CN103842963B - The method and apparatus of the downgrader code in assessment application code - Google Patents


Info

Publication number: CN103842963B
Authority: CN (China)
Prior art keywords: downgrader, code, string, illegal, target deployment
Legal status: Active
Application number: CN201280047485.9A
Other languages: Chinese (zh)
Other versions: CN103842963A
Inventors: O. Tripp, S. D. Teilhet, Takaaki Tateishi, M. Pistoia
Current assignee: International Business Machines Corp
Original assignee: International Business Machines Corp
Priority claimed from US13/248,724 (US8769696B2)
Application filed by International Business Machines Corp
Publication of CN103842963A
Application granted
Publication of CN103842963B


Abstract

The present disclosure relates to the automatic detection of flaws and incompatibility problems in information flow downgraders. Mechanisms are provided for evaluating downgrader code in application code with respect to a target deployment environment. Downgrader code is identified in the application code. Based on an input string, the output string that the downgrader code produces in response to receiving the input string is identified. One or more sets of illegal string patterns are retrieved; each of these sets is associated with a corresponding deployment environment. An illegal string pattern is a string pattern that a downgrader identifies in an information flow for security purposes. Based on the one or more sets of illegal string patterns and the output string, a determination is made as to whether the downgrader code is compatible with the target deployment environment, and an output indicating the result of the determination is generated.

Description

The method and apparatus of the downgrader code in assessment application code
Technical field
The present application relates generally to an improved data processing apparatus and method and, more specifically, to mechanisms for the automatic detection of flaws and incompatibility problems in information flow downgraders, where an information flow downgrader is also referred to as a security downgrader or simply as a downgrader.
Background Art
The principle of Information Flow Security establishes that "illegal flows" of information are not permitted. A flow is illegal if it allows untrusted information to be used in a trusted computation (an integrity violation) or allows private information to be fully or partially exposed to an unauthorized user (a confidentiality violation). By simply declaring that there must be no information flow from "high" to "low", integrity and confidentiality can be regarded as two dual problems, where "high" means "untrusted" in integrity and "secret" in confidentiality, and "low" means "trusted" in integrity and "public" in confidentiality.
Information can be tagged with information flow labels. Normally, information flow labels form a partially ordered set or a lattice. If Information Flow Security were strictly enforced and no invalid information flow were allowed, most programs would not work. To become "Information Flow Secure", a program would have to be "partitioned" so that information tagged with a certain label "X" can flow only to program points tagged with a label greater than or equal to "X".
Having such restricted programs is not very useful. For example, from an integrity point of view, a Web application should be able to accept input from potentially untrusted users and use that input in trusted computations. For instance, an online banking program accepts a user's account number and password (possibly untrusted or malicious information) as input and passes them to a back-end database system, where they are used in a trusted setting. In another example, an online bookstore accepts a customer's user number and password and the title of the book the customer wants to buy (all possibly untrusted or malicious information) as input and completes the transaction with them, and so on.
From a confidentiality perspective, Web applications often release data that has been computed from private information and that should therefore also be regarded as secret. For example, a banking application may expose the last four digits of any user's social security number to a teller, and an online bookstore may expose the last four digits of any customer's credit card number to a salesperson. All of these programs exhibit flows that allow "high" information to flow to "low" program points; if Information Flow Security were enforced naively, all of these programs would be rejected. To allow such programs to work, "high" information can be "downgraded" so that it becomes "low" enough to be used at "low" program points.
Downgrading itself translates to "endorsement" in integrity and to "declassification" in confidentiality. For example, once a program has verified that the input a user supplied to a Web application is a string of the correct format, the program can endorse that input, which now becomes trusted enough to be used in trusted computations. Similarly, once a program has verified that the information extracted from a secret is insufficient to expose the secret itself, the program can declassify the extracted information, which can now become public enough to be exposed to a general audience.
A program may implement downgraders of several different types. This is because a program should not pass any "high" input to a "low" function unless that "high" input has been downgraded first. A particular downgrader operates on a specific, special subset of the set of "low" functions, and therefore a program may be required to implement downgraders of several different types.
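As an added illustration of the label model just described (example code written for this page, not part of the patent), the following Python models the two "high"/"low" lattices as a product order, enforces the flow rule at program points, and implements endorsement and declassification as the two downgraders for the banking scenario above; the source and sink labels, the account-number validator and the last-four extractor are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Tuple

# Hypothetical example of the label model (not code from the patent): each
# dimension is a two-point lattice with "high" above "low".
#   integrity:       high = untrusted, low = trusted
#   confidentiality: high = secret,    low = public
LOW, HIGH = 0, 1


@dataclass(frozen=True)
class Label:
    integrity: int
    confidentiality: int

    def flows_to(self, point: "Label") -> bool:
        """Product order on the two lattices: information labelled X may flow
        only to a program point labelled greater than or equal to X."""
        return (self.integrity <= point.integrity
                and self.confidentiality <= point.confidentiality)


@dataclass(frozen=True)
class Labeled:
    data: str
    label: Label


class IllegalFlow(Exception):
    """Raised when a "high" value reaches a "low" program point without downgrading."""


# Sources and sinks used below (constructed for the example).
USER_INPUT = Label(HIGH, LOW)      # untrusted, public: e.g. a form field
STORED_SECRET = Label(LOW, HIGH)   # trusted, secret: e.g. an SSN in the database
DB_QUERY = Label(LOW, HIGH)        # trusted computation; only trusted data may enter
TELLER_SCREEN = Label(HIGH, LOW)   # public display; only public data may be shown


def use_at(value: Labeled, point: Label) -> str:
    """Enforce the flow rule at a program point; return the raw data if the flow is legal."""
    if not value.label.flows_to(point):
        raise IllegalFlow(f"{value.label} may not flow to {point}")
    return value.data


def endorse(value: Labeled, is_well_formed: Callable[[str], bool]) -> Labeled:
    """Integrity downgrader (a validator): once the input is verified to have the
    expected format it becomes trusted; otherwise it is rejected, not altered."""
    if not is_well_formed(value.data):
        raise ValueError("input failed validation")
    return Labeled(value.data, Label(LOW, value.label.confidentiality))


def declassify(value: Labeled, extract: Callable[[str], str]) -> Labeled:
    """Confidentiality downgrader: release only an extract judged not to expose
    the secret itself (here, the last four digits)."""
    return Labeled(extract(value.data), Label(value.label.integrity, LOW))


def is_account_number(s: str) -> bool:
    return len(s) == 10 and s.isdigit()


def last_four(s: str) -> str:
    return s[-4:]


def bank_request(account_input: str, stored_ssn: str) -> Tuple[str, str]:
    """The banking scenario from the text: user input reaches the back-end query only
    after endorsement, and the SSN reaches the teller only after declassification."""
    account = use_at(endorse(Labeled(account_input, USER_INPUT), is_account_number), DB_QUERY)
    shown = use_at(declassify(Labeled(stored_ssn, STORED_SECRET), last_four), TELLER_SCREEN)
    return account, shown


def handle(account_input: str, stored_ssn: str) -> str:
    """Return a status string instead of raising, so outcomes can be compared."""
    try:
        account, shown = bank_request(account_input, stored_ssn)
        return f"ok account={account} ssn_suffix={shown}"
    except (ValueError, IllegalFlow) as exc:
        return f"rejected: {exc}"
```

Without the downgraders, `USER_INPUT.flows_to(DB_QUERY)` and `STORED_SECRET.flows_to(TELLER_SCREEN)` are both false, which is exactly the "rejected program" situation the text describes.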
For example, an integrity "low" function that accepts input in the form of a string may concatenate that string into a Structured Query Language (SQL) query and then submit it to a database. In this example, the function would require its input not to contain semicolons and slashes, because such characters could be interpreted by the database as SQL commands. Therefore, any input given to this "low" function should be sanitized (that is, the illegal input is changed by deleting or replacing its suspicious portions) or validated to guarantee that no such forbidden characters are present. Only when a trusted sanitizer has verified that such forbidden characters are absent is the initially untrusted string accepted for use in the SQL query.
However, if the "low" function is not responsible for executing a SQL query but instead for concatenating its string input value into Hypertext Markup Language (HTML) code, a different sanitization is necessary. The problem here is no longer preventing SQL injection but preventing the attack known as cross-site scripting (XSS). In this case, the sanitization function has to check that no special JavaScript tags, such as <script> and </script>, are present (Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates).
Downgraders are often available from libraries and are classified according to the specification of the corresponding "low" function. However, Web applications often implement their own downgrading functions. This makes security static analysis of Web applications extremely complex. In fact, a static analysis for Information Flow Security should receive as input the signatures of the downgrading functions and rules that map the downgrading functions to the corresponding "low" functions. At that point, the static analysis can verify that the input to a "low" function has been correctly downgraded on every path leading to that "low" function. Unfortunately, when a Web application implements its own downgraders, detecting those downgraders and classifying them in a way that a static analysis for Information Flow Security can subsequently interpret is extremely difficult.
Web applications, because they accept user input and are normally accessible to a large number of users, are particularly vulnerable to security attacks. According to the Web Application Security Consortium (WASC), about 100,000 security vulnerabilities were found and fixed in 2008, of which 52,587 were urgent or critical. This illustrates the importance of protecting Web applications against malicious input. This protection is normally implemented with the validation/downgrader mechanism described above, which either sanitizes user input (that is, changes the input by deleting or replacing its suspicious portions) or validates user input (that is, rejects the user input if it is judged to be illegal).
Sanitizers and validators can be construed as the last (and application-specific) line of defense against attacks. These mechanisms generally embody subtle reasoning, as they have to distinguish legal from illegal input in a variety of contexts. Moreover, these mechanisms are themselves the interface between security experts and application developers. Writing them correctly is not a standard coding task, since it requires a deep understanding of security threats (in the form of a long catalog of known security attacks). Best practices, criteria and guidelines on how to build sanitization and validation mechanisms are generally available in the security literature. The challenge is checking whether a Web application's code actually follows these criteria. There is currently no automated mechanism to perform this check.
Furthermore, since downgraders are normally written by software engineers whose expertise is developing software rather than understanding the design and security implications of their engineering choices, it is not surprising that the number of attacks caused by incorrectly handled input is high. Most commonly, some corner case involving the removal of forbidden characters or strings is either left out of the downgrader's implementation or handled incorrectly. However, there are also cases in which a correct downgrade is sensitive to the server-side component being implemented. For example, a downgrader that prevents SQL injection (SQLi) attacks should apply a different transformation for each type of database server, because these database servers use different metacharacters: for example, MS SQL Server interprets two hyphens (--) as the beginning of a comment when parsing a SQL command, whereas another database server may interpret a pound sign (#) as the beginning of a comment.
An attacker can easily and efficiently identify instances of applications in which an incorrect sanitization has been applied by using fuzzing techniques. This makes matters even worse, because while the attacker concludes that the program's protection layer has been breached, the attacker simultaneously learns which inputs are used in the security-sensitive regions of the code, which makes the later steps of the attack easier. Thus, a further challenge arises when determining whether a downgrader is compatible with the system it is meant to protect.
Summary of the invention
In one illustrative embodiment, a method is provided, in a data processing system, for evaluating downgrader code in application code with respect to a target deployment environment. The method comprises identifying, by an application analysis mechanism of the data processing system, downgrader code in the application code. The downgrader code is a portion of code in the application code that operates on an information flow of the application code to ensure the confidentiality of information input to the downgrader code in the output of the downgrader code. The method further comprises generating, by the application analysis mechanism, based on an input string, an output string that the downgrader code outputs in response to receiving the input string. The method also comprises retrieving one or more sets of illegal string patterns from a storage system associated with the data processing system. Each of the one or more sets of illegal string patterns is associated with a corresponding deployment environment. An illegal string pattern is a string pattern that a downgrader identifies in an information flow for security purposes. Moreover, the method comprises determining, by the application analysis mechanism, based on the one or more sets of illegal string patterns and the output string, whether the downgrader code is compatible with the target deployment environment. Furthermore, the method comprises generating, by the application analysis mechanism, an output indicating the result of the determination.
In other illustrative embodiments, a computer program product comprising a computer usable or readable medium having a computer readable program is provided. The computer readable program, when executed on a computing device, causes the computing device to perform various ones of, and combinations of, the operations outlined above with regard to the method illustrative embodiment.
In yet another illustrative embodiment, a system/apparatus is provided. The system/apparatus may comprise one or more processors and a memory coupled to the one or more processors. The memory may comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform various ones of, and combinations of, the operations outlined above with regard to the method illustrative embodiment.
These and other features and advantages of the present invention will be described in, or will become apparent to those of ordinary skill in the art in view of, the following detailed description of the example embodiments of the present invention.
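The following Python sketch (added here; not the patent's implementation) carries the method just summarized through end to end for the metacharacter problem raised in the background: a downgrader written for MS SQL Server is run over constructed probe inputs, each output string is checked against a per-deployment-environment illegal string pattern set, and a report of the result is produced. The pattern sets, the environment names and the two sanitizers are assumptions made for this example; the "#"-commenting environment follows MySQL-style comment syntax.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Illegal string pattern sets keyed by deployment environment. These are
# constructed for the example: the patent only states that MS SQL Server treats
# "--" as a comment start and that another database server uses "#".
ILLEGAL_STRING_PATTERNS: Dict[str, List[str]] = {
    # MS SQL Server target: "--" opens a comment, ";" separates statements,
    # and a lone (non-doubled) quote can close a string literal early.
    "mssql": [r"--", r";", r"(?<!')'(?!')"],
    # A "#"-commenting server (MySQL-style, assumed here): same set plus "#".
    "mysql": [r"--", r";", r"(?<!')'(?!')", r"#"],
    # An HTML sink, the XSS context from the text: a surviving script tag.
    "html": [r"<\s*/?\s*script\b"],
}

# Constructed probe inputs: the analysis feeds each one to the downgrader and
# inspects the result, which stands in for the patent's output-string step.
PROBE_INPUTS: List[str] = [
    "plain_value",
    "O'Brien",
    "a -- trailing comment",
    "x # other comment",
    "first; second",
    "<script>x</script>",
]


@dataclass
class Finding:
    probe: str    # the input string fed to the downgrader
    output: str   # what the downgrader produced
    pattern: str  # the target environment's illegal pattern that survived


def mssql_downgrader(s: str) -> str:
    """Hypothetical sanitizer written with MS SQL Server in mind: strips "--"
    and ";" and doubles single quotes, but knows nothing about "#"."""
    return s.replace("--", "").replace(";", "").replace("'", "''")


def mysql_downgrader(s: str) -> str:
    """The same sanitizer extended for the "#"-commenting server."""
    return mssql_downgrader(s).replace("#", "")


def evaluate_downgrader(downgrader: Callable[[str], str], target_env: str,
                        probes: List[str] = PROBE_INPUTS) -> List[Finding]:
    """Run every probe through the downgrader and collect each output in which
    an illegal pattern of the target deployment environment still appears."""
    patterns = ILLEGAL_STRING_PATTERNS[target_env]
    findings: List[Finding] = []
    for probe in probes:
        output = downgrader(probe)
        for pattern in patterns:
            if re.search(pattern, output):
                findings.append(Finding(probe, output, pattern))
                break  # one surviving pattern is enough to flag this probe
    return findings


def is_compatible(downgrader: Callable[[str], str], target_env: str) -> bool:
    return not evaluate_downgrader(downgrader, target_env)


def compatibility_report(downgrader: Callable[[str], str], target_env: str) -> str:
    """The 'output indicating the result' step: a short human-readable verdict."""
    findings = evaluate_downgrader(downgrader, target_env)
    name = getattr(downgrader, "__name__", "downgrader")
    if not findings:
        return f"{name}: COMPATIBLE with {target_env}"
    lines = [f"{name}: INCOMPATIBLE with {target_env}"]
    for f in findings:
        lines.append(f"  input {f.probe!r} -> output {f.output!r} still matches {f.pattern!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    for env in ("mssql", "mysql", "html"):
        print(compatibility_report(mssql_downgrader, env))
    print(compatibility_report(mysql_downgrader, "mysql"))
```

The MS SQL-oriented sanitizer passes against its own environment but is flagged for the "#"-commenting server and for the HTML sink, which is the deployment-sensitivity the patent sets out to detect.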
Brief Description of the Drawings
The invention, as well as a preferred mode of use and further objectives and advantages thereof, will best be understood by reference to the following detailed description of illustrative embodiments when read in conjunction with the accompanying drawings, wherein:
Fig. 1 depicts a pictorial representation of an example distributed data processing system in which aspects of the illustrative embodiments may be implemented;
Fig. 2 is an example block diagram of an example data processing system in which aspects of the illustrative embodiments may be implemented;
Fig. 3 is an example block diagram of the primary operational elements of an application analysis mechanism in accordance with one illustrative embodiment;
Fig. 4 is an example diagram of a translator that the mechanisms of the illustrative embodiments may utilize to produce a CFG;
Fig. 5 is an example diagram illustrating a static string analysis in accordance with one illustrative embodiment;
Fig. 6 is an example program call graph in accordance with one illustrative embodiment;
Fig. 7 is an example block/flow diagram illustrating a system and method for statically detecting and classifying information flow downgraders in accordance with one illustrative embodiment;
Fig. 8 is a flowchart outlining an example operation of an automated application analysis mechanism in accordance with one illustrative embodiment; and
Fig. 9 is a flowchart outlining an example operation for evaluating the compatibility and strength of a downgrader in accordance with one illustrative embodiment.
Detailed description of the invention
The illustrative embodiments provide mechanisms for statically enforcing Web application security criteria by utilizing a form of analysis of the quality and consistency of information flow downgraders. In particular, the illustrative embodiments provide automated mechanisms for examining the downgraders in the application code of, for example, a Web application (that is, an application accessible via the World Wide Web or the Internet) and for ensuring that the application code follows the criteria for implementing information flow downgraders. Based on this examination, an output can be generated indicating whether the Web application conforms to the criteria or contains security violations.
The illustrative embodiments make use of string analysis mechanisms. String analysis is a family of techniques and mechanisms whose purpose is to approximate the set of values that a string variable may assume at runtime. U.S. Patent Applications 12/575,647; 12/825,293; and 12/627,351 describe string analysis techniques and their application to examples of Web application security problems. In particular, U.S. Patent Application 12/575,647 describes a technique for the automatic detection of information flow downgraders using string analysis.
The mechanisms of the illustrative embodiments of the present invention operate independently of the mechanisms in application 12/575,647, which relate to how to find downgraders, such as sanitizers and validators, in application code. Instead, the mechanisms of the illustrative embodiments of the present invention are directed to determining how a downgrader is constructed and whether that construction meets established criteria. The mechanisms of the illustrative embodiments abstract away from the implementation details of a downgrader and represent the downgrader as a sequence of operations on the downgrader's input. This abstraction is achieved by modeling built-in string operations and other instructions of interest. For example, built-in string operations may be modeled using monadic second-order logic models. The resulting higher-level abstract representation of the string operations can then be checked and scored against a set of criteria. Quantifying the quality of an application's protection layer, that is, of the application's information flow downgraders, can thus be performed as an automated process.
An automated mechanism for evaluating downgraders against established criteria serves as an important bridge between application developers and security experts, because it allows security experts to verify the code implementing a downgrader and to communicate the evaluation to application developers through a formal mechanism. The automated mechanism of the illustrative embodiments can also identify downgraders whose scores are so low that they may be the cause of business logic errors, for example, if the low score of a downgrader is due to the fact that it removes input characters rather than rejecting the input, causing unexpected behavior in the business logic.
As will be appreciated by one skilled in the art, the present invention may be embodied as a system, method, or computer program product. Accordingly, aspects of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a "circuit," "module" or "system." Furthermore, aspects of the present invention may take the form of a computer program product embodied in any one or more computer readable medium(s) having computer usable program code embodied thereon.
Any combination of one or more computer readable medium(s) may be utilized. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CDROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in a baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Computer code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, radio frequency (RF), etc., or any suitable combination thereof.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java™, Smalltalk™, C++ or the like, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
Aspects of the present invention are described below with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to the illustrative embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer readable medium that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the computer readable medium produce an article of manufacture including instructions that implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus, or other devices to produce a computer implemented process, such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or by combinations of special purpose hardware and computer instructions.
The illustrative embodiments may be utilized in many different types of data processing environments, including a distributed data processing environment, a single data processing device, or the like. In order to provide a context for the description of the specific elements and functionality of the illustrative embodiments, Figs. 1 and 2 are provided hereafter as example environments in which aspects of the illustrative embodiments may be implemented. It should be appreciated that Figs. 1-2 are only examples and are not intended to assert or imply any limitation with regard to the environments in which aspects or embodiments of the present invention may be implemented. Many modifications to the depicted environments may be made without departing from the spirit and scope of the present invention.
With reference now to the figures, Fig. 1 depicts a pictorial representation of an example distributed data processing system in which aspects of the illustrative embodiments may be implemented. Distributed data processing system 100 may include a network of computers in which aspects of the illustrative embodiments may be implemented. The distributed data processing system 100 contains at least one network 102, which is the medium used to provide communication links between the various devices and computers connected together within distributed data processing system 100. The network 102 may include connections such as wire, wireless communication links, or fiber optic cables.
In the depicted example, server 104 and server 106 are connected to network 102 along with storage unit 108. In addition, clients 110, 112, and 114 are also connected to network 102. These clients 110, 112, and 114 may be, for example, personal computers, network computers, or the like. In the depicted example, server 104 provides data, such as boot files, operating system images, and applications, to the clients 110, 112, and 114. Clients 110, 112, and 114 are clients to server 104 in the depicted example. Distributed data processing system 100 may include additional servers, clients, and other devices not shown.
In the depicted example, distributed data processing system 100 is the Internet, with network 102 representing a worldwide collection of networks and gateways that use the Transmission Control Protocol/Internet Protocol (TCP/IP) suite of protocols to communicate with one another. At the heart of the Internet is a backbone of high-speed data communication lines between major nodes or host computers, consisting of thousands of commercial, governmental, educational and other computer systems that route data and messages. Of course, the distributed data processing system 100 may also be implemented to include a number of different types of networks, such as, for example, an intranet, a local area network (LAN), a wide area network (WAN), or the like. As stated above, Fig. 1 is intended as an example, not as an architectural limitation for different embodiments of the present invention, and therefore the particular elements shown in Fig. 1 should not be considered limiting with regard to the environments in which the illustrative embodiments of the present invention may be implemented.
With reference now to Fig. 2, a block diagram of an example data processing system is shown in which aspects of the illustrative embodiments may be implemented. Data processing system 200 is an example of a computer, such as client 110 in Fig. 1, in which computer usable code or instructions implementing the processes of the illustrative embodiments of the present invention may be located.
In the depicted example, data processing system 200 employs a hub architecture including north bridge and memory controller hub (NB/MCH) 202 and south bridge and input/output (I/O) controller hub (SB/ICH) 204. Processing unit 206, main memory 208, and graphics processor 210 are connected to NB/MCH 202. Graphics processor 210 may be connected to NB/MCH 202 through an accelerated graphics port (AGP).
In the depicted example, local area network (LAN) adapter 212 connects to SB/ICH 204. Audio adapter 216, keyboard and mouse adapter 220, modem 222, read only memory (ROM) 224, hard disk drive (HDD) 226, CD-ROM drive 230, universal serial bus (USB) ports and other communication ports 232, and PCI/PCIe devices 234 connect to SB/ICH 204 through bus 238 and bus 240. PCI/PCIe devices may include, for example, Ethernet adapters, add-in cards, and PC cards for notebook computers. PCI uses a card bus controller, while PCIe does not. ROM 224 may be, for example, a flash basic input/output system (BIOS).
HDD 226 and CD-ROM drive 230 connect to SB/ICH 204 through bus 240. HDD 226 and CD-ROM drive 230 may use, for example, an integrated drive electronics (IDE) or serial advanced technology attachment (SATA) interface. Super I/O (SIO) device 236 may be connected to SB/ICH 204.
An operating system runs on processing unit 206. The operating system coordinates and provides control of the various components within the data processing system 200 in Fig. 2. As a client, the operating system may be a commercially available operating system such as Microsoft Windows 7 (Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both). An object-oriented programming system, such as the Java™ programming system, may run in conjunction with the operating system and provides calls to the operating system from Java™ programs or applications executing on data processing system 200 (Java is a trademark of Oracle and/or its affiliates in the United States, other countries, or both).
As a server, data processing system 200 may be, for example, an IBM eServer™ System p computer system running the Advanced Interactive Executive (AIX) operating system or the LINUX operating system (IBM, eServer, System p and AIX are trademarks of International Business Machines Corporation in the United States, other countries, or both, and LINUX is a trademark of Linus Torvalds in the United States, other countries, or both). Data processing system 200 may be a symmetric multiprocessor (SMP) system including a plurality of processors in processing unit 206. Alternatively, a single processor system may be employed.
Instructions for the operating system, the object-oriented programming system, and applications or programs are located on storage devices, such as HDD 226, and may be loaded into main memory 208 for execution by processing unit 206. The processes of the illustrative embodiments of the present invention may be performed by processing unit 206 using computer usable program code, which may be located in a memory such as, for example, main memory 208, ROM 224, or one or more peripheral devices 226 and 230.
A bus system, such as bus 238 or bus 240 as shown in Fig. 2, may be comprised of one or more buses. Of course, the bus system may be implemented using any type of communication fabric or architecture that provides for a transfer of data between different components or devices attached to the fabric or architecture. A communication unit, such as modem 222 or network adapter 212 of Fig. 2, may include one or more devices used to transmit and receive data. A memory may be, for example, main memory 208, ROM 224, or a cache such as that found in NB/MCH 202 in Fig. 2.
Those of ordinary skill in the art will appreciate that the hardware in Figs. 1-2 may vary depending on the implementation. Other internal hardware or peripheral devices, such as flash memory, equivalent non-volatile memory, or optical disk drives and the like, may be used in addition to or in place of the hardware depicted in Figs. 1-2. Also, the processes of the illustrative embodiments may be applied to a multiprocessor data processing system other than the SMP system mentioned previously, without departing from the spirit and scope of the present invention.
And, data handling system 200 can be wherein different to take any form of many different data handling systems Data handling system include client computing device, server end calculate equipment, panel computer, notebook, phone Or other communication equipment, personal digital assistant (PDA), etc..Such as, in some illustrated examples, data handling system 200 Can be portable computing device, this portable computing device be configured with flash memories to provide a store for operating system literary composition Part is or/and the nonvolatile memory of data that produces of user.Substantially, data handling system 200 can be any of Or the data handling system of in the future exploitation and there is no the restriction of architecture.
Fig. 1 and 2 calculates one or more each side that can be used to realize illustrative embodiment of equipment.Such as, In such as Fig. 1, the server end calculating equipment of server 104 can be used to realize Web application, and this application can be by such as client One or more client computing device of end 110,112 and 114 access.Before disposing Web application, or by service After device 104 realizes Web application, the mechanism of this illustrative embodiment can be employed to perform the analysis of Web application to determine Whether downgrader that is that realized by Web application or that realize together with Web application observes safety criterion.For performing Web application point The mechanism of analysis can realize on server end calculating equipment, and such as, such as Web application will be deployed in wherein or at it The server 104 of upper realization, client computing device 110,112 or 114, other calculating equipment, multiple calculating equipment, etc. Deng.
Fig. 3 is an example block diagram of the primary operational elements of an application analysis mechanism in accordance with one illustrative embodiment. The elements shown in Fig. 3 may be implemented in software, hardware, or any combination of software and hardware. In one illustrative embodiment, the elements of Fig. 3 are implemented as software instructions executed by one or more processors of one or more computing devices.
As shown in Fig. 3, the application analysis mechanism 300 comprises a controller 310, an input/output interface 320, a downgrader detection engine 330, a downgrader abstraction engine 340, a downgrader evaluation engine 350, a security criteria engine 360, a downgrader flaw/incompatibility detection engine 370, and a legal/illegal string pattern database 380. The downgrader flaw/incompatibility detection engine 370 may further operate on an environment context specification 390, which may be stored together with the application analysis mechanism 300 or may be provided from an external source as an input to the application analysis mechanism 300. The same holds for any of the elements 310-390: rather than forming a single mechanism as depicted in Fig. 3, any of these elements may be distributed across multiple computing devices, and thus any of them may to some extent be "external" to the application analysis mechanism 300 while still operating in conjunction with the other elements that make up the application analysis mechanism 300.
The controller 310 controls the overall operation of the application analysis mechanism 300 and orchestrates the operation and use of each of the other elements 320-390. The input/output interface 320 operates to receive inputs, such as the Web application code to be analyzed, user input (if any) for configuring the operation of the application analysis mechanism 300, and the like. The input/output interface 320 further operates to generate outputs that notify developers, security personnel or other users whether the downgraders of their Web application satisfy the established security criteria and, if not, which violations were found. Moreover, based on the analysis performed by the downgrader flaw/incompatibility detection engine 370, the input/output interface 320 is further operable to generate outputs notifying developers, security personnel or other users of any flaws in their downgraders and/or incompatibilities between the downgraders and the environment they are meant to protect, as discussed in greater detail hereafter.
The downgrader detection engine 330 analyzes the application code to detect where downgrader code may appear within it. In one illustrative embodiment, the downgrader detection engine 330 may locate downgrader code in the application code using string analysis in the manner described in, for example, U.S. Patent Application 12/575,647 (hereafter the '647 application). Of course, other known or later developed mechanisms for detecting downgrader code in application code may be used without departing from the spirit and scope of the illustrative embodiments.
To provide an example of how downgrader code may be identified in application code, assume that the string analysis of the '647 application is utilized. In such string analysis, the application code is first converted into a context-free grammar (CFG) with string operations, in the manner described in, for example, Yasuhiko Minamide, "Static Approximation of Dynamically Generated Web Pages," Proceedings of the 14th International Conference on World Wide Web (WWW '05), 2005. Then, by applying an approximating string operation function over the CFG, corresponding to each string operation in the source application code, the string operations are removed from the CFG, leaving production rules. These production rules are typically represented in the form N → X1…Xn, where N is a variable and X1…Xn are variables or characters, and together they make up the context-free grammar. The approximating string operation function converts a CFG into another CFG, e.g., by a transducer, which is a finite state automaton with output. The approximating string operation function is applied iteratively until no string operations remain in the production rules. The result is a CFG consisting of production rules with no string operations.
That is, the code is presented as a context-free grammar in which the start variable corresponds to the string whose approximation is of interest. For example, suppose this string is v in "v = v1.concat(v2);". To compute the possible values of v, the abstract values of v1 and v2 must be known; once they are known, the effect of the "concat" operation on v1 and v2 must be modeled and the "concat" operation removed from the grammar. This is what is meant above by applying the approximating string operation iteratively until no string operations remain in the production rules.
Since v is known to depend on v1 and v2, the approximation may consider v1 and v2 in turn, recursively, as the start variable. The production rules for these strings can be obtained directly, unless loop definitions are involved (as discussed further below). Once this recursive consideration of v1 and v2 has been performed, the operation returns to the grammar for v and applies the transducer that approximates "concat". This yields a simplified grammar in which the "concat" operation no longer appears and which, in effect, assigns a value to v in the rules. Loop definitions require a fixed-point iteration rather than the recursion described above, e.g., if the concatenation is performed inside a loop, because during the i-th iteration the value of v depends on its value in the (i-1)-th iteration. As a further example, consider a Java program in which, after initializing a string variable a with the value "a", the string "a" is appended to a three times in a loop and the result is assigned to a variable r.
The CFG below, in the form of production rules, is obtained by converting each application variable v into a nonterminal string variable S_v and each "=" into →, where concatenation by "+" is treated as concatenation in the CFG.
S_a → a
S_a → S_a a
S_r → S_a
For example, the CFG with start symbol S_a represents the set of possible string values given to the application variable a; it generates the set of strings { "a", "aa", "aaa", "aaaa", … }. Likewise, the symbol S_r represents the set of possible string values given to the program variable r. This set contains strings that are never actually assigned to the variables a and r, because the string analysis completely ignores the condition of the "for" statement.
When the application code uses a predefined string operation, such as String.substring in the code fragment below, a sound approximation is employed for each such string operation when converting the application code into a CFG. For example, consider the predefined string operation in the following code fragment:
String a = "xxa";
for (int i = 0; i < 3; i++) a = a + "a";
String r = a.substring(2);
Soundness of an approximated string operation means that the CFG computed by the approximated string operation contains all of the actual strings computed by the corresponding predefined string operation.
Soundness may be defined formally as follows: for a string operation f, an approximation f̂ of f is sound if, for every set of strings S, S′ ⊆ f̂(S), where S′ = { s′ | s′ = f(s), s ∈ S }. One way to approximate a predefined string operation is to use a transducer, which is an automaton with output; it is known that the image of a CFG under a transducer is again a CFG. Another way is a homomorphism on (Σ, +), where Σ is the character set and + denotes concatenation. Yet another is a function that always returns the same output, namely a CFG of all strings that could possibly be returned by the corresponding predefined string operation. The following production rules, containing the approximated string operation substring(_, 2), are obtained from the example code fragment above using a sound approximation:
S_a → xxa
S_a → S_a a
S_r → substring(S_a, 2)
Referring now to Fig. 4, a transducer 400 is illustratively depicted. The approximated string operation substring(_, 2) is defined by the transducer 400 and is a sound approximation of the string operation substring(_, 2). By applying the depicted transducer 400 to the grammar consisting of the production rules above, the following CFG is obtained, which represents the set { "a", "aa", "aaa", "aaaa", … }.
S′_a → a
S′_a → S′_a a
S_r → S′_a
In Fig. 4, the label A represents any character, and A/ε represents a transition that converts any character into the empty string, meaning that the character is deleted. With a "sound" transducer, the resulting values are a safe over-approximation of the strings the operation may produce at run time. Thus, for "substring(_, 2)", the transducer simply deletes the first two characters of the string, as indicated by the labels A/ε (essentially deleting the character A). This yields a new CFG, which is the result of applying the transducer to the original grammar.
After the above mechanism has been applied iteratively to the application code, a set of production rules representing the application, with no string operations remaining, is obtained.
Thus, the result of the string analysis is a CFG consisting of the resulting production rules.
Referring to Fig. 5, one illustrative embodiment for implementing static string analysis in accordance with the illustrative embodiments will now be described. The description first presents the process for intra-procedural string analysis and then explains how it is extended to inter-procedural string analysis. The implementation details shown assume that the string analysis is implemented on top of a static analysis framework. The static analysis framework may be any known framework and may include, for example, the Watson Libraries for Analysis (WALA), which are available as an open source product from wala.sourceforge.net.
To describe the intra-procedural string analysis, consider the Java method nappend whose SSA form is shown below.
In block 502, the program is converted into static single assignment (SSA) form, in which the instructions are expressed using pseudo-labels. An example of the conversion is illustratively shown below:
main(String)
1. a = "a"
2. b = "b"
3. r = nappend(a, b, 3)
nappend(String)
1. b1 = n == 0
2. goto 6 if b1
3. v1 = x + y
4. r1 = nappend(v1, y, n-1)
5. goto 8
6. r2 = x
7. goto 8
8. r = phi(r1, r2)
9. return r
Fig. 6 depicts the call graph of this program. The pseudo-labels used in the program instructions above include v = val, which assigns val to the variable or field v; v = obj.func(v1, …, vn), a method call with parameters v1, …, vn; goto N, an unconditional jump to label N; and goto N if v, a conditional jump to label N under condition v. In addition, the SSA conversion introduces new variables and represents φ-functions by phi(v1, v2), producing a program in which each variable has exactly one assignment. This property of SSA form is well suited to finding data dependencies.
In block 504, in the same manner as described above, the assignments in the SSA form, with the exception of conditional and unconditional jumps, are converted into a set of production rules with string operations 506. In particular, v = phi(v1, v2) is converted into the two production rules S_v → S_v1 and S_v → S_v2, so that S_v represents the union of the two sets of strings assigned to v1 and v2, respectively. With this conversion, the following production rules are obtained from the pseudo-SSA form of the nappend method:
S_v1 → S_x S_y
S_r1 → nappend(S_v1, S_y, n-1)
S_r2 → S_x
S_r → S_r1
S_r → S_r2
For inter-procedural string analysis, the intra-procedural string analysis is extended using the call graph information constructed by WALA, whose context sensitivity can be controlled flexibly by known methods. Each variable in the SSA program is annotated with its call graph node. All production rules are combined after the method-call production rules, such as the nappend rule above, have been converted. Production rules are also introduced that describe the dependencies between the parameters and return value of a called method and the variables of the calling method. For example, if the context-insensitive call graph of Fig. 6 is used, the following production rules are introduced, where the superscript of each nonterminal symbol denotes the corresponding call graph node:
S_x^2 → S_a^1
S_x^2 → S_v1^2
S_y^2 → S_b^1
S_y^2 → S_y^2
S_r^1 → S_r^2
S_r1^2 → S_r^2
The full set of production rules with string operations 506 obtained from the program is:
S_a^1 → a
S_b^1 → b
S_v1^2 → S_x^2 S_y^2
S_r2^2 → S_x^2
S_r^2 → S_r1^2
S_r^2 → S_r2^2
S_x^2 → S_a^1
S_y^2 → S_b^1
S_r^1 → S_r^2
S_x^2 → S_v1^2
S_y^2 → S_y^2
S_r1^2 → S_r^2
An optional pointer analysis 508 may be performed to identify how constant strings flow between methods into variables, and whether the same object is assigned to different variables, potentially in different methods, even when those objects are created dynamically. In block 510, the following CFG is obtained, which predicts the possible strings assigned to the variable r in the main method, with start symbol S_r^1:
S_r^1 → a | S_r^1 b
Referring to Fig. 7, a block/flow diagram illustratively depicts a system and method for static detection and classification of information flow downgraders in accordance with an illustrative embodiment. The system and method shown in Fig. 7 may be implemented in the downgrader detection engine 330 of Fig. 3, for example, to detect the portions of the application code that correspond to downgraders.
As shown in Fig. 7, in block 702, a program stored in a memory device, which may be provided from a separate device through the input/output interface 320 of Fig. 3, is converted by a static analyzer so that each variable in the instruction set is assigned exactly once. This includes transforming the application code by expressing its variable assignments with pseudo-labels.
For example, in block 704, the instruction set is converted into production rules with string operations in the manner described above. In block 706, a pointer analysis may optionally be performed on the production rules with string operations, as is known in the art, to improve precision.
In block 708, a CFG is produced from the production rules. In block 710, information flow downgrader functions are identified by checking the CFG against one or more function specifications. These one or more function specifications comprise string patterns, such as regular expressions. The string patterns are supplied by the analysis tool or by the user and represent the sets of strings that can (or cannot) be used in security-sensitive operations. For example, the strings "<" and ">" are considered unsafe because cross-site scripting (XSS) attacks typically use these characters. Therefore, the regular expression ".*[<>].*" (i.e., declaring strings containing "<" or ">" to be unsafe) could be part of the specification for an information flow downgrader intended to prevent XSS attacks.
The one or more functions preferably include the security-sensitive functions of the application code. This may include detecting and classifying downgrader functions based on the intent of the downgrader function.
In block 712, the CFG is preferably compared with the specification of the information flow downgrader, so that if the grammar satisfies the specification, the input is deemed to be correctly downgraded. The comparison between the CFG and the regular expression specification may be performed, for example, by a CFL reachability algorithm, such as the one described in Thomas Reps, "Program Analysis via Graph Reachability," University of Wisconsin, August 1998.
For example, the one or more function specifications are used to classify a downgrader function as a correct downgrader for one or more security vulnerabilities. Suppose there are multiple string patterns (regular expressions), each corresponding to a security vulnerability such as cross-site scripting (XSS) or HTTP response splitting (HRS). Where there are string patterns for XSS and HRS, the obtained CFG is compared against both. Each pattern describes the strings that are illegal for its vulnerability, so if the intersection of the CFG with the XSS pattern is empty, i.e., no string the function can produce matches the pattern, the corresponding function is detected as an information flow downgrader that is correct for XSS; the intersection may be computed by the CFL reachability algorithm mentioned above. Likewise, if the intersection of the CFG with the HRS pattern is empty, the corresponding function is detected as an information flow downgrader that is correct for HRS. It should be noted that in this example a function may be detected as an information flow downgrader that is correct for both XSS and HRS. Of course, the invention is not limited to XSS and HRS and may be used for any known or later developed security vulnerability.
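The string analysis above (the loop grammar, the substring(_, 2) transducer and its soundness condition, the inter-procedural nappend result, and the pattern comparison of blocks 710 and 712) can be exercised on the page's own grammars. The following Python block is an added example and is not code from the patent or any implementation of it. It enumerates a CFG's language up to a length bound as a stand-in for the symbolic CFL-reachability comparison, checks the soundness condition f(L(S)) ⊆ L(S′) for the substring approximation against a deliberately unsound grammar, transcribes nappend from its SSA listing, and classifies two constructed output grammars against the XSS regular expression quoted in the text. The HRS pattern, the two output grammars and the grammar names not on the page are assumptions made for the example.

```python
import re
from collections import deque
from typing import Callable

# A CFG is a dict from nonterminal to its alternatives; each alternative is a
# tuple of symbols. A symbol that is a key of the dict is a nonterminal, any
# other symbol is a literal (non-empty) terminal string.
Grammar = dict[str, list[tuple[str, ...]]]


def language(grammar: Grammar, start: str, max_len: int) -> set[str]:
    """Enumerate every terminal string of length <= max_len derivable from start.

    Bounded enumeration stands in for the symbolic CFL-reachability comparison
    used in the text. The pruning assumes every symbol derives at least one
    character, which holds for all grammars on this page.
    """
    strings: set[str] = set()
    seen: set[tuple[str, ...]] = set()
    queue = deque([(start,)])
    while queue:
        form = queue.popleft()
        if form in seen:
            continue
        seen.add(form)
        terminal_chars = sum(len(s) for s in form if s not in grammar)
        if len(form) > max_len or terminal_chars > max_len:
            continue  # this sentential form can only derive strings longer than max_len
        idx = next((i for i, s in enumerate(form) if s in grammar), None)
        if idx is None:
            strings.add("".join(form))
            continue
        for alt in grammar[form[idx]]:  # expand the leftmost nonterminal
            queue.append(form[:idx] + alt + form[idx + 1:])
    return strings


# Grammar from the text for: a = "a"; for (...) a = a + "a"; r = a;
LOOP_GRAMMAR: Grammar = {"S_a": [("a",), ("S_a", "a")], "S_r": [("S_a",)]}

# Grammars for a = "xxa" before and after the substring(_, 2) transducer of Fig. 4.
SUBSTRING_BEFORE: Grammar = {"S_a": [("xxa",), ("S_a", "a")]}
SUBSTRING_AFTER: Grammar = {"S'_a": [("a",), ("S'_a", "a")], "S_r": [("S'_a",)]}
# A deliberately unsound "approximation" that drops the recursive rule (assumed).
UNSOUND_AFTER: Grammar = {"S'_a": [("a",)], "S_r": [("S'_a",)]}


def substring_transducer(k: int) -> Callable[[str], str]:
    """Concrete semantics of String.substring(k): the A/epsilon transitions of
    Fig. 4 delete the first k characters."""
    return lambda s: s[k:]


def is_sound(f, before, before_start, after, after_start, max_len, shrink):
    """Soundness as defined in the text: f(L(before)) must be a subset of L(after).

    Checked on bounded languages; `shrink` is how many characters f may remove,
    so inputs are enumerated that much longer than the outputs under test.
    """
    inputs = language(before, before_start, max_len + shrink)
    image = {f(s) for s in inputs}
    image = {s for s in image if len(s) <= max_len}
    return image <= language(after, after_start, max_len)


def nappend(x: str, y: str, n: int) -> str:
    """Transcription of the SSA listing of nappend: append y to x n times."""
    return x if n == 0 else nappend(x + y, y, n - 1)


# Inter-procedural result from the text: S_r^1 -> a | S_r^1 b
NAPPEND_RESULT: Grammar = {"S_r^1": [("a",), ("S_r^1", "b")]}

# Illegal-string patterns per vulnerability: the XSS one is the regular
# expression quoted in the text, the HRS one is assumed. DOTALL lets ".*"
# span line breaks so fullmatch behaves like a language intersection.
PATTERNS = {
    "XSS": re.compile(r".*[<>].*", re.DOTALL),
    "HRS": re.compile(r".*[\r\n].*", re.DOTALL),
}


def classify_downgrader(grammar: Grammar, start: str, max_len: int = 6) -> dict[str, bool]:
    """Blocks 710/712: a function is a correct downgrader for a vulnerability when
    the intersection of its output grammar with that vulnerability's illegal
    pattern is empty, i.e. no derivable string matches the pattern."""
    outputs = language(grammar, start, max_len)
    return {name: not any(p.fullmatch(s) for s in outputs) for name, p in PATTERNS.items()}


# Output grammars of two hypothetical functions (constructed): one escapes angle
# brackets but passes line breaks through, the other passes "<" through untouched.
ESCAPER_OUT: Grammar = {"S_o": [("&lt;",), ("&gt;",), ("x",), ("\n",), ("S_o", "S_o")]}
PASSTHROUGH_OUT: Grammar = {"S_o": [("<",), ("x",), ("S_o", "S_o")]}

if __name__ == "__main__":
    print(sorted(language(LOOP_GRAMMAR, "S_r", 4)))  # contains "a", which is never assigned at run time
    print(is_sound(substring_transducer(2), SUBSTRING_BEFORE, "S_a", SUBSTRING_AFTER, "S_r", 4, 2))
    print(nappend("a", "b", 3), "abbb" in language(NAPPEND_RESULT, "S_r^1", 4))
    print(classify_downgrader(ESCAPER_OUT, "S_o"), classify_downgrader(PASSTHROUGH_OUT, "S_o"))
```

The enumeration makes the over-approximation visible: L(S_r) of the loop grammar contains "a" and "aa" although the program only ever assigns "aaaa", exactly because the "for" condition is ignored. The same bounded language is what the classification step intersects with each illegal pattern.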
Another approach, which may be used in addition to the string analysis of the illustrative embodiments described above, performs string analysis using a monadic second-order abstraction of the downgrader. Referring again to Fig. 3, after one or more downgraders have been identified in the application code in the manner described above, the downgrader abstraction engine 340 is used to construct an abstract representation of the downgrader. That is, the downgrader abstraction engine 340 may be applied to each downgrader identified in the application code to produce an abstract representation of the downgrader that models the downgrader in isolation.
In one illustrative embodiment, the downgrader abstraction engine 340 may implement monadic second-order logic over the strings in the downgrader, where the downgrader code is expressed as a formula in monadic second-order logic. An example implementation of monadic second-order logic applied to strings is described in Elgaard et al., "MONA 1.x: New Techniques for WS1S and WS2S," available at www.brics.dk/mona/papers/mona1x-new-technique-ws1s-ws2s/article.pdf, which is hereby incorporated by reference.
Using this monadic second-order logic, instructions in the downgrader code that do not operate on the input to the downgrader code may be ignored, or may be represented in a way that reflects their effect on the result of the downgrader. For example, a test of the form "if (input.contains("xyz")) { … }" is represented by asserting, within the body of the conditional, that the input contains the string "xyz".
Referring again to Fig. 3, using the abstract representation produced by the downgrader abstraction engine 340, the downgrader evaluation engine 350 evaluates the manner in which the downgrader in the application code processes the input to the downgrader code, e.g., the way a sanitizer changes, deletes or replaces suspicious portions of the input, or the way a validator decides whether the input is legal and whether to reject it. This evaluation includes comparing the downgrader's processing of the input against a specification, where the specification is, for example, a set of formal security criteria dictating how a downgrader should operate. For example, the security criteria engine 360 may provide pre-established security criteria that set out the rules and conditions under which a downgrader is required to operate in order to avoid security problems in the operation of the application code. These pre-established security criteria may be defined by security personnel and stated in a database or other data structure associated with the security criteria engine 360. The security criteria engine 360 may provide one or more user interfaces through which security personnel or other users can define such security criteria and store them in the database or data structure.
For example, assume that a pre-established security criterion for downgraders is that the input to a downgrader must be either accepted or rejected (e.g., as a validator does), but not changed by the downgrader (e.g., as a sanitizer does). This security criterion favors validators over sanitizers. Functionally, both validators and sanitizers can correctly ensure the security of an application; however, sanitizers can be harder to reason about (e.g., the side effects of the replacement operations performed by the sanitizer must be considered) and more problematic with respect to user expectations (e.g., the changes performed by a sanitizer may defeat some logical aspect of the input).
Given the abstract representation of the downgrader produced by the downgrader abstraction engine 340, the static analysis logic 352 of the downgrader evaluation engine 350 interprets the effect of the operations the downgrader performs on its input and determines whether the input is converted, i.e., whether the downgrader implements a sanitizer. If so, and a security criterion rule provided by the security criteria engine 360 indicates that the input to the downgrader must not be converted, the downgrader evaluation engine 350 may generate an output indicating that a security criteria violation has occurred in the evaluated downgrader. This output may be a notification message sent to a specified contact address, output produced on an output device of a client computing device, such as a display device or printer, or the like. For example, the notification message may indicate the application, the security criterion violated, and the location in the application code at which the violation was detected, i.e., which downgrader violates the security criterion.
Moreover, the downgrader evaluation engine 350 may include logic for identifying violations and consulting a knowledge base 354 associated with the downgrader evaluation engine 350 to determine suggested modifications of the downgrader code that would bring the downgrader into conformance with the established security criteria. For example, if it is determined that the downgrader changes its input and outputs a sanitized result, and the security criterion above is in place, the downgrader evaluation engine 350 may, based on the detected violation and on other information about the structure of the downgrader code extracted using the static analysis mechanisms, consult the knowledge base 354 and suggest modifying the downgrader code so that the sanitizing elements that change the input are replaced by code portions that accept or reject the input without changing it.
In some illustrative embodiments, the downgrader evaluation engine 350 may also include downgrader scoring logic 356. The downgrader scoring logic 356 operates to identify the degree to which a downgrader deviates from the established security criteria provided by the security criteria engine 360, and quantifies this deviation to produce a score for the downgrader. For example, the score may be a simple count of the security criteria violated by the downgrader code, a weighted count of the violated security criteria, where the weights are associated with the particular security criteria violated so as to indicate their priority, or the like.
Once the deviation from the established security criteria has been calculated in the manner above, the score for the downgrader may be compared against one or more established thresholds to obtain an indication of whether the downgrader is considered to represent a slight, moderate or significant security threat. Based on this classification of the downgrader's security threat level, various processing may be performed. For example, downgraders representing a slight security threat may simply be identified, and a notification of the potential security problem associated with the downgrader sent to the appropriate users. For downgraders representing a moderate or significant security threat, notifications with a higher priority may be generated and sent to one or more users, and may further include information about the modifications proposed for the downgrader code so that the downgrader satisfies the established security criteria.
In some illustrative embodiments, the downgrader evaluation engine 350 may automatically modify the downgrader code, based on the evaluation of the downgrader against the established security criteria, so that the downgrader is brought into compliance with the security criteria, or at least so that the security threat posed by the downgrader is mitigated. For example, in one illustrative embodiment, if it is determined that the downgrader is a sanitizer and that it represents a significant security threat, the downgrader evaluation engine 350 may automatically modify the downgrader code to convert it into a validator, thereby reducing the security threat. The modified code may then be provided to the appropriate user so that it can be recompiled before being deployed to the computing devices.
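The evaluation described in this section (the "accept or reject, but do not change" criterion, the weighted violation score, the threshold classification and the automatic sanitizer-to-validator rewrite) is shown end to end in the following Python block. It is an added example, not code from the patent: observing a downgrader's behaviour on constructed sample inputs stands in for what the static analysis logic 352 derives symbolically from the abstract representation, and the two criteria, their weights, the thresholds, the sample inputs and the three hypothetical downgraders are all assumptions made for the example.

```python
from typing import Callable

# A downgrader takes the input string and either returns it (possibly rewritten)
# or raises ValueError to reject it.
Downgrader = Callable[[str], str]


def escape_sanitizer(s: str) -> str:
    """Sanitizer (hypothetical): rewrites the input rather than rejecting it."""
    return s.replace("<", "&lt;").replace(">", "&gt;")


def reject_validator(s: str) -> str:
    """Validator (hypothetical): returns the input unchanged or rejects it."""
    if "<" in s or ">" in s:
        raise ValueError("rejected: angle bracket in input")
    return s


def passthrough(s: str) -> str:
    """No downgrading at all: accepts every input unchanged."""
    return s


def observe(downgrader: Downgrader, sample: str) -> str:
    """Outcome of one input: 'accepted' (returned unchanged), 'rejected' or
    'transformed'. Running samples stands in for what static analysis logic 352
    derives symbolically from the downgrader's abstract representation."""
    try:
        out = downgrader(sample)
    except ValueError:
        return "rejected"
    return "accepted" if out == sample else "transformed"


UNSAFE_CHARS = ("<", ">")

# Security criteria as (name, weight, violated_if(sample, outcome)). The weight
# expresses the criterion's priority, giving the weighted count from the text.
CRITERIA = [
    ("input-not-changed", 3,
     lambda sample, outcome: outcome == "transformed"),
    ("unsafe-input-not-accepted", 5,
     lambda sample, outcome: outcome == "accepted"
     and any(c in sample for c in UNSAFE_CHARS)),
]

# Score thresholds (assumed): a score at or below a bound gets that label,
# anything above the last bound is "significant".
THRESHOLDS = [(0, "none"), (3, "slight"), (6, "moderate")]


def violated_criteria(downgrader: Downgrader, samples: list[str]) -> set[str]:
    """Names of the criteria the downgrader violates on at least one sample."""
    found: set[str] = set()
    for sample in samples:
        outcome = observe(downgrader, sample)
        found.update(name for name, _w, violated in CRITERIA if violated(sample, outcome))
    return found


def score(violated: set[str]) -> int:
    """Downgrader scoring logic 356: weighted count of the violated criteria."""
    return sum(w for name, w, _v in CRITERIA if name in violated)


def threat_level(points: int) -> str:
    """Compare the score against the thresholds."""
    for bound, label in THRESHOLDS:
        if points <= bound:
            return label
    return "significant"


def to_validator(sanitizer: Downgrader) -> Downgrader:
    """Automatic rewrite from the text: turn a sanitizer into a validator that
    rejects exactly the inputs the sanitizer would have altered."""
    def validator(s: str) -> str:
        if sanitizer(s) != s:
            raise ValueError("rejected: input would have been rewritten")
        return s
    return validator


# Constructed sample inputs.
SAMPLES = ["hello", "<script>alert(1)</script>", "a > b", "plain text"]


def assess(downgrader: Downgrader, samples: list[str] = SAMPLES) -> dict:
    """Steps 840 to 870 of Fig. 8 for one downgrader."""
    violated = violated_criteria(downgrader, samples)
    points = score(violated)
    return {"violations": violated, "score": points, "level": threat_level(points)}


if __name__ == "__main__":
    for name, d in [("sanitizer", escape_sanitizer), ("validator", reject_validator),
                    ("passthrough", passthrough), ("rewritten", to_validator(escape_sanitizer))]:
        print(name, assess(d))
```

The rewritten function accepts precisely the fixed points of the original sanitizer, so it needs no separate list of forbidden characters and cannot introduce a replacement side effect; that is why it scores zero against both criteria while the sanitizer it was derived from does not.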
So, the mechanism of illustrative embodiment provide not only the machine for identifying downgrader code in application code System, and provide and for this downgrader code abstract, downgrader process can be commented according to the safety criterion established The mechanism estimated.By this way, provide for for guarantee downgrader provide by safety criterion define about application Automatization's mechanism of little safe class.The mechanism of illustrative embodiment can use string parsing recursively to catch concrete operations language Justice and show that downgrader the most automatically meets the mode of the conclusion of minimum safe criterion and models the operation of downgrader.
Fig. 8 is the flow chart of the exemplary operations summarizing the automatic applied analysis mechanism according to an illustrative embodiment.As Shown in Fig. 8, operate and start (step 810) receiving application code to be analyzed.Static analysis mechanism is applied to apply generation Code to identify downgrader code (step 820) in application code.For the next downgrader identified in step 820, produce The abstract representation (step 830) of raw downgrader.Then the abstract representation assessment of downgrader is used according to the safety criterion established Downgrader process (step 840).Based on this assessment, it is made as to whether to there is the determination that any safety criterion detected is violated (step 850).If violated, then the most alternatively, quantify the inclined of the degree violated or downgrader process and safety criterion Difference is to produce mark (step 860) for downgrader.Then this mark thus can be compared to one or more threshold values The seriousness violating the safety criterion of downgrader sorts out (step 870).Optionally, in addition, knowledge base can be accessed Identify that the solution of the recommendation violating safety criterion makes downgrader meet safety criterion (step 880).
Based on the detection violated, and alternatively, mark and/or the information obtained from knowledge base, can create and export The notification message (step 890) violated about this safety criterion.Hereafter, make about whether application code has other downgrader To be processed determine (step 895).If it has, operation returns to step 830;Otherwise operate termination.
It should be noted that although the illustrative embodiments described above describe one mechanism for identifying downgraders in application code, such as the code of a Web application, the illustrative embodiments are not limited to this mechanism. On the contrary, any mechanism for locating portions of the application code that correspond to, or perform, a downgrader function may be used without departing from the spirit and scope of the illustrative embodiments. Moreover, although the illustrative embodiments are described as being applied to Web applications and to information flows associated with Web applications, they are not limited to these. Rather, the illustrative embodiments may be used with any application code that implements downgraders or with which downgraders are associated.
Referring again to Fig. 3, in addition to the mechanisms described above for finding downgraders and evaluating them against the established safety criteria, the illustrative embodiments further provide a mechanism, such as the downgrader defect/incompatibility detection engine 370, for detecting defects in downgraders and incompatibilities between downgraders and the systems they are meant to protect, even where the downgrader satisfies the established safety criteria discussed above. That is, while the previously described mechanisms can determine whether a downgrader performs the type of safety operation, with respect to the safety criteria, that the downgrader is intended to perform, the further mechanisms of the illustrative embodiments described below include logic for ensuring that the specific implementation of the downgrader performs those safety operations correctly in the specific environment, i.e. that the downgrader's implementation and the environment in which it is deployed are free of defects and incompatibility problems.
In addition, the illustrative embodiments can also handle correctness problems of a downgrader that go beyond its compatibility with the deployment environment. That is, if the downgrader code is compatible with the deployment environment but the downgrader code itself does not work correctly, i.e. it does not match all of the illegal patterns it should match in order to guarantee the safety of the system it is associated with, the matching mechanisms of the illustrative embodiments will detect these defects in the downgrader's operation. Such defects are referred to as "corner cases" that the downgrader fails to handle correctly. Compatibility problems with the deployment environment are referred to as "horizontal" problems, and problems with how the downgrader handles corner cases are referred to as "vertical" problems.
The illustrative embodiments provide mechanisms that use static analysis techniques to automatically identify whether a downgrader is incomplete, incorrect, or incompatible with the back-end software/hardware, i.e. the environment it is expected to protect. This is accomplished using three basic components. The first component is a string analysis mechanism that, based on a proper computation over the strings the downgrader may receive as input, computes a safe approximation of the set of strings the downgrader may output if it operates correctly.
The second component is a set of "illegal patterns", a partially ordered set that makes up the correctness specification of the downgrader's validator or sanitizer. An illegal pattern is a compact representation of a set of strings (e.g., a regular expression or a context-free grammar (CFG)) that the validator/sanitizer must not return/accept. That is, an illegal pattern is a regular expression e such that, for a validator V to be considered safe with respect to e, V must reject an input string if it matches e, and for a sanitizer S to be considered safe with respect to e, no string returned by S may match e.
To illustrate what an illegal pattern means, consider two patterns A and B, where pattern A is a strict subset of pattern B. If the downgrader's validator operates correctly with respect to pattern B, one can conclude that the validator is correct in general, i.e. also correct with respect to pattern A. However, if the validator is correct only with respect to pattern A and not with respect to pattern B, then the validator is not correct in its operation, because there are strings in pattern B, but not in pattern A, that the validator may return/accept even though they are unsafe. For example, a possible illegal pattern for cross-site scripting (XSS) attacks is one asserting that a string does not contain "<" or ">", i.e. a string containing "<" or ">" may indicate an XSS attack. A more restrictive illegal pattern may further require that the string not contain the substring "javascript:". Thus, the set of illegal patterns represents the sets of strings that cannot be returned/accepted by the downgrader's validator/sanitizer without compromising the security of the back-end software/hardware. This partial order, i.e. restrictive, more restrictive, etc. sets of illegal strings, provides a mechanism for analyzing in depth which corner cases are not handled, and the analysis can therefore be used to indicate how the downgrader should be remedied or modified, as discussed below.
The third component is a specification of the environmental context that the downgrader is expected to protect, i.e. a description of the software, and in some cases the hardware, on which the downgrader is to operate. For example, the environmental context may specify the type of server on which the downgrader is, or is to be, deployed (e.g., processor model and count, amount of memory, etc.) and the database server software running on the server, such as Microsoft (MS) SQL (Structured Query Language) Server, DB2, etc.
The environmental context information may further specify the type of application container in which the database application is deployed, e.g., Tomcat, JBoss, WebSphere, etc., because different containers differ in how they parse and handle requests, which may dictate different downgraders (e.g., Tomcat removes the "\r\n" pattern from parameter values, which makes these values safe against HTTP response splitting (HTTPRS) attacks, but that is not necessarily the case with WebSphere).
Referring again to Fig. 3, the environmental context 390, i.e. the "third component" above, may be an input specified by the user through one or more graphical user interfaces or the like, received via the input/output interface 320. Alternatively, the environmental context 390 may be discovered or inferred automatically from configuration information maintained by the system in which the environment resides. For example, for a database system, the environmental context specification 390 defining the type of database system may be discovered or inferred by analyzing the configuration information of the database system, examining the deployed database software, etc. In other examples, such as downgraders that handle cross-site scripting (XSS) attacks, HTML context information may be used. In that case, static data-flow analysis may be performed on the data flowing into the downgrader to determine which HTML rendering statements depend on the downgrader's output, and string analysis can then establish the HTML context at the point where this information is rendered. Such static analysis techniques are described in application Ser. No. 12/825,293.
For a particular downgrader, the definition of the set of illegal patterns that the downgrader matches, i.e. identifies as illegal, may be provided by the user or otherwise determined from analysis of the downgrader code. That is, for various different environments, the downgrader may match different illegal patterns. For example, the particular illegal patterns that a particular downgrader matches may be specified by the user and stored in the legal/illegal string pattern database 380, or otherwise associated with that particular downgrader. In other illustrative embodiments, however, the downgrader code may be analyzed by the downgrader defect/incompatibility detection engine 370 or another tool (not shown) to identify the particular patterns that the particular downgrader looks for and matches, and that serve either as the basis for rejecting the input (in the case of a validator) or as the basis for modifying the input (in the case of a sanitizer).
Further, the legal/illegal string pattern database 380 may store multiple illegal pattern sets for various types of downgraders, e.g., downgraders for XSS attacks, SQLi attacks, etc. The illegal pattern sets may include illegal patterns for multiple different downgraders of the same type and for multiple different environments in which those downgraders may be implemented. Thus, for example, a particular set of illegal patterns may be identified based on the type of downgrader being evaluated. For example, the downgrader defect/incompatibility detection engine 370 may determine the type of the downgrader being analyzed and retrieve the corresponding illegal string pattern set from the legal/illegal string pattern database 380. The downgrader type can readily be determined from the application's context, according to which attackable information flow the downgrader is meant to block. For example, if there is a downgrader call mediating the information flow from an XSS source to an XSS sink, the illustrative embodiments will verify that call against the XSS specification (including the illegal patterns). Which calls in a vulnerable information flow are candidate downgrader calls can be determined heuristically based on the signature of the called method (e.g., String -> String for a sanitizer, String -> Boolean for a validator).
For example, a downgrader for detecting and handling SQL injection (SQLi) attacks may be associated with the following example set of illegal string patterns:
".*('|\\x22|#|%|=|;|\\+|[cC][hH][aA][rR]\\s*\\(\\s*\\d+\\s*\\)).*" // SQL injection (using the # comment character)
".*('|\\x22|--|%|=|;|\\+|[cC][hH][aA][rR]\\s*\\(\\s*\\d+\\s*\\)).*" // SQL injection (using the -- comment character)
".*('|\\x22|/\\*|\\*/|%|=|;|\\+|[cC][hH][aA][rR]\\s*\\(\\s*\\d+\\s*\\)).*" // SQL injection (using the /* */ comment characters)
The structure of these example illegal string patterns is as follows. The pattern begins (and ends) with .*, meaning that the pattern is matched anywhere within the downgrader's input string (see below). The pattern then contains an opening parenthesis, (, indicating the beginning of the set of strings considered illegal. The pattern then contains a list of illegal patterns separated by the pipe character, |. The pattern closes the illegal set with a closing parenthesis, ), and ends with .*.
For example, in the SQLi illegal string patterns defined above, the following illegal strings are to be matched:
" (defined by \x22)
A comment character. Depending on the SQL syntax used, one of #, --, or /* */.
=
+
char(\d+). This is essentially the "char" SQL function followed by a sequence of one or more digits. Note that the use of [cC] allows a case-insensitive match of the word "char". This gives the ability to match either case-sensitively or case-insensitively.
Except for one small but important part, each of these three illegal patterns is identical; the small but important part is the type of comment character being matched. In the first pattern the # single-line comment delimiter is matched, in the second pattern the -- single-line delimiter is matched, and in the third the /* */ multi-line comment delimiters are matched. The remaining parts of each pattern are unchanged.
Different SQL dialects use different styles of comments. For example, PL/SQL in Oracle databases and T-SQL in Microsoft databases use -- single-line and /* */ multi-line comments, whereas MySQL adds the # single-line comment to its list of legal comment syntax.
Each of the illegal patterns described above can be associated with a different environment in which the downgrader may be implemented (e.g., the SQL dialect supported, such as T-SQL or PL/SQL). The downgrader may match any of these illegal patterns when identifying an input string that corresponds to a SQLi attack. Essentially, if the downgrader receives an input string and that input string, or a part of it, matches one of these patterns, the downgrader detects the input string as a potential threat and either rejects the input (validator) or modifies the input string to delete or alter the part of the input that matches the illegal string pattern (sanitizer).
The downgrader defect/incompatibility detection engine 370 uses the environmental context information 390 to determine which string patterns should be matched by the particular downgrader, i.e. which patterns the downgrader's validator/sanitizer should identify as illegal string patterns in the context of the particular environment. That is, the environmental context specification 390 may be used to determine which illegal string patterns in the set of illegal string patterns should be matched by the downgrader's implementation in the particular environment corresponding to the environmental context specification 390. As described below, it can then be determined whether the downgrader actually matches the illegal patterns it should match and, if not, an indication that the downgrader is incompatible with the environment in which it is deployed can be generated.
For example, for MS SQL Server, a downgrader targeting SQL injection (SQLi) attacks will produce a particular set of outputs for a particular set of inputs. The string analysis mechanism of the downgrader defect/incompatibility detection engine 370 therefore computes a safe approximation of the set of strings the downgrader may return/accept, i.e. the set of strings the downgrader validly outputs, given a set of input strings, if the downgrader works correctly and is compatible with the environment in which it is implemented. A safe approximation means that the set of return values computed by the analysis of the downgrader contains the set of return values that may actually be returned when the program runs. This means the analysis has a one-sided error: it may classify a correct downgrader as incorrect (and thus suffer from false positives), but not the other way around.
For example, if the downgrader is a sanitizer, the downgrader accepts a string and modifies it so that it can be used safely by one or more subsequent security-sensitive operations; the modified string is therefore the safe string returned by the downgrader. If the downgrader is a validator, the validator returns a Boolean value indicating whether the string is valid, which is what the terms "accept" or "reject" a string mean. Thus, for a validator, the downgrader defect/incompatibility detection engine 370 can compute a safe approximation of the set of strings the downgrader accepts.
Accordingly, if a downgrader of a particular type implemented in a particular environment works correctly and is compatible with that environment, the downgrader defect/incompatibility detection engine 370 can determine that, for an input string pattern S, the downgrader will produce a particular valid output O. This can be done for each input string pattern S of interest and for any combination of downgrader type and deployment environment. The resulting sets of legal string patterns, for the various combinations of downgrader type and environment, may be stored in the legal/illegal string pattern database 380. As an example, assume that a downgrader accepts a string S and pads the string with up to 5 "$" (space) characters. The downgrader may use the following approximation for its return value: S -> S($)*. That is, the returned string may be the input string S followed by zero or more $ characters. This describes a set of strings that is a strict superset of the strings the downgrader may return.
Using the type of the downgrader, the environmental context specification 390, and the legal/illegal string patterns in the legal/illegal string pattern database 380, the downgrader defect/incompatibility detection engine 370 can determine whether the particular downgrader is defective or is incompatible with the environment in which it is, or is to be, deployed. The downgrader defect/incompatibility detection engine 370 then generates a notification about any defect/incompatibility of the downgrader and sends it via the I/O interface 320 to the computing devices of the appropriate persons, to inform them of the defect/incompatibility and of the need to modify the downgrader to correct it.
As briefly mentioned above, the correctness of a downgrader is often not an absolute judgment but a relative one that depends on the context in which the downgrader serves, i.e. the environment in which it is or is to be deployed. For example, a particular downgrader may be submitted for verification to the downgrader defect/incompatibility detection engine 370 together with a request that it be verified under an associated environmental context specification 390. This environmental context specification 390 may specify, for example, the particular software configuration, hardware configuration, etc. of the downgrader's deployment environment. Based on the environmental context specification 390 and the downgrader to be verified, the downgrader defect/incompatibility detection engine 370 may determine the type of the downgrader and the type of the environment. Based on the downgrader type and the environment type, the corresponding sets of legal and illegal string patterns may be retrieved from the legal/illegal string pattern database 380.
In one illustrative embodiment, rather than storing the legal string pattern set in the legal/illegal string pattern database 380, the legal string pattern set may be determined dynamically based on the particular input strings to be submitted to the downgrader, the downgrader type, and the environment type. That is, based on the downgrader type and the environment type, the downgrader defect/incompatibility detection engine 370 may determine which illegal string patterns in the legal/illegal string pattern database 380 should be matched by the downgrader. From this information, if the downgrader works correctly and is compatible with the environment type, the downgrader defect/incompatibility detection engine 370 can determine that, given a particular input string, a downgrader of the particular type in an environment of the particular type should produce a particular safe, or valid, output.
The output of the downgrader can then be compared with the legal string pattern set to determine whether there is a mismatch, i.e. whether, for a particular input string, the output string contains strings that are not in the legal string pattern set. If so, a determination can be made as to whether the string pattern contained in the downgrader output is included in the illegal string pattern set. From the above, it can be determined which illegal string patterns the downgrader matches, and then whether the illegal string patterns matched by the downgrader are the correct patterns for the environment in which the downgrader is or is to be deployed, i.e. whether the downgrader is compatible or incompatible with the deployment environment. Because downgrader code typically contains many conditional branches and loops that are difficult to track precisely, one cannot simply inspect the downgrader code to determine which illegal string patterns the downgrader matches. The illustrative embodiments therefore provide a mechanism for determining which illegal string patterns a downgrader matches without performing a thorough, complex, and error-prone analysis of the downgrader code itself.
The comparison described above is accomplished by computing a regular expression which (i) in the case of a sanitizer, serves as a safe approximation of the sanitizer's return values, or (ii) in the case of a validator, serves as a safe approximation of the set of strings the downgrader accepts. Then, using standard techniques for comparing regular expressions, the downgrader is classified according to its correctness specification. For example, if the downgrader is approximated by regular expression R, and R is a subset of the regular expression for DB2 but not of those for other database servers, then the downgrader is correct for environments that use DB2. The information about the deployment environment is then used to determine whether a compatibility problem exists, i.e. whether the deployment environment matches the environments for which the regular expression is valid; for example, if the regular expression is valid for DB2 and the deployment environment is DB2, there is no compatibility problem, but if the deployment environment is a different one, a compatibility problem exists.
Based on the above determination of compatibility or incompatibility, a notification indicating the compatibility or incompatibility may be sent to the computing device of an appropriate user. For example, the user who initiated the downgrader analysis may have the results of the analysis returned to them via their computing device. The analysis results included in the notification may contain not only an indication of whether the downgrader is compatible or incompatible, but may also include suitable modification suggestions and allow the user to refer to more information about the problem. Such modification suggestions and other information may be stored in a knowledge base (not shown) that is part of, or associated with, the application analysis mechanism 300 of the illustrative embodiments. For example, if the analysis performed by the illustrative embodiments determines that certain corner cases are not handled correctly, the knowledge base can be consulted for modification suggestions concerning those corner cases.
For example, consider the SQLi attack and the example set of illegal string patterns in the example above. Using the mechanisms of the illustrative embodiments, based on the environmental context specification 390 (i.e. the database server type), the mechanisms determine which string patterns the target downgrader should match, i.e. the set of illegal string patterns described above. The downgrader defect/incompatibility detection engine 370 performs string analysis to compute a safe approximation of the set of string patterns the target downgrader may return/accept. This safe approximation of the string pattern set is compared against the illegal string pattern set to determine which illegal string patterns are matched by the safe approximation. Then, the corresponding deployment environment associated with the matched illegal string pattern is compared with the deployment environment, or the environment in which deployment is intended (as defined by the environmental context specification 390), to determine whether the target downgrader is compatible with the environment identified in the environmental context specification 390.
For example, if the database server specified in the environmental context specification 390 is Microsoft SQL Server, and the first illegal string pattern, i.e. ".*('|\\x22|#|%|=|;|\\+|[cC][hH][aA][rR]\\s*\\(\\s*\\d+\\s*\\)).*", is matched rather than the second pattern, i.e. ".*('|\\x22|--|%|=|;|\\+|[cC][hH][aA][rR]\\s*\\(\\s*\\d+\\s*\\)).*", which is the correct illegal string pattern for a downgrader to match in a Microsoft SQL Server environment, then the downgrader defect/incompatibility detection engine 370 identifies an incompatibility problem indicating that the downgrader is operating under the assumption that a different type of database server is in use. The downgrader defect/incompatibility detection engine 370 may further determine a suggestion for correcting the identified incompatibility. This information, together with references to other sources of information for resolving the incompatibility problem, is sent in a notification to the appropriate user via one or more computing devices.
In addition to identifying incompatibility problems between a downgrader and the deployment environment in which it is deployed, the downgrader defect/incompatibility detection engine 370 can also assess the effectiveness of a downgrader, even where the downgrader has been determined to be compatible with its deployment environment and free of defects. The effectiveness check for a downgrader that is compatible with the deployment environment and free of defects may be performed together with, or separately from, the identification of downgrader incompatibility problems described above. That is, the identification of downgrader incompatibility problems need not be performed as a precursor to the downgrader effectiveness check.
The effectiveness of a downgrader can be determined by identifying the various strength levels of the illegal string patterns that the downgrader correctly matches in the deployment environment identified, for example, by the environmental context specification 390. The strength of an illegal string pattern may be a measure of how completely the downgrader operation is carried out with respect to that illegal string pattern, where a strong illegal string pattern may indicate a complete downgrader operation and a weak illegal pattern indicates a partially completed downgrader operation. Various levels of completeness, or strengths, may thus be defined and identified using the mechanisms of the illustrative embodiments.
For example, for each type of deployment environment and each type of downgrader, the legal/illegal string pattern database 380 may store a set of multiple illegal string patterns that may be matched by the downgrader, each illegal string pattern having an associated strength level. For example, assume that for a particular deployment environment, such as MS SQL Server, a SQLi downgrader for that deployment environment may match any of the following three illegal string patterns:
".*('|\\x22|#|%|=|;|\\+|[cC][hH][aA][rR]\\s*\\(\\s*\\d+\\s*\\)).*" // strong
".*('|\\x22|#|%|=|;|\\+).*" // weaker
".*(#|%|=|;|\\+).*" // weakest
The downgrader defect/incompatibility detection engine 370 can determine whether the target downgrader only outputs strings that meet the requirements of the first illegal string pattern. If so, the downgrader is compatible with the deployment environment and also achieves strong enforcement against SQLi attacks. If, however, the downgrader's output strings are consistent with the second illegal string pattern above but not with the first, i.e. the downgrader's output strings contain string patterns that are in the first illegal string pattern but not in the second, then it can be determined that the effectiveness of the downgrader is relatively weaker than it could be. After determining whether the target downgrader is defective or incompatible with the deployment environment, the downgrader defect/incompatibility detection engine 370 may, for example, return to the user, in the generated notification, an indication of the strength of the downgrader against the attacks from which it protects the back-end system. The downgrader defect/incompatibility detection engine 370 may also determine a recommended solution for the weakness detected in the protection provided by the downgrader. For example, if it is determined that the downgrader only matches the second illegal string pattern, the recommendation may be to modify the downgrader implementation to match the first illegal string pattern. Moreover, a downgrader can be strengthened by making it work correctly in more deployment environments; e.g., if the downgrader works correctly for only one deployment environment, the downgrader itself should be extended to support more deployment environments, e.g., more database server types.
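As an added example, not code from the patent, the following Python models the horizontal (compatibility) and vertical (corner case and strength) checks described above over the page's three SQLi illegal string patterns: constructed sanitizers are run over a constructed input corpus, the set of their outputs stands in for the safe approximation that the string analysis would compute statically, and that set is compared against the illegal patterns to derive the compatible environments and the strong/weaker/weakest rung. The environment-to-comment-syntax table, the sanitizers, and the corpus are assumptions constructed for this example.

```python
import re
from typing import Callable, Dict, Iterable, List, Set

# Illegal string patterns: the page's SQLi patterns, written as Python raw regexes.
QUOTES = ["'", r"\x22"]                                  # \x22 is the double quote
OPERATORS = ["%", "=", ";", r"\+"]
CHAR_CALL = [r"[cC][hH][aA][rR]\s*\(\s*\d+\s*\)"]        # case-insensitive char(<digits>)
COMMENT_ALTS = {"#": ["#"], "--": ["--"], "/* */": [r"/\*", r"\*/"]}


def illegal_pattern(alts: List[str]) -> re.Pattern:
    """Build the page's `.*( a | b | ... ).*` form. DOTALL lets `.` span newlines;
    without it an input containing '\\n' never full-matches and would be judged legal."""
    return re.compile(".*(" + "|".join(alts) + ").*", re.DOTALL)


# One illegal pattern per SQL comment syntax, as the page lists them.
ILLEGAL_BY_COMMENT: Dict[str, re.Pattern] = {
    name: illegal_pattern(QUOTES + alts + OPERATORS + CHAR_CALL)
    for name, alts in COMMENT_ALTS.items()
}

# Environment context (assumption): which comment syntax each deployment environment
# accepts, following the page's note that MySQL adds '#' while T-SQL/PL-SQL use '--', '/* */'.
ENV_COMMENT_SYNTAX: Dict[str, Set[str]] = {
    "MySQL": {"#", "--", "/* */"},
    "MS SQL Server (T-SQL)": {"--", "/* */"},
    "Oracle (PL/SQL)": {"--", "/* */"},
}

# Example downgraders (constructed for this example, not from the patent).
CORE_STRIP = r"['\x22%=;+]|[cC][hH][aA][rR]\s*\(\s*\d+\s*\)"


def make_sanitizer(strip_regex: str, iterate: bool = True) -> Callable[[str], str]:
    """Delete every match of strip_regex. With iterate=True the deletion is repeated
    until a fixpoint, so removing one token cannot re-create another (the corner case)."""
    pat = re.compile(strip_regex)

    def sanitize(s: str) -> str:
        while True:
            t = pat.sub("", s)
            if t == s or not iterate:
                return t
            s = t
    return sanitize


mysql_sanitizer = make_sanitizer(r"#|--|/\*|\*/|" + CORE_STRIP)
tsql_sanitizer = make_sanitizer(r"--|/\*|\*/|" + CORE_STRIP)             # never strips '#'
single_pass_sanitizer = make_sanitizer(r"#|--|/\*|\*/|" + CORE_STRIP, iterate=False)
no_char_sanitizer = make_sanitizer(r"#|--|/\*|\*/|['\x22%=;+]")         # leaves char(..) alone

# Constructed input corpus. The set of outputs over these inputs stands in for the
# safe approximation that the patent's string analysis would compute statically.
INPUT_CORPUS = [
    "alice",
    "1' OR '1'='1",
    '1" OR 1=1 #',
    "1; DROP TABLE users --",
    "1 /* hidden */ UNION SELECT 1",
    "char(65)+char(66)",
    "cha'r(65)",   # corner case: deleting the quote in one pass re-creates char(65)
]


def output_approximation(downgrader: Callable[[str], str], inputs: Iterable[str]) -> Set[str]:
    return {downgrader(s) for s in inputs}


def violated_patterns(outputs: Iterable[str]) -> Set[str]:
    """Illegal patterns that some approximated output still matches (not enforced)."""
    outs = list(outputs)
    return {name for name, pat in ILLEGAL_BY_COMMENT.items()
            if any(pat.fullmatch(o) for o in outs)}


def compatible_environments(outputs: Iterable[str]) -> Set[str]:
    """Horizontal axis: an environment is compatible when every comment-syntax
    pattern it requires is enforced by the downgrader."""
    bad = violated_patterns(outputs)
    return {env for env, needed in ENV_COMMENT_SYNTAX.items() if not (needed & bad)}


def strength(outputs: Iterable[str], env: str) -> str:
    """Vertical axis: the strongest rung of the page's strong/weaker/weakest ladder
    the downgrader satisfies for env (each rung is a strict subset of the one above)."""
    comment = [a for name in ENV_COMMENT_SYNTAX[env] for a in COMMENT_ALTS[name]]
    ladder = [("strong", QUOTES + comment + OPERATORS + CHAR_CALL),
              ("weaker", QUOTES + comment + OPERATORS),
              ("weakest", comment + OPERATORS)]
    outs = list(outputs)
    for name, alts in ladder:
        if not any(illegal_pattern(alts).fullmatch(o) for o in outs):
            return name
    return "none"


if __name__ == "__main__":
    for dg in (mysql_sanitizer, tsql_sanitizer, single_pass_sanitizer, no_char_sanitizer):
        outs = output_approximation(dg, INPUT_CORPUS)
        print(sorted(violated_patterns(outs)), sorted(compatible_environments(outs)),
              strength(outs, "MySQL"))
```

The T-SQL sanitizer is reported compatible only with the two environments that do not use `#`, while the single-pass sanitizer fails every pattern because `cha'r(65)` becomes `char(65)` after one deletion pass.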
Thus, the illustrative embodiments can determine whether a downgrader is defective or incompatible with the deployment environment in which it is or is to be deployed, and can also determine the strength of the protection provided by a downgrader that is compatible with the deployment environment, or even one that is not. These determinations can be made separately or together. For example, a downgrader may be incorrect for the deployment environment in more than one respect: a SQLi downgrader may be incompatible with the back-end database server and may also be determined to satisfy only a relatively weak illegal string pattern. The mechanisms of the illustrative embodiments can detect the incorrectness of a downgrader along two "axes", i.e. a compatibility axis and a strength axis.
Fig. 9 is a flowchart outlining an example operation for determining downgrader defects/incompatibilities according to one illustrative embodiment. The operation outlined in Fig. 9 may be implemented, for example, by the application analysis mechanism 300 in Fig. 3.
As shown in Fig. 9, the operation starts with receiving the application code (step 910) and identifying the downgrader code in the application code (step 920). These operations may be performed, for example, by the downgrader detection engine 330 in Fig. 3. The remaining operations may be performed, for example, by the downgrader defect/incompatibility detection engine 370 in Fig. 3. An environmental context specification is received/determined for the identified downgrader code (step 930). As described above, the environmental context specification may be user-defined or may be determined by examining the deployment environment in which the identified downgrader code is or is to be deployed.
Thereafter, for the next downgrader in the identified downgrader code, a safe approximation of the set of valid downgrader output string patterns for a set of one or more input strings is obtained (step 940). This set of valid downgrader output string patterns may be determined dynamically based on the particular input strings, or may be retrieved from a storage device/system that stores legal (valid) downgrader string patterns for the particular type of downgrader being evaluated. The illegal string pattern set for the particular downgrader being evaluated is also retrieved from the illegal string pattern storage device/system (step 950). The safe set of valid output string patterns, the illegal string pattern set, and the environmental context specification are compared (step 960). A determination is made regarding the compatibility of the downgrader with the deployment environment and the relative strength of the protection provided by the downgrader (step 970). Based on this determination, an appropriate notification is generated and output to the authorized user (step 980). Then, a determination is made as to whether there are more downgraders to be evaluated (step 990). If so, the operation returns to step 940; otherwise the operation terminates.
Thus, the illustrative embodiments provide mechanisms for identifying downgraders in application code and evaluating whether a downgrader is defective or incompatible with the deployment environment in which it is or is to be deployed. Moreover, the illustrative embodiments provide mechanisms for determining the relative strength of the protection provided by a downgrader. A notification containing these evaluation results can be generated, and this notification may optionally contain suggestions on how to make the downgrader compatible with the deployment environment and/or how to improve the strength of the protection provided by the downgrader. As a result, users are informed of downgrader incompatibilities and of how to correct them, so as to ensure the best implementation of the downgrader for its deployment environment.
As noted above, it should be appreciated that the illustrative embodiments may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining hardware and software elements. In one exemplary embodiment, the mechanisms of the illustrative embodiments are implemented in software or program code, including but not limited to firmware, resident software, microcode, and the like.
A data processing system suitable for storing and/or executing program code will include at least one processor coupled directly or indirectly to memory elements through a system bus. The memory elements can include local memory employed during actual execution of the program code, bulk storage, and cache memories, where the cache memories provide temporary storage of at least some program code in order to reduce the number of times code must be retrieved from bulk storage during execution.
Input/output or I/O devices (including but not limited to keyboards, displays, pointing devices, etc.) can be coupled to the system either directly or through intervening I/O controllers. Network adapters may also be coupled to the system to enable the data processing system to become coupled to other data processing systems or to remote printers or storage devices through intervening private or public networks. Modems, cable modems and Ethernet cards are just a few of the currently available types of network adapters.
The description of the present invention has been presented for purposes of illustration and description, and is not intended to be exhaustive or to limit the invention to the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art. The embodiment was chosen and described in order to best explain the principles of the invention and its practical application, and to enable others of ordinary skill in the art to understand the invention in its various embodiments with the various modifications that are suited to the particular use contemplated.

Claims (18)

1. A method for evaluating downgrader code in application code with regard to a target deployment environment, comprising:
identifying, by an application analysis mechanism, downgrader code associated with the application code, wherein the downgrader code is a portion of code associated with the application code that operates on an information flow of the application code to ensure the confidentiality, in the output of the downgrader code, of information input to the downgrader code;
generating, by the application analysis mechanism, based on an input string, an output string that the downgrader code outputs in response to receiving the input string;
retrieving, from a storage system, one or more sets of illegal string patterns, wherein each of the one or more sets of illegal string patterns is associated with a corresponding deployment environment, and wherein an illegal string pattern is a string pattern that a downgrader identifies in an information flow for security purposes;
determining, by the application analysis mechanism, based on the one or more sets of illegal string patterns and the output string, whether the downgrader code is compatible with the target deployment environment; and
generating, by the application analysis mechanism, an output indicating a result of the determination.
2. The method of claim 1, wherein determining whether the downgrader code is compatible with the target deployment environment comprises:
identifying the target deployment environment in which the downgrader code is, or will be, deployed; and
determining, based on the one or more sets of illegal string patterns, the output string and the identification of the target deployment environment, whether the downgrader code is compatible with the target deployment environment.
3. The method of claim 2, wherein identifying the target deployment environment comprises:
receiving a user specification of the target deployment environment.
4. The method of claim 2 or claim 3, wherein identifying the target deployment environment comprises:
automatically determining the target deployment environment based on an analysis of configuration information maintained by a data processing system.
5. The method of claim 1, 2 or 3, wherein determining whether the downgrader code is compatible with the target deployment environment comprises:
comparing the output string of the downgrader code with the one or more sets of illegal string patterns; and
identifying an illegal string pattern, associated with the one or more sets of illegal string patterns, that matches the output string of the downgrader code.
6. The method of claim 5, wherein determining whether the downgrader code is compatible with the target deployment environment comprises:
identifying the corresponding deployment environment associated with the illegal string pattern that matches the output string of the downgrader code; and
determining whether the corresponding deployment environment matches the target deployment environment, wherein, if the corresponding deployment environment matches the target deployment environment, the downgrader code is determined to be compatible with the target deployment environment, and wherein, if the corresponding deployment environment does not match the target deployment environment, the downgrader code is determined to be incompatible with the target deployment environment.
7. The method of claim 5, further comprising:
determining a strength of the illegal string pattern that matches the output string of the downgrader code;
determining whether a higher-strength illegal string pattern, associated with the one or more sets of illegal string patterns, exists for the target deployment environment; and
in response to determining that a higher-strength illegal string pattern exists, generating a suggestion as to how to improve the operation of the downgrader code so that the output string of the downgrader code will match the higher-strength illegal string pattern.
8. The method of claim 7, wherein the output comprises a notification sent to a user, and wherein the notification identifies whether the downgrader code is compatible with the target deployment environment and further identifies the suggestion.
9. The method of claim 1, 2 or 3, further comprising:
storing a plurality of illegal string patterns, wherein each set of illegal string patterns associated with the plurality of illegal string patterns is associated with a type of downgrader code, and wherein retrieving the one or more sets of illegal string patterns is performed based on the type of the downgrader code identified in the application code.
10. An apparatus for evaluating downgrader code in application code with regard to a target deployment environment, comprising:
means for identifying, by an application analysis mechanism, downgrader code associated with the application code, wherein the downgrader code is a portion of code associated with the application code that operates on an information flow of the application code to ensure the confidentiality, in the output of the downgrader code, of information input to the downgrader code;
means for generating, by the application analysis mechanism, based on an input string, an output string that the downgrader code is operable to output in response to receiving the input string;
means for retrieving, from a storage system, one or more sets of illegal string patterns, wherein each of the one or more sets of illegal string patterns is associated with a corresponding deployment environment, and wherein an illegal string pattern is a string pattern that a downgrader is operable to identify in an information flow for security purposes;
means for determining, by the application analysis mechanism, based on the one or more sets of illegal string patterns and the output string, whether the downgrader code is compatible with the target deployment environment; and
means for generating, by the application analysis mechanism, an output indicating a result of the determination.
11. The apparatus of claim 10, wherein the means for determining whether the downgrader code is compatible with the target deployment environment further comprises:
means for identifying the target deployment environment in which the downgrader code is, or will be, deployed; and
means for determining, based on the one or more sets of illegal string patterns, the output string and the identification of the target deployment environment, whether the downgrader code is compatible with the target deployment environment.
12. The apparatus of claim 11, wherein the means for identifying the target deployment environment further comprises:
means for receiving a user specification of the target deployment environment.
13. The apparatus of claim 11 or claim 12, wherein the means for identifying the target deployment environment further comprises:
means for automatically determining the target deployment environment based on an analysis of configuration information maintained by a data processing system.
14. The apparatus of claim 10, 11 or 12, wherein the means for determining whether the downgrader code is compatible with the target deployment environment further comprises:
means for comparing the output string of the downgrader code with the one or more sets of illegal string patterns; and
means for identifying an illegal string pattern, associated with the one or more sets of illegal string patterns, that matches the output string of the downgrader code.
15. The apparatus of claim 14, wherein the means for determining whether the downgrader code is compatible with the target deployment environment comprises:
means for identifying the corresponding deployment environment associated with the illegal string pattern that matches the output string of the downgrader code;
means for determining whether the corresponding deployment environment matches the target deployment environment;
means for determining, in response to the corresponding deployment environment matching the target deployment environment, that the downgrader code is compatible with the target deployment environment; and
means for determining, in response to the corresponding deployment environment not matching the target deployment environment, that the downgrader code is incompatible with the target deployment environment.
16. The apparatus of claim 14, further comprising:
means for determining a strength of the illegal string pattern that matches the output string of the downgrader code;
means for determining whether a higher-strength illegal string pattern, associated with the one or more sets of illegal string patterns, exists for the target deployment environment; and
means for generating, in response to determining that a higher-strength illegal string pattern exists, a suggestion as to how to improve the operation of the downgrader code so that the output string of the downgrader code will match the higher-strength illegal string pattern.
17. The apparatus of claim 16, wherein the output comprises a notification sent to a user, and wherein the notification is operable to identify whether the downgrader code is compatible with the target deployment environment and is operable to identify the suggestion.
18. The apparatus of claim 10, 11 or 12, further comprising:
means for storing a plurality of illegal string patterns, wherein each set of illegal string patterns associated with the plurality of illegal string patterns is associated with a type of downgrader code; and
means for retrieving the one or more sets of illegal string patterns based on the type of the downgrader code identified in the application code.
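The evaluation loop of steps 940 to 990 in the description above, and the compare/match/strength steps of claims 1, 5, 6 and 7, as an added worked example in Python. This is not code from the patent or from IBM; the three downgraders, the probe inputs and the per-environment sets of illegal string patterns are constructed for illustration. It departs from the patent in one respect: the patent obtains a safe (over-)approximation of the downgrader's output string patterns by string analysis, whereas this example simply executes each downgrader on a finite probe set, so an absence of matches is evidence rather than proof. It also fixes one reading of the compatibility rule: a downgrader is treated as compatible with an environment when none of its outputs match that environment's illegal patterns, and its relative strength is modelled as the number of environments it protects in that sense (the page does not define the strength metric).

```python
import html
import re
from dataclasses import dataclass

# Per-environment sets of illegal string patterns (constructed for this example; the patent
# does not list concrete patterns). An output that still matches one of these in the target
# environment means the downgrader did not neutralize it.
ILLEGAL_PATTERNS = {
    "html_body": [
        r"<\s*script\b",               # script element
        r"<\s*\w+[^>]*\bon\w+\s*=",    # inline event-handler attribute
        r"<\s*iframe\b",
    ],
    "js_string": [
        r"</\s*script",                # terminates the enclosing <script> block
        r"(?<!\\)['\"]",               # unescaped quote ends the string literal
    ],
    "url_attr": [
        r"^\s*(?:javascript|data|vbscript)\s*:",   # dangerous URL schemes
    ],
}

# Probe inputs (constructed). Running a downgrader on them gives a finite sample of its
# output language, not the safe over-approximation the patent computes by string analysis.
PROBES = [
    "<script>alert(1)</script>",
    "<img src=x onerror=alert(1)>",
    "<script src=//evil.example",            # unterminated tag
    "</script><script>alert(1)</script>",
    "'; alert(1); //",
    "javascript:alert(1)",
    "plain text, nothing to see",
]


def html_escape_downgrader(s: str) -> str:
    """Entity-encode angle brackets, ampersand and both quote characters (HTML-body sanitizer)."""
    return html.escape(s, quote=True)


def js_string_escape_downgrader(s: str) -> str:
    """Backslash-escape quotes, backslashes, slashes and newlines for a JS string literal."""
    return (s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
             .replace("/", "\\/").replace("\n", "\\n"))


def strip_tags_downgrader(s: str) -> str:
    """Deliberately weak sanitizer: removes only well-formed <...> tags."""
    return re.sub(r"<[^>]*>", "", s)


DOWNGRADERS = {
    "html_escape": html_escape_downgrader,
    "js_string_escape": js_string_escape_downgrader,
    "strip_tags": strip_tags_downgrader,
}


@dataclass
class Report:
    downgrader: str
    target_env: str
    compatible: bool
    protected_envs: list    # environments whose illegal patterns never appear in the outputs
    strength: int           # relative strength, modelled as len(protected_envs)
    leaks: list             # (pattern, probe, output) triples for the target environment
    suggestion: str


def matching_patterns(output: str, patterns) -> list:
    return [p for p in patterns if re.search(p, output, re.IGNORECASE)]


def evaluate_downgrader(name, downgrader, target_env, probes=PROBES, illegal=ILLEGAL_PATTERNS) -> Report:
    # Step 940: obtain the downgrader's output strings for the input set.
    outputs = [(probe, downgrader(probe)) for probe in probes]
    # Steps 950-960: retrieve the illegal pattern sets and compare them against the outputs.
    leaks_by_env = {
        env: [(p, probe, out) for probe, out in outputs for p in matching_patterns(out, patterns)]
        for env, patterns in illegal.items()
    }
    # Step 970: compatibility with the target environment and relative strength.
    protected = sorted(env for env, leaks in leaks_by_env.items() if not leaks)
    compatible = target_env in protected
    suggestion = ""
    if not compatible:
        pattern, probe, out = leaks_by_env[target_env][0]
        suggestion = (f"{name} is not a {target_env} downgrader: input {probe!r} yields {out!r}, "
                      f"which still matches {pattern!r}")
        if protected:
            suggestion += f"; it does neutralize the patterns of {protected}"
    return Report(name, target_env, compatible, protected, len(protected),
                  leaks_by_env[target_env], suggestion)


def evaluate_all(target_env: str, downgraders=None) -> dict:
    # Steps 980-990: report on every identified downgrader, then stop.
    downgraders = DOWNGRADERS if downgraders is None else downgraders
    return {name: evaluate_downgrader(name, fn, target_env) for name, fn in downgraders.items()}


if __name__ == "__main__":
    for report in evaluate_all("html_body").values():
        verdict = "compatible" if report.compatible else "INCOMPATIBLE"
        print(f"{report.downgrader:18} {verdict:12} strength={report.strength} {report.suggestion}")
```

With the target environment set to html_body, the entity-encoding downgrader is reported compatible, the JavaScript string escaper is reported incompatible (its output still contains a literal script element), and strip_tags is reported incompatible because the unterminated `<script src=//evil.example` probe passes through untouched; the suggestion names the offending input and pattern, which is the information a developer needs to correct the downgrader for its deployment environment.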
Patent family: CN201280047485.9A (priority date 2011-09-29, filing date 2012-07-27), granted as CN103842963B (en), "Method and apparatus for evaluating downgrader code in application code", status Active.

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US13/248,724 US8769696B2 (en) 2011-09-29 2011-09-29 Automated detection of flaws and incompatibility problems in information flow downgraders
US13/248,724 2011-09-29
PCT/IB2012/053856 WO2013046070A1 (en) 2011-09-29 2012-07-27 Automated detection of flaws and incompatibility problems in information flow downgraders

Publications (2)

Publication Number Publication Date
CN103842963A CN103842963A (en) 2014-06-04
CN103842963B true CN103842963B (en) 2016-11-30


Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0510241A2 (en) * 1991-04-22 1992-10-28 Acer Incorporated Upgradeable/downgradeable computer


Legal Events

Code  Title
PB01  Publication
SE01  Entry into force of request for substantive examination
GR01  Patent grant