【摘要】：2003年美國公布的《確保網(wǎng)絡空間安全的國家戰(zhàn)略》指出構(gòu)成網(wǎng)各信息空間的基礎(chǔ)設(shè)施——軟件和硬件在其設(shè)計和開發(fā)過程中是全求化的,隨著科學技術(shù)的發(fā)展,軟件在經(jīng)濟、軍事、能源等重要領(lǐng)域發(fā)揮著重要作用,其自身及供應鏈的安全性也日益凸顯。代碼是軟件拘基石,對代碼進行安全分析意味著守住了軟件安全最關(guān)鍵的防線之一,只有代碼中的安全缺陷得以及早消除,最終形成的軟件產(chǎn)品才能具備較高的安全性,有效降低軟件整體業(yè)務及全球供應鏈的安全風險。 本文以代碼安全確保為主要研究對象,結(jié)合軟件確保思想,對軟件代碼漏洞及安全測試技術(shù)、工具進行分析和總結(jié)；研究了供應鏈全球化背景下的代碼安全確保,針對軟件行業(yè)的發(fā)展態(tài)勢,以商業(yè)模式劃分軟件種類,并針對定制軟件、商用現(xiàn)貨軟件及開源軟件進行代碼風險分析,為代碼風險管理確定目標,并圍繞軟件開發(fā)生命周期從設(shè)計、編碼、測試、安全響應過程四個方面給出代碼改善方法；針對軟件代碼確保工具逐漸增多、軟件集成重要性日益凸顯的現(xiàn)狀,設(shè)計了一種基于多種架構(gòu)的分層軟件集成模型,使得集成具有一定的重用性和靈活性；描述了圍繞軟件生命周期的代碼安全確保工具分類方法,并在此基礎(chǔ)上實現(xiàn)了用戶友好的代碼安全確保工具集成系統(tǒng),有效提高軟件資源復用及二次開發(fā)的效率。設(shè)計實現(xiàn)的反匯編子工具可以成功地翻譯帶前綴單字節(jié)操作碼,以及部分帶前綴雙字節(jié)操作碼。保證了指令解析的正確性,并且在之后的拓展開發(fā)中如果發(fā)現(xiàn)錯誤,可以很方便地對其進行修正,解決了軟件集成的版權(quán)問題,方便了之后的學習研究。
[Abstract]:The National Strategy for ensuring the Security of Cyberspace, published by the United States in 2003, points out that the infrastructure that constitutes the information space of the network-software and hardware-is completely sought in the process of its design and development. With the development of science and technology, software is in the economy. Military, energy and other important fields play an important role, and the security of its own and supply chain is increasingly prominent. Code is the cornerstone of software, the code security analysis means to keep one of the most critical lines of defense of software security, only when the security defects in the code can be eliminated as soon as possible, the resulting software products can have a higher level of security. Effectively reduce the overall software business and global supply chain security risks. This paper takes the code security assurance as the main research object, unifies the software assurance thought, carries on the analysis and the summary to the software code vulnerability and the security test technology, and studies the code security assurance under the background of the supply chain globalization. In view of the development situation of software industry, the software is divided into categories by business model, and the code risk analysis is carried out for custom software, commercial off-the-shelf software and open source software, so as to set the target for code risk management. The improvement methods of code are given around the software development life cycle from four aspects: design, coding, testing and security response process, aiming at the increasing number of software code assurance tools, the importance of software integration is becoming more and more important. This paper designs a hierarchical software integration model based on multiple architectures, which makes integration have certain reusability and flexibility, and describes the method of ensuring the tool classification of code security around the software lifecycle. On this basis, a user-friendly code security system is implemented to ensure the tool integration system, which effectively improves the efficiency of software resource reuse and secondary development. The designed disassembler tool can successfully translate prefixed single-byte opcodes and partially prefixed double-byte opcodes. It ensures the correctness of instruction parsing, and if errors are found in the later development, it can be easily corrected, which solves the copyright problem of software integration and facilitates the later study and research.
【學位授予單位】：北京郵電大學
【學位級別】：碩士
【學位授予年份】：2014
【分類號】：TP311.5;TP309

【參考文獻】

相關(guān)期刊論文 前2條

1 施寅生;鄧世偉;谷天陽;;軟件安全性測試方法與工具[J];計算機工程與設(shè)計;2008年01期

2 錢宇,李荷華,李秀喜;A Multi-layer Information Integration Platform for Chemical Process Operation Systems[J];Chinese Journal of Chemical Engineering;2004年05期

，

本文編號：2130149