CN101588363B - Method for estabilishing Web service security analysis model based on program slice - Google Patents
Method for estabilishing Web service security analysis model based on program slice Download PDFInfo
- Publication number
- CN101588363B CN101588363B CN2009100693254A CN200910069325A CN101588363B CN 101588363 B CN101588363 B CN 101588363B CN 2009100693254 A CN2009100693254 A CN 2009100693254A CN 200910069325 A CN200910069325 A CN 200910069325A CN 101588363 B CN101588363 B CN 101588363B
- Authority
- CN
- China
- Prior art keywords
- web service
- section
- analysis
- service
- interface
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Landscapes
- Storage Device Security (AREA)
Abstract
The present invention relates to a software establishing technique and network security, and specifically to a method for establishing the Web service security analysis model based on the program slice. The invention provides a method for establishing Web service security analysis model based on program slice for protecting the key information and the common information in the network service from the inside and the outside and increasing the network service security. The method of the invention adopts the following technical solutions: 1) establishing a slicer module for obtaining the abstract of the information flow in the Web service realizing code; 2) establishing a network service analysis module for discovering the safety breaking state that the key information is leaked to the Internet user through the current service interface, wherein the step comprises the safety analysis of the independent network service and the safety analysis of the network service network; and 3) establishing a safety reporting module for analyzing the result based on the module, and combining the safety measures presented in the existing web service security specification and process for generating a corresponding security report. The method of the invention is mainly used for providing the Web service security.
Description
Technical field
The present invention relates to software building technology, network security, particularly, set up method based on the Web service safety analysis model of program slice based on the software architecture of the Web service safety analysis model of program slice.
Background technology
Web service (Web Service) is based on expandable mark language XML and HTTPS (full name: Hypertext TransferProtocol over Secure Socket Layer, the HTML (Hypertext Markup Language) of band security procedure communication equipment preparative layer) a kind of service, its communication protocol is mainly based on Simple Object Access Protocol SOAP, the description of service is by web service description language (sdl) WSDL, by unifying the metadata that description, discovery and integrated agreement UDDI find and obtain to serve.
Web service makes it to be used widely in the complexity of shielding harness, the unique advantage aspect the heterogeneous platform exchange message, and the security breaches that exist in the Web service simultaneously also cause using present situation can not be satisfactory.The safety of Web service can be considered from two angles: the 1) security situation the independent Web service; 2) security situation in the Web service network.The research topic relevant with independent Web service safety mainly comprises: issue the Web service safety standard jointly by standard formulation mechanism and group, the safety of guarantee information in packet transmission course; Introduce art of programming, comprise the safe course training of development group and Code Review etc.; The security model that should follow and process are proposed in the software development process.
By implementing safety standard and safe practice, to developing safe Web service positive effect is arranged, but various safety standards and process all have higher requirements to the safe budget of exploitation mechanism, developer's security knowledge in implementation process, are unfavorable for extensively implementing in all Web service exploitations.The more important thing is; to the measure of soap message through encrypting, signing; although can effectively protect the confidentiality and integrity in the message transmitting procedure; but when the realization of a web service itself had had potential defective, the information leakage security breaches that this defective victim utilization causes can't relax by single external security measure.In fact, if the neither one effective mechanism is analyzed the safety defect in the realization of Web service, such security breaches may exist always, break through the back until victim and cause huge infringement to system.From software itself, the discovery and the mitigation of research Web service inherently safe leak are the effective measures that improves Product Safety.
Program slice is abstract to program, and abstract by information extraction stream is applied to the information flow acquisition process with strip theory.Analyze by web being served the information flow that is transmitted in the accessed process; check thereby whether the key message that needs protection is revealed to external user in this information flow; find the security breaches that key message is revealed; guarantee that key message is not by unauthorized access; raising improves the fail safe of single web service to the key message protection.
In the Web service network, security breaches spread to system and user brings tremendous influence and loss.At present, service network forms reason and is that mainly SOA's (Service-Oriented Architecture, Enterprise SOA) is popular.SOA becomes workflow with the Business Processing process model building, in workflow, pass through BPEL (Business Process Execution Language, the Business Processing effective language) handles a plurality of Web service reciprocal processes, an independently function is finished in each Web service, functional interface is by WSDL (Web Service Description Language, the web service description language (sdl)) describe, the message process between service is finished by SOAP.That is to say, comprise several Web service nodes in the workflow, different workflows makes all nodes form a web service network by having contact alternately.When one of them node (being Web service) when having security breaches, these security breaches can be brought bigger harmfulness to system by being spread alternately between node in the network.In order to find the situation of current leak diffusion in the service network, with the security situation in the independent web service as working foundation, by following the tracks of key message or the transmittance process of sensitive data between a plurality of Web services, information leakage in the research service network and leak diffusion, improving internet security is a problem being badly in need of solution.
Summary of the invention
For overcoming the deficiencies in the prior art; the objective of the invention is to: propose a kind of method of setting up based on the Web service safety analysis model of program slice; and how the analysis result of this model is combined with the safety measure that proposes in existing Web service safety standard and process; with the outside key message in the Web service and common message are protected internally, improved the Web service fail safe.The technical solution used in the present invention is: set up the method based on the Web service safety analysis model of program slice, comprise the following steps:
Set up the food slicer module, be used for: by specifying rational section configuration attribute, calculate the section of java applet, provide functional interface to call for the Web service analysis module in this model, obtaining the program relevant with the criterion of cutting into slices abstract is the information flow of program;
Set up the Web service analysis module, be used for:
(1) safety analysis of independent Web service: the first step is resolved the WSDL agreement, obtain the specifying information of describing in Web service, comprise abstract definition, be tied to the concrete agreement of these operations, a network endpoint standard of binding and carry out the network operating end points operation; Second step disposes as section with the service interface that obtains with making up the food slicer functions of modules interface of finishing, and the source code of Web service is cut into slices, and obtains the information flow of external interface; The 3rd step checked that whether the key message that needs protection is present in the interface message stream, judged that whether information leaks, and finishes the safety analysis to independent Web service;
(2) safety analysis of Web service network: based on the section result and to independent Web service safety analysis result, the analytical information transmittance process, check that whether key message is transmitted leakage between two Web services, judge the problem of security breaches diffusion in service network;
Set up the safety message module, be used for: the composition structure of design safety report, comprise interface with security breaches, the key message of being revealed, the content of measure internally and two angle research of outside measure mitigation scheme, internal measure comprises to be revised network web service source code, be made as the method for correspondence privately owned and change method name, realizes the shielding of dangerous interface; Outside measure comprises that adding safety control module realizes signature and encryption, adds safety management module and realizes authentication and access control.
Described foundation in the food slicer module, food slicer module comprise following 3 submodules:
(1) food slicer engine: read in configuration file, call the program dependency analysis framework/storehouse of increasing income program dependency analysis functional interface constructing system dependency graph is provided, use based on the section algorithm of iteration and collect the statement that belongs to current slice in the source program, form section;
(2) section criterion: belong to the composition structure of the configuration file of carrying out section, in the section criterion, specify slice type type, scope scope and as the concrete statement criteria at section center;
(3) section result treatment unit is post processor: by post processor, finish the mapping conversion from jimple result to the Java statement, Java is a kind of programming language, and jimple is the middle expression-form of Java programming language.
The described Web service analysis module of setting up, stand-alone service safety analysis wherein be, as input, is output as the report that whether exists key message to reveal security breaches with Web service source code and the key message that needs protection, comprising:
1) resolves the WSDL agreement, WSDL is a Web Service Description LanguageWeb service description language (sdl), obtain external interface information, retrievable information comprises the target designation space, service name, the port title, action name and input, WSDL document resolver workflow: the root node definitions that at first in the WSDL document, obtains the service of service, obtain service name by the array definiton.getServices method of calling the service of returning, obtain serve port by calling the array service.getPorts method of returning serve port, bundling port calls the port port.getBinding that returns binding, by a circulation, to each selected action name, analysis operation is called in use, the specifying information analysisOperation method of return is obtained the title and the type of input parameter and output parameter respectively, after resolving finishes, all information that obtain are write among the file object File of access customer appointment, read for other modules;
2) according to the interface name and the parameter type that obtain, interface conversion is become the input of the form of legal Java statement as food slicer, finish needed other configurations of food slicer comprise specify section scope, type after, call the section computing function source program is carried out section, from the section result, obtain the interface related information flow;
3) key message and the interface message stream that needs protection is mated,, judge that security breaches exist in the current Web service if both overlap.
The analysis of described Web service network security is, the Analysis Service interface calls situation, call as representative with two Web services, analytic process is by judging whether to occur the call address Endpoint of target Web service and the order of object run, reached afterwards with the elder generation of appearance order and to judge whether the target Web service calls the purpose of object run in another Web service, during dangerous interface interchange situation between Analysis Service, be input as analyzed Web service source file and safety loophole information file, the aforementioned information file is produced by the food slicer module, the safety loophole information file provides the service that comprises security breaches URI, URI is a Universal Resource Identifier resource label symbol, and corresponding risky operation, by mating between this three, the match is successful, illustrate that analyzed Web service called the operation that comprises security breaches really, thereby caused the diffusion of security breaches; Otherwise, think that this Web service do not spread security breaches, for being judged the call relation that has security breaches, there are new security breaches among the network web service call person, it is added new dangerous interface list.
The described safety message module of setting up provides solution to relax leak from two angles:
1, by adding the mode that security mechanism comprises that mandate, authentication, XML signature or XML encrypt, XML is an Extensible Markup Language extend markup language, reach the client that only the allows specific role effect to the access of this service, the measure that can take comprises authentication, signature, selectively soap message is encrypted and double-deck access control mechanisms;
2, there is the interface of security breaches in cancellation issue, and there is the interface of security breaches in cancellation in wsdl document, and makes amendment in source file, comprises method being made as privately owned, or changes method name.
The described food slicer module of setting up, the food slicer module further specifically comprises section calculating: when realizing, whole section computational process is made up of a plurality of phase, phase is meant the whole implementation of food slicer, be divided into several phase, in phase, carry out static analysis or process, can mark the beginning and the end of these analyses or process, each megastage major phase is made up of 0 or a plurality of little stage minor phase, order is carried out, a process is meant a series of program behaviors that can finish a specific function, the 1st major phase is made up of 3 minor phase, i.e. the object data stream analysis phase for the section calculation stages, the dependency analysis stage, the section collection phase; The 2nd major phase is the section result treatment stage, no minorphase, and implementation is:
1) a food slicer slicer of initialization object at first comprises that appointment is by section program, section scope, type;
2) in the food slicer engine, carry out the object data stream analysis, in specify labels tag title, after Load System environmental variance and the section configuration, by carrying out object data stream analysis and dependency analysis, generator dependency graph;
3) collect section, by the food slicer driven by engine, the node that belongs to the part of cutting into slices among the AST with program marks with the bookmark name tagName of appointment, if the appointed tagName mark of node, mean that it belongs to the part of section, the node that is identified has two types to be labels class taggedClasses and two set of stamp methods taggedMethods collection, in this way, and the identification section;
4) handle the section result, finish mapping from the jimple statement to the Java statement, tagName according to previous appointment identifies the statement that belongs to section, again according to having source statement row information in the statement, in source program, identify the statement of corresponding Java form, realize the section result of jimple statement form is changed into general Java statement.
Beneficial effect of the present invention: the present invention is towards safety Web service product development, to reduce the security breaches in the Web service, the raising software quality is a target, make up a Web service safety analysis model, can be used for finding the existence and the diffusion of information leakage security breaches in independent Web service and the Web service network, concrete effect comprises:
1, proposes the discover method of information leakage security breaches in the independent Web service, can analysis of key information whether be revealed, be used to improve protection, reduce security breaches key message to external user;
2,, propose to find the method for security breaches diffusion in the service network based on the report of security situation in the independent Web service.To being present in the security breaches in the single Web service, by analyzing the spread condition of this leak in service network, the mitigation scheme is proposed, reduced the massive losses that brings owing to the diffusion of leak coverage;
3, development graph user interface provides Web service safety analysis block configuration, carries out the function of safety analysis; Provide api interface to encapsulate the analytic function module that this model provides, be issued as the Web service interface that can supply the Internet user to call, reduce the user resources demand, improve service efficiency.
In the actual development process, when interface quantity is huge in the Web service of service provider's issue, by moving the safety analysis instrument that this model provides, find that these carry out interface operable to sensitive data and take appropriate measures, when improving the Web service fail safe, also can effectively save time and money.
Description of drawings
The general frame figure of Fig. 1 Web service safety analysis model.
The operational flow diagram of Fig. 2 Web service safety analysis model.
Embodiment
The key problem that the present invention attempts to solve comprises: based on program slice, obtain the abstract of information flow from Web service realizes; In Web service independently, obtain the flow direction and the leakage situation of key message; In the web service network, whether the research key message is transmitted to reveal causes the leak diffusion; And how the analysis result of this model is combined with the safety measure that proposes in existing web services security specifications and process, come with the outside key message and common message in the web service to be protected internally, improve the web service safe.
At above-mentioned key problem, the present invention is towards the coding stage of safety Web service exploitation, and it is abstract to obtain information flow based on program slice, makes up Web service safety analysis model, find the information leakage security breaches in the web service network, important in theory meaning and actual application value are arranged.Main contents comprise:
1) core concept of search procedure section, it is abstract to be applied to obtain information flow in the Web service code;
2) discover the method for the information leakage security breaches in the independent web service, by to service interface information stream and the set of key message statement obtain and work in coordination with coupling respectively, the discovery key message passes through the Security Violation situation of current service interface leak to the Internet user;
3) based on result to leak situation analysis in the independent web service, research is to the analytical method of security breaches diffusion in the web service network, by checking that service interface calls situation, analysis of key information is transmittance process between different web services, judges whether this transmittance process causes single web information on services to reveal security breaches and given more multiple internet user by diffusion in service network;
4) based on the model analysis result, in conjunction with the safety measure that proposes in existing web services security specifications and the process, generate corresponding safety message, provide rational mitigation scheme with outside two angles internally.
Further describe the present invention below in conjunction with drawings and Examples.
The present invention includes food slicer module, web service analysis module and safety message module, each module composition reaches alternately as shown in Figure 1:
1, food slicer module
This module is an independently functional module, by specifying rational section configuration attribute, calculates the section of java applet.Provide functional interface for the web service analysis module invokes in this model, obtain the program relevant abstract (being the information flow of program) with the criterion of cutting into slices.Have the feature of reusing,, can be used in the sundry item through suitably revising.The food slicer module is made up of following 3 submodules.
(1) food slicer engine: read in configuration file, calling the program dependency analysis framework (storehouse) of increasing income provides the API constructing system dependency graph of program dependency analysis function, use is collected the statement that belongs to current slice in the source program based on the section algorithm of iteration, forms section.
(2) section criterion: belong to the composition structure of the configuration file of carrying out section, in the section criterion, specify type (slice type), scope (scope) and criteria (as the concrete statement at section center).
(3) section result treatment (being post processor): carry out in the flow process in the food slicer engine modules, owing to be directly to use static analysis storehouse API to calculate, the section result who obtains is Jimple (the middle expression-form of java, provide conversion from java to jimple by the soot framework) statement, be unfavorable for reading and understanding, therefore need to be converted to the java statement through suitably handling.By post processor, finish mapping conversion from jimple result to the java statement.
2, Web service analysis module
(1) safety analysis of independent web service: the first step is resolved the WSDL agreement, obtain specifying information at the web service describing, comprise abstract definition, be tied to the concrete agreement of these operations, a network endpoint standard of binding and carry out the network operating end points operation; Second step disposes as section with the service interface that obtains with making up the food slicer functions of modules interface of finishing, and the source code of web service is cut into slices, and obtains the information flow of external interface; The 3rd step checked whether the key message that needs protection is present in the interface message stream, judges whether information leaks, and finishes the safety analysis to independent web service;
(2) safety analysis of web service network: different web services are formed service network by interface interchange, and various information are transmitted in this interface interchange process.When security breaches occur in the web service, when this web service of other web service calls is simultaneously finished new function and is issued into new interface, these security breaches are spread, based on the section result and to independent web service safe analysis result, the analytical information transmittance process, check that whether key message is transmitted leakage between two web services, judge the problem of security breaches diffusion in service network
3, safety message module
The composition structure of design safety report comprises the interface with security breaches, the key message of being revealed.The content of measure internally and two angle research of outside measure mitigation scheme.Internal measure comprises to be revised web service source code, be made as the method for correspondence privately owned and change method name etc., realizes the shielding of dangerous interface; Outside measure comprises that adding safety control module realizes signature and encryption, adds safety management module and realizes authentication and access control etc.
Two kinds of occupation modes: 1) development graph user interface, finish safety analysis in this locality; 2) each functions of modules is packaged into interface API, is issued as the web service, for Internet user's far call, reduce user resources consumption, other user provides service for the higher order of magnitude.
Beneficial effect of the present invention: the present invention is towards safety Web service product development, to reduce the security breaches in the Web service, the raising software quality is a target, make up a web service safe analytical model, can be used for finding the existence and the diffusion of information leakage security breaches in independent web service and the web service network, concrete results comprise:
1, proposes the discover method of information leakage security breaches in the independent web service, can analysis of key information whether be revealed, be used to improve protection, reduce security breaches key message to external user;
2,, propose to find the method for security breaches diffusion in the service network based on the report of security situation in the independent web service.To being present in the security breaches in the single web service, by analyzing the spread condition of this leak in service network, the mitigation scheme is proposed, reduced the massive losses that brings owing to the diffusion of leak coverage;
3, development graph user interface provides the configuration of web service safe analysis module, carries out the function of safety analysis; Provide api interface to encapsulate the analytic function module that this model provides, be issued as the web service interface that can supply the Internet user to call, reduce the user resources demand, improve service efficiency.
In the actual development process, when interface quantity is huge in the web of the service provider's issue service, by moving the safety analysis instrument that this model provides, find that these carry out interface operable to sensitive data and take appropriate measures, when improving the web service safe, also can effectively save time and money.
Below in conjunction with accompanying drawing, embodiment each module among the present invention is further described.
1, section is calculated
When realizing, whole section computational process has a plurality of Phase (stage) to form.Phase is meant the whole implementation of food slicer, is divided into several phase.In phase, carry out static analysis or process, can mark the beginning and the end of these analyses or process.Each major phase (megastage) is made up of 0 or a plurality of minor phase (little stage), and order is carried out.
1) slicer of initialization (food slicer) object at first comprises that appointment is by section program, section scope, type;
2) in the food slicer engine, carry out the object data stream analysis, specifying tag (label) title, after Load System environmental variance and the section configuration, by carrying out object data stream analysis and dependency analysis, generator dependency graph;
3) collect section, by the food slicer driven by engine, the node that belongs to the part of cutting into slices among the AST with program marks with the tagName (bookmark name) of appointment, that is to say, if the appointed tagName mark of node means that it belongs to the part of section, the node that is identified has two types i.e. (taggedClasses (labels class) and two collection of taggedMethods (stamp methods) (set)), in this way, identification section.
4) handle the section result, finish mapping from the jimple statement to the java statement.TagName according to previous appointment identifies the statement that belongs to section, again according to having source statement row information in the statement, in source program, identify the statement of corresponding java form, realize the section result of jimple statement form is changed into the function of general java statement.
2, independent web service safe is analyzed
In this process, as input, be output as the report that whether exists key message to reveal security breaches with web service source code and the key message that needs protection.
1) resolve the WSDL agreement, obtain external interface information, retrievable information comprises target designation space, service name, port title, action name and input.The WSDL document resolver workflow of exploitation: the definitions (root node of service) that at first in the WSDL document, obtains service, obtain service name by definiton.getServices method (calling the array that this method is returned service), obtain serve port by service.getPorts (calling the array that this method is returned serve port) method, bundling port port.getBinding (returning the port of binding with this method), by a circulation, to each selected action name, use analysisOperation method (calling this methods analyst operation, the specifying information of return) to obtain the title and the type of input parameter and output parameter respectively.After resolving finishes, all information that obtain are write among the File (file object) of access customer appointment, read for other modules.
2) according to the interface name and the parameter type that obtain, interface conversion is become the input of the form of legal Java statement as food slicer, after finishing needed other configurations of food slicer (specifying section scope, type etc.), call the section computing function source program is carried out section, from the section result, obtain the interface related information flow;
3) key message and the interface message stream that needs protection is mated,, judge that security breaches exist in the current web service if both overlap.
3, web service network safety analysis
The Analysis Service interface calls situation.With two web service calls as representative, analytic process by judging whether to occur target web service Endpoint (call address of web service) and the elder generation of the order of object run and appearance order reached afterwards judge target web service whether call another web serve in the purpose of object run
During dangerous interface interchange situation between Analysis Service, be input as analyzed web service source file and safety loophole information file (producing) by the food slicer module.The safety loophole information file provides service URI (UniversalResource Identifier, resource label symbol) and the corresponding risky operation that comprises security breaches.By mating between this three, the match is successful, illustrates that analyzed web service called the operation that comprises security breaches really, thereby caused the diffusion of security breaches; Otherwise, think that this web service do not spread security breaches.
For being judged the call relation that has security breaches, there are new security breaches among the web service call person, it should be added new dangerous interface list.
4, safety message
At the potential security hole of having found, safety message corresponding mitigating measures is provided, for the user eliminates threat, improving the web service safe provides complementary suggestion.In conjunction with the different needs of user, provide solution to relax leak from two angles:
1, when the developer needs to issue this service really and uses for specific customer group, by adding security mechanism (as mandate, authentication, XML (Extensible Markup Language, be extend markup language) signature, XML encrypt etc.) mode, reach the client that only the allows specific role effect to the access of this service, the measure that can take comprises authentication, signature, selectively soap message is encrypted and double-deck access control mechanisms.
2, there is the interface of security breaches in the cancellation issue.This mitigating measures is applicable to such situation, when developer (as the automatic Core Generator of wsdl document) under unintentional situation, has exposed the operation-interface of sensitive information.At this moment, should therefore need in wsdl document, not cancel this interface by any external client, and in source file, make amendment (privately owned as method is made as, as to change method name etc.).
In actual conditions, the use of can arranging in pairs or groups mutually of these mitigating measures produces best effects.
Below the concise and to the point operational process of describing the safety analysis model: as seen from Figure 2, when the user carries out safety analysis to the Web service of oneself, need provide following information: Web service source code and the key message that needs protection.The function that the food slicer module is finished comprises: extract the key sentence set according to key message from web service source code, for follow-up use; Use the section criterion that has obtained, calculate section; On the basis of first two steps, handle the section result, judge the Existence problems of security breaches.The function that the Web service protocol-analysis model is finished has two: first obtains web service exposed exterior user interface and handles, generate the needed section criterion of back, call the food slicer functions of modules source program is carried out section, judge the existence of security breaches; Second result of calculation according to the food slicer module, in conjunction with the interface interchange relation between different services in the web service network, the key message problem of transmission that relates in the analytical information stream transmission process is judged the security breaches diffusion.
Claims (5)
1. a foundation is characterized in that based on the method for the Web service safety analysis model of program slice, comprises the following steps:
Set up the food slicer module, be used for: by specifying rational section configuration attribute, calculate the section of java applet, provide functional interface for the network web service analysis module invokes in this model, obtaining the program relevant with the criterion of cutting into slices abstract is the information flow of program;
Set up the Web service analysis module, be used for:
(1) safety analysis of independent Web service: the first step is resolved the WSDL agreement, WSDL is a Web Service Description LanguageWeb service description language (sdl), obtain the specifying information of describing in Web service, comprise abstract definition to operation, be tied to the concrete agreement of these operations, a network endpoint standard of binding and carry out the network operating end points; Second step disposes as section with the service interface that obtains with making up the food slicer functions of modules interface of finishing, and the source code of Web service is cut into slices, and obtains the information flow of external interface; The 3rd step checked that whether the key message that needs protection is present in the interface message stream, judged that whether information leaks, and finishes the safety analysis to independent Web service;
(2) safety analysis of Web service network: based on the section result and to independent Web service safety analysis result, the analytical information transmittance process, check that whether key message is transmitted leakage between two Web services, judge the problem of security breaches diffusion in service network;
Set up the safety message module, be used for: the composition structure of design safety report, comprise interface with security breaches, the key message of being revealed, the content of measure internally and two angle research of outside measure mitigation scheme, internal measure comprises to be revised network web service source code, be made as the method for correspondence privately owned and change method name, realizes the shielding of dangerous interface; Outside measure comprises that adding safety control module realizes signature and encryption, adds safety management module and realizes authentication and access control.
2. a kind of method of setting up based on the Web service safety analysis model of program slice according to claim 1 is characterized in that, described foundation in the food slicer module, and the food slicer module comprises following 3 submodules:
(1) food slicer engine: read in configuration file, call the program dependency analysis framework/storehouse of increasing income program dependency analysis functional interface constructing system dependency graph is provided, use based on the section algorithm of iteration and collect the statement that belongs to current slice in the source program, form section;
(2) section criterion: belong to the composition structure of the configuration file of carrying out section, in the section criterion, specify slice type type, scope scope and as the concrete statement criteria at section center;
(3) section result treatment unit is post processor: by post processor, finish the mapping conversion from jimple result to the Java statement, Java is a kind of programming language, and jimple is the middle expression-form of Java programming language.
3. a kind of method of setting up based on the Web service safety analysis model of program slice according to claim 1; it is characterized in that; the described Web service analysis module of setting up; independent Web service safety analysis wherein is; with Web service source code and the key message that needs protection as input; be output as the report that whether exists key message to reveal security breaches, comprise:
1) resolves the WSDL agreement, obtain external interface information, retrievable information comprises the target designation space, service name, the port title, action name and input, WSDL document resolver workflow: the root node definitions that at first in the WSDL document, obtains service, obtain service name by the array definiton.getServices method of calling the service of returning, obtain serve port by calling the array service.getPorts method of returning serve port, bundling port calls the port port.getBinding that returns binding, by a circulation, to each selected action name, analysis operation is called in use, the specifying information analysisOperation method of return is obtained the title and the type of input parameter and output parameter respectively, after resolving finishes, all information that obtain are write among the file object File of access customer appointment, read for other modules;
2) according to the interface name and the parameter type that obtain, interface conversion is become the input of the form of legal Java statement as food slicer, finish needed other configurations of food slicer comprise specify section scope, type after, call the section computing function source program is carried out section, from the section result, obtain the interface related information flow;
3) key message and the interface message stream that needs protection is mated,, judge that security breaches exist in the current Web service if both overlap;
The analysis of described Web service network security is, the Analysis Service interface calls situation, call as representative with two Web services, analytic process is by judging whether to occur the call address Endpoint of target Web service and the order of object run, reached afterwards with the elder generation of appearance order and to judge whether the target Web service calls the purpose of object run in another Web service, during dangerous interface interchange situation between Analysis Service, be input as analyzed Web service source file and safety loophole information file, the aforementioned information file is produced by the food slicer module, the safety loophole information file provides the service that comprises security breaches URI, URI is a Universal Resource Identifier resource label symbol, and corresponding risky operation, by mating between this three, the match is successful, illustrate that analyzed Web service called the operation that comprises security breaches really, thereby caused the diffusion of security breaches; Otherwise, think that this Web service do not spread security breaches, for being judged the call relation that has security breaches, there are new security breaches among the network web service call person, it is added new dangerous interface list.
4. a kind of method of setting up based on the Web service safety analysis model of program slice according to claim 1 is characterized in that the described safety message module of setting up provides solution to relax leak from two angles:
(1) by adding the mode that security mechanism comprises that mandate, authentication, XML signature or XML encrypt, XML is an Extensible Markup Language extend markup language, reach the client that only the allows specific role effect to the access of this service, the measure that can take comprises authentication, signature, selectively soap message is encrypted and double-deck access control mechanisms;
(2) there is the interface of security breaches in cancellation issue, and there is the interface of security breaches in cancellation in wsdl document, and makes amendment in source file, comprises method being made as privately owned, or changes method name.
5. a kind of method of setting up based on the Web service safety analysis model of program slice according to claim 1 and 2, it is characterized in that, the described food slicer module of setting up, the food slicer module further specifically comprises section calculating: when realizing, whole section computational process is made up of a plurality of phase, phase is meant the whole implementation of food slicer, be divided into several phase, in phase, carry out static analysis or process, can mark the beginning and the end of these analyses or process, each megastage major phase is made up of 0 or a plurality of little stage minor phase, and order is carried out, a process is meant a series of program behaviors that can finish a specific function, the 1st major phase is made up of 3 minor phase, i.e. the object data stream analysis phase for the section calculation stages, the dependency analysis stage, the section collection phase; The 2nd major phase is the section result treatment stage, no minor phase, and implementation is:
1) a food slicer slicer of initialization object at first comprises that appointment is by section program, section scope, type;
2) in the food slicer engine, carry out the object data stream analysis, in specify labels tag title, after Load System environmental variance and the section configuration, by carrying out object data stream analysis and dependency analysis, generator dependency graph;
3) collect section, by the food slicer driven by engine, the node that belongs to the part of cutting into slices among the AST with program marks with the bookmark name tagName of appointment, AST is the abbreviation of Abstract Syntax Tree, the expression abstract syntax tree, if the appointed tagName mark of node, mean that it belongs to the part of section, the node that is identified has two types to be labels class taggedClasses and two set of stamp methods taggedMethods collection, in this way, identification section;
4) handle the section result, finish mapping from the jimple statement to the Java statement, tagName according to previous appointment identifies the statement that belongs to section, again according to having source statement row information in the statement, in source program, identify the statement of corresponding Java form, realize the section result of jimple statement form is changed into general Java statement.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2009100693254A CN101588363B (en) | 2009-06-18 | 2009-06-18 | Method for estabilishing Web service security analysis model based on program slice |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2009100693254A CN101588363B (en) | 2009-06-18 | 2009-06-18 | Method for estabilishing Web service security analysis model based on program slice |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101588363A CN101588363A (en) | 2009-11-25 |
CN101588363B true CN101588363B (en) | 2011-12-14 |
Family
ID=41372426
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2009100693254A Active CN101588363B (en) | 2009-06-18 | 2009-06-18 | Method for estabilishing Web service security analysis model based on program slice |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101588363B (en) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101873323B (en) * | 2010-06-21 | 2012-09-05 | 南京邮电大学 | Web service platform based on program slicing technique |
CN102193556B (en) * | 2011-04-18 | 2012-10-31 | 华东师范大学 | System and method for detecting potential interruption safety hazard of automobile electron device |
CN102790712B (en) * | 2011-05-17 | 2015-07-15 | 北京航空航天大学 | Web service security treatment method and system |
CN104933360B (en) * | 2015-05-21 | 2018-05-18 | 中国科学院信息工程研究所 | Android platform based on program dependency graph is counterfeit to apply detection method |
CN106534167A (en) * | 2016-12-06 | 2017-03-22 | 郑州云海信息技术有限公司 | Network encryption transmission method based on XML and system |
US11763007B1 (en) * | 2023-04-19 | 2023-09-19 | Citibank, N.A. | Systems and methods for performing vulnerability assessment on partially functional applications |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1140519A (en) * | 1994-12-07 | 1997-01-15 | 美国松下电器公司 | Security system for interconnected computer networks |
US20060008088A1 (en) * | 2004-07-09 | 2006-01-12 | Nokia Corporation | Software plug-in framework to modify decryption methods in terminals |
CN1909551A (en) * | 2005-08-03 | 2007-02-07 | 北京航空航天大学 | Data exchanging method based on Web service |
-
2009
- 2009-06-18 CN CN2009100693254A patent/CN101588363B/en active Active
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1140519A (en) * | 1994-12-07 | 1997-01-15 | 美国松下电器公司 | Security system for interconnected computer networks |
US20060008088A1 (en) * | 2004-07-09 | 2006-01-12 | Nokia Corporation | Software plug-in framework to modify decryption methods in terminals |
CN1909551A (en) * | 2005-08-03 | 2007-02-07 | 北京航空航天大学 | Data exchanging method based on Web service |
Also Published As
Publication number | Publication date |
---|---|
CN101588363A (en) | 2009-11-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10313382B2 (en) | System and method for visualizing and analyzing cyber-attacks using a graph model | |
Saleh et al. | A new comprehensive framework for enterprise information security risk management | |
Lin et al. | Adapting bro into scada: building a specification-based intrusion detection system for the dnp3 protocol | |
CN101588363B (en) | Method for estabilishing Web service security analysis model based on program slice | |
KR20070043707A (en) | Apparatus and method for developing, testing and monitoring secure software | |
CN113190330B (en) | Block chain threat sensing system and method | |
Dalezios et al. | Digital forensics cloud log unification: Implementing CADF in Apache CloudStack | |
Auricchio et al. | An automated approach to web offensive security | |
CN117744087A (en) | Intelligent equipment remote code execution vulnerability detection method based on static analysis | |
Schmerl et al. | Architecture modeling and analysis of security in android systems | |
Liu et al. | The development of privacy protection standards for smart home | |
Temple et al. | CyberSAGE: The cyber security argument graph evaluation tool | |
Gu et al. | Accurate and fast machine learning algorithm for systems outage prediction | |
Schütte et al. | Model-based security event management | |
Beckers et al. | A threat analysis methodology for smart home scenarios | |
CN115296936B (en) | Automatic method and system for assisting detection of anti-network crime | |
Arass et al. | Data life cycle: towards a reference architecture | |
Rizal et al. | An Overview Diversity Framework for Internet of Things (IoT) Forensic Investigation | |
Acosta et al. | Network data curation toolkit: cybersecurity data collection, aided-labeling, and rule generation | |
Deveci et al. | Model driven security framework for software design and verification | |
CN110759191B (en) | Elevator control method based on 5G smart park | |
Dai et al. | SuperDetector: A Framework for Performance Detection on Vulnerabilities of Smart Contracts | |
Wang et al. | Multi-source data sharing of electrical equipment based on handle system identity resolution technology for Internet of things in electric industry | |
Zorgati et al. | Sewsec: A secure web service composer using information flow control | |
Deng et al. | Static program analysis for IoT risk mitigation in space-air-ground integrated networks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | ||
TR01 | Transfer of patent right |
Effective date of registration: 20201120 Address after: No.150 Pingdong Avenue, Pingchao Town, Tongzhou District, Nantong City, Jiangsu Province Patentee after: Jiangsu Yongda power telecommunication installation engineering Co., Ltd Address before: 300072 Tianjin City, Nankai District Wei Jin Road No. 92 Patentee before: Tianjin University |