
The Research On Compile-Time Code Security Detection Method Based On Rule Library

Posted on: 2018-01-22
Degree: Master
Type: Thesis
Country: China
Candidate: T Du
Full Text: PDF
GTID: 2428330569985412
Subject: Computer technology
Abstract/Summary:
Program security vulnerabilities pose a significant threat to users' personal privacy. Traditional research focuses on the detection of security vulnerabilities, and a lot of work has been carried out on static detection, dynamic detection and run-time defense. These approaches mainly focus on detecting the vulnerabilities. Although this detection work has found a large number of unclassified security vulnerabilities, it does less to provide developers with adequate debugging information for solving them. Unlike previous work, this thesis is dedicated to the automatic classification of security vulnerabilities and provides clear debugging information for developers to address them. Existing security vulnerabilities can be described as a series of rules, which are further simplified into mathematical assertions. The rule-based compile-time code security detection system automatically divides security vulnerabilities into three types. The core technologies for achieving this classification goal include: establishing a rule base covering the different kinds of security vulnerabilities; using the abstract syntax tree, combined with control-flow and pointer analysis, to fetch the necessary information that appears in the rules; and verifying whether the rules hold. If a rule is established, the finding is determined to be a deterministic vulnerability; otherwise, a new reverse taint analysis is used to distinguish the remaining two types, classifying the finding as either an internal uncertainty vulnerability or an external uncertainty vulnerability. Based on LLVM, a rule-based compile-time code security detection system is implemented that runs completely in parallel with the standard compiler processing flow. The overhead at compile time is almost negligible. It is shown that the rule-based compile-time code security detection system improves the vulnerability false alarm rate and the bug detection rate, and the accuracy of the security vulnerability classification mechanism is also demonstrated.
Keywords/Search Tags:Security Bug, Bug Classification, Rule Matching, Compile Time