CN102945203B - A code security testing method for mobile Internet applications - Google Patents

Info

Publication number: CN102945203B
Authority: CN (China)
Prior art keywords: code, analysis, module, safety, analyzer
Legal status: Expired - Fee Related
Application number: CN201210421258.XA
Other languages: Chinese (zh)
Other versions: CN102945203A
Inventors: 罗时龙, 覃志武, 薛亚, 沈晨, 胡建光, 李军, 殷杰, 包先雨, 方凯彬
Current assignee: INFORMATION CT SHENZHEN ENTRY EXIT INSPECTION AND QUARANTINE BUREAU; Shenzhen Academy of Inspection and Quarantine
Original assignee: INFORMATION CT SHENZHEN ENTRY EXIT INSPECTION AND QUARANTINE BUREAU; Shenzhen Academy of Inspection and Quarantine
Priority date: 2012-10-26
Filing date: 2012-10-26
Publication dates: CN102945203A published 2013-02-27; CN102945203B granted 2016-04-13
Events: application filed by INFORMATION CT SHENZHEN ENTRY EXIT INSPECTION AND QUARANTINE BUREAU and Shenzhen Academy of Inspection and Quarantine; priority to CN201210421258.XA; published as CN102945203A; application granted and published as CN102945203B; current legal status Expired - Fee Related.

Abstract

The invention discloses a code security testing method for mobile Internet applications. The method targets the code security requirements of mobile application software and provides a test system made up of functional modules including a code analysis module, a data-flow analysis module, a control-flow analysis module, a structural analysis module and a safety analysis module. It supports operating systems including Android, Windows Mobile Phone, Symbian, HP-UX 11v1, IBM AIX 5.2, Linux Red Hat ES4/5, Linux Fedora Core 7, Linux Novell SUSE 10 and Sun Solaris 8/9/10, can scan for more than 300 kinds of vulnerabilities, and achieves code testing with a low false-negative rate.

Description

A code security testing method for mobile Internet applications
Technical field
The present invention relates to mobile Internet application technology, and in particular to a code security testing method for mobile Internet applications.
Background technology
With the spread of mobile Internet terminals, mobile Internet services have developed at an unprecedented pace, and the associated mobile service application software is used by more and more individuals and enterprises to handle private, sensitive and high-value information such as personal privacy and business negotiation data. This makes mobile service application software an increasingly attractive target for attackers who try to obtain that information. Security vulnerabilities introduced during the coding phase are the most common kind of security vulnerability, so designing an effective code security testing method that detects the potential threats present in source code is both necessary and urgent.
Vulnerabilities in software code are detected mainly by static and dynamic methods. A dynamic method places no limit on the size of the code and can test large programs, but its weakness is that the detection result depends heavily on the input: a vulnerability is found only when a specific input makes the code execute the dangerous point, so the false-negative rate of this approach is relatively high.
The code vulnerability detection method based on constraint analysis and model checking (application number 200910086938.9) proposes verifying buffer-overflow vulnerabilities by constraint analysis and model checking; the model is solved by predicate axiomatics in order to judge and analyse security vulnerabilities and the paths that cause them. This reduces the false-negative rate to a certain degree, but at the cost of a large amount of computational resources. In addition, the method does not take into account features of mobile application services such as their greater flexibility and diverse access channels, so it is difficult to apply directly to mobile application software.
Summary of the invention
The technical problem to be solved by the present invention is to provide a testing method that can scan for more than 300 kinds of vulnerabilities and achieves a low false-negative rate for code.
To solve the above technical problem, the present invention is realised by the following scheme: a code security testing method for mobile Internet applications. The method targets the code security requirements of mobile application software and provides a test system made up of functional modules including a code analysis module, a data-flow analysis module, a control-flow analysis module, a structural analysis module and a safety analysis module. The test system is composed of a code parser, a code analysis engine, a report builder, a safety rule module and a user interface module, whose main functions are as follows:
The code parser is connected to the code analysis engine; it is responsible for lexical and syntactic analysis of the source program, converts it into an intermediate representation and, according to the needs of the subsequent analysis modules, generates a specific syntax tree structure;
The code analysis engine comprises a data-flow analyser, a control-flow analyser, a structure analyser and a safety analyser;
The report builder analyses the results of the code analysis, submits them to the user and generates the corresponding audit report;
The safety rule module is responsible for supplying code analysis rules to the code analysis engine;
The user interface module is responsible for interacting with the user: on the one hand it accepts requests to scan input source code, and on the other hand it returns the results of the scan analysis to the user.
The data-flow analyser extracts the program's data-flow information on the basis of the code analysis.
The control-flow analyser mainly extracts the program's control-flow information on the basis of the code analysis. According to the rules, it traverses the AST (abstract syntax tree) to generate the corresponding program control dependence graph, and provides an interface through which the safety analysis scheduling module reads this information.
The goal of the structure analyser is to extract the program's primary structure, on the basis of the syntax tree extracted by the code analysis engine and according to the code analysis rules provided by the safety rule module.
The safety analyser, according to the information provided by the safety rule module, schedules the structure analyser to perform safety analysis, generates a report, and provides an interface for the report builder to call.
The advantage of the present invention is that it provides a code security testing method for mobile Internet applications which, targeting the code security requirements of mobile application software, provides functional modules for code analysis, data-flow analysis, control-flow analysis, structure analysis and safety analysis; supports operating systems including Android, Windows Mobile Phone, Symbian, HP-UX 11v1, IBM AIX 5.2, Linux Red Hat ES4/5, Linux Fedora Core 7, Linux Novell SUSE 10 and Sun Solaris 8/9/10; can scan for more than 300 kinds of vulnerabilities; and achieves code testing with a low false-negative rate.
Description of the drawings
The present invention is described in detail below with reference to the accompanying drawings.
Fig. 1 is a schematic diagram of the system architecture design of the present invention;
Fig. 2 is a flow chart of the functional implementation of the code parser of the present invention;
Fig. 3 is a flow chart of the functional implementation of the data-flow analyser of the present invention;
Fig. 4 is a flow chart of the functional implementation of the structure analyser of the present invention;
Fig. 5 is a flow chart of the functional implementation of the safety analyser of the present invention;
Fig. 6 is a processing flow chart of the system of the present invention;
Fig. 7 is a schematic diagram of the control flow of the Main method of the present invention;
Fig. 8 is a schematic diagram of the label syntactic structure of the present invention;
Fig. 9 is a schematic diagram of the syntactic structures of break, continue, return, goto, exit() and abort() of the present invention;
Fig. 10 is a schematic diagram of the if syntactic structure of the present invention;
Fig. 11 is a schematic diagram of the switch-case syntactic structure of the present invention;
Fig. 12 is a schematic diagram of the while loop syntactic structure of the present invention;
Fig. 13 is a schematic diagram of the for syntactic structure of the present invention;
Fig. 14 is a schematic diagram of the do-while loop syntactic structure of the present invention;
Fig. 15 is a schematic diagram of the empty branch structure of the present invention.
As shown in Fig. 1, the code security testing method for mobile Internet applications targets the code security requirements of mobile application software and provides a test system made up of functional modules including a code analysis module, a data-flow analysis module, a control-flow analysis module, a structural analysis module and a safety analysis module. The test system is composed of a code parser 1, a code analysis engine 2, a report builder 3, a safety rule module 4 and a user interface module 5, whose main functions are as follows:
1) The code parser 1 is responsible for lexical and syntactic analysis of the source program, converts it into an intermediate representation and, according to the needs of the subsequent analysis modules, generates a specific syntax tree structure that makes the subsequent analyses convenient; the data-flow analyser 21 extracts the program's data-flow information on the basis of the code parser 1. As shown in Fig. 2, its implementation flow is: the source code passes through pre-processing steps such as analysis scheduling, lexical analysis and syntactic analysis, linked by several processing threads, with an AST buffer pool attached to the lexical analysis.
2) The code analysis engine 2 comprises a data-flow analyser 21, a control-flow analyser 22, a structure analyser 23 and a safety analyser 24.
The functional implementation flow of the data-flow analyser 21 is shown in Fig. 3. The data-flow analyser 21 traverses the AST (abstract syntax tree), extracts the required data information, filters this information according to the user's policy, and provides an interface through which the program analysis modules read it. Its working principle is as follows:
Suppose a definition of variable x is a statement that assigns, or may assign, a value to x.
The most common definitions are assignments to x or statements that read a value into x. These statements definitely define x and are called unambiguous definitions of x. There are also statements that may define x; these are called ambiguous definitions.
A definition d is said to reach program point P if there is a path from the point immediately following d to P along which d is not killed. If somewhere along this path there is a read into a, or an assignment to a, then we say that definition of variable a is killed.
Intuitively, if definition d of some variable a reaches point P, then a use of a at P may be using the value assigned at d. Only an unambiguous definition of a kills other definitions of a. Thus a point can be reached, along one path, both by an unambiguous definition and by an ambiguous definition of the same variable that appears after that unambiguous definition.
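The reaching-definitions rule just described, worked through as an added example (this is not the patent's data-flow analyser; the block layout, the definition records and the small routine they describe are constructed). The point to watch is the last sentence above: an ambiguous definition does not kill the unambiguous definition before it, so both reach the later use.

```python
"""Reaching-definitions analysis with unambiguous and ambiguous definitions.

Added example; the blocks, edges and definition records below are constructed
and are not the patent's data-flow analyser.
"""
from collections import namedtuple

# One definition record: its id, the variable it (possibly) defines, and
# whether it is unambiguous (definitely assigns) or ambiguous (may assign,
# e.g. a store through a pointer that may alias the variable).
Def = namedtuple("Def", "id var unambiguous")


def apply_block(defs, reaching, by_id):
    """Push the set of reaching definition ids through one block's statements."""
    out = set(reaching)
    for d in defs:
        if d.unambiguous:
            # only an unambiguous definition kills other definitions of the variable
            out = {i for i in out if by_id[i].var != d.var}
        out.add(d.id)
    return out


def reaching_definitions(blocks, edges):
    """Iterate to a fixpoint. blocks: {name: [Def, ...]} in statement order,
    edges: [(src, dst)]. Returns (IN, OUT) dicts of definition-id sets."""
    by_id = {d.id: d for defs in blocks.values() for d in defs}
    preds = {b: [] for b in blocks}
    for src, dst in edges:
        preds[dst].append(src)
    ins = {b: set() for b in blocks}
    outs = {b: set() for b in blocks}
    changed = True
    while changed:
        changed = False
        for b, defs in blocks.items():
            in_b = set()
            for p in preds[b]:
                in_b |= outs[p]
            out_b = apply_block(defs, in_b, by_id)
            if in_b != ins[b] or out_b != outs[b]:
                ins[b], outs[b], changed = in_b, out_b, True
    return ins, outs


def defs_reaching(ins, blocks, block, var):
    """Ids of definitions of `var` that may reach the start of `block`."""
    by_id = {d.id: d for defs in blocks.values() for d in defs}
    return {i for i in ins[block] if by_id[i].var == var}


# Constructed CFG for a small C-like routine:
#   B1: x = input();      d1, unambiguous
#   B2: *p = 2;           d2, ambiguous (p may point at x)
#   B3: x = 5;            d3, unambiguous
#   B4: use(x);           loops back to B2 or falls through to B5
BLOCKS = {
    "B1": [Def("d1", "x", True)],
    "B2": [Def("d2", "x", False)],
    "B3": [Def("d3", "x", True)],
    "B4": [],
    "B5": [],
}
EDGES = [("B1", "B2"), ("B1", "B3"), ("B2", "B4"), ("B3", "B4"),
         ("B4", "B2"), ("B4", "B5")]

if __name__ == "__main__":
    ins, outs = reaching_definitions(BLOCKS, EDGES)
    for b in BLOCKS:
        print(b, "IN:", sorted(ins[b]), "OUT:", sorted(outs[b]))
    print("definitions of x reaching B4:", sorted(defs_reaching(ins, BLOCKS, "B4", "x")))
```

Along B1, B3, B4 the unambiguous d3 kills d1, so only d3 arrives from that side; along B1, B2, B4 the ambiguous d2 cannot kill d1, so d1 and d2 both arrive, and the use of x in B4 sees all three definitions. A safety rule that asks "may this value come from an untrusted definition?" must therefore consider every id in the IN set, not just the nearest one.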
The control-flow analyser 22 mainly extracts the program's control-flow information on the basis of the code parser 1. According to the rules, it traverses the AST (abstract syntax tree) to generate the corresponding program control dependence graph and provides an interface through which the safety analysis scheduling module reads this information. The control-flow analyser 22 is implemented as follows:
The control-flow graph of a program is composed of the nodes and branches described above and is an abstract graph representing the program's control flow. The control-flow graph of the Main method above can be expressed as the graph shown in Fig. 7.
The branch count of a control-flow graph is the sum of the branch counts of all branching points in the graph. In fact, the branch count also equals the sum of the "outflow" branch counts of all nodes. Therefore, a simple way to compute the branch count is to sum the "outflow" branch count of each node in the program. The following table gives the branching point of each kind of syntax and the method for computing its corresponding "outflow" branch count.
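An added example of the "sum of outflows" computation (this is not the patent's control-flow analyser, and the Main routine below is constructed rather than the one in Fig. 7, whose per-syntax table is not reproduced on this page). It builds a control-flow graph for a tiny structured AST of statements, if, while and return, then takes the branch count as the sum of each node's outgoing edges, so that a decision node contributes 2 and a straight-line statement contributes 1.

```python
"""Control-flow graph construction for a tiny structured AST and branch
counting as the sum of each node's outgoing ("outflow") edges.

Added example; the AST encoding and the MAIN routine are constructed and are
not the patent's control-flow analyser or its Fig. 7.
"""


class CFG:
    def __init__(self):
        self.label = {}   # node id -> statement text
        self.succ = {}    # node id -> list of successor ids ("outflow" edges)

    def node(self, label):
        n = len(self.label)
        self.label[n] = label
        self.succ[n] = []
        return n

    def edge(self, a, b):
        self.succ[a].append(b)


def build(cfg, ast, exit_node):
    """Return (entry node, open-ended nodes needing an edge to what follows).

    AST forms: ('stmt', text) | ('return', text) | ('seq', [ast, ...]) |
               ('if', cond, then_ast, else_ast_or_None) | ('while', cond, body_ast)
    """
    kind = ast[0]
    if kind == "stmt":
        n = cfg.node(ast[1])
        return n, [n]
    if kind == "return":
        n = cfg.node(ast[1])
        cfg.edge(n, exit_node)           # a return flows straight to the exit
        return n, []
    if kind == "seq":
        entry, ends = None, []
        for child in ast[1]:
            c_entry, c_ends = build(cfg, child, exit_node)
            if entry is None:
                entry = c_entry
            for e in ends:               # link the previous statement's ends
                cfg.edge(e, c_entry)
            ends = c_ends
        if entry is None:                # empty sequence: one empty node
            entry = cfg.node("<empty>")
            ends = [entry]
        return entry, ends
    if kind == "if":
        cond = cfg.node("if " + ast[1])
        t_entry, t_ends = build(cfg, ast[2], exit_node)
        cfg.edge(cond, t_entry)
        if ast[3] is None:               # no else: the test itself falls through
            return cond, t_ends + [cond]
        e_entry, e_ends = build(cfg, ast[3], exit_node)
        cfg.edge(cond, e_entry)
        return cond, t_ends + e_ends
    if kind == "while":
        cond = cfg.node("while " + ast[1])
        b_entry, b_ends = build(cfg, ast[2], exit_node)
        cfg.edge(cond, b_entry)
        for e in b_ends:                 # back edge(s) to the loop test
            cfg.edge(e, cond)
        return cond, [cond]              # the false branch of the loop test
    raise ValueError("unknown AST node " + kind)


def analyse(ast):
    """Build the CFG of a routine and return (cfg, branch count)."""
    cfg = CFG()
    exit_node = cfg.node("<exit>")
    entry, ends = build(cfg, ast, exit_node)
    for e in ends:
        cfg.edge(e, exit_node)
    # branch count = sum over all nodes of their "outflow" edge count
    return cfg, sum(len(s) for s in cfg.succ.values())


# Constructed Main routine (not the patent's Fig. 7)
MAIN = ("seq", [
    ("stmt", "int n = read(); int total = 0"),
    ("if", "n < 0", ("return", "return -1"), None),
    ("while", "n > 0", ("seq", [("stmt", "total += n"), ("stmt", "n--")])),
    ("return", "return total"),
])

if __name__ == "__main__":
    cfg, branches = analyse(MAIN)
    for n, succ in cfg.succ.items():
        print(f"{n}: {cfg.label[n]!r} -> {succ}  (outflow {len(succ)})")
    print("branch count:", branches)
```

For MAIN the if node and the while node each contribute two outflows and every other node one, giving nine branches; since every edge is exactly one node's outflow, the sum equals the number of edges in the graph, which is the identity the text relies on.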
The functional flow of the structure analyser 23 is shown in Fig. 4. The goal of the structure analyser 23 is to extract the program's primary structure (such as entry point information, the main method name and the relations between methods) on the basis of the syntax tree extracted by the code analysis engine 2 and according to the code analysis rules provided by the safety rule module 4.
The functional implementation flow of the safety analyser 24 is shown in Fig. 5. According to the information provided by the safety rule module 4, the safety analyser 24 schedules the structure analyser 23 to perform safety analysis, generates a report and provides an interface for the report builder 3 to call.
3) The report builder 3 analyses the results of the code analysis, submits them to the user and generates the corresponding audit report;
4) The safety rule module 4 is responsible for supplying code analysis rules to the code analysis engine 2;
5) The user interface module 5 is responsible for interacting with the user: on the one hand it accepts requests to scan input source code, and on the other hand it returns the results of the scan analysis to the user.
The system processing flow is shown in Fig. 6. After the user selects the source code path, the system first performs syntactic and lexical parsing of the source code and converts it into a standard AST. The system then performs data-flow and control-flow analysis on the AST, obtaining the function/method information of the project (including names, count, parameters and the mutual call relations between methods), the variable information (including variable names, the functions that use each variable, and the values of the variable at different positions in the function/method) and the control dependences between functions/methods.
On the basis of the data-flow and control-flow analysis results, the system invokes different resolvers according to the defined safety rules. By rule type, the resolvers can be divided into an XSS resolver, a SQL injection resolver, a cryptographic verification resolver and so on. When invoking a resolver, the system automatically calls the resolver of the type matching the content of the rule; after the resolver has run, its result is stored in a result buffer pool. Once all resolvers have finished, the system outputs the combined analysis results to the user. The results include the problem type, the position of the problem and the concrete trace information of the problem; the system also gives concrete reference solutions according to the problem type.
For example, if we need to check for SQL injection problems in the code, the concrete scanning process is as follows: the system first parses the source code into a standard AST, and then performs data-flow and control-flow analysis on the AST. If our rule defines the initial API as executeQuery and the terminal API as getParameter, then when the resolver is invoked the concrete analysis procedure is as follows:
1) First, search the data-flow results for code that calls the API executeQuery; if several calls are found, check them one by one;
2) Analyse the parameter of executeQuery and obtain query;
3) In the data-flow results, find the call list of the variable query and locate its definition statement String query = "SELECT * FROM Student WHERE Name='" + studentName + "'";
4) Analyse this definition statement and find that query depends on the variable studentName.
Then find the call list of the variable studentName in the data-flow results and locate its definition statement. Finding that the API called for studentName is the same as the terminal API, the variable is considered to come from external input. Since the code does not also check whether the variable studentName contains a single quotation mark, this SQL query statement is considered unsafe, and the result is recorded in the buffer pool.
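The four-step SQL injection resolver described above, as an added example that is not the patent's resolver or its data format: it runs a rule of the form {initial API, terminal API} over a simplified data-flow result, walking from each executeQuery argument back through variable definitions to getParameter, and reports a finding with its trace unless the variable was checked for a single quote on the way. The statement-record layout and the three servlet fragments are constructed assumptions.

```python
"""Rule-driven source-to-sink check over a simplified data-flow result,
following the SQL-injection scan steps above.

Added example; the statement records, the rule format and the three constructed
servlet fragments are assumptions, not the patent's resolver or data format.
"""

# A constructed rule of the kind the safety rule module would supply.
RULES = [
    {"type": "SQL injection", "start_api": "executeQuery", "stop_api": "getParameter"},
]

# Constructed data-flow result: one record per statement. `defines` is the
# variable assigned (or None), `uses` the variables read, `calls` the APIs
# invoked and `checks` the variables tested for a single quote in a conditional.
PROGRAM = [
    # fragment 1: user input flows unchecked into the query string
    {"line": 10, "defines": "studentName", "uses": [], "calls": ["getParameter"], "checks": [],
     "text": 'String studentName = request.getParameter("name");'},
    {"line": 11, "defines": "query", "uses": ["studentName"], "calls": [], "checks": [],
     "text": 'String query = "SELECT * FROM Student WHERE Name=\'" + studentName + "\'";'},
    {"line": 12, "defines": None, "uses": ["query"], "calls": ["executeQuery"], "checks": [],
     "text": "ResultSet rs = stmt.executeQuery(query);"},
    # fragment 2: same flow, but the input is checked for a single quote first
    {"line": 20, "defines": "city", "uses": [], "calls": ["getParameter"], "checks": [],
     "text": 'String city = request.getParameter("city");'},
    {"line": 21, "defines": None, "uses": ["city"], "calls": [], "checks": ["city"],
     "text": "if (city.contains(\"'\")) return;"},
    {"line": 22, "defines": "query2", "uses": ["city"], "calls": [], "checks": [],
     "text": 'String query2 = "SELECT * FROM Student WHERE City=\'" + city + "\'";'},
    {"line": 23, "defines": None, "uses": ["query2"], "calls": ["executeQuery"], "checks": [],
     "text": "ResultSet rs2 = stmt.executeQuery(query2);"},
    # fragment 3: a constant query with no external input
    {"line": 30, "defines": "query3", "uses": [], "calls": [], "checks": [],
     "text": 'String query3 = "SELECT COUNT(*) FROM Student";'},
    {"line": 31, "defines": None, "uses": ["query3"], "calls": ["executeQuery"], "checks": [],
     "text": "ResultSet rs3 = stmt.executeQuery(query3);"},
]


def definition_of(stmts, var):
    return next((s for s in stmts if s["defines"] == var), None)


def is_checked(stmts, var):
    return any(var in s["checks"] for s in stmts)


def trace_to_source(stmts, var, rule, seen=None):
    """Lines from var's definition back to the terminal API, or None if the
    variable does not derive from it (or was checked on the way)."""
    if seen is None:
        seen = set()
    if var in seen or is_checked(stmts, var):
        return None
    seen.add(var)
    d = definition_of(stmts, var)
    if d is None:
        return None
    if rule["stop_api"] in d["calls"]:
        return [d["line"]]                      # reached the terminal API: external input
    for used in d["uses"]:                      # step 4: follow related variables
        chain = trace_to_source(stmts, used, rule, seen)
        if chain:
            return [d["line"]] + chain
    return None


def scan(stmts, rules):
    """Steps 1-4: for every call of the initial API, trace each argument."""
    findings = []
    for rule in rules:
        for s in stmts:
            if rule["start_api"] not in s["calls"]:
                continue                        # step 1: find the initial API calls
            for arg in s["uses"]:               # step 2: its parameter
                chain = trace_to_source(stmts, arg, rule)
                if chain:
                    findings.append({"type": rule["type"], "line": s["line"],
                                     "trace": [s["line"]] + chain})
    return findings


if __name__ == "__main__":
    for f in scan(PROGRAM, RULES):
        print(f"{f['type']} at line {f['line']}, trace {f['trace']}")
```

Only fragment 1 is reported: its trace (12, 11, 10) is the problem's position plus the concrete trace information the text says the result must carry. Fragment 2 is suppressed because the single-quote check on city is found, and fragment 3 never reaches the terminal API. The check here is deliberately simple in that any conditional on the variable anywhere in the records counts; a real resolver would use the control-flow results to require that the check dominates the query.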
The foregoing is only a preferred embodiment of the present invention and does not thereby limit the scope of the claims; every equivalent structural or flow transformation made using the content of the description and drawings of the present invention, or direct or indirect use in other related technical fields, is likewise included within the scope of patent protection of the present invention.

Claims (1)

1. A code security testing method for mobile Internet applications, characterised in that: the method targets the code security requirements of mobile application software and provides a test system made up of functional modules including a code analysis module, a data-flow analysis module, a control-flow analysis module, a structural analysis module and a safety analysis module; the test system is composed of a code parser (1), a code analysis engine (2), a report builder (3), a safety rule module (4) and a user interface module (5), whose main functions are as follows:
The code parser (1) is connected to the code analysis engine (2); it is responsible for lexical and syntactic analysis of the source program, converts it into an intermediate representation and, according to the needs of the subsequent analysis modules, generates a specific syntax tree structure;
The code analysis engine (2) comprises a data-flow analyser (21), a control-flow analyser (22), a structure analyser (23) and a safety analyser (24); the report builder (3) analyses the results of the code analysis, submits them to the user and generates the corresponding audit report;
The safety rule module (4) is responsible for supplying code analysis rules to the code analysis engine (2); the user interface module (5) is responsible for interacting with the user: on the one hand it accepts requests to scan input source code, and on the other hand it returns the results of the scan analysis to the user;
The data-flow analyser (21) extracts the program's data-flow information on the basis of the code analysis;
The control-flow analyser (22) mainly extracts the program's control-flow information on the basis of the code analysis; according to the rules, the control-flow analyser (22) traverses the AST (abstract syntax tree) to generate the corresponding program control dependence graph, and provides an interface through which the safety analysis scheduling module reads this information;
The goal of the structure analyser (23) is to extract the program's primary structure, on the basis of the syntax tree extracted by the code analysis engine (2) and according to the code analysis rules provided by the safety rule module (4);
The safety analyser (24), according to the information provided by the safety rule module (4), schedules the structure analyser (23) to perform safety analysis, generates a report, and provides an interface for the report builder (3) to call.
Publications (2)

Publication Number Publication Date
CN102945203A CN102945203A (en) 2013-02-27
CN102945203B true CN102945203B (en) 2016-04-13

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee (granted publication date: 20160413; termination date: 20161026)