摘要:随着计算机技术的飞速发展,信息技术的广泛使用,软件安全问题成为了人们关注的焦点。许多的软件系统因为自身存在安全漏洞,成为了恶意攻击者的攻击对象。软件安全测试为此应运而生,近年来越来越多的软件安全研究人员把工作的重心转移到了软件安全测试上。
首先,本文针对研究课题软件安全问题,系统而详细地讲述了软件的安全漏洞,同时通过简短的代码或者简单的程序具体说明各式漏洞,特别地区分了安全漏洞和系统Bug的问题。结合安全漏洞,简明扼要的阐述了利用漏洞发起攻击的防护技术,并且对防护技术进行了代价、性能、效率等多方面的分析。
其次,本文着重介绍了安全漏洞的静态检测方法和动态检测方法,与此同时把动态检测和静态检测进行了对比分析。明确地指出了各项安全检测方法所需要的代价以及应用前景。
最后,针对安全检测的Fuzz技术进行了具体的阐述说明。在对Fuzz技术有全面理解的基础上,通过MFC实现了原型系统MyFuzz的编写。
关键词:软件安全;安全漏洞;攻击防护;漏洞检测;Fuzz技术
Abstract:Along with the rapid development of computer technology, the widespread use of information technology, software security issues became the focus of attention. Many software systems became the target of malicious attackers because of its own security vulnerabilities. Software security testing therefore emerged, in recent years, more and more software security researchers put focus on to software security testing.
Firstly, according to the software security issues, security vulnerabilities have been explained systematically and detailedly in this paper. Meanwhile, this paper points the differences between security vulnerabilities and systems bugs, through some short codes or simple programs. The protection technology which is based using the vulnerability attack, and its price, performance, efficiency and other aspects of analysis are discussed briefly in the paper.
Secondly, this paper mainly introduces static detection method and dynamic testing method of the security vulnerabilities and the comparative analysis between the two methods are explained as well. The paper explicitly pointed out the cost and application prospect of various safety testing methods.
Finally, this paper makes a concrete explanation of the Fuzz technology for safety testing method. On the basis of a comprehensive understanding of the Fuzz technology, the prototype system which is called "MyFuzz" has been implemented through the MFC framework.
keywords: software security, security vulnerabilities, attack protection, vulnerability detection, Fuzz technology
系统的安全漏洞,又可以称之为系统脆弱性(Vulnerability),是计算机系统在硬件、软件、协议的设计与实现过程中存在的不足和缺陷。非法用户可以利用漏洞提升用户权限(因为系统分为四级权限,最高权限是Ring0,在这个权限下,可以访问系统的一切资源,将对系统造成极大的威胁)、修改或删除用户数据、窃取用户信息、破坏计算机系统等一系列危害计算机安全的操作。
根据科学研究的一般规律,建立科学合理的软件漏洞发掘模型和发掘流程,对安全漏洞的本质有进一步的理解,有助于程序开发人员在编写软件程序时尽可能减少安全漏洞,也有助于软件的测试人员及时的发现软件程序中存在的安全漏洞,从而降低由于安全漏洞引起的危害和损失。
此外,自动化程度高的漏洞发掘理论和实现已经成为了漏洞发掘发展的重要方向。这样就可以摆脱早期只能通过阅读源代码、了解程序流程等费时费工漏洞检测方法,很大程度上提高了漏洞发现效率,对软件安全有着巨大的推动作用。
