
Software Security Vulnerability Detection Techniques Based On Program Analysis

Posted on: 2008-08-18
Degree: Master
Type: Thesis
Country: China
Candidate: M Guan
Full Text: PDF
GTID: 2208360212478645
Subject: Computer Science and Technology
Abstract/Summary:
With the ever-increasing number of hacker attacks and the spread of worms on the Internet, information security has gradually become a focus of attention. The security vulnerabilities that exist in the software of computer systems are the core issue of information security: a malicious attacker can use them to escalate privileges, access unauthorized resources, or even destroy sensitive data. The problem of how to find vulnerabilities is therefore critical for software security. Prevailing security products such as firewalls, IDS and virus cleaners cannot play their key role in protecting systems unless the security of the software itself is guaranteed.

This paper mainly focuses on the methods and techniques that can effectively reduce vulnerabilities in the software development life cycle, especially program analysis techniques at the code level. There are two types of program analysis: static and dynamic. Static analysis tools parse and analyze the source code without running it, but can produce false positives. Dynamic analysis tools execute the program and observe its behavior over a number of runs, but can produce false negatives. Based on previous experience, this paper designs a vulnerability detection model at the code level. The research work of this dissertation mainly includes:

1. Systematically study the software security issue in the software development life cycle, and analyze the best practices that can effectively reduce security vulnerabilities in the software requirements phase, the design phase and the testing phase. Summarize common classes of security vulnerabilities and their taxonomy at the code level.
2. Research the security vulnerability detection methods and techniques based on static analysis and dynamic analysis, analyze their strengths and weaknesses, and discuss ways of combining static and dynamic analysis.
3. Propose a security vulnerability detection model that uses a static analysis and dynamic verification strategy. Introduce the functions of the components and the detection process. Discuss in detail the problems of static program representation, the description of vulnerabilities, alias analysis and code instrumentation.
4. Analyze an example of input validation security vulnerabilities, and propose...
Keywords/Search Tags:security vulnerabilities, static analysis, dynamic analysis, code instrument