the wrong report problem to a certain extent, but also had some problems.For example can not detected handle (dual pointer), (strcpy (a+5, form b)) etc., and can only solve the character string buffer zone and overflow with integer and overflow can not solve problems such as boundary condition, input validation can not to detect the character string skew.
Because at present the security threat of software is very many, comprise that common buffer zone overflows, contest condition, input validation etc.These security threats under development are very easy to be utilized by the hacker, and are not easy to be developed personnel's discovery.Therefore how the technology that detects security breaches in the software source code is improved, just become the focus that those skilled in the art pay close attention to.
Summary of the invention
In view of this, the purpose of this invention is to provide a kind of software security code profiler and detection method thereof based on source code static analysis technology, this software security code profiler SSCA (Software Security CodeAnalyzer) is to start with from source code, solves the safety problem that software faces.This software security code profiler is according to the source program of input, according to grammer with semantic, the structure of routine analyzer and key feature, thereby the security risk of the program of acquisition, and report to the user.In addition, it can also pass through form with the result of code analysis, the security breaches of finding is submitted to the user examine and assess.
In order to achieve the above object, the invention provides a kind of software security code profiler based on source code static analysis technology, it is characterized in that: described software security code profiler includes following five functional modules and forms:
Code parser is responsible for source program code is carried out morphology, grammatical analysis.Take out abundant information then and convert abstract syntax tree AST (Abstract Syntax Tree) to and represent, send into the code analysis engine again, for follow-up analysis facilitates; This module can also be supported to resolve the project project file, obtains whole source code information in the engineering;
The code analysis engine, by finishing five sub-function module of function separately respectively: data stream analyzer, control flow analysis device, structure analyzer, safety analysis scheduler and safety analysis interface are formed, be responsible for structure and key feature according to the rule base routine analyzer, the security risk of acquisition program, and the result is submitted to user interface by security risk report device;
Security risk report device is responsible for the result according to the code analysis engine, and the dependent parser and the semanteme that refer again to rule base are compared, and the security risk of finding is submitted to user interface;
Security rule base is responsible for the code analysis engine code analysis rules of using the expandable mark language XML configuration is provided, and the security risk support of corresponding different security hole; Risk improvement strategy report can also be provided, promptly can expand at the diversity and the complicacy of the software systems of varying environment;
User interface is responsible for carrying out alternately with the user, and one side is accepted the request of scanning input code, then the result of scanning analysis is exported to the user on the other hand.
The function of five submodules is in the described code analysis engine:
Data stream analyzer is used for the basis at code analysis, the traffic flow information of extraction procedure; It is by traversal abstract syntax tree AST, extracts to comprise pointer variable, memory block, constant, and the data message of function structure is brushed choosing according to user policy to these information again, and provides interface to the program structure analyzer, to read these information;
The control flow analysis device is used on the code analysis basis, the control stream information of extraction procedure; It is according to rule with by traversal abstract syntax tree AST, generates corresponding programmed control dependency graph, and provides interface to the safety analysis scheduler, to read these information;
Structure analyzer, be used for the syntax tree basis that extracts at the code analysis engine, the code analysis rules that provides according to security rule base, the primary structure information that includes stomion, main function name and funtcional relationship of extraction procedure, data dispatching stream analyzer and control flow analysis device again, finish the analysis to the key variables of regular appointment, and call the safety analysis interface, the security of finishing correlative code detects;
The safety analysis scheduler as the main scheduler module of code analysis engine, is used for the information that provides according to security rule base, and the scheduling structure analyzer carries out safety analysis, and generates account, provides interface to call for the safety analysis report device;
The safety analysis interface is responsible for calling specific safety analytical method according to safety rule, and these methods are utilized syntax tree and flow analysis result, carry out safety analysis, and analysis result is submitted to security risk report device.
Described source program code is the main flow development language that comprises C, C++, C#, JAVA and Perl.
The software security flaw that described software security code profiler can detect comprises following multiclass:
Input validation Input Validation, comprise: buffer zone overflows Buffer Overflow, Command Injection is injected in order, cross site scripting Cross-Site Scripting, format character string Format String, illegal pointer Illegal Pointer Value, integer overflows Integer Overflow, Log Forging is forged in daily record, Path Manipulation is handled in the path, process control Process Control, resource leakage ResourceInjection, SQL injects SQL Injection, and the character string mistake is ended String Termination Error;
API misuse, i.e. API Abuse comprises: dangerous function Dangerous Function, catalogue restriction Directory Restriction does not detect rreturn value Unchecked Return Value, heapcheck HeapInspection;
Security feature Security Features comprises: unsafe random number Insecure Randomness, least privilege be Least Privilege Violation in violation of rules and regulations;
Time and state Time and State comprise: file access contest condition File Access RaceCondition:TOCTOU, unsafe temporary file Insecure Temporary File;
Code quality Code Quality, comprise: dual release Double Free, memory overflow MemoryLeak, null pointer is checked Null Dereference, discarded function Obsolete, uninitialized variable Uninitialized Variable does not discharge resource Unreleased Resource, discharges the back and uses Use AfterFree.
In order to achieve the above object, the present invention also provides a kind of method of detection software security flaw of the software security code profiler based on source code static analysis technology, it is characterized in that: comprise following operation steps:
(1) after the source code directory, code language, the header file catalogue that detect of the needs that the user is configured sent into the software security code profiler, this pick-up unit was started working;
(2) earlier the source code of input is carried out pre-service,, be substituted in the source code on the corresponding position header file and grand the untiing that has defined in the program;
(3) read rule file, resolve the employed expandable mark language XML file of storage rule, obtain needed safety analysis rule;
(4) each source file of handling is carried out syntax parsing, after handling, carry out syntax parsing, resolve to source code from left to right that LL describes grammatical described data, after this resolve to the AST syntax tree of standard through grand parsing and header file;
(5), the source code of target engineering is carried out preanalysis according to safety rule and AST syntax tree; If finding does not need to carry out flow analysis with regard to detectable safety problem, then directly analysis result is submitted to the result treatment module; Otherwise, give control flow analysis device, data stream analyzer and safety analysis scheduler with the AST tree with safety rule, be for further processing;
(6) respectively further control flow analysis and data-flow analysis made in the AST syntax tree, wherein data-flow analysis is in data centralization to a Buffer Pool of allocating in advance with the call relation of all variablees in the code, tell the variable name and the number of being expert at during use, so that search its function call table; Control flow analysis then is that the control relation of particular row is added up, can be with any delegation's Be Controlled and which row control all to be submitted to relevant interface by whether in the code;
(7) according to the analysis class name that disposes in the rule, by analyzing scheduler the safety problem of code to be analyzed, each class safety problem is carried out safety analysis corresponding to a safety analytical method by these safety analytical methods of safety analysis interface dynamic call; These analytical approachs at security breaches comprise at least: buffer zone overflows, resource leakage, dangerous API and format character string, these structure analyzers utilize the result of safety rule, AST syntax tree and flow analysis to make a concrete analysis of, in case after the discovery safety problem, be about to analysis result and be filled into as a result in the Buffer Pool;
(8) after safety analysis finishes, the analysis result that is stored in the Buffer Pool is as a result taken out, be stored in local disk, and submit to the user and check;
Described step 4 further comprises following content of operation:
(41) elder generation of the syntax parsing module in the code parser filters the type of the source file of input, extracts required source code according to extension name;
(42) source code that extracts is carried out pre-service, all header file information and grand information in the resolving code, and it is unlock in the file of appointment;
(43) carry out lexical analysis, source code is converted to the LL syntax;
(44) carry out grammatical analysis, convert the result of syntax analysis to the AST syntax tree.
Described step 6 further comprises following content of operation:
(61) carry out control flow analysis earlier, promptly, seek and obtain control statement comprising if, while, for, switch by software security code profiler traversal AST syntax tree;
(62) if there is the control statement of the described if of comprising, while, for, switch, then carry out recursive calculation, the record controls relation is till can not find control relation; If there is no described control statement then carries out record to the control relation of analyzing out;
(63) arrive/data-flow analysis of definite value, obtain the behaviour in service of each parameter;
(64) if the situation that exists parameter to quote is then carried out pointer/alias analysis, obtain the actual sensing of these parameters;
(65), carry out variable query, internal memory inquiry or functional query respectively according to the difference of parameter;
(66) Query Result is stored in the corresponding data list, make things convenient for next step use.
Alias analysis in the described step 64 is to analyze the situation that two or more different variablees point to same blocks of data district.
The present invention is a kind of software security code profiler and detection method thereof based on source code static analysis technology, and the security code analysis engine in this software security code profiler can extract program structure and by based on grammer in full, the safety problem that semanteme comes code analysis.The source code by input and the grammer of code be with semantic, analyzes the structure and the key feature of code by this engine, obtains the security risk of program thus and report to the user.
With respect to present other correlation techniques, innovation point of the present invention mainly is: 1, safety rule wherein is configured by XML, so the software security flaw that SSCA supports can expand.2, open-ended many programming languages support: source code is to be converted to the AST syntax tree through converter independently, analyzes again, and promptly programming language is open-ended.3, understand technology based on contextual code implication: the present invention has used data-flow analysis technology and control flow analysis technology when code analysis, thereby understands and analysis through context implication when guaranteeing code analysis.4, safety analyzer dynamic load: after flow analysis according to regular dynamic load safety analyzer.Therefore, advantage of the present invention and effect are:
(1) correctness used of the omnidistance API of investigation parameter: for example: simply according to the use of suspicious API whether processing whether parameter having made somewhere before using crosses the border etc., rather than only limit to current line and make judgement more be not.
The present invention extracts key message and is converted to specific form by analyzing specific API or variable, and the constraint condition by pre-establishing is analyzed code in context again, thereby determines the safety problem of code.For example, for the string overflow problem, program is by analyzing specific API (as strcpy, strncpy, sprintf etc.), its variable that calls is checked, based on context detect it and whether passed through detection (for example whether judged string length, whether limited string length etc.), and, judge whether to take place buffer zone and overflow according to the constraint condition of this function.
(2) based on meaning of one's words depth detection: with respect to other technologies, the present invention is the code logic according to program, understands the implication of code, thereby makes the most appropriate judgement.For example when the processing buffer zone overflows, no longer only detect according to crucial API Name, and can the upper and lower relation of API be analyzed, by the flow analysis technology, whether the variable of finding out its use has been judged, thereby improves the accuracy rate that detects greatly.
(3) multilingual support and expansion capacity: other technologies can only be supported the language that a few is fixing at present, and for example RATS supports C, C++, Python, Per and PHP, and BOON can only support C/C++.The present invention can support main flow development languages such as C, C++, C#, JAVA, Perl, and can support the expansion capacity to new language.
(4) detection of various features leak and expansion capacity: other instruments can only be supported specific leak at present, and for example BOON can only detect buffer zone and overflows, and RATS also can only detect minority code leak.The present invention has supported tens of kinds of software security flaws at present, and can be by pre-configured safety rule, the security breaches that dynamic interpolation can detect.
(5) multiple operating system support: other software security instruments relatively, native system can be supported present most mainstream operation system, comprising: Windows series, Unix, Linux, FreeBSD etc.
Therefore, the present invention has good popularization and application prospect.
Description of drawings
Fig. 1 is the composition block diagram of software security code profiler of the present invention.
Fig. 2 is the process flow diagram of the detection method of software security code profiler of the present invention.
Fig. 3 is the syntax parsing process flow diagram in the software security code profiler detection method of the present invention.
Fig. 4 is the flow analysis process flow diagram in the software security code profiler detection method of the present invention.
Fig. 5 is to use the present invention to carry out the embodiment process flow diagram of software development.
Fig. 6 is to use the present invention to carry out the embodiment process flow diagram of access assessment.
Embodiment
For making the purpose, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below in conjunction with accompanying drawing.
Referring to Fig. 1, introduce the structure of the software security code profiler SSCA that the present invention is based on source code static analysis technology and form, mainly include following five functional modules:
1, code parser is responsible for source program is carried out morphology, grammatical analysis.Take out abundant information then and convert abstract syntax tree AST to and represent, send into the code analysis engine again, for follow-up analysis facilitates; This module can also be supported to resolve the project project file, obtains whole source code information in the engineering;
2, code analysis engine is responsible for structure and key feature according to the rule base routine analyzer, obtains the security risk of program, and by security risk report device the result is submitted to user interface; By finishing five sub-function module of function separately respectively: data stream analyzer, control flow analysis device, structure analyzer, safety analysis scheduler and safety analysis interface are formed; Introduce this five sub-function module below respectively:
Data stream analyzer is on the basis of code analysis, the traffic flow information of extraction procedure; It is by traversal abstract syntax tree AST, extracts to comprise pointer variable, memory block, constant, and the data message of function structure is brushed choosing according to user policy to these information again, and provides interface to the program structure analyzer, to read these information;
The control flow analysis device is on the code analysis basis, the control stream information of extraction procedure; It is according to rule with by traversal abstract syntax tree AST, generates corresponding programmed control dependency graph, and provides interface to the safety analysis scheduler, to read these information;
Structure analyzer is on the syntax tree basis that the code analysis engine extracts, the code analysis rules that provides according to security rule base, the primary structure of extraction procedure (as entrance, main function name and funtcional relationship etc.) information, data dispatching stream analyzer and control flow analysis device again, finish analysis to the key variables of regular appointment, and call the safety analysis interface, the security of finishing correlative code detects;
The safety analysis scheduler is the main scheduler module of code analysis engine, and the information that provides according to security rule base is provided, and the scheduling structure analyzer carries out safety analysis, and generates account, provides interface to call for the safety analysis report device;
The safety analysis interface is to be responsible for calling specific safety analytical method according to safety rule.These methods are utilized syntax tree and flow analysis result, carry out safety analysis, and analysis result is submitted to security risk report device.
3, security risk report device is responsible for the result according to the code analysis engine, and the dependent parser and the semanteme that refer again to rule base are compared, and the security risk of finding is submitted to user interface;
4, security rule base is responsible for the code analysis engine code analysis rules of using the expandable mark language XML configuration is provided, and the security risk support of corresponding different security hole; Risk improvement strategy report also can be provided, promptly can expand at the diversity and the complicacy of the software systems of varying environment;
5, user interface is responsible for carrying out alternately with the user, and one side is accepted the request of scanning input code, then the result of scanning analysis is exported to the user on the other hand.
The key of software security code profiler SSCA of the present invention is the security code analysis engine, and this engine can be according to the source program of input, according to grammer with semantic, the structure of routine analyzer and key feature, thereby the security risk of the program of acquisition, and report to the user.Wherein source code at first considers to support main flow development languages such as C/C++/C#/JAVA/Perl.
By above as can be known, the content of program analysis method and safety rule has determined result and the efficient analyzed.Process analysis is the basis of security inspection, is responsible for extraction procedure information so that and the security rule be complementary, thereby scan wherein security hole.In the present invention, process analysis is from data-flow analysis and two angle incisions of control flow analysis.The structure of safety rule is to seek the safe mode of different security hole.
Because the diversity and the complicacy of software systems (the particularly software systems of distributed environment) make security hole of a great variety, can not address all of these issues.At present, the software security flaw primary categories that can support of apparatus of the present invention has: Input Validation, API Abuse, Security Features, Time and State, Code Quality etc.
Referring to Fig. 2, introduce the main treatment step of SSCA detecting operation method flow:
(1) after the source code directory, code language, the header file catalogue that detect of the needs that the user is configured sent into the software security code profiler, this pick-up unit was started working;
(2) earlier the source code of input is carried out pre-service,, be substituted in the source code on the corresponding position header file and grand the untiing that has defined in the program;
(3) read rule file, resolve the expandable mark language XML file that storage rule uses, obtain required safety analysis rule;
(4) each source file of handling is carried out syntax parsing, after through grand parsing and header file processing, carry out the syntax and resolve, source code is resolved to the data that the LL syntax are described, after this resolve to the AST syntax tree of standard; This step can be subdivided into following each concrete operations content (referring to shown in Figure 3):
(41) elder generation of the syntax parsing module in the code parser filters the type of the source file of input, extracts required source code according to extension name;
(42) the extraction source code is carried out pre-service, all header file information and grand information in the resolving code, and it is unlock in the file of appointment;
(43) carry out lexical analysis, source code is converted to the LL syntax;
(44) carry out grammatical analysis, convert the result of syntax analysis to the AST syntax tree.
(5), the source code of target engineering is carried out preanalysis according to safety rule and AST syntax tree; If finding does not need to carry out flow analysis with regard to detectable safety problem, then directly analysis result is submitted to the result treatment module; Otherwise, give control flow analysis device, data stream analyzer and safety analysis scheduler with the AST tree with safety rule, be for further processing;
(6) respectively further control flow analysis and data-flow analysis made in the AST syntax tree, wherein data-flow analysis is in data centralization to a Buffer Pool of allocating in advance with the call relation of all variablees in the code, tell the variable name and the number of being expert at during use, so that search its function call table; Control flow analysis then is that the control relation of particular row is added up, can be with any delegation's Be Controlled and which row control all to be submitted to relevant interface by whether in the code; This step is subdivided into following each concrete operations content (as shown in Figure 4):
(61) carry out control flow analysis earlier, promptly, seek and obtain Control Node comprising the control statement of if, while, for, switch by software security code profiler traversal AST syntax tree;
(62) if there is the control statement of the described if of comprising, while, for, switch, then carry out recursive calculation, the record controls relation is till can not find control relation; If there is no described control statement then carries out record to the Control Node of the control relation analyzing out;
(63) arrive/data-flow analysis of definite value, obtain the behaviour in service of each parameter;
(64) if the situation that exists parameter to quote is then carried out pointer/alias analysis, obtain the actual sensing of these parameters;
(65), carry out variable query, internal memory inquiry or functional query respectively according to the difference of parameter;
(66) Query Result is stored in the corresponding data list, make things convenient for next step use.
(7) according to the analysis class name that disposes in the rule, by analyzing scheduler the safety problem of code to be analyzed, each class safety problem is carried out safety analysis corresponding to a safety analytical method by these safety analytical methods of safety analysis interface dynamic call; These analytical approachs at security breaches comprise at least: buffer zone overflows, resource leakage, dangerous API and format character string, these structure analyzers utilize the result of safety rule, AST syntax tree and flow analysis to make a concrete analysis of, in case after the discovery safety problem, be about to analysis result and be filled into as a result in the Buffer Pool;
(8) after safety analysis finishes, the analysis result that is stored in the Buffer Pool is as a result taken out, be stored in local disk, and submit to the user and check;
The present invention has carried out the enforcement test of two aspects, and one is software development: the enterprises and individuals who carries out software development can use the present invention to split the source code that distributes and detect, therefrom find out the risk of existence, and improve.The improvement flow process of its code research and development as shown in Figure 5 like this.Another is the access assessment: as the unit of test and appraisal mechanism and final deployment software product, owing to do not understand the flow process of software development, can only carry out black box to software detects, the potential safety hazard that exists in the software can not in time find, the safe operation of these units has been caused great threat.The present invention can effectively address this problem, and can clearly find the risk that exists in the software by code scans, guarantees the safety and stablization of software.Its application flow as shown in Figure 6.
Claims (8)
1, a kind of software security code profiler based on source code static analysis technology is characterized in that: described software security code profiler includes following five functional modules and forms:
Code parser is responsible for source program code is carried out morphology, grammatical analysis.Take out abundant information then and convert abstract syntax tree AST to and represent, send into the code analysis engine again, for follow-up analysis facilitates; This module can also be supported to resolve the project project file, obtains whole source code information in the engineering;
The code analysis engine, by finishing five sub-function module of function separately respectively: data stream analyzer, control flow analysis device, structure analyzer, safety analysis scheduler and safety analysis interface are formed, be responsible for structure and key feature according to the rule base routine analyzer, the security risk of acquisition program, and the result is submitted to user interface by security risk report device;
Security risk report device is responsible for the result according to the code analysis engine, and the dependent parser and the semanteme that refer again to rule base are compared, and the security risk of finding is submitted to user interface;
Security rule base is responsible for the code analysis engine code analysis rules of using the expandable mark language XML configuration is provided, and the security risk support of corresponding different security hole; Risk improvement strategy report can also be provided, promptly can expand at the diversity and the complicacy of the software systems of varying environment;
User interface is responsible for carrying out alternately with the user, and one side is accepted the request of scanning input code, then the result of scanning analysis is exported to the user on the other hand.
2, software security code profiler according to claim 1 is characterized in that: the function of five submodules is in the described code analysis engine:
Data stream analyzer is used for the basis at code analysis, the traffic flow information of extraction procedure; It is by traversal abstract syntax tree AST, extracts to comprise pointer variable, memory block, constant, and the data message of function structure is brushed choosing according to user policy to these information again, and provides interface to the program structure analyzer, to read these information;
The control flow analysis device is used on the code analysis basis, the control stream information of extraction procedure; It is according to rule with by traversal abstract syntax tree AST, generates corresponding programmed control dependency graph, and provides interface to the safety analysis scheduler, to read these information;
Structure analyzer, be used for the syntax tree basis that extracts at the code analysis engine, the code analysis rules that provides according to security rule base, the primary structure information that includes stomion, main function name and funtcional relationship of extraction procedure, data dispatching stream analyzer and control flow analysis device again, finish the analysis to the key variables of regular appointment, and call the safety analysis interface, the security of finishing correlative code detects;
The safety analysis scheduler as the main scheduler module of code analysis engine, is used for the information that provides according to security rule base, and the scheduling structure analyzer carries out safety analysis, and generates account, provides interface to call for the safety analysis report device;
The safety analysis interface is responsible for calling specific safety analytical method according to safety rule, and these methods are utilized syntax tree and flow analysis result, carry out safety analysis, and analysis result is submitted to security risk report device.
3, software security code profiler according to claim 1 is characterized in that: described source program code is the main flow development language that comprises C, C++, C#, JAVA and Perl.
4, software security code profiler according to claim 1 is characterized in that: the software security flaw that described software security code profiler can detect comprises following multiclass:
Input validation Input Validation, comprise: buffer zone overflows Buffer Overflow, Command Injection is injected in order, cross site scripting Cross-Site Scripting, format character string Format String, illegal pointer Illegal Pointer Value, integer overflows Integer Overflow, Log Forging is forged in daily record, Path Manipulation is handled in the path, process control Process Control, resource leakage ResourceInjection, SQL injects SQL Injection, and the character string mistake is ended String Termination Error;
API misuse, i.e. API Abuse comprises: dangerous function Dangerous Function, catalogue restriction Directory Restriction does not detect rreturn value Unchecked Return Value, heapcheck HeapInspection;
Security feature Security Features comprises: unsafe random number Insecure Randomness, least privilege be Least Privilege Violation in violation of rules and regulations;
Time and state Time and State comprise: file access contest condition File Access RaceCondition:TOCTOU, unsafe temporary file Insecure Temporary File;
Code quality Code Quality, comprise: dual release Double Free, memory overflow MemoryLeak, null pointer is checked Null Dereference, discarded function Obsolete, uninitialized variable Uninitialized Variable does not discharge resource Unreleased Resource, discharges the back and uses Use AfterFree.
5, a kind of method of detection software security flaw of the software security code profiler based on source code static analysis technology is characterized in that: comprise following operation steps:
(1) after the source code directory, code language, the header file catalogue that detect of the needs that the user is configured sent into the software security code profiler, this pick-up unit was started working;
(2) earlier the source code of input is carried out pre-service,, be substituted in the source code on the corresponding position header file and grand the untiing that has defined in the program;
(3) read rule file, resolve the employed expandable mark language XML file of storage rule, obtain needed safety analysis rule;
(4) each source file of handling is carried out syntax parsing, after handling, carry out syntax parsing, resolve to source code from left to right that LL describes grammatical described data, after this resolve to the AST syntax tree of standard through grand parsing and header file;
(5), the source code of target engineering is carried out preanalysis according to safety rule and AST syntax tree; If finding does not need to carry out flow analysis with regard to detectable safety problem, then directly analysis result is submitted to the result treatment module; Otherwise, give control flow analysis device, data stream analyzer and safety analysis scheduler with the AST tree with safety rule, be for further processing;
(6) respectively further control flow analysis and data-flow analysis made in the AST syntax tree, wherein data-flow analysis is in data centralization to a Buffer Pool of allocating in advance with the call relation of all variablees in the code, tell the variable name and the number of being expert at during use, so that search its function call table; Control flow analysis then is that the control relation of particular row is added up, can be with any delegation's Be Controlled and which row control all to be submitted to relevant interface by whether in the code;
(7) according to the analysis class name that disposes in the rule, by analyzing scheduler the safety problem of code to be analyzed, each class safety problem is carried out safety analysis corresponding to a safety analytical method by these safety analytical methods of safety analysis interface dynamic call; These analytical approachs at security breaches comprise at least: buffer zone overflows, resource leakage, dangerous API and format character string, these structure analyzers utilize the result of safety rule, AST syntax tree and flow analysis to make a concrete analysis of, in case after the discovery safety problem, be about to analysis result and be filled into as a result in the Buffer Pool;
(8) after safety analysis finishes, the analysis result that is stored in the Buffer Pool is as a result taken out, be stored in local disk, and submit to the user and check;
6, the method for detection software security flaw according to claim 5 is characterized in that: described step 4 further comprises following content of operation:
(41) elder generation of the syntax parsing module in the code parser filters the type of the source file of input, extracts required source code according to extension name;
(42) source code that extracts is carried out pre-service, all header file information and grand information in the resolving code, and it is unlock in the file of appointment;
(43) carry out lexical analysis, source code is converted to the LL syntax;
(44) carry out grammatical analysis, convert the result of syntax analysis to the AST syntax tree.
7, the method for detection software security flaw according to claim 5 is characterized in that: described step 6 further comprises following content of operation:
(61) carry out control flow analysis earlier, promptly, seek and obtain control statement comprising if, while, for, switch by software security code profiler traversal AST syntax tree;
(62) if there is the control statement of the described if of comprising, while, for, switch, then carry out recursive calculation, the record controls relation is till can not find control relation; If there is no described control statement then carries out record to the control relation of analyzing out;
(63) arrive/data-flow analysis of definite value, obtain the behaviour in service of each parameter;
(64) if the situation that exists parameter to quote is then carried out pointer/alias analysis, obtain the actual sensing of these parameters;
(65), carry out variable query, internal memory inquiry or functional query respectively according to the difference of parameter;
(66) Query Result is stored in the corresponding data list, make things convenient for next step use.
8, the method for detection software security flaw according to claim 5 is characterized in that: the alias analysis in the described step 64 is to analyze the situation that two or more different variablees point to same blocks of data district.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2007100641551A CN100461132C (en) | 2007-03-02 | 2007-03-02 | Software safety code analyzer based on static analysis of source code and testing method therefor |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2007100641551A CN100461132C (en) | 2007-03-02 | 2007-03-02 | Software safety code analyzer based on static analysis of source code and testing method therefor |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101017458A true CN101017458A (en) | 2007-08-15 |
| CN100461132C CN100461132C (en) | 2009-02-11 |
Family
ID=38726482
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNB2007100641551A Expired - Fee Related CN100461132C (en) | 2007-03-02 | 2007-03-02 | Software safety code analyzer based on static analysis of source code and testing method therefor |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN100461132C (en) |
Cited By (154)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101377759B (en) * | 2008-08-26 | 2010-06-09 | 中国工商银行股份有限公司 | Automatic interface test system |
| CN101286133B (en) * | 2008-06-02 | 2010-06-16 | 北京邮电大学 | Software test method applying interval operation |
| CN101894239A (en) * | 2010-08-12 | 2010-11-24 | 武汉大学 | Method and system for auditing and distributing sensitive data based on evolution strategy |
| CN101894236A (en) * | 2010-07-28 | 2010-11-24 | 北京华夏信安科技有限公司 | Software homology detection method and device based on abstract syntax tree and semantic matching |
| CN102012895A (en) * | 2010-08-19 | 2011-04-13 | 上海酷吧信息技术有限公司 | Method for analyzing data |
| CN102012991A (en) * | 2010-11-09 | 2011-04-13 | 北京神舟航天软件技术有限公司 | Static analysis-based checking method of safety rules of C language |
| CN102073588A (en) * | 2010-12-28 | 2011-05-25 | 北京邮电大学 | Code static analysis based multithread deadlock detection method and system |
| CN102073589A (en) * | 2010-12-29 | 2011-05-25 | 北京邮电大学 | Code static analysis-based data race detecting method and system thereof |
| CN102148844A (en) * | 2010-02-09 | 2011-08-10 | 深圳市金蝶中间件有限公司 | Memory leak positioning method, server, client and system |
| CN102193859A (en) * | 2010-03-03 | 2011-09-21 | 腾讯科技(深圳)有限公司 | Code analysis method and system |
| CN102279792A (en) * | 2011-07-25 | 2011-12-14 | 大连理工大学 | Method for establishing security testing rule base based on extensive makeup language (XML) intermediate model |
| CN102411690A (en) * | 2011-12-31 | 2012-04-11 | 中国信息安全测评中心 | Safety loophole mining method and device of application software under Android platform |
| CN102419730A (en) * | 2011-12-08 | 2012-04-18 | 北京控制工程研究所 | Automatic checking method of safety coding rule of 51 assembly language software |
| CN102426550A (en) * | 2011-10-26 | 2012-04-25 | 中国信息安全测评中心 | Source code analysis method and system |
| CN102541614A (en) * | 2011-12-31 | 2012-07-04 | 南京师范大学 | Code analysis-based method for automatically analyzing input-output data of calculation module |
| CN102629213A (en) * | 2012-02-21 | 2012-08-08 | 北京经纬恒润科技有限公司 | Analysis method and monitoring method for C language simulation model |
| CN101901184B (en) * | 2009-05-31 | 2012-09-19 | 西门子(中国)有限公司 | Method, device and system for inspecting vulnerability of application program |
| CN102750220A (en) * | 2011-12-31 | 2012-10-24 | 中国信息安全测评中心 | Method and device for analyzing safety defects of software source code |
| CN101448007B (en) * | 2008-12-31 | 2012-11-21 | 中国电力科学研究院 | Attack prevention system based on structured query language (SQL) |
| CN102799822A (en) * | 2012-07-11 | 2012-11-28 | 中国信息安全测评中心 | Software running security measurement and estimation method based on network environment |
| CN102855183A (en) * | 2012-04-18 | 2013-01-02 | 清华大学 | Static test method and device for misquotation of inner variables by outer pointers |
| CN102902820A (en) * | 2012-10-31 | 2013-01-30 | 华为技术有限公司 | Method and device for identifying database type |
| CN102955914A (en) * | 2011-08-19 | 2013-03-06 | 百度在线网络技术(北京)有限公司 | Method and device for detecting security flaws of source files |
| CN102968367A (en) * | 2012-08-28 | 2013-03-13 | 华南理工大学 | Static detection method on basis of embedded software and system thereof |
| CN103077064A (en) * | 2012-12-31 | 2013-05-01 | 北京配天大富精密机械有限公司 | Method and interpretation device for analyzing and executing program language |
| CN101446968B (en) * | 2008-12-10 | 2013-07-17 | 上海闻泰电子科技有限公司 | Method for parsing extend markup language |
| CN103226488A (en) * | 2013-05-06 | 2013-07-31 | 中国农业银行股份有限公司 | Method and device for efficiency control in formalized code generation |
| CN103257913A (en) * | 2013-04-18 | 2013-08-21 | 西安交通大学 | System and method for detecting and removing fault of software in operation |
| CN103294598A (en) * | 2013-05-28 | 2013-09-11 | 华为技术有限公司 | Method and device for source code inspection |
| CN103309747A (en) * | 2013-05-20 | 2013-09-18 | 青岛海信传媒网络技术有限公司 | Method and device for allocation of code file statistics task |
| CN102272738B (en) * | 2008-12-29 | 2013-11-13 | Sk普兰尼特有限公司 | Method for separately executing software, apparatus, and computer-readable recording medium |
| CN103870382A (en) * | 2012-12-10 | 2014-06-18 | 百度在线网络技术(北京)有限公司 | Code risk detection method and device |
| CN103927212A (en) * | 2013-01-11 | 2014-07-16 | 腾讯科技(深圳)有限公司 | Method and device for automatically analyzing source file information |
| CN103927473A (en) * | 2013-01-16 | 2014-07-16 | 广东电网公司信息中心 | Method, device and system for detecting source code safety of mobile intelligent terminal |
| CN103996006A (en) * | 2013-02-17 | 2014-08-20 | 中国移动通信集团山西有限公司 | Information system security risk assessment method and device |
| WO2015007166A1 (en) * | 2013-07-15 | 2015-01-22 | Tencent Technology (Shenzhen) Company Limited | Method and apparatus for detecting security vulnerability for animation source file |
| CN104318162A (en) * | 2014-09-27 | 2015-01-28 | 深信服网络科技(深圳)有限公司 | Source code leakage detection method and device |
| CN104462981A (en) * | 2013-09-12 | 2015-03-25 | 深圳市腾讯计算机系统有限公司 | Detecting method and device for vulnerabilities |
| CN104462983A (en) * | 2013-09-22 | 2015-03-25 | 深圳市腾讯计算机系统有限公司 | PHP source code processing method and system |
| CN104503917A (en) * | 2015-01-04 | 2015-04-08 | 牟永敏 | Method and system for analyzing change impact domain based on data flow function invoking path |
| CN104572470A (en) * | 2015-01-26 | 2015-04-29 | 中国人民解放军理工大学 | Integer overflow fault detection method based on metamorphic relation |
| CN104636252A (en) * | 2015-01-04 | 2015-05-20 | 浪潮软件股份有限公司 | Online code reviewing method and system based on SonarQube |
| CN104662547A (en) * | 2012-10-19 | 2015-05-27 | 迈克菲股份有限公司 | Mobile application management |
| CN101661543B (en) * | 2008-08-28 | 2015-06-17 | 西门子(中国)有限公司 | Method and device for detecting security flaws of software source codes |
| CN104933368A (en) * | 2014-03-21 | 2015-09-23 | 腾讯科技(深圳)有限公司 | Network security vulnerability detection method and apparatus |
| CN105022958A (en) * | 2015-07-11 | 2015-11-04 | 复旦大学 | Android application used application program vulnerability detection and analysis method based on code library security specifications |
| CN105095079A (en) * | 2015-07-27 | 2015-11-25 | 电子科技大学 | Method and device for hot spot module instruction tracking |
| CN105229661A (en) * | 2013-07-31 | 2016-01-06 | 惠普发展公司,有限责任合伙企业 | Malware is determined based on signal mark |
| CN105278929A (en) * | 2014-06-16 | 2016-01-27 | 腾讯科技(深圳)有限公司 | Application program audit data processing method, device and system |
| CN105302707A (en) * | 2014-06-06 | 2016-02-03 | 腾讯科技(深圳)有限公司 | Application vulnerability detection method and apparatus |
| CN105335652A (en) * | 2015-11-24 | 2016-02-17 | 小米科技有限责任公司 | Debug method and debug device of application process of mobile terminal |
| CN105354137A (en) * | 2015-09-30 | 2016-02-24 | 国家电网公司 | Static model detection method based on IEC61850 protocol |
| CN105404584A (en) * | 2015-11-25 | 2016-03-16 | 广州博冠信息科技有限公司 | LPC static code inspection method, apparatus and system |
| CN105786710A (en) * | 2016-03-22 | 2016-07-20 | 中国银行股份有限公司 | Program code review method and engine |
| CN105867906A (en) * | 2016-03-22 | 2016-08-17 | 东南大学 | Software evolution-oriented code replaceability assessment method |
| US9426177B2 (en) | 2013-07-15 | 2016-08-23 | Tencent Technology (Shenzhen) Company Limited | Method and apparatus for detecting security vulnerability for animation source file |
| CN105893106A (en) * | 2016-04-25 | 2016-08-24 | 北京智能综电信息技术有限责任公司 | Alias analysis method of pointer in program |
| CN105912381A (en) * | 2016-04-27 | 2016-08-31 | 华中科技大学 | Compile-time code security detection method based on rule base |
| CN105956468A (en) * | 2016-04-22 | 2016-09-21 | 中国科学院信息工程研究所 | Method and system for detecting Android malicious application based on file access dynamic monitoring |
| US9454659B1 (en) | 2014-08-15 | 2016-09-27 | Securisea, Inc. | Software vulnerabilities detection system and methods |
| CN106033394A (en) * | 2015-03-13 | 2016-10-19 | 北京奇虎测腾科技有限公司 | Method and device for analyzing software source code |
| CN106155892A (en) * | 2015-04-03 | 2016-11-23 | 腾讯科技(深圳)有限公司 | Judge method and the program test equipment of Application testing coverage |
| CN106155880A (en) * | 2015-03-27 | 2016-11-23 | 中国科学院信息工程研究所 | A kind of automated procedures based on strategy analyze system and method |
| CN106155893A (en) * | 2015-04-03 | 2016-11-23 | 腾讯科技(深圳)有限公司 | Judge method and the program test equipment of Application testing coverage |
| CN106227812A (en) * | 2016-07-21 | 2016-12-14 | 杭州安恒信息技术有限公司 | A kind of auditing method of database object script security risk |
| CN106294156A (en) * | 2016-08-11 | 2017-01-04 | 北京邮电大学 | A kind of static code fault detection analysis method and device |
| CN106295322A (en) * | 2016-07-26 | 2017-01-04 | 北京航空航天大学 | A kind of hardware protection model for buffer overflow attack |
| CN106339313A (en) * | 2016-08-12 | 2017-01-18 | 南京航空航天大学 | Method for automatically detecting inconsistency of Java API program exception and document description |
| CN106354632A (en) * | 2016-08-24 | 2017-01-25 | 北京奇虎测腾科技有限公司 | Source code detecting system and method based on static analysis technology |
| CN106371997A (en) * | 2016-09-07 | 2017-02-01 | 网易(杭州)网络有限公司 | Code checking method and device |
| CN106372511A (en) * | 2016-08-24 | 2017-02-01 | 北京奇虎测腾安全技术有限公司 | Source code detection system and method |
| CN106411855A (en) * | 2016-09-06 | 2017-02-15 | 北京邮电大学 | Vulnerability directory search method and apparatus |
| CN106911686A (en) * | 2017-02-20 | 2017-06-30 | 杭州迪普科技股份有限公司 | WebShell detection methods and device |
| CN106940647A (en) * | 2017-03-20 | 2017-07-11 | 广州视源电子科技股份有限公司 | Code administration method and apparatus |
| CN106970819A (en) * | 2017-03-28 | 2017-07-21 | 清华大学 | A kind of c program code specification check device based on the regular description languages of PRDL |
| CN107045477A (en) * | 2016-12-30 | 2017-08-15 | 上海富聪金融信息服务有限公司 | A kind of quality evaluation platform for carrying out various dimensions detection |
| CN107103239A (en) * | 2017-04-10 | 2017-08-29 | 中国民生银行股份有限公司 | Source code based on application system business processing logic is gone beyond one's commission detection method and device |
| CN107133518A (en) * | 2017-04-10 | 2017-09-05 | 中国民生银行股份有限公司 | Source code based on parameter and information flow is gone beyond one's commission detection method and device |
| US9798981B2 (en) | 2013-07-31 | 2017-10-24 | Entit Software Llc | Determining malware based on signal tokens |
| CN107315961A (en) * | 2017-07-11 | 2017-11-03 | 北京奇虎科技有限公司 | Bug detection method and device, computing device, storage medium |
| US9813450B1 (en) | 2015-02-16 | 2017-11-07 | Amazon Technologies, Inc. | Metadata-based verification of artifact quality policy compliance |
| US9824214B2 (en) | 2014-08-15 | 2017-11-21 | Securisea, Inc. | High performance software vulnerabilities detection system and methods |
| CN107506304A (en) * | 2017-08-24 | 2017-12-22 | 方智林 | Code detection method, device, electronic equipment and storage medium |
| CN107516040A (en) * | 2017-07-25 | 2017-12-26 | 中国人民解放军63928部队 | A kind of Vulnerability Characteristics analysis and acquisition methods based on data controlling stream graph |
| CN107659555A (en) * | 2016-08-30 | 2018-02-02 | 北京长亭科技有限公司 | Detection method and device, terminal device and the computer-readable storage medium of network attack |
| CN107704382A (en) * | 2017-09-07 | 2018-02-16 | 北京信息科技大学 | Towards Python function call path generating method and system |
| CN107766728A (en) * | 2017-08-28 | 2018-03-06 | 国家电网公司 | Mobile application security managing device, method and mobile operation safety protection system |
| CN107862327A (en) * | 2017-10-26 | 2018-03-30 | 华中科技大学 | A kind of safety defect identifying system and method based on multiple features |
| CN107895115A (en) * | 2017-12-04 | 2018-04-10 | 北京元心科技有限公司 | Method and device for preventing stack overflow and terminal equipment |
| CN107943481A (en) * | 2017-05-23 | 2018-04-20 | 清华大学 | C programmer code specification building method based on multi-model |
| CN108132999A (en) * | 2017-12-21 | 2018-06-08 | 恒宝股份有限公司 | The processing method and system of a kind of masurium |
| CN108153666A (en) * | 2016-12-06 | 2018-06-12 | 北京奇虎科技有限公司 | A kind of method and apparatus of resource reclaim loophole in static detection Android code |
| CN108153664A (en) * | 2016-12-06 | 2018-06-12 | 北京奇虎科技有限公司 | A kind of static code scan method and device |
| CN108459954A (en) * | 2017-02-22 | 2018-08-28 | 腾讯科技(深圳)有限公司 | Vulnerability of application program detection method and device |
| CN108595952A (en) * | 2018-03-30 | 2018-09-28 | 全球能源互联网研究院有限公司 | A kind of detection method and system of electric power mobile application software loophole |
| CN108803561A (en) * | 2018-05-22 | 2018-11-13 | 广州明珞汽车装备有限公司 | The program automatic check method and system of program are controlled for white body wire body |
| CN108874396A (en) * | 2018-05-31 | 2018-11-23 | 苏州蜗牛数字科技股份有限公司 | The cross-compiler and Compilation Method of multi-platform multiple target language based on HLSL |
| CN109033843A (en) * | 2018-08-02 | 2018-12-18 | 南瑞集团有限公司 | Java file dependencies analysis method and module for distributed static detection system |
| CN109241104A (en) * | 2018-10-12 | 2019-01-18 | 北京聚云位智信息科技有限公司 | The resolver and its implementation of AISQL in decision type distributed data base system |
| CN109246113A (en) * | 2018-09-21 | 2019-01-18 | 郑州云海信息技术有限公司 | A kind of the SQL injection leak detection method and device of REST API |
| CN109426723A (en) * | 2017-09-01 | 2019-03-05 | 深圳市源伞新科技有限公司 | Use the detection method, system, equipment and storage medium of memory after release |
| CN109471634A (en) * | 2018-08-28 | 2019-03-15 | 上海思立微电子科技有限公司 | The inspection method and equipment of source code format |
| CN109784048A (en) * | 2018-12-12 | 2019-05-21 | 江苏大学 | A kind of stack buffer spilling vulnerability checking method based on programme diagram |
| CN109857648A (en) * | 2019-01-14 | 2019-06-07 | 复旦大学 | A kind of change mode excavation method of API misuse |
| CN109992970A (en) * | 2018-01-03 | 2019-07-09 | 北京京东尚科信息技术有限公司 | JAVA unserializing leakage location and method |
| CN110069250A (en) * | 2019-04-30 | 2019-07-30 | 联陆智能交通科技(上海)有限公司 | LTE-V2X standard application layer data decoding method, system and medium |
| CN110149800A (en) * | 2015-04-07 | 2019-08-20 | 华为技术有限公司 | It is a kind of for handling the device of abstract syntax tree associated with the source code of source program |
| CN110188029A (en) * | 2019-03-15 | 2019-08-30 | 中山大学 | A kind of Java null pointer analysis system reaching analysis method based on definite value |
| CN110286891A (en) * | 2019-06-25 | 2019-09-27 | 中国科学院软件研究所 | A kind of program source code coding method based on code attribute tensor |
| CN110348226A (en) * | 2019-07-12 | 2019-10-18 | 北京字节跳动网络技术有限公司 | A kind of scan method of project file, device, electronic equipment and storage medium |
| CN110377276A (en) * | 2019-07-19 | 2019-10-25 | 潍柴动力股份有限公司 | Source code file management method and equipment |
| CN110399156A (en) * | 2019-07-26 | 2019-11-01 | 华东师范大学 | In-orbit upgrade method towards Space Mission Software |
| CN110532015A (en) * | 2019-07-26 | 2019-12-03 | 华东师范大学 | In-orbit upgrade-system towards Space Mission Software |
| CN110618809A (en) * | 2019-08-08 | 2019-12-27 | 北京大学 | Front-end webpage input constraint extraction method and device |
| TWI686170B (en) * | 2017-09-26 | 2020-03-01 | 美商蘋果公司 | Device for optical sensing and method for operating the device |
| US10599852B2 (en) | 2014-08-15 | 2020-03-24 | Securisea, Inc. | High performance software vulnerabilities detection system and methods |
| CN110990281A (en) * | 2019-12-04 | 2020-04-10 | 中国直升机设计研究所 | Automatic static analysis method |
| CN111104335A (en) * | 2019-12-25 | 2020-05-05 | 清华大学 | C language defect detection method and device based on multi-level analysis |
| CN111240982A (en) * | 2020-01-09 | 2020-06-05 | 华东师范大学 | Static analysis method for source code |
| CN111240687A (en) * | 2020-01-09 | 2020-06-05 | 华东师范大学 | Source code static analysis device |
| CN111309589A (en) * | 2019-11-29 | 2020-06-19 | 中国电力科学研究院有限公司 | Code security scanning system and method based on code dynamic analysis |
| CN111382427A (en) * | 2020-01-06 | 2020-07-07 | 宁波中科天齐信息技术有限公司 | Buffer overflow detection method based on variable association rule |
| CN111488155A (en) * | 2020-06-15 | 2020-08-04 | 完美世界(北京)软件科技发展有限公司 | Coloring language translation method |
| CN111611158A (en) * | 2020-05-08 | 2020-09-01 | 中国原子能科学研究院 | Application performance analysis system and method |
| CN111611153A (en) * | 2019-02-26 | 2020-09-01 | 阿里巴巴集团控股有限公司 | Method and device for detecting excessive drawing of user interface |
| CN111709026A (en) * | 2020-06-10 | 2020-09-25 | Xc5香港有限公司 | Static security detection method and device, computer equipment and storage medium |
| CN112100626A (en) * | 2020-09-24 | 2020-12-18 | 成都信息工程大学 | Development method for improving source code audit vulnerability hit rate |
| CN112148602A (en) * | 2020-09-17 | 2020-12-29 | 云南电网有限责任公司信息中心 | Source code security analysis method based on history optimization feature intelligent learning |
| CN112162777A (en) * | 2020-09-27 | 2021-01-01 | 北京软安科技有限公司 | Source code feature extraction method and device |
| CN112181858A (en) * | 2020-11-09 | 2021-01-05 | 东北大学 | Automatic detection method for Java software project dependent conflict semantic consistency |
| CN112231212A (en) * | 2020-10-16 | 2021-01-15 | 湖南皖湘科技有限公司 | Method for detecting syntax error of program code |
| CN112328256A (en) * | 2020-11-19 | 2021-02-05 | 四川创智联恒科技有限公司 | Method for automatically generating structure body parser source code |
| CN112416337A (en) * | 2020-11-11 | 2021-02-26 | 北京京航计算通讯研究所 | Software architecture development system for aerospace embedded system |
| CN112527674A (en) * | 2020-12-22 | 2021-03-19 | 苏州三六零智能安全科技有限公司 | Safety evaluation method, device, equipment and storage medium of AI (Artificial Intelligence) framework |
| CN112597446A (en) * | 2020-12-14 | 2021-04-02 | 中国航发控制系统研究所 | Method for screening safety subset of safety key software modeling language |
| CN112639745A (en) * | 2018-08-24 | 2021-04-09 | 甲骨文国际公司 | Scalable pre-analysis of dynamic applications |
| CN112650675A (en) * | 2020-12-23 | 2021-04-13 | 广州汉全信息科技股份有限公司 | Code detection method and device of block chain and computer equipment |
| CN112784290A (en) * | 2021-01-28 | 2021-05-11 | 湖北宸威玺链信息技术有限公司 | Data export tool security analysis method and system and data export method |
| WO2021120538A1 (en) * | 2019-12-19 | 2021-06-24 | 支付宝(杭州)信息技术有限公司 | Applet code scanning method and apparatus |
| US11050777B2 (en) | 2018-11-20 | 2021-06-29 | Saudi Arabian Oil Company | Method and system for remediating cybersecurity vulnerabilities based on utilization |
| CN113220724A (en) * | 2014-12-19 | 2021-08-06 | 斯普兰克公司 | Data stream processing language for analytical instrumentation software |
| CN113391817A (en) * | 2021-06-16 | 2021-09-14 | 中国海洋大学 | ANTLR 4-based header file replacement method and device |
| CN113407442A (en) * | 2021-05-27 | 2021-09-17 | 杭州电子科技大学 | Pattern-based Python code memory leak detection method |
| CN113742732A (en) * | 2020-05-27 | 2021-12-03 | 南京大学 | Code vulnerability scanning and positioning method |
| CN113806715A (en) * | 2020-06-16 | 2021-12-17 | 上海交通大学 | SDK security analysis method for embedded equipment |
| CN114595482A (en) * | 2022-03-10 | 2022-06-07 | 北京邮电大学 | Software source code privacy detection method and system based on static detection |
| CN115167834A (en) * | 2022-09-08 | 2022-10-11 | 杭州新中大科技股份有限公司 | Automatic source code generation method and device based on code datamation |
| CN115495745A (en) * | 2022-10-14 | 2022-12-20 | 国家工业信息安全发展研究中心 | Industrial software source code static detection method and system based on risk function |
| CN115617352A (en) * | 2022-12-02 | 2023-01-17 | 中汽研软件测评(天津)有限公司 | C code detection method, equipment and storage medium based on safety coding standard |
| CN115718696A (en) * | 2022-10-18 | 2023-02-28 | 国网智能电网研究院有限公司 | Source code cryptography misuse detection method and device, electronic equipment and storage medium |
| CN116756048A (en) * | 2023-08-16 | 2023-09-15 | 北京安普诺信息技术有限公司 | Code analysis method, device, computer equipment and storage medium |
| WO2023197397A1 (en) * | 2022-04-13 | 2023-10-19 | 堡垒科技有限公司 | Decentralized trusted tokenization protocol for open source software |
| US11809847B2 (en) | 2022-03-16 | 2023-11-07 | International Business Machines Corporation | Hardcoded string detection |
| WO2023241046A1 (en) * | 2022-06-16 | 2023-12-21 | 中兴通讯股份有限公司 | Code management method and apparatus, and electronic device and storage medium |
Families Citing this family (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP3610395A4 (en) | 2017-05-31 | 2020-09-30 | Shiftleft Inc. | System and method for application security profiling |
| US10956574B2 (en) | 2017-10-07 | 2021-03-23 | Shiftleft Inc. | System and method for securing applications through an application-aware runtime agent |
| US11074362B2 (en) | 2017-12-04 | 2021-07-27 | ShiftLeft, Inc. | System and method for code-based protection of sensitive data |
| US11514172B2 (en) | 2018-11-15 | 2022-11-29 | Grabango Co. | System and method for information flow analysis of application code |
Family Cites Families (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JPH0793144A (en) * | 1993-09-20 | 1995-04-07 | Fujitsu Ltd | Program analyzer |
| US7047523B1 (en) * | 1999-06-02 | 2006-05-16 | Siemens Aktiengesellschaft | System for determining a total error description of at least one part of a computer program |
| US7207065B2 (en) * | 2004-06-04 | 2007-04-17 | Fortify Software, Inc. | Apparatus and method for developing secure software |
| US7549144B2 (en) * | 2005-02-22 | 2009-06-16 | Microsoft Corporation | Custom API modeling for source code static analysis simulator |
| US20060212859A1 (en) * | 2005-03-18 | 2006-09-21 | Microsoft Corporation | System and method for generating XML-based language parser and writer |
-
2007
- 2007-03-02 CN CNB2007100641551A patent/CN100461132C/en not_active Expired - Fee Related
Cited By (244)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101286133B (en) * | 2008-06-02 | 2010-06-16 | 北京邮电大学 | Software test method applying interval operation |
| CN101377759B (en) * | 2008-08-26 | 2010-06-09 | 中国工商银行股份有限公司 | Automatic interface test system |
| CN101661543B (en) * | 2008-08-28 | 2015-06-17 | 西门子(中国)有限公司 | Method and device for detecting security flaws of software source codes |
| CN101446968B (en) * | 2008-12-10 | 2013-07-17 | 上海闻泰电子科技有限公司 | Method for parsing extend markup language |
| CN102272738B (en) * | 2008-12-29 | 2013-11-13 | Sk普兰尼特有限公司 | Method for separately executing software, apparatus, and computer-readable recording medium |
| CN101448007B (en) * | 2008-12-31 | 2012-11-21 | 中国电力科学研究院 | Attack prevention system based on structured query language (SQL) |
| CN101901184B (en) * | 2009-05-31 | 2012-09-19 | 西门子(中国)有限公司 | Method, device and system for inspecting vulnerability of application program |
| CN102148844B (en) * | 2010-02-09 | 2014-08-27 | 深圳市金蝶中间件有限公司 | Memory leak positioning method, server, client and system |
| CN102148844A (en) * | 2010-02-09 | 2011-08-10 | 深圳市金蝶中间件有限公司 | Memory leak positioning method, server, client and system |
| CN102193859A (en) * | 2010-03-03 | 2011-09-21 | 腾讯科技(深圳)有限公司 | Code analysis method and system |
| CN102193859B (en) * | 2010-03-03 | 2014-09-10 | 深圳市世纪光速信息技术有限公司 | Code analysis method and system |
| CN101894236A (en) * | 2010-07-28 | 2010-11-24 | 北京华夏信安科技有限公司 | Software homology detection method and device based on abstract syntax tree and semantic matching |
| CN101894239A (en) * | 2010-08-12 | 2010-11-24 | 武汉大学 | Method and system for auditing and distributing sensitive data based on evolution strategy |
| CN102012895A (en) * | 2010-08-19 | 2011-04-13 | 上海酷吧信息技术有限公司 | Method for analyzing data |
| CN102012991A (en) * | 2010-11-09 | 2011-04-13 | 北京神舟航天软件技术有限公司 | Static analysis-based checking method of safety rules of C language |
| CN102073588A (en) * | 2010-12-28 | 2011-05-25 | 北京邮电大学 | Code static analysis based multithread deadlock detection method and system |
| CN102073588B (en) * | 2010-12-28 | 2013-11-20 | 北京邮电大学 | Code static analysis based multithread deadlock detection method and system |
| CN102073589A (en) * | 2010-12-29 | 2011-05-25 | 北京邮电大学 | Code static analysis-based data race detecting method and system thereof |
| CN102073589B (en) * | 2010-12-29 | 2013-07-03 | 北京邮电大学 | Code static analysis-based data race detecting method and system thereof |
| CN102279792A (en) * | 2011-07-25 | 2011-12-14 | 大连理工大学 | Method for establishing security testing rule base based on extensive makeup language (XML) intermediate model |
| CN102955914B (en) * | 2011-08-19 | 2015-11-25 | 百度在线网络技术(北京)有限公司 | The detection method of one source file security breaches and pick-up unit |
| CN102955914A (en) * | 2011-08-19 | 2013-03-06 | 百度在线网络技术(北京)有限公司 | Method and device for detecting security flaws of source files |
| CN102426550A (en) * | 2011-10-26 | 2012-04-25 | 中国信息安全测评中心 | Source code analysis method and system |
| CN102426550B (en) * | 2011-10-26 | 2014-05-14 | 中国信息安全测评中心 | Source code analysis method and system |
| CN102419730A (en) * | 2011-12-08 | 2012-04-18 | 北京控制工程研究所 | Automatic checking method of safety coding rule of 51 assembly language software |
| CN102750220B (en) * | 2011-12-31 | 2015-06-17 | 中国信息安全测评中心 | Method and device for analyzing safety defects of software source code |
| CN102411690B (en) * | 2011-12-31 | 2014-07-23 | 中国信息安全测评中心 | Safety loophole mining method and device of application software under Android platform |
| CN102541614A (en) * | 2011-12-31 | 2012-07-04 | 南京师范大学 | Code analysis-based method for automatically analyzing input-output data of calculation module |
| CN102411690A (en) * | 2011-12-31 | 2012-04-11 | 中国信息安全测评中心 | Safety loophole mining method and device of application software under Android platform |
| CN102541614B (en) * | 2011-12-31 | 2014-05-28 | 南京师范大学 | Code analysis-based method for automatically analyzing input-output data of calculation module |
| CN102750220A (en) * | 2011-12-31 | 2012-10-24 | 中国信息安全测评中心 | Method and device for analyzing safety defects of software source code |
| CN102629213A (en) * | 2012-02-21 | 2012-08-08 | 北京经纬恒润科技有限公司 | Analysis method and monitoring method for C language simulation model |
| CN102629213B (en) * | 2012-02-21 | 2015-02-04 | 北京经纬恒润科技有限公司 | Analysis method and monitoring method for C language simulation model |
| CN102855183A (en) * | 2012-04-18 | 2013-01-02 | 清华大学 | Static test method and device for misquotation of inner variables by outer pointers |
| CN102799822B (en) * | 2012-07-11 | 2015-06-17 | 中国信息安全测评中心 | Software running security measurement and estimation method based on network environment |
| CN102799822A (en) * | 2012-07-11 | 2012-11-28 | 中国信息安全测评中心 | Software running security measurement and estimation method based on network environment |
| CN102968367A (en) * | 2012-08-28 | 2013-03-13 | 华南理工大学 | Static detection method on basis of embedded software and system thereof |
| CN104662547A (en) * | 2012-10-19 | 2015-05-27 | 迈克菲股份有限公司 | Mobile application management |
| US11157616B2 (en) | 2012-10-19 | 2021-10-26 | Mcafee, Llc | Mobile application management |
| US10114950B2 (en) | 2012-10-19 | 2018-10-30 | McAFEE, LLC. | Mobile application management |
| CN102902820A (en) * | 2012-10-31 | 2013-01-30 | 华为技术有限公司 | Method and device for identifying database type |
| CN102902820B (en) * | 2012-10-31 | 2015-09-09 | 华为技术有限公司 | The recognition methods of type of database and device |
| CN103870382B (en) * | 2012-12-10 | 2018-11-09 | 百度在线网络技术(北京)有限公司 | A kind of detection method and device of code risk |
| CN103870382A (en) * | 2012-12-10 | 2014-06-18 | 百度在线网络技术(北京)有限公司 | Code risk detection method and device |
| CN103077064A (en) * | 2012-12-31 | 2013-05-01 | 北京配天大富精密机械有限公司 | Method and interpretation device for analyzing and executing program language |
| CN103077064B (en) * | 2012-12-31 | 2016-03-02 | 北京配天技术有限公司 | A kind of parsing also executive language method and interpreting means |
| CN103927212B (en) * | 2013-01-11 | 2018-06-12 | 腾讯科技(深圳)有限公司 | Automatically analyze the method and device of source file information |
| CN103927212A (en) * | 2013-01-11 | 2014-07-16 | 腾讯科技(深圳)有限公司 | Method and device for automatically analyzing source file information |
| CN103927473A (en) * | 2013-01-16 | 2014-07-16 | 广东电网公司信息中心 | Method, device and system for detecting source code safety of mobile intelligent terminal |
| CN103996006B (en) * | 2013-02-17 | 2018-09-04 | 中国移动通信集团山西有限公司 | A kind of method and apparatus of Evaluation of Information System Security Risk |
| CN103996006A (en) * | 2013-02-17 | 2014-08-20 | 中国移动通信集团山西有限公司 | Information system security risk assessment method and device |
| CN103257913A (en) * | 2013-04-18 | 2013-08-21 | 西安交通大学 | System and method for detecting and removing fault of software in operation |
| CN103257913B (en) * | 2013-04-18 | 2015-10-28 | 西安交通大学 | Software fault detection removal system and method during a kind of operation |
| CN103226488B (en) * | 2013-05-06 | 2016-08-24 | 中国农业银行股份有限公司 | A kind of efficiency control method formalized in code building and device |
| CN103226488A (en) * | 2013-05-06 | 2013-07-31 | 中国农业银行股份有限公司 | Method and device for efficiency control in formalized code generation |
| CN103309747B (en) * | 2013-05-20 | 2016-09-28 | 青岛海信传媒网络技术有限公司 | The distribution method of a kind of code file statistics task and device |
| CN103309747A (en) * | 2013-05-20 | 2013-09-18 | 青岛海信传媒网络技术有限公司 | Method and device for allocation of code file statistics task |
| CN103294598A (en) * | 2013-05-28 | 2013-09-11 | 华为技术有限公司 | Method and device for source code inspection |
| CN103294598B (en) * | 2013-05-28 | 2016-02-03 | 华为技术有限公司 | A kind of source code inspection method and device |
| US9426177B2 (en) | 2013-07-15 | 2016-08-23 | Tencent Technology (Shenzhen) Company Limited | Method and apparatus for detecting security vulnerability for animation source file |
| WO2015007166A1 (en) * | 2013-07-15 | 2015-01-22 | Tencent Technology (Shenzhen) Company Limited | Method and apparatus for detecting security vulnerability for animation source file |
| CN105431859A (en) * | 2013-07-31 | 2016-03-23 | 惠普发展公司,有限责任合伙企业 | Signal tokens indicative of malware |
| US9798981B2 (en) | 2013-07-31 | 2017-10-24 | Entit Software Llc | Determining malware based on signal tokens |
| CN105229661B (en) * | 2013-07-31 | 2018-10-09 | 安提特软件有限责任公司 | Method, computing device and the storage medium for determining Malware are marked based on signal |
| CN105229661A (en) * | 2013-07-31 | 2016-01-06 | 惠普发展公司,有限责任合伙企业 | Malware is determined based on signal mark |
| CN104462981B (en) * | 2013-09-12 | 2019-01-04 | 深圳市腾讯计算机系统有限公司 | leak detection method and device |
| CN104462981A (en) * | 2013-09-12 | 2015-03-25 | 深圳市腾讯计算机系统有限公司 | Detecting method and device for vulnerabilities |
| CN104462983B (en) * | 2013-09-22 | 2019-04-26 | 深圳市腾讯计算机系统有限公司 | A kind of PHP source code processing method and system |
| CN104462983A (en) * | 2013-09-22 | 2015-03-25 | 深圳市腾讯计算机系统有限公司 | PHP source code processing method and system |
| CN104933368A (en) * | 2014-03-21 | 2015-09-23 | 腾讯科技(深圳)有限公司 | Network security vulnerability detection method and apparatus |
| CN105302707B (en) * | 2014-06-06 | 2019-01-08 | 腾讯科技(深圳)有限公司 | The leak detection method and device of application program |
| CN105302707A (en) * | 2014-06-06 | 2016-02-03 | 腾讯科技(深圳)有限公司 | Application vulnerability detection method and apparatus |
| CN105278929A (en) * | 2014-06-16 | 2016-01-27 | 腾讯科技(深圳)有限公司 | Application program audit data processing method, device and system |
| US9824214B2 (en) | 2014-08-15 | 2017-11-21 | Securisea, Inc. | High performance software vulnerabilities detection system and methods |
| US10599852B2 (en) | 2014-08-15 | 2020-03-24 | Securisea, Inc. | High performance software vulnerabilities detection system and methods |
| US9715593B2 (en) | 2014-08-15 | 2017-07-25 | Securisea, Inc. | Software vulnerabilities detection system and methods |
| US9454659B1 (en) | 2014-08-15 | 2016-09-27 | Securisea, Inc. | Software vulnerabilities detection system and methods |
| CN104318162A (en) * | 2014-09-27 | 2015-01-28 | 深信服网络科技(深圳)有限公司 | Source code leakage detection method and device |
| CN113220724A (en) * | 2014-12-19 | 2021-08-06 | 斯普兰克公司 | Data stream processing language for analytical instrumentation software |
| CN113220724B (en) * | 2014-12-19 | 2024-04-16 | 斯普兰克公司 | Method, system and computer readable storage medium for processing a data stream |
| CN104503917A (en) * | 2015-01-04 | 2015-04-08 | 牟永敏 | Method and system for analyzing change impact domain based on data flow function invoking path |
| CN104503917B (en) * | 2015-01-04 | 2017-07-07 | 牟永敏 | Change domain of influence analysis method and system based on data flow function call path |
| CN104636252A (en) * | 2015-01-04 | 2015-05-20 | 浪潮软件股份有限公司 | Online code reviewing method and system based on SonarQube |
| CN104572470A (en) * | 2015-01-26 | 2015-04-29 | 中国人民解放军理工大学 | Integer overflow fault detection method based on metamorphic relation |
| CN104572470B (en) * | 2015-01-26 | 2017-10-03 | 中国人民解放军理工大学 | A kind of integer overflow fault detection method based on transformation relation |
| US9813450B1 (en) | 2015-02-16 | 2017-11-07 | Amazon Technologies, Inc. | Metadata-based verification of artifact quality policy compliance |
| CN106033394A (en) * | 2015-03-13 | 2016-10-19 | 北京奇虎测腾科技有限公司 | Method and device for analyzing software source code |
| CN106033394B (en) * | 2015-03-13 | 2019-05-17 | 北京奇虎测腾科技有限公司 | The analysis method and device of software source code |
| CN106155880B (en) * | 2015-03-27 | 2019-07-30 | 中国科学院信息工程研究所 | A kind of automated procedures analysis system and method based on strategy |
| CN106155880A (en) * | 2015-03-27 | 2016-11-23 | 中国科学院信息工程研究所 | A kind of automated procedures based on strategy analyze system and method |
| CN106155892A (en) * | 2015-04-03 | 2016-11-23 | 腾讯科技(深圳)有限公司 | Judge method and the program test equipment of Application testing coverage |
| CN106155893B (en) * | 2015-04-03 | 2021-03-02 | 腾讯科技(深圳)有限公司 | Method for judging application program test coverage and program test equipment |
| CN106155893A (en) * | 2015-04-03 | 2016-11-23 | 腾讯科技(深圳)有限公司 | Judge method and the program test equipment of Application testing coverage |
| CN110149800B (en) * | 2015-04-07 | 2021-12-14 | 华为技术有限公司 | Apparatus for processing abstract syntax tree associated with source code of source program |
| CN110149800A (en) * | 2015-04-07 | 2019-08-20 | 华为技术有限公司 | It is a kind of for handling the device of abstract syntax tree associated with the source code of source program |
| CN105022958A (en) * | 2015-07-11 | 2015-11-04 | 复旦大学 | Android application used application program vulnerability detection and analysis method based on code library security specifications |
| CN105022958B (en) * | 2015-07-11 | 2018-01-12 | 复旦大学 | Vulnerability of application program determination method based on code library secure protocol in a kind of Android application |
| CN105095079A (en) * | 2015-07-27 | 2015-11-25 | 电子科技大学 | Method and device for hot spot module instruction tracking |
| CN105354137A (en) * | 2015-09-30 | 2016-02-24 | 国家电网公司 | Static model detection method based on IEC61850 protocol |
| CN105354137B (en) * | 2015-09-30 | 2018-03-02 | 国家电网公司 | A kind of static models detection method based on IEC61850 agreements |
| CN105335652B (en) * | 2015-11-24 | 2018-07-31 | 小米科技有限责任公司 | The adjustment method and device of mobile terminal application process |
| CN105335652A (en) * | 2015-11-24 | 2016-02-17 | 小米科技有限责任公司 | Debug method and debug device of application process of mobile terminal |
| CN105404584B (en) * | 2015-11-25 | 2018-12-11 | 广州博冠信息科技有限公司 | LPC static code inspection method, device and system |
| CN105404584A (en) * | 2015-11-25 | 2016-03-16 | 广州博冠信息科技有限公司 | LPC static code inspection method, apparatus and system |
| CN105786710B (en) * | 2016-03-22 | 2018-10-16 | 中国银行股份有限公司 | A kind of program code check method and engine |
| CN105786710A (en) * | 2016-03-22 | 2016-07-20 | 中国银行股份有限公司 | Program code review method and engine |
| CN105867906A (en) * | 2016-03-22 | 2016-08-17 | 东南大学 | Software evolution-oriented code replaceability assessment method |
| CN105867906B (en) * | 2016-03-22 | 2018-11-27 | 东南大学 | A kind of code replaceability appraisal procedure that software-oriented develops |
| CN105956468B (en) * | 2016-04-22 | 2018-12-28 | 中国科学院信息工程研究所 | A kind of Android malicious application detection method and system based on file access dynamic monitoring |
| CN105956468A (en) * | 2016-04-22 | 2016-09-21 | 中国科学院信息工程研究所 | Method and system for detecting Android malicious application based on file access dynamic monitoring |
| CN105893106B (en) * | 2016-04-25 | 2019-04-16 | 北京智能综电信息技术有限责任公司 | A kind of Pointer Alias Analysis method in program |
| CN105893106A (en) * | 2016-04-25 | 2016-08-24 | 北京智能综电信息技术有限责任公司 | Alias analysis method of pointer in program |
| CN105912381A (en) * | 2016-04-27 | 2016-08-31 | 华中科技大学 | Compile-time code security detection method based on rule base |
| CN106227812B (en) * | 2016-07-21 | 2019-06-21 | 杭州安恒信息技术股份有限公司 | A kind of auditing method of database object script security risk |
| CN106227812A (en) * | 2016-07-21 | 2016-12-14 | 杭州安恒信息技术有限公司 | A kind of auditing method of database object script security risk |
| CN106295322B (en) * | 2016-07-26 | 2018-12-18 | 北京航空航天大学 | A kind of hardware protection device for buffer overflow attack |
| CN106295322A (en) * | 2016-07-26 | 2017-01-04 | 北京航空航天大学 | A kind of hardware protection model for buffer overflow attack |
| CN106294156B (en) * | 2016-08-11 | 2018-12-07 | 北京邮电大学 | A kind of static code fault detection analysis method and device |
| CN106294156A (en) * | 2016-08-11 | 2017-01-04 | 北京邮电大学 | A kind of static code fault detection analysis method and device |
| CN106339313A (en) * | 2016-08-12 | 2017-01-18 | 南京航空航天大学 | Method for automatically detecting inconsistency of Java API program exception and document description |
| CN106339313B (en) * | 2016-08-12 | 2018-10-12 | 南京航空航天大学 | A kind of abnormal inconsistent automatic testing method of description with document of Java api routines |
| CN106354632B (en) * | 2016-08-24 | 2019-03-12 | 北京奇虎测腾安全技术有限公司 | A kind of source code detection system and method based on Static Analysis Technology |
| CN106372511A (en) * | 2016-08-24 | 2017-02-01 | 北京奇虎测腾安全技术有限公司 | Source code detection system and method |
| CN106354632A (en) * | 2016-08-24 | 2017-01-25 | 北京奇虎测腾科技有限公司 | Source code detecting system and method based on static analysis technology |
| CN107659555A (en) * | 2016-08-30 | 2018-02-02 | 北京长亭科技有限公司 | Detection method and device, terminal device and the computer-readable storage medium of network attack |
| CN106411855B (en) * | 2016-09-06 | 2019-03-05 | 北京邮电大学 | A kind of fragility directory search method and device |
| CN106411855A (en) * | 2016-09-06 | 2017-02-15 | 北京邮电大学 | Vulnerability directory search method and apparatus |
| CN106371997B (en) * | 2016-09-07 | 2020-01-10 | 网易(杭州)网络有限公司 | Code checking method and device |
| CN106371997A (en) * | 2016-09-07 | 2017-02-01 | 网易(杭州)网络有限公司 | Code checking method and device |
| CN108153666B (en) * | 2016-12-06 | 2023-05-26 | 三六零科技集团有限公司 | Method and device for statically detecting resource recovery loopholes in android code |
| CN108153664A (en) * | 2016-12-06 | 2018-06-12 | 北京奇虎科技有限公司 | A kind of static code scan method and device |
| CN108153666A (en) * | 2016-12-06 | 2018-06-12 | 北京奇虎科技有限公司 | A kind of method and apparatus of resource reclaim loophole in static detection Android code |
| CN107045477A (en) * | 2016-12-30 | 2017-08-15 | 上海富聪金融信息服务有限公司 | A kind of quality evaluation platform for carrying out various dimensions detection |
| CN106911686B (en) * | 2017-02-20 | 2020-07-07 | 杭州迪普科技股份有限公司 | WebShell detection method and device |
| CN106911686A (en) * | 2017-02-20 | 2017-06-30 | 杭州迪普科技股份有限公司 | WebShell detection methods and device |
| CN108459954B (en) * | 2017-02-22 | 2022-08-26 | 腾讯科技(深圳)有限公司 | Application program vulnerability detection method and device |
| CN108459954A (en) * | 2017-02-22 | 2018-08-28 | 腾讯科技(深圳)有限公司 | Vulnerability of application program detection method and device |
| CN106940647B (en) * | 2017-03-20 | 2020-09-04 | 广州视源电子科技股份有限公司 | Code management method and device |
| CN106940647A (en) * | 2017-03-20 | 2017-07-11 | 广州视源电子科技股份有限公司 | Code administration method and apparatus |
| CN106970819A (en) * | 2017-03-28 | 2017-07-21 | 清华大学 | A kind of c program code specification check device based on the regular description languages of PRDL |
| CN107103239A (en) * | 2017-04-10 | 2017-08-29 | 中国民生银行股份有限公司 | Source code based on application system business processing logic is gone beyond one's commission detection method and device |
| CN107133518B (en) * | 2017-04-10 | 2019-09-24 | 中国民生银行股份有限公司 | Source code based on parameter and information flow is gone beyond one's commission detection method and device |
| CN107133518A (en) * | 2017-04-10 | 2017-09-05 | 中国民生银行股份有限公司 | Source code based on parameter and information flow is gone beyond one's commission detection method and device |
| CN107103239B (en) * | 2017-04-10 | 2019-11-12 | 中国民生银行股份有限公司 | Source code based on application system business processing logic is gone beyond one's commission detection method and device |
| CN107943481A (en) * | 2017-05-23 | 2018-04-20 | 清华大学 | C programmer code specification building method based on multi-model |
| CN107315961A (en) * | 2017-07-11 | 2017-11-03 | 北京奇虎科技有限公司 | Bug detection method and device, computing device, storage medium |
| CN107315961B (en) * | 2017-07-11 | 2020-06-23 | 北京奇虎科技有限公司 | Program vulnerability detection method and device, computing equipment and storage medium |
| CN107516040A (en) * | 2017-07-25 | 2017-12-26 | 中国人民解放军63928部队 | A kind of Vulnerability Characteristics analysis and acquisition methods based on data controlling stream graph |
| CN107506304A (en) * | 2017-08-24 | 2017-12-22 | 方智林 | Code detection method, device, electronic equipment and storage medium |
| CN107766728A (en) * | 2017-08-28 | 2018-03-06 | 国家电网公司 | Mobile application security managing device, method and mobile operation safety protection system |
| CN109426723A (en) * | 2017-09-01 | 2019-03-05 | 深圳市源伞新科技有限公司 | Use the detection method, system, equipment and storage medium of memory after release |
| CN109426723B (en) * | 2017-09-01 | 2020-12-22 | 深圳市源伞新科技有限公司 | Detection method, system, equipment and storage medium using released memory |
| CN107704382A (en) * | 2017-09-07 | 2018-02-16 | 北京信息科技大学 | Towards Python function call path generating method and system |
| CN107704382B (en) * | 2017-09-07 | 2020-09-25 | 北京信息科技大学 | Python-oriented function call path generation method and system |
| TWI686170B (en) * | 2017-09-26 | 2020-03-01 | 美商蘋果公司 | Device for optical sensing and method for operating the device |
| CN107862327B (en) * | 2017-10-26 | 2020-07-24 | 华中科技大学 | Security defect identification system and method based on multiple features |
| CN107862327A (en) * | 2017-10-26 | 2018-03-30 | 华中科技大学 | A kind of safety defect identifying system and method based on multiple features |
| CN107895115B (en) * | 2017-12-04 | 2021-01-29 | 北京元心科技有限公司 | Method and device for preventing stack overflow and terminal equipment |
| CN107895115A (en) * | 2017-12-04 | 2018-04-10 | 北京元心科技有限公司 | Method and device for preventing stack overflow and terminal equipment |
| CN108132999A (en) * | 2017-12-21 | 2018-06-08 | 恒宝股份有限公司 | The processing method and system of a kind of masurium |
| CN109992970B (en) * | 2018-01-03 | 2023-09-26 | 北京京东尚科信息技术有限公司 | JAVA deserialization vulnerability detection system and method |
| CN109992970A (en) * | 2018-01-03 | 2019-07-09 | 北京京东尚科信息技术有限公司 | JAVA unserializing leakage location and method |
| CN108595952A (en) * | 2018-03-30 | 2018-09-28 | 全球能源互联网研究院有限公司 | A kind of detection method and system of electric power mobile application software loophole |
| CN108803561B (en) * | 2018-05-22 | 2020-03-17 | 广州明珞汽车装备有限公司 | Program automatic checking method and system for body-in-white line body control program |
| CN108803561A (en) * | 2018-05-22 | 2018-11-13 | 广州明珞汽车装备有限公司 | The program automatic check method and system of program are controlled for white body wire body |
| CN108874396A (en) * | 2018-05-31 | 2018-11-23 | 苏州蜗牛数字科技股份有限公司 | The cross-compiler and Compilation Method of multi-platform multiple target language based on HLSL |
| CN109033843A (en) * | 2018-08-02 | 2018-12-18 | 南瑞集团有限公司 | Java file dependencies analysis method and module for distributed static detection system |
| CN109033843B (en) * | 2018-08-02 | 2022-06-10 | 南瑞集团有限公司 | Java file dependency analysis method and module for distributed static detection system |
| CN112639745A (en) * | 2018-08-24 | 2021-04-09 | 甲骨文国际公司 | Scalable pre-analysis of dynamic applications |
| CN109471634B (en) * | 2018-08-28 | 2021-11-16 | 上海思立微电子科技有限公司 | Method and device for checking source code format |
| CN109471634A (en) * | 2018-08-28 | 2019-03-15 | 上海思立微电子科技有限公司 | The inspection method and equipment of source code format |
| CN109246113B (en) * | 2018-09-21 | 2021-08-10 | 郑州云海信息技术有限公司 | REST API SQL injection vulnerability detection method and device |
| CN109246113A (en) * | 2018-09-21 | 2019-01-18 | 郑州云海信息技术有限公司 | A kind of the SQL injection leak detection method and device of REST API |
| CN109241104B (en) * | 2018-10-12 | 2021-11-02 | 北京聚云位智信息科技有限公司 | AISQL resolver in decision-making distributed database system and implementation method thereof |
| CN109241104A (en) * | 2018-10-12 | 2019-01-18 | 北京聚云位智信息科技有限公司 | The resolver and its implementation of AISQL in decision type distributed data base system |
| US11050777B2 (en) | 2018-11-20 | 2021-06-29 | Saudi Arabian Oil Company | Method and system for remediating cybersecurity vulnerabilities based on utilization |
| CN109784048A (en) * | 2018-12-12 | 2019-05-21 | 江苏大学 | A kind of stack buffer spilling vulnerability checking method based on programme diagram |
| CN109784048B (en) * | 2018-12-12 | 2023-12-01 | 天航长鹰(江苏)科技有限公司 | Method for detecting overflow vulnerability of stack buffer based on program diagram |
| CN109857648B (en) * | 2019-01-14 | 2021-12-28 | 复旦大学 | API misuse change pattern mining method |
| CN109857648A (en) * | 2019-01-14 | 2019-06-07 | 复旦大学 | A kind of change mode excavation method of API misuse |
| CN111611153A (en) * | 2019-02-26 | 2020-09-01 | 阿里巴巴集团控股有限公司 | Method and device for detecting excessive drawing of user interface |
| CN111611153B (en) * | 2019-02-26 | 2023-05-16 | 阿里巴巴集团控股有限公司 | Method and device for detecting overdrawing of user interface |
| CN110188029A (en) * | 2019-03-15 | 2019-08-30 | 中山大学 | A kind of Java null pointer analysis system reaching analysis method based on definite value |
| CN110069250A (en) * | 2019-04-30 | 2019-07-30 | 联陆智能交通科技(上海)有限公司 | LTE-V2X standard application layer data decoding method, system and medium |
| CN110286891B (en) * | 2019-06-25 | 2020-09-29 | 中国科学院软件研究所 | Program source code encoding method based on code attribute tensor |
| CN110286891A (en) * | 2019-06-25 | 2019-09-27 | 中国科学院软件研究所 | A kind of program source code coding method based on code attribute tensor |
| CN110348226A (en) * | 2019-07-12 | 2019-10-18 | 北京字节跳动网络技术有限公司 | A kind of scan method of project file, device, electronic equipment and storage medium |
| CN110348226B (en) * | 2019-07-12 | 2021-06-18 | 北京字节跳动网络技术有限公司 | Engineering file scanning method and device, electronic equipment and storage medium |
| CN110377276A (en) * | 2019-07-19 | 2019-10-25 | 潍柴动力股份有限公司 | Source code file management method and equipment |
| CN110377276B (en) * | 2019-07-19 | 2023-05-23 | 潍柴动力股份有限公司 | Source code file management method and device |
| CN110399156A (en) * | 2019-07-26 | 2019-11-01 | 华东师范大学 | In-orbit upgrade method towards Space Mission Software |
| CN110532015A (en) * | 2019-07-26 | 2019-12-03 | 华东师范大学 | In-orbit upgrade-system towards Space Mission Software |
| CN110618809B (en) * | 2019-08-08 | 2020-11-03 | 北京大学 | Front-end webpage input constraint extraction method and device |
| CN110618809A (en) * | 2019-08-08 | 2019-12-27 | 北京大学 | Front-end webpage input constraint extraction method and device |
| CN111309589A (en) * | 2019-11-29 | 2020-06-19 | 中国电力科学研究院有限公司 | Code security scanning system and method based on code dynamic analysis |
| CN110990281A (en) * | 2019-12-04 | 2020-04-10 | 中国直升机设计研究所 | Automatic static analysis method |
| CN110990281B (en) * | 2019-12-04 | 2023-11-07 | 中国直升机设计研究所 | Automatic static analysis method |
| WO2021120538A1 (en) * | 2019-12-19 | 2021-06-24 | 支付宝(杭州)信息技术有限公司 | Applet code scanning method and apparatus |
| CN111104335A (en) * | 2019-12-25 | 2020-05-05 | 清华大学 | C language defect detection method and device based on multi-level analysis |
| CN111382427B (en) * | 2020-01-06 | 2022-04-26 | 宁波中科天齐信息技术有限公司 | Buffer overflow detection method based on variable association rule |
| CN111382427A (en) * | 2020-01-06 | 2020-07-07 | 宁波中科天齐信息技术有限公司 | Buffer overflow detection method based on variable association rule |
| CN111240687A (en) * | 2020-01-09 | 2020-06-05 | 华东师范大学 | Source code static analysis device |
| CN111240982A (en) * | 2020-01-09 | 2020-06-05 | 华东师范大学 | Static analysis method for source code |
| CN111611158A (en) * | 2020-05-08 | 2020-09-01 | 中国原子能科学研究院 | Application performance analysis system and method |
| CN113742732A (en) * | 2020-05-27 | 2021-12-03 | 南京大学 | Code vulnerability scanning and positioning method |
| CN111709026B (en) * | 2020-06-10 | 2023-10-24 | 深圳知释网络技术有限公司 | Static security detection method, device, computer equipment and storage medium |
| CN111709026A (en) * | 2020-06-10 | 2020-09-25 | Xc5香港有限公司 | Static security detection method and device, computer equipment and storage medium |
| CN111488155A (en) * | 2020-06-15 | 2020-08-04 | 完美世界(北京)软件科技发展有限公司 | Coloring language translation method |
| CN113806715B (en) * | 2020-06-16 | 2024-04-05 | 上海交通大学 | SDK security analysis method and system for embedded equipment |
| CN113806715A (en) * | 2020-06-16 | 2021-12-17 | 上海交通大学 | SDK security analysis method for embedded equipment |
| CN112148602B (en) * | 2020-09-17 | 2023-03-28 | 云南电网有限责任公司信息中心 | Source code security analysis method based on history optimization feature intelligent learning |
| CN112148602A (en) * | 2020-09-17 | 2020-12-29 | 云南电网有限责任公司信息中心 | Source code security analysis method based on history optimization feature intelligent learning |
| CN112100626A (en) * | 2020-09-24 | 2020-12-18 | 成都信息工程大学 | Development method for improving source code audit vulnerability hit rate |
| CN112162777A (en) * | 2020-09-27 | 2021-01-01 | 北京软安科技有限公司 | Source code feature extraction method and device |
| CN112231212A (en) * | 2020-10-16 | 2021-01-15 | 湖南皖湘科技有限公司 | Method for detecting syntax error of program code |
| CN112231212B (en) * | 2020-10-16 | 2023-05-09 | 湖南皖湘科技有限公司 | Method for detecting grammar error of program code |
| CN112181858B (en) * | 2020-11-09 | 2021-12-31 | 东北大学 | Automatic detection method for Java software project dependent conflict semantic consistency |
| CN112181858A (en) * | 2020-11-09 | 2021-01-05 | 东北大学 | Automatic detection method for Java software project dependent conflict semantic consistency |
| CN112416337A (en) * | 2020-11-11 | 2021-02-26 | 北京京航计算通讯研究所 | Software architecture development system for aerospace embedded system |
| CN112328256A (en) * | 2020-11-19 | 2021-02-05 | 四川创智联恒科技有限公司 | Method for automatically generating structure body parser source code |
| CN112328256B (en) * | 2020-11-19 | 2023-04-25 | 四川创智联恒科技有限公司 | Method for automatically generating source code of structural body analyzer |
| CN112597446A (en) * | 2020-12-14 | 2021-04-02 | 中国航发控制系统研究所 | Method for screening safety subset of safety key software modeling language |
| CN112597446B (en) * | 2020-12-14 | 2023-07-25 | 中国航发控制系统研究所 | Screening method of safety key software modeling language safety subset |
| CN112527674A (en) * | 2020-12-22 | 2021-03-19 | 苏州三六零智能安全科技有限公司 | Safety evaluation method, device, equipment and storage medium of AI (Artificial Intelligence) framework |
| CN112527674B (en) * | 2020-12-22 | 2022-11-04 | 苏州三六零智能安全科技有限公司 | AI frame safety evaluation method, device, equipment and storage medium |
| CN112650675A (en) * | 2020-12-23 | 2021-04-13 | 广州汉全信息科技股份有限公司 | Code detection method and device of block chain and computer equipment |
| CN112784290A (en) * | 2021-01-28 | 2021-05-11 | 湖北宸威玺链信息技术有限公司 | Data export tool security analysis method and system and data export method |
| CN113407442B (en) * | 2021-05-27 | 2022-02-18 | 杭州电子科技大学 | Pattern-based Python code memory leak detection method |
| CN113407442A (en) * | 2021-05-27 | 2021-09-17 | 杭州电子科技大学 | Pattern-based Python code memory leak detection method |
| CN113391817A (en) * | 2021-06-16 | 2021-09-14 | 中国海洋大学 | ANTLR 4-based header file replacement method and device |
| CN113391817B (en) * | 2021-06-16 | 2022-08-26 | 中国海洋大学 | ANTLR 4-based header file replacement method and device |
| CN114595482A (en) * | 2022-03-10 | 2022-06-07 | 北京邮电大学 | Software source code privacy detection method and system based on static detection |
| US11809847B2 (en) | 2022-03-16 | 2023-11-07 | International Business Machines Corporation | Hardcoded string detection |
| WO2023197397A1 (en) * | 2022-04-13 | 2023-10-19 | 堡垒科技有限公司 | Decentralized trusted tokenization protocol for open source software |
| WO2023241046A1 (en) * | 2022-06-16 | 2023-12-21 | 中兴通讯股份有限公司 | Code management method and apparatus, and electronic device and storage medium |
| CN115167834A (en) * | 2022-09-08 | 2022-10-11 | 杭州新中大科技股份有限公司 | Automatic source code generation method and device based on code datamation |
| CN115167834B (en) * | 2022-09-08 | 2022-12-23 | 杭州新中大科技股份有限公司 | Automatic source code generation method and device based on code datamation |
| CN115495745B (en) * | 2022-10-14 | 2023-04-21 | 国家工业信息安全发展研究中心 | Industrial software source code static detection method and system based on risk function |
| CN115495745A (en) * | 2022-10-14 | 2022-12-20 | 国家工业信息安全发展研究中心 | Industrial software source code static detection method and system based on risk function |
| CN115718696B (en) * | 2022-10-18 | 2023-06-13 | 国网智能电网研究院有限公司 | Source code cryptography misuse detection method and device, electronic equipment and storage medium |
| CN115718696A (en) * | 2022-10-18 | 2023-02-28 | 国网智能电网研究院有限公司 | Source code cryptography misuse detection method and device, electronic equipment and storage medium |
| CN115617352A (en) * | 2022-12-02 | 2023-01-17 | 中汽研软件测评(天津)有限公司 | C code detection method, equipment and storage medium based on safety coding standard |
| CN116756048B (en) * | 2023-08-16 | 2023-10-31 | 北京安普诺信息技术有限公司 | Code analysis method, device, computer equipment and storage medium |
| CN116756048A (en) * | 2023-08-16 | 2023-09-15 | 北京安普诺信息技术有限公司 | Code analysis method, device, computer equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN100461132C (en) | 2009-02-11 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN100461132C (en) | Software safety code analyzer based on static analysis of source code and testing method therefor | |
| Shar et al. | Defeating SQL injection | |
| CN106203113B (en) | The privacy leakage monitoring method of Android application file | |
| Junjin | An approach for SQL injection vulnerability detection | |
| RU2017141988A (en) | METHOD AND DEVICE FOR MANAGING SECURITY IN A COMPUTER NETWORK | |
| Lowis et al. | Vulnerability analysis in SOA-based business processes | |
| CN105022958B (en) | Vulnerability of application program determination method based on code library secure protocol in a kind of Android application | |
| Bossi et al. | A system for profiling and monitoring database access patterns by application programs for anomaly detection | |
| CN113158197B (en) | SQL injection vulnerability detection method and system based on active IAST | |
| KR101640479B1 (en) | Software vulnerability attack behavior analysis system based on the source code | |
| Tyagi et al. | Evaluation of static web vulnerability analysis tools | |
| Shin et al. | SQLUnitgen: Test case generation for SQL injection detection | |
| Jimenez et al. | Software vulnerabilities, prevention and detection methods: A review1 | |
| Yan et al. | Detection method of the second-order SQL injection in Web applications | |
| CN115952503A (en) | Application safety testing method and system integrating black, white and gray safety detection technology | |
| CN109657462B (en) | Data detection method, system, electronic device and storage medium | |
| Pozza et al. | Comparing lexical analysis tools for buffer overflow detection in network software | |
| Okun et al. | The second static analysis tool exposition (SATE) 2009 | |
| RU2662391C1 (en) | System and method for checking web resources for presence of harmful inserts | |
| CN115391230A (en) | Test script generation method, test script penetration method, test script generation device, test penetration device, test equipment and test medium | |
| Gadgikar | Preventing SQL injection attacks using negative tainting approach | |
| Antoniol | Keynote paper: Search based software testing for software security: Breaking code to make it safer | |
| Antunes | Monitoring web applications for vulnerability discovery and removal under attack | |
| Eassa et al. | IMATT: An Integrated Multi-Agent Testing Tool for the Security of Agent-Based Web Applications | |
| Najjari et al. | Presentation of a pattern to counteract the attacks of XSS Malware |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| ASS | Succession or assignment of patent right |
Owner name: SHENZHEN BEIYOU NETWORK TECHNOLOGY CO., LTD. Free format text: FORMER OWNER: BEIJING POSTAL AND TELECOMMUNICATIONS UNIV. Effective date: 20140805 |
|
| C41 | Transfer of patent application or patent right or utility model | ||
| COR | Change of bibliographic data |
Free format text: CORRECT: ADDRESS; FROM: 100876 HAIDIAN, BEIJING TO: 518057 SHENZHEN, GUANGDONG PROVINCE |
|
| TR01 | Transfer of patent right |
Effective date of registration: 20140805 Address after: 518057 Guangdong city of Shenzhen province Nanshan District Guangdong streets south Four Virtual University Park A301 Patentee after: Shenzhen Beiyou Network Technology Co. Ltd. Address before: 100876 Beijing city Haidian District Xitucheng Road No. 10 Patentee before: Beijing University of Posts and Telecommunications |
|
| CF01 | Termination of patent right due to non-payment of annual fee | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20090211 Termination date: 20210302 |