Research On Some Key Technologies For Testing And Analysis Of Software Security

The Third Technology Revolution preludes the Information Age with the speedy boom of information science. The universal information technology enables the world to become a "global village", altering the traditional ways of our production, life and communication. However, the swift development and unprecedented prosperity of IT-industry brings the "Pains of Information" at the same time. For the sake of the technology and cost, people used to keep an eye on the availability of computer and network, not the security factors from design to realization, which turning out to risk our information infrastructure and bring losses. Software is the soul of information infrastructure. Due to the historical reason of security awareness deficiency and the realistic reason of functionality complexity, there exist many faults and failures during the design and operation of software. Software testing is the procedure inspecting whether the software meets the design requirements and the expected attributes based on the manual or automatic analysis. Generally, we can detect software by static source-code analysis or dynamic object-code running. Security is the non-functional attribute of software and testing can find, orientate and eliminate the potential safety hazards. As a result, software testing is not only the key technology of assuring security, but also the necessary means during the software development and maintenance.From the aspect of "discovery", this thesis tests and analyzes on the latent or covert properties of software, especially the potential safety hazards. Our researches of software testing and analysis are dealt with from the following four key technologies:malware detection, vulnerability localization, code redundancy simplification, host security reinforce based on user behavioral habbits. By static analysis and dynamic analysis, we develop corresponding systems and achieve some positive and meaningful results as follows.The first research point is malware detection. To overcome the disadvantages of traditional malware detection with high false negative rate and low running efficiency, we abstract function call graphs from candidate malware by static analysis. Graph edit distance is taken as the evaluation criteria of malware similarity, and therefore the malware classification and identification is transformed into the problem of searching the nearest neighbors in the existing malware graph database. To improve the detection speed, we introduce the assembly instruction sets of functions and the multi-way vantage point tree as high-dimensional indexing algorithm. Experiments show that our method has good performance in both accuracy and efficiency.The second aspect of this thesis is vulnerability localization. By viewing large-scale software as a complex network system, we present a new method of patch comparison and vulnerability localization. The software structure is depicted by system-level features of complex network. In this way, we generate structural signatures of the original and patched software respectively, and compare the signature pair. By splitting the connexity group recursively and backtracking, the vulnerability location of function level can be localized preliminarily.The precise position of vulnerability is localized by patch comparison of control flow level. Our method adopts the new research idea of viewing the software system as network.The third part of our work is code redundancy simplification. By PDG (Program Dependence Graph), we study on the dependency relationships between the program branches and variables from source or intermediate code, which establishes an effective testing to discover and locate the redundant code. Compared with the conventional code optimization emphasizing the improvement of time efficiency, we compress the size of the final object code, independent of the programming language or whether we have the source code. Our simplification not only reduces the occupied program space but also assures the functional consistency.The last study point is a dynamic knowledge repository system about user behavior and host security. Traditional malware detection usually relies on the detected file only, not considering the usage scenario. We introduce the patterns of user behaviors, in addition to the normal dynamic analysis of process behaviors. The maliciousness of unknown file is calculated by attack tree model and Bayesian algorithm based on the file behaviors and sources. We count the security weights of file sources where users download or copy files, indicating the use habits and the safety consciousness. The assessment value of host security is finally obtained by knowledge repository update and dynamic machine learning, helping users to detect the behavior pattern and reinforce the host security.