软件代码安全性确保技术研究
发布时间:2018-07-17 15:48
【摘要】:2003年美国公布的《确保网络空间安全的国家战略》指出构成网各信息空间的基础设施——软件和硬件在其设计和开发过程中是全求化的,随着科学技术的发展,软件在经济、军事、能源等重要领域发挥着重要作用,其自身及供应链的安全性也日益凸显。代码是软件拘基石,对代码进行安全分析意味着守住了软件安全最关键的防线之一,只有代码中的安全缺陷得以及早消除,最终形成的软件产品才能具备较高的安全性,有效降低软件整体业务及全球供应链的安全风险。 本文以代码安全确保为主要研究对象,结合软件确保思想,对软件代码漏洞及安全测试技术、工具进行分析和总结;研究了供应链全球化背景下的代码安全确保,针对软件行业的发展态势,以商业模式划分软件种类,并针对定制软件、商用现货软件及开源软件进行代码风险分析,为代码风险管理确定目标,并围绕软件开发生命周期从设计、编码、测试、安全响应过程四个方面给出代码改善方法;针对软件代码确保工具逐渐增多、软件集成重要性日益凸显的现状,设计了一种基于多种架构的分层软件集成模型,使得集成具有一定的重用性和灵活性;描述了围绕软件生命周期的代码安全确保工具分类方法,并在此基础上实现了用户友好的代码安全确保工具集成系统,有效提高软件资源复用及二次开发的效率。设计实现的反汇编子工具可以成功地翻译带前缀单字节操作码,以及部分带前缀双字节操作码。保证了指令解析的正确性,并且在之后的拓展开发中如果发现错误,可以很方便地对其进行修正,解决了软件集成的版权问题,方便了之后的学习研究。
[Abstract]:The National Strategy for ensuring the Security of Cyberspace, published by the United States in 2003, points out that the infrastructure that constitutes the information space of the network-software and hardware-is completely sought in the process of its design and development. With the development of science and technology, software is in the economy. Military, energy and other important fields play an important role, and the security of its own and supply chain is increasingly prominent. Code is the cornerstone of software, the code security analysis means to keep one of the most critical lines of defense of software security, only when the security defects in the code can be eliminated as soon as possible, the resulting software products can have a higher level of security. Effectively reduce the overall software business and global supply chain security risks. This paper takes the code security assurance as the main research object, unifies the software assurance thought, carries on the analysis and the summary to the software code vulnerability and the security test technology, and studies the code security assurance under the background of the supply chain globalization. In view of the development situation of software industry, the software is divided into categories by business model, and the code risk analysis is carried out for custom software, commercial off-the-shelf software and open source software, so as to set the target for code risk management. The improvement methods of code are given around the software development life cycle from four aspects: design, coding, testing and security response process, aiming at the increasing number of software code assurance tools, the importance of software integration is becoming more and more important. This paper designs a hierarchical software integration model based on multiple architectures, which makes integration have certain reusability and flexibility, and describes the method of ensuring the tool classification of code security around the software lifecycle. On this basis, a user-friendly code security system is implemented to ensure the tool integration system, which effectively improves the efficiency of software resource reuse and secondary development. The designed disassembler tool can successfully translate prefixed single-byte opcodes and partially prefixed double-byte opcodes. It ensures the correctness of instruction parsing, and if errors are found in the later development, it can be easily corrected, which solves the copyright problem of software integration and facilitates the later study and research.
【学位授予单位】:北京邮电大学
【学位级别】:硕士
【学位授予年份】:2014
【分类号】:TP311.5;TP309
本文编号:2130149
[Abstract]:The National Strategy for ensuring the Security of Cyberspace, published by the United States in 2003, points out that the infrastructure that constitutes the information space of the network-software and hardware-is completely sought in the process of its design and development. With the development of science and technology, software is in the economy. Military, energy and other important fields play an important role, and the security of its own and supply chain is increasingly prominent. Code is the cornerstone of software, the code security analysis means to keep one of the most critical lines of defense of software security, only when the security defects in the code can be eliminated as soon as possible, the resulting software products can have a higher level of security. Effectively reduce the overall software business and global supply chain security risks. This paper takes the code security assurance as the main research object, unifies the software assurance thought, carries on the analysis and the summary to the software code vulnerability and the security test technology, and studies the code security assurance under the background of the supply chain globalization. In view of the development situation of software industry, the software is divided into categories by business model, and the code risk analysis is carried out for custom software, commercial off-the-shelf software and open source software, so as to set the target for code risk management. The improvement methods of code are given around the software development life cycle from four aspects: design, coding, testing and security response process, aiming at the increasing number of software code assurance tools, the importance of software integration is becoming more and more important. This paper designs a hierarchical software integration model based on multiple architectures, which makes integration have certain reusability and flexibility, and describes the method of ensuring the tool classification of code security around the software lifecycle. On this basis, a user-friendly code security system is implemented to ensure the tool integration system, which effectively improves the efficiency of software resource reuse and secondary development. The designed disassembler tool can successfully translate prefixed single-byte opcodes and partially prefixed double-byte opcodes. It ensures the correctness of instruction parsing, and if errors are found in the later development, it can be easily corrected, which solves the copyright problem of software integration and facilitates the later study and research.
【学位授予单位】:北京邮电大学
【学位级别】:硕士
【学位授予年份】:2014
【分类号】:TP311.5;TP309
【参考文献】
相关期刊论文 前2条
1 施寅生;邓世伟;谷天阳;;软件安全性测试方法与工具[J];计算机工程与设计;2008年01期
2 钱宇,李荷华,李秀喜;A Multi-layer Information Integration Platform for Chemical Process Operation Systems[J];Chinese Journal of Chemical Engineering;2004年05期
,本文编号:2130149
本文链接:https://www.wllwen.com/guanlilunwen/gongyinglianguanli/2130149.html
