Research On Security Vulnerabilities Detection Method Based On Combination Of Static And Dynamic Analysis

As software security problems become more severe, the scholars unceasingly proposenew vulnerabilities detection methods which are mainly divided into static detection anddynamic detection, etc. Static detection method has a high efficiency and a low falsenegative rate, but its false positive rate is high. Dynamic detection method has a highaccuracy, but its detection efficiency is low and it is not easy to generate test cases.Although the security vulnerabilities detection method based on combination of static anddynamic analysis has already been proposed, but it did not integrate both of them in realsense, its efficiency and effectiveness are still not ideal.Security vulnerabilities detection based on combination of static and dynamicanalysis can be divided into two stages. In the static detection stage, the source code willbe firstly analyzed and transformed. And then the flow analysis techniques and staticvulnerabilities detection algorithm will be used to obtain the candidate bug report sets,which are the input for dynamic detection. In the dynamic detection stage, programslicings based on the vulnerability type will be generated by using the candidate bugreport information at first. And then a new test scenario generation algorithm will be usedto generate the most concise test scenarios. After that, the template library of detectiondata will be loaded to generate test cases. Ultimately, test scenarios will be executed andthe dynamic verification will be completed by inserting the stub code and matching theautomachine states. The whole process realizes a high degree of the automaticvulnerability detection. Besides, the method also provides a purely manual mechanism fordynamic validation which is used to assist security vulnerabilities detection, when the testsuite generation fails.The experiment results show that the security vulnerabilities detection system basedon combination of static and dynamic analysis can generate test scenarios and test cases accurately, and complete the static detection and dynamic verification efficiently.Moreover, it has a high accuracy and low false negative rate with the desired results in thecase of the detection of a large-scale source code.