基于程序切片技术的云计算软件安全模型研究

doi:10.3969/j.issn.1671-1122.2019.07.004

摘要/Abstract

摘要：

云计算是新一代信息技术产业的重要组成部分,是继个人计算机、互联网之后信息技术的第三次浪潮。虽然各界都一致认为云计算有着巨大的增长空间,但在推广中依然面临着用户认可度不高、运营经验不足、产业链不完善等诸多问题。在诸多不利因素中,云计算的安全性问题一直排在首位,云安全逐渐成为制约云计算发展的瓶颈。在云计算应用场景中,由于云计算的大规模、高动态、高开放等特点使其不但面临着一般的安全问题,而且还面临着由其固有特点所带来的安全风险。这些安全风险包括服务模式、虚拟化技术、云计算管理软件等所带来的安全问题。由于程序切片技术可以很好的辅助安全测试人员来分析云计算软件,因此文章提出了一种基于程序切片技术的云计算软件安全分析模型,该模型可以用于发现云计算软件中存在的关键信息泄露漏洞以及此类漏洞的扩散情况,从而提高对关键信息的保护能力。最后,文章讨论了云计算软件安全模型现存研究中的主要问题,并对未来的研究方向提出了建议。

关键词: 云计算, 软件安全, 程序切片, 二进制分析, 逆向工程

Abstract:

Cloud computing is an important part of the new generation of information technology industry. It is the third information technology wave after personal computer and Internet. Although people from all walks of life agree that cloud computing has a huge growth space, it still faces many problems in promotion, such as low user recognition, insufficient operation experience and imperfect industrial chain. Among all the disadvantages, the security of cloud computing has been ranked the first, and cloud security has gradually become the bottleneck restricting the development of cloud computing. In the cloud computing application scenarios, cloud computing is faced with not only general security problems, but also security risks brought by its inherent characteristics due to its super-large scale, high dynamics, high openness and other characteristics. In general, it includes security problems caused by service mode, security problems caused by virtualization technology, security problems of cloud-related management software, etc. And program slicing technology can assist security testers to analyze cloud computing software. Therefore, a software security analysis model of cloud computing based on program slicing technology is proposed. It is used to discover the key information leakage vulnerabilities and the spread of such vulnerabilities in cloud computing software, so as to improve the protection of key information.

Key words: cloud computing, software security, program slicing, binary analysis, reverse engineering

中图分类号:

TP309

崔艳鹏, 冯璐铭, 闫峥, 蔺华庆. 基于程序切片技术的云计算软件安全模型研究[J]. 信息网络安全, 2019, 19(7): 31-41.

Yanpeng CUI, Luming FENG, Zheng YAN, Huaqing LIN. Research on Software Security Model of Cloud Computing Based on Program Slicing Technology[J]. Netinfo Security, 2019, 19(7): 31-41.

图/表 5

图1

图2

表1

图3

图4

参考文献 30

[1]	KRSUL I V.Software Vulnerability Analysis[M]. West Lafayette: Purdue University, 1998.
[2]	ABLON L, BOGART A. Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits[M]. California: Rand Corporation, 2017.
[3]	MCGRAW G.Software Security[J]. Security & Privacy IEEE, 2012, 36(9): 662-665.
[4]	WEISER M.Program Slices: Formal,Psychological,Practical Investigations of An Automatic Program Abstraction Method[EB/OL]. , 2018-9-15.
[5]	WEISER M.Program Slicing[C]//IEEE. Proceedings of the 5th International Conference on Software Engineering, March 9-12, 1981, San Diego, California, USA. New Jersey: IEEE, 1981: 439-449.
[6]	WEISER M.Programmers Use Slices When Debugging[J]. Communications of the ACM, 1982, 25(7): 446-452.
[7]	GALLAGHER K B, LYLE J R.Using Program Slicing in Software Maintenance[J]. IEEE Transactions on Software Engineering, 1991, 17(8): 751-761.
[8]	LUCIA A.Program Slicing: Methods and Applications[C]//IEEE. Proceedings First IEEE International Workshop on Source Code Analysis and Manipulation, November 10-December 10, 2001, Florence, Italy. Washington: IEEE, 2001: 142-149.
[9]	GALLAGHER K B, LYLE J R.Software Safety and Program Slicing[C]//IEEE. COMPASS’93: Proceedings of the Eighth Annual Conference on Computer, June 14-17, 1993, Gaithersburg, MD, USA. Maryland: IEEE, 1993: 71-80.
[10]	OTTENSTEIN K J, OTTENSTEIN L M.The Program Dependence Graph in a Software Development Environment[J]. ACM Sigplan Notices, 1993, 19(5): 177-184.
[11]	KUCK D J, KUHN R H, PADUA D A, et al.Dependence Graphs and Compiler Optimizations[C]//ACM. Proceedings of the 8th ACM SIGPLAN-SIGACT symposium on Principles of Programming Languages, January 26-28, 1981, Williamsburg, Virginia. New York: ACM, 1981: 207-218.
[12]	FERRANTE J, OTTENSTEIN K J, WARREN J D.The Program Dependence Graph and Its Use in Optimization[J]. ACM Transactions on Programming Languages and Systems (TOPLAS), 1987, 9(3): 319-349.
[13]	KOREL B, LASKI J.Dynamic Slicing of Computer Programs[J]. Journal of Systems and Software, 1990, 13(3): 187-195.
[14]	KRSU L.Software Vulnerability Analysis[M]. West Lafayette: Purdue University, 1998.
[15]	LIU B, SHI L, CAI Z, et al.Software Vulnerability Discovery Techniques: A Survey[C]//IEEE. 2012 Fourth International Conference on Multimedia Information Networking and Security, November 2-4, 2012, Washington, DC, USA. Washington: IEEE Computer Society, 2012: 152-156.
[16]	STAVROULAKIS P, Stamp M.Handbook of Information and Communication Security[M]. Berlin: Springer Science & Business Media, 2010.
[17]	MCGRAW G, MORRISETT G.Attacking Malicious Code: A Report to the Infosec Research Council[J]. IEEE software, 2000 (5): 33-41.
[18]	COLLBERG C S, THOMBORSON C.Watermarking, Tamper-proofing, and Obfuscation-tools for Software Protection[J]. IEEE Transactions on Software Engineering, 2002, 28(8): 735-746.
[19]	LIU M, JIA C, LIU L, et al.Extracting Sent Message Formats from Executables Using Backward Slicing[C]//IEEE. 2013 Fourth International Conference on Emerging Intelligent Data and Web Technologies, September 9-11, 2013, Washington, DC, USA. Washington: IEEE Computer Society, 2013: 377-384.
[20]	ROZINOV K.Efficient Static Analysis of Executables for Detecting Malicious Behaviors[EB/OL]. , 2018-9-15.
[21]	JOHNSON N M, CABALLERO J, CHEN K Z, et al.Differential Slicing: Identifying Causal Execution Differences for Security Applications[C]//IEEE. 2011 IEEE Symposium on Security and Privacy, May 22-25, 2011, Berkeley, California, USA. California: Security and Privacy (SP), 2011: 347-362.
[22]	ZHU E, LIU F, FANG X, et al.DYBS: A Lightweight Dynamic Slicing Framework for Diagnosing Attacks on x86 Binary Programs[J]. Journal of Software, 2014, 9(3): 560-568.
[23]	HUANG S, ZHENG Y, ZHANG R.Attack Diagnosis on Binary Executables Using Dynamic Program Slicing[J]. .
[24]	LU Y, YI S, LEI Z, et al.Binary Software Vulnerability Analysis Based on Bidirectional-slicing[C]//IEEE. 2012 Second International Conference on Instrumentation, Measurement, Computer, Communication and Control, December 8-10, 2012, Washington, DC, USA. Washington: IEEE Computer Society, 2012: 842-845.
[25]	LESTRINGANT P,GUIHÉRY F,FOUQUE P A. Assisted Identification of Mode of Operation in Binary Code with Dynamic Data Flow Slicing[C]//Springer. International Conference on Applied Cryptography and Network Security, June 19-22, 2016, London (Guildford), United Kingdom. Berlin: Springer, Cham, 2016: 561-579.
[26]	DENG X, XU G, SUN G, et al.Software Watermarking Based on Dynamic Program Slicing[C]//IEEE. 2008 International Conference on Intelligent Information Hiding and Multimedia Signal Processing, August 15-17, 2008, Harbin, China. Washington: IEEE, 2008: 461-464.
[27]	LI X, CAO Y, FENG Z, et al.Web Service Security Analysis Model Based on Program Slicing[C]//IEEE. 2010 10th International Conference on Quality Software, July 14-15, 2010, Zhangjiajie, China. Washington: IEEE, 2010: 422-428.
[28]	FU W, ZHANG Y, ZHU X, et al.WSSecTool: A Web Service Security Analysis Tool Based on Program Slicing[C]//IEEE. 2012 IEEE Eighth World Congress on Services, June 24-29, 2012, Washington, DC, USA. Washington: IEEE Computer Society, 2012: 179-183.
[29]	TONG F, YAN Z.A Hybrid Approach of Mobile Malware Detection in Android[J]. Journal of Parallel and Distributed Computing, 2017, 103(5): 22-31.
[30]	YAN P, YAN Z.A Survey on Dynamic Mobile Malware Detection[J]. Software Quality Journal, 2018, 26(3): 891-919.