中国科学院软件研究所机构知识库
Advanced  
ISCAS OpenIR  > 软件所图书馆  > 期刊论文
Subject: Computer Science (provided by Thomson Reuters)
Title:
一种虚拟化环境的脆弱性检测方法
Alternative Title: a vulnerability detection method in virtual environment
Author: 王瑞 ; 连一峰 ; 陈恺
Keyword: 虚拟化环境 ; 符号链接 ; 污点传播分析
Source: 计算机应用与软件
Issued Date: 2012
Volume: 29, Issue:9, Pages:14-17,53
Indexed Type: CNKI ; CSCD ; WANFANG
Department: 中国科学院软件研究所信息安全国家重点实验室;中国科学院研究生院信息安全国家重点实验室;信息安全共性技术国家工程研究中心;信息网络安全公安部重点实验室(公安部第三研究所);
Sponsorship: 国家自然科学基金项目(61100226)|国家高技术研究发展计划项目(2011AA01A203)|北京市自然科学基金项目(4122085)|公安部三所开放基金课题(C10606)
Abstract: 基于源代码的静态分析技术是检测软件脆弱性的重要手段之一。针对Linux平台下由不安全方式创建临时文件问题引起的符号链接脆弱性,提出一种基于污点传播分析的脆弱性检测方法。通过查找打开或创建文件等导致脆弱性的特征函数从源代码中识别漏洞触发变量,采用后向污点传播分析方法分析变量传递路径,判断其是否来源于污点源,从而检测出可能存在符号链接脆弱性。利用该方法对XEN 3.03版本的源代码进行检测,成功发现了2个漏洞,其中包括1个未知漏洞。实验表明,该方法是一种有效的脆弱性检测方法。
English Abstract: Source code-based static analysis technology is one of an important means to detect software vulnerabilities.To cope with the problem of unsafe creation of temporary file on Linux platform leading to vulnerabilities in symbol link,a vulnerability detection method based on tainting analysis is proposed.The method recognises the trigger variable of bugs from source code by checking characteristic function of the file open or creation which lead to vulnerabilities,and uses backward tainting analysis method to analyse the variable transition path,and judge whether it comes from the taint data source,so as to find the symbol link vulnerability possibly existing.With this method 2 vulnerabilities have been found in the source code of XEN 3.03,including an unknown vulnerability.The results of experiment show that the method is an effective vulnerability analysis method.
Language: 中文
Citation statistics:
Content Type: 期刊论文
URI: http://ir.iscas.ac.cn/handle/311060/14966
Appears in Collections:软件所图书馆_期刊论文

Files in This Item:

There are no files associated with this item.


Recommended Citation:
王瑞,连一峰,陈恺. 一种虚拟化环境的脆弱性检测方法[J]. 计算机应用与软件,2012-01-01,29(9):14-17,53.
Service
Recommend this item
Sava as my favorate item
Show this item's statistics
Export Endnote File
Google Scholar
Similar articles in Google Scholar
[王瑞]'s Articles
[连一峰]'s Articles
[陈恺]'s Articles
CSDL cross search
Similar articles in CSDL Cross Search
[王瑞]‘s Articles
[连一峰]‘s Articles
[陈恺]‘s Articles
Related Copyright Policies
Null
Social Bookmarking
Add to CiteULike Add to Connotea Add to Del.icio.us Add to Digg Add to Reddit
所有评论 (0)
暂无评论
 
评注功能仅针对注册用户开放,请您登录
您对该条目有什么异议,请填写以下表单,管理员会尽快联系您。
内 容:
Email:  *
单位:
验证码:   刷新
您在IR的使用过程中有什么好的想法或者建议可以反馈给我们。
标 题:
 *
内 容:
Email:  *
验证码:   刷新

Items in IR are protected by copyright, with all rights reserved, unless otherwise indicated.

 

 

Valid XHTML 1.0!
Copyright © 2007-2020  中国科学院软件研究所 - Feedback
Powered by CSpace