
Research on Threat Model Driven Software Security Evaluation and Testing Methods

Research on Methods of Threat Model Driven Software Security Evaluation and Testing

【Author】 He Ke

【Advisor】 Feng Zhiyong

【Author information】 Tianjin University, Computer Application Technology, 2010, Doctoral dissertation

【Abstract】 Low-quality software containing numerous vulnerabilities has become one of the main causes of the rapid growth in computer security problems. How to guarantee security during software development has therefore become a widely studied research question. To develop secure and trustworthy software more effectively, security should be considered as early as possible in the software development lifecycle, and how to assure software security through evaluation and testing methods is a key problem awaiting solution. Supported by the National Natural Science Foundation of China project "Attack Pattern Based Trustworthy Software Modeling, Evaluation, and Verification", this dissertation studies in depth the key techniques of threat model driven software security evaluation and testing: threat representation and modeling, threat model driven software security evaluation and testing, and an attack pattern repository that assists security evaluation and testing. The main results are as follows: (1) Threat representation and modeling methods were studied, and a unified threat model was proposed that formally represents threats to computer systems as AND/OR trees and models the potential attack approaches by which an attacker realizes a threat, laying the foundation for threat model driven software security evaluation and testing. The unified threat model provides a general threat notation, narrows the gap between the functional model and mitigation measures, bridges software functionality and security, and helps developers and security staff collaborate on developing secure software. (2) Software security evaluation techniques were studied, and a unified threat model driven software security evaluation method was proposed that quantitatively evaluates software security from the threat perspective on the basis of attack paths. A prototype tool supporting the method was implemented. A case study shows that the method can discover and mitigate design-level vulnerabilities early, so that secure software capable of resisting threats can be designed. Compared with the traditional threat tree model, the unified threat model is superior in the accuracy of evaluation conclusions, in prioritizing mitigation measures, and in guiding security testing. (3) Software security testing techniques were studied, and an attack scenario model driven software security testing method was proposed: functional testing ensures that the software's actual behavior matches the design intent, and threat-oriented security testing ensures that the software is robust enough to withstand potential attacks. Two prototype tools supporting the method were implemented, and experiments validated the feasibility and effectiveness of the proposed method. (4) Methods for improving the efficiency of software security evaluation and testing were studied; an attack pattern description language and an attack pattern reuse technique were proposed, which abstract known attack approaches and their corresponding mitigation measures into system-independent attack patterns, build an attack pattern repository, and reuse the attack patterns when modeling threats against different systems. A group of comparative experiments illustrates the concrete process of attack pattern reuse and validates the feasibility and effectiveness of the proposed method.

【Abstract】 Poor-quality software has many vulnerabilities and it has been recognized as the root cause of the exponentially increasing computer security problems. Researchers pay extra attention to the methods and techniques of ensuring software security during the software development process. For the purpose of improving the trustworthiness of software, developers should consider the security problems as early as possible in the software development lifecycle. Specifically, how to ensure software security via evaluation and testing methods has become the critical issue for secure software development. Under the support of the Project of National Science Foundation of China "Attack Pattern Based Trustworthy Software Modeling, Evaluation, and Verification", we researched the key techniques of methods of threat model driven software security evaluation and testing, including threat representation and modeling, threat model driven software security evaluation and testing, and an attack pattern repository for assisting software security evaluation and testing. The major contributions of this paper are listed as follows: (1) We researched threat representation and modeling methods. We proposed a unified threat model that formally represents the threats to software systems based on AND/OR trees, models the potential attack approaches adopted by attackers to realize the threats, and forms a basis for the methods of threat model driven software security evaluation and testing. The unified threat model provides a threat representation, narrows the gaps between the software function model and mitigation measures, bridges the relationship between software function models and threat models, and facilitates the collaboration of secure software development between developers and security experts. (2) We researched software security evaluation techniques. We proposed a method of unified threat model driven software security evaluation, which quantitatively evaluates software security based on attack paths from the threat perspective of security. We implemented a prototype tool to support the presented method. We performed a case study on online banking systems. The case study results indicate that the presented method can be used to design threat-resistant and high-quality software by means of detecting and mitigating design-level vulnerabilities in the early software design stage. The unified threat model is superior to the traditional threat tree model in the accuracy of evaluation results, prioritizing mitigation measures, and guiding security testing. (3) We researched software security testing techniques. We proposed a method of attack scenario model driven software security testing. First, we performed functional testing to ensure that software behaves as it is supposed to. Second, we performed threat-oriented security testing to ensure that software is robust against potential attacks. We implemented two prototype tools to support the presented method. We conducted an experiment to validate the feasibility and effectiveness of the proposed method. (4) We researched methods of improving the efficiency of software security evaluation and testing. We proposed an attack pattern description language and an attack pattern reuse technique. This technique abstracts well-known attack approaches and their mitigation measures into a high-level representation. The high-level representation excludes details that make the attack approach specific to the system. An attack pattern repository is constructed based on the presented technique, and attack patterns are then reused to model threats related to diverse systems. We conducted a group of comparable experiments to demonstrate the process of attack pattern reuse and to validate the feasibility and effectiveness of the proposed method.
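To make contributions (1) and (2) concrete, the following is an added example (not the dissertation's unified threat model, its prototype tool or its case study) of an AND/OR threat tree over a constructed online-banking threat, with attack-path enumeration, a simple quantitative score and a mitigation ranking. The node structure, the per-step "difficulty" values, the scoring rule (cost of the cheapest remaining attack path) and the ranking rule are all assumptions made for illustration; the dissertation's own metric is not given on this page.

```python
"""Added example: AND/OR threat tree, attack paths and mitigation ranking.

All node names, difficulty values and the scoring rule are constructed
assumptions for illustration; they do not reproduce the dissertation's model.
"""
from dataclasses import dataclass, field
from itertools import product
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class ThreatNode:
    name: str
    kind: str = "LEAF"             # "AND", "OR" or "LEAF"
    difficulty: int = 0            # assumed attacker effort for a leaf step
    mitigated: bool = False        # True once a mitigation measure covers the step
    children: List["ThreatNode"] = field(default_factory=list)


def attack_paths(node: ThreatNode) -> List[FrozenSet[str]]:
    """Return the minimal attack paths (sets of leaf steps) that realise `node`.

    OR: any child's path suffices.  AND: one path from every child is combined.
    A mitigated leaf contributes no path, so it blocks every AND that needs it.
    """
    if node.kind == "LEAF":
        return [] if node.mitigated else [frozenset([node.name])]
    child_paths = [attack_paths(c) for c in node.children]
    if node.kind == "OR":
        paths = [p for cp in child_paths for p in cp]
    elif node.kind == "AND":
        if any(not cp for cp in child_paths):
            return []                      # one blocked step blocks the whole AND
        paths = [frozenset().union(*combo) for combo in product(*child_paths)]
    else:
        raise ValueError(f"unknown node kind {node.kind!r}")
    # Keep only minimal paths: drop duplicates and supersets of another path.
    minimal: List[FrozenSet[str]] = []
    for p in sorted(set(paths), key=lambda s: (len(s), sorted(s))):
        if not any(m <= p for m in minimal):
            minimal.append(p)
    return minimal


def leaves(node: ThreatNode) -> List[ThreatNode]:
    if node.kind == "LEAF":
        return [node]
    return [leaf for c in node.children for leaf in leaves(c)]


def evaluate(root: ThreatNode) -> Tuple[int, Optional[int], Optional[List[str]]]:
    """Assumed metric: (number of attack paths, cost of the cheapest, its steps)."""
    paths = attack_paths(root)
    if not paths:
        return (0, None, None)             # every path is mitigated
    cost = {leaf.name: leaf.difficulty for leaf in leaves(root)}
    costs = {p: sum(cost[s] for s in p) for p in paths}
    easiest = min(costs, key=lambda p: (costs[p], sorted(p)))
    return (len(paths), costs[easiest], sorted(easiest))


def mitigate(root: ThreatNode, step: str) -> bool:
    """Mark the leaf `step` as covered by a mitigation; False if no such leaf."""
    for leaf in leaves(root):
        if leaf.name == step:
            leaf.mitigated = True
            return True
    return False


def rank_mitigations(root: ThreatNode) -> List[Tuple[str, float]]:
    """Rank unmitigated steps by how much mitigating each one raises the
    cheapest remaining attack cost (inf when no path is left)."""
    ranking = []
    for leaf in leaves(root):
        if leaf.mitigated:
            continue
        leaf.mitigated = True              # try the mitigation ...
        _, min_cost, _ = evaluate(root)
        leaf.mitigated = False             # ... and revert it
        ranking.append((leaf.name, float("inf") if min_cost is None else float(min_cost)))
    return sorted(ranking, key=lambda r: (-r[1], r[0]))


def build_demo_tree() -> ThreatNode:
    """Constructed threat tree for 'unauthorized fund transfer' (illustrative only)."""
    obtain_credential = ThreatNode("obtain_credential", "OR", children=[
        ThreatNode("guess_weak_password", difficulty=4),
        ThreatNode("phish_credential", difficulty=3),
    ])
    account_takeover = ThreatNode("account_takeover", "AND", children=[
        obtain_credential,
        ThreatNode("bypass_second_factor", difficulty=6),
    ])
    return ThreatNode("unauthorized_fund_transfer", "OR", children=[
        account_takeover,
        ThreatNode("forge_transfer_request", difficulty=2),   # e.g. a missing anti-CSRF token
        ThreatNode("hijack_session", difficulty=5),
    ])


if __name__ == "__main__":
    tree = build_demo_tree()
    print("before mitigation:", evaluate(tree))
    print("mitigation ranking:", rank_mitigations(tree))
    mitigate(tree, rank_mitigations(tree)[0][0])
    print("after top mitigation:", evaluate(tree))
```

Running the block shows four attack paths before any mitigation, with the forged transfer request as the cheapest; the ranking picks that step first because covering it raises the cheapest remaining path the most, which is the "prioritizing mitigation measures" use the abstract describes. The same minimal-path list is what a threat-oriented test plan would iterate over.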

  • 【Online publication submitter】 Tianjin University
  • 【Online publication year and issue】 2012, Issue 03