CN115587351A - Method, device and storage medium for password security detection in static code scanning - Google Patents

Info

Publication number: CN115587351A
Authority: CN (China)
Prior art keywords: password, variable, library, name, constant
Legal status: Pending (status as assumed by Google Patents, not a legal conclusion)
Application number: CN202110762607.3A
Other languages: Chinese (zh)
Inventors: 肖芫莹, 游耀东, 闵婕
Current assignee: China Telecom Corp Ltd
Original assignee: China Telecom Corp Ltd
Priority date / filing date: 2021-07-06
Publication date: 2023-01-10

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems

Abstract

The present disclosure relates to a method, apparatus, and storage medium for password security detection in static code scanning. A method of password security detection in static code scanning may include, for example: performing semantic analysis on the source code to obtain the constants and variables in the source code and in its corresponding configuration files; determining whether an obtained constant is used as a password; and determining whether an obtained variable is a parameter or a method related to a password by matching it against a password variable/method library.

Description

Method, device and storage medium for password security detection in static code scanning
Technical Field
The present disclosure relates generally to the field of computer security, and more particularly to a method, apparatus, and storage medium for password security detection in static code scanning.
Background
A hard-coded password in source code, that is, a plaintext password used directly in the code, is a latent security risk. Anyone with access to the code can obtain the password. Once the program is released, an attacker who can obtain the application's bytecode can recover the password directly from the disassembled code.
Static code scanning can find unsafe password settings in the code conveniently by scanning the source code, thereby improving code security.
In the prior art, password security detection in current static code scanning only inspects specific variables, so findings are missed and the information reported is not detailed enough.
For example, FIG. 1 illustrates a prior art method of statically detecting password security. That method only matches the value of a variable named password appearing in the code; that is, it decides whether a hard-coded password exists by checking whether the variable is named password. Detecting such a password variable is simple, as in the following example.
public String bad() {
    String password = "password"; // hard-coded plaintext password literal: the only pattern the prior art matches
    return password;
}
Therefore, there is a need in the art for an improved technique for discovering password security problems in source code caused by hard-coded passwords, so that such problems can be solved at the source code stage.
Disclosure of Invention
The following presents a simplified summary of the disclosure in order to provide a basic understanding of some aspects of the disclosure. However, it should be understood that this summary is not an exhaustive overview of the disclosure. It is not intended to identify key or critical elements of the disclosure or to delineate the scope of the disclosure. Its sole purpose is to present some concepts of the disclosure in a simplified form as a prelude to the more detailed description that is presented later.
A hard-coded password in source code, that is, a plaintext password used directly in the code, is a latent security risk. Anyone with access to the code can obtain the password. Once the program is released, an attacker who can obtain the application's bytecode can recover the password directly from the disassembled code.
Static code scanning can find unsafe password-setting behaviour in the code conveniently by scanning the source code, thereby improving code security.
The invention addresses the problems of current static code scanning, in which password security detection inspects only specific variables, so findings are missed and the information reported is not detailed enough. It discovers password security problems caused by hard-coded passwords in source code, so that such problems can be solved at the source code stage.
According to one aspect of the present disclosure, there is provided a method for password security detection in static code scanning, comprising: performing semantic analysis on the source code to obtain the constant and the variable in the source code and the corresponding configuration file; determining whether the obtained constant is used as a password; and determining whether the obtained variable is a parameter or a method related to the password by matching with the password variable/method library.
According to another aspect of the present disclosure, there is provided an apparatus for password security detection in static code scanning, comprising: a memory having instructions stored thereon; and a processor configured to execute the instructions stored on the memory to perform a method according to the above aspect of the disclosure.
According to yet another aspect of the present disclosure, there is provided a computer-readable storage medium comprising computer-executable instructions that, when executed by one or more processors, cause the one or more processors to perform a method according to the above-mentioned aspect of the present disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description, serve to explain the principles of the disclosure.
The present disclosure may be more clearly understood from the following detailed description with reference to the accompanying drawings, in which:
fig. 1 illustrates a prior art method of statically detecting cryptographic security.
FIG. 2 shows a data flow diagram of a process for password security detection in static code scanning in accordance with an embodiment of the present disclosure.
FIG. 3 shows a flow diagram of a process for password security detection in static code scanning, in accordance with an embodiment of the present disclosure.
FIG. 4 illustrates an exemplary configuration of a computing device in which embodiments in accordance with the present disclosure may be implemented.
Detailed Description
The following detailed description is made with reference to the accompanying drawings and is provided to assist in a comprehensive understanding of various exemplary embodiments of the disclosure. The following description includes various details to aid understanding, but these details are to be regarded as examples only and are not intended to limit the disclosure, which is defined by the appended claims and their equivalents. The words and phrases used in the following description are used only to provide a clear and consistent understanding of the disclosure. In addition, descriptions of well-known structures, functions, and configurations may be omitted for clarity and conciseness. Those of ordinary skill in the art will recognize that various changes and modifications of the examples described herein can be made without departing from the spirit and scope of the disclosure.
The inventors realized that, by combining with the syntax analysis of static code detection, the variables in the source code and in the corresponding configuration files can be obtained and matched against a password variable/method library to judge whether a variable or method is password-related. The matching uses the KMP (Knuth-Morris-Pratt) algorithm, which reuses the information gained from a failed partial match to reduce the number of comparisons between the pattern string and the main string as much as possible, achieving fast matching. The data flow analysis result is then used to detect whether the value flowing into the password is a constant or comes from a variable, whether the variable's source is compliant, and whether encryption is performed, so as to ensure that no plaintext password is present in the source code.
The inventors propose an improved method comprising: establishing a password variable library/method library, so that not only unsafe password variables are detected but also the password-related methods that may be used through API interfaces; and combining the result of data flow analysis to judge whether the value is a constant, so that password security problems in the source code are analyzed comprehensively.
FIG. 2 shows a data flow diagram of a process 200 for password security detection in static code scanning in accordance with an embodiment of the present disclosure.
Process 200 begins at step 210. At step 210, semantic analysis is performed on the source code to obtain constants and variables in the source code and corresponding configuration files.
Any method may be used to implement the semantic analysis of the source code. Step 210 is typically implemented by source code preprocessing, syntax parsing, and data flow analysis.
Then, the variables in the source code and in the corresponding configuration files are obtained by combining with the syntax analysis of static code detection, and matched against the password variable/method library to judge whether a variable or method is password-related. The matching algorithm is the KMP algorithm, which uses the information obtained after a failed match to reduce the number of comparisons between the pattern string and the main string as much as possible, so as to achieve fast matching.
Combined with the data flow analysis result, it is then detected whether the value is a constant or comes from a variable, whether the variable's source is compliant, and whether encryption is performed, ensuring that no plaintext password is present in the source code.
At step 220, it is determined whether the obtained constant is used as a password.
For example, if a constant is used in conjunction with the keyword "password" or a variant thereof, the constant is determined to be used as a password. Variants of the keyword may include "Password", "PW", "PWD", and the like.
At step 230, a determination is made as to whether the variable obtained is a parameter or method associated with the password by matching against a library of password variables/methods.
If there is a match with the password variable/method library, it is determined whether the obtained variable is a method name and whether the method corresponding to that name includes a "password" variable; if both hold, the variable is determined to be password-related, and the language type, prefix and method name of the variable and the parameters of the corresponding method are stored in association in the password variable/method library.
If there is no match with the password variable/method library, it is determined whether the obtained variable includes a "password" variable; if so, the obtained variable is stored in the password variable/method library.
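As an added example (not code from the patent or from China Telecom), the following Python prototype implements steps 210 to 230 on a constructed Java snippet: String constants and method calls are extracted with regular expressions standing in for a real semantic analysis, every identifier is matched against a hypothetical seed password variable/method library with a Knuth-Morris-Pratt matcher, and a minimal def-use map resolves whether the value reaching a password method is a constant or comes from a variable such as an environment read. The library entries, regexes, finding kinds and sample source are all assumptions of this example.

```python
"""Added example: hard-coded password detection (steps 210 to 230).

Not the patent's implementation. The seed library, regexes, finding kinds
and sample Java source below are assumptions constructed for this example.
"""
import re

# Hypothetical seed library: password name variants and password-related
# method names, as the text describes ("password", "PW", "PWD", setPassword).
PASSWORD_LIBRARY = ["password", "passwd", "pwd", "pw", "secret", "setpassword"]

# Regex stand-ins for semantic analysis of Java-like source (assumption):
# a String variable initialised from a string literal, and a method call
# whose single argument is either an identifier or a string literal.
ASSIGN_RE = re.compile(r'\bString\s+(\w+)\s*=\s*"([^"]*)"\s*;')
CALL_RE = re.compile(r'\.(\w+)\s*\(\s*(\w+|"[^"]*")\s*\)')


def kmp_failure(pattern):
    """Partial-match (failure) table: fail[i] is the length of the longest
    proper prefix of pattern[:i+1] that is also a suffix of it."""
    fail = [0] * len(pattern)
    k = 0
    for i in range(1, len(pattern)):
        while k > 0 and pattern[i] != pattern[k]:
            k = fail[k - 1]  # reuse the information from the failed partial match
        if pattern[i] == pattern[k]:
            k += 1
        fail[i] = k
    return fail


def kmp_find(text, pattern):
    """Index of the first occurrence of pattern in text, or -1. After a
    mismatch the text is never re-read; only the pattern is realigned."""
    if not pattern:
        return 0
    fail = kmp_failure(pattern)
    k = 0
    for i, ch in enumerate(text):
        while k > 0 and ch != pattern[k]:
            k = fail[k - 1]
        if ch == pattern[k]:
            k += 1
        if k == len(pattern):
            return i - k + 1
    return -1


def library_match(identifier, library=PASSWORD_LIBRARY):
    """Library entry found inside the identifier (case-insensitive, longest
    entry first so "setpassword" wins over "pw"), or None."""
    name = identifier.lower()
    for entry in sorted(library, key=len, reverse=True):
        if kmp_find(name, entry) != -1:
            return entry
    return None


def scan_java(source, library=PASSWORD_LIBRARY):
    """Scan one Java snippet line by line and return a list of findings."""
    findings = []
    literals = {}  # def-use map: variable name -> string literal it was initialised with
    for lineno, line in enumerate(source.splitlines(), 1):
        m = ASSIGN_RE.search(line)
        if m:
            var, value = m.group(1), m.group(2)
            literals[var] = value
            entry = library_match(var, library)
            if entry:  # step 220: constant used together with a password keyword
                findings.append({"line": lineno, "kind": "constant-as-password",
                                 "name": var, "matched": entry, "value": value})
            continue
        m = CALL_RE.search(line)
        if not m:
            continue
        method, arg = m.group(1), m.group(2)
        entry = library_match(method, library)
        if not entry:
            continue  # step 230: method name is not password-related
        if arg.startswith('"'):  # literal passed straight into a password method
            findings.append({"line": lineno, "kind": "literal-to-password-method",
                             "name": method, "matched": entry, "value": arg.strip('"')})
        elif arg in literals:  # data flow: the variable argument resolves to a constant
            findings.append({"line": lineno, "kind": "constant-via-variable",
                             "name": method, "matched": entry, "value": literals[arg],
                             "source": arg})
        # otherwise the argument comes from a non-literal source (environment,
        # configuration, vault) and is not reported as a hard-coded password
    return findings


# Constructed sample input (not from the patent).
SAMPLE_JAVA = """\
public class Db {
    public String bad() {
        String password = "password";
        return password;
    }
    public void connect() {
        DriverManagerDataSource ds = new DriverManagerDataSource();
        ds.setPassword("hunter2");
        String pwd = "s3cret";
        ds.setPassword(pwd);
        String fromEnv = System.getenv("DB_PASSWORD");
        ds.setPassword(fromEnv);
    }
}
"""

if __name__ == "__main__":
    for finding in scan_java(SAMPLE_JAVA):
        print(finding)
```

The scan reports lines 3, 8, 9 and 10 of the sample and stays silent on line 12, where the value comes from the environment. Two caveats a practitioner should keep in mind: short library entries such as "pw" match as substrings inside unrelated identifiers, so the library needs the audit feedback the text describes, and the def-use map here is intra-method and flow-insensitive; a real implementation would take the constant-or-variable decision from the data flow analysis of step 210 rather than from a regex.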
Optionally, process 200 further includes step 240. At step 240, a cryptographic variable/method library is established.
For example, establishing a cryptographic variable/method library may include:
1. Set the initial password names and method prefixes.
2. Compare the variable/method names read from the source code against them.
3. Record similar, possibly password-related method names as they are read.
4. At the same time, fold in the judgment of the audit results and iteratively optimize the code variable name/method name library.
For example, the password for accessing a database may be set in the following manner (Spring's DriverManagerDataSource):
DriverManagerDataSource pw = new DriverManagerDataSource();
pw.setPassword("password"); // hard-coded password used to access the database
The data in the password variable/method library may be stored in a tabular format (the table in the original document is an image; its columns are the fields listed for step 250 below: language type, class name, prefix, password name, parameter, type).
Optionally, process 200 further includes step 250. At step 250, the constants and variables determined to be password-related are sorted, and the sorted constants and variables are stored in the password variable/method library in a predetermined format.
For example, the password variable/method library may store data in a format comprising at least one of: language type, class name, prefix, password name, parameter, and type.
FIG. 3 shows a flow diagram of a process 300 for password security detection in static code scanning according to an embodiment of the present disclosure.
Process 300 begins at step 301.
At step 301, a data flow analysis is performed on the source code.
At step 302, the method/variable names are obtained from the result of step 301.
At step 303, it is determined whether there is a match with the existing password variable/method library. If not, process 300 proceeds to step 304. Otherwise, process 300 proceeds to step 305.
At step 304, the obtained method/variable name is determined to be password-related.
At step 305, it is determined whether the name is a method name. If so, process 300 proceeds to step 306.
At step 306, it is determined whether the method includes a password variable. If so, process 300 proceeds to step 307.
At step 307, the language type, prefix, method name and parameters, etc. are recorded.
At step 308, the class name, etc. is recorded.
At step 309, it is determined whether the method prefix includes "set" or the like. If so, process 300 proceeds to step 310.
At step 310, the type is set to "password setting method". Process 300 then proceeds to step 304.
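Steps 240 and 250 above and the flow of process 300 describe how the library is built and refined. The following Python example, added here and not part of the patent, shows one way to implement that loop on a constructed Java class: the seed names and the list of setter-style prefixes are assumptions, method and field declarations are read with regular expressions standing in for syntax analysis, hits are recorded in the (language type, class name, prefix, password name, parameter, type) format, methods whose prefix is "set" or similar are typed as password setting methods, and audit verdicts are folded back in before the names are handed to the next scan.

```python
"""Added example: establishing and refining the password variable/method
library (steps 240/250 and process 300). Not the patent's implementation;
seed names, setter prefixes, regexes and the sample class are assumptions."""
import re
from dataclasses import dataclass

SEED_NAMES = ("password", "passwd", "pwd", "pw")  # step 1: initial password names (assumed)
SETTER_PREFIXES = ("set", "init", "put")            # "set or the like" (assumed list)

# Regex stand-ins for syntax analysis of Java-like source (assumption).
CLASS_RE = re.compile(r"\bclass\s+(\w+)")
METHOD_DECL_RE = re.compile(
    r"^\s*(?:public|private|protected)\s+(?:static\s+)?[\w<>\[\]]+\s+(\w+)\s*\(([^)]*)\)\s*\{")
FIELD_DECL_RE = re.compile(r"\b(?:String|char\[\]|byte\[\])\s+(\w+)\b")


@dataclass
class LibraryEntry:
    """One row in the (language type, class name, prefix, password name,
    parameter, type) format the text describes."""
    language: str
    class_name: str
    prefix: str
    password_name: str
    parameters: str
    type: str
    confirmed: bool = False  # set by the audit in step 4


def contains_password_name(name, names=SEED_NAMES):
    low = name.lower()
    return any(n in low for n in names)


def split_prefix(method):
    """camelCase prefix of a method name: setPassword -> ("set", "Password")."""
    m = re.match(r"([a-z]+)([A-Z].*)", method)
    return (m.group(1), m.group(2)) if m else ("", method)


def build_library(source, language="java", library=None):
    """Steps 1 to 3: compare names read from the source against the seed
    names and record every hit that is not already in the library."""
    library = {} if library is None else library
    class_name = ""
    for line in source.splitlines():
        c = CLASS_RE.search(line)
        if c:
            class_name = c.group(1)  # process 300, step 308: class name is recorded
            continue
        m = METHOD_DECL_RE.match(line)
        if m:
            method, params = m.group(1), m.group(2).strip()
            key = method.lower()
            if key in library:
                continue
            param_names = [p.split()[-1] for p in params.split(",") if p.strip()]
            # steps 305/306: a method name whose parameters (or name) carry a password name
            if contains_password_name(method) or any(map(contains_password_name, param_names)):
                prefix, _ = split_prefix(method)
                # steps 309/310: a setter-style prefix marks a password setting method
                kind = "password setting method" if prefix in SETTER_PREFIXES else "password method"
                library[key] = LibraryEntry(language, class_name, prefix, method, params, kind)
            continue
        f = FIELD_DECL_RE.search(line)
        if f and contains_password_name(f.group(1)) and f.group(1).lower() not in library:
            library[f.group(1).lower()] = LibraryEntry(
                language, class_name, "", f.group(1), "", "password variable")
    return library


def apply_audit(library, verdicts):
    """Step 4: fold audit results back in. Rejected names are removed
    (false positives such as substring hits on "pw"); confirmed ones are marked."""
    for key, accepted in verdicts.items():
        if key not in library:
            continue
        if accepted:
            library[key].confirmed = True
        else:
            del library[key]
    return library


def names_for_matching(library):
    """Pattern strings for the next scan: confirmed entries first, then longest first."""
    return sorted(library, key=lambda k: (not library[k].confirmed, -len(k), k))


def to_record(entry):
    return (entry.language, entry.class_name, entry.prefix,
            entry.password_name, entry.parameters, entry.type)


# Constructed sample input (not from the patent). tmpWorkDir is a deliberate
# false positive: "tmpworkdir" contains the seed "pw".
SAMPLE_JAVA = """\
public class DbConfig {
    private String adminPassword = "changeme";
    private String tmpWorkDir;
    public void setPassword(String password) { this.adminPassword = password; }
    public void initPwd(String dbPwd) { this.hash = dbPwd; }
    public void setTimeout(int seconds) { this.timeout = seconds; }
    public String getPassword() { return adminPassword; }
}
"""

if __name__ == "__main__":
    lib = build_library(SAMPLE_JAVA)
    lib = apply_audit(lib, {"tmpworkdir": False, "setpassword": True, "adminpassword": True})
    for key in names_for_matching(lib):
        print(to_record(lib[key]))
```

The first pass records five names, including the false positive tmpWorkDir; the audit removes it and confirms two entries, and the confirmed names are handed to the matcher first on the next scan. This is the iterative optimisation of step 4: the library grows from what the scanner reads, and the audit decides what stays.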
The present invention has one or more of the following advantages and effects, relative to the prior art.
1) At present, most other weak password detection methods are dynamic: they rely on starting the process and reading the password from a thread or from memory, or they try common passwords by brute force to judge whether a weak password exists.
2) Compared with dynamic detection, static detection of the source code has higher coverage and is a more direct judgment method; it avoids false negatives caused by too few attempts or an insufficient weak password library. Meanwhile, no process needs to be started, the application is not affected, and the thoroughness of detection can be ensured.
3) Compared with password detection aimed only at specific variables in current static code scanning, judgments for various kinds of variables are added, so password security problems in the source code can be analyzed more comprehensively.
By using the invention, at least one of the following technical effects can be realized:
1. By combining with the semantic analysis of static code scanning, existing password security problems can be found effectively at the source code stage. Static code scanning is simple to use: only the source code needs to be provided, scanning is automatic, and coverage is high.
2. Detection covers both possible password variables and password-related interfaces, and the improved detection method can provide more detailed defect analysis.
3. This effectively prevents an attacker from obtaining the password directly from disassembled code, and avoids other risks arising from password security.
Fig. 4 illustrates an exemplary configuration of a computing device 1200 capable of implementing embodiments in accordance with the present disclosure.
Computing device 1200 is an example of a hardware device to which the above-described aspects of the disclosure can be applied. Computing device 1200 may be any machine configured to perform processing and/or computing. Computing device 1200 may be, but is not limited to, a workstation, a server, a desktop computer, a laptop computer, a tablet computer, a Personal Data Assistant (PDA), a smart phone, an in-vehicle computer, or a combination thereof.
As shown in fig. 4, computing device 1200 may include one or more elements that may be connected to or communicate with bus 1202 via one or more interfaces. The bus 1202 may include, but is not limited to, an Industry Standard Architecture (ISA) bus, a Micro Channel Architecture (MCA) bus, an Enhanced ISA (EISA) bus, a Video Electronics Standards Association (VESA) local bus, and a Peripheral Component Interconnect (PCI) bus. Computing device 1200 may include, for example, one or more processors 1204, one or more input devices 1206, and one or more output devices 1208. The one or more processors 1204 may be any kind of processor and may include, but are not limited to, one or more general-purpose processors or special-purpose processors (such as special-purpose processing chips). Processor 1204 may, for example, perform the processes illustrated in FIG. 1. Input device 1206 may be any type of input device capable of inputting information to a computing device and may include, but is not limited to, a mouse, a keyboard, a touch screen, a microphone, and/or a remote control. Output device 1208 can be any type of device capable of presenting information and can include, but is not limited to, a display, speakers, a video/audio output terminal, a vibrator, and/or a printer.
Computing device 1200 may also include or be connected to a non-transitory storage device 1214, which may be any non-transitory device that implements data storage and may include, but is not limited to, a disk drive, an optical storage device, a solid state memory, a floppy disk, a flexible disk, a hard disk, a magnetic tape or any other magnetic medium, a compact disk or any other optical medium, a cache memory, and/or any other memory chip or module, and/or any other medium from which a computer may read data, instructions, and/or code. Computing device 1200 may also include Random Access Memory (RAM) 1210 and Read Only Memory (ROM) 1212. The ROM 1212 may store programs, utilities or processes to be executed in a non-volatile manner. The RAM 1210 may provide volatile data storage and stores instructions related to the operation of the computing device 1200. Computing device 1200 may also include a network/bus interface 1216 coupled to a data link 1218. The network/bus interface 1216 can be any kind of device or system capable of enabling communication with external apparatuses and/or networks, and can include, but is not limited to, a modem, a network card, an infrared communication device, a wireless communication device, and/or a chipset (such as Bluetooth(TM) devices, 802.11 devices, WiFi devices, WiMax devices, cellular communications facilities, etc.).
The present disclosure may be implemented as any combination of devices, systems, integrated circuits, and computer programs on non-transitory computer readable media. One or more processors may be implemented as an Integrated Circuit (IC), an Application Specific Integrated Circuit (ASIC), or a large scale integrated circuit (LSI), a system LSI, or a super LSI, or as an ultra LSI package that performs some or all of the functions described in this disclosure.
The present disclosure includes the use of software, applications, computer programs, or algorithms. Software, applications, computer programs, or algorithms may be stored on a non-transitory computer readable medium to cause a computer, such as one or more processors, to perform the steps described above and depicted in the figures. For example, one or more memories store software or algorithms in executable instructions and one or more processors may associate a set of instructions to execute the software or algorithms to provide various functionality in accordance with embodiments described in this disclosure.
Software and computer programs (which may also be referred to as programs, software applications, components, or code) include machine instructions for a programmable processor, and may be implemented in a high-level procedural, object-oriented, functional, logical, or assembly or machine language. The term "computer-readable medium" refers to any computer program product, apparatus or device, such as magnetic disks, optical disks, solid state storage devices, memories, and Programmable Logic Devices (PLDs), used to provide machine instructions or data to a programmable data processor, including a computer-readable medium that receives machine instructions as a computer-readable signal.
By way of example, computer-readable media can comprise Dynamic Random Access Memory (DRAM), Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), Compact Disk Read Only Memory (CD-ROM) or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired computer-readable program code in the form of instructions or data structures and that can be accessed by a general-purpose or special-purpose computer or a general-purpose or special-purpose processor. Disk and disc, as used herein, include Compact Disc (CD), laser disc, optical disc, Digital Versatile Disc (DVD), floppy disk and Blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above are also included within the scope of computer-readable media.
Similarly, while operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In some cases, multitasking and parallel processing may be advantageous.

Claims (8)

1. A method for password security detection in static code scanning, comprising:
performing semantic analysis on the source code to obtain the constants and variables in the source code and in its corresponding configuration files;
determining whether an obtained constant is used as a password; and
matching against a password variable/method library to determine whether an obtained variable is a parameter or a method related to a password.
2. The method of claim 1, wherein determining whether the obtained constant is used as a password comprises:
if a constant is used in conjunction with the keyword "password" or a variant thereof, determining that the constant is used as a password.
3. The method of claim 1, further comprising:
if there is a match with the password variable/method library, determining whether the obtained variable is a method name and whether the method corresponding to the method name includes a "password" variable;
determining that the obtained variable is related to the password if it is determined that the variable is a method name and the method corresponding to the method name includes a "password" variable; and
storing the language type, prefix and method name of the variable and the parameters of the corresponding method in association in the password variable/method library.
4. The method of claim 1, further comprising:
if there is no match with the password variable/method library, determining whether the obtained variable includes a "password" variable; and
if it is determined that the obtained variable includes a "password" variable, storing the obtained variable in the password variable/method library.
5. The method of claim 1, wherein the password variable/method library stores data in a format comprising at least one of language type, class name, prefix, password name, parameter, and type.
6. The method of claim 1, further comprising:
establishing a password variable/method library; and
the constants and variables determined to be associated with the password are sorted, and the sorted constants and variables are stored in a password variable/method library in a predetermined format.
7. An apparatus for password security detection in static code scanning, comprising:
a memory having instructions stored thereon; and
a processor configured to execute instructions stored on the memory to perform the method of any of claims 1 to 6.
8. A computer-readable storage medium comprising computer-executable instructions that, when executed by one or more processors, cause the one or more processors to perform the method of any one of claims 1-6.
Application CN202110762607.3A (priority date 2021-07-06, filing date 2021-07-06): Method, device and storage medium for password security detection in static code scanning; published as CN115587351A; status Pending.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110762607.3A CN115587351A (en) 2021-07-06 2021-07-06 Method, device and storage medium for password security detection in static code scanning

Publications (1)

Publication Number Publication Date
CN115587351A true CN115587351A (en) 2023-01-10

Family

ID=84771793

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110762607.3A Pending CN115587351A (en) 2021-07-06 2021-07-06 Method, device and storage medium for password security detection in static code scanning

Country Status (1)

Country Link
CN (1) CN115587351A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116346688A * 2023-05-24 2023-06-27 江苏金盾检测技术股份有限公司 SSL VPN security authentication gateway service compliance detection system and method based on active scanning
CN116346688B * 2023-05-24 2023-08-04 江苏金盾检测技术股份有限公司 SSL VPN security authentication gateway service compliance detection system and method

Similar Documents

Publication Publication Date Title
US11711388B2 (en) Automated detection of malware using trained neural network-based file classifiers and machine learning
US7730219B2 (en) System and method for detecting free and open wireless networks
US9798981B2 (en) Determining malware based on signal tokens
US10986103B2 (en) Signal tokens indicative of malware
US20160110543A1 (en) Apparatus and method for detecting malicious application based on visualization similarity
US10733594B1 (en) Data security measures for mobile devices
KR102006242B1 (en) Method and system for identifying an open source software package based on binary files
KR102302484B1 (en) Method for mobile malware classification based feature selection, recording medium and device for performing the method
Wu et al. Overprivileged permission detection for android applications
US20190325134A1 (en) Neural network detection of malicious activity
CN115587351A (en) Method, device and storage medium for password security detection in static code scanning
JP7314243B2 (en) How to Generate Malicious Behavior Feature Information for Malware
KR20170053056A (en) Security server using case based reasoning engine and storage medium for installing security function
CN114186200A (en) Method and device for identifying whether android application is legal application
US10853462B2 (en) Authorizing file access with user I/O and hardware usage patterns
CN114238119A (en) Automatic testing method and system for android application and storage medium
CN116010945A (en) Method, apparatus and computer readable storage medium for automatically detecting malicious code
CN114510669A (en) Bad information website detection method, device and storage medium
KR102345016B1 (en) Method and apparatus for detecting ransomware
US11113378B2 (en) Content-based authentication
CN115309438A (en) Android SDK version detection method and device and storage medium
CN113641964B (en) Repackaging application detection method, electronic device and storage medium
KR102384788B1 (en) Apparatus and method for validity check
CN115858328A (en) Code similarity detection method and device and storage medium
CN113934641A (en) Code security detection method and system based on incremental clustering

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination