CN117195225A - Code vulnerability checking method, device, electronic equipment and storage medium - Google Patents
Code vulnerability checking method, device, electronic equipment and storage medium Download PDFInfo
- Publication number
- CN117195225A CN117195225A CN202311114166.1A CN202311114166A CN117195225A CN 117195225 A CN117195225 A CN 117195225A CN 202311114166 A CN202311114166 A CN 202311114166A CN 117195225 A CN117195225 A CN 117195225A
- Authority
- CN
- China
- Prior art keywords
- code
- representation file
- vulnerability
- checking
- security attribute
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 60
- 238000007689 inspection Methods 0.000 claims abstract description 37
- 238000013528 artificial neural network Methods 0.000 claims description 36
- 125000004122 cyclic group Chemical group 0.000 claims description 19
- 230000006870 function Effects 0.000 claims description 17
- 239000013598 vector Substances 0.000 claims description 15
- 238000004590 computer program Methods 0.000 claims description 14
- 238000001514 detection method Methods 0.000 claims description 13
- 238000010586 diagram Methods 0.000 claims description 12
- 238000011001 backwashing Methods 0.000 claims description 7
- 238000012549 training Methods 0.000 claims description 5
- 238000012545 processing Methods 0.000 abstract description 8
- 238000012544 monitoring process Methods 0.000 description 12
- 238000004880 explosion Methods 0.000 description 10
- 238000004900 laundering Methods 0.000 description 10
- 239000000243 solution Substances 0.000 description 9
- 230000008439 repair process Effects 0.000 description 7
- 238000004891 communication Methods 0.000 description 6
- 238000013178 mathematical model Methods 0.000 description 5
- 230000000306 recurrent effect Effects 0.000 description 5
- 230000008569 process Effects 0.000 description 4
- 238000012986 modification Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 238000013459 approach Methods 0.000 description 2
- 230000006399 behavior Effects 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 239000012634 fragment Substances 0.000 description 2
- 238000002347 injection Methods 0.000 description 2
- 239000007924 injection Substances 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 230000007704 transition Effects 0.000 description 2
- 238000005406 washing Methods 0.000 description 2
- 238000006243 chemical reaction Methods 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 230000004807 localization Effects 0.000 description 1
- 239000011159 matrix material Substances 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 238000003058 natural language processing Methods 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
Landscapes
- Debugging And Monitoring (AREA)
Abstract
The invention provides a code vulnerability checking method, a device, electronic equipment and a storage medium, which comprise the steps of analyzing a source code to be checked to obtain a first representation file, wherein the first representation file is used for representing at least one of various elements in the source code, relations among the various elements, a control flow in the source code and control logic; abstracting the first representation file to obtain a second representation file, wherein the number of states in the second representation file is smaller than that in the first representation file; and performing attribute inspection on the second representation file based on a preset security attribute library to obtain a path violating the security attribute, wherein the preset security attribute library comprises security attributes predefined according to the security attribute checking requirement of the backwash code loophole, the path comprises at least one of nodes, variables and function calls, the complexity of a state space is reduced through abstract processing, and the accuracy and the flexibility of the code loophole checking are improved through performing attribute inspection through the self-defined preset security attribute library.
Description
Technical Field
The present invention relates to the field of data processing technologies, and in particular, to a method and apparatus for checking code vulnerabilities, an electronic device, and a storage medium.
Background
Currently, a common money laundering monitoring system may have loopholes which are difficult to detect, so in order to ensure the accuracy of money laundering monitoring, code loopholes need to be periodically checked on the money laundering monitoring system.
In the related art, mathematical models for creating a money laundering monitoring system are usually used, and the created mathematical models are checked by some model checking tools, such as a SPIN model checker, however, when the number of states of the mathematical models is large, this results in a need for a large amount of memory and computing power, in addition, the SPIN model checker has limited analysis capability and can only analyze specific sequential logic, and the SPIN model checker can find errors in the models, but cannot effectively point out specific positions and reasons for the errors.
Disclosure of Invention
The invention provides a code vulnerability checking method, a device, electronic equipment and a storage medium, which are used for solving the defects existing in the prior art of code vulnerability checking.
The invention provides a code vulnerability checking method, which comprises the following steps:
analyzing a source code to be inspected to obtain a first representation file, wherein the first representation file is used for representing at least one of various elements in the source code, relations among the elements, control flows in the source code and control logic;
abstracting the first representation file to obtain a second representation file, wherein the number of states in the second representation file is smaller than that in the first representation file;
and performing attribute inspection on the second representation file based on a preset security attribute library to obtain a path violating the security attribute, wherein the preset security attribute library comprises security attributes predefined according to the loophole inspection requirement of the money back washing code, and the path comprises at least one of nodes, variables and function calls.
According to the method for checking code vulnerabilities provided by the invention, the attribute checking is performed on the second representation file based on a preset security attribute library to obtain a path violating security attributes, and the method comprises the following steps:
and inputting the second representation file into a code vulnerability checking and circulating neural network to obtain a path which is output by the code vulnerability checking and circulating neural network and violates the security attribute, wherein the code vulnerability checking and circulating neural network is obtained by training an initial circulating neural network according to pre-defined security attribute marked data in a preset security attribute library.
According to the method for checking code loopholes provided by the invention, the second representation file is input into a code loophole checking cyclic neural network, and the method comprises the following steps:
converting the second representation file to obtain target data which accords with the data representation form input to the cyclic neural network, wherein the target data comprises at least one of a characteristic vector of a node, a characteristic vector of an edge and an input sequence established according to the relation between the nodes;
and inputting the target data into a code vulnerability checking cyclic neural network.
According to the code vulnerability checking method provided by the invention, the first representation file is any one of an abstract syntax tree, a control flow chart, a data flow chart and a dependency graph, and the abstracting of the first representation file comprises at least one of data abstraction, control abstraction, modularization abstraction and state merging.
According to the method for checking code loopholes provided by the invention, after the path violating the security attribute is obtained, the method further comprises the following steps:
analyzing the path according to a preset analysis rule to obtain an analysis result, wherein the analysis result comprises at least one of a line number, a calling relation, control flow information, data flow information and a vulnerability type of a vulnerability code corresponding to the path.
According to the code vulnerability checking method provided by the invention, the method further comprises the following steps:
and generating a code vulnerability detection report based on the analysis result, wherein the code vulnerability detection report comprises vulnerability codes in the source codes, related information of the vulnerability codes and a repairing strategy aiming at the vulnerability codes.
The invention also provides a code vulnerability checking device, which comprises:
the code analysis module is used for analyzing the source code to be inspected to obtain a first representation file, wherein the first representation file is used for representing at least one of various elements in the source code, relations among the elements of various types, control flow and control logic in the source code;
the code abstraction module is used for abstracting the first representation file to obtain a second representation file, and the number of states in the second representation file is smaller than that in the first representation file;
the vulnerability checking module is used for performing attribute checking on the second representation file based on a preset security attribute library to obtain a path violating the security attribute, wherein the preset security attribute library comprises security attributes predefined according to the vulnerability checking requirement of the backwashing code, and the path comprises at least one of nodes, variables and function calls.
The invention also provides an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the code bug checking method according to any one of the above when executing the program.
The present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements a code vulnerability inspection method as any one of the above.
The invention also provides a computer program product comprising a computer program which when executed by a processor implements a method of code vulnerability inspection as described in any one of the above.
According to the code vulnerability checking method, the code vulnerability checking device, the electronic equipment and the storage medium, the source code to be checked is analyzed to obtain the first representation file, and the first representation file is used for representing at least one of various elements in the source code, relations among the various elements, control flows in the source code and control logic; abstracting the first representation file to obtain a second representation file, wherein the number of states in the second representation file is smaller than that in the first representation file; the method and the device further carry out abstract processing after analyzing the source code to reduce the state number of the source code, avoid the subsequent state explosion problem, and improve the detection efficiency and the expandability by reducing the complexity of a state space.
Drawings
In order to more clearly illustrate the invention or the technical solutions of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic flow chart of a code vulnerability inspection method provided by the invention;
FIG. 2 is a schematic diagram of a code vulnerability inspection device according to the present invention;
fig. 3 is a schematic structural diagram of an electronic device provided by the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Currently, a common money laundering monitoring system may have loopholes which are difficult to detect, so in order to ensure the accuracy of money laundering monitoring, code loopholes need to be periodically checked on the money laundering monitoring system.
In the related art, it is common to create a mathematical model of a money laundering monitoring system, such as a state machine or state transition diagram, and then check one or more logical properties on this model in an automated manner. If the model meets these properties, the actual money laundering monitoring system would also meet these properties.
In the related art, there are two main types of model inspection: state space search and symbolic model checking.
State space search: this is a classical model checking method that determines whether there is a state that violates a specification by traversing the entire state space of the system model. This approach can provide detailed error trajectories but may suffer from the so-called "state explosion" problem, i.e. the number of states that need to be checked grows exponentially with the size of the system.
Symbol model checking: to address the state explosion problem, symbolic model checking techniques have been developed that use data structures such as Binary Decision Diagrams (BDDs) to efficiently represent and manipulate state sets. This approach can handle larger systems, but may not be as intuitive as state space searching, and requires more complex algorithms.
In the related art, it is proposed that a mathematical model created by some model checking tool, such as a SPIN model checker, needs to define a set of concurrent processes and describe how these processes interact and synchronize when checking using the SPIN model checker, and also needs to specify system attributes that want to be verified. These attributes may be security attributes (e.g., the system never goes into an incorrect state) or activity attributes (e.g., some good event must eventually occur). These attributes are described using linear time logic, and then a SPIN model checker is used to verify whether the model satisfies the specified attributes. When the SPIN model checker finds a state sequence that violates the attribute specification, it outputs a counterexample to show how to reach the error state from the initial state.
However, there are several problems with using a SPIN model checker to check:
state explosion: the SPIN model checker uses an explicit state model check, which may lead to state explosion problems when the number of states of the model is large. State explosion is because each state in the model is saved and checked, which results in a significant amount of memory and computing power being required.
Only linear sequential logic is supported: the analysis of the concurrent system by the SPIN model checker is based primarily on linear sequential logic, and for some problems that require the use of other logic systems, such as branch sequential logic, the SPIN model checker may not be able to handle directly.
Lack of an effective error localization mechanism: while the SPIN model checker is able to find errors in the model, it is not effective to point out the specific location and cause of the error occurrence
In order to solve the problems, the invention provides a code vulnerability checking method, after analyzing a source code, the source code is further abstracted to reduce the state number of the source code, so that the subsequent state explosion problem is avoided, the checking efficiency and expandability are improved by reducing the complexity of a state space, and in addition, the accuracy and the flexibility of the code vulnerability checking are improved by performing attribute checking through a self-defined preset safety attribute library.
Fig. 1 is a schematic flow chart of a method for checking code vulnerabilities, as shown in fig. 1, where the method for checking code vulnerabilities includes:
step 110, analyzing a source code to be inspected to obtain a first representation file, wherein the first representation file is used for representing at least one of various elements in the source code, relations among the elements, control flows in the source code and control logic;
in this embodiment, the source code for back-money-washing monitoring in the back-money-washing monitoring system is first parsed to be a representation form suitable for subsequent attribute inspection, and specifically, before the source code is parsed, the source code may be preprocessed, for example, annotation removal, macro definition processing, condition compilation processing, etc., so as to improve accuracy and efficiency of code parsing.
The first representation file may be any one of an abstract syntax tree, a control flow chart, a data flow chart, a dependency graph and the like, which may represent various elements in the source code, relationships among the various elements, a control flow in the source code, and a representation mode of code information such as control logic.
For example, the source code may be parsed into an abstract syntax tree to represent code structure and semantics. An abstract syntax tree is a tree-like data structure in which each node represents a code element (e.g., statement, expression, function, etc.), and the nesting and hierarchy of the code is described by parent-child relationships between the nodes.
For example, the source code may be parsed into a control flow graph, and a graphical representation may be constructed according to the control flow of the source code, wherein nodes represent basic blocks and edges represent control transitions (e.g., branch statements, loops, etc.) of program execution. The control flow graph can more clearly reflect the control flow in the code, facilitating static analysis and model checking.
For example, the source code may also be parsed into a dataflow graph that illustrates the dependency and data flow between variables and constants in the source code. This can help analyze the data processing in the code and find potential vulnerabilities and security risks.
For example, the source code can be resolved into a dependency graph, and the calling relationship and the dependency relationship between different modules, functions, classes and the like in the code are revealed by constructing the dependency graph.
Step 120, abstracting the first representation file to obtain a second representation file, wherein the number of states in the second representation file is smaller than that in the first representation file;
in this embodiment, in order to avoid the problem of the subsequent state explosion, the first representation file may be further abstracted to reduce the complexity of the state space. The first representation file may be abstracted, for example, in at least one of data abstraction, control abstraction, modular abstraction, and state merging.
In one example, data abstraction may be employed to abstract specific data types, variables, and constants in the first representation file into a more generalized concept to reduce the complexity of the state space. For example, an integer type is abstracted to a range or symbol, and a string type is abstracted to a pattern or length range.
In one example, data abstraction may also be employed to abstract complex control structures (e.g., loops, conditional statements) in the first representation file into simpler control flows to reduce the size of the state space. For example, loop structures are abstracted to be iteration times or loop invariants.
In one example, state merging may also be employed to merge states with similar behavior or characteristics into one more generalized state to reduce the size of the state space. For example, states having the same input-output dependency are merged, or states having identical control flows are merged.
In this embodiment, the above-described abstract method may be used, or a plurality of abstract methods may be used in combination, which is not limited thereto. In the embodiment, through data abstraction, the number of combinations of concrete values can be reduced, and a data flow diagram and a dependency graph are simplified. By means of control abstraction, the complex structure in the control flow chart can be simplified, and the scale of the state space can be reduced. Through modular abstraction, codes can be divided into smaller units for abstraction and analysis, and manageability and expandability are improved. By state merging, the size of the state space can be reduced, focusing on critical states and behaviors.
And 130, performing attribute inspection on the second representation file based on a preset security attribute library to obtain a path violating the security attribute, wherein the preset security attribute library comprises a security attribute predefined according to the backwash code loophole inspection requirement, and the path comprises at least one of nodes, variables and function calls.
It should be noted that, the security attributes in the preset security attribute library in this embodiment are customized according to the security rules and criteria of the money laundering monitoring system, and different security rules and criteria may set different security attributes, which is not limited.
In this embodiment, attribute verification is performed on elements such as nodes, variables or function calls in the second representation file through pre-defining security attributes in a preset security attribute library, for example, whether read-write operation of sensitive data exists or not, whether unauthorized access exists or not is checked. If the attribute of a node does not match the one defined in the security attribute library, the node is marked as a path violating the security attribute, and for example, whether an uninitialized variable exists, whether overflow or buffer overflow exists or not is checked. If the attribute of a variable does not match the one defined in the security attribute library, the variable is marked as a path violating the security attribute, such as by checking if there is an unauthorized function call, if there is a function call that may cause code injection or cross-site scripting attack, etc. If the attribute of a function call does not match the one defined in the security attribute library, the function call is marked as a path violating the security attribute.
According to the code vulnerability checking method provided by the embodiment of the invention, the source code to be checked is analyzed to obtain the first representation file, and the first representation file is used for representing at least one of various elements in the source code, relations among the various elements, control flows in the source code and control logic; abstracting the first representation file to obtain a second representation file, wherein the number of states in the second representation file is smaller than that in the first representation file; the method and the device further carry out abstract processing after analyzing the source code to reduce the state number of the source code, avoid the subsequent state explosion problem, and improve the detection efficiency and the expandability by reducing the complexity of a state space.
Based on any one of the foregoing embodiments, performing attribute inspection on the second representation file based on a preset security attribute library to obtain a path violating the security attribute, including:
and inputting the second representation file into a code vulnerability checking and circulating neural network to obtain a path which is output by the code vulnerability checking and circulating neural network and violates the security attribute, wherein the code vulnerability checking and circulating neural network is obtained by training an initial circulating neural network according to pre-defined security attribute marked data in a preset security attribute library.
In this embodiment, data of predefined security attribute labels in a preset security attribute library is used as a training set, and the data is used to pretrain an initial cyclic neural network, so that the cyclic neural network learns patterns and features related to the security attributes, and a code vulnerability inspection cyclic neural network for performing code vulnerability inspection is obtained.
Specifically, when the code vulnerability inspection is performed by using the code vulnerability inspection cyclic neural network, the second representation file needs to be converted into a form suitable for the input of the cyclic neural network, for example, the second representation file is converted into a numerical vector or text is represented into a sequence by using a natural language processing technology, and then the converted data is used as input, so that output results can be obtained, and the output results are used for indicating paths violating the security attribute.
According to the code vulnerability checking method provided by the embodiment of the invention, the code vulnerability checking cyclic neural network trained according to the pre-defined security attribute marked data in the preset security attribute library is used for checking the code vulnerability, so that the vulnerability security checking of the nonlinear sequential logic in the backwash code is realized, and the accuracy and the application range of the vulnerability checking are improved.
Based on any of the above embodiments, the inputting the second representation file into the code vulnerability inspection cyclic neural network includes:
converting the second representation file to obtain target data which accords with the data representation form input to the cyclic neural network, wherein the target data comprises at least one of a characteristic vector of a node, a characteristic vector of an edge and an input sequence established according to the relation between the nodes;
and inputting the target data into a code vulnerability checking cyclic neural network.
In this embodiment, for each node represented in the second representation file, its relevant feature may be extracted and represented as a feature vector. These characteristics may include information about the type, name, scope, etc. of the node. These features may be converted into numerical vectors using various techniques, such as Word Embedding (Word Embedding), word bag model, TF-IDF, and the like.
For each edge represented in the second representation file, the feature associated therewith may be extracted and represented as a feature vector. For example, information of the type, dependency, weight, etc. of the edge may be considered and converted into a numerical vector.
In addition, in this embodiment, the input sequence may be established according to the relationship between nodes, and it may be considered that the connection relationship between nodes is represented by using a adjacency matrix or adjacency list or the like. In this way, the feature vectors of the nodes and the feature vectors of the edges can be correspondingly combined into an input sequence, so that the cyclic neural network can capture the relation among the nodes.
According to the code vulnerability checking method provided by the embodiment of the invention, the second representation file is converted into the target data meeting the input requirement of the cyclic neural network in the up-conversion mode, so that the cyclic neural network can be better input and trained to perform the code vulnerability checking task.
Based on any of the foregoing embodiments, after obtaining the path violating the security attribute, the method further includes:
analyzing the path according to a preset analysis rule to obtain an analysis result, wherein the analysis result comprises at least one of a line number, a calling relation, control flow information, data flow information and a vulnerability type of a vulnerability code corresponding to the path.
In this embodiment, in order to facilitate subsequent bug code repair, the path is further parsed, for example, by information of nodes or edges in the path, so that the path of code execution can be tracked, and a line number related to the bug code in the source code is determined.
For example, call relation information related to the bug codes can be analyzed to show call relations among functions in the code execution process, so that propagation and influence of the bug can be analyzed.
For example, control flow information related to the bug code, such as a judgment condition of a conditional statement, an iteration process of a loop statement, and the like, is analyzed. This information may help understand the control flow of the code as it executes, thereby better analyzing the possible causes and scope of impact of vulnerabilities.
Also, for example, the data flow information related to the vulnerability code is parsed, including but not limited to, definitions, uses, and modifications of variables. By analyzing the data stream, potential sources of vulnerabilities can be discovered as well as the effects that vulnerabilities may have on other portions of code.
Also, for example, information of the vulnerability type of the vulnerability code is parsed, such as buffer overflow, code injection, cross-site scripting, etc. By carrying out detailed analysis and judgment on the path, the specific type of the vulnerability can be determined, so that repair or protection measures can be carried out in a targeted manner.
Based on any one of the foregoing embodiments, the analyzing the path according to a preset analysis rule, after obtaining an analysis result, further includes:
and generating a code vulnerability detection report based on the analysis result, wherein the code vulnerability detection report comprises vulnerability codes in the source codes, related information of the vulnerability codes and a repairing strategy aiming at the vulnerability codes.
In this embodiment, a code bug detection report is also provided, where bug code fragments existing in the source code may be listed in the report. The code fragments can locate the position of the vulnerability according to the line number provided in the analysis result, and corresponding code examples are given.
In addition, for each vulnerability code segment, the report should provide relevant information such as vulnerability type, possible attack patterns, reasons for vulnerability generation, etc. The information can be analyzed and described according to the vulnerability type, calling relation, control flow and data flow information obtained from the analysis result.
In addition, in this embodiment, a corresponding repair policy is provided for each bug code segment. The repair policy should include specific code modification recommendations, references to security code specifications, and other possible safeguards. The repair policy should be customized for different bug types and reasons for their generation to ensure efficient bug repair and to improve code security.
The code bug checking device provided by the invention is described below, and the code bug checking device described below and the code bug checking method described above can be correspondingly referred to each other.
Fig. 2 is a schematic structural diagram of a code bug checking apparatus according to the present invention, where, as shown in fig. 2, the code bug checking apparatus includes: the code parsing module 210 is configured to parse a source code to be inspected to obtain a first representation file, where the first representation file is used to characterize at least one of various elements in the source code, relationships among the various elements, a control flow in the source code, and a control logic; a code abstraction module 220, configured to abstract the first representation file to obtain a second representation file, where the number of states in the second representation file is smaller than the number of states in the first representation file; the vulnerability checking module 230 is configured to perform attribute checking on the second representation file based on a preset security attribute library, so as to obtain a path violating the security attribute, where the preset security attribute library includes a security attribute predefined according to a requirement of checking the vulnerability of the backwash code, and the path includes at least one of a node, a variable, and a function call.
In some embodiments, the vulnerability checking module is further configured to input the second representation file to a code vulnerability checking recurrent neural network, so as to obtain a path of violating the security attribute output by the code vulnerability checking recurrent neural network, where the code vulnerability checking recurrent neural network is obtained by training the initial recurrent neural network according to data with a predefined security attribute label in a preset security attribute library.
In some embodiments, the vulnerability inspection module is further configured to convert the second representation file to obtain target data that conforms to a data representation format input to the recurrent neural network, where the target data includes at least one of a feature vector of a node, a feature vector of an edge, and an input sequence established according to a relationship between the nodes; and inputting the target data into a code vulnerability checking cyclic neural network.
In some embodiments, the first representation file is any one of an abstract syntax tree, a control flow diagram, a data flow diagram, and a dependency diagram, and the abstracting the first representation file includes at least one of data abstraction, control abstraction, modular abstraction, and state merging.
In some embodiments, the code vulnerability inspection device further includes a path parsing module, configured to parse the path according to a preset parsing rule to obtain a parsing result, where the parsing result includes at least one of a line number, a calling relationship, control flow information, data flow information, and a vulnerability type of a vulnerability code corresponding to the path.
In some embodiments, the code bug detection device further includes a bug report generating module, configured to generate a code bug detection report based on the analysis result, where the code bug detection report includes a bug code in the source code, related information of the bug code, and a repair policy for the bug code.
The code vulnerability checking device provided by the invention is used for analyzing the source code to be checked to obtain the first representation file, wherein the first representation file is used for representing at least one of various elements in the source code, the relation among the various elements, the control flow in the source code and the control logic; abstracting the first representation file to obtain a second representation file, wherein the number of states in the second representation file is smaller than that in the first representation file; the method and the device further carry out abstract processing after analyzing the source code to reduce the state number of the source code, avoid the subsequent state explosion problem, and improve the detection efficiency and the expandability by reducing the complexity of a state space.
Fig. 3 illustrates a physical schematic diagram of an electronic device, as shown in fig. 3, where the electronic device may include: processor 310, communication interface (Communications Interface) 320, memory 330 and communication bus 340, wherein processor 310, communication interface 320, memory 330 accomplish communication with each other through communication bus 340. The processor 310 may invoke logic instructions in the memory 330 to perform a code vulnerability checking method applied to a server device, the method comprising: analyzing a source code to be inspected to obtain a first representation file, wherein the first representation file is used for representing at least one of various elements in the source code, relations among the elements, control flows in the source code and control logic; abstracting the first representation file to obtain a second representation file, wherein the number of states in the second representation file is smaller than that in the first representation file; and performing attribute inspection on the second representation file based on a preset security attribute library to obtain a path violating the security attribute, wherein the preset security attribute library comprises security attributes predefined according to the loophole inspection requirement of the money back washing code, and the path comprises at least one of nodes, variables and function calls.
Further, the logic instructions in the memory 330 described above may be implemented in the form of software functional units and may be stored in a computer-readable storage medium when sold or used as a stand-alone product. Based on this understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
In another aspect, the present invention also provides a computer program product, where the computer program product includes a computer program, where the computer program can be stored on a non-transitory computer readable storage medium, and when the computer program is executed by a processor, the computer can execute a code bug checking method applied to a server device provided by the above methods, where the method includes: analyzing a source code to be inspected to obtain a first representation file, wherein the first representation file is used for representing at least one of various elements in the source code, relations among the elements, control flows in the source code and control logic; abstracting the first representation file to obtain a second representation file, wherein the number of states in the second representation file is smaller than that in the first representation file; and performing attribute inspection on the second representation file based on a preset security attribute library to obtain a path violating the security attribute, wherein the preset security attribute library comprises security attributes predefined according to the loophole inspection requirement of the money back washing code, and the path comprises at least one of nodes, variables and function calls.
In still another aspect, the present invention further provides a non-transitory computer readable storage medium having stored thereon a computer program, which when executed by a processor, is implemented to perform the method for checking code vulnerabilities provided by the above methods and applied to a server device, the method comprising: analyzing a source code to be inspected to obtain a first representation file, wherein the first representation file is used for representing at least one of various elements in the source code, relations among the elements, control flows in the source code and control logic; abstracting the first representation file to obtain a second representation file, wherein the number of states in the second representation file is smaller than that in the first representation file; and performing attribute inspection on the second representation file based on a preset security attribute library to obtain a path violating the security attribute, wherein the preset security attribute library comprises security attributes predefined according to the loophole inspection requirement of the money back washing code, and the path comprises at least one of nodes, variables and function calls.
The apparatus embodiments described above are merely illustrative, wherein the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (10)
1. A method for code vulnerability inspection, the method comprising:
analyzing a source code to be inspected to obtain a first representation file, wherein the first representation file is used for representing at least one of various elements in the source code, relations among the elements, control flows in the source code and control logic;
abstracting the first representation file to obtain a second representation file, wherein the number of states in the second representation file is smaller than that in the first representation file;
and performing attribute inspection on the second representation file based on a preset security attribute library to obtain a path violating the security attribute, wherein the preset security attribute library comprises security attributes predefined according to the loophole inspection requirement of the money back washing code, and the path comprises at least one of nodes, variables and function calls.
2. The method for checking code vulnerabilities according to claim 1, wherein the performing attribute checking on the second representation file based on a preset security attribute library to obtain a path violating security attributes comprises:
and inputting the second representation file into a code vulnerability checking and circulating neural network to obtain a path which is output by the code vulnerability checking and circulating neural network and violates the security attribute, wherein the code vulnerability checking and circulating neural network is obtained by training an initial circulating neural network according to pre-defined security attribute marked data in a preset security attribute library.
3. The method of code vulnerability inspection of claim 2, wherein the inputting the second representation file into a code vulnerability inspection cyclic neural network comprises:
converting the second representation file to obtain target data which accords with the data representation form input to the cyclic neural network, wherein the target data comprises at least one of a characteristic vector of a node, a characteristic vector of an edge and an input sequence established according to the relation between the nodes;
and inputting the target data into a code vulnerability checking cyclic neural network.
4. The code vulnerability inspection method of claim 1, wherein the first representation file is any one of an abstract syntax tree, a control flow diagram, a data flow diagram and a dependency graph, and wherein abstracting the first representation file comprises at least one of data abstraction, control abstraction, modular abstraction and state merging.
5. The method according to any one of claims 1 to 4, further comprising, after the path violating the security attribute is obtained:
analyzing the path according to a preset analysis rule to obtain an analysis result, wherein the analysis result comprises at least one of a line number, a calling relation, control flow information, data flow information and a vulnerability type of a vulnerability code corresponding to the path.
6. The code vulnerability inspection method of claim 5, further comprising:
and generating a code vulnerability detection report based on the analysis result, wherein the code vulnerability detection report comprises vulnerability codes in the source codes, related information of the vulnerability codes and a repairing strategy aiming at the vulnerability codes.
7. A code vulnerability inspection apparatus, the apparatus comprising:
the code analysis module is used for analyzing the source code to be inspected to obtain a first representation file, wherein the first representation file is used for representing at least one of various elements in the source code, relations among the elements of various types, control flow and control logic in the source code;
the code abstraction module is used for abstracting the first representation file to obtain a second representation file, and the number of states in the second representation file is smaller than that in the first representation file;
the vulnerability checking module is used for performing attribute checking on the second representation file based on a preset security attribute library to obtain a path violating the security attribute, wherein the preset security attribute library comprises security attributes predefined according to the vulnerability checking requirement of the backwashing code, and the path comprises at least one of nodes, variables and function calls.
8. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the code vulnerability inspection method of any one of claims 1 to 6 when the program is executed by the processor.
9. A non-transitory computer readable storage medium having stored thereon a computer program, which when executed by a processor implements the code vulnerability inspection method of any of claims 1 to 6.
10. A computer program product comprising a computer program which, when executed by a processor, implements the code vulnerability inspection method of any one of claims 1 to 6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311114166.1A CN117195225A (en) | 2023-08-30 | 2023-08-30 | Code vulnerability checking method, device, electronic equipment and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311114166.1A CN117195225A (en) | 2023-08-30 | 2023-08-30 | Code vulnerability checking method, device, electronic equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117195225A true CN117195225A (en) | 2023-12-08 |
Family
ID=88982863
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311114166.1A Pending CN117195225A (en) | 2023-08-30 | 2023-08-30 | Code vulnerability checking method, device, electronic equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117195225A (en) |
-
2023
- 2023-08-30 CN CN202311114166.1A patent/CN117195225A/en active Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Chen et al. | Neural transfer learning for repairing security vulnerabilities in c code | |
De Gouw et al. | OpenJDK’s Java. utils. Collection. sort () is broken: the good, the bad and the worst case | |
Yu et al. | Symbolic string verification: An automata-based approach | |
Yu et al. | Automata-based symbolic string analysis for vulnerability detection | |
Yu et al. | Relational string verification using multi-track automata | |
US10409706B2 (en) | Automated test generation for structural coverage for temporal logic falsification of cyber-physical systems | |
Zhang et al. | A survey of software clone detection from security perspective | |
Fourneret et al. | Model-based security verification and testing for smart-cards | |
CN114911711A (en) | Code defect analysis method and device, electronic equipment and storage medium | |
Reger | Automata based monitoring and mining of execution traces | |
Poorhadi et al. | Analysing the impact of security attacks on safety using SysML and event-B | |
CN112131120B (en) | Source code defect detection method and device | |
CN117195225A (en) | Code vulnerability checking method, device, electronic equipment and storage medium | |
Göttmann et al. | Static analysis techniques for efficient consistency checking of real-time-aware dspl specifications | |
Nooraei Abadeh et al. | Delta‐based regression testing: a formal framework towards model‐driven regression testing | |
CN112581140B (en) | Intelligent contract verification method and computer storage medium | |
Xiao et al. | Specializing neural networks for cryptographic code completion applications | |
Liu | [Retracted] Software Vulnerability Mining Techniques Based on Data Fusion and Reverse Engineering | |
Scherer | Engineering of Reliable and Secure Software via Customizable Integrated Compilation Systems | |
Ginelli | Understanding and Improving Automatic Program Repair: A Study of Code-removal Patches and a New Exception-driven Fault Localization Approach | |
CN115391780B (en) | Security reinforcement method, system, equipment and storage medium for application code | |
Sui et al. | FASER (Formal and Automatic Security Enforcement by Rewriting) by BPA algebra with test | |
Dam et al. | Automated repair of security errors in C programs via statistical model checking: a proof of concept | |
Lam | A Framework-Driven Comparison of Automata-Based Tools for Identifying Business Rule Conflicts | |
Chu | Blockchain Smart Contract Threat Detection Technology Based on Symbolic Execution |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination |