CN112269984B - Automatic code audit platform system for guaranteeing source code safety - Google Patents


Info

Publication number: CN112269984B
Authority: CN (China)
Prior art keywords: code, module, audited, risk, server
Legal status: Active
Application number: CN202011006575.6A
Other languages: Chinese (zh)
Other versions: CN112269984A (en)
Inventors: 张莉, 王照伟
Current assignee: Jiangsu Santaishan Data Application Research Institute Co ltd
Original assignee: Jiangsu Santaishan Data Application Research Institute Co ltd
Priority date: 2020-09-23
Filing date: 2020-09-23
Publication dates: 2021-01-26 (CN112269984A), 2023-07-11 (CN112269984B)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

The invention discloses an automatic code audit platform system for guaranteeing source code safety, which comprises an access switch, a test client connected with the access switch, a service deployment server for deploying the code to be audited, a risk matching feature library for calculating the risk of the code to be audited, a service sandbox server for testing in an isolated environment, an audit rule matching library for storing audit rules, and a solution matching library for providing solutions. The automatic code audit platform system for guaranteeing source code safety can improve system security and reduce the probability of false alarms and missed vulnerabilities.

Description

Automatic code audit platform system for guaranteeing source code safety
Technical Field
The invention relates to the field of computer security, in particular to an automatic code audit platform system for guaranteeing source code security.
Background
Software vulnerabilities are the source of most security problems in today's information systems. A software vulnerability is a flaw in software that can be exploited by a third party or a program to gain unauthorized access to resources, or to change control authority in order to perform other operations. Software vulnerabilities cause corresponding economic or property losses and can lead to serious disasters, so detecting and analyzing source code from the perspective of source code audit protects the security of the software and the information system at the root and avoids the security threat of backdoors in the code. Some automatic code audit tools are available on the market for enterprises or individuals, but the extensibility of these tools is poor, and their scan results contain false alarms and missed vulnerabilities.
Disclosure of Invention
The invention aims to provide an automatic code audit platform system for guaranteeing source code safety aiming at the defects of the prior art.
The technical scheme for solving the problems is as follows: an automatic code audit platform system for guaranteeing source code safety comprises an access switch, a test client connected with the access switch, a service deployment server for deploying code to be audited, a risk matching feature library for calculating risk of the code to be audited, a service sandbox server for testing under an isolation environment, an audit rule matching library for audit rule storage, and a solution matching library for providing a solution.
The service deployment server, the risk matching feature library, the service sandbox server, the audit rule matching library and the solution matching library are all connected with the access switch.
Preferably, the service deployment server comprises a language identification module for identifying the language of the code to be audited, a version detection module for identifying the version of the code to be audited, an entry selection module for determining the entry of the variable in the code to be audited, a variable tracking module for tracking the variable in the code to be audited, and a structure detection module for determining the structure of the code to be audited.
Preferably, the risk matching feature library comprises a risk coefficient evaluation module for evaluating risk coefficients of the code to be audited.
Preferably, the service sandbox server comprises a sandbox attack module for attacking the code to be audited, and a permission judgment module for evaluating the override risk coefficient of the code to be audited.
Preferably, the audit rule matching library comprises an audit rule management module for storing audit rules.
Preferably, the solution matching library includes a solution matching module that provides solutions for vulnerabilities in the code under review.
An automatic code audit platform system for guaranteeing source code safety, comprising an access switch, operates through the following working steps:
S1: Deploy the code to be audited in the service deployment server.
S2: The language identification module and the version detection module in the service deployment server match characteristics such as the code language and language version against the characteristics of the code to be audited.
S3: The structure detection module in the service deployment server explores the code structure according to the service type; the code structure comprises file affiliations or function definitions and call relationships.
S4: The service deployment server feeds the exploration result back to the test client.
S5: The auditor writes audit rules according to the result and uploads them to the audit rule management module in the audit rule matching library, where they wait to be called.
S6: The entry selection module in the service deployment server selects a data-stream entry of the code to be audited and acquires the operation instructions of the code to be audited.
S7: If an operation instruction contains a dangerous operation, the operation instruction is transferred to the service sandbox server, and the variable tracking module in the service deployment server tracks the data flow.
S8: If the operation instruction contains no dangerous operation, the variable tracking module in the service deployment server tracks the data flow.
S9: The risk matching feature library judges the possible vulnerabilities of the code to be audited according to the data flow and carries out quantitative analysis according to the vulnerability weights to obtain the first-part risk coefficient of the code to be audited.
S10: The sandbox attack module in the service sandbox server attacks the system under audit using common network attack tools and quantitatively analyzes the attack result to obtain the second-part risk coefficient of the code to be audited.
S11: The permission judgment module in the service sandbox server integrates the existing override (unauthorized-access) risk coefficients of the code, analyzes and judges them, and quantitatively analyzes the result to obtain the third-part risk coefficient of the code to be audited.
S12: The risk coefficient evaluation module in the risk matching feature library integrates the first-, second- and third-part risk coefficients of the code to be audited to obtain the final code audit result.
S13: According to the vulnerabilities in the code to be audited, the solution matching module matches existing solutions in the solution matching library and feeds the results back to the test client.
The beneficial effects of the invention are as follows:
the invention provides an automatic code audit platform system for guaranteeing source code safety which, by carrying out a code security audit of a system, solves the problem that traditional penetration testing cannot comprehensively discover the vulnerabilities of the system; it realizes comprehensive and in-depth analysis of the system's security problems, discovers vulnerabilities in time and prevents them in advance. Discovered problems are fed back to the developer in a timely manner together with correction suggestions, so that the overall vulnerability of the system in use is greatly reduced and its overall security is markedly improved.
Drawings
FIG. 1 is a system diagram of the present invention;
FIG. 2 is a block diagram of the present invention;
FIG. 3 is a flow chart of the present invention;
Reference numerals in the figures: 1 access switch; 2 test client; 3 service deployment server; 31 language identification module; 32 version detection module; 33 variable tracking module; 34 entry selection module; 35 structure detection module; 4 risk matching feature library; 41 risk coefficient evaluation module; 5 service sandbox server; 51 permission judgment module; 52 sandbox attack module; 6 audit rule matching library; 61 audit rule management module; 7 solution matching library; 71 solution matching module.
Detailed Description
In the description of the present invention, it should be noted that, unless explicitly specified and limited otherwise, the terms "mounted," "connected," and "connected" are to be construed broadly, and may be either fixedly connected, detachably connected, or integrally connected, for example; can be mechanically or electrically connected; can be directly connected or indirectly connected through an intermediate medium, and can be communication between two elements. The specific meaning of the above terms in the present invention can be understood by those of ordinary skill in the art in a specific case.
As shown in fig. 1, an automated code audit platform system for guaranteeing source code security includes an access switch 1, a test client 2 connected with the access switch 1, a service deployment server 3 for deploying a code to be audited, a risk matching feature library 4 for calculating risk of the code to be audited, a service sandbox server 5 for testing in an isolated environment, an audit rule matching library 6 for audit rule storage, and a solution matching library 7 for providing solutions.
The service deployment server 3, the risk matching feature library 4, the service sandbox server 5, the audit rule matching library 6 and the solution matching library 7 are all connected with the access switch 1.
As shown in fig. 2, the service deployment server 3 includes a language identification module 31 for identifying a language of the code to be audited, a version detection module 32 for identifying a version of the code to be audited, an entry selection module 34 for determining a variable entry in the code to be audited, a variable tracking module 33 for tracking a variable in the code to be audited, and a structure detection module 35 for determining a structure of the code to be audited.
As shown in fig. 2, the risk matching feature library 4 includes a risk coefficient evaluation module 41 for evaluating risk coefficients of the code to be audited.
The service sandbox server 5 comprises a sandbox attack module 52 for attacking the code to be audited, and a permission judgment module 51 for evaluating the override risk coefficient of the code to be audited.
As shown in fig. 2, the audit rule matching library 6 includes an audit rule management module 61 that stores audit rules.
The solution matching library 7 includes a solution matching module 71 that provides solutions for vulnerabilities in the code under review.
An automatic code audit platform system for guaranteeing source code safety, comprising an access switch 1, operates through the following working steps:
S1: The code to be audited is deployed in the service deployment server 3.
S2: The language identification module 31 and the version detection module 32 in the service deployment server 3 match characteristics such as the code language and language version against the characteristics of the code to be audited, for example C++, C#, Java, JavaScript, Python 2, Python 3, etc.
S3: The structure detection module 35 in the service deployment server 3 explores the code structure according to the service category, including file affiliations or function definitions and call relationships.
S4: The service deployment server 3 feeds the exploration result back to the test client 2.
S5: The auditor writes audit rules according to the result and uploads them to the audit rule management module 61 in the audit rule matching library 6, where they wait to be called.
S6: The entry selection module 34 in the service deployment server 3 selects a data-stream entry of the code to be audited and acquires the operation instructions of the code to be audited.
S7: If an operation instruction contains a dangerous operation, the operation instruction is transferred to the service sandbox server 5, and the variable tracking module 33 in the service deployment server 3 tracks the data flow.
S8: If the operation instruction contains no dangerous operation, the variable tracking module 33 in the service deployment server 3 tracks the data flow.
S9: The risk matching feature library 4 judges the possible vulnerabilities of the code to be audited according to the data flow and carries out quantitative analysis according to the vulnerability weights to obtain the first-part risk coefficient of the code to be audited.
S10: The sandbox attack module 52 in the service sandbox server 5 uses common network attack tools, including DDoS attacks, replay attacks, SQL injection and XSS cross-site scripting attacks, against the system under audit, and quantitatively analyzes the attack result to obtain the second-part risk coefficient of the code to be audited.
S11: The permission judgment module 51 in the service sandbox server 5 integrates the existing override (unauthorized-access) risk coefficients of the code, analyzes and judges them, and quantitatively analyzes the result to obtain the third-part risk coefficient of the code to be audited.
S12: The risk coefficient evaluation module 41 in the risk matching feature library 4 integrates the first-, second- and third-part risk coefficients of the code to be audited to obtain the final code audit result.
S13: According to the vulnerabilities in the code to be audited, the solution matching module 71 matches existing solutions in the solution matching library 7 and feeds the results back to the test client 2.
The present invention is not limited to the above-mentioned embodiments, and any equivalent embodiments which can be changed or modified by the technical content disclosed above can be applied to other fields, but any simple modification, equivalent changes and modification made to the above-mentioned embodiments according to the technical substance of the present invention without departing from the technical content of the present invention still belong to the protection scope of the technical solution of the present invention.

Claims (1)

1. An automated code audit platform system for guaranteeing source code security is characterized in that: the system comprises an access switch (1), a test client (2) connected with the access switch (1), a service deployment server (3) for deploying codes to be audited, a risk matching feature library (4) for calculating risks of the codes to be audited, a service sandbox server (5) for testing in an isolated environment, an audit rule matching library (6) for auditing rule storage, and a solution matching library (7) for providing solutions; the business deployment server (3), the risk matching feature library (4), the business sandbox server (5), the audit rule matching library (6) and the solution matching library (7) are all connected with the access switch (1);
the business deployment server (3) comprises a language identification module (31) for identifying the language of the code to be audited, a version detection module (32) for identifying the version of the code to be audited, an entry selection module (34) for determining the entry of a variable in the code to be audited, a variable tracking module (33) for tracking the variable in the code to be audited, and a structure detection module (35) for determining the structure of the code to be audited;
the risk matching feature library (4) comprises a risk coefficient evaluation module (41) for evaluating risk coefficients of codes to be audited;
the business sandbox server (5) comprises a sandbox attack module (52) for attacking the code to be audited, and a permission judging module (51) for evaluating the override risk coefficient of the code to be audited;
the audit rule matching library (6) comprises an audit rule management module (61) for storing audit rules;
the solution matching library (7) comprises a solution matching module (71) that provides solutions for vulnerabilities in the code under review;
the method comprises the following working steps:
s1: deploying the code to be checked in a service deployment server (3);
s2: a language identification module (31) and a version detection module (32) in the service deployment server (3) are matched with code language and language version characteristics according to the code characteristics to be checked;
s3: a structure detection module (35) in the service deployment server (3) explores a code structure according to service types, wherein the code structure comprises file affiliations or function definitions and calling relations;
s4: the service deployment server (3) feeds back the exploration result to the test client (2);
s5: the auditor writes audit rules according to the results and uploads the audit rules to an audit rule management module (61) in an audit rule matching library (6) to wait for calling;
s6: an entry selection module (34) in the service deployment server (3) selects a data stream inlet of the code to be checked and acquires an operation instruction of the code to be checked;
s7: if the operation instruction has dangerous operation, transferring the operation instruction to a service sandbox server (5), and tracking a data stream by a variable tracking module (33) in a service deployment server (3);
s8: if the operation instruction does not have dangerous operation, a variable tracking module (33) in the service deployment server (3) tracks the data flow;
s9: the risk matching feature library (4) judges the possible vulnerabilities of the code to be checked according to the data flow and carries out quantitative analysis according to the vulnerability weight to obtain the first-part risk coefficient of the code to be checked;
s10: a sandbox attack module (52) in the service sandbox server (5) attacks the code system to be audited by using a common network attack tool, and quantitatively analyzes according to an attack result to obtain a risk coefficient of a second part of code to be audited;
s11: the authority judging module (51) in the business sandbox server (5) performs an integration action aiming at the existing code override risk coefficient, performs analysis and judgment, and performs quantitative analysis according to an analysis result to obtain a risk coefficient of a third part of code to be checked;
s12: the risk coefficient evaluation module (41) in the risk matching feature library (4) integrates risk coefficients of the auditing codes of the first part, the second part and the third part to obtain a final code auditing result;
s13: according to loopholes existing in the code to be checked, the solution matching module (71) matches existing solutions in the solution matching library (7) and feeds the existing solutions back to the test client (2) along with the results.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011006575.6A CN112269984B (en) 2020-09-23 2020-09-23 Automatic code audit platform system for guaranteeing source code safety

Publications (2)

Publication Number Publication Date
CN112269984A CN112269984A (en) 2021-01-26
CN112269984B true CN112269984B (en) 2023-07-11

Family

ID=74348893

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102682229A (en) * 2011-03-11 2012-09-19 北京市国路安信息技术有限公司 Malicious code behavior detection method based on virtualization technology
CN104462988A (en) * 2014-12-16 2015-03-25 国家电网公司 Walk-through test technique based information security audit implementation method and system
CN104537309A (en) * 2015-01-23 2015-04-22 北京奇虎科技有限公司 Application program bug detection method, application program bug detection device and server
CN104537308A (en) * 2015-01-23 2015-04-22 北京奇虎科技有限公司 System and method for providing application security auditing function
CN110968868A (en) * 2019-11-20 2020-04-07 北京国舜科技股份有限公司 Application security audit method and device, electronic equipment and storage medium
CN111008376A (en) * 2019-12-09 2020-04-14 国网山东省电力公司电力科学研究院 Mobile application source code safety audit system based on code dynamic analysis
CN111031003A (en) * 2019-11-21 2020-04-17 中国电子科技集团公司第三十研究所 Intelligent evaluation system of cross-network isolation safety system
CN111666218A (en) * 2020-06-08 2020-09-15 北京字节跳动网络技术有限公司 Code auditing method and device, electronic equipment and medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9268944B2 (en) * 2014-02-10 2016-02-23 Wipro Limited System and method for sampling based source code security audit

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Design of an automatic security monitoring system for malicious code intrusion in local area networks; 李建; Journal of Jilin University (Information Science Edition); Vol. 37, No. 5; pp. 559-565 *
A survey of source code auditing; 向灵孜; Secrecy Science and Technology, No. 12; pp. 36-41 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant