
CN101017458A - Software safety code analyzer based on static analysis of source code and testing method therefor - Google Patents

Info

Publication number
CN101017458A
Authority
CN
China
Prior art keywords
analysis
security
code
analyzer
software
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN 200710064155
Other languages
Chinese (zh)
Other versions
CN100461132C (en)
Inventor
徐国爱
张淼
徐国胜
梁婕
陈爱国
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Beiyou Network Technology Co Ltd
Original Assignee
Beijing University of Posts and Telecommunications
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing University of Posts and Telecommunications
Priority to CNB2007100641551A (patent CN100461132C)
Publication of CN101017458A
Application granted
Publication of CN100461132C
Expired - Fee Related
Anticipated expiration

Landscapes

  • Debugging And Monitoring (AREA)
  • Stored Programmes (AREA)

Abstract

A software security code analyzer based on static analysis of source code, and its detection method. The analyzer comprises five functional modules: a code parser, a code analysis engine, a security risk reporter, a security rule base and a user interface. The code analysis engine consists of a data flow analyzer, a control flow analyzer, a structure analyzer, a security analysis scheduler and a security analysis interface; it extracts the program structure and analyzes the security problems of the code through whole-text syntax and semantics. From the input source code and the syntax and semantics of the code, the engine analyzes the structure and key features of the code, thereby obtaining the security risks of the program and reporting them to the user. Based on the input source program and its syntax and semantics, the invention analyzes the structure and key features of the program, obtains its security risks and reports them to the user; the code analysis results can also be presented as a report, submitting the discovered security vulnerabilities to the user for review and assessment.

Description

Software security code analyzer based on static analysis of source code, and detection method thereof
Technical field
The present invention relates to a technique for detecting security vulnerabilities in software source code, and more precisely to a software security code analyzer based on static source code analysis and its detection method. It belongs to the technical field of software security within information security.
Background
Code analysis techniques are currently the subject of much research. The mainstream open-source tools include ITS4, BOON, CQual, MOPS, RATS and FlawFinder. These tools are briefly introduced below:
ITS4: a tool for statically detecting security vulnerabilities in C and C++ source code. Compared with similar techniques, ITS4 is more accurate and can feed detection results back to the developer in real time during programming; it also supports C++ code readily. ITS4 has a command-line form and runs on Windows and Unix platforms. It looks for dangerous function calls in C or C++ source code. For some calls, ITS4 performs an analysis to determine their degree of danger. It can also produce an analysis report containing a short description of the vulnerability and how to fix it. ITS4 scans code by function matching and does not consider context: it simply searches the C or C++ source for functions or application programming interfaces (APIs) that match its vulnerability database. If a vulnerable function is present, ITS4 issues a warning and gives the programmer a suggested fix to improve code security. The programmer can select a danger level (0-5) to reduce the false-positive rate. ITS4 also lets the programmer skip the check for a specific function name, such as scanf.
RATS: a security auditing tool for C, C++, Python, Perl and PHP code. It scans source code and finds potentially dangerous function calls. The ultimate goal of the tool is not to find the vulnerabilities in the code but to provide a convenient and reasonable starting point for manual security auditing. RATS combines the static checking technique of ITS4 with the deep semantic analysis technique of MOPS to check for buffer overflow vulnerabilities. RATS is released under the General Public License (GPL). Compared with ITS4, RATS can check the code of a whole project rather than a single file. RATS can also check array bounds.
BOON: BOON uses deep semantic analysis to automatically scan C source code for buffer overflow vulnerabilities. It analyzes integer ranges to determine whether arrays in a C program are accessed out of bounds. Although BOON can find many vulnerabilities that other analysis tools miss, it is still imprecise.
Besides the main tools above, a great deal of research has been done in the field of software security analysis in China and abroad; a number of feasible static security analysis methods have been proposed and corresponding software security analysis tools built. Current static security analysis methods can be divided into model checking, proof-carrying code, lexical analysis, simple semantic analysis, information-flow-based security analysis, and so on. Each is briefly introduced below:
Model checking is based on finite-state automata. It enumerates all the states a system can be in, checks whether each state violates the rules and conditions defined by the user, and reports from the analysis results the steps that lead to an illegal state. The theoretical foundations of model checking are temporal logic and automata theory. The property to be checked is expressed as a temporal logic formula and the system is represented as a finite-state automaton; while traversing the automaton, the checker tests whether all of its states satisfy the given property.
Model checking can find complex semantic errors in a program and can therefore accurately find potential security vulnerabilities, but existing model checking tools usually analyze a formal expression (mathematical description) of the source program rather than taking the source program as input. When a mathematical model of the source program is needed, it can usually be generated automatically by program analysis tools (such as data flow analysis, control flow analysis and program slicing). Whether for simplifying program slices or for extracting a program model, it is easy to see that program analysis is the foundation. Program analysis here requires not only syntax analysis but also semantic analysis, including control flow analysis and data flow analysis.
The basic idea of proof-carrying code (PCC) is very similar to that of cryptography. First, a set of security policies is defined for the code. Then the code supplier must follow these policies when programming and add verification code to the program source, to prove that the source program complies with them. Finally, the code user confirms the security of the code.
Lexical scanning is security scanning based on lexical analysis; only lexical analysis is performed on the source code. It finds potential security vulnerabilities by statically scanning the source code and issues a warning as soon as one is found. The basic method takes one or more source files as input, breaks each file into a stream of lexical tokens, and compares the identifiers in the token stream with a predefined dictionary of security vulnerabilities. For example, as soon as string-handling functions such as strcpy or strcat are found in a C source program, a buffer overflow vulnerability is assumed to exist, because these functions may cause buffer overflows; the vulnerability dictionary in this case contains strcpy, strcat and so on.
Simple semantic analysis is security checking based on syntax and simple semantic analysis. It works much like a compiler: it is based on syntax analysis and semantic rules, with simple control flow analysis and data flow analysis added, and therefore has high analysis efficiency and extensibility. By adding data flow analysis annotations to object-oriented program sections, it can find security vulnerabilities that are widespread in software, such as the memory access vulnerabilities that are most likely to occur in programs, including illegal use of memory regions, null pointer dereference, buffer overflow and so on. Another advantage is that it is suitable for analyzing large programs.
Information flow analysis: information security in computer systems has long received much attention, particularly with the development of Internet technology, and the mainstream approach is information flow verification and detection based on type inference. This approach establishes a lattice model for secure information flow verification and proposes a verification mechanism to guarantee the security of information flow within a program. The method assigns information to a set of "security classes", defines the information flows permitted between security classes with a "flow relation", and binds each storage object in the program to a particular security class. When an operation (or series of operations) uses the value of some object (say x) to obtain the value of another object (say y), information flows from x to y. The flow from x to y is permitted if and only if, under the given flow policy, the security class of x can flow to the security class of y.
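The flow check described in the preceding paragraph, as an added example that is not part of the patent. It assumes security classes are sets of categories ordered by inclusion; the object names, classes and statements are constructed for illustration.

```python
# Added illustration, not from the patent: lattice-based information-flow check.
# A security class is a set of categories; class A may flow to class B iff A <= B.

# Binding of each storage object to a security class (constructed names).
BINDING = {
    "user_input": frozenset(),
    "log_line":   frozenset(),
    "password":   frozenset({"secret"}),
    "pw_hash":    frozenset({"secret"}),
    "card_no":    frozenset({"financial"}),
    "audit_rec":  frozenset({"secret", "financial"}),
}

# Constructed program: (line, target y, objects x1..xn whose values produce y).
PROGRAM = [
    (1, "pw_hash",   ["password"]),
    (2, "audit_rec", ["pw_hash", "card_no"]),
    (3, "log_line",  ["user_input", "password"]),
    (4, "card_no",   ["audit_rec"]),
    (5, "log_line",  ["user_input"]),
]


def can_flow(src_class, dst_class):
    """Flow relation: information may only move to an equal or higher class."""
    return src_class <= dst_class


def join(classes):
    """Least upper bound of several classes (the class of a combined value)."""
    return frozenset().union(*classes)


def check_flows(program, binding):
    """Return (line, target, offending sources) for every forbidden flow x -> y."""
    violations = []
    for line, target, sources in program:
        combined = join(binding[s] for s in sources)
        if not can_flow(combined, binding[target]):
            bad = sorted(s for s in sources
                         if not can_flow(binding[s], binding[target]))
            violations.append((line, target, bad))
    return violations


if __name__ == "__main__":
    for line, target, bad in check_flows(PROGRAM, BINDING):
        print(f"line {line}: flow into {target} from {', '.join(bad)} is not permitted")
```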
In summary, today's mainstream static code analysis engines are essentially all based on string matching of suspicious APIs. Some algorithms also do a good deal of work on contextual relationships, but on the whole the shortcoming of the prior art is that the functionality each algorithm can deliver is rather limited. For example:
(1) Shortcomings of string matching: rule-based matching built on string matching is the most widely used algorithm in current code analysis. Its main idea is to use pre-defined rules to find the corresponding code by keyword matching and alert the user. For example, when code is scanned with ITS4, all code that uses strcpy is reported as unsafe, with the advice to use strncpy instead. But the false-positive rate of this method is too high: many API calls that have already been checked are still considered unsafe, and the developer finds it hard to tell where the real security problems are.
(2) Shortcomings of current context-aware algorithms: some programs achieve a degree of context awareness, for example RATS and BOON. Taking BOON as an example, it converts the relevant code into a specific description language and determines whether the code has a buffer overflow by checking, across the whole text, whether the relevant variables have been checked. This solves the false-positive problem to some extent, but problems remain. For example, it cannot detect handles (double pointers), cannot detect string offsets (forms such as strcpy(a+5, b)), and can only address string buffer overflows and integer overflows; it cannot address problems such as boundary conditions and input validation.
Software currently faces a great many security threats, including common buffer overflows, race conditions, input validation and so on. Such threats introduced during development are very easily exploited by attackers and are not easily discovered by developers. How to improve techniques for detecting security vulnerabilities in software source code has therefore become a focus of attention for those skilled in the art.
Summary of the invention
In view of this, the object of the present invention is to provide a software security code analyzer based on static source code analysis, and its detection method. The Software Security Code Analyzer (SSCA) starts from the source code to address the security problems that software faces. Given an input source program, it analyzes the structure and key features of the program according to its syntax and semantics, thereby obtaining the security risks of the program, and reports them to the user. It can also present the code analysis results as a report, submitting the discovered security vulnerabilities to the user for review and assessment.
To achieve the above object, the invention provides a software security code analyzer based on static source code analysis, characterized in that it comprises the following five functional modules:
Code parser: performs lexical and syntax analysis on the source program code, then extracts sufficient information, converts it into an abstract syntax tree (AST) representation and sends it to the code analysis engine to facilitate subsequent analysis. This module can also parse project files to obtain information on all the source code in a project;
Code analysis engine: composed of five sub-modules, each with its own function: data flow analyzer, control flow analyzer, structure analyzer, security analysis scheduler and security analysis interface. It analyzes the structure and key features of the program according to the rule base, obtains the security risks of the program and submits the results to the user interface via the security risk reporter;
Security risk reporter: takes the results of the code analysis engine, compares them against the relevant syntax and semantics in the rule base, and submits the security risks found to the user interface;
Security rule base: provides the code analysis engine with code analysis rules configured in Extensible Markup Language (XML), together with the security risk support for the different security vulnerabilities; it can also provide risk improvement strategy reports, that is, it can be extended to cope with the diversity and complexity of software systems in different environments;
User interface: handles interaction with the user; on the one hand it accepts the user's requests to scan code, and on the other it outputs the results of the scan analysis to the user.
The functions of the five sub-modules of the code analysis engine are:
Data flow analyzer: extracts the data flow information of the program on the basis of code analysis. By traversing the AST it extracts data information including pointer variables, memory regions, constants and function structures, filters this information according to user rules, and provides an interface through which the program structure analyzer reads it;
Control flow analyzer: extracts the control flow information of the program on the basis of code analysis. According to the rules and by traversing the AST, it generates the corresponding program control dependence graph and provides an interface through which the security analysis scheduler reads it;
Structure analyzer: working from the syntax tree extracted by the code analysis engine and the code analysis rules provided by the security rule base, it extracts the main structural information of the program, including entry points, main function names and function relationships, then schedules the data flow analyzer and control flow analyzer to analyze the key variables named in the rules, and calls the security analysis interface to complete the security detection of the relevant code;
Security analysis scheduler: the main scheduling module of the code analysis engine. Using the information provided by the security rule base, it schedules the structure analyzer to perform security analysis, generates the report, and provides an interface for the security risk reporter to call;
Security analysis interface: calls specific security analysis methods according to the security rules. These methods use the syntax tree and the flow analysis results to perform security analysis and submit the analysis results to the security risk reporter.
The source program code is written in mainstream development languages including C, C++, C#, Java and Perl.
The software security flaws that the analyzer can detect fall into the following classes:
Input Validation, comprising: Buffer Overflow, Command Injection, Cross-Site Scripting, Format String, Illegal Pointer Value, Integer Overflow, Log Forging, Path Manipulation, Process Control, Resource Injection, SQL Injection, String Termination Error;
API Abuse, comprising: Dangerous Function, Directory Restriction, Unchecked Return Value, Heap Inspection;
Security Features, comprising: Insecure Randomness, Least Privilege Violation;
Time and State, comprising: File Access Race Condition: TOCTOU, Insecure Temporary File;
Code Quality, comprising: Double Free, Memory Leak, Null Dereference, Obsolete (deprecated functions), Uninitialized Variable, Unreleased Resource, Use After Free.
To achieve the above object, the invention also provides a method by which the software security code analyzer based on static source code analysis detects software security flaws, characterized in that it comprises the following steps:
(1) After the user-configured source code directory to be checked, code language and header file directories are passed to the software security code analyzer, the analyzer starts work;
(2) The input source code is first preprocessed: the header files and macros defined in the program are expanded and substituted into the corresponding positions in the source code;
(3) The rule file is read: the XML file in which the rules are stored is parsed to obtain the required security analysis rules;
(4) Each processed source file is parsed: after macro expansion and header file processing, the source code is parsed into data described by an LL (left-to-right) grammar and then into a standard AST;
(5) According to the security rules and the AST, the source code of the target project is pre-analyzed. If security problems are found that can be detected without flow analysis, the analysis results are submitted directly to the result processing module; otherwise the AST and the security rules are handed to the control flow analyzer, data flow analyzer and security analysis scheduler for further processing;
(6) Further control flow analysis and data flow analysis are performed on the AST. Data flow analysis gathers the call relationships of all variables in the code into a pre-allocated buffer pool; at use time the variable name and its line number are supplied in order to look up its function call table. Control flow analysis compiles the control relationships of specific lines, and can report through the relevant interface whether any given line in the code is controlled and by which line;
(7) According to the analysis class names configured in the rules, the analysis scheduler analyzes the security problems of the code. Each class of security problem corresponds to one security analysis method, and these methods are invoked dynamically through the security analysis interface to perform the security analysis. The analysis methods for security vulnerabilities include at least: buffer overflow, resource leak, dangerous API and format string. These analyzers use the security rules, the AST and the flow analysis results to carry out the specific analysis; as soon as a security problem is found, the analysis result is written into the result buffer pool;
(8) After the security analysis finishes, the analysis results stored in the result buffer pool are taken out, saved to local disk and presented to the user for review.
Step 4 further comprises the following operations:
(41) The syntax parsing module in the code parser first filters the input source files by type, extracting the required source code according to file extension;
(42) The extracted source code is preprocessed: all header file information and macro information in the code is resolved and expanded into the specified file;
(43) Lexical analysis is performed, converting the source code to the LL grammar;
(44) Syntax analysis is performed, converting the result of the syntax analysis into an AST.
Step 6 further comprises the following operations:
(61) Control flow analysis is performed first: the software security code analyzer traverses the AST looking for control statements, including if, while, for and switch;
(62) If such control statements (if, while, for, switch) exist, a recursive computation is performed, recording the control relationships until no more control relationships are found; if no such control statement exists, the control relationships already derived are recorded;
(63) Reaching-definitions data flow analysis is performed to obtain the usage of each parameter;
(64) If parameters are passed by reference, pointer/alias analysis is performed to obtain what those parameters actually point to;
(65) Depending on the kind of parameter, a variable query, memory query or function query is performed;
(66) The query results are stored in the corresponding data lists for use in the next step.
The alias analysis in step 64 analyzes the situation in which two or more different variables point to the same data region.
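Steps (3) and (7) above, reading XML rules and invoking the analysis method named in each rule, sketched as an added example that is not the patent's code. The XML schema, the analyzer class names and the C sample are hypothetical, and a simple call extractor stands in for the AST.

```python
# Added illustration, not from the patent. The rule schema, class names and
# sample source below are hypothetical; the patent does not publish its format.
import re
import xml.etree.ElementTree as ET

RULES_XML = """
<rules>
  <rule id="R1" category="Dangerous Function" analyzer="DangerousApiAnalyzer">
    <api name="strcpy" advice="bound the copy and check the source length"/>
    <api name="gets" advice="read with an explicit buffer size"/>
  </rule>
  <rule id="R2" category="Format String" analyzer="FormatStringAnalyzer">
    <api name="printf" format_arg="0"/>
    <api name="fprintf" format_arg="1"/>
  </rule>
</rules>
"""

SAMPLE_C = r'''void log_msg(char *user, FILE *fp) {
    char buf[64];
    strcpy(buf, user);
    printf(user);
    printf("%s\n", user);
    fprintf(fp, buf);
    fprintf(fp, "%s", buf);
}'''


def split_args(text):
    """Split the text following '(' into top-level arguments, up to the matching ')'."""
    args, cur, depth, in_str, esc = [], "", 0, False, False
    for ch in text:
        if in_str:                      # inside a string literal: copy verbatim
            cur += ch
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str, cur = True, cur + ch
        elif ch == "(":
            depth, cur = depth + 1, cur + ch
        elif ch == ")":
            if depth == 0:
                break                   # end of this call's argument list
            depth, cur = depth - 1, cur + ch
        elif ch == "," and depth == 0:
            args.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        args.append(cur.strip())
    return args


def calls_in(source):
    """Return (line, name, args) for every call-like construct; stands in for the AST."""
    found = []
    for no, line in enumerate(source.splitlines(), 1):
        for m in re.finditer(r"\b([A-Za-z_]\w*)\s*\(", line):
            found.append((no, m.group(1), split_args(line[m.end():])))
    return found


class DangerousApiAnalyzer:
    def analyze(self, rule, calls):
        apis = {a.get("name"): a.get("advice") for a in rule.findall("api")}
        return [(no, rule.get("id"), name, apis[name])
                for no, name, _ in calls if name in apis]


class FormatStringAnalyzer:
    def analyze(self, rule, calls):
        pos = {a.get("name"): int(a.get("format_arg")) for a in rule.findall("api")}
        return [(no, rule.get("id"), name, "format argument is not a string literal")
                for no, name, args in calls
                if name in pos and len(args) > pos[name]
                and not args[pos[name]].startswith('"')]


# Registry used to resolve the analyzer class name configured in each rule.
ANALYZERS = {c.__name__: c for c in (DangerousApiAnalyzer, FormatStringAnalyzer)}


def run(rules_xml, source):
    """Load the rules, dispatch each to its configured analyzer, collect findings."""
    calls, findings = calls_in(source), []
    for rule in ET.fromstring(rules_xml).findall("rule"):
        cls = ANALYZERS.get(rule.get("analyzer"))
        if cls is None:
            raise ValueError("rule %s names an unknown analyzer" % rule.get("id"))
        findings.extend(cls().analyze(rule, calls))
    return sorted(findings)


if __name__ == "__main__":
    for finding in run(RULES_XML, SAMPLE_C):
        print(finding)
```

A new API can be covered by adding an `<api>` element to the rule text; only a new class of problem needs a new analyzer class in the registry.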
The invention is a software security code analyzer based on static source code analysis, and its detection method. The security code analysis engine in the analyzer extracts the program structure and analyzes the security problems of the code through whole-text syntax and semantics. From the input source code and the syntax and semantics of the code, the engine analyzes the structure and key features of the code, thereby obtaining the security risks of the program and reporting them to the user.
Compared with other current related techniques, the innovations of the invention are mainly: 1. The security rules are configured in XML, so the set of software security flaws that SSCA supports is extensible. 2. Extensible support for multiple programming languages: source code is converted to an AST by an independent converter and then analyzed, so the set of programming languages is extensible. 3. Context-based understanding of code meaning: the invention uses data flow analysis and control flow analysis when analyzing code, ensuring that the code is understood and analyzed in its context. 4. Dynamic loading of security analyzers: after flow analysis, security analyzers are loaded dynamically according to the rules. The advantages and effects of the invention are therefore:
(1) Whole-program checking of the correctness of API parameter use: for example, rather than judging from the current line alone simply whether a suspicious API is used, the analyzer checks whether the parameter was processed somewhere before use, such as whether it was checked against going out of bounds.
By analyzing specific APIs or variables, the invention extracts key information and converts it to a specific format, then analyzes the code in context against pre-defined constraints to determine the security problems of the code. For example, for string overflow, the program analyzes specific APIs (such as strcpy, strncpy, sprintf), examines the variables they are called with, determines from context whether those variables have been checked (for example whether the string length was tested or limited) and, according to the constraints of the function, judges whether a buffer overflow can occur.
(2) Semantics-based deep detection: unlike other techniques, the invention follows the code logic of the program and understands the meaning of the code in order to make the most appropriate judgment. For example, when handling buffer overflows it no longer detects by key API name alone; it analyzes the context around the API and uses flow analysis to find out whether the variables it uses have been checked, which greatly improves detection accuracy.
(3) Multi-language support and extensibility: other techniques currently support only a few fixed languages; for example RATS supports C, C++, Python, Perl and PHP, and BOON supports only C/C++. The invention supports mainstream development languages such as C, C++, C#, Java and Perl, and can be extended to new languages.
(4) Detection of many kinds of vulnerability, and extensibility: other tools currently support only specific vulnerabilities; for example BOON can only detect buffer overflows, and RATS can only detect a small number of code vulnerabilities. The invention currently supports dozens of kinds of software security flaw, and detectable security vulnerabilities can be added dynamically through pre-configured security rules.
(5) Support for multiple operating systems: compared with other software security tools, the system supports most current mainstream operating systems, including the Windows family, Unix, Linux and FreeBSD.
The invention therefore has good prospects for popularization and application.
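The contrast drawn above between dictionary matching (background, shortcoming (1)) and context-based checking (advantages (1) and (2)), as an added example that is not the patent's implementation. It assumes a simplified C layout in which every control statement opens its block with `{` on the same line; the C sample and the guard pattern `strlen(src) < sizeof(dst)` are constructed.

```python
# Added illustration, not from the patent: lexical dictionary matching compared
# with a check that uses recorded control relations. Assumes one statement per
# line and '{' on the same line as if/while/for/switch (constructed sample).
import re

SAMPLE_C = """void copy_name(char *name, char *title) {
    char a[32];
    char b[32];
    strcpy(a, name);
    if (strlen(title) < sizeof(b)) {
        strcpy(b, title);
    }
    while (*name) {
        if (strlen(title) < sizeof(a)) {
            strcpy(a, name);
        }
        name++;
    }
}"""

DICTIONARY = {"strcpy", "strcat"}   # the "vulnerability dictionary" of a lexical scanner
CONTROL = re.compile(r"^\s*(if|while|for|switch)\s*\((.*)\)\s*\{\s*$")
STRCPY = re.compile(r"\bstrcpy\s*\(\s*([^,()]+?)\s*,\s*([^,()]+?)\s*\)")


def lexical_scan(source):
    """Flag every identifier that appears in the dictionary, ignoring context."""
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        for token in re.findall(r"[A-Za-z_]\w*", line):
            if token in DICTIONARY:
                hits.append((no, token))
    return hits


def control_relations(source):
    """Map each line to the lines of the control statements that govern it."""
    stack, controlled = [], {}
    for no, line in enumerate(source.splitlines(), 1):
        if line.strip().startswith("}") and stack:
            stack.pop()                       # leaving the innermost block
        controlled[no] = [c for c in stack if c is not None]
        if CONTROL.match(line):
            stack.append(no)                  # block governed by this statement
        elif line.rstrip().endswith("{"):
            stack.append(None)                # function body, else branch, plain block
    return controlled


def is_guarded(dst, src, condition):
    """True if the condition bounds the length of src by the size of dst."""
    pattern = r"strlen\(\s*%s\s*\)\s*<\s*sizeof\(\s*%s\s*\)" % (
        re.escape(src), re.escape(dst))
    return re.search(pattern, condition) is not None


def context_scan(source):
    """Report strcpy calls that no governing 'if' has length-checked."""
    lines = source.splitlines()
    controlled = control_relations(source)
    findings = []
    for no, line in enumerate(lines, 1):
        for dst, src in STRCPY.findall(line):
            guards = [CONTROL.match(lines[c - 1]) for c in controlled[no]]
            if not any(g.group(1) == "if" and is_guarded(dst, src, g.group(2))
                       for g in guards):
                findings.append((no, dst, src))
    return findings


if __name__ == "__main__":
    print("lexical :", lexical_scan(SAMPLE_C))
    print("context :", context_scan(SAMPLE_C))
```

Line 6 is dropped because its governing `if` checks the copied variable against the destination; line 10 stays because the enclosing check tests `title` while the call copies `name`. Early-return guards and reassignment between check and use are outside this sketch.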
Description of the drawings
Fig. 1 is a block diagram of the composition of the software security code analyzer of the invention.
Fig. 2 is a flowchart of the detection method of the software security code analyzer of the invention.
Fig. 3 is the syntax parsing flowchart in the detection method of the software security code analyzer of the invention.
Fig. 4 is the flow analysis flowchart in the detection method of the software security code analyzer of the invention.
Fig. 5 is a flowchart of an embodiment that uses the invention for software development.
Fig. 6 is a flowchart of an embodiment that uses the invention for access assessment.
Embodiments
To make the purpose, technical solution and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings.
Referring to Fig. 1, the structure of the software security code analyzer SSCA based on static source code analysis is introduced. It mainly comprises the following five functional modules:
1. Code parser: performs lexical and syntax analysis on the source program, then extracts sufficient information, converts it into an abstract syntax tree (AST) representation and sends it to the code analysis engine to facilitate subsequent analysis. This module can also parse project files to obtain information on all the source code in a project;
2. Code analysis engine: analyzes the structure and key features of the program according to the rule base, obtains the security risks of the program, and submits the results to the user interface via the security risk reporter. It is composed of five sub-modules, each with its own function: data flow analyzer, control flow analyzer, structure analyzer, security analysis scheduler and security analysis interface. These five sub-modules are introduced in turn below:
Data flow analyzer: extracts the data flow information of the program on the basis of code analysis. By traversing the AST it extracts data information including pointer variables, memory regions, constants and function structures, filters this information according to user rules, and provides an interface through which the program structure analyzer reads it;
Control flow analyzer: extracts the control flow information of the program on the basis of code analysis. According to the rules and by traversing the AST, it generates the corresponding program control dependence graph and provides an interface through which the security analysis scheduler reads it;
Structure analyzer: working from the syntax tree extracted by the code analysis engine and the code analysis rules provided by the security rule base, it extracts the main structural information of the program (such as entry points, main function names and function relationships), then schedules the data flow analyzer and control flow analyzer to analyze the key variables named in the rules, and calls the security analysis interface to complete the security detection of the relevant code;
Security analysis scheduler: the main scheduling module of the code analysis engine. Using the information provided by the security rule base, it schedules the structure analyzer to perform security analysis, generates the report, and provides an interface for the security risk reporter to call;
Security analysis interface: calls specific security analysis methods according to the security rules. These methods use the syntax tree and the flow analysis results to perform security analysis and submit the analysis results to the security risk reporter.
3. Security risk reporter: takes the results of the code analysis engine, compares them against the relevant syntax and semantics in the rule base, and submits the security risks found to the user interface;
4. Security rule base: provides the code analysis engine with code analysis rules configured in Extensible Markup Language (XML), together with the security risk support for the different security vulnerabilities; it can also provide risk improvement strategy reports, that is, it can be extended to cope with the diversity and complexity of software systems in different environments;
5. User interface: handles interaction with the user; on the one hand it accepts the user's requests to scan code, and on the other it outputs the results of the scan analysis to the user.
The key component of the software security code analyzer (SSCA) of the present invention is the security code analysis engine. Given the input source program, this engine analyzes the structure and key features of the program according to its syntax and semantics, thereby obtaining the program's security risks and reporting them to the user. Support for source code in mainstream development languages such as C/C++/C#/JAVA/Perl is considered first.
As the above shows, the program analysis method and the content of the security rules determine the results and the efficiency of the analysis. Program analysis is the basis of security checking: it extracts program information so that it can be matched against the security rules, and thereby scans for the security vulnerabilities in the program. In the present invention, program analysis approaches the problem from two angles, data flow analysis and control flow analysis. Constructing the security rules means finding the security patterns of the different security vulnerabilities.
The diversity and complexity of software systems (particularly software systems in distributed environments) make security vulnerabilities so varied that not all of them can be addressed. At present, the main categories of software security flaws that the apparatus of the present invention can support are: Input Validation, API Abuse, Security Features, Time and State, Code Quality, etc.
Referring to Fig. 2, the main processing steps of the SSCA detection method are as follows:
(1) After the user-configured source code directory to be checked, the code language and the header file directory are passed to the software security code analyzer, the detection apparatus starts working.
(2) The input source code is first preprocessed: the header files and macros defined in the program are expanded and substituted at the corresponding positions in the source code.
(3) The rule file is read: the Extensible Markup Language (XML) file in which the rules are stored is parsed to obtain the required security analysis rules.
(4) Each processed source file is parsed. After macro resolution and header file processing, grammar parsing is performed: the source code is parsed into data described by an LL grammar, and then parsed into a standard AST syntax tree. This step can be subdivided into the following operations (see Fig. 3):
(41) The syntax parsing module in the code parser first filters the input source files by type, extracting the required source code according to file extension.
(42) The extracted source code is preprocessed: all header file information and macro information in the code is resolved and expanded into a specified file.
(43) Lexical analysis is performed, converting the source code into the LL grammar.
(44) Syntactic analysis is performed, converting the result of the grammar analysis into the AST syntax tree.
(5) According to the security rules and the AST syntax tree, the source code of the target project is pre-analyzed. If a security problem is found that can be detected without flow analysis, the analysis result is submitted directly to the result processing module. Otherwise, the AST and the security rules are handed to the control flow analyzer, the data flow analyzer and the security analysis scheduler for further processing.
(6) Further control flow analysis and data flow analysis are performed on the AST syntax tree. Data flow analysis gathers the data on the call relationships of all variables in the code into a pre-allocated buffer pool; to use it, a caller supplies the variable name and the line number so that the variable's function call table can be looked up. Control flow analysis compiles the control relationships of specific lines, and can report to the relevant interface whether any given line of the code is controlled, and by which line. This step is subdivided into the following operations (as shown in Fig. 4):
(61) Control flow analysis is performed first: the software security code analyzer traverses the AST syntax tree, looking for and collecting the control statements in it, including if, while, for and switch.
(62) If such control statements (including if, while, for, switch) exist, recursive computation is performed and the control relationships are recorded until no further control relationship can be found. If no such control statement exists, the control relationships already analyzed are recorded.
(63) Reaching-definitions data flow analysis is performed to obtain the usage of each parameter.
(64) If parameters are passed by reference, pointer/alias analysis is performed to obtain what these parameters actually point to.
(65) Depending on the kind of parameter, a variable query, a memory query or a function query is performed.
(66) The query results are stored in the corresponding data list for use in the next step.
(7) According to the analysis class names configured in the rules, the analysis scheduler analyzes the security problems of the code. Each class of security problem corresponds to one security analysis method, and the security analysis interface dynamically invokes these methods to perform the security analysis. The security vulnerabilities these analysis methods target include at least: buffer overflow, resource leak, dangerous API and format string. These structure analyzers use the security rules, the AST syntax tree and the results of the flow analysis to carry out the specific analysis; once a security problem is found, the analysis result is placed in the result buffer pool.
(8) After the security analysis finishes, the analysis results stored in the result buffer pool are taken out, stored on the local disk, and submitted to the user for review.
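The following is an added example, not code from the patent. It follows steps (3), (6) and (7): XML rules are read, control relations and a simple data flow are derived from an AST, and each rule is dispatched to the analysis class it names. Python's ast module stands in for the code parser (the patent targets C/C++/C#/JAVA/Perl), and the rule schema, rule IDs, class names and sample program are all constructed assumptions.

```python
import ast
import xml.etree.ElementTree as ET

# Constructed rule base; element and attribute names are assumptions.
RULES_XML = """
<rules>
  <rule id="R001" category="API Abuse" analyzer="DangerousFunction">
    <function name="eval"/>
  </rule>
  <rule id="R002" category="Input Validation" analyzer="CommandInjection">
    <source name="input"/><sink name="os.system"/>
  </rule>
</rules>
"""

# Constructed scan target; it is only parsed, never executed.
SAMPLE = '''\
import os
name = input("host: ")
cmd = "ping -c 1 " + name
if name:
    os.system(cmd)
os.system("uptime")
value = eval("1 + 1")
'''

def call_name(call):
    """Dotted name of a call target such as os.system; None if computed."""
    parts, func = [], call.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        return ".".join(reversed(parts + [func.id]))
    return None

def control_relations(tree):
    """Steps (61)-(62): statement line -> line of innermost controlling if/while/for."""
    controlled = {}
    def walk(stmts, ctrl):
        for stmt in stmts:
            if ctrl is not None:
                controlled[stmt.lineno] = ctrl
            inner = stmt.lineno if isinstance(stmt, (ast.If, ast.While, ast.For)) else ctrl
            for field in ("body", "orelse", "handlers", "finalbody"):
                walk(getattr(stmt, field, []), inner)  # recurse until no nesting remains
    walk(tree.body, None)
    return controlled

def derives_from_source(expr, tainted, sources):
    """True if expr contains a source call or an already tainted name."""
    return any((isinstance(n, ast.Name) and n.id in tainted) or
               (isinstance(n, ast.Call) and call_name(n) in sources)
               for n in ast.walk(expr))

def tainted_names(tree, sources):
    """Simplified stand-in for step (63): flow-insensitive fixed point over assignments."""
    tainted, changed = set(), True
    while changed:
        changed = False
        for node in ast.walk(tree):
            if isinstance(node, ast.Assign) and derives_from_source(node.value, tainted, sources):
                new = {t.id for t in node.targets if isinstance(t, ast.Name)} - tainted
                tainted |= new
                changed = changed or bool(new)
    return tainted

class DangerousFunction:
    """Needs only the AST: every call to a listed function is reported."""
    def run(self, rule, tree):
        names = {f.get("name") for f in rule.findall("function")}
        return [(n.lineno, call_name(n)) for n in ast.walk(tree)
                if isinstance(n, ast.Call) and call_name(n) in names]

class CommandInjection:
    """Needs data flow: a sink call is reported only if an argument is tainted."""
    def run(self, rule, tree):
        sources = {s.get("name") for s in rule.findall("source")}
        sinks = {s.get("name") for s in rule.findall("sink")}
        tainted = tainted_names(tree, sources)
        return [(n.lineno, call_name(n)) for n in ast.walk(tree)
                if isinstance(n, ast.Call) and call_name(n) in sinks
                and any(derives_from_source(a, tainted, sources) for a in n.args)]

ANALYZERS = {cls.__name__: cls for cls in (DangerousFunction, CommandInjection)}

def scan(source, rules_xml=RULES_XML):
    """Step (7): run the analysis class named in each rule and collect the findings."""
    tree = ast.parse(source)
    controlled = control_relations(tree)
    results = []  # plays the role of the result buffer pool
    for rule in ET.fromstring(rules_xml).findall("rule"):
        analyzer = ANALYZERS[rule.get("analyzer")]()
        for line, call in analyzer.run(rule, tree):
            results.append({"rule": rule.get("id"), "category": rule.get("category"),
                            "line": line, "call": call, "controlled_by": controlled.get(line)})
    return sorted(results, key=lambda r: (r["line"], r["rule"]))
```

Calling `scan(SAMPLE)` reports the `os.system(cmd)` call on line 5 together with the `if` on line 4 that controls it, and leaves the constant-argument call on line 6 unreported.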
The present invention has been trialed in two application settings. The first is software development: enterprises and individuals who develop software can use the present invention to check the source code they develop, find the risks it contains, and improve it. The resulting improved code development flow is shown in Fig. 5. The second is admission assessment: evaluation bodies and the organizations that finally deploy a software product do not know the software's development process and can only perform black-box testing, so potential security hazards in the software cannot be found in time, which poses a great threat to the secure operation of these organizations. The present invention addresses this problem effectively: code scanning makes the risks present in the software clearly visible, ensuring the security and stability of the software. Its application flow is shown in Fig. 6.

Claims (8)

1. A software security code analyzer based on source code static analysis technology, characterized in that the software security code analyzer consists of the following five functional modules:
a code parser, responsible for lexical and syntactic analysis of the source program code; it then abstracts sufficient information, converts it into an abstract syntax tree (AST) representation, and passes it to the code analysis engine to facilitate subsequent analysis; this module can also parse project files to obtain all of the source code information in a project;
a code analysis engine, composed of five sub-function modules that each perform their own function (a data flow analyzer, a control flow analyzer, a structure analyzer, a security analysis scheduler and a security analysis interface), responsible for analyzing the structure and key features of the program according to the rule base, obtaining the program's security risks, and submitting the results to the user interface through the security risk reporter;
a security risk reporter, responsible for taking the results of the code analysis engine, comparing them against the relevant syntax and semantics of the rule base, and submitting the security risks found to the user interface;
a security rule base, responsible for providing the code analysis engine with code analysis rules configured in Extensible Markup Language (XML), together with security risk support for the different security vulnerabilities; it can also provide risk improvement strategy reports, and can be extended to match the diversity and complexity of software systems in different environments;
a user interface, responsible for interacting with the user: on the one hand it accepts the user's requests to scan code, and on the other hand it outputs the results of the scan analysis to the user.

2. The software security code analyzer according to claim 1, characterized in that the functions of the five sub-modules in the code analysis engine are:
the data flow analyzer extracts the program's data flow information on the basis of code parsing; by traversing the AST, it extracts data information including pointer variables, memory blocks, constants and function structures, filters this information according to user rules, and provides an interface through which the program structure analyzer reads it;
the control flow analyzer extracts the program's control flow information on the basis of code parsing; according to the rules and by traversing the AST, it generates the corresponding program control dependence graph, and provides an interface through which the security analysis scheduler reads this information;
the structure analyzer, working on the syntax tree extracted by the code analysis engine and following the code analysis rules provided by the security rule base, extracts the program's main structural information, including entry points, main function names and function relationships, then schedules the data flow analyzer and the control flow analyzer to analyze the key variables specified by the rules, and calls the security analysis interface to carry out the security check of the relevant code;
the security analysis scheduler, as the main scheduling module of the code analysis engine, schedules the structure analyzer to perform security analysis according to the information provided by the security rule base, generates a report table, and provides an interface for the security analysis reporter to call;
the security analysis interface calls specific security analysis methods according to the security rules; these methods use the syntax tree and the flow analysis results to perform security analysis, and submit the analysis results to the security risk reporter.

3. The software security code analyzer according to claim 1, characterized in that the source program code is in a mainstream development language, including C, C++, C#, JAVA and Perl.

4. The software security code analyzer according to claim 1, characterized in that the software security vulnerabilities that the software security code analyzer can detect include the following categories:
Input Validation, including: Buffer Overflow, Command Injection, Cross-Site Scripting, Format String, Illegal Pointer Value, Integer Overflow, Log Forging, Path Manipulation, Process Control, Resource Injection, SQL Injection, String Termination Error;
API Abuse, including: Dangerous Function, Directory Restriction, Unchecked Return Value, Heap Inspection;
Security Features, including: Insecure Randomness, Least Privilege Violation;
Time and State, including: File Access Race Condition: TOCTOU, Insecure Temporary File;
Code Quality, including: Double Free, Memory Leak, Null Dereference, Obsolete, Uninitialized Variable, Unreleased Resource, Use After Free.

5. A method by which a software security code analyzer based on source code static analysis technology detects software security vulnerabilities, characterized in that it comprises the following steps:
(1) after the user-configured source code directory to be checked, the code language and the header file directory are passed to the software security code analyzer, the detection apparatus starts working;
(2) the input source code is first preprocessed: the header files and macros defined in the program are expanded and substituted at the corresponding positions in the source code;
(3) the rule file is read: the Extensible Markup Language (XML) file in which the rules are stored is parsed to obtain the required security analysis rules;
(4) each processed source file is parsed; after macro resolution and header file processing, grammar parsing is performed: the source code is parsed into data described by a left-to-right LL grammar, and then parsed into a standard AST syntax tree;
(5) according to the security rules and the AST syntax tree, the source code of the target project is pre-analyzed; if a security problem is found that can be detected without flow analysis, the analysis result is submitted directly to the result processing module; otherwise, the AST and the security rules are handed to the control flow analyzer, the data flow analyzer and the security analysis scheduler for further processing;
(6) further control flow analysis and data flow analysis are performed on the AST syntax tree; data flow analysis gathers the data on the call relationships of all variables in the code into a pre-allocated buffer pool, and to use it a caller supplies the variable name and the line number so that the variable's function call table can be looked up; control flow analysis compiles the control relationships of specific lines, and can report to the relevant interface whether any given line of the code is controlled, and by which line;
(7) according to the analysis class names configured in the rules, the analysis scheduler analyzes the security problems of the code; each class of security problem corresponds to one security analysis method, and the security analysis interface dynamically invokes these methods to perform the security analysis; the security vulnerabilities these analysis methods target include at least: buffer overflow, resource leak, dangerous API and format string; these structure analyzers use the security rules, the AST syntax tree and the results of the flow analysis to carry out the specific analysis, and once a security problem is found, the analysis result is placed in the result buffer pool;
(8) after the security analysis finishes, the analysis results stored in the result buffer pool are taken out, stored on the local disk, and submitted to the user for review.

6. The method for detecting software security vulnerabilities according to claim 5, characterized in that step 4 further comprises the following operations:
(41) the syntax parsing module in the code parser first filters the input source files by type, extracting the required source code according to file extension;
(42) the extracted source code is preprocessed: all header file information and macro information in the code is resolved and expanded into a specified file;
(43) lexical analysis is performed, converting the source code into the LL grammar;
(44) syntactic analysis is performed, converting the result of the grammar analysis into the AST syntax tree.

7. The method for detecting software security vulnerabilities according to claim 5, characterized in that step 6 further comprises the following operations:
(61) control flow analysis is performed first: the software security code analyzer traverses the AST syntax tree, looking for and collecting the control statements in it, including if, while, for and switch;
(62) if such control statements (including if, while, for, switch) exist, recursive computation is performed and the control relationships are recorded until no further control relationship can be found; if no such control statement exists, the control relationships already analyzed are recorded;
(63) reaching-definitions data flow analysis is performed to obtain the usage of each parameter;
(64) if parameters are passed by reference, pointer/alias analysis is performed to obtain what these parameters actually point to;
(65) depending on the kind of parameter, a variable query, a memory query or a function query is performed;
(66) the query results are stored in the corresponding data list for use in the next step.

8. The method for detecting software security vulnerabilities according to claim 5, characterized in that the alias analysis in step 64 identifies cases in which two or more different variables point to the same data area.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2007100641551A CN100461132C (en) 2007-03-02 2007-03-02 Software security code analyzer and detection method based on source code static analysis

Publications (2)

Publication Number Publication Date
CN101017458A true CN101017458A (en) 2007-08-15
CN100461132C CN100461132C (en) 2009-02-11

Family

ID=38726482

Country Status (1)

Country Link
CN (1) CN100461132C (en)

CN108459954A (en) * 2017-02-22 2018-08-28 腾讯科技(深圳)有限公司 Vulnerability of application program detection method and device
CN103996006B (en) * 2013-02-17 2018-09-04 中国移动通信集团山西有限公司 A kind of method and apparatus of Evaluation of Information System Security Risk
CN108595952A (en) * 2018-03-30 2018-09-28 全球能源互联网研究院有限公司 A kind of detection method and system of electric power mobile application software loophole
CN108803561A (en) * 2018-05-22 2018-11-13 广州明珞汽车装备有限公司 The program automatic check method and system of program are controlled for white body wire body
CN108874396A (en) * 2018-05-31 2018-11-23 苏州蜗牛数字科技股份有限公司 The cross-compiler and Compilation Method of multi-platform multiple target language based on HLSL
CN109033843A (en) * 2018-08-02 2018-12-18 南瑞集团有限公司 Java file dependencies analysis method and module for distributed static detection system
CN109246113A (en) * 2018-09-21 2019-01-18 郑州云海信息技术有限公司 A method and device for detecting SQL injection vulnerability in REST API
CN109241104A (en) * 2018-10-12 2019-01-18 北京聚云位智信息科技有限公司 The resolver and its implementation of AISQL in decision type distributed data base system
CN109426723A (en) * 2017-09-01 2019-03-05 深圳市源伞新科技有限公司 Use the detection method, system, equipment and storage medium of memory after release
CN109471634A (en) * 2018-08-28 2019-03-15 上海思立微电子科技有限公司 The inspection method and equipment of source code format
CN109784048A (en) * 2018-12-12 2019-05-21 江苏大学 A kind of stack buffer spilling vulnerability checking method based on programme diagram
CN109857648A (en) * 2019-01-14 2019-06-07 复旦大学 A Change Pattern Mining Method for API Misuse
CN109992970A (en) * 2018-01-03 2019-07-09 北京京东尚科信息技术有限公司 JAVA unserializing leakage location and method
CN110069250A (en) * 2019-04-30 2019-07-30 联陆智能交通科技(上海)有限公司 LTE-V2X standard application layer data decoding method, system and medium
CN110149800A (en) * 2015-04-07 2019-08-20 华为技术有限公司 It is a kind of for handling the device of abstract syntax tree associated with the source code of source program
CN110188029A (en) * 2019-03-15 2019-08-30 中山大学 A Java Null Pointer Analysis System Based on Fixed Value Arrival Analysis Method
CN110286891A (en) * 2019-06-25 2019-09-27 中国科学院软件研究所 A Program Source Code Encoding Method Based on Code Attribute Tensor
CN110348226A (en) * 2019-07-12 2019-10-18 北京字节跳动网络技术有限公司 A kind of scan method of project file, device, electronic equipment and storage medium
CN110377276A (en) * 2019-07-19 2019-10-25 潍柴动力股份有限公司 Source code file management method and equipment
CN110399156A (en) * 2019-07-26 2019-11-01 华东师范大学 On-orbit upgrade method for aerospace software
CN110532015A (en) * 2019-07-26 2019-12-03 华东师范大学 In-orbit upgrade-system towards Space Mission Software
CN110618809A (en) * 2019-08-08 2019-12-27 北京大学 Front-end webpage input constraint extraction method and device
TWI686170B (en) * 2017-09-26 2020-03-01 美商蘋果公司 Device for optical sensing and method for operating the device
US10599852B2 (en) 2014-08-15 2020-03-24 Securisea, Inc. High performance software vulnerabilities detection system and methods
CN110990281A (en) * 2019-12-04 2020-04-10 中国直升机设计研究所 Automatic static analysis method
CN111104335A (en) * 2019-12-25 2020-05-05 清华大学 A C language defect detection method and device based on multi-level analysis
CN111240687A (en) * 2020-01-09 2020-06-05 华东师范大学 Source code static analysis device
CN111240982A (en) * 2020-01-09 2020-06-05 华东师范大学 Source code static analysis method
CN111309589A (en) * 2019-11-29 2020-06-19 中国电力科学研究院有限公司 Code security scanning system and method based on code dynamic analysis
CN111382427A (en) * 2020-01-06 2020-07-07 宁波中科天齐信息技术有限公司 Buffer overflow detection method based on variable association rule
CN111488155A (en) * 2020-06-15 2020-08-04 完美世界(北京)软件科技发展有限公司 Coloring language translation method
CN111611153A (en) * 2019-02-26 2020-09-01 阿里巴巴集团控股有限公司 Method and device for detecting excessive drawing of user interface
CN111611158A (en) * 2020-05-08 2020-09-01 中国原子能科学研究院 An application performance analysis system and method
CN111709026A (en) * 2020-06-10 2020-09-25 Xc5香港有限公司 Static security detection method, device, computer equipment and storage medium
CN112100626A (en) * 2020-09-24 2020-12-18 成都信息工程大学 Development method for improving source code audit vulnerability hit rate
CN112148581A (en) * 2019-06-26 2020-12-29 北京京东尚科信息技术有限公司 Code specification checking method, device, system and storage medium
CN112148602A (en) * 2020-09-17 2020-12-29 云南电网有限责任公司信息中心 Source code security analysis method based on history optimization feature intelligent learning
CN112162777A (en) * 2020-09-27 2021-01-01 北京软安科技有限公司 Source code feature extraction method and device
CN112181858A (en) * 2020-11-09 2021-01-05 东北大学 Automatic detection method for Java software project dependent conflict semantic consistency
CN112231212A (en) * 2020-10-16 2021-01-15 湖南皖湘科技有限公司 Method for detecting syntax error of program code
CN112328256A (en) * 2020-11-19 2021-02-05 四川创智联恒科技有限公司 Method for automatically generating structure body parser source code
CN112416337A (en) * 2020-11-11 2021-02-26 北京京航计算通讯研究所 Software architecture development system for aerospace embedded system
CN112527674A (en) * 2020-12-22 2021-03-19 苏州三六零智能安全科技有限公司 Safety evaluation method, device, equipment and storage medium of AI (Artificial Intelligence) framework
CN112597446A (en) * 2020-12-14 2021-04-02 中国航发控制系统研究所 Method for screening safety subset of safety key software modeling language
CN112639745A (en) * 2018-08-24 2021-04-09 甲骨文国际公司 Scalable pre-analysis of dynamic applications
CN112650675A (en) * 2020-12-23 2021-04-13 广州汉全信息科技股份有限公司 Code detection method and device of block chain and computer equipment
CN112784290A (en) * 2021-01-28 2021-05-11 湖北宸威玺链信息技术有限公司 Data export tool security analysis method and system and data export method
WO2021120538A1 (en) * 2019-12-19 2021-06-24 支付宝(杭州)信息技术有限公司 Applet code scanning method and apparatus
US11050777B2 (en) 2018-11-20 2021-06-29 Saudi Arabian Oil Company Method and system for remediating cybersecurity vulnerabilities based on utilization
CN113220724A (en) * 2014-12-19 2021-08-06 斯普兰克公司 Data stream processing language for analytical instrumentation software
CN113391817A (en) * 2021-06-16 2021-09-14 中国海洋大学 ANTLR 4-based header file replacement method and device
CN113407442A (en) * 2021-05-27 2021-09-17 杭州电子科技大学 Pattern-based Python code memory leak detection method
CN113742732A (en) * 2020-05-27 2021-12-03 南京大学 Code vulnerability scanning and positioning method
CN113806715A (en) * 2020-06-16 2021-12-17 上海交通大学 Embedded device SDK security analysis method
CN113869753A (en) * 2021-09-30 2021-12-31 南京航空航天大学 Security analysis method and device for IoT smart home situation
CN114091018A (en) * 2021-11-24 2022-02-25 安徽中科国创高可信软件有限公司 Method and system for detecting C language program data leakage
CN114595482A (en) * 2022-03-10 2022-06-07 北京邮电大学 Software source code privacy detection method and system based on static detection
CN114816996A (en) * 2022-03-28 2022-07-29 慧之安信息技术股份有限公司 Code flow tracking method and system
CN115062308A (en) * 2022-05-31 2022-09-16 北京理工大学 A method for detecting reentrancy vulnerabilities in smart contracts based on semantic analysis
CN115167834A (en) * 2022-09-08 2022-10-11 杭州新中大科技股份有限公司 Automatic source code generation method and device based on code datamation
CN115495745A (en) * 2022-10-14 2022-12-20 国家工业信息安全发展研究中心 Industrial software source code static detection method and system based on risk function
CN115617352A (en) * 2022-12-02 2023-01-17 中汽研软件测评(天津)有限公司 C code detection method, equipment and storage medium based on safety coding standard
CN115718696A (en) * 2022-10-18 2023-02-28 国网智能电网研究院有限公司 Source code cryptography misuse detection method, device, electronic device and storage medium
CN115906094A (en) * 2022-11-12 2023-04-04 杭州安恒信息技术股份有限公司 Software security evaluation method and system and readable storage medium
CN116340941A (en) * 2023-02-09 2023-06-27 深圳开源互联网安全技术有限公司 Static code scanning method, device, equipment and medium
CN116756048A (en) * 2023-08-16 2023-09-15 北京安普诺信息技术有限公司 Code analysis method, device, computer equipment and storage medium
CN116881926A (en) * 2023-07-17 2023-10-13 耀通科技投资有限公司 A risk scanning method, system and computing device based on device code
WO2023197397A1 (en) * 2022-04-13 2023-10-19 堡垒科技有限公司 Decentralized trusted tokenization protocol for open source software
US11809847B2 (en) 2022-03-16 2023-11-07 International Business Machines Corporation Hardcoded string detection
WO2023241046A1 (en) * 2022-06-16 2023-12-21 中兴通讯股份有限公司 Code management method and apparatus, and electronic device and storage medium
CN117725576A (en) * 2023-11-27 2024-03-19 国网山西省电力公司电力科学研究院 An automated code audit method and system based on static analysis
CN118349997A (en) * 2024-03-25 2024-07-16 中国人民解放军61660部队 A software backdoor determination method based on static code analysis
CN119397969A (en) * 2024-12-31 2025-02-07 北京开源芯片研究院 Bus verification method, device, electronic device and readable storage medium

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018222852A1 (en) 2017-05-31 2018-12-06 Shiftleft Inc. System and method for application security profiling
US10956574B2 (en) 2017-10-07 2021-03-23 Shiftleft Inc. System and method for securing applications through an application-aware runtime agent
US11074362B2 (en) 2017-12-04 2021-07-27 ShiftLeft, Inc. System and method for code-based protection of sensitive data
US11514172B2 (en) 2018-11-15 2022-11-29 Grabango Co. System and method for information flow analysis of application code

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH0793144A (en) * 1993-09-20 1995-04-07 Fujitsu Ltd Program analysis device
US7047523B1 (en) * 1999-06-02 2006-05-16 Siemens Aktiengesellschaft System for determining a total error description of at least one part of a computer program
US7207065B2 (en) * 2004-06-04 2007-04-17 Fortify Software, Inc. Apparatus and method for developing secure software
US7549144B2 (en) * 2005-02-22 2009-06-16 Microsoft Corporation Custom API modeling for source code static analysis simulator
US20060212859A1 (en) * 2005-03-18 2006-09-21 Microsoft Corporation System and method for generating XML-based language parser and writer

Cited By (258)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101286133B (en) * 2008-06-02 2010-06-16 北京邮电大学 Software Testing Method Using Interval Operation
CN101377759B (en) * 2008-08-26 2010-06-09 中国工商银行股份有限公司 Automatic interface test system
CN101661543B (en) * 2008-08-28 2015-06-17 西门子(中国)有限公司 Method and device for detecting security flaws of software source codes
CN101446968B (en) * 2008-12-10 2013-07-17 上海闻泰电子科技有限公司 Method for parsing extend markup language
CN102272738B (en) * 2008-12-29 2013-11-13 Sk普兰尼特有限公司 Method for separately executing software, apparatus, and computer-readable recording medium
CN101448007B (en) * 2008-12-31 2012-11-21 中国电力科学研究院 Attack prevention system based on structured query language (SQL)
CN101901184B (en) * 2009-05-31 2012-09-19 西门子(中国)有限公司 Method, device and system for checking application program vulnerabilities
CN102148844A (en) * 2010-02-09 2011-08-10 深圳市金蝶中间件有限公司 Memory leak positioning method, server, client and system
CN102148844B (en) * 2010-02-09 2014-08-27 深圳市金蝶中间件有限公司 Memory leak positioning method, server, client and system
CN102193859A (en) * 2010-03-03 2011-09-21 腾讯科技(深圳)有限公司 Code analysis method and system
CN102193859B (en) * 2010-03-03 2014-09-10 深圳市世纪光速信息技术有限公司 Code analysis method and system
CN101894236A (en) * 2010-07-28 2010-11-24 北京华夏信安科技有限公司 Software Homology Detection Method and Device Based on Abstract Syntax Tree and Semantic Matching
CN101894239A (en) * 2010-08-12 2010-11-24 武汉大学 Sensitive data audit distribution method and system based on evolution strategy
CN102012895A (en) * 2010-08-19 2011-04-13 上海酷吧信息技术有限公司 Method for analyzing data
CN102012991A (en) * 2010-11-09 2011-04-13 北京神舟航天软件技术有限公司 Static analysis-based checking method of safety rules of C language
CN102073588B (en) * 2010-12-28 2013-11-20 北京邮电大学 Code static analysis based multithread deadlock detection method and system
CN102073588A (en) * 2010-12-28 2011-05-25 北京邮电大学 Code static analysis based multithread deadlock detection method and system
CN102073589B (en) * 2010-12-29 2013-07-03 北京邮电大学 Code static analysis-based data race detecting method and system thereof
CN102073589A (en) * 2010-12-29 2011-05-25 北京邮电大学 Code static analysis-based data race detecting method and system thereof
CN102279792A (en) * 2011-07-25 2011-12-14 大连理工大学 Method for establishing security testing rule base based on extensive makeup language (XML) intermediate model
CN102955914B (en) * 2011-08-19 2015-11-25 百度在线网络技术(北京)有限公司 The detection method of one source file security breaches and pick-up unit
CN102955914A (en) * 2011-08-19 2013-03-06 百度在线网络技术(北京)有限公司 Method and device for detecting security flaws of source files
CN102426550B (en) * 2011-10-26 2014-05-14 中国信息安全测评中心 Source code analysis method and system
CN102426550A (en) * 2011-10-26 2012-04-25 中国信息安全测评中心 Source code analysis method and system
CN102419730A (en) * 2011-12-08 2012-04-18 北京控制工程研究所 Automatic checking method of safety coding rule of 51 assembly language software
CN102541614A (en) * 2011-12-31 2012-07-04 南京师范大学 Code analysis-based method for automatically analyzing input-output data of calculation module
CN102541614B (en) * 2011-12-31 2014-05-28 南京师范大学 Code analysis-based method for automatically analyzing input-output data of calculation module
CN102750220B (en) * 2011-12-31 2015-06-17 中国信息安全测评中心 Method and device for analyzing security defects of software source codes
CN102411690B (en) * 2011-12-31 2014-07-23 中国信息安全测评中心 Method and device for mining security vulnerabilities of application software under Android platform
CN102411690A (en) * 2011-12-31 2012-04-11 中国信息安全测评中心 Method and device for mining security vulnerabilities of application software under Android platform
CN102750220A (en) * 2011-12-31 2012-10-24 中国信息安全测评中心 Method and device for analyzing software source code security flaws
CN102629213A (en) * 2012-02-21 2012-08-08 北京经纬恒润科技有限公司 Analysis method and monitoring method for C language simulation model
CN102629213B (en) * 2012-02-21 2015-02-04 北京经纬恒润科技有限公司 Analysis method and monitoring method for C language simulation model
CN102855183A (en) * 2012-04-18 2013-01-02 清华大学 Static test method and device for misquotation of inner variables by outer pointers
CN102799822B (en) * 2012-07-11 2015-06-17 中国信息安全测评中心 Software running security measurement and estimation method based on network environment
CN102799822A (en) * 2012-07-11 2012-11-28 中国信息安全测评中心 Software running security measurement and estimation method based on network environment
CN102968367A (en) * 2012-08-28 2013-03-13 华南理工大学 Static detection method on basis of embedded software and system thereof
US10114950B2 (en) 2012-10-19 2018-10-30 McAFEE, LLC. Mobile application management
US11157616B2 (en) 2012-10-19 2021-10-26 Mcafee, Llc Mobile application management
CN104662547A (en) * 2012-10-19 2015-05-27 迈克菲股份有限公司 Mobile application management
CN102902820A (en) * 2012-10-31 2013-01-30 华为技术有限公司 Method and device for identifying database type
CN102902820B (en) * 2012-10-31 2015-09-09 华为技术有限公司 The recognition methods of type of database and device
CN103870382A (en) * 2012-12-10 2014-06-18 百度在线网络技术(北京)有限公司 Code risk detection method and device
CN103870382B (en) * 2012-12-10 2018-11-09 百度在线网络技术(北京)有限公司 A kind of detection method and device of code risk
CN103077064B (en) * 2012-12-31 2016-03-02 北京配天技术有限公司 A kind of parsing also executive language method and interpreting means
CN103077064A (en) * 2012-12-31 2013-05-01 北京配天大富精密机械有限公司 Method and interpretation device for analyzing and executing program language
CN103927212B (en) * 2013-01-11 2018-06-12 腾讯科技(深圳)有限公司 Automatically analyze the method and device of source file information
CN103927212A (en) * 2013-01-11 2014-07-16 腾讯科技(深圳)有限公司 Method and device for automatically analyzing source file information
CN103927473A (en) * 2013-01-16 2014-07-16 广东电网公司信息中心 Method, device and system for detecting source code safety of mobile intelligent terminal
CN103996006B (en) * 2013-02-17 2018-09-04 中国移动通信集团山西有限公司 A kind of method and apparatus of Evaluation of Information System Security Risk
CN103257913A (en) * 2013-04-18 2013-08-21 西安交通大学 System and method for detecting and removing fault of software in operation
CN103257913B (en) * 2013-04-18 2015-10-28 西安交通大学 Software fault detection removal system and method during a kind of operation
CN103226488A (en) * 2013-05-06 2013-07-31 中国农业银行股份有限公司 Method and device for efficiency control in formalized code generation
CN103226488B (en) * 2013-05-06 2016-08-24 中国农业银行股份有限公司 A kind of efficiency control method formalized in code building and device
CN103309747B (en) * 2013-05-20 2016-09-28 青岛海信传媒网络技术有限公司 The distribution method of a kind of code file statistics task and device
CN103309747A (en) * 2013-05-20 2013-09-18 青岛海信传媒网络技术有限公司 Method and device for allocation of code file statistics task
CN103294598B (en) * 2013-05-28 2016-02-03 华为技术有限公司 A kind of source code inspection method and device
CN103294598A (en) * 2013-05-28 2013-09-11 华为技术有限公司 Method and device for source code inspection
US9426177B2 (en) 2013-07-15 2016-08-23 Tencent Technology (Shenzhen) Company Limited Method and apparatus for detecting security vulnerability for animation source file
WO2015007166A1 (en) * 2013-07-15 2015-01-22 Tencent Technology (Shenzhen) Company Limited Method and apparatus for detecting security vulnerability for animation source file
CN105229661A (en) * 2013-07-31 2016-01-06 惠普发展公司,有限责任合伙企业 Malware is determined based on signal mark
CN105229661B (en) * 2013-07-31 2018-10-09 安提特软件有限责任公司 Method, computing device and the storage medium for determining Malware are marked based on signal
US9798981B2 (en) 2013-07-31 2017-10-24 Entit Software Llc Determining malware based on signal tokens
CN105431859A (en) * 2013-07-31 2016-03-23 惠普发展公司,有限责任合伙企业 Signal flags indicating malware
CN104462981B (en) * 2013-09-12 2019-01-04 深圳市腾讯计算机系统有限公司 leak detection method and device
CN104462981A (en) * 2013-09-12 2015-03-25 深圳市腾讯计算机系统有限公司 Detecting method and device for vulnerabilities
CN104462983B (en) * 2013-09-22 2019-04-26 深圳市腾讯计算机系统有限公司 A kind of PHP source code processing method and system
CN104462983A (en) * 2013-09-22 2015-03-25 深圳市腾讯计算机系统有限公司 PHP source code processing method and system
CN104933368A (en) * 2014-03-21 2015-09-23 腾讯科技(深圳)有限公司 Network security vulnerability detection method and apparatus
CN105302707B (en) * 2014-06-06 2019-01-08 腾讯科技(深圳)有限公司 The leak detection method and device of application program
CN105302707A (en) * 2014-06-06 2016-02-03 腾讯科技(深圳)有限公司 Application vulnerability detection method and apparatus
CN105278929A (en) * 2014-06-16 2016-01-27 腾讯科技(深圳)有限公司 Application program audit data processing method, device and system
US10599852B2 (en) 2014-08-15 2020-03-24 Securisea, Inc. High performance software vulnerabilities detection system and methods
US9824214B2 (en) 2014-08-15 2017-11-21 Securisea, Inc. High performance software vulnerabilities detection system and methods
US9715593B2 (en) 2014-08-15 2017-07-25 Securisea, Inc. Software vulnerabilities detection system and methods
US9454659B1 (en) 2014-08-15 2016-09-27 Securisea, Inc. Software vulnerabilities detection system and methods
CN104318162A (en) * 2014-09-27 2015-01-28 深信服网络科技(深圳)有限公司 Source code leakage detection method and device
CN113220724A (en) * 2014-12-19 2021-08-06 斯普兰克公司 Data stream processing language for analytical instrumentation software
CN113220724B (en) * 2014-12-19 2024-04-16 斯普兰克公司 Method, system and computer readable storage medium for processing a data stream
CN104503917A (en) * 2015-01-04 2015-04-08 牟永敏 Method and system for analyzing change impact domain based on data flow function invoking path
CN104636252A (en) * 2015-01-04 2015-05-20 浪潮软件股份有限公司 Online code reviewing method and system based on SonarQube
CN104503917B (en) * 2015-01-04 2017-07-07 牟永敏 Change domain of influence analysis method and system based on data flow function call path
CN104572470A (en) * 2015-01-26 2015-04-29 中国人民解放军理工大学 Integer overflow fault detection method based on metamorphic relation
CN104572470B (en) * 2015-01-26 2017-10-03 中国人民解放军理工大学 A kind of integer overflow fault detection method based on transformation relation
US9813450B1 (en) 2015-02-16 2017-11-07 Amazon Technologies, Inc. Metadata-based verification of artifact quality policy compliance
CN106033394B (en) * 2015-03-13 2019-05-17 北京奇虎测腾科技有限公司 The analysis method and device of software source code
CN106033394A (en) * 2015-03-13 2016-10-19 北京奇虎测腾科技有限公司 Software source code analysis method and device
CN106155880B (en) * 2015-03-27 2019-07-30 中国科学院信息工程研究所 A kind of automated procedures analysis system and method based on strategy
CN106155880A (en) * 2015-03-27 2016-11-23 中国科学院信息工程研究所 A kind of automated procedures based on strategy analyze system and method
CN106155893A (en) * 2015-04-03 2016-11-23 腾讯科技(深圳)有限公司 Judge method and the program test equipment of Application testing coverage
CN106155893B (en) * 2015-04-03 2021-03-02 腾讯科技(深圳)有限公司 Method for judging application program test coverage and program test equipment
CN106155892A (en) * 2015-04-03 2016-11-23 腾讯科技(深圳)有限公司 Judge method and the program test equipment of Application testing coverage
CN110149800B (en) * 2015-04-07 2021-12-14 华为技术有限公司 An apparatus for processing an abstract syntax tree associated with source code of a source program
CN110149800A (en) * 2015-04-07 2019-08-20 华为技术有限公司 It is a kind of for handling the device of abstract syntax tree associated with the source code of source program
CN105022958A (en) * 2015-07-11 2015-11-04 复旦大学 Android application used application program vulnerability detection and analysis method based on code library security specifications
CN105022958B (en) * 2015-07-11 2018-01-12 复旦大学 Vulnerability of application program determination method based on code library secure protocol in a kind of Android application
CN105095079A (en) * 2015-07-27 2015-11-25 电子科技大学 Method and device for hot spot module instruction tracking
CN105354137B (en) * 2015-09-30 2018-03-02 国家电网公司 A kind of static models detection method based on IEC61850 agreements
CN105354137A (en) * 2015-09-30 2016-02-24 国家电网公司 Static model detection method based on IEC61850 protocol
CN105335652A (en) * 2015-11-24 2016-02-17 小米科技有限责任公司 Debug method and debug device of application process of mobile terminal
CN105335652B (en) * 2015-11-24 2018-07-31 小米科技有限责任公司 The adjustment method and device of mobile terminal application process
CN105404584A (en) * 2015-11-25 2016-03-16 广州博冠信息科技有限公司 LPC static code inspection method, apparatus and system
CN105404584B (en) * 2015-11-25 2018-12-11 广州博冠信息科技有限公司 LPC static code inspection method, device and system
CN105867906B (en) * 2016-03-22 2018-11-27 东南大学 A kind of code replaceability appraisal procedure that software-oriented develops
CN105786710A (en) * 2016-03-22 2016-07-20 中国银行股份有限公司 Program code review method and engine
CN105786710B (en) * 2016-03-22 2018-10-16 中国银行股份有限公司 A kind of program code check method and engine
CN105867906A (en) * 2016-03-22 2016-08-17 东南大学 Software evolution-oriented code replaceability assessment method
CN105956468A (en) * 2016-04-22 2016-09-21 中国科学院信息工程研究所 Method and system for detecting Android malicious application based on file access dynamic monitoring
CN105956468B (en) * 2016-04-22 2018-12-28 中国科学院信息工程研究所 A kind of Android malicious application detection method and system based on file access dynamic monitoring
CN105893106B (en) * 2016-04-25 2019-04-16 北京智能综电信息技术有限责任公司 A kind of Pointer Alias Analysis method in program
CN105893106A (en) * 2016-04-25 2016-08-24 北京智能综电信息技术有限责任公司 Alias analysis method of pointer in program
CN105912381A (en) * 2016-04-27 2016-08-31 华中科技大学 Compile-time code security detection method based on rule base
CN106227812A (en) * 2016-07-21 2016-12-14 杭州安恒信息技术有限公司 A kind of auditing method of database object script security risk
CN106227812B (en) * 2016-07-21 2019-06-21 杭州安恒信息技术股份有限公司 An audit method for database object script security risk
CN106295322A (en) * 2016-07-26 2017-01-04 北京航空航天大学 A kind of hardware protection model for buffer overflow attack
CN106295322B (en) * 2016-07-26 2018-12-18 北京航空航天大学 A kind of hardware protection device for buffer overflow attack
CN106294156A (en) * 2016-08-11 2017-01-04 北京邮电大学 A kind of static code fault detection analysis method and device
CN106294156B (en) * 2016-08-11 2018-12-07 北京邮电大学 A kind of static code fault detection analysis method and device
CN106339313A (en) * 2016-08-12 2017-01-18 南京航空航天大学 Method for automatically detecting inconsistency of Java API program exception and document description
CN106339313B (en) * 2016-08-12 2018-10-12 南京航空航天大学 A kind of abnormal inconsistent automatic testing method of description with document of Java api routines
CN106354632A (en) * 2016-08-24 2017-01-25 北京奇虎测腾科技有限公司 Source code detecting system and method based on static analysis technology
CN106354632B (en) * 2016-08-24 2019-03-12 北京奇虎测腾安全技术有限公司 A source code detection system and method based on static analysis technology
CN106372511A (en) * 2016-08-24 2017-02-01 北京奇虎测腾安全技术有限公司 Source code detection system and method
CN107659555A (en) * 2016-08-30 2018-02-02 北京长亭科技有限公司 Detection method and device, terminal device and the computer-readable storage medium of network attack
CN106411855A (en) * 2016-09-06 2017-02-15 北京邮电大学 Vulnerability directory search method and apparatus
CN106411855B (en) * 2016-09-06 2019-03-05 北京邮电大学 A kind of fragility directory search method and device
CN106371997B (en) * 2016-09-07 2020-01-10 网易(杭州)网络有限公司 Code checking method and device
CN106371997A (en) * 2016-09-07 2017-02-01 网易(杭州)网络有限公司 Code checking method and device
CN108153664A (en) * 2016-12-06 2018-06-12 北京奇虎科技有限公司 A kind of static code scan method and device
CN108153666A (en) * 2016-12-06 2018-06-12 北京奇虎科技有限公司 A kind of method and apparatus of resource reclaim loophole in static detection Android code
CN108153666B (en) * 2016-12-06 2023-05-26 三六零科技集团有限公司 A method and device for statically detecting resource recovery vulnerabilities in Android code
CN107045477A (en) * 2016-12-30 2017-08-15 上海富聪金融信息服务有限公司 A kind of quality evaluation platform for carrying out various dimensions detection
CN106911686B (en) * 2017-02-20 2020-07-07 杭州迪普科技股份有限公司 WebShell detection method and device
CN106911686A (en) * 2017-02-20 2017-06-30 杭州迪普科技股份有限公司 WebShell detection methods and device
CN108459954A (en) * 2017-02-22 2018-08-28 腾讯科技(深圳)有限公司 Vulnerability of application program detection method and device
CN108459954B (en) * 2017-02-22 2022-08-26 腾讯科技(深圳)有限公司 Application program vulnerability detection method and device
CN106940647A (en) * 2017-03-20 2017-07-11 广州视源电子科技股份有限公司 Code management method and device
CN106940647B (en) * 2017-03-20 2020-09-04 广州视源电子科技股份有限公司 Code management method and device
CN106970819A (en) * 2017-03-28 2017-07-21 清华大学 A kind of c program code specification check device based on the regular description languages of PRDL
CN107133518B (en) * 2017-04-10 2019-09-24 中国民生银行股份有限公司 Source code based on parameter and information flow is gone beyond one's commission detection method and device
CN107133518A (en) * 2017-04-10 2017-09-05 中国民生银行股份有限公司 Source code based on parameter and information flow is gone beyond one's commission detection method and device
CN107103239B (en) * 2017-04-10 2019-11-12 中国民生银行股份有限公司 Source code unauthorized detection method and device based on application system business processing logic
CN107103239A (en) * 2017-04-10 2017-08-29 中国民生银行股份有限公司 Source code based on application system business processing logic is gone beyond one's commission detection method and device
CN107943481A (en) * 2017-05-23 2018-04-20 清华大学 C programmer code specification building method based on multi-model
CN107315961B (en) * 2017-07-11 2020-06-23 北京奇虎科技有限公司 Program vulnerability detection method and device, computing device, and storage medium
CN107315961A (en) * 2017-07-11 2017-11-03 北京奇虎科技有限公司 Bug detection method and device, computing device, storage medium
CN107516040A (en) * 2017-07-25 2017-12-26 中国人民解放军63928部队 A Vulnerability Feature Analysis and Acquisition Method Based on Data Control Flow Graph
CN107506304A (en) * 2017-08-24 2017-12-22 方智林 Code detection method, device, electronic equipment and storage medium
CN107766728A (en) * 2017-08-28 2018-03-06 国家电网公司 Mobile application security managing device, method and mobile operation safety protection system
CN109426723A (en) * 2017-09-01 2019-03-05 深圳市源伞新科技有限公司 Use the detection method, system, equipment and storage medium of memory after release
CN109426723B (en) * 2017-09-01 2020-12-22 深圳市源伞新科技有限公司 Detection method, system, equipment and storage medium using released memory
CN107704382B (en) * 2017-09-07 2020-09-25 北京信息科技大学 Python-oriented function call path generation method and system
CN107704382A (en) * 2017-09-07 2018-02-16 北京信息科技大学 Towards Python function call path generating method and system
TWI686170B (en) * 2017-09-26 2020-03-01 美商蘋果公司 Device for optical sensing and method for operating the device
CN107862327A (en) * 2017-10-26 2018-03-30 华中科技大学 A kind of safety defect identifying system and method based on multiple features
CN107862327B (en) * 2017-10-26 2020-07-24 华中科技大学 Security defect identification system and method based on multiple features
CN107895115A (en) * 2017-12-04 2018-04-10 北京元心科技有限公司 Method and device for preventing stack overflow and terminal equipment
CN107895115B (en) * 2017-12-04 2021-01-29 北京元心科技有限公司 Method and device for preventing stack overflow and terminal equipment
CN108132999A (en) * 2017-12-21 2018-06-08 恒宝股份有限公司 The processing method and system of a kind of masurium
CN109992970A (en) * 2018-01-03 2019-07-09 北京京东尚科信息技术有限公司 JAVA unserializing leakage location and method
CN109992970B (en) * 2018-01-03 2023-09-26 北京京东尚科信息技术有限公司 JAVA deserialization vulnerability detection system and method
CN108595952A (en) * 2018-03-30 2018-09-28 全球能源互联网研究院有限公司 A kind of detection method and system of electric power mobile application software loophole
CN108803561B (en) * 2018-05-22 2020-03-17 广州明珞汽车装备有限公司 Program automatic checking method and system for body-in-white line body control program
CN108803561A (en) * 2018-05-22 2018-11-13 广州明珞汽车装备有限公司 The program automatic check method and system of program are controlled for white body wire body
CN108874396A (en) * 2018-05-31 2018-11-23 苏州蜗牛数字科技股份有限公司 The cross-compiler and Compilation Method of multi-platform multiple target language based on HLSL
CN109033843B (en) * 2018-08-02 2022-06-10 南瑞集团有限公司 Java File Dependency Analysis Method and Module for Distributed Static Detection System
CN109033843A (en) * 2018-08-02 2018-12-18 南瑞集团有限公司 Java file dependencies analysis method and module for distributed static detection system
CN112639745B (en) * 2018-08-24 2025-02-25 甲骨文国际公司 Scalable pre-analysis for dynamic applications
CN112639745A (en) * 2018-08-24 2021-04-09 甲骨文国际公司 Scalable pre-analysis of dynamic applications
CN109471634B (en) * 2018-08-28 2021-11-16 上海思立微电子科技有限公司 Method and device for checking source code format
CN109471634A (en) * 2018-08-28 2019-03-15 上海思立微电子科技有限公司 The inspection method and equipment of source code format
CN109246113B (en) * 2018-09-21 2021-08-10 郑州云海信息技术有限公司 REST API SQL injection vulnerability detection method and device
CN109246113A (en) * 2018-09-21 2019-01-18 郑州云海信息技术有限公司 A method and device for detecting SQL injection vulnerability in REST API
CN109241104B (en) * 2018-10-12 2021-11-02 北京聚云位智信息科技有限公司 AISQL resolver in decision-making distributed database system and implementation method thereof
CN109241104A (en) * 2018-10-12 2019-01-18 北京聚云位智信息科技有限公司 The resolver and its implementation of AISQL in decision type distributed data base system
US11050777B2 (en) 2018-11-20 2021-06-29 Saudi Arabian Oil Company Method and system for remediating cybersecurity vulnerabilities based on utilization
CN109784048B (en) * 2018-12-12 2023-12-01 天航长鹰(江苏)科技有限公司 Method for detecting overflow vulnerability of stack buffer based on program diagram
CN109784048A (en) * 2018-12-12 2019-05-21 江苏大学 A kind of stack buffer spilling vulnerability checking method based on programme diagram
CN109857648A (en) * 2019-01-14 2019-06-07 复旦大学 A Change Pattern Mining Method for API Misuse
CN109857648B (en) * 2019-01-14 2021-12-28 复旦大学 API misuse change pattern mining method
CN111611153A (en) * 2019-02-26 2020-09-01 阿里巴巴集团控股有限公司 Method and device for detecting excessive drawing of user interface
CN111611153B (en) * 2019-02-26 2023-05-16 阿里巴巴集团控股有限公司 Method and device for detecting overdrawing of user interface
CN110188029A (en) * 2019-03-15 2019-08-30 中山大学 A Java Null Pointer Analysis System Based on Fixed Value Arrival Analysis Method
CN110069250A (en) * 2019-04-30 2019-07-30 联陆智能交通科技(上海)有限公司 LTE-V2X standard application layer data decoding method, system and medium
CN110286891B (en) * 2019-06-25 2020-09-29 中国科学院软件研究所 A coding method of program source code based on code attribute tensor
CN110286891A (en) * 2019-06-25 2019-09-27 中国科学院软件研究所 A Program Source Code Encoding Method Based on Code Attribute Tensor
CN112148581A (en) * 2019-06-26 2020-12-29 北京京东尚科信息技术有限公司 Code specification checking method, device, system and storage medium
CN110348226A (en) * 2019-07-12 2019-10-18 北京字节跳动网络技术有限公司 A kind of scan method of project file, device, electronic equipment and storage medium
CN110348226B (en) * 2019-07-12 2021-06-18 北京字节跳动网络技术有限公司 Engineering file scanning method and device, electronic equipment and storage medium
CN110377276B (en) * 2019-07-19 2023-05-23 潍柴动力股份有限公司 Source code file management method and device
CN110377276A (en) * 2019-07-19 2019-10-25 潍柴动力股份有限公司 Source code file management method and equipment
CN110399156A (en) * 2019-07-26 2019-11-01 华东师范大学 On-orbit upgrade method for aerospace software
CN110532015A (en) * 2019-07-26 2019-12-03 华东师范大学 In-orbit upgrade-system towards Space Mission Software
CN110618809B (en) * 2019-08-08 2020-11-03 北京大学 Front-end webpage input constraint extraction method and device
CN110618809A (en) * 2019-08-08 2019-12-27 北京大学 Front-end webpage input constraint extraction method and device
CN111309589A (en) * 2019-11-29 2020-06-19 中国电力科学研究院有限公司 Code security scanning system and method based on code dynamic analysis
CN110990281B (en) * 2019-12-04 2023-11-07 中国直升机设计研究所 Automatic static analysis method
CN110990281A (en) * 2019-12-04 2020-04-10 中国直升机设计研究所 Automatic static analysis method
WO2021120538A1 (en) * 2019-12-19 2021-06-24 支付宝(杭州)信息技术有限公司 Applet code scanning method and apparatus
CN111104335A (en) * 2019-12-25 2020-05-05 清华大学 A C language defect detection method and device based on multi-level analysis
CN111382427A (en) * 2020-01-06 2020-07-07 宁波中科天齐信息技术有限公司 Buffer overflow detection method based on variable association rule
CN111382427B (en) * 2020-01-06 2022-04-26 宁波中科天齐信息技术有限公司 Buffer overflow detection method based on variable association rule
CN111240687A (en) * 2020-01-09 2020-06-05 华东师范大学 Source code static analysis device
CN111240982A (en) * 2020-01-09 2020-06-05 华东师范大学 Source code static analysis method
CN111611158A (en) * 2020-05-08 2020-09-01 中国原子能科学研究院 An application performance analysis system and method
CN113742732A (en) * 2020-05-27 2021-12-03 南京大学 Code vulnerability scanning and positioning method
CN111709026A (en) * 2020-06-10 2020-09-25 Xc5香港有限公司 Static security detection method, device, computer equipment and storage medium
CN111709026B (en) * 2020-06-10 2023-10-24 深圳知释网络技术有限公司 Static security detection method, device, computer equipment and storage medium
CN111488155A (en) * 2020-06-15 2020-08-04 完美世界(北京)软件科技发展有限公司 Coloring language translation method
CN113806715A (en) * 2020-06-16 2021-12-17 上海交通大学 Embedded device SDK security analysis method
CN113806715B (en) * 2020-06-16 2024-04-05 上海交通大学 Embedded device SDK security analysis method and system
CN112148602A (en) * 2020-09-17 2020-12-29 云南电网有限责任公司信息中心 Source code security analysis method based on history optimization feature intelligent learning
CN112148602B (en) * 2020-09-17 2023-03-28 云南电网有限责任公司信息中心 Source code security analysis method based on history optimization feature intelligent learning
CN112100626A (en) * 2020-09-24 2020-12-18 成都信息工程大学 Development method for improving source code audit vulnerability hit rate
CN112162777A (en) * 2020-09-27 2021-01-01 北京软安科技有限公司 Source code feature extraction method and device
CN112231212A (en) * 2020-10-16 2021-01-15 湖南皖湘科技有限公司 Method for detecting syntax error of program code
CN112231212B (en) * 2020-10-16 2023-05-09 湖南皖湘科技有限公司 Method for detecting grammar error of program code
CN112181858B (en) * 2020-11-09 2021-12-31 东北大学 Automatic detection method for Java software project dependent conflict semantic consistency
CN112181858A (en) * 2020-11-09 2021-01-05 东北大学 Automatic detection method for Java software project dependent conflict semantic consistency
CN112416337A (en) * 2020-11-11 2021-02-26 北京京航计算通讯研究所 Software architecture development system for aerospace embedded system
CN112328256B (en) * 2020-11-19 2023-04-25 四川创智联恒科技有限公司 Method for automatically generating source code of structural body analyzer
CN112328256A (en) * 2020-11-19 2021-02-05 四川创智联恒科技有限公司 Method for automatically generating structure body parser source code
CN112597446A (en) * 2020-12-14 2021-04-02 中国航发控制系统研究所 Method for screening safety subset of safety key software modeling language
CN112597446B (en) * 2020-12-14 2023-07-25 中国航发控制系统研究所 Screening method of safety key software modeling language safety subset
CN112527674B (en) * 2020-12-22 2022-11-04 苏州三六零智能安全科技有限公司 AI frame safety evaluation method, device, equipment and storage medium
CN112527674A (en) * 2020-12-22 2021-03-19 苏州三六零智能安全科技有限公司 Safety evaluation method, device, equipment and storage medium of AI (Artificial Intelligence) framework
CN112650675A (en) * 2020-12-23 2021-04-13 广州汉全信息科技股份有限公司 Code detection method and device of block chain and computer equipment
CN112784290A (en) * 2021-01-28 2021-05-11 湖北宸威玺链信息技术有限公司 Data export tool security analysis method and system and data export method
CN113407442A (en) * 2021-05-27 2021-09-17 杭州电子科技大学 Pattern-based Python code memory leak detection method
CN113407442B (en) * 2021-05-27 2022-02-18 杭州电子科技大学 Pattern-based Python code memory leak detection method
CN113391817A (en) * 2021-06-16 2021-09-14 中国海洋大学 ANTLR 4-based header file replacement method and device
CN113391817B (en) * 2021-06-16 2022-08-26 中国海洋大学 ANTLR 4-based header file replacement method and device
CN113869753A (en) * 2021-09-30 2021-12-31 南京航空航天大学 Security analysis method and device for IoT smart home situation
CN114091018A (en) * 2021-11-24 2022-02-25 安徽中科国创高可信软件有限公司 Method and system for detecting C language program data leakage
CN114595482B (en) * 2022-03-10 2024-06-11 北京邮电大学 Software source code privacy detection method and system based on static detection
CN114595482A (en) * 2022-03-10 2022-06-07 北京邮电大学 Software source code privacy detection method and system based on static detection
US11809847B2 (en) 2022-03-16 2023-11-07 International Business Machines Corporation Hardcoded string detection
CN114816996B (en) * 2022-03-28 2025-02-07 慧之安信息技术股份有限公司 Code flow tracking method and system
CN114816996A (en) * 2022-03-28 2022-07-29 慧之安信息技术股份有限公司 Code flow tracking method and system
WO2023197397A1 (en) * 2022-04-13 2023-10-19 堡垒科技有限公司 Decentralized trusted tokenization protocol for open source software
CN115062308A (en) * 2022-05-31 2022-09-16 北京理工大学 A method for detecting reentrancy vulnerabilities in smart contracts based on semantic analysis
WO2023241046A1 (en) * 2022-06-16 2023-12-21 中兴通讯股份有限公司 Code management method and apparatus, and electronic device and storage medium
CN115167834A (en) * 2022-09-08 2022-10-11 杭州新中大科技股份有限公司 Automatic source code generation method and device based on code datamation
CN115167834B (en) * 2022-09-08 2022-12-23 杭州新中大科技股份有限公司 Automatic source code generation method and device based on code datamation
CN115495745A (en) * 2022-10-14 2022-12-20 国家工业信息安全发展研究中心 Industrial software source code static detection method and system based on risk function
CN115495745B (en) * 2022-10-14 2023-04-21 国家工业信息安全发展研究中心 Industrial software source code static detection method and system based on risk function
CN115718696A (en) * 2022-10-18 2023-02-28 国网智能电网研究院有限公司 Source code cryptography misuse detection method, device, electronic device and storage medium
CN115718696B (en) * 2022-10-18 2023-06-13 国网智能电网研究院有限公司 Source code cryptography misuse detection method and device, electronic equipment and storage medium
CN115906094A (en) * 2022-11-12 2023-04-04 杭州安恒信息技术股份有限公司 Software security evaluation method and system and readable storage medium
CN115617352A (en) * 2022-12-02 2023-01-17 中汽研软件测评(天津)有限公司 C code detection method, equipment and storage medium based on safety coding standard
CN116340941A (en) * 2023-02-09 2023-06-27 深圳开源互联网安全技术有限公司 Static code scanning method, device, equipment and medium
WO2025016487A3 (en) * 2023-07-17 2025-03-13 耀通科技投资有限公司 Device code-based risk scanning method and system, and computing device
CN116881926A (en) * 2023-07-17 2023-10-13 耀通科技投资有限公司 A risk scanning method, system and computing device based on device code
CN116756048B (en) * 2023-08-16 2023-10-31 北京安普诺信息技术有限公司 Code analysis method, device, computer equipment and storage medium
CN116756048A (en) * 2023-08-16 2023-09-15 北京安普诺信息技术有限公司 Code analysis method, device, computer equipment and storage medium
CN117725576A (en) * 2023-11-27 2024-03-19 国网山西省电力公司电力科学研究院 An automated code audit method and system based on static analysis
CN118349997A (en) * 2024-03-25 2024-07-16 中国人民解放军61660部队 A software backdoor determination method based on static code analysis
CN119397969A (en) * 2024-12-31 2025-02-07 北京开源芯片研究院 Bus verification method, device, electronic device and readable storage medium

Also Published As

Publication number Publication date
CN100461132C (en) 2009-02-11

Similar Documents

Publication Publication Date Title
CN101017458A (en) Software safety code analyzer based on static analysis of source code and testing method therefor
Shar et al. Defeating SQL injection
CN101661543B (en) Method and device for detecting security flaws of software source codes
CN113158197B (en) SQL injection vulnerability detection method and system based on active IAST
Ko Execution Monitoring of security-critical programs in a distributed system: a specification-based approach
Junjin An approach for SQL injection vulnerability detection
Rahman et al. Share, but be aware: Security smells in python gists
Bossi et al. A system for profiling and monitoring database access patterns by application programs for anomaly detection
Tyagi et al. Evaluation of static web vulnerability analysis tools
Kupsch et al. Manual vs. automated vulnerability assessment: A case study
Jimenez et al. Software vulnerabilities, prevention and detection methods: A review
CN109657462B (en) Data detection method, system, electronic device and storage medium
Shin et al. SQLUnitgen: Test case generation for SQL injection detection
CN115952503A (en) Application safety testing method and system integrating black, white and gray safety detection technology
Zhu et al. Detecting privilege escalation attacks through instrumenting web application source code
Pozza et al. Comparing lexical analysis tools for buffer overflow detection in network software
Di Stasio Evaluation of static security analysis tools on open source distributed applications
CN115270139B (en) IoT equipment network service automatic vulnerability analysis method and system
RU2662391C1 (en) System and method for checking web resources for presence of harmful inserts
Antoniol Keynote paper: Search based software testing for software security: Breaking code to make it safer
Zaid et al. Automated identification of over-privileged smartthings apps
Okun et al. The second static analysis tool exposition (SATE) 2009
Nithya et al. Detection and avoidance of input validation attacks in web application using deterministic push down automata
Zhao et al. Software Vulnerability Mining and Analysis Based on Deep Learning.
Eassa et al. IMATT: An integrated multi-agent testing tool for the security of agent-based web applications

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: SHENZHEN BEIYOU NETWORK TECHNOLOGY CO., LTD.

Free format text: FORMER OWNER: BEIJING POSTAL AND TELECOMMUNICATIONS UNIV.

Effective date: 20140805

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 100876 HAIDIAN, BEIJING TO: 518057 SHENZHEN, GUANGDONG PROVINCE

TR01 Transfer of patent right

Effective date of registration: 20140805

Address after: 518057 Guangdong city of Shenzhen province Nanshan District Guangdong streets south Four Virtual University Park A301

Patentee after: Shenzhen Beiyou Network Technology Co. Ltd.

Address before: 100876 Beijing city Haidian District Xitucheng Road No. 10

Patentee before: Beijing University of Posts and Telecommunications

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090211

Termination date: 20210302
