Analysis and Application of Java Code Defect Detection

Java Code Vulnerabilities Detection Analysis and Application

【Author】 Guo Rui

【Supervisor】 Liang Hongliang

【Author information】 Beijing University of Posts and Telecommunications, Computer Technology (professional degree), 2013, Master's

【Abstract (Chinese)】 Against the backdrop of the vigorous development of Internet communication and global cloud computing, the Java language has held the top position on the TIOBE index of world programming languages for several consecutive years, and retains broad prospects and significant advantages. However, the security threats faced by its applications are also increasing, for example SQL injection attacks, program information exposure, AJAX vulnerabilities, business logic vulnerabilities, command injection, cross-site scripting attacks, and exploitation of page-layer logic flaws. Because many Java applications are closely tied to people's information and property, a security problem, once it occurs, can have very serious consequences. To avoid these problems as far as possible, defect detection should be carried out before the software is released, and static analysis of Java software defects is an effective method for this. This thesis addresses the problem of detecting defects in Java code: it studies a number of existing defect categories and static detection methods, and develops a defect detection tool for Java code on the basis of LAPSE+. The tool is built mainly on a context-sensitive pointer analysis algorithm. By analysing a large body of defective code and exploring desktop application development, the tool extends the kinds of defects LAPSE+ can detect and converts the plugin into the RCP desktop application LAPS, which is easier to configure and use. The tool has a relatively low false-positive rate, can detect many defect types, and can assist developers in secure and efficient development.

【Abstract】 In recent years, with the maturing of the Internet infrastructure and the rapid development of network communication technology, the Java language has retained its position at the top of the TIOBE index of world programming languages for several years, and has broad prospects and significant advantages. But the security threats to Java applications are increasing, such as SQL injection attacks, program information exposure, AJAX vulnerabilities, business logic vulnerabilities and cross-site scripting attacks. As a great deal of business involving people's information and property depends on these applications, once something goes wrong it may cause serious consequences. The vulnerabilities should be detected before the software is released rather than fixed afterwards. Since modern Internet development is rapid and large-scale software is increasing, static detection of Java code can be regarded as a good method. In this paper we studied a number of existing code defect patterns and static detection methods, and we developed a Java code vulnerability detection tool based on LAPSE+. This tool is based on a context-sensitive pointer analysis algorithm. By studying a large number of code samples with vulnerabilities, we expanded the detection types of the Java code vulnerability detection tool and transferred the plugin into an RCP desktop application in Chinese. This tool has a low false-positive rate; it can detect many kinds of Java code vulnerabilities and assist developers in secure and efficient project development.

  • 【Classification number】TP311.53
  • 【Download count】197