Research On The Approach Of Normalized Semantic Annotation And Labeling System For Software Vulnerability Source Code

Posted on: 2020-07-10
Degree: Master
Type: Thesis
Country: China
Candidate: S J Chen
Full Text: PDF
GTID: 2428330596996921
Subject: Software engineering
Abstract/Summary:
Software technology has developed rapidly alongside the continuous development of information technology, and software applications of all kinds are now widely used in many areas. At the same time, more and more vulnerabilities have appeared. Since software vulnerabilities have become a threat to software security that cannot be ignored, government departments, related organizations and scholars at home and abroad have paid great attention to software vulnerability research. At present, researchers at home and abroad have developed various security tools to defend against attacks that exploit vulnerabilities and to analyze vulnerabilities, and they have made great progress in vulnerability research. Most countries in the world, as well as some companies and organizations engaged in security research, have established their own vulnerability databases.

Although the wide use of security tools and the establishment of vulnerability databases can effectively analyze and defend against vulnerabilities, each security tool usually defines its own output format, so the output obtained by detecting the same security vulnerability with different security tools differs. As a result, the description of the same security vulnerability in different vulnerability databases also differs. These differing descriptions make it difficult for security tools to correlate with each other, which can greatly reduce the efficiency of collaborative work. At the same time, most of the data in vulnerability databases exists in an unstructured format, which is inconvenient for direct processing by computers and for further research on the vulnerability information.

To solve the above issues, the research of this thesis is presented as follows:

1. To address the shortcomings of current general description languages for software vulnerability source code, a formal Vulnerability Code Semantic Description Language (VCSDL) is proposed and implemented based on the Extensible Markup Language (XML). This language is used to convert unstructured vulnerability source code into a structured XML file. After a detailed study of the vulnerability source information in vulnerability databases, it is determined that vulnerability information consists of two parts: the vulnerability description information and the vulnerability source information. The framework of VCSDL is designed around these two parts. To enhance the descriptive ability of VCSDL, this thesis also designs enhanced keywords and considers descriptions related to specific projects and to class structure.

2. Based on the composition of VCSDL, a vulnerability source code semantic annotation method based on VCSDL is proposed for both the basic description information of a vulnerability and its source code description information. For the basic information, the original vulnerability file is obtained first; the file is then analyzed and processed and its attributes are filtered; next, the attributes corresponding to the VCSDL document structure are extracted; finally, the annotation of the basic information is realized. For the vulnerability source code information, a vulnerability code labeling algorithm based on VCSDL, named the VCLBV algorithm, is proposed, and the semantic labeling of vulnerability source code information is realized with it; the focus of this work is the design of the abstract syntax tree in the VCLBV algorithm.

3. A prototype system named the Software Vulnerability Code Labeling and Query System based on VCSDL (SVC-LQS) is designed and implemented. The system mainly includes four modules: the VCSDL-based vulnerability code file processing module, the vulnerability code labeling module, the vulnerability information query module and the methods comparative analysis module. The labeling of vulnerability source code and the generation of VCSDL files are well implemented in the prototype system, and the system shows good effectiveness and feasibility.
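As an added illustration of the two-part structure and annotation procedure described above, the following Python script (not code from the thesis) converts a constructed unstructured vulnerability record into a structured XML document with a description part and a labelled source part, using Python's own ast module as a stand-in for the VCLBV algorithm's abstract syntax tree to label the function enclosing the vulnerable line. The element and attribute names, the attribute whitelist and the sample record are all assumptions, since the page does not give the real VCSDL schema.

```python
import ast
import re
import xml.etree.ElementTree as ET

# Constructed sample of an unstructured vulnerability record (not taken from any real database).
RAW_RECORD = """\
ID: VULN-0001
Title: Unsafe deserialization of untrusted input
CWE: CWE-502
Reporter: someone@example.org
File: loader.py
Line: 3
Source:
import pickle
def load(blob):
    return pickle.loads(blob)
def main():
    pass
"""

# Hypothetical attribute whitelist for the description part; the thesis's real VCSDL schema is not shown here.
DESCRIPTION_ATTRS = ("ID", "Title", "CWE", "File", "Line")

def parse_record(raw):
    """Split the raw record into filtered header attributes and the source text."""
    header, _, source = raw.partition("Source:\n")
    fields = dict(re.findall(r"^(\w+): (.*)$", header, re.M))
    return {k: fields[k] for k in DESCRIPTION_ATTRS if k in fields}, source

def enclosing_function(source, lineno):
    """Walk the abstract syntax tree to find the function that contains the given line."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef) and node.lineno <= lineno <= node.end_lineno:
            return node
    return None

def annotate(raw):
    """Build the structured XML: a description part plus a labelled source-code part."""
    info, source = parse_record(raw)
    lineno = int(info["Line"])
    root = ET.Element("vulnerability", id=info["ID"])
    ET.SubElement(root, "description", cwe=info.get("CWE", "")).text = info["Title"]
    src = ET.SubElement(root, "source", file=info["File"], language="python")
    func = enclosing_function(source, lineno)
    container = ET.SubElement(src, "function", name=func.name) if func else src
    for i, text in enumerate(source.splitlines(), 1):
        if func is None or func.lineno <= i <= func.end_lineno:
            ET.SubElement(container, "line", number=str(i), vulnerable=str(i == lineno).lower()).text = text
    return root
```

Serializing the result with ET.tostring(annotate(RAW_RECORD), encoding="unicode") shows the filtered attributes and only the lines of the enclosing function, with the vulnerable line marked.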
Keywords/Search Tags: Security vulnerability, Description language, XML technology, Semantic annotation technology, Vulnerability detection