CN103842963B - Method and apparatus for assessing downgrader code in application code - Google Patents

Publication number: CN103842963B (application CN201280047485.9A)
Authority: CN (China)
Prior art keywords: downgrader, code, string, illegal, target deployment
Legal status: Active (as listed by Google Patents; the listed status is an assumption, not a legal conclusion)
Abstract
The present disclosure relates to the automatic detection of defects and incompatibility problems in information flow downgraders. Mechanisms are provided for assessing downgrader code in application code with respect to a target deployment environment. Downgrader code in the application code is identified. Based on an input string, the output string that the downgrader code produces in response to receiving that input string is identified. One or more illegal string pattern sets are retrieved; each of these sets is associated with a corresponding deployment environment. An illegal string pattern is a string pattern that, for security reasons, a downgrader is expected to identify in the information flow. Based on the illegal string pattern sets and the output string, a determination is made as to whether the downgrader code is compatible with the target deployment environment. An output indicating the result of the determination is generated.
Description
Technical field
The present application relates generally to an improved data processing apparatus and method, and more specifically to mechanisms for automatically detecting defects and incompatibility problems in information flow downgraders, where an information flow downgrader is also referred to as a security downgrader or simply a downgrader.
Background art
The principle of information flow security establishes that no "illegal flow" of information is permitted. A flow is illegal if it allows untrusted information to be used in a trusted computation (an integrity violation) or allows private information to be fully or partially exposed to an unauthorized user (a confidentiality violation). By simply declaring that no information may flow from "high" to "low", integrity and confidentiality can be regarded as dual problems, where "high" means "untrusted" in integrity and "secret" in confidentiality, and "low" means "trusted" in integrity and "public" in confidentiality.
Information can be labelled with information flow labels. Typically, information flow labels form a partially ordered set or lattice. If information flow security were strictly enforced and no illegal information flow were allowed, most programs would not work. To become "information flow secure", a program would have to be "partitioned" so that information labelled with some label "X" can only flow to program points labelled with a label greater than or equal to "X".
Programs restricted in this way are not very useful. For example, from the integrity point of view, a Web application should be able to accept input from potentially untrusted users and use that input in trusted computations. An online banking program, for instance, accepts a user's account number and password (potentially untrusted or malicious information) as input and passes them to a back-end database system, where they are used in a trusted setting. In another example, an online bookstore accepts a customer's user number and password and the title of the book the customer wants to buy (all potentially untrusted or malicious information) as input and completes the transaction with them, and so on.
From the confidentiality perspective, Web applications often publish data that was computed from private information and that should therefore be regarded as secret itself. For example, a banking application may expose the last four digits of any user's social security number to a teller, and an online bookstore may expose the last four digits of any customer's credit card number to a salesperson, and so on. All of these programs exhibit flows that allow "high" information to reach "low" program points, and if information flow security were simply enforced, all of these programs would be rejected. To allow these programs to work, "high" information can be "downgraded" so that it becomes "low" enough to be used at "low" program points.
Downgrading translates into "endorsement" in integrity and into "declassification" in confidentiality. For example, once a program has verified that the input a user supplied to a Web application is a correctly formatted string, the program can endorse that input, which now becomes trusted enough to be used in a trusted computation. Similarly, once a program has verified that the information extracted from a secret is not enough to expose the secret itself, the program can declassify the extracted information, which can now become public enough to be exposed to a general audience.
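To make the high/low model and the two kinds of downgrader concrete, the following is an added example (not part of the patent text) of a toy information-flow label checker: labels are (integrity, confidentiality) pairs ordered as a lattice, a flow is legal only when the data's label is at or below the sink's label in both dimensions, and endorsement and declassification are the only ways to move data downward. The sink labels, the account-number validator and the sample values are constructed for illustration.

```python
"""Added example, not part of the patent: a toy information-flow label checker
for the 'high'/'low' model described above, with endorsement (integrity) and
declassification (confidentiality) as the two kinds of downgrader.
All labels, sinks and sample values are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Lattice order per dimension: 'low' < 'high'.
# integrity:       trusted (low) < untrusted (high)
# confidentiality: public  (low) < secret    (high)
RANK = {"trusted": 0, "untrusted": 1, "public": 0, "secret": 1}


@dataclass(frozen=True)
class Label:
    integrity: str
    confidentiality: str

    def flows_to(self, sink: "Label") -> bool:
        """Legal only if the data's label is <= the sink's label in both
        dimensions: data may flow 'up' the lattice but never from high to low."""
        return (RANK[self.integrity] <= RANK[sink.integrity]
                and RANK[self.confidentiality] <= RANK[sink.confidentiality])


@dataclass(frozen=True)
class Value:
    data: str
    label: Label


# Two 'low' program points (sinks), expressed as the labels they tolerate (constructed):
DB_QUERY = Label("trusted", "secret")         # trusted computation; may handle secrets
TELLER_SCREEN = Label("untrusted", "public")  # shown to a teller; must be public


def endorse(v: Value, accept: Callable[[str], bool]) -> Optional[Value]:
    """Integrity downgrader: relabel as trusted only after validation succeeds.
    A validator rejects (returns None) rather than silently altering the data."""
    if not accept(v.data):
        return None
    return Value(v.data, Label("trusted", v.label.confidentiality))


def declassify_last4(v: Value) -> Value:
    """Confidentiality downgrader: release only the last four digits, the
    page's example of information that does not expose the secret itself."""
    return Value(v.data[-4:], Label(v.label.integrity, "public"))


def is_account_number(s: str) -> bool:
    """Constructed validator: a well-formed account number is 8 to 12 digits."""
    return re.fullmatch(r"[0-9]{8,12}", s) is not None


def audit() -> dict:
    """Check each flow with and without downgrading; True means the flow is legal."""
    user_input = Value("12345678", Label("untrusted", "public"))  # constructed
    ssn = Value("123-45-6789", Label("trusted", "secret"))        # constructed
    endorsed = endorse(user_input, is_account_number)
    rejected = endorse(Value("12-34", Label("untrusted", "public")), is_account_number)
    return {
        "raw_input_to_db": user_input.label.flows_to(DB_QUERY),
        "endorsed_input_to_db": endorsed is not None and endorsed.label.flows_to(DB_QUERY),
        "malformed_input_rejected": rejected is None,
        "ssn_to_teller": ssn.label.flows_to(TELLER_SCREEN),
        "last4_to_teller": declassify_last4(ssn).label.flows_to(TELLER_SCREEN),
        "last4_value": declassify_last4(ssn).data,
    }


if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name}: {result}")
```

The checker rejects the raw user input at the database sink (integrity violation) and the full social security number at the teller sink (confidentiality violation); the same data passes once endorsed or declassified, which is exactly the relabelling a downgrader performs.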
A program may implement many different types of downgrader. This is because a program should not pass any "high" input to a "low" function unless that "high" input has first been downgraded. A specific downgrader operates on a specific subset of the set of "low" functions, and therefore a program may be required to implement many different types of downgrader.
For example, an integrity "low" function that accepts an input in string form may concatenate that string into a Structured Query Language (SQL) query and then submit it to a database. In this example, the function would require that its input contains no semicolons and slashes, because such characters may be interpreted by the database as SQL commands. Therefore, any input given to this "low" function should be sanitized (that is, the illegal input is changed by deleting or replacing its suspicious portions) or validated to ensure that no such forbidden characters are present. Only once a trusted sanitizer has verified that no such forbidden character is present is the initially untrusted string accepted for use in the SQL query.
However, if the "low" function is not responsible for executing an SQL query but instead concatenates its string input into HyperText Markup Language (HTML) code, a different sanitization is necessary. The problem here is no longer preventing SQL injection, but preventing the attack known as cross-site scripting (XSS). In this case, the sanitization function has to check that no special JavaScript tags, such as <script> and </script>, are present (Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates).
Downgraders can often be obtained from libraries and are classified according to the specification of the corresponding "low" function. However, Web applications often implement their own downgrading functions. This makes the security static analysis of Web applications very complex. In fact, a static analysis for information flow security should take as input the signatures of the downgrading functions and the rules that map each downgrading function to its corresponding "low" functions. With that input, the static analysis can verify that, on every path leading to a "low" function, the inputs to that function have been correctly downgraded. Unfortunately, when a Web application implements its own downgraders, detecting those downgraders and classifying them in a way that a static analysis for information flow security can subsequently interpret is very difficult.
Because Web applications accept user input and are typically accessible to a large number of users, they are particularly vulnerable to security attacks. According to the Web Application Security Consortium (WASC), about 100,000 security vulnerabilities were found and fixed in 2008, of which 52,587 were urgent or critical. This illustrates the importance of protecting Web applications against malicious input. This protection is typically implemented with the endorsement/downgrader mechanism described above, which either sanitizes user input (that is, changes the input by deleting or replacing its suspicious portions) or validates user input (that is, rejects the user input if it is determined to be illegal).
Sanitizers and validators can be understood as the last (and application-specific) line of defense against attacks. These mechanisms typically embody subtle reasoning that must distinguish legal from illegal input in a variety of contexts. Moreover, these mechanisms are themselves the interface between security experts and application developers. Writing them correctly is not a standard coding task, since it requires a deep understanding of security threats (in the form of a long catalogue of known security attacks). Best practices, criteria and guidelines on how to build sanitization and validation mechanisms can generally be found in the security literature. The challenge is to check whether the code of a Web application has followed these criteria. There is currently no automated mechanism to perform this check.
Moreover, since downgraders are typically written by software engineers whose expertise lies in developing software rather than in understanding the design and security implications of their engineering choices, it is not surprising that the number of attacks caused by incorrectly handled input is high. Most commonly, a downgrader implementation leaves out, or handles incorrectly, some corner case involving the removal of forbidden characters or strings. But there are also cases where the correct downgrading is sensitive to the server-side component. For example, a downgrader that prevents SQL injection (SQLi) attacks should apply a different transformation for each type of database server, because those database servers use different metacharacters: MS SQL Server interprets two hyphens (--) as the start of a comment when parsing an SQL command, while another database server may interpret the pound sign (#) as the start of a comment.
An attacker can easily and efficiently identify the instances in which an application has applied incorrect sanitization by using fuzzing techniques. This makes matters even worse, because while concluding that the program's protective layer is broken, the attacker simultaneously learns which inputs are used in the security-sensitive regions of the code, which makes the later steps of the attack easier. A further challenge therefore arises when determining whether a downgrader is compatible with the system it is meant to protect.
Summary of the invention
In one illustrative embodiment, a method is provided, in a data processing system, for assessing downgrader code in application code with respect to a target deployment environment. The method comprises identifying, by an application analysis mechanism of the data processing system, downgrader code in the application code. The downgrader code is a portion of code in the application code that operates on an information flow of the application code to ensure the confidentiality of information input to the downgrader code in the output of the downgrader code. The method further comprises generating, by the application analysis mechanism and based on an input string, an output string that the downgrader code outputs in response to receiving the input string. The method further comprises retrieving one or more illegal string pattern sets from a storage system associated with the data processing system. Each of the one or more illegal string pattern sets is associated with a corresponding deployment environment. An illegal string pattern is a string pattern that, for security reasons, a downgrader is expected to identify in an information flow. Moreover, the method comprises determining, by the application analysis mechanism, whether the downgrader code is compatible with the target deployment environment based on the one or more illegal string pattern sets and the output string. Moreover, the method comprises generating, by the application analysis mechanism, an output indicating the result of the determination.
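The procedure summarised above (run the downgrader on an input string, retrieve the illegal string pattern sets for each deployment environment, and decide compatibility from what survives in the output) is shown below as an added example; it is not the patent's code. The pattern sets, the two candidate downgraders and the sample inputs are constructed placeholders: the page only states that MS SQL Server treats `--` as a comment start and that another database server may use `#`, and that HTML sinks must keep out `<script>` tags. The example also exercises the "corner case" failure the background section describes, where the order of two deletions lets a forbidden sequence reassemble.

```python
"""Added example, not part of the patent: a small harness that follows the
assessment procedure described above, running a candidate downgrader on sample
inputs and checking its output strings against per-environment illegal string
pattern sets. Pattern sets, downgraders and inputs are constructed placeholders."""
import re
from typing import Callable, Dict, List, Tuple

# Illegal string pattern sets, one per deployment environment (constructed).
# '--' for MS SQL Server and '#' for "another database server" come from the
# page; the remaining patterns are illustrative assumptions.
ILLEGAL_PATTERNS: Dict[str, List[str]] = {
    "mssql":    [r"--", r";"],
    "other_db": [r"#", r";"],
    "html":     [r"<\s*/?\s*script", r"javascript:"],
}

# Sample input strings a defender would feed the downgrader (constructed).
SAMPLE_INPUTS = ["alice", "a-;-b", "x--y; z", "# comment", "<script>x</script>"]


def careful_mssql(s: str) -> str:
    """Constructed downgrader written for MS SQL: drop ';' first, then '--',
    so that removing ';' cannot reassemble a '--' after the '--' pass ran."""
    return s.replace(";", "").replace("--", "")


def naive_mssql(s: str) -> str:
    """Constructed downgrader with the opposite order: deleting ';' from
    '-;-' yields '--' after the '--' pass has already finished."""
    return s.replace("--", "").replace(";", "")


def assess_downgrader(downgrader: Callable[[str], str], env: str,
                      inputs: List[str]) -> dict:
    """Run the downgrader on each input and report every (input, output,
    pattern) triple in which an illegal pattern of `env` survives."""
    findings: List[Tuple[str, str, str]] = []
    for inp in inputs:
        out = downgrader(inp)
        for pat in ILLEGAL_PATTERNS[env]:
            if re.search(pat, out):
                findings.append((inp, out, pat))
    return {"environment": env, "compatible": not findings, "findings": findings}


def compatibility_matrix(downgraders: Dict[str, Callable[[str], str]],
                         inputs: List[str]) -> Dict[Tuple[str, str], bool]:
    """Which downgrader is compatible with which deployment environment."""
    return {(name, env): assess_downgrader(fn, env, inputs)["compatible"]
            for name, fn in downgraders.items() for env in ILLEGAL_PATTERNS}


if __name__ == "__main__":
    candidates = {"careful_mssql": careful_mssql, "naive_mssql": naive_mssql}
    for (name, env), ok in compatibility_matrix(candidates, SAMPLE_INPUTS).items():
        print(f"{name:14s} {env:9s} {'compatible' if ok else 'INCOMPATIBLE'}")
    print(assess_downgrader(naive_mssql, "mssql", SAMPLE_INPUTS)["findings"])
```

The report shows the two outcomes the patent distinguishes: `careful_mssql` is compatible with the MS SQL environment but incompatible with the `#`-comment database and with the HTML sink, while `naive_mssql` fails even its intended environment because the input `a-;-b` comes out as `a--b`.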
In other illustrative embodiments, a computer program product comprising a computer usable or readable medium having a computer readable program is provided. When executed on a computing device, the computer readable program causes the computing device to perform various ones of, and combinations of, the operations outlined above with regard to the method illustrative embodiment.
In yet another illustrative embodiment, a system/apparatus is provided. The system/apparatus may comprise one or more processors and a memory coupled to the one or more processors. The memory may comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform various ones of, and combinations of, the operations outlined above with regard to the method illustrative embodiment.
These and other features and advantages of the present invention will be described in, or will become apparent to those of ordinary skill in the art in view of, the following detailed description of the example embodiments of the present invention.
Brief description of the drawings
The invention, as well as a preferred mode of use and further advantages thereof, will best be understood by reference to the following detailed description of illustrative embodiments when read in conjunction with the accompanying drawings, wherein:
Fig. 1 depicts a pictorial representation of an example distributed data processing system in which aspects of the illustrative embodiments may be implemented;
Fig. 2 is an example block diagram of an example data processing system in which aspects of the illustrative embodiments may be implemented;
Fig. 3 is an example block diagram of the primary operational elements of an application analysis mechanism in accordance with one illustrative embodiment;
Fig. 4 is an example diagram of a transducer producing a CFG that the mechanisms of the illustrative embodiments may utilize;
Fig. 5 is an example diagram illustrating static string analysis in accordance with one illustrative embodiment;
Fig. 6 is an example program call graph in accordance with one illustrative embodiment;
Fig. 7 is an example block/flow diagram illustrating a system and method for statically detecting and classifying information flow downgraders in accordance with one illustrative embodiment;
Fig. 8 is a flowchart outlining an example operation of an automated application analysis mechanism in accordance with one illustrative embodiment; and
Fig. 9 is a flowchart outlining an example operation for assessing the compatibility and strength of downgraders in accordance with one illustrative embodiment.
Detailed description of the invention
The illustrative embodiments provide mechanisms for statically enforcing Web application security criteria by utilizing a form of analysis of the quality and consistency of information flow downgraders. In particular, the illustrative embodiments provide automated mechanisms for checking the downgraders in the application code of, for example, a Web application (i.e., an application accessible via the World Wide Web or the Internet) and for ensuring that the application code follows the criteria for implementing information flow downgraders. Based on this check, output can be generated regarding whether the Web application conforms to the criteria or contains security violations.
The illustrative embodiments use string analysis mechanisms. String analysis is a collection of techniques and mechanisms whose purpose is to approximate the set of runtime values that a string variable may assume. U.S. Patent Applications 12/575,647, 12/825,293 and 12/627,351 describe string analysis techniques and their application to examples of Web application security problems. In particular, U.S. Patent Application 12/575,647 describes techniques for automatically detecting information flow downgraders using string analysis.
The mechanisms of the illustrative embodiments of the present invention operate independently of the mechanisms of application 12/575,647, which concern how downgraders such as sanitizers and validators are found in application code. Instead, the mechanisms of the illustrative embodiments of the present invention are used to determine how a downgrader is constructed and whether that construction meets the established criteria. The mechanisms of the illustrative embodiments abstract away from the implementation details of a downgrader and represent the downgrader as a sequence of operations on the downgrader's input. This abstraction is made possible by modeling built-in string operations and other instructions of interest. For example, built-in string operations can be modeled using monadic second-order logic models. The resulting higher-level abstract representation of the string operations can then be checked and scored against a set of criteria. Quantifying the quality of an application's protective layer, i.e., the application's information flow downgraders, can thus be performed as an automated process.
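The following added example (mine, not the patent's code) illustrates the idea of abstracting a downgrader as a sequence of operations on its input and scoring the abstraction against criteria. It uses a deliberately coarse abstract domain, the set of characters that may still appear in the output, rather than the monadic second-order logic models the page mentions; the operation vocabulary, the per-sink criteria and the sample downgraders are constructed for illustration. The scoring also records whether a downgrader deletes input instead of rejecting it, which the next paragraph identifies as a source of business-logic errors.

```python
"""Added example, not part of the patent: a coarse static string analysis that
abstracts a downgrader as a sequence of operations on its input and tracks,
as an over-approximation, the set of characters that may still appear in the
output; the result is scored against per-sink criteria. Operation vocabulary,
criteria and sample downgraders are constructed for illustration."""
from dataclasses import dataclass
from typing import FrozenSet, List

# Assumed input alphabet: printable ASCII.
ANY_CHAR: FrozenSet[str] = frozenset(chr(c) for c in range(32, 127))


@dataclass(frozen=True)
class Op:
    kind: str        # "remove" | "replace" | "keep_only" | "reject_if_contains"
    arg: str
    repl: str = ""   # replacement text for "replace"


def abstract_apply(may: FrozenSet[str], op: Op) -> FrozenSet[str]:
    """Transfer function over the may-appear character set. A character is
    dropped only when the operation provably removes every occurrence, so the
    result over-approximates the real output alphabet (imprecise, never unsound)."""
    if op.kind == "keep_only":
        return may & frozenset(op.arg)
    if op.kind == "reject_if_contains":
        # On the accepting path of a validator these characters are absent.
        return may - frozenset(op.arg)
    if op.kind == "remove":
        # Only a single-character removal provably eliminates a character;
        # deleting "<script>" says nothing about a lone '<' in the output.
        return may - frozenset(op.arg) if len(op.arg) == 1 else may
    if op.kind == "replace":
        if not frozenset(op.arg) <= may:
            return may                       # the pattern cannot occur at all
        removed = frozenset(op.arg) if len(op.arg) == 1 else frozenset()
        return (may - removed) | frozenset(op.repl)
    raise ValueError(f"unknown op {op.kind}")


def analyse(ops: List[Op], alphabet: FrozenSet[str] = ANY_CHAR) -> FrozenSet[str]:
    """Characters that may appear in the downgrader's output for any input."""
    for op in ops:
        alphabet = abstract_apply(alphabet, op)
    return alphabet


# Criteria per 'low' sink: characters the downgrader must keep out (constructed;
# the page names semicolon and slash for the SQL case and <script> tags for HTML).
CRITERIA = {"sql_sink": frozenset(";/"), "html_sink": frozenset("<>")}


def score(ops: List[Op], sink: str) -> dict:
    """Fraction of forbidden characters proven absent, the characters that may
    still leak, and whether the downgrader deletes input instead of rejecting it."""
    forbidden = CRITERIA[sink]
    may = analyse(ops)
    return {
        "score": len(forbidden - may) / len(forbidden),
        "may_leak": sorted(forbidden & may),
        "deletes_input": any(op.kind == "remove" for op in ops),
    }


# Sample downgraders as operation sequences (constructed).
SQL_STRIPPER = [Op("remove", ";"), Op("remove", "/")]
SQL_VALIDATOR = [Op("reject_if_contains", ";/")]
TAG_STRIPPER = [Op("remove", "<script>"), Op("remove", "</script>")]
HTML_ESCAPER = [Op("replace", "<", "&lt;"), Op("replace", ">", "&gt;")]

if __name__ == "__main__":
    for name, ops, sink in [("SQL_STRIPPER", SQL_STRIPPER, "sql_sink"),
                            ("SQL_VALIDATOR", SQL_VALIDATOR, "sql_sink"),
                            ("TAG_STRIPPER", TAG_STRIPPER, "html_sink"),
                            ("HTML_ESCAPER", HTML_ESCAPER, "html_sink"),
                            ("HTML_ESCAPER", HTML_ESCAPER, "sql_sink")]:
        print(f"{name:13s} -> {sink}: {score(ops, sink)}")
```

Two results are worth noting. The tag stripper scores zero at the HTML sink because removing whole `<script>` tokens never proves that `<` is gone, whereas the entity escaper scores fully; and the same escaper scores zero at the SQL sink, which is the cross-context mismatch the page warns about when one downgrader is reused for a different "low" function.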
An automated mechanism that evaluates downgraders according to established criteria serves as an important bridge between application developers and security experts, because it allows the security expert to verify the code implementation of a downgrader and to communicate the assessment to the application developer through a formal mechanism. The automated mechanisms of the illustrative embodiments can also identify downgraders whose score is so low that they may be the cause of business logic errors, for example when the low score of a downgrader is due to the fact that it eliminates input characters rather than rejecting the input, which causes unintended behavior in the business logic.
As will be appreciated by one skilled in the art, the present invention may be embodied as a system, method or computer program product. Accordingly, aspects of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects, all of which may generally be referred to herein as a "circuit", "module" or "system". Furthermore, aspects of the present invention may take the form of a computer program product embodied in any one or more computer readable media having computer usable program code embodied thereon.
Any combination of one or more computer readable media may be utilized. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CDROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electromagnetic, optical, or any suitable combination thereof. A computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Computer code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, radio frequency (RF), etc., or any suitable combination thereof.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java™, Smalltalk™, C++ or the like, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
Aspects of the present invention are described below with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to the illustrative embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer readable medium that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the computer readable medium produce an article of manufacture including instructions which implement the functions/acts specified in the flowchart and/or block diagram block or blocks.
The computer program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process, such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or by combinations of special purpose hardware and computer instructions.
The illustrative embodiments may be utilized in many different types of data processing environments, including a distributed data processing environment, a single data processing device, or the like. In order to provide a context for the description of the specific elements and functionality of the illustrative embodiments, Figs. 1 and 2 are provided hereafter as example environments in which aspects of the illustrative embodiments may be implemented. It should be appreciated that Figs. 1-2 are only examples and are not intended to assert or imply any limitation with regard to the environments in which aspects or embodiments of the present invention may be implemented. Many modifications to the depicted environments may be made without departing from the spirit and scope of the present invention.
With reference now to the figures, Fig. 1 depicts a pictorial representation of an example distributed data processing system in which aspects of the illustrative embodiments may be implemented. Distributed data processing system 100 may include a network of computers in which aspects of the illustrative embodiments may be implemented. The distributed data processing system 100 contains at least one network 102, which is the medium used to provide communication links between the various devices and computers connected together within distributed data processing system 100. The network 102 may include connections such as wire, wireless communication links, or fiber optic cables.
In the depicted example, server 104 and server 106 are connected to network 102 along with storage unit 108. In addition, clients 110, 112 and 114 are also connected to network 102. These clients 110, 112 and 114 may be, for example, personal computers, network computers, or the like. In the depicted example, server 104 provides data, such as boot files, operating system images and applications, to clients 110, 112 and 114. Clients 110, 112 and 114 are clients of server 104 in the depicted example. Distributed data processing system 100 may include additional servers, clients and other devices not shown.
In depicted example, distributed data processing system 100 is the Internet, represents that use transmission controls with network 102
Network and the set of gateway in the world wide that agreement/procotol (TCP/IP) protocol package is in communication with each other.In this Internet
Center be the backbone of high-speed data communication lines between host node or host computer, wherein host node or host computer bag
Containing thousands of business, government, education and other route data and the computer system of message.Certainly, distributed
Data handling system 100 can also be embodied as the network comprising number of different types, the most such as, in-house network, LAN
(LAN), wide area network (WAN) etc..As it has been described above, Fig. 1 is for the purpose of example rather than as the different enforcements to the present invention
The structure of example limits, and therefore, and the element-specific shown in Fig. 1 is not construed as limiting can be about the present invention
Wherein realize the environment of illustrative embodiment.
With reference now to Fig. 2, a block diagram of an example data processing system is shown in which aspects of the illustrative embodiments may be implemented. Data processing system 200 is an example of a computer, such as client 110 in Fig. 1, in which computer-usable code or instructions implementing the processes of the illustrative embodiments of the present invention may be located.
In the depicted example, data processing system 200 employs a hub architecture including a north bridge and memory controller hub (NB/MCH) 202 and a south bridge and input/output (I/O) controller hub (SB/ICH) 204. Processing unit 206, main memory 208 and graphics processor 210 are connected to NB/MCH 202. Graphics processor 210 may be connected to NB/MCH 202 through an accelerated graphics port (AGP).
In the depicted example, local area network (LAN) adapter 212 connects to SB/ICH 204. Audio adapter 216, keyboard and mouse adapter 220, modem 222, read only memory (ROM) 224, hard disk drive (HDD) 226, CD-ROM drive 230, universal serial bus (USB) ports and other communication ports 232, and PCI/PCIe devices 234 connect to SB/ICH 204 through bus 238 and bus 240. PCI/PCIe devices may include, for example, Ethernet adapters, add-in cards and PC cards for notebook computers. PCI uses a card bus controller, while PCIe does not. ROM 224 may be, for example, a flash basic input/output system (BIOS).
HDD 226 and CD-ROM drive 230 connect to SB/ICH 204 through bus 240. HDD 226 and CD-ROM drive 230 may use, for example, an integrated drive electronics (IDE) or serial advanced technology attachment (SATA) interface. Super I/O (SIO) device 236 may be connected to SB/ICH 204.
An operating system runs on processing unit 206. The operating system coordinates and provides control of the various components within data processing system 200 in Fig. 2. As a client, the operating system may be a commercially available operating system such as Microsoft Windows 7 (Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both). An object-oriented programming system, such as the Java programming system, may run in conjunction with the operating system and provide calls to the operating system from Java programs or applications executing on data processing system 200 (Java is a trademark of Oracle and/or its affiliates in the United States, other countries, or both).
As a server, data processing system 200 may be, for example, an IBM eServer System p computer system running the Advanced Interactive Executive (AIX) operating system or the LINUX operating system (IBM, eServer, System p and AIX are trademarks of International Business Machines Corporation in the United States, other countries, or both, and LINUX is a trademark of Linus Torvalds in the United States, other countries, or both). Data processing system 200 may be a symmetric multiprocessor (SMP) system including a plurality of processors in processing unit 206. Alternatively, a single processor system may be employed.
Instructions for the operating system, the object-oriented programming system, and applications or programs are located on storage devices, such as HDD 226, and may be loaded into main memory 208 for execution by processing unit 206. The processes of the illustrative embodiments of the present invention may be performed by processing unit 206 using computer-usable program code, which may be located in a memory such as, for example, main memory 208, ROM 224, or one or more peripheral devices 226 and 230.
A bus system, such as bus 238 or bus 240 shown in Fig. 2, may be comprised of one or more buses. Of course, the bus system may be implemented using any type of communication fabric or architecture that provides for a transfer of data between the different components or devices attached to the fabric or architecture. A communication unit, such as modem 222 or network adapter 212 of Fig. 2, may include one or more devices used to transmit and receive data. A memory may be, for example, main memory 208, ROM 224, or a cache such as the one found in NB/MCH 202 in Fig. 2.
Those of ordinary skill in the art will appreciate that the hardware in Figs. 1-2 may vary depending on the implementation. Other internal hardware or peripheral devices, such as flash memory, equivalent non-volatile memory, optical disk drives and the like, may be used in addition to or in place of the hardware depicted in Figs. 1-2. Also, the processes of the illustrative embodiments may be applied to a multiprocessor data processing system other than the SMP system mentioned previously without departing from the spirit and scope of the present invention.
Moreover, data processing system 200 may take the form of any of a number of different data processing systems, including client computing devices, server computing devices, a tablet computer, a laptop computer, a telephone or other communication device, a personal digital assistant (PDA), or the like. In some illustrative examples, data processing system 200 may be a portable computing device configured with flash memory to provide non-volatile memory for storing operating system files and/or user-generated data. Essentially, data processing system 200 may be any known or later developed data processing system without architectural limitation.
The computing devices of Figs. 1 and 2 may be used to implement one or more aspects of the illustrative embodiments. For example, a server computing device, such as server 104 in Fig. 1, may be used to implement a Web application that may be accessed by one or more client computing devices, such as clients 110, 112 and 114. Before the Web application is deployed, or after the Web application has been implemented on server 104, the mechanisms of the illustrative embodiments may be employed to analyze the Web application and determine whether the downgraders implemented by, or in association with, the Web application comply with security criteria. The mechanisms for performing the analysis of the Web application may be implemented on a server computing device, such as the server 104 on which the Web application is to be deployed or is implemented, on a client computing device 110, 112 or 114, on another computing device, on a plurality of computing devices, or the like.
Fig. 3 is an example block diagram of the primary operational elements of an application analysis mechanism in accordance with one illustrative embodiment. The elements shown in Fig. 3 may be implemented in software, hardware, or any combination of software and hardware. In one illustrative embodiment, the elements of Fig. 3 are implemented as software instructions executed by one or more processors of one or more computing devices.
As shown in Fig. 3, application analysis mechanism 300 comprises a controller 310, an input/output interface 320, a downgrader detection engine 330, a downgrader abstraction engine 340, a downgrader evaluation engine 350, a security criteria engine 360, a downgrader defect/incompatibility detection engine 370, and a legal/illegal string pattern database 380. Downgrader defect/incompatibility detection engine 370 may further operate on an environment context specification 390, which may be stored together with application analysis mechanism 300 or may be provided from an external source as an input to application analysis mechanism 300. The same holds for any of elements 310-390: rather than being a single mechanism as depicted in Fig. 3, any of these elements may be distributed across multiple computing devices, and therefore any of them may, to some extent, be "external" to application analysis mechanism 300 while still operating in conjunction with the other elements that make up application analysis mechanism 300.
Controller 310 controls the overall operation of application analysis mechanism 300 and orchestrates the operation and use of each of the other elements 320-390. Input/output interface 320 operates to receive inputs, such as the Web application code to be analyzed, user input (if any) for configuring the operation of application analysis mechanism 300, and the like. Input/output interface 320 further operates to generate outputs for providing notifications to developers, security personnel or other users, informing them whether the downgraders of their Web application satisfy the established security criteria and, if not, which violations exist. Moreover, based on the analysis performed by downgrader defect/incompatibility detection engine 370, input/output interface 320 may further generate outputs that notify developers, security personnel or other users of any defects and/or incompatibilities between their downgraders and the environment to be protected, as discussed in greater detail hereafter.
Downgrader detection engine 330 analyzes the application code to detect where downgrader code may occur within the application code. In one illustrative embodiment, downgrader detection engine 330 may locate downgrader code within the application code using string analysis, in the manner described in, for example, U.S. patent application Ser. No. 12/575,647 (hereafter referred to as the '647 application). Of course, other known or later developed mechanisms for detecting downgrader code in application code may be used without departing from the spirit and scope of the illustrative embodiments.
To provide one example of how downgrader code may be identified in application code, assume that the string analysis of the '647 application is used. In that string analysis, the application code is first converted into a context-free grammar (CFG) with string operations, in the manner described in, for example, Yasuhiko Minamide, "Static Approximation of Dynamically Generated Web Pages," Proceedings of the 14th International Conference on World Wide Web (WWW '05), 2005. The string operations are then removed from the CFG by applying, on the CFG, approximating string-operation functions that correspond to the string operations in the source application code, thereby producing production rules. These production rules are typically represented in the form N → X1 … Xn, where N is a variable and X1 … Xn are variables or characters, and together they constitute the context-free grammar. An approximating string-operation function converts a CFG into another CFG using, for example, a transducer, that is, a finite state automaton with output. The approximating string operations are applied iteratively until no string operation remains in the production rules. The result is a CFG whose production rules contain no string operations.
That is, the code is represented as a context-free grammar whose start variable corresponds to the approximated string of interest. For example, assume this string is v in "v = v1.concat(v2);". To compute the possible values of v, it is necessary to know the abstract values of v1 and v2 and, once the values of v1 and v2 are known, to model the effect of the "concat" operation on v1 and v2 and remove the "concat" operation from the grammar. This is the meaning of the statement above that the approximating string operations are applied iteratively until no string operations remain in the production rules.
Assuming it is also known that v depends on v1 and v2, the approximation may consider v1 and v2 recursively (each in turn) as the start variable. To obtain the possible values of these strings, the original production rules are not necessarily needed (unless there is a cyclic definition, as discussed further below). Once this recursive consideration of v1 and v2 has been performed, the operation returns to the grammar for v and applies the transducer that approximates the effect of "concat". This results in a simplified grammar in which the "concat" operation no longer appears and which, in fact, assigns a value to v with a simple rule. Handling cyclic definitions requires a fixed-point iteration rather than the recursion described above, for example when the concatenation is performed inside a loop: during the i-th iteration the value of v depends on its value in the (i-1)-th iteration. As a further example, consider the following Java program, in which, after initialization with the string value "a", "a" is appended three times to the string held in the variable.
In terms of production rules, the CFG below is obtained by converting each application variable v into a non-terminal string variable Sv and converting "=" into →, where concatenation by + is treated as concatenation in the CFG.
Sa → a
Sa → Sa a
Sr → Sa
For example, the CFG with start symbol Sa represents the set of possible string values of application variable a, and it generates the set of strings {"a", "aa", "aaa", "aaaa", …}. Likewise, the symbol Sr represents the set of possible string values of program variable r. This set contains strings that are never actually assigned to the variables a and r, because the string analysis completely ignores the condition of the "for" statement.
When the application code uses predefined string operations, such as String.substring in the application code fragment shown below, sound approximations are used to convert each string operation in the application code into a CFG. For example, consider the predefined string operation in the following code fragment:
String a = "xxa";
for (int i = 0; i < 3; i++) a = a + "a";
String r = a.substring(2);
Soundness of an approximating string operation means that the CFG computed by the approximating string operation contains all of the actual strings computed by the predefined string operation to which the approximating string operation corresponds.
Soundness can be defined formally as follows: for a string operation f, an approximation of f is sound if, for every set of strings S, the set of strings it computes from S contains S′, where S′ = {s′ | s′ = f(s), s ∈ S}. One way to approximate a predefined string operation is to use a transducer, which is an automaton with output. It is known that the image of a CFG under a transducer is again a CFG. Another way is a homomorphism on (Σ, +), where Σ is the character set and + denotes concatenation, or a function that always returns the CFG of all strings that may possibly be returned by the corresponding predefined string operation, and so on. The production rules below, which contain the approximating string operation substring(_, 2), are obtained from the application code fragment above using a sound approximation.
Sa → xxa
Sa → Sa a
Sr → substring(Sa, 2)
With reference now to Fig. 4, transducer 400 is illustratively depicted. The approximating string operation substring(_, 2) is defined by transducer 400 and is a sound approximation of the string operation substring(_, 2). By applying the depicted transducer 400 to the grammar comprising the production rules above, the CFG below is obtained, which represents the set {"a", "aa", "aaa", "aaaa", …}.
S′a → a
S′a → S′a a
Sr → S′a
In Fig. 4, the label A represents any character, and A/ε represents the conversion of any single character to the empty string, that is, the deletion of that character. Using a "sound" transducer, the resulting set of values is a safe approximation of the strings that the operation can produce at run time. Thus, for "substring(_, 2)", the transducer expresses that two characters are simply deleted from the string, as indicated by the label A/ε (essentially, delete the character A). This yields a new CFG, which is the result of applying the transducer to the original grammar.
After the above mechanism has been applied iteratively to the application code, a set of production rules is obtained that represents the application but in which no string operation occurs.
Thus, the result of the string analysis is a CFG comprising the resulting production rules.
With reference to Fig. 5, one illustrative embodiment for implementing static string analysis in accordance with an illustrative embodiment will now be described. The description first presents the procedure for intra-procedural string analysis and then explains how it extends to inter-procedural string analysis. The implementation details shown assume that the string analysis is implemented on top of a static analysis framework. The static analysis framework used may be any known framework and may include, for example, the T. J. Watson Libraries for Analysis (WALA), which is available as an open source product from wala.sourceforge.net.
To describe the intra-procedural string analysis, consider the following nappend method in Java:
In block 502, the program is transformed into static single assignment (SSA) form, in which the instructions are given pseudo-labels. An example of the transformation is illustratively shown below:
main(String)
1. a = "a"
2. b = "b"
3. r = nappend(a, b, 3)
nappend(String)
1. b1 = n == 0
2. goto 6 if b1
3. v1 = x + y
4. r1 = nappend(v1, y, n-1)
5. goto 8
6. r2 = x
7. goto 8
8. r = phi(r1, r2)
9. return r
The call graph of this program is depicted in Fig. 6. The pseudo-labeled instructions used in the program above include v = val, for assigning the value val to the variable or field v; v = obj.func(v1, …, vn), for a method call with parameters v1, …, vn; goto N, for an unconditional jump to label N; and goto N if v, for a conditional jump to label N under the condition v. In addition, the SSA transformation introduces new variables and represents φ-functions as phi(v1, v2), producing a program in which each variable has exactly one assignment. This property of SSA form is well suited to finding data dependencies.
In block 504, in the same manner as described above, the assignments in the SSA form, except for the conditional and unconditional jumps, are converted into a set of production rules with string operations 506. In particular, v = phi(v1, v2) is converted into the two production rules Sv → Sv1 and Sv → Sv2, so that it represents the union of the two sets of strings assigned to v1 and v2, respectively. By this conversion, the following production rules are obtained from the pseudo-SSA form of the nappend method:
Sv1 → Sx Sy
Sr2 → Sx
Sr → Sr1
Sr → Sr2
For inter-procedural string analysis, the intra-procedural string analysis can be extended using the call graph information built by WALA, whose context sensitivity can be controlled flexibly by known methods. Each variable in the SSA program is annotated with its call graph node. All production rules are combined after the production rules resulting from the method calls have been converted. Production rules are introduced that describe the dependencies between the variables of the calling method that represent the parameters and the result of the call and the parameters and return value of the called method. For example, if the context-insensitive call graph is as shown in Fig. 6, the following production rules are introduced, where the superscript of each non-terminal symbol represents the corresponding call graph node:
The complete set of production rules with string operations 506 obtained from the program includes:
An optional pointer analysis 508 may be performed to identify how constant strings flow between methods to variables, and to identify whether the same object is assigned to different variables in potentially different methods, even when those objects are created dynamically. In block 510, the following CFG is obtained, which predicts the possible strings assigned to the variable r in the main method, and whose start symbol is
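As an added example (not the patent's or WALA's code), the following script performs the conversion described in blocks 502 to 506 on the pseudo-SSA listing above: each string assignment becomes a production rule, phi(v1, v2) becomes two rules, and, context-insensitively, each call binds the callee's parameters to the caller's arguments and the caller's result variable to the callee's return value. The instruction encoding, the non-terminal naming S<var>@<method> (the page uses a superscript for the call-graph node), the "op" instruction kind that keeps a predefined string operation symbolic for later approximation, and the treatment of the integer parameter n are this example's own choices; the rule set it produces is this example's own derivation, not the page's listing.

```python
"""Added example, not the patent's or WALA's code: convert pseudo-SSA listings
into production rules with string operations (blocks 502-506), extended
inter-procedurally as the page describes.  Instruction encoding and the
non-terminal naming S<var>@<method> are this example's own choices."""

# One tuple per pseudo-SSA instruction of the page's listing.  Jumps and the
# integer test "b1 = n == 0" produce no rules, as the page states.
#   ("const", v, text)           v = "text"
#   ("copy", v, x)               v = x
#   ("concat", v, x, y)          v = x + y
#   ("phi", v, x, y)             v = phi(x, y)
#   ("op", v, name, arg, ...)    v = name(arg, ...), kept symbolic (e.g. substring)
#   ("call", v, callee, [args])  v = callee(args...)
#   ("ret", v)                   return v
PROGRAM = {
    "main": [("const", "a", "a"), ("const", "b", "b"),
             ("call", "r", "nappend", ["a", "b"])],
    "nappend": [("concat", "v1", "x", "y"),
                ("call", "r1", "nappend", ["v1", "y"]),
                ("copy", "r2", "x"),
                ("phi", "r", "r1", "r2"),
                ("ret", "r")],
}
STRING_PARAMS = {"nappend": ["x", "y"]}  # the int parameter n carries no string

def nt(var, method):
    """Non-terminal for variable `var` of `method`; 'ret' names the return value."""
    return f"S{var}@{method}"

def productions(program, string_params):
    """Return the set of (lhs, rhs) rules; rhs is a tuple of ("T", text),
    ("N", non-terminal) or ("OP", name, args) symbols."""
    rules = set()
    for method, insns in program.items():
        for op, target, *rest in insns:
            lhs = nt(target, method)
            if op == "const":
                rules.add((lhs, (("T", rest[0]),)))
            elif op == "copy":
                rules.add((lhs, (("N", nt(rest[0], method)),)))
            elif op == "concat":                      # v = x + y  ->  Sv -> Sx Sy
                rules.add((lhs, tuple(("N", nt(v, method)) for v in rest)))
            elif op == "phi":                         # union of both incoming values
                for v in rest:
                    rules.add((lhs, (("N", nt(v, method)),)))
            elif op == "op":                          # variables become non-terminals,
                name, *args = rest                    # other arguments stay literal
                sym_args = tuple(nt(a, method) if isinstance(a, str) else a for a in args)
                rules.add((lhs, (("OP", name, sym_args),)))
            elif op == "call":                        # parameter and return binding
                callee, args = rest
                for param, arg in zip(string_params[callee], args):
                    rules.add((nt(param, callee), (("N", nt(arg, method)),)))
                rules.add((lhs, (("N", nt("ret", callee)),)))
            elif op == "ret":
                rules.add((nt("ret", method), (("N", nt(target, method)),)))
            else:
                raise ValueError(f"unknown instruction kind {op!r}")
    return rules

def render(rules):
    """Rules as 'Sv@m -> Sx@m Sy@m' lines, sorted for stable reading."""
    def sym(s):
        if s[0] == "T":
            return f'"{s[1]}"'
        if s[0] == "N":
            return s[1]
        return f"{s[1]}({', '.join(map(str, s[2]))})"
    return sorted(f"{lhs} -> {' '.join(map(sym, rhs))}" for lhs, rhs in rules)

if __name__ == "__main__":
    print("\n".join(render(productions(PROGRAM, STRING_PARAMS))))
```

Because the recursive call binds Sx@nappend to Sv1@nappend and Sy@nappend to itself, the resulting grammar is recursive even though every SSA variable is assigned once; this is what makes the later string analysis a fixed-point computation rather than a simple substitution.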
With reference to Fig. 7, a block/flow diagram illustratively depicts a system and method for static detection and classification of information-flow downgraders in accordance with an illustrative embodiment. The system and method shown in Fig. 7 may be implemented in downgrader detection engine 330 of Fig. 3, for example, to detect the portions of the application code that correspond to downgraders.
As shown in Fig. 7, in block 702, a program stored in a memory device is provided from a separate device, for example through input/output interface 320 of Fig. 3, and a static analyzer transforms the variables so that each variable in the instruction set is assigned exactly once. This includes transforming the application code by using pseudo-labels for the assignments to code variables. In block 704, the instruction set is converted into production rules with string operations in the manner described above. In block 706, a pointer analysis may optionally be performed on the production rules with string operations, as is known in the art, to improve precision.
In block 708, a context-free grammar is generated from the production rules. In block 710, the CFG is checked against one or more function specifications to identify information-flow downgrader functions. The one or more function specifications comprise string patterns, such as regular expressions. The string patterns are provided by the analysis tool or by the user and represent the set of strings that can (or cannot) be used in a security-sensitive operation. For example, the strings "<" and ">" are considered unsafe because cross-site scripting (XSS) attacks typically use these characters. Accordingly, the regular expression ".*[<>].*" (that is, the statement that strings containing "<" and ">" are unsafe) can be part of the specification of an information-flow downgrader used to prevent XSS attacks.
The one or more functions preferably include the security-sensitive functions in the application code. This may include the detection and classification of downgrader functions based on the intent of the downgrader function.
In block 712, the CFG is preferably compared against the specification of the information-flow downgrader, so that if the grammar satisfies the specification, the input is considered to have been downgraded correctly. The comparison between the context-free grammar and the regular expression specification may be performed, for example, by a CFL-reachability algorithm, such as the one described in Thomas Reps, "Program Analysis via Graph Reachability," University of Wisconsin, August 1998.
For example, the one or more function specifications are used to classify a downgrader function as a correct downgrader for one or more security vulnerabilities. Assume that there are multiple string patterns (regular expressions), each corresponding to a security vulnerability such as cross-site scripting (XSS) or HTTP response splitting (HRS). For instance, when string patterns for XSS and HRS are present, the obtained CFG is compared with the two string patterns. If the intersection of the CFG and the XSS pattern is not empty, then the corresponding function is detected as a correct information-flow downgrader for XSS, where the intersection may be computed by, for example, the CFL-reachability algorithm mentioned above. Likewise, if the intersection of the CFG and the HRS pattern is not empty, then the corresponding function is detected as a correct information-flow downgrader for HRS. It should be noted that in this example a function may be detected as a correct information-flow downgrader for both XSS and HRS. Of course, the present invention is not limited to XSS and HRS and may be used for any known or later developed security vulnerability.
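The following is an added example that is not part of the patent or of the '647 application. It puts the two pieces of machinery described above into runnable form: the transducer approximation of substring(_, 2) from the "xxa" fragment and Fig. 4, applied until the grammar is free of string operations, and the comparison of the resulting grammar with a regular string pattern such as ".*[<>].*" by testing whether their intersection is empty. The encoding of grammars and transducers, all names (delete_k, strip_brackets, GRAMMAR, XSS_PATTERN, product_grammar, intersects, ...), and the constructed sanitizer replaceAll("[<>]", "") with its arbitrary input Sx are this example's own assumptions. The intersection is computed exactly with the classic CFG x automaton product followed by a productivity (emptiness) check rather than with the CFL-reachability algorithm cited above. In this example the pattern describes illegal strings, so an empty intersection for the sanitizer's output Sy means that no string containing "<" or ">" can leave the sanitizer, while the raw input Sx does intersect the pattern.

```python
"""Added example, not the patent's or WALA's code: a toy of the string analysis
on this page.  Code becomes a context-free grammar (CFG); each string operation
is replaced by a sound transducer approximation until none is left; the
operation-free grammar is then intersected exactly (CFG x automaton product)
with a regular pattern such as ".*[<>].*".  Encoding and names are this example's own."""
from itertools import count, product

# Symbols: ("T", text), ("N", name), ("OP", name, transducer) = operation applied
# to non-terminal `name`.  transducer = (states, step(text, state) -> (state', out)).

def delete_k(k):
    """substring(_, k): drop the first k characters (states 0..k, cf. Fig. 4)."""
    return range(k + 1), lambda t, p: (p + len(t), "") if len(t) < k - p else (k, t[k - p:])

def strip_brackets():
    """A sanitizer such as replaceAll("[<>]", "") as a one-state transducer."""
    return range(1), lambda t, p: (0, t.replace("<", "").replace(">", ""))

# Page fragment: String a = "xxa"; for (...) a = a + "a"; String r = a.substring(2);
# (loop condition ignored).  Sx: constructed arbitrary input over {a,<,>}; Sy: sanitized Sx.
GRAMMAR = {
    "Sa": [(("T", "xxa"),), (("N", "Sa"), ("T", "a"))],
    "Sr": [(("OP", "Sa", delete_k(2)),)],
    "Sx": [(("T", ""),)] + [(("T", c), ("N", "Sx")) for c in "a<>"],
    "Sy": [(("OP", "Sx", strip_brackets()),)],
}
# Acceptor for .*[<>].*: state 1 (accepting) once a bracket has been read.
XSS_PATTERN = range(2), lambda t, p: (int(p == 1 or "<" in t or ">" in t), t)

def reachable(grammar, start):
    seen, todo = set(), [start]
    while todo:
        n = todo.pop()
        if n not in seen:
            seen.add(n)
            todo += [s[1] for rhs in grammar[n] for s in rhs if s[0] == "N"]
    return seen

def product_grammar(grammar, states, step, prefix):
    """CFG x automaton (Bar-Hillel style): N^{p,q} derives what the automaton
    emits on the strings of N that take it from state p to state q."""
    out = {}
    for name, rhss in grammar.items():
        for p, q in product(states, repeat=2):
            out[f"{prefix}{name}^{p},{q}"] = rules = []
            for rhs in rhss:
                if not rhs and p != q: continue  # an empty production keeps the state
                for mids in product(states, repeat=max(len(rhs) - 1, 0)):
                    chain, new_rhs = (p,) + mids + (q,), []
                    for sym, s, t in zip(rhs, chain, chain[1:]):
                        assert sym[0] != "OP", "approximate inner operations first"
                        if sym[0] == "N":
                            new_rhs.append(("N", f"{prefix}{sym[1]}^{s},{t}"))
                        else:
                            end, emitted = step(sym[1], s)
                            if end != t: break
                            new_rhs += [("T", emitted)] if emitted else []
                    else:
                        rules.append(tuple(new_rhs))
    return out

def productive(grammar):
    """Non-terminals that derive at least one string (least fixpoint)."""
    prod = set()
    while new := {n for n, rhss in grammar.items() if n not in prod and any(
            all(s[0] == "T" or s[1] in prod for s in rhs) for rhs in rhss)}:
        prod |= new
    return prod

def language(grammar, start, max_len):
    """Strings of length <= max_len derivable from start (operation-free grammar)."""
    lang, changed = {n: set() for n in grammar}, True
    while changed:
        changed = False
        for name, rhss in grammar.items():
            for rhs in rhss:
                partial = {""}
                for sym in rhs:
                    choices = {sym[1]} if sym[0] == "T" else lang[sym[1]]
                    partial = {a + b for a in partial for b in choices if len(a + b) <= max_len}
                changed |= not partial <= lang[name]
                lang[name] |= partial
    return lang[start]

def eliminate_operations(grammar):
    """Replace each OP symbol by its transducer approximation until none remains."""
    grammar = {n: list(r) for n, r in grammar.items()}
    for n_op in count(1):
        hits = [(n, i, j) for n, rhss in grammar.items() for i, rhs in enumerate(rhss)
                for j, s in enumerate(rhs) if s[0] == "OP"]
        if not hits: return grammar
        name, i, j = hits[0]
        _, inner, (states, step) = grammar[name][i][j]
        prefix = f"op{n_op}_"
        sub = {n: grammar[n] for n in reachable(grammar, inner)}
        grammar.update(product_grammar(sub, states, step, prefix))
        # any end state is allowed: the fresh non-terminal unions inner^{0,q} over q
        grammar[prefix + inner] = [(("N", f"{prefix}{inner}^0,{q}"),) for q in states]
        grammar[name][i] = tuple(("N", prefix + inner) if jj == j else s
                                 for jj, s in enumerate(grammar[name][i]))

def intersects(grammar, start, pattern, accepting):
    """Exact emptiness test of L(start) ∩ L(pattern) on an operation-free grammar."""
    states, step = pattern
    sub = {n: grammar[n] for n in reachable(grammar, start)}
    prod = productive(product_grammar(sub, states, step, "pat_"))
    return any(f"pat_{start}^0,{f}" in prod for f in accepting)
```

language() is a bounded enumeration for inspection only; intersects() is the exact test. With the grammar above, language(eliminate_operations(GRAMMAR), "Sr", 4) yields {"a", "aa", "aaa", "aaaa"}, the set the text derives for S′a, and intersects() reports that the raw input Sx can reach the XSS pattern while the sanitizer's output Sy and the page's Sr cannot.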
Another approach that may be used, in addition to the string analysis employed in the illustrative embodiments of the present invention, is to perform the string analysis using a monadic second-order abstraction of the downgrader. Referring again to Fig. 3, after one or more downgraders have been identified in the application code, in the manner described above or in any other manner, downgrader abstraction engine 340 is used to build an abstract representation of the downgrader. That is, downgrader abstraction engine 340 may be applied to each downgrader identified in the application code in order to generate an abstract representation of the downgrader that can be used to model the downgrader separately.
In one illustrative embodiment, downgrader abstraction engine 340 may implement monadic second-order logic on the strings in the downgrader, where the downgrader code is expressed as a formula in monadic second-order logic. An example implementation of monadic second-order logic applied to strings is described in Elgaard et al., "MONA 1.x: New Techniques for WS1S and WS2S," available at www.brics.dk/mona/papers/mona1x-new-technique-ws1s-ws2s/article.pdf, which is hereby incorporated by reference.
Using this monadic second-order logic, instructions in the downgrader code that do not operate on the input to the downgrader code may either be ignored or be represented in a manner that reflects the effect of the instruction on the result of the downgrader. For example, a test of the form "if (input.contains("xyz")) { … }" is represented by asserting, within the body of the conditional, that the input contains the string "xyz".
Referring again to Fig. 3, using the abstract representation generated by downgrader abstraction engine 340, downgrader evaluation engine 350 evaluates the manner in which the downgrader in the application code processes the input to the downgrader code, for example by assessing the manner in which a sanitizer changes or deletes/replaces suspicious portions of the input, or the manner in which a validator determines whether the input is legal and decides whether to reject the input. This evaluation includes comparing the downgrader's processing of the input against a specification, where the specification is, for example, a formal set of security criteria specifying how the downgrader should operate. For example, security criteria engine 360 may provide pre-established security criteria setting forth the rules and conditions under which a downgrader is required to operate in order to avoid any security problems in the operation of the application code. These pre-established security criteria may be defined by security personnel and set forth in a database or other data structure associated with security criteria engine 360. Security criteria engine 360 may provide one or more user interfaces through which security personnel or other users may define these security criteria and store them in the database or data structure.
For example, assume that a pre-established security criterion for downgraders is that the input to the downgrader must either be accepted or rejected (e.g., as a validator does), but must not be changed by the downgrader (e.g., as a sanitizer does). This security criterion favors validators over sanitizers. Functionally, validators and sanitizers can both correctly ensure the security of the application; however, sanitizers may be harder to reason about (e.g., the side effects of the replacement operations performed by the sanitizer have to be taken into account) and more problematic with respect to user expectations (e.g., the changes performed by the sanitizer may invalidate some logical aspect of the input).
Given the abstract representation of the downgrader generated by downgrader abstraction engine 340, static analysis logic 352 of downgrader evaluation engine 350 interprets the effect of the operations that the downgrader performs on its input and determines whether the input is transformed, that is, whether the downgrader implements a sanitizer. If so, and a security criteria rule provided by security criteria engine 360 is in place which indicates that the input to the downgrader must not be transformed, then downgrader evaluation engine 350 may generate an output indicating that a security criteria violation occurred in the evaluated downgrader. This output may be a notification message sent to a specified contact address, an output generated on an output device of a client computing device, such as a display device, a printer or the like, or similar. For example, the notification message may indicate the application, the security criterion violated, and the location in the application code where the security criteria violation was detected, that is, which downgrader violates the security criterion.
Moreover, downgrader evaluation engine 350 may include logic for identifying the violation and consulting a knowledge base 354 associated with downgrader evaluation engine 350 to determine suggestions for modifying the downgrader code so that the downgrader conforms to the established security criteria. For example, if it is determined that the downgrader changes the input and produces a sanitized output, and the above security criterion is in place, then downgrader evaluation engine 350 may consult knowledge base 354 based on the detected violation and on other information about the structure of the downgrader code extracted using the static analysis mechanisms, and may suggest modifying the downgrader code so that the sanitizing elements of the downgrader code that change the input are replaced by code that either accepts or rejects the input without changing it.
In some illustrative embodiment, downgrader evaluation engine 350 can also comprise downgrader marking logic 356.Fall
Level device marking logic 356 operation identifies what downgrader deviateed from the safety criterion of the establishment provided by safety criterion engine 360
Degree, and quantify this departure degree come for downgrader produce mark.Such as, mark can be simply and be downgraded device to multiple
The counting of the safety criterion that code is violated, the weighted count of multiple safety criterion violated, wherein weight is disobeyed with specific
The safety criterion violated is associated thereby indicate that the priority of safety criterion, etc..
Such as, once calculate in the above described manner relative to the deviation of the safety criterion established based on it, downgrader
Mark can compare with the threshold values of one or more establishments and obtain instruction, be considered to represent correspondence according to this instruction downgrader
It it is slight, medium or important security threat for.This classification based on downgrader to security threat level, permissible
Perform various process.Represent the downgrader of slight security threat for example, it is possible to identify simply and send out to suitable user
Send the potential safety problem notifying that they associate with downgrader.The degradation of the security threat medium and important to expression
Device can produce have higher priority notice and be sent to one or more user and can comprise further about
To the amendment proposed by this downgrader code so that downgrader meets the information of the safety criterion established.
In some illustrative embodiments, the downgrader evaluation engine 350 can automatically revise the downgrader code based on the evaluation of the downgrader against the established safety criteria, so that the downgrader is brought into compliance with the safety criteria, or so that the security threat posed by the downgrader is at least mitigated. For example, in one illustrative embodiment, if the downgrader is determined to be a sanitizer and is determined to represent an important security threat, the downgrader evaluation engine 350 can automatically revise the downgrader code to turn it into a validator, thereby reducing the security threat. The modified code can then be supplied to the appropriate user, after which it can be recompiled before being deployed to a computing device.
Thus, the mechanisms of the illustrative embodiments provide not only a mechanism for identifying downgrader code in application code, but also a mechanism for abstracting that downgrader code so that the downgrader's processing can be evaluated against the established safety criteria. In this way, an automated mechanism is provided for ensuring that a downgrader provides the minimum level of safety for the application, as defined by the safety criteria. The mechanisms of the illustrative embodiments can use string analysis to recursively capture the concrete operational semantics of the downgrader and to model its operation in a way that leads to a conclusion about whether the downgrader actually meets the minimum safety criteria.
Fig. 8 is a flowchart outlining an example operation of an automated application analysis mechanism according to one illustrative embodiment. As shown in Fig. 8, the operation starts with receiving the application code to be analyzed (step 810). A static analysis mechanism is applied to the application code to identify downgrader code in it (step 820). For the next downgrader identified in step 820, an abstract representation of the downgrader is generated (step 830). The downgrader's processing is then evaluated against the established safety criteria using the abstract representation of the downgrader (step 840). Based on this evaluation, a determination is made as to whether any violation of the safety criteria is detected (step 850). If there is a violation, then, optionally, the degree of the violation, i.e., the deviation of the downgrader's processing from the safety criteria, is quantified to produce a score for the downgrader (step 860). This score can then be compared with one or more thresholds to classify the severity of the downgrader's violation of the safety criteria (step 870). Optionally, in addition, a knowledge base can be accessed to identify a recommended solution to the violation so that the downgrader is brought into compliance with the safety criteria (step 880).
Based on the detected violation and, optionally, the score and/or the information obtained from the knowledge base, a notification message about the safety criteria violation can be created and output (step 890). Thereafter, a determination is made as to whether the application code has other downgraders to be processed (step 895). If so, the operation returns to step 830; otherwise the operation terminates.
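The scoring, thresholding, knowledge-base lookup and notification steps 850-890 of Fig. 8, as an added Python example that is not part of the patent or of any product it describes. The XSS criteria, their weights, the severity thresholds, the knowledge-base entries and the three downgraders under evaluation are all constructed for this illustration. Instead of the static string analysis of an abstract representation, the example probes each downgrader with constructed attack witnesses: a validator violates a criterion when it accepts a witness matching the criterion's illegal pattern, a sanitizer when any string it returns still matches the pattern.

```python
import re
from dataclasses import dataclass
from typing import Callable, List

# A safety criterion: a priority weight and an illegal regular expression that
# no string accepted by a validator, or returned by a sanitizer, may match.
@dataclass(frozen=True)
class Criterion:
    name: str
    weight: int
    illegal: str

# Constructed XSS criteria (hypothetical); the second and third are the
# "more restrictive" kind of pattern the text mentions.
CRITERIA = [
    Criterion("no-angle-brackets", 3, r"[<>]"),
    Criterion("no-javascript-uri", 2, r"(?i)javascript:"),
    Criterion("no-event-handler", 1, r"(?i)\bon\w+\s*="),
]

# Constructed attack witnesses used to probe a downgrader; they stand in for
# the string analysis of the abstract representation described in the text.
WITNESSES = [
    "<script>alert(1)</script>",
    '<a href="javascript:alert(1)">x</a>',
    "<img src=x onerror=alert(1)>",
    "JAVASCRIPT:alert(1)",
]

# Thresholds on the weighted score (hypothetical values), highest first.
SEVERITY_THRESHOLDS = [(6, "important"), (3, "medium"), (1, "slight")]

# Knowledge base of recommended fixes, keyed by criterion name (hypothetical).
KNOWLEDGE_BASE = {
    "no-angle-brackets": "HTML-encode '<' and '>' or reject strings containing them",
    "no-javascript-uri": "reject or strip the 'javascript:' scheme case-insensitively",
    "no-event-handler": "reject or strip on*= attribute names",
}

def violations(kind: str, fn: Callable[[str], object]) -> List[Criterion]:
    """Criteria violated by downgrader fn of the given kind ("validator" or "sanitizer")."""
    found = []
    for c in CRITERIA:
        rx = re.compile(c.illegal)
        for w in WITNESSES:
            if kind == "validator":
                unsafe = bool(rx.search(w)) and bool(fn(w))   # accepts an illegal input
            else:
                unsafe = bool(rx.search(fn(w)))               # returns an illegal output
            if unsafe:
                found.append(c)
                break
    return found

def classify(score: int) -> str:
    """Map the weighted violation count onto the slight/medium/important levels."""
    for threshold, level in SEVERITY_THRESHOLDS:
        if score >= threshold:
            return level
    return "none"

def evaluate(name: str, kind: str, fn: Callable[[str], object]) -> dict:
    """Detect violations, score, classify, consult the knowledge base and build the notification."""
    bad = violations(kind, fn)
    score = sum(c.weight for c in bad)           # weighted count of violated criteria
    severity = classify(score)
    recs = [f"{c.name}: {KNOWLEDGE_BASE[c.name]}" for c in bad]
    if kind == "sanitizer" and severity == "important":
        recs.append("replace the input-modifying sanitizer with a validator "
                    "that rejects input matching the illegal patterns")
    priority = "high" if severity in ("medium", "important") else "low"
    return {"downgrader": name, "kind": kind, "score": score, "severity": severity,
            "violations": [c.name for c in bad], "recommendations": recs,
            "notification": f"[{priority}] {name} ({kind}): {severity} threat, score {score}"}

# Constructed downgraders under evaluation.
def strip_tags(s: str) -> str:          # sanitizer: removes <...> sequences only
    return re.sub(r"<[^>]*>", "", s)

def lowercase_only(s: str) -> str:      # sanitizer: changes the input but removes nothing
    return s.lower()

def naive_validator(s: str) -> bool:    # validator: only blocks a literal "<script"
    return "<script" not in s.lower()

if __name__ == "__main__":
    for name, kind, fn in [("strip_tags", "sanitizer", strip_tags),
                           ("lowercase_only", "sanitizer", lowercase_only),
                           ("naive_validator", "validator", naive_validator)]:
        print(evaluate(name, kind, fn))
```

`strip_tags` scores 2 (slight: it leaves a bare `javascript:` string untouched), while both `lowercase_only` and `naive_validator` score 6 (important); only the sanitizer additionally receives the text's recommendation to be turned into a validator.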
It should be noted that although the illustrative embodiments described above describe one mechanism for identifying downgraders in application code, such as the code of a Web application, the illustrative embodiments are not limited to this mechanism. On the contrary, any mechanism for locating code sections in the application code that correspond to, or perform, downgrader functions may be used without departing from the spirit and scope of the illustrative embodiments. Moreover, although the illustrative embodiments are described as being applied to Web applications and to information flows associated with Web applications, they are not limited to these. On the contrary, the illustrative embodiments can be used with any application code that implements downgraders, or that has downgraders associated with it.
Referring again to Fig. 3, in addition to the mechanisms described above for finding downgraders and evaluating them against the established safety criteria, the illustrative embodiments also provide a mechanism, such as the downgrader defect/incompatibility detection engine 370, for detecting defects in downgraders and incompatibilities between downgraders and the systems they are meant to protect, even where the downgrader satisfies the established safety criteria discussed above. That is to say, whereas the previously described mechanisms can determine whether a downgrader performs the type of safety operation, with respect to the safety criteria, that the downgrader is expected to perform, the further mechanisms of the illustrative embodiments described below include logic for ensuring that the specific implementation of the downgrader performs those safety operations properly in a specific environment, i.e., that the implementation of the downgrader and the environment in which it is deployed have no defects or incompatibility problems.
In addition, the illustrative embodiments can also handle correctness problems of a downgrader that go beyond compatibility problems with the deployment environment. That is, if the downgrader code is compatible with the deployment environment but the downgrader code itself does not work correctly, i.e., it does not match all of the illegal patterns it should match to ensure the safety of the system it is associated with, then the matching mechanisms of the illustrative embodiments will detect these defects in the operation of the downgrader. These are referred to as "corner cases" that the downgrader fails to handle properly. Compatibility problems with the deployment environment are referred to as "horizontal" problems, and problems concerning the downgrader's handling of corner cases are referred to as "vertical" problems.
The illustrative embodiments provide a mechanism that uses static analysis techniques to automatically identify whether a downgrader is incomplete, incorrect, or incompatible with the back-end software/hardware, i.e., the environment it is expected to protect. This is done using three basic components. The first component is a string analysis mechanism which, based on a proper computation of the strings the downgrader may receive as input, computes a safe approximation of the set of strings that the downgrader may output if it operates correctly.
The second component is a set of "illegal patterns", which is a partially ordered set of sequences concerning the correctness of the downgrader's validator or sanitizer. An illegal pattern is a compact representation of a set of strings (for example, a regular expression or a context-free grammar) that the validator/sanitizer processing must not return/accept. That is, an illegal pattern is a regular expression e such that, for a validator V to be considered safe with respect to expression e, V must reject any input string that matches expression e, and for a sanitizer S to be considered safe with respect to expression e, no string returned by sanitizer S may match expression e.
To illustrate what an illegal pattern means, consider two patterns A and B, where pattern A is a strict subset of pattern B. If a downgrader's validator operates correctly for pattern B, then it can be concluded that the validator operates correctly in general, i.e., for pattern A as well. However, if the validator operates correctly only for pattern A and not for pattern B, then the validator is incorrect in its operation, because there are strings in pattern B, but not in pattern A, that the validator may return/accept but which are unsafe. For example, a possible illegal pattern for a cross-site scripting (XSS) attack is one asserting that a safe string does not contain "<" or ">", i.e., a string containing "<" or ">" may indicate an XSS attack. A more restrictive illegal pattern may also require that the string not contain the substring "javascript:". Thus, the set of illegal patterns represents the sets of strings that may not be returned/accepted by the validator/sanitizer of the downgrader without compromising the security of the back-end software/hardware system. This partial ordering of the illegal string sets, i.e., restrictive, more restrictive, and so on, provides a mechanism that allows an in-depth analysis of which corner cases are not handled, and therefore the analysis can be used to indicate how the downgrader should be remedied or revised, as discussed below.
The third component is a specification of the environmental context that the downgrader is expected to protect, i.e., a description of the software, and in some cases the hardware, on which the downgrader is to operate. For example, the environmental context can specify the type of server on which the downgrader is to be, or has been, deployed (e.g., the model and number of processors, the amount of memory, etc.) and the database server software the server runs, such as Microsoft (MS) SQL Server, DB2, etc.
The environmental context information may further specify the type of application container in which the database application is deployed, e.g., Tomcat, JBoss, WebSphere, etc., because different containers parse requests and handle the results differently, which may dictate the use of different downgraders (for example, Tomcat deletes the "\r\n" pattern from parameter values, making those values safe against HTTP response splitting (HTTPRS) attacks, but in the case of WebSphere this is not necessarily so).
Referring again to Fig. 3, the environmental context 390, i.e., the "third component" mentioned above, can be specified by a user through input received via the input/output interface 320, one or more graphical user interfaces, or the like. Alternatively, the environmental context 390 can be automatically discovered or inferred from configuration information maintained by the system in which the environment resides. For example, for a database system, the environmental context specification 390 defining the type of database system can be discovered or inferred by analyzing the configuration information of the database system, examining the deployment of the database software, and so on. In other examples, involving for instance downgraders that handle cross-site scripting (XSS) attacks, HTML context information can be used. In such a case, a static data-flow analysis can be performed on the data flowing into the downgrader to determine which HTML rendering statements depend on the downgrader's output, and string analysis can then establish the HTML context at the point where this information is rendered. Such static analysis techniques are described in 12/825,293.
For a specific downgrader, the definition of the set of illegal patterns that the downgrader matches, i.e., identifies as illegal, can be provided by a user or otherwise determined by analysis of the downgrader code. That is, for different environments, a downgrader may match different illegal patterns. For example, the specific illegal patterns matched by a specific downgrader can be specified by the user and stored in the legal/illegal string pattern database 380, or otherwise associated with the specific downgrader. In other illustrative embodiments, however, the downgrader code can be analyzed by the downgrader defect/incompatibility detection engine 370 or another tool (not shown) to identify the specific patterns that the specific downgrader looks for and matches, either as the basis for rejecting the input (in the case of a validator) or as the basis for modifying the input (in the case of a sanitizer).
Further, multiple sets of illegal patterns can be stored in the legal/illegal string pattern database 380 for various types of downgraders, e.g., downgraders for XSS attacks, SQLi attacks, etc. The illegal pattern sets may also include illegal patterns for multiple different downgraders of the same type, and for the multiple different environments in which those downgraders may be implemented. For example, a specific set of illegal patterns can be identified based on the type of downgrader being evaluated. The downgrader defect/incompatibility detection engine 370 may, for example, determine the type of the downgrader being analyzed and retrieve the corresponding set of illegal string patterns from the legal/illegal string pattern database 380. The downgrader type can be determined from the application's context according to the vulnerable information flow that the downgrader is supposed to block. For example, if there is a downgrader call mediating an information flow from an XSS source to an XSS sink, the illustrative embodiments will verify that call against the XSS specification (including its illegal patterns). Based on the signature of the called method (e.g., String -> String for a sanitizer, String -> Boolean for a validator), the determination of which calls in a vulnerable information flow are candidate downgrader calls can be resolved heuristically.
For example, a downgrader for detecting and handling SQL injection (SQLi) attacks can be associated with a set of illegal string patterns such as the following:
".*('|\\x22|#|%|=|;|\\+|[cC][hH][aA][rR]\\s*\\(\\s*\\d+\\s*\\)).*" // SQL injection (using the # comment character)
".*('|\\x22|--|%|=|;|\\+|[cC][hH][aA][rR]\\s*\\(\\s*\\d+\\s*\\)).*" // SQL injection (using the -- comment characters)
".*('|\\x22|/\\*|\\*/|%|=|;|\\+|[cC][hH][aA][rR]\\s*\\(\\s*\\d+\\s*\\)).*" // SQL injection (using the /* */ comment characters)
The structure of these example illegal string patterns is as follows. Each pattern starts (and ends) with .*, which means that the pattern is matched anywhere within the downgrader's input string (see below). The pattern then contains an opening parenthesis ( that marks the start of what is considered the set of illegal patterns. The pattern then contains a list of illegal patterns separated by the pipe character |. The closing parenthesis ) closes the set of illegal patterns, and the pattern ends with .*.
For example, in the SQLi illegal string patterns defined above, the following illegal strings are to be matched:
'
" (written as \x22)
a comment delimiter: one of #, -- or /* */, depending on the SQL syntax used
%
=
;
+
char(\d+), i.e., the SQL "char" function followed by a series of one or more digits. Note that writing the name as [cC][hH][aA][rR] allows a case-insensitive match of the word "char"; the pattern author can thereby choose between case-sensitive and case-insensitive matching.
Except for one small but important part, each of these three illegal patterns is the same; the small but important part is the type of comment delimiter being matched. In the first pattern the # single-line comment delimiter is matched, in the second pattern the -- single-line comment delimiter is matched, and in the third the /* */ multi-line comment delimiters are matched. The other parts of each pattern remain constant.
Different SQL dialects use different styles of comments. For example, PL/SQL in Oracle databases and T-SQL in Microsoft databases use -- single-line and /* */ multi-line comments, whereas MySQL adds the # single-line comment to its list of legal comment syntax.
Each of the illegal patterns described above can be associated with a different environment in which the downgrader may be implemented (e.g., a SQL dialect such as T-SQL or PL/SQL). When identifying an input string that corresponds to a SQLi attack, the downgrader may match one of these illegal patterns. Essentially, if an input string is received at the downgrader and the input string, or a part of it, matches one of these patterns, then the downgrader detects the input string as a potential threat and either rejects the input (validator) or modifies the input string by deleting or altering the part of the input string that matches the illegal string pattern (sanitizer).
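The three SQLi illegal string patterns above, rebuilt in Python's `re` syntax (the patent shows them as Java string literals) and exercised as an added example that is not part of the patent: `matched_styles` reports which of the three dialect-specific patterns an input matches, `validate` shows the validator behaviour (reject on match) and `sanitize` the sanitizer behaviour (delete every part of the input that matches one of the pattern's alternatives). The sample input strings are constructed for this illustration.

```python
import re
from typing import Dict, List

# Alternatives shared by all three of the patent's SQLi illegal string patterns.
COMMON = [r"'", r"\x22", r"%", r"=", r";", r"\+",
          r"[cC][hH][aA][rR]\s*\(\s*\d+\s*\)"]

# The part that differs between the patterns: the comment delimiter(s).
COMMENT_STYLES: Dict[str, List[str]] = {
    "#":     [r"#"],            # MySQL single-line comment
    "--":    [r"--"],           # T-SQL / PL/SQL single-line comment
    "/* */": [r"/\*", r"\*/"],  # multi-line comment delimiters
}

def alternatives(style: str) -> List[str]:
    """Alternatives in the patent's order: quotes, comment delimiter, operators, char()."""
    return COMMON[:2] + COMMENT_STYLES[style] + COMMON[2:]

def illegal_pattern(style: str) -> str:
    """Build the .*( alt1 | alt2 | ... ).* illegal string pattern for one comment style."""
    return ".*(" + "|".join(alternatives(style)) + ").*"

PATTERNS = {style: re.compile(illegal_pattern(style)) for style in COMMENT_STYLES}

def matched_styles(s: str) -> List[str]:
    """Which of the three illegal string patterns the input string matches."""
    return [style for style, rx in PATTERNS.items() if rx.fullmatch(s)]

def validate(s: str, style: str) -> bool:
    """Validator behaviour: accept the input only if it does not match the pattern."""
    return PATTERNS[style].fullmatch(s) is None

def sanitize(s: str, style: str) -> str:
    """Sanitizer behaviour: delete every substring matching one of the pattern's
    alternatives, so that the returned string can no longer match the pattern."""
    return re.sub("|".join(alternatives(style)), "", s)

if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["admin' OR 1=1 -- ", "name # trailing", "name -- trailing",
                   "name /* hidden */", "CHAR(65)", "plain value"]:
        print(repr(sample), "->", matched_styles(sample))
    print(repr(sanitize("admin' OR 1=1 -- ", "--")))
```

A downgrader built for the wrong dialect leaves the other dialect's comment delimiter in place: sanitizing `"name -- trailing"` with the `#` pattern returns the string unchanged, and the `--` validator still rejects it, which is the incompatibility the following sections detect.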
The downgrader defect/incompatibility detection engine 370 uses the environmental context information 390 to determine which string patterns should be matched by a specific downgrader, i.e., which patterns the downgrader's validator/sanitizer should identify as illegal string patterns in the context of the specific environment. That is, the environmental context specification 390 can be used to determine which illegal string patterns in the set of illegal string patterns should be matched by the downgrader's implementation in the specific environment corresponding to the environmental context specification 390. As described below, it can then be determined whether the downgrader actually matches the illegal patterns it should match and, if not, an indication can be generated that the downgrader is incompatible with the environment in which it is deployed.
For example, a downgrader targeting SQL injection (SQLi) attacks against MS SQL Server will produce a specific set of outputs for a specific set of inputs. Thus, the string analysis mechanism of the downgrader defect/incompatibility detection engine 370 computes a safe approximation of the set of strings that the downgrader may return/accept, i.e., the set of strings that the downgrader effectively outputs for a given set of input strings if the downgrader works correctly and is compatible with the environment in which it is implemented. "Safe approximation" means that the set of return values computed by the analysis of the downgrader contains the set of return values that are possible when the program actually runs. This means that the analysis has a one-sided error: it may classify a correct downgrader as incorrect (and thus suffer from false positives), but not the converse.
For example, if the downgrader is a sanitizer, then the downgrader accepts a string and modifies it so that it can be used safely by one or more subsequent security-sensitive operations; the modified string is therefore the safe string returned by the downgrader. If the downgrader is a validator, then the validator returns a Boolean indicating whether the string is valid; this is the meaning of the terms "accepting" or "rejecting" a string. Thus, for a validator, the downgrader defect/incompatibility detection engine 370 can compute a safe approximation of the set of strings accepted by the downgrader.
Therefore, if a certain type of downgrader implemented in a specific environment works correctly and is compatible with that environment, the downgrader defect/incompatibility detection engine 370 can determine that, for an input string pattern S, the downgrader will produce a specific valid output O. This can be done for each input string pattern S of interest and for any combination of downgrader type and deployment environment. For the various combinations of downgrader type and environment, the resulting legal string pattern sets can be stored in the legal/illegal string pattern database 380. As an example, assume that the downgrader accepts a string S and, if the string is shorter than 5 characters, pads it with '$' characters. The downgrader can use the following approximation for the returned value: S -> S($)*. That is, the returned string may be the input string S followed by zero or more $ characters. This describes a set of strings that is a strict superset of the strings that can actually be returned by the downgrader.
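The padding sanitizer and its approximation S -> S($)* as an added Python example, not code from the patent: `is_safe` checks the defining property of a safe approximation, namely that every string the downgrader actually returns lies inside the approximated set, and contrasts the patent's approximation with a constructed, over-precise one that is refuted by a single input. The sanitizer, the input strings and the over-precise approximation are constructed for this illustration.

```python
import re
from typing import Callable, Iterable

def pad_sanitizer(s: str) -> str:
    """Constructed downgrader from the text: pads strings shorter than five
    characters with '$' and returns longer strings unchanged."""
    return s + "$" * max(0, 5 - len(s))

def safe_approximation(s: str) -> re.Pattern:
    """The text's approximation S -> S($)*: the input followed by zero or more '$'."""
    return re.compile(re.escape(s) + r"\$*")

def too_precise_approximation(s: str) -> re.Pattern:
    """A constructed guess that exactly three '$' are appended; not a safe approximation."""
    return re.compile(re.escape(s) + r"\${3}")

def is_safe(approx: Callable[[str], re.Pattern],
            downgrader: Callable[[str], str], inputs: Iterable[str]) -> bool:
    """A safe approximation must contain every string the downgrader really
    returns; one real output outside the approximated set refutes it."""
    return all(approx(s).fullmatch(downgrader(s)) is not None for s in inputs)

INPUTS = ["ab", "abcde", "", "x$y", "longer-than-five"]   # constructed inputs

if __name__ == "__main__":
    print(is_safe(safe_approximation, pad_sanitizer, INPUTS))          # True
    print(is_safe(too_precise_approximation, pad_sanitizer, INPUTS))   # False
```

The approximation is a strict superset: `safe_approximation("ab")` also accepts `"ab$$$$$$$$"`, a string the sanitizer never returns, which is exactly the one-sided error the text describes (a correct downgrader may be reported as incorrect, never the reverse).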
Using the type of the downgrader, the environmental context specification 390, and the legal/illegal string patterns in the legal/illegal string pattern database 380, the downgrader defect/incompatibility detection engine 370 can determine whether a specific downgrader is defective or incompatible with the environment in which it is, or is to be, deployed. The downgrader defect/incompatibility detection engine 370 then generates a notification about any defect/incompatibility of the downgrader, which is sent via the I/O interface 320 to the computing devices of the appropriate persons to notify them of the defect/incompatibility and of the need to revise the downgrader to correct it.
As briefly mentioned above, the correctness of a downgrader is often not an absolute judgement but a relative one that depends on the context the downgrader serves, i.e., the environment in which the downgrader is, or is to be, deployed. For example, a specific downgrader, together with a request that it be verified against an associated environmental context specification 390, can be submitted to the downgrader defect/incompatibility detection engine 370. This environmental context specification 390 can specify, for example, the specific software configuration, hardware configuration, etc., of the downgrader's deployment environment. Based on the environmental context specification 390 and the downgrader to be verified, the downgrader defect/incompatibility detection engine 370 can determine the type of the downgrader and the type of the environment. Based on the downgrader type and the environment type, the corresponding sets of legal and illegal string patterns can be retrieved from the legal/illegal string pattern database 380.
In one illustrative embodiment, rather than storing the legal string pattern sets in the legal/illegal string pattern database 380, the legal string pattern set can be determined dynamically based on the specific input strings to be submitted to the downgrader, the downgrader type and the environment type. That is, based on the downgrader type and environment type, the downgrader defect/incompatibility detection engine 370 can determine which illegal string patterns in the legal/illegal string pattern database 380 should be matched by the downgrader. From this information, if the downgrader works correctly and is compatible with the type of environment, the downgrader defect/incompatibility detection engine 370 can determine the specific safe or valid output that a downgrader of the specific type, in the specific type of environment, should produce for a given input string.
The output of the downgrader can then be compared with the legal string pattern set to determine whether there is a mismatch, i.e., whether, for a specific input string, the output string contains strings that are not in the legal string pattern set. If so, a determination can be made as to whether the string pattern contained in the downgrader's output is included in the illegal string pattern set. From the above, it can be determined which illegal string patterns the downgrader matches, and then whether the illegal string patterns matched by the downgrader are the correct patterns for the environment in which the downgrader is, or is to be, deployed, i.e., whether the downgrader is compatible or incompatible with the deployment environment. Because downgrader code typically contains many conditional branches and loops that are difficult to track precisely, the downgrader code cannot simply be inspected to determine which illegal string patterns the downgrader matches. The illustrative embodiments therefore provide a mechanism for determining which illegal string patterns a downgrader matches without requiring a thorough, complex and error-prone analysis of the downgrader code itself.
The comparison described above is accomplished by computing a regular expression which, (i) in the case of a sanitizer, serves as a safe approximation of the sanitizer's return values, or, (ii) in the case of a validator, serves as a safe approximation of the set of strings the downgrader accepts. Then, using standard techniques for comparing regular expressions, the analysis classifies the downgrader according to its standard specification. For example, if the downgrader is approximated by the regular expression R, and R is a subset of the regular expression for DB2 but not of those for other database servers, then the downgrader is correct for an environment that uses DB2. The information about the deployment environment is then used to determine whether a compatibility problem exists, i.e., whether the deployment environment matches the environment for which the regular expression is valid. For example, if the regular expression is valid for DB2 and the deployment environment is DB2, then no compatibility problem exists, but if the deployment environment is a different environment, then a compatibility problem exists.
Based on the above determination of compatibility or incompatibility, a notification indicating the compatibility or incompatibility can be sent to the computing device of the appropriate user. For example, the user who initiated the downgrader analysis can have the results of the analysis returned via their computing device. The analysis results included in the notification can contain not only an indication of whether the downgrader is compatible or incompatible, but also appropriate modification suggestions, and can let the user refer to further information about the problem. These modification suggestions and other information can be stored in a knowledge base (not shown) that is part of, or associated with, the application analysis mechanism 300 of the illustrative embodiments. For example, if the analysis performed by the illustrative embodiments determines that some corner case is not handled correctly, the knowledge base is consulted for the modifications appropriate to that corner case.
For example, consider the SQLi attack and the example set of illegal string patterns from the example above. Using the mechanisms of the illustrative embodiments, based on the environmental context specification 390 (i.e., the database server type), the mechanisms determine which string patterns should be matched by the target downgrader, i.e., which of the illegal string patterns described above. The downgrader defect/incompatibility detection engine 370 performs string analysis to compute a safe approximation of the set of string patterns that the target downgrader can return/accept. The safe approximation of the string pattern set is compared with the set of illegal string patterns to determine which illegal string patterns are matched by this safe approximation. Then, the deployment environment associated with the matched illegal string pattern is compared with the actual or intended deployment environment (as defined by the environmental context specification 390) to determine whether the target downgrader is compatible with the environment identified in the environmental context specification 390.
For example, suppose the database server specified in the environmental context specification 390 is Microsoft SQL Server, and the first illegal string pattern, i.e., ".*('|\\x22|#|%|=|;|\\+|[cC][hH][aA][rR]\\s*\\(\\s*\\d+\\s*\\)).*", is matched rather than the second pattern, i.e., ".*('|\\x22|--|%|=|;|\\+|[cC][hH][aA][rR]\\s*\\(\\s*\\d+\\s*\\)).*", which is the correct illegal string pattern for a downgrader to match in a Microsoft SQL Server environment. The downgrader defect/incompatibility detection engine 370 then identifies an incompatibility problem indicating that the downgrader is operating under the assumption that a different type of database server is in use. The downgrader defect/incompatibility detection engine 370 may also determine suggestions for correcting the identified incompatibility. This information, together with references to other sources of information for resolving the incompatibility problem, is sent in a notification to the appropriate users via one or more computing devices.
In addition to identifying incompatibility problems between downgraders and the environments in which they are deployed, the downgrader defect/incompatibility detection engine 370 can also assess the effectiveness of downgraders, including downgraders that have been determined to be compatible with their deployment environment and free of defects. This effectiveness check of a downgrader that is compatible with the deployment environment and free of defects can be performed together with, or separately from, the identification of downgrader incompatibility problems described above. That is, the identification of downgrader incompatibility problems need not be performed as a precursor to the downgrader effectiveness check.
The effectiveness of a downgrader can be determined by identifying the various strength levels of the illegal string patterns that the downgrader correctly matches in the identified deployment environment, e.g., as defined by the environmental context specification 390. The strength of an illegal string pattern can be a measure of how much of the downgrader's operation is complete with respect to that illegal string pattern, where a strong illegal string pattern may indicate a fully complete downgrader operation and a weak illegal pattern indicates a partially complete downgrader operation. Various levels of completeness, or strength, can thus be defined and identified using the mechanisms of the illustrative embodiments.
For example, for each type of deployment environment and each type of downgrader, the legal/illegal string pattern database 380 can store a set of multiple illegal string patterns that can be matched by the downgrader, each illegal string pattern having an associated strength level. For example, assume that for a specific deployment environment, such as MS SQL Server, a SQLi downgrader for that deployment environment can match any one of the following three illegal string patterns:
".*('|\\x22|#|%|=|;|\\+|[cC][hH][aA][rR]\\s*\\(\\s*\\d+\\s*\\)).*" // strong
".*('|\\x22|#|%|=|;|\\+).*" // weaker
".*(#|%|=|;|\\+).*" // weakest
The downgrader defect/incompatibility detection engine 370 can determine whether the target downgrader outputs only strings that satisfy the requirements of the first illegal string pattern. If so, then the downgrader is compatible with the deployment environment and also implements strong enforcement against SQLi attacks. However, if the downgrader's output strings are consistent with the second illegal string pattern above but not with the first, i.e., the downgrader's output strings contain string patterns that are in the first illegal string pattern but not in the second, then it can be determined that the effectiveness of the downgrader is weaker than it should be. The downgrader defect/incompatibility detection engine 370 can, for example, in the notification generated after determining whether the target downgrader is defective or incompatible with the deployment environment, return to the user an indication of the downgrader's strength against the attacks from which it protects the back-end system. The downgrader defect/incompatibility detection engine 370 may also determine a recommended solution for the weakness detected in the protection provided by the downgrader. For example, if it is determined that the downgrader matches only the second illegal string pattern, the recommendation may be to modify the downgrader implementation so that it matches the first illegal string pattern. Moreover, the downgrader can be strengthened by making it work correctly in more deployment environments; for example, if the downgrader works correctly for only one deployment environment, the downgrader itself should be extended to support more deployment environments, e.g., more database server types.
Thus, the illustrative embodiments can determine whether a downgrader is defective or incompatible with the deployment environment in which it is, or is to be, deployed, and can also determine the strength of the protection provided by a downgrader that is compatible, or even incompatible, with the deployment environment. These determinations can be made separately or together. For example, a downgrader may be incorrect for a deployment environment in more than one respect: a SQLi downgrader may be incompatible with the back-end database server and may also be determined to satisfy only a relatively weak illegal string pattern. The mechanisms of the illustrative embodiments can detect the incorrectness of a downgrader along two "axes", i.e., a compatibility axis and a strength axis.
FIG. 9 is a flowchart outlining an example operation for determining downgrader flaws/incompatibilities in accordance with one illustrative embodiment. The operation outlined in FIG. 9 may be implemented, for example, by the application analysis mechanism 300 of FIG. 3.
As shown in FIG. 9, the operation begins by receiving application code (step 910) and identifying downgrader code within the application code (step 920). These operations may be performed, for example, by the downgrader detection engine 330 of FIG. 3. The remaining operations may be performed, for example, by the downgrader flaw/incompatibility detection engine 370 of FIG. 3. An environment context specification for the identified downgrader code is received/determined (step 930). As described above, the environment context specification may be user-defined, or may be determined by examining the deployment environment in which the identified downgrader code is, or is to be, deployed.
Thereafter, for the next downgrader in the identified downgrader code, a safe approximation of the set of valid downgrader output string patterns for a set of one or more input strings is obtained (step 940). This set of valid downgrader output string patterns may be determined dynamically from specific input strings, or may be retrieved from a storage device/system that stores the legal (valid) downgrader string patterns for the particular type of downgrader being evaluated. The set of illegal string patterns for the particular downgrader being evaluated is also retrieved from the illegal string pattern storage device/system (step 950). The safe set of valid output string patterns, the set of illegal string patterns and the environment context specification are then compared (step 960). A determination is made as to the compatibility of the downgrader with the deployment environment and as to the relative strength of the protection provided by the downgrader (step 970). Based on this determination, an appropriate notification output is generated for an authorized user (step 980). A determination is then made as to whether there are more downgraders to be evaluated (step 990). If so, the operation returns to step 940; otherwise the operation terminates.
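As an added illustration of the two-axis evaluation described above and of steps 940 through 980 of FIG. 9 (this is example code written for this page, not code from the patent or from any product): a candidate downgrader is run over a set of probe input strings, its output strings are searched for the illegal string patterns stored per deployment environment, and it is rated on the compatibility axis (does any tier of the target environment's pattern set hold for every output?) and on the strength axis (the strongest such tier), together with the recommendation text that would go into the notification. The environment names env_A and env_B, the probe inputs, the candidate downgraders and the tiered patterns are all constructed for the example; the tiers are written so that each is a strict superset of the next (the specification's own three patterns are listed above and are not reproduced here), and env_B is assumed to treat a backslash as an escape character.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

Downgrader = Callable[[str], str]

# Constructed probe inputs (step 940): a few SQLi-style strings fed to each
# candidate downgrader. They are made up for this example.
PROBE_INPUTS: List[str] = [
    "alice",
    "o'neil",
    'x" OR "1"="1',
    "a; DROP TABLE users",
    "100%",
    "x=1",
    "y#comment",
    "'+CHAR(39)+'",
    "C:\\temp",
]

# Illegal string pattern sets keyed by deployment environment, strongest tier
# first (step 950). env_A and env_B are hypothetical; env_B is assumed to treat
# a backslash as an escape character, so its patterns also flag "\". Each tier
# is a strict superset of the next, so enforcing a tier implies enforcing every
# weaker tier. re.search(p, s) is equivalent to matching ".*(p).*".
ILLEGAL_PATTERNS: Dict[str, List[Tuple[str, re.Pattern]]] = {
    "env_A": [
        ("strong", re.compile(r"""('|"|#|%|=|;|\+)""")),
        ("weaker", re.compile(r"""('|"|#|%|=|;)""")),
        ("weakest", re.compile(r"""(#|%|=|;)""")),
    ],
    "env_B": [
        ("strong", re.compile(r"""('|"|#|%|=|;|\+|\\)""")),
        ("weaker", re.compile(r"""('|"|#|%|=|;|\\)""")),
        ("weakest", re.compile(r"""(#|%|=|;|\\)""")),
    ],
}


def enforced_tier(outputs: List[str], tiers: List[Tuple[str, re.Pattern]]) -> Optional[str]:
    """Name of the strongest tier whose illegal pattern matches none of the
    outputs, or None if every tier is violated by some output (steps 960/970)."""
    for name, pattern in tiers:
        if not any(pattern.search(out) for out in outputs):
            return name
    return None


def assess(downgrader: Downgrader, target_env: str, inputs: List[str] = PROBE_INPUTS) -> dict:
    """Rate a downgrader on the compatibility axis (does it enforce any tier of
    the target environment's illegal patterns?) and the strength axis (which
    tier), and build the recommendation for the notification (step 980)."""
    outputs = [downgrader(s) for s in inputs]
    per_env = {env: enforced_tier(outputs, tiers) for env, tiers in ILLEGAL_PATTERNS.items()}
    tier_names = [name for name, _ in ILLEGAL_PATTERNS[target_env]]
    strength = per_env[target_env]
    compatible = strength is not None
    recommendation: Optional[str] = None
    if compatible and strength != tier_names[0]:
        recommendation = f"extend the downgrader so its output satisfies the '{tier_names[0]}' pattern for {target_env}"
    elif not compatible:
        others = [env for env, tier in per_env.items() if tier is not None]
        if others:
            recommendation = f"downgrader only enforces patterns for {', '.join(others)}; extend it to support {target_env}"
        else:
            recommendation = "downgrader enforces no illegal string pattern for any known environment"
    return {
        "target_env": target_env,
        "compatible": compatible,
        "strength": strength,
        "per_environment": per_env,
        "recommendation": recommendation,
    }


# Constructed candidate downgraders with deliberately different coverage.
def strip_all(s: str) -> str:
    return re.sub(r"""['"#%=;+]""", "", s)


def strip_no_plus(s: str) -> str:
    return re.sub(r"""['"#%=;]""", "", s)


def strip_meta_only(s: str) -> str:
    return re.sub(r"[#%=;]", "", s)


def strip_all_and_backslash(s: str) -> str:
    return re.sub(r"""['"#%=;+\\]""", "", s)


def double_single_quotes(s: str) -> str:
    # Only doubles single quotes; leaves '#', '=', '"' and friends untouched.
    return s.replace("'", "''")


if __name__ == "__main__":
    candidates = [("strip_all", strip_all), ("strip_no_plus", strip_no_plus),
                  ("strip_meta_only", strip_meta_only),
                  ("strip_all_and_backslash", strip_all_and_backslash),
                  ("double_single_quotes", double_single_quotes)]
    for name, dg in candidates:
        for env in ILLEGAL_PATTERNS:
            r = assess(dg, env)
            print(f"{name:24s} {env}: compatible={r['compatible']} "
                  f"strength={r['strength']} recommendation={r['recommendation']}")
```

Running the block rates strip_all as strong for env_A but incompatible with env_B (it leaves the backslash through), strip_no_plus as weaker, strip_meta_only as weakest, and double_single_quotes as matching no tier of any environment; the recommendation string in each case names the pattern or environment the downgrader would need to be extended to cover.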
Thus, the illustrative embodiments provide mechanisms for identifying downgraders in application code and for evaluating whether a downgrader is flawed or incompatible with the deployment environment in which the downgrader is, or is to be, deployed. Moreover, the illustrative embodiments provide mechanisms for determining the relative strength of the protection provided by a downgrader. A notification containing the results of these evaluations may be generated, optionally including suggestions on how to make the downgrader compatible with the deployment environment and/or how to improve the strength of the protection the downgrader provides. As a result, users are notified that a downgrader is incompatible and how to correct the incompatibility, so as to ensure that the downgrader is implemented optimally for its deployment environment.
As indicated above, it should be appreciated that the illustrative embodiments may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment containing both hardware and software elements. In one example embodiment, the mechanisms of the illustrative embodiments are implemented in software or program code, which includes but is not limited to firmware, resident software, microcode, etc.
A data processing system suitable for storing and/or executing program code will include at least one processor coupled directly or indirectly to memory elements through a system bus. The memory elements can include local memory employed during actual execution of the program code, bulk storage, and cache memories which provide temporary storage of at least some program code in order to reduce the number of times code must be retrieved from bulk storage during execution.
Input/output or I/O devices (including but not limited to keyboards, displays, pointing devices, etc.) can be coupled to the system either directly or through intervening I/O controllers. Network adapters may also be coupled to the system to enable the data processing system to become coupled to other data processing systems or remote printers or storage devices through intervening private or public networks. Modems, cable modems and Ethernet cards are just a few of the currently available types of network adapters.
The description of the present invention has been presented for purposes of illustration and description, and is not intended to be exhaustive or to limit the invention to the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art. The embodiments were chosen and described in order to best explain the principles of the invention and its practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.
Claims (18)
1. A method for evaluating downgrader code in application code with respect to a target deployment environment, comprising:
identifying, by an application analysis mechanism, downgrader code associated with the application code, wherein the downgrader code is a portion of code associated with the application code that operates on an information flow of the application code to ensure, in the output of the downgrader code, the confidentiality of information input to the downgrader code;
generating, by the application analysis mechanism, based on an input string, an output string that the downgrader code outputs in response to receiving the input string;
retrieving one or more illegal string pattern sets from a storage system, wherein each of the one or more illegal string pattern sets is associated with a corresponding deployment environment, and wherein an illegal string pattern is a string pattern that the downgrader identifies for the security of the information flow;
determining, by the application analysis mechanism, based on the one or more illegal string pattern sets and the output string, whether the downgrader code is compatible with the target deployment environment; and
generating, by the application analysis mechanism, an output indicating a result of the determination.
2. The method of claim 1, wherein determining whether the downgrader code is compatible with the target deployment environment comprises:
identifying the target deployment environment in which the downgrader code is, or is to be, deployed; and
determining, based on the one or more illegal string pattern sets, the output string and the identification of the target deployment environment, whether the downgrader code is compatible with the target deployment environment.
3. The method of claim 2, wherein identifying the target deployment environment comprises:
receiving a user specification of the target deployment environment.
4. The method of claim 2 or claim 3, wherein identifying the target deployment environment comprises:
automatically determining the target deployment environment based on an analysis of configuration information maintained by a data processing system.
5. The method of claim 1, 2 or 3, wherein determining whether the downgrader code is compatible with the target deployment environment comprises:
comparing the output string of the downgrader code with the one or more illegal string pattern sets; and
identifying an illegal string pattern, associated with the one or more illegal string pattern sets, that matches the output string of the downgrader code.
6. The method of claim 5, wherein determining whether the downgrader code is compatible with the target deployment environment comprises:
identifying the corresponding deployment environment associated with the illegal string pattern that matches the output string of the downgrader code; and
determining whether the corresponding deployment environment matches the target deployment environment, wherein, if the corresponding deployment environment matches the target deployment environment, the downgrader code is determined to be compatible with the target deployment environment, and wherein, if the corresponding deployment environment does not match the target deployment environment, the downgrader code is determined to be incompatible with the target deployment environment.
7. The method of claim 5, further comprising:
determining a strength of the illegal string pattern that matches the output string of the downgrader code;
determining whether an illegal string pattern of higher strength, associated with the one or more illegal string pattern sets, exists for the target deployment environment; and
in response to determining that an illegal string pattern of higher strength exists, generating a suggestion as to how to improve the operation of the downgrader code so that the output string of the downgrader code will match the illegal string pattern of higher strength.
8. The method of claim 7, wherein the output comprises a notification sent to a user, and wherein the notification identifies whether the downgrader code is compatible with the target deployment environment and further identifies the suggestion.
9. The method of claim 1, 2 or 3, further comprising:
storing a plurality of illegal string patterns, wherein each illegal string pattern set associated with the plurality of illegal string patterns is associated with a type of downgrader code, and wherein the retrieval of the one or more illegal string pattern sets is performed based on the type of downgrader code identified in the application code.
10. An apparatus for evaluating downgrader code in application code with respect to a target deployment environment, comprising:
means for identifying, by an application analysis mechanism, downgrader code associated with the application code, wherein the downgrader code is a portion of code associated with the application code that operates on an information flow of the application code to ensure, in the output of the downgrader code, the confidentiality of information input to the downgrader code;
means for generating, by the application analysis mechanism, based on an input string, an output string that the downgrader code is operable to output in response to receiving the input string;
means for retrieving one or more illegal string pattern sets from a storage system, wherein each of the one or more illegal string pattern sets is associated with a corresponding deployment environment, and wherein an illegal string pattern is a string pattern that the downgrader is operable to identify for the security of the information flow;
means for determining, by the application analysis mechanism, based on the one or more illegal string pattern sets and the output string, whether the downgrader code is compatible with the target deployment environment; and
means for generating, by the application analysis mechanism, an output indicating a result of the determination.
11. The apparatus of claim 10, wherein the means for determining whether the downgrader code is compatible with the target deployment environment further comprises:
means for identifying the target deployment environment in which the downgrader code is, or is to be, deployed; and
means for determining, based on the one or more illegal string pattern sets, the output string and the identification of the target deployment environment, whether the downgrader code is compatible with the target deployment environment.
12. The apparatus of claim 11, wherein the means for identifying the target deployment environment further comprises:
means for receiving a user specification of the target deployment environment.
13. The apparatus of claim 11 or claim 12, wherein the means for identifying the target deployment environment further comprises:
means for automatically determining the target deployment environment based on an analysis of configuration information maintained by a data processing system.
14. The apparatus of claim 10, 11 or 12, wherein the means for determining whether the downgrader code is compatible with the target deployment environment further comprises:
means for comparing the output string of the downgrader code with the one or more illegal string pattern sets; and
means for identifying an illegal string pattern, associated with the one or more illegal string pattern sets, that matches the output string of the downgrader code.
15. The apparatus of claim 14, wherein the means for determining whether the downgrader code is compatible with the target deployment environment comprises:
means for identifying the corresponding deployment environment associated with the illegal string pattern that matches the output string of the downgrader code;
means for determining whether the corresponding deployment environment matches the target deployment environment;
means for determining, in response to the corresponding deployment environment matching the target deployment environment, that the downgrader code is compatible with the target deployment environment; and
means for determining, in response to the corresponding deployment environment not matching the target deployment environment, that the downgrader code is incompatible with the target deployment environment.
16. The apparatus of claim 14, further comprising:
means for determining a strength of the illegal string pattern that matches the output string of the downgrader code;
means for determining whether an illegal string pattern of higher strength, associated with the one or more illegal string pattern sets, exists for the target deployment environment; and
means for generating, in response to determining that an illegal string pattern of higher strength exists, a suggestion as to how to improve the operation of the downgrader code so that the output string of the downgrader code will match the illegal string pattern of higher strength.
17. The apparatus of claim 16, wherein the output comprises a notification sent to a user, and wherein the notification is operable to identify whether the downgrader code is compatible with the target deployment environment and is operable to identify the suggestion.
18. The apparatus of claim 10, 11 or 12, further comprising:
means for storing a plurality of illegal string patterns, wherein each illegal string pattern set associated with the plurality of illegal string patterns is associated with a type of downgrader code; and
means for retrieving the one or more illegal string pattern sets based on the type of downgrader code identified in the application code.
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
US13/248,724 (US8769696B2, en) | 2011-09-29 | 2011-09-29 | Automated detection of flaws and incompatibility problems in information flow downgraders
US13/248,724 | 2011-09-29 | |
PCT/IB2012/053856 (WO2013046070A1, en) | 2011-09-29 | 2012-07-27 | Automated detection of flaws and incompatibility problems in information flow downgraders
Publications (2)
Publication Number | Publication Date
---|---
CN103842963A (en) | 2014-06-04
CN103842963B (en) | 2016-11-30
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
EP0510241A2 * | 1991-04-22 | 1992-10-28 | Acer Incorporated | Upgradeable/downgradeable computer
Legal Events
Date | Code | Title | Description
---|---|---|---
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |