A Model of Source Code Security Investigation Based on Trusted Computing Technology

doi:10.3969/j.issn.1671-1122.2014.10.001

Abstract

Abstract: In the stage of large-scale software engineering development, the scale of source code has become increased. With the surge in the number of the source code, the code is more complex logic, calling more complicated relationship between each other and more security vulnerabilities. Conventional manual inspection and debugging have been unable to meet the huge demand for system software review. At this point, this paper introduces the principle of the investigation code’s security, and proposed a new investigation module based on trusted computing technology. This module uses the trusted measurement method in trusted computing and access control method used in secure operation system, to detect some unsafe access to resources, which doesn’t meet the trusted computing standards. In this way it can avoid calling some untrusted procedure, keep malicious codes away from the system, and make the source codes meet the trusted computing standard. The module makes classifications on different codes by their actual privileges. With this module, source code can meet the trusted computing standard, and unsafe access to the system by some malicious codes could be avoided.

Key words: safety review, code review, trusted computing, credibility amount

CLC Number:

TP309

ZHANG Yi, WANG Wei, WANG Liu-cheng, HAO Mei-ci. A Model of Source Code Security Investigation Based on Trusted Computing Technology[J]. 信息网络安全, 2014, 14(10): 1-6.

References

[1] 卿斯汉. 可信计算的研究进展概述[J]. 信息网络安全,2008,（11）：18-19.
[2] 浅析缓冲区溢出的攻击和防范[EB/OL]. http://www.admin5.com/article/20110522/344595.shtml, 2014-05-07.
[3] Kolawa Adam, Huizinga Dorota. Automated Defect Prevention: Best Practices in Software Management[M]. Wiley-IEEE Computer Society Press, 2007: 260.
[4] 戚建淮,郑伟范,宋晶,等. 基于可信计算技术构建智能信息安全管理控制平台[J]. 信息网络安全,2009,（5）：14-16.
[5] 何立宝,黄刘生,杨威,等. 基于可信计算的P2P信任模型[J]. 信息网络安全,2009,（7）：53-57.
[6] G.Kim, E.Spafford. The design and implementation of tripwire: A file system integrity checker[C]//Proceedings of the 2nd ACM Conference on Computer and Communications Security, 1994.
[7] Iglio P. Trustedbox: AKernel-level integrity checker[C]//ACSAC’99: Proceedings of the 15th Annual Computer Security Applications Conference, Phoenix: IEEE Computer Society, 1999.
[8] Arbaugh W A, Farber D, Smith J. A secure and reliable bootstrap architecture[C]//Proceedings the IEEE Symposiumon Security and Privacy, Oakland: IEEE Computer Society, 1997.
[9] 操作系统. 百度百科[EB/OL]. http://baike.baidu.com/link?url=IKSYrmvOXvTMEBxrs7T6SpSjG68elJkPTed3sFiRhdcBp_oJJqTM1yY7j8-K1I8inOBOf2d2pLKVl6rgUojRrlQlahd5XV8KaeB6z_F_OGG, 2014-05-07.
[10] 朱凌云. 浅议可信计算在内网安全中的应用[J]. 信息网络安全,2008,（3）：10-14.
[11] TRUSTIE (Trustworthy software tools and integration environment) [EB/OL]. 2009. http://www.trustie.org,2009-05-16.
[12] 代码安全审查[EB/OL]. http://www.cnblogs.com/jannock/archive/2008/07/15/1243404.html, 2014-05-07.
[13] 陈震. 可信计算认证技术的研究[J]. 信息网络安全,2007,（7）：6-8.
[14] 沈昌祥,张焕国,王怀民,等. 可信计算的研究与发展[J]. 中国科学：信息科学,2010,40（2）： 139-166.

[1]	CHEN Lu, SUN Yajie, ZHANG Liqiang, CHEN Yun. A Scheme of Measurement for Terminal Equipment Based on DICE in IoT [J]. Netinfo Security, 2020, 20(4): 21-30.
[2]	WANG Xiao, ZHAO Jun, ZHANG Jianbiao. Research on Dynamic Monitoring Mechanism for Virtual Machine Based on Trusted Software Base [J]. Netinfo Security, 2020, 20(2): 7-13.
[3]	WU Hongsheng. Intelligent Government System Based on Trusted Computing and UEBA [J]. Netinfo Security, 2020, 20(1): 89-93.
[4]	SHANG Wenli, YIN Long, LIU Xianda, ZHAO Jianming. Construction Technology and Application of Industrial Control System Security and Trusted Environment [J]. Netinfo Security, 2019, 19(6): 1-10.
[5]	SHANG Wenli, ZHANG Xiule, LIU Xianda, YIN Long. Construction Method and Verification of Local Trusted Computing Environment in Industrial Control Network [J]. 信息网络安全, 2019, 19(4): 1-10.
[6]	WANG Jin, YU Xiao, LIU Chang, ZHAO Bo. A Remote Attestation Scheme for Intelligent Mobile Terminal Based on SDKey in Smart Grid Environment [J]. 信息网络安全, 2018, 18(7): 1-6.
[7]	ZHANG Jianbiao, YANG Shisong, TU Shanshan, WANG Xiao. Research on vTPCM Trust Management Technology for Cloud Computing Environment [J]. 信息网络安全, 2018, 18(4): 9-14.
[8]	ZHANG Jianbiao, ZHAO Zixiao, HU Jun, WANG Xiao. The Design Framework of Reconfi gurable Virtual Root of Trust in Cloud Environment [J]. 信息网络安全, 2018, 18(1): 1-8.
[9]	FAN Bo, YANG Runkai, LI Lin. Research on Establish SSH-based Trusted Channels [J]. 信息网络安全, 2018, 18(1): 45-51.
[10]	ZHANG Jiawei, ZHANG Dongmei, HUANG Siqi. Design and Implementation of Anti APT Attack Trusted Software Base [J]. 信息网络安全, 2017, 17(6): 49-55.
[11]	HUANG Qiang, WANG Gaojian, MI Wenzhi, WANG Lunwei. Centralized and Unified Trusted Computing Platform Management Model and Its Application [J]. 信息网络安全, 2017, 17(4): 9-14.
[12]	HUANG Qiang, KONG Zhiyin, CHANG Le, ZHANG Dehua. Trust Baseline Concept and Management Architecture [J]. 信息网络安全, 2016, 16(9): 145-148.
[13]	HUANG Qiang, CHANG Le, ZHANG Dehua, WANG Lunwei. Research on Trusted Security Host Architecture Based on Trusted Computing Base [J]. 信息网络安全, 2016, 16(7): 78-84.
[14]	XING Bin, LIU Jiqiang, HAN Zhen. A New Model for Measuring the Integrity of Trusted Computing Platforms [J]. 信息网络安全, 2016, 16(6): 8-14.
[15]	ZHANG Yaqi, HE Yongzhong, YU Aimin. A SSH Protocol Based on the Trusted Attestation of a Third Party Platform [J]. 信息网络安全, 2016, 16(12): 34-45.