Security Detection of Software Updates in Cloud Environments

Published: 2019-04-08 18:51
[Abstract]: With cloud computing becoming increasingly widespread across many fields, a large amount of business software is deployed in cloud environments. Over the life cycle of business software, patches are used to add new functionality or fix known vulnerabilities. Patches themselves, however, are not always safe: a patch may fail to fully fix an existing vulnerability, or may introduce new security problems. Checking the security of patches quickly and effectively is important for improving the security and stability of the cloud environment and the reliability of the business software. Traditional solutions test the business software as a whole; their detection accuracy depends on constructing an effective test set, and they suffer from low efficiency and high false positive and false negative rates, which makes them unsuitable for checking updates to business software in cloud environments. How to check the security of software updates efficiently is therefore a topic worth studying.

The software update security detection system KPSec features automated detection, a low false negative rate, high detection efficiency and good extensibility. To address the low detection efficiency of traditional approaches, KPSec concentrates on the code in the new version of the program that is affected by the patch, and uses precise analysis to exclude unaffected code, thereby reducing the number of execution paths. To remove the dependence on software test sets, KPSec defines memory-safety sensitive points and designs an executable-path generation method based on data-flow analysis, which, combined with symbolic execution and security detectors, efficiently completes the security checking of executable paths. To broaden the system's detection coverage, KPSec includes five rule-based security detectors that detect a variety of security problems.

Test results show that KPSec has high detection efficiency: for patches to large software in cloud environments, it reduces the number of execution paths by 99.87% in the best case, and the average detection time per patch is 13.1 minutes. In terms of detection effectiveness, KPSec can detect a variety of common security problems, including buffer overflows, memory leaks and out-of-bounds accesses, with a false negative rate below 2.86% and a false positive rate below 5.71%; on every metric it outperforms existing systems of the same type.
[Degree-granting institution]: Huazhong University of Science and Technology
[Degree level]: Master's
[Year degree conferred]: 2016
[Classification number]: TP311.53


Article ID: 2454822


Article link: http://sikaile.net/kejilunwen/ruanjiangongchenglunwen/2454822.html

