The Combination Of Static Analysis And Dynamic Monitoring Of Java Source Code Defect Detection Technology

Posted on: 2017-01-04
Degree: Master
Type: Thesis
Country: China
Candidate: T T Hou
Full Text: PDF
GTID: 2348330518496163
Subject: Information security
Abstract/Summary:
With the rapid development of the software and Internet industries, the demands placed on software security are becoming increasingly high. However, software developers lack awareness of information security, and as a result many security vulnerabilities are introduced during development. For large and medium-sized code bases, manual review is inefficient. Accurate and efficient security testing tools for software source code are therefore necessary and urgent. This paper presents a defect detection technology for Java source code that combines static analysis with dynamic monitoring. The main work is as follows:

(1) The design of a static analysis framework based on relational databases. We convert the Java source code into a relational database and perform static analysis with rules designed on top of that database.

(2) We put forward an innovative bidirectional taint analysis. In static analysis, on the basis of one-way taint analysis, this paper also conducts a reverse taint analysis. The method improves the accuracy of static analysis and also yields the taint propagation path. This paper also presents a recursive algorithm that exhaustively computes taint propagation paths.

(3) For SQL injection vulnerabilities, we put forward an innovative test-case construction method based on static analysis. We design a test structure for SQL injection vulnerabilities and use the results of static analysis to fill in the test cases for dynamic monitoring.

(4) We put forward an aspect-oriented dynamic monitoring method based on static analysis. In this paper, the Aspect code is generated from the static analysis results and used to carry out dynamic monitoring. The method is simple and easy to implement, and the dynamic monitoring code is independent of the source code.

(5) WebGoat, SnipSnap and other open source code bases are used to test the JavaChecker system. Experimental results show that the system can detect defects in large and medium-sized programs, with high accuracy and a low false alarm rate.
Keywords/Search Tags: Java source code security testing, static analysis, dynamic monitoring, bidirectional taint analysis