Abstract: Software vulnerabilities are a major cause of security incidents. In computer security, a vulnerability is a weakness or flaw in a system: the system's susceptibility to a particular threat, attack or hazardous event, or the possibility that a threat agent can mount an attack against it. According to statistics from CERT (Computer Emergency Response Team), Internet security incidents have risen every year since the worm incident, and especially rapidly in recent years; from 1998 to 2010 the average annual growth was about 50%. The main driver of these incidents is the endless stream of system and network vulnerabilities, which has caused enormous economic losses across the Internet.
Strengthening research on software vulnerabilities can effectively reduce the occurrence of security incidents, thereby reducing economic losses and promoting the healthy and secure development of computer networks.
Through a study of software vulnerabilities, this thesis proposes a code-auditing method that reduces the occurrence of security incidents and thereby achieves a form of proactive defense. The main work includes:
1. Discussing how vulnerabilities arise, how they are classified, and the principles behind them.
2. Discussing methods for analyzing software vulnerabilities.
3. Designing and implementing code-auditing software.
4. Testing the software with use cases.
5. Evaluating the test results and giving secure-coding recommendations.
Keywords: malicious code; software vulnerabilities; code auditing; proactive defense; information security
Abstract: Malicious code typically spreads by exploiting software vulnerabilities, and such vulnerabilities are a leading cause of security incidents. In computer security, a vulnerability is a weakness or flaw in a system: its susceptibility to a particular threat, attack or hazardous event, or the possibility that a threat agent can mount an attack against it. According to statistics from the Computer Emergency Response Team (CERT), Internet security incidents have increased year after year since the worm incident, and especially rapidly in recent years; from 1998 to 2010 the average annual growth was about fifty percent. The main reason is the endless stream of system and network vulnerabilities, which leads to tremendous economic loss.
At present, strengthening research on software vulnerabilities can efficiently decrease the occurrence of security incidents, reducing economic losses and supporting the healthy and secure development of networks.
Through a study of software vulnerabilities, this thesis puts forward a code-review approach that reduces the occurrence of security incidents and achieves the effect of active defense. The main work is as follows:
1. Discuss the classification of software vulnerabilities and the principles behind them.
2. Discuss methods for analyzing software vulnerabilities.
3. Design and implement code-review software.
4. Test the software with use cases.
5. Evaluate the test results and propose secure-coding recommendations.
Key words: malicious code; software vulnerabilities; code review; active defense; information security
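As an added illustration of the kind of check that code-auditing software of the sort described above performs, the following minimal static auditor scans C source for calls to library functions that are classic sources of memory-corruption vulnerabilities and reports a safer alternative for each, which is the form a secure-coding recommendation usually takes. This is example code written for this page, not the thesis's own tool; the rule table, the sample C source and all function names are constructed assumptions.

```python
"""Minimal pattern-based C source auditor.

Added illustration for this abstract, not the thesis's own tool: it flags
calls to library functions that are classic sources of memory-corruption
bugs and suggests a bounded alternative for each.
"""
import re
from dataclasses import dataclass

# Assumed rule table: function -> (severity, secure-coding advice).
RULES = {
    "gets":    ("high",   "reads unbounded input; use fgets(buf, sizeof buf, stdin)"),
    "strcpy":  ("high",   "unbounded copy; use snprintf() or strlcpy() with the destination size"),
    "strcat":  ("high",   "unbounded append; use snprintf() or strlcat()"),
    "sprintf": ("high",   "unbounded formatting; use snprintf() with the destination size"),
    "strncpy": ("medium", "may leave the destination unterminated; add an explicit NUL"),
    "memcpy":  ("medium", "check the length against the destination size"),
}

# A call is a RULES name that is not part of a longer identifier (so
# my_strcpy_wrapper or fgets do not match), followed by '('.
CALL_RE = re.compile(r"(?<![A-Za-z0-9_])(" + "|".join(RULES) + r")\s*\(")
SCANF_RE = re.compile(r"(?<![A-Za-z0-9_])([sf]?scanf)\s*\(")
UNBOUNDED_S = re.compile(r"%s")                  # "%s" with no field width; "%31s" is bounded
STRING_RE = re.compile(r'"(?:\\.|[^"\\\n])*"')  # one C string literal, escapes allowed


@dataclass
class Finding:
    line: int
    func: str
    severity: str
    advice: str


def _strip_comments(src: str) -> str:
    """Blank out /* */ and // comments, keeping newlines so line numbers hold.
    Known limitation: comment markers inside string literals are not handled."""
    src = re.sub(r"/\*.*?\*/", lambda m: re.sub(r"[^\n]", " ", m.group(0)), src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)


def _blank_strings(line: str) -> str:
    """Replace string-literal contents with spaces, preserving length so that
    match offsets in the blanked line are still valid in the original line."""
    return STRING_RE.sub(lambda m: '"' + " " * (len(m.group(0)) - 2) + '"', line)


def audit_source(src: str) -> list[Finding]:
    """Return findings, in source order, for one C translation unit."""
    findings = []
    for lineno, line in enumerate(_strip_comments(src).splitlines(), start=1):
        code = _blank_strings(line)          # never match names inside string literals
        for m in CALL_RE.finditer(code):
            sev, advice = RULES[m.group(1)]
            findings.append(Finding(lineno, m.group(1), sev, advice))
        for m in SCANF_RE.finditer(code):
            # The format is taken to be the first string literal after the call on
            # this line; a "%s" without a width is an unbounded write into the target.
            fmt = STRING_RE.search(line, m.end())
            if fmt and UNBOUNDED_S.search(fmt.group(0)):
                findings.append(Finding(lineno, m.group(1), "high",
                                        'unbounded "%s"; use a field width such as "%31s"'))
    return findings


# Constructed sample input (not from the thesis); each trailing comment states
# what the auditor is expected to do with that line.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>
/* strcpy() in a comment must not be flagged */
void greet(const char *name) {
    char buf[32], safe[32];
    strcpy(buf, name);                        /* unbounded copy: flagged */
    snprintf(safe, sizeof safe, "%s", name);  /* bounded: not flagged */
    printf("strcpy(\\"inside a string\\")\\n"); /* string literal: not flagged */
    my_strcpy_wrapper(buf, name);             /* different identifier: not flagged */
    scanf("%s", buf);                         /* unbounded read: flagged */
    scanf("%31s", buf);                       /* width-limited: not flagged */
}
"""

if __name__ == "__main__":
    for f in audit_source(SAMPLE_C):
        print(f"line {f.line}: [{f.severity}] {f.func}(): {f.advice}")
```

Running it on the sample reports only line 6 (strcpy) and line 10 (scanf with an unbounded "%s"); the comment, the string literal, the wrapper identifier and the width-limited scanf are correctly left alone. A pattern auditor of this kind is deliberately cheap and has no data-flow tracking, so it is a first pass that a manual review of the flagged lines must follow.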