CN111008376B - Mobile application source code safety audit system based on code dynamic analysis - Google Patents

Publication number
CN111008376B
Authority
CN
China
Prior art keywords
code
scanning
security
vulnerability
module
Prior art date
Legal status
Active
Application number
CN201911247159.2A
Other languages
Chinese (zh)
Other versions
CN111008376A (en)
Inventor
刘冬兰
刘新
马雷
张昊
王睿
于灏
王文婷
常英贤
陈剑飞
赵晓红
赵洋
赵勇
吕国栋
王晓峰
任天成
井俊双
刘鑫
Current Assignee
State Grid Corp of China SGCC
Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd
Application filed by State Grid Corp of China SGCC and Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd
Priority to CN201911247159.2A
Publication of CN111008376A
Application granted
Publication of CN111008376B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application discloses a mobile application source code security audit system based on dynamic code analysis. It comprises a code scanning engine module, an application presentation layer module and a data storage module. The application presentation layer module provides the front-end interface of the system and an interface for integrating external systems; the code scanning engine module cooperates with the application presentation layer module to plan, create and execute code security scanning tasks and to generate reports; the data storage module stores the data of the system. The system adopts a virtual execution technique, which addresses the low efficiency and low accuracy of first-generation (pattern matching) and second-generation (data-flow/control-flow analysis) tools; it reduces the labour and time wasted on triaging invalid findings, and reduces the security risk that the missed reports of traditional code scanning tools pose to the company; the system can be customised to the company's actual requirements, further improving efficiency and raising the company's code security level at the lowest cost.

Description

Mobile application source code safety audit system based on code dynamic analysis
Technical Field
The invention belongs to the technical field of network security and relates to a mobile application source code security audit system based on dynamic code analysis.
Background
With the development of the times, information technology has profoundly influenced people's work and life. While bringing convenience, however, it has also become a new tool for crime. Attacks on information systems are more covert than traditional criminal acts and harder to prevent; information assets and even physical safety can be compromised silently. Defensive devices such as firewalls, IDS and IPS have raised the security level of systems to some extent, but they cannot effectively prevent attacks at the application level, particularly attacks that exploit unknown (0-day) vulnerabilities in the system, and each new 0-day attack affects a large part of the Internet.
At present, the information systems of the State Grid company (hereinafter referred to as the company) are large in scale, their versions iterate quickly and the development and maintenance workload is heavy, while information security must be taken into account at the same time. Developers of information systems are generally unwilling or unable to write secure program code because they lack security knowledge and security awareness. Information security work is expensive for the company, yet its benefits and results are difficult to quantify. Most importantly, the company lacks an automated solution that can find code-level security vulnerabilities efficiently, accurately and in depth.
First-generation code scanning technology, generally found in open-source code scanning tools, mainly uses keyword and pattern matching. It is only suitable for detecting the simplest and most obvious security vulnerabilities and is of very limited practical value. Second-generation code scanning technology performs static code analysis based on formal logic and mathematical theory and is currently the industry mainstream. Compared with the first generation it understands the overall logic of the program better, but the static model has lower accuracy and a high false-positive rate, so that professional staff with security knowledge spend a great deal of time re-checking and correcting findings, and the working efficiency is low.
The company's current code security testing relies mainly on Fortify (United States) and Checkmarx (Israel). As the company's security requirements for the electric power information system keep rising, these foreign code security testing products show the following disadvantages in practice:
1. They cannot be independently controlled: the "Network Security Action Plan for the Power Industry (2018-2020)", compiled by the National Energy Administration, explicitly states: "insist on autonomous innovation, accelerate the promotion of autonomous controllability and core technology breakthroughs of the electric power system";
2. They do not match the characteristics of the industry: the power information system has high security requirements and distinct industrial characteristics, and foreign code security testing products cannot provide customised services;
3. Cost and expense are high: the maintenance and upgrade cost of foreign security testing products is high, exceeding 25% of the purchase price of the tools every year.
Disclosure of Invention
To overcome the shortcomings of the prior art, the application provides a mobile application source code security audit system based on dynamic code analysis. By effectively understanding the code logic, the system provides efficient code security scanning with a low false-positive rate, establishes an efficient and secure development process for users, and comprehensively raises the overall security level of the IT system while greatly reducing the enterprise's investment of information security resources.
To achieve the above object, the application adopts the following technical solution:
A mobile application source code security audit system based on dynamic code analysis, comprising a code scanning engine module, an application presentation layer module and a data storage module;
the application presentation layer module provides the front-end interface of the mobile application source code security audit system and an interface for integrating external systems;
the code scanning engine module cooperates with the application presentation layer module to plan, create and execute code security scanning tasks and to generate reports;
the data storage module stores the data of the mobile application source code security audit system.
The invention further comprises the following preferred embodiments:
Preferably, the code scanning engine module comprises a virtual intermediate language code translator, a security scanning rule module, a virtual executor and a scan report generator;
the virtual intermediate language code translator translates the code of the scanned project/product into virtual intermediate language code; during translation it simplifies the instructions of the analysed program, retaining only the information relevant to security vulnerabilities, which improves the efficiency and accuracy of security scanning;
the security scanning rule module defines the characteristics of the different security vulnerability types and the corresponding security scanning rules;
the virtual executor loads and executes the translated virtual intermediate language code and mines potential security problems according to the security scanning rules;
the scan report generator classifies and deduplicates the security problems discovered during code analysis and grades the threat level of each discovered security vulnerability.
Preferably, the scan report generator grades each discovered security vulnerability as a serious, high-risk, medium-risk or low-risk security threat.
Preferably, the code scanning engine module cooperates with the application presentation layer module to plan, create and execute a code security scanning task and generate its report as follows:
the characteristics and security scanning rules of the different security vulnerability types are predefined in the security scanning rule module of the code scanning engine module;
after the application presentation layer module creates a source code scanning task, it calls the code scanning engine module;
in the code scanning engine module, the virtual intermediate language code translator translates the code into virtual intermediate language code, the virtual executor then scans it, dynamically analysing and judging the code instruction by instruction according to the scanning rules, and finally the scan report generator produces the corresponding source code security defect audit report.
Preferably, the security vulnerability types include: permission check vulnerabilities, component analysis vulnerabilities, advertisement module analysis vulnerabilities, sensitive API analysis vulnerabilities, third-party component analysis vulnerabilities, code injection analysis vulnerabilities, information storage analysis vulnerabilities, unreleased resource analysis vulnerabilities, sensitive information leakage analysis vulnerabilities, poor practice vulnerabilities and privacy violation vulnerabilities.
Preferably, during scanning the code scanning engine module identifies the security vulnerabilities present in the source code according to the characteristics corresponding to each security vulnerability type:
permission check: the requested permissions are extracted to detect whether excessive permissions are requested, whether custom permissions are used and whether the granted permissions pose a risk;
component analysis: all components are listed to analyse whether a component is exposed externally, whether its permission is set correctly, whether its attributes are set correctly and whether its permission is overridden;
advertisement module analysis: all advertisement modules are extracted and analysed for vulnerabilities;
sensitive API analysis: all sensitive APIs and their call stacks are enumerated and analysed for vulnerabilities;
third-party component analysis: the third-party components used by the application are analysed for known vulnerabilities;
code injection analysis: the system is analysed for vulnerabilities such as SQL injection, XSS, reflection and dynamic loading that lead to code execution;
information storage analysis: the location and manner in which information is stored are analysed for correctness;
unreleased resource analysis: it is analysed whether the resources used by the application are released after use;
sensitive information leakage analysis: it is analysed whether information may leak during transmission or storage;
poor practice vulnerabilities include: the application having debug mode enabled, weak authentication, use of internal APIs, and components lacking permission settings;
privacy violation vulnerabilities include: collecting the user's private information without the user's consent.
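Several of the checks listed above (excessive or dangerous permissions, weak custom permissions, components exposed without a guarding permission, debug mode enabled) can be decided from the AndroidManifest.xml alone. The Python program below is an added example and is not the patent's rule module or any of its code: the sample manifest, the table of dangerous permissions, the severity mapping and the target-SDK threshold used for implicit export are all constructed for this illustration.

```python
"""Manifest-level checks for the permission, component and poor-practice types
listed above: an added illustration, not the patent's rule module. The sample
manifest, the dangerous-permission table and the severity mapping are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "service", "receiver", "provider")
LEVELS = ("serious", "high-risk", "medium-risk", "low-risk")
# Constructed subset of the permissions Android classifies as "dangerous".
DANGEROUS = {"android.permission.READ_CONTACTS", "android.permission.READ_SMS",
             "android.permission.ACCESS_FINE_LOCATION", "android.permission.RECORD_AUDIO"}

# Constructed sample manifest with one weakness of each kind checked below.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.grid">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <permission android:name="com.example.grid.permission.ADMIN" android:protectionLevel="normal"/>
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <provider android:name=".DataProvider" android:authorities="com.example.grid.data"
        android:exported="true" android:permission="com.example.grid.permission.ADMIN"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""


def attr(element, name, default=None):
    """Read an android:-namespaced attribute."""
    return element.get("{%s}%s" % (ANDROID_NS, name), default)


def is_exported(component, target_sdk):
    """A component is reachable from other apps if android:exported is true, or if it
    has an intent-filter and the app targets an SDK below 31 (implicit export)."""
    explicit = attr(component, "exported")
    if explicit is not None:
        return explicit == "true"
    return bool(component.findall("intent-filter")) and target_sdk < 31


def is_launcher(component):
    """The launcher activity is exported by design and must not be reported."""
    return any(attr(c, "name") == "android.intent.category.LAUNCHER"
               for f in component.findall("intent-filter") for c in f.findall("category"))


def scan_manifest(xml_text, target_sdk=30):
    """Return deduplicated findings ordered by threat level."""
    root = ET.fromstring(xml_text)
    findings = []

    # Permission check: excessive (dangerous) permissions and weak custom permissions.
    for p in root.findall("uses-permission"):
        if attr(p, "name") in DANGEROUS:
            findings.append(("medium-risk", "permission check",
                             "requests dangerous permission " + attr(p, "name")))
    weak_custom = {attr(p, "name") for p in root.findall("permission")
                   if attr(p, "protectionLevel", "normal") == "normal"}
    for name in sorted(weak_custom):
        findings.append(("high-risk", "permission check",
                         "custom permission %s has protectionLevel normal" % name))

    # Component analysis: exposed components and the permission that guards them.
    app = root.find("application")
    for comp in app:
        if comp.tag not in COMPONENTS or not is_exported(comp, target_sdk) or is_launcher(comp):
            continue
        name, perm = attr(comp, "name"), attr(comp, "permission")
        if perm is None:
            level = "serious" if comp.tag == "provider" else "high-risk"
            findings.append((level, "component analysis",
                             "%s %s is exported without a permission" % (comp.tag, name)))
        elif perm in weak_custom:
            findings.append(("medium-risk", "component analysis",
                             "%s %s is guarded by weak permission %s" % (comp.tag, name, perm)))

    # Poor practice: debug mode left enabled.
    if attr(app, "debuggable") == "true":
        findings.append(("high-risk", "poor practice", "application is debuggable"))

    # Report-generator duties: deduplicate, then grade by threat level.
    unique = sorted(set(findings), key=lambda f: (LEVELS.index(f[0]), findings.index(f)))
    return [{"level": l, "type": t, "detail": d} for l, t, d in unique]


if __name__ == "__main__":
    for f in scan_manifest(SAMPLE_MANIFEST):
        print("[%s] %s: %s" % (f["level"], f["type"], f["detail"]))
```

Two caveats a rule writer needs are built in: a component with an intent-filter but no explicit android:exported attribute is implicitly exported only for apps targeting an SDK below 31, which the target_sdk parameter models, and the launcher activity is exported by design and is skipped so that the finding is not raised for every app.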
Preferably, during scanning the code scanning engine module loads the translated virtual intermediate language code into the virtual machine and forcibly starts the virtual executor;
the virtual executor dynamically tracks and analyses the run-time behaviour of the program code during this controlled execution, so that the program logic is understood more comprehensively and accurately.
Preferably, the virtual executor dynamically tracks and analyses the program code as follows:
step one: load the translated virtual intermediate language code into the virtual machine;
step two: search the virtual intermediate language code for potential security risk points according to the preset analysis target;
step three: read the instructions of the method containing a potential security risk point one by one, simulating the data stack, to obtain the data that flows into the risk point;
step four: evaluate the data obtained for the risk point; if part of the data is unknown, the code scanning engine finds the method from which the unknown part originates, treats it as a new potential security risk point and returns to step three, completing the dynamic analysis of that method, until the properties of all data flowing into the risk points are determined, and outputs the data obtained by dynamic analysis;
step five: the code analysis engine in the virtual executor judges, according to the security scanning rules, whether the data obtained by dynamic analysis can cause a real security problem; if it can, the source code is judged to contain a security vulnerability.
Preferably, the external system integration interface provided by the application presentation layer module comprises an IDE plug-in integration interface, a continuous integration tool integration interface and a bug tracking system integration interface.
Preferably, the application presentation layer module comprises a basic data management module, a code security scanning task management module, a code security scanning report management module and a code scanning engine monitoring module;
the basic data management module handles user/account management, product management and permission management, so that users with different permissions see the views appropriate to them; this meets the requirements of security work and provides permission control that prevents sensitive information from being exposed;
the code security scanning task management module provides two types of scanning task, immediate scanning and periodic scanning, to meet the requirements of different scenarios;
the code security scanning report management module allows viewing summary reports, viewing detailed reports and downloading reports;
the code scanning engine monitoring module allows checking the working state of the code scanning engine module and provides the information an administrator needs to understand the system's running state and load.
Preferably, the application presentation layer module creates a source code scanning task as follows:
a product is added through the basic data management module by entering the product name and selecting the scan file type;
after the product is saved, the scanning task list is entered and the details of the scanning task are selected: the scan type is immediate or periodic scanning, the vulnerability levels are serious, high-risk, medium-risk and low-risk, the scanning policy is configured to select all vulnerability types and the version number of the system, and code vulnerability scanning starts after the APK package is uploaded.
Preferably, the scan file types include J2EE and Android.
Preferably, the code security scanning report management module also supports interactive review of security vulnerabilities linked to the source code and tracking of the processing state of each security vulnerability.
Preferably, the working state of the code scanning engine module includes the task being scanned, the scanning duration, and resource usage such as memory.
Preferably, the data storage module stores two types of data: metadata used by the code security scanning engine module, and data generated by users while using the mobile application source code security audit system based on dynamic code analysis.
Preferably, the data generated by users while using the mobile application source code security audit system based on dynamic code analysis comprises user information, product information, code security scanning task data and code security scanning reports.
The beneficial effects achieved by the application are:
1. it adopts virtual execution, a new-generation code security analysis technique, which to a certain extent overcomes the low efficiency and low accuracy of first- and second-generation tools based on pattern matching and data-flow/control-flow analysis;
2. it solves a number of problems of traditional code security scanning tools, reducing the labour and time wasted on triaging invalid findings and reducing the security risk that the missed reports of traditional code scanning tools pose to the company;
3. the system and method can be customised to the company's actual requirements, further improving efficiency and comprehensively raising the company's code security level at the lowest cost.
Drawings
FIG. 1 is a block diagram of a mobile application source code security audit system based on code dynamic analysis according to the present application;
FIG. 2 is a flow chart illustrating dynamic tracking and analysis of program code by a virtual executor in an embodiment of the present application;
FIG. 3 is a schematic flow chart illustrating a code scan analysis performed by the code scan engine module in the embodiment of the present application;
FIG. 4 is a security vulnerability level distribution diagram in an embodiment of the present application;
FIG. 5 is a security vulnerability type distribution diagram in the embodiment of the present application.
Detailed Description
The application is further described below with reference to the accompanying drawings. The following examples only illustrate the technical solution of the invention more clearly and do not limit the protection scope of the application.
As shown in FIG. 1, the mobile application source code security audit system based on dynamic code analysis enables customers to comprehensively raise the security level of their products at lower cost through clear and readable vulnerability analysis reports, rich statistics, reports and graphical displays, and flexible deployment and scanning modes.
The system comprises a code scanning engine module, an application presentation layer module and a data storage module;
the code scanning engine module cooperates with the application presentation layer module to plan, create and execute code security scanning tasks and to generate reports;
the application presentation layer module provides the front-end interface of the mobile application source code security audit system and an interface for integrating external systems, which comprises an IDE plug-in integration interface, a continuous integration tool integration interface and a bug tracking system integration interface;
the data storage module stores the data of the mobile application source code security audit system.
In an embodiment, the data storage module stores two types of data: metadata used by the code security scanning engine module, and data generated by users while using the mobile application source code security audit system based on dynamic code analysis, comprising user information, product information, code security scanning task data and code security scanning reports.
The application adopts a modular design: the application presentation layer, the code scanning engine and the data storage can be deployed as independent subsystems and scaled horizontally according to the operating environment and data load.
The code scanning engine module is the core that finds potential security problems in complex code. It uses a virtual execution technique, claimed as original in the industry, for code analysis and vulnerability mining: the target application is loaded and run in a dedicated virtual machine, and the run-time behaviour of the program code is dynamically tracked during execution, so that the program logic is understood more comprehensively and accurately. The code analysis engine is built specifically for security vulnerability mining, so the analysis concentrates on the precise technical details related to security risk, and the accuracy of vulnerability mining is greatly improved.
The code scanning engine module comprises a virtual intermediate language code translator, a security scanning rule module, a virtual executor and a scan report generator;
the virtual intermediate language code translator translates the code of the scanned project/product into virtual intermediate language code; during translation it simplifies the instructions of the analysed program, retaining only the information relevant to security vulnerabilities, which improves the efficiency and accuracy of security scanning;
the application defines its own virtual intermediate language; when code is scanned it is first converted into virtual intermediate language code, and the translated code is then scanned to find potential security problems.
The benefits of this design are:
Easy extension to multiple languages: analysis is performed on the virtual intermediate language rather than on the language used to develop the project/product, so the code scanning engine does not depend on any particular development language. To support a new development language, in theory only a translator for that language needs to be implemented;
Improved accuracy of security analysis: the code scanning engine analyses code by dynamic execution, and the large amount of security-irrelevant logic in the analysed code would affect the accuracy of the final security analysis. When translating code into the virtual intermediate language the engine simplifies it reasonably and eliminates much security-irrelevant logic, which improves the accuracy of security analysis;
Improved speed of security analysis: because the code is simplified during translation into the virtual intermediate language and much security-irrelevant logic is eliminated, the speed of code security analysis is greatly improved.
The security scanning rule module defines the characteristics of the different security vulnerability types and the corresponding security scanning rules;
The system focuses on Web security vulnerability scanning. The currently supported development languages include Java, JSP, C and C++; more than 40 security vulnerability types are supported, covering input validation, cryptography, technology, protocol and other related vulnerability types as well as insecure programming habits, fully covering the basic security threats to Web applications.
The main security vulnerability types are shown in Table 1:
Table 1: Android platform major security vulnerability type names and introductions
(Table 1 is reproduced only as the images GDA0003257395640000071 and GDA0003257395640000081 in the original publication; its content is not recoverable here.)
During scanning the code scanning engine module identifies the security vulnerabilities in the source code according to the characteristics of each vulnerability type. The scanning and detection process for the common SQL injection vulnerability is described in detail as follows:
1) after scanning starts, the virtual code translator translates the code of the scanned project into virtual intermediate language code;
2) the virtual executor then dynamically analyses and judges the code instruction by instruction in combination with the security scanning rules, passing the SQL parameters into the query string via GET, POST or Cookie to generate the URL requests;
3) the code analysis engine in the virtual executor judges the result returned by the code under test for the submitted SQL parameter;
4) the code analysis engine in the virtual executor judges whether the SQL parameter can be injected into the SQL statement; if database information can be obtained from the payload, the code analysis engine performs dynamic analysis to obtain the corresponding sensitive data, such as the database name, database user name, password and table structure;
5) finally, the scan report generator produces the corresponding source code security defect audit report.
The virtual executor loads and executes the translated virtual intermediate language code and mines potential security problems according to the security scanning rules;
in the embodiment, during scanning the code scanning engine module loads the translated virtual intermediate language code into a virtual machine and forcibly starts the virtual executor;
the virtual executor dynamically tracks and analyses the run-time behaviour of the program code during this controlled execution, so that the program logic is understood more comprehensively and accurately.
As shown in FIG. 2, the virtual executor dynamically tracks and analyses the program code as follows:
step one: load the translated virtual intermediate language code into the virtual machine;
step two: search the virtual intermediate language code for potential security risk points according to the preset analysis target;
step three: read the instructions of the method containing a potential security risk point one by one, simulating the data stack, to obtain the data that flows into the risk point;
step four: evaluate the data obtained for the risk point; if part of the data is unknown, the code scanning engine finds the method from which the unknown part originates, treats it as a new potential security risk point and returns to step three, completing the dynamic analysis of that method, until the properties of all data flowing into the risk points are determined, and outputs the data obtained by dynamic analysis, i.e. the data flowing into the potential risk points;
step five: the code analysis engine in the virtual executor judges, according to the security scanning rules, whether the data obtained by dynamic analysis can cause a real security problem; if it can, the source code is judged to contain a security vulnerability.
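The five steps above, together with the SQL injection case described under the scanning rule module, amount to a backward data-flow analysis: start at a risk point (a sink), replay the enclosing method to learn what reaches it, and resolve any part that comes from a parameter by visiting the callers, which become new risk points. The Python program below is an added example, not the patent's virtual executor or its intermediate language: the instruction set, the table of untrusted sources, sinks and sanitisers, and the sample program (two callers of a DAO method that builds a query by string concatenation) are constructed here, chosen so that the same method is safe from one caller and injectable from the other, which a per-method check could not tell apart.

```python
"""Backward data-flow over a toy virtual intermediate language (VIL): an added
illustration, not the patent's engine. The VIL, the rule table and the sample
program are constructed here; only the five-step shape of the analysis follows
the text (load, find risk points, replay the method, resolve unknowns via callers,
judge against a rule)."""
from dataclasses import dataclass

# Rule table (constructed): untrusted sources, dangerous sinks, sanitisers.
UNTRUSTED_SOURCES = {"HttpServletRequest.getParameter", "Intent.getStringExtra"}
SINKS = {"Statement.executeQuery": "SQL injection"}
SANITIZERS = {"DbUtil.escape"}


@dataclass(frozen=True)
class Param:
    """Label for the method's index-th parameter: the 'unknown part' of the data."""
    index: int


# A VIL method is a list of instructions; only data movement survives translation:
#   ("const", dst, literal)  ("param", dst, index)  ("concat", dst, a, b)
#   ("call", dst, callee, [args])  (dst may be None)  ("ret", var)
PROGRAM = {
    "LoginServlet.doPost": [                      # untrusted caller
        ("const", "key", "user"),
        ("call", "user", "HttpServletRequest.getParameter", ["key"]),
        ("call", None, "UserDao.findByName", ["user"]),
        ("ret", None)],
    "ReportJob.run": [                            # constant caller
        ("const", "name", "nightly"),
        ("call", None, "UserDao.findByName", ["name"]),
        ("ret", None)],
    "UserDao.findByName": [                       # sink fed by a parameter
        ("param", "name", 0),
        ("const", "head", "SELECT * FROM users WHERE name='"),
        ("concat", "q", "head", "name"),
        ("call", "rs", "Statement.executeQuery", ["q"]),
        ("ret", "rs")],
    "AuditDao.findByName": [                      # sink fed through a sanitiser
        ("param", "name", 0),
        ("call", "safe", "DbUtil.escape", ["name"]),
        ("const", "head", "SELECT * FROM audit WHERE name='"),
        ("concat", "q", "head", "safe"),
        ("call", "rs", "Statement.executeQuery", ["q"]),
        ("ret", "rs")],
}


def replay(method, program):
    """Step three: execute the method over provenance labels instead of values.
    Returns (env, sinks); sinks lists (callee, labels of the argument at the sink)."""
    env, sinks = {}, []
    for ins in program[method]:
        op = ins[0]
        if op == "const":
            env[ins[1]] = frozenset({"const"})
        elif op == "param":
            env[ins[1]] = frozenset({Param(ins[2])})
        elif op == "concat":
            env[ins[1]] = env[ins[2]] | env[ins[3]]
        elif op == "call":
            _, dst, callee, args = ins
            arg_labels = [env[x] for x in args]
            if callee in SINKS:
                sinks.append((callee, arg_labels[0]))
            if dst is None:
                continue
            if callee in UNTRUSTED_SOURCES:
                env[dst] = frozenset({"untrusted:" + callee})
            elif callee in SANITIZERS:
                env[dst] = frozenset({"sanitized"})
            else:  # unknown callee: its result derives from its inputs
                env[dst] = frozenset().union(*arg_labels) or frozenset({"const"})
    return env, sinks


def callers(method, program):
    """Call sites of `method` as (caller, argument variables passed)."""
    return [(m, ins[3]) for m, code in program.items()
            for ins in code if ins[0] == "call" and ins[2] == method]


def resolve(labels, method, program, path=(), seen=frozenset()):
    """Step four: replace Param labels by what each caller passes, each caller being
    a new risk point, until nothing unknown remains. Returns [(labels, path)]."""
    path, seen = path + (method,), seen | {method}
    unknown = [l for l in labels if isinstance(l, Param)]
    known = frozenset(l for l in labels if not isinstance(l, Param))
    if not unknown:
        return [(known, path)]
    results = []
    for caller, args in callers(method, program):
        if caller in seen:  # cycle guard for recursive call chains
            continue
        env, _ = replay(caller, program)
        passed = frozenset().union(*(env[args[p.index]] for p in unknown))
        results += resolve(known | passed, caller, program, path, seen)
    if not results:  # no caller known: entry point, parameters are external input
        results.append((known | {"untrusted:external"}, path))
    return results


def scan(program):
    """Steps two and five: find every risk point and judge the data reaching it."""
    findings = []
    for method in program:
        for callee, labels in replay(method, program)[1]:
            for resolved, path in resolve(labels, method, program):
                sources = sorted(l for l in resolved
                                 if isinstance(l, str) and l.startswith("untrusted:"))
                if sources:  # rule: untrusted data reaches the sink unsanitised
                    findings.append({"type": SINKS[callee], "method": method,
                                     "path": list(path[::-1]), "sources": sources})
    return findings


if __name__ == "__main__":
    for f in scan(PROGRAM):
        print(f["type"], "in", f["method"], "via", " -> ".join(f["path"]))
```

Provenance labels stand in for concrete values, so the replay never needs real input: a risk point is reported only when an untrusted label survives to the sink, the sanitised DAO produces no finding even though it is reachable from the same kind of caller, and a method whose parameter has no known caller is treated as an entry point fed by external input, the conservative choice for framework-invoked code.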
The scan report generator classifies, sorts and deduplicates the security problems found during code analysis and grades the threat level of each discovered security vulnerability as serious, high-risk, medium-risk or low-risk.
The process of the code scanning analysis by the code scanning engine module is shown in fig. 3, and the traditional code scanning tool often needs to modify the compiling, packing script and flow of the project. For the complicated compiling and packaging process of large projects, the work is time-consuming and labor-consuming, errors are easy to occur, and conflicts and confusion between a code scanning environment and a normal project packaging environment are often caused.
In an embodiment, the application presentation layer module comprises a basic data management module, a code security scanning task management module, a code security scanning report management module and a code scanning engine monitoring module;
the basic data management function module is used for user/account management, product management and authority management, so that users with different authorities can see views suitable for the users, the requirement of safe work is met, perfect authority control is provided, and sensitive information is prevented from being exposed;
the code security scanning task management module provides two types of scanning tasks, namely instant scanning and periodic scanning, and meets different scene requirements;
the code security scanning report management module is used for checking a summary report, checking a detailed report and downloading the report, and is also used for checking interactive security vulnerabilities associated with source codes and tracking security vulnerability processing states;
the code scanning engine monitoring module is used for checking the working state (such as a task being scanned, scanning time, memory and other resource occupation conditions) of the code scanning engine module and providing necessary information for an administrator to know the system running state and load.
The code scanning engine module cooperates with the application display layer module to complete the planning, creating, scanning and report generation of the code security scanning task, and the process is as follows:
predefining characteristics and security scanning rules of different security vulnerability types through a security scanning rule module in the code scanning engine module;
after the application display layer module creates a source code scanning task, calling a code scanning engine module;
in the code scanning engine module, the virtual intermediate language code translator translates the code into virtual intermediate language code, the virtual executor then performs scanning detection, dynamically analysing and judging the code instruction by instruction according to the scanning rules, and finally the scanning report generator produces the corresponding source code security defect audit report.
The steps of the application presentation layer module for creating the source code scanning task are as follows:
adding products through a basic data management function module, inputting product names and selecting the type of a scanning file to be J2EE or Android;
after the product is saved, the user enters the scanning task list and fills in the details of the scanning task: the scanning type (instant or periodic scanning), the vulnerability levels (serious, high-risk, medium-risk and low-risk) and the scanning strategy (all vulnerability types and the version number of the system); the user then uploads the APK package and clicks the save button to start code vulnerability scanning. The whole procedure is simple and convenient.
The system supports adding a product through the product management function of the application presentation layer and uploading its APK, so that the existing APK of a Java project is scanned directly without changing the application system's compilation and packaging processes, which saves the tedious and error-prone process of modifying and trialling the build configuration. If the exact position of a vulnerability in the source code needs to be shown, the user can also upload the source code to the detailed report of the corresponding test item in the system's 'scanning task list'. The user can set periodic timed scanning according to specific requirements; scanning is fast and accurate, and the system can be flexibly integrated into various software development workflows, including agile development.
A specific application example follows:
on 30 October 2019 the system performed a security audit of the source code of the 'intelligent capital construction management and control platform APK' of State Grid Shandong Electric Power Company.
The code scan summary report is shown in table 2:
TABLE 2 Code scan summary report

Application system name: Intelligent capital construction management and control platform APK
Scanning type: Instant scanning
Product code package name:
Scanned vulnerability classes: Serious, high, medium and low risk
Scanning strategy: Scanning strategy
Engine version number: v2019.02
Scan start time: 2019-10-30 08:58:37
Scan duration: 3 minutes 49 seconds
Total number of files scanned: 3490
Total number of lines of code scanned: 103265
Total number of vulnerabilities discovered: 2249
Number of vulnerabilities of high risk or above: 1
Scan completion: 100.00%
The security vulnerability levels are defined as follows:
a security vulnerability is closely related to an information asset and may be threatened and exploited under certain conditions or in certain environments, causing loss of the asset. Vulnerabilities arise for various reasons, such as quality problems during software development, configuration problems on the part of system administrators, and security management issues; what they have in common is that they give an attacker an opportunity to attack the information asset. With reference to common international standards and experience, this evaluation classifies the severity of the vulnerabilities found in the asset into four grades: serious (C), high risk (H), medium risk (M) and low risk (L), as shown in table 3:
TABLE 3 Security vulnerability level and definition (the table is provided as an image in the original and its content is not available in the text)
The security vulnerability level distribution and the security vulnerability type distribution are respectively shown in fig. 4 and fig. 5.
The security vulnerability profile is shown in table 4:
TABLE 4 Security vulnerability profile (the table is provided as an image in the original and its content is not available in the text)
By auditing and evaluating the source code of the 'intelligent capital construction management and control platform APK' project, the system determines whether the application contains vulnerabilities that an attacker could genuinely exploit and the risk those vulnerabilities pose, so that the project's security protection level can be evaluated, its security risk quantified, and a practical basis provided for corresponding countermeasures and solutions.
The present applicant has described and illustrated embodiments of the present invention in detail with reference to the accompanying drawings, but it should be understood by those skilled in the art that the above embodiments are merely preferred embodiments of the present invention, and the detailed description is only for the purpose of helping the reader to better understand the spirit of the present invention, and not for limiting the scope of the present invention, and on the contrary, any improvement or modification made based on the spirit of the present invention should fall within the scope of the present invention.

Claims (13)

1. A mobile application source code security audit system based on code dynamic analysis is characterized in that:
the mobile application source code security audit system comprises: the system comprises a code scanning engine module, an application presentation layer module and a data storage module;
the application display layer module provides an external system integration interface for a front-end interface of the mobile application source code security audit system;
the code scanning engine module is cooperated with the application presentation layer module to realize the planning, the creation, the scanning and the report generation of a code security scanning task;
the data storage module is used for storing data of the mobile application source code security audit system;
the code scanning engine module comprises a virtual intermediate language code translator, a safety scanning rule module, a virtual executor and a scanning report generator;
the virtual intermediate language code translator is responsible for translating the code of the scanned project/product into virtual intermediate language code, simplifying the instructions of the analysed program during translation and retaining only information related to security vulnerabilities, so as to improve the efficiency and accuracy of the code security scan;
the security scanning rule module is used for defining the characteristics and security scanning rules of different security vulnerability types;
the virtual executor loads and executes the converted virtual intermediate language code, and potential safety problems are mined according to safety scanning rules;
the scanning report generator classifies and deduplicates the security problems found in the code analysis process, and grades the security threat level of the found security holes;
the code scanning engine module loads the converted virtual intermediate language code into a virtual machine during code scanning and forcibly starts the virtual executor to run it;
during this controlled execution the virtual executor dynamically tracks and analyses the runtime behaviour of the program code, so that the program logic is understood more comprehensively and accurately;
the process of the virtual executor dynamically tracking and analyzing the program code is as follows:
the method comprises the following steps: loading the converted virtual intermediate language code into a virtual machine;
step two: searching potential safety risk points existing in the virtual intermediate language codes according to a preset analysis target;
step three: reading the instructions of the method of the potential safety risk points one by one, and simulating data stacking to obtain data flowing into the risk points;
step four: evaluating the data obtained for the inflow to the risk point; if any part of the data is unknown, the code scanning engine finds the method from which the unknown part originates, treats that method as a new potential security risk point and returns to step three, repeating the dynamic analysis of the method until the properties of all data flowing into the risk points are determined, and then outputting the data obtained by the dynamic analysis;
step five: a code analysis engine in the virtual executor judges, according to the security scanning rules, whether the data obtained by the dynamic analysis can cause a real security problem; if it can, the source code is judged to contain a security vulnerability.
2. The system for mobile application source code security audit based on code dynamic analysis of claim 1 wherein:
and the scanning report generator grades the discovered security vulnerabilities according to the level of severe, high-risk, medium-risk or low-risk security threats.
3. The system for mobile application source code security audit based on code dynamic analysis of claim 1 wherein:
the code scanning engine module cooperates with the application display layer module to complete the planning, creating, scanning and report generation of the code security scanning task, and the process is as follows:
predefining characteristics and security scanning rules of different security vulnerability types through a security scanning rule module in the code scanning engine module;
after the application display layer module creates a source code scanning task, calling a code scanning engine module;
in the code scanning engine module, the virtual intermediate language code translator translates the code into virtual intermediate language code, the virtual executor then performs scanning detection, dynamically analysing and judging the code instruction by instruction according to the scanning rules, and finally the scanning report generator produces the corresponding source code security defect audit report.
4. The system for mobile application source code security audit based on code dynamic analysis of claim 1 wherein:
the security vulnerability types include an authority check vulnerability, a component analysis vulnerability, an advertisement module analysis vulnerability, a sensitive API analysis vulnerability, a third party component analysis vulnerability, a code injection analysis vulnerability, an information storage analysis vulnerability, a resource unreleased analysis vulnerability, a sensitive information leakage analysis vulnerability, a poor practice vulnerability and an invasion privacy vulnerability.
5. The system for mobile application source code security audit based on code dynamic analysis of claim 4, wherein:
the code scanning engine module identifies the security vulnerabilities existing in the source codes according to the corresponding features of the security vulnerability types in the scanning process:
the permission check vulnerability extracts the permissions and detects whether excessive permissions are applied for, whether custom permissions are used and whether the authorization carries risk;
the component analysis vulnerability lists all components and analyses whether a component is exposed externally, whether its permissions are set correctly, whether its attributes are set correctly and whether its permissions are overridden;
the advertisement module analysis vulnerability extracts all advertisement modules and analyses their vulnerabilities;
the sensitive API analysis vulnerability enumerates all sensitive APIs and their call stacks and analyses sensitive API vulnerabilities;
the third-party component analysis vulnerability analyses whether the third-party components used contain vulnerabilities;
the code injection analysis vulnerability analyses whether the system has vulnerabilities such as SQL injection, XSS, reflection and dynamic loading that lead to code execution;
the information storage analysis vulnerability analyses whether the location and manner of information storage are correct;
the resource unreleased analysis vulnerability analyses whether resources used by the application system are released after use;
the sensitive information leakage analysis vulnerability analyses whether information may be leaked during transmission and storage;
the poor practice vulnerabilities include application enabled debug mode, weak authentication, use of internal APIs, and component lack of permission settings;
the invasion of the privacy vulnerability comprises collection of the privacy information of the user without permission of the user.
6. The system for mobile application source code security audit based on code dynamic analysis of claim 1 wherein:
the external system integration interface provided by the application presentation layer module comprises an IDE plugin integration interface, a continuous integration tool integration interface and a Bug tracking system integration interface.
7. The system for mobile application source code security audit based on code dynamic analysis of claim 1 wherein:
the application display layer module comprises a basic data management module, a code security scanning task management module, a code security scanning report management module and a code scanning engine monitoring module;
the basic data management function module is used for user/account management, product management and authority management, so that users with different authorities can see views suitable for the users, the requirement of safe work is met, and meanwhile, authority control is provided, and sensitive information is prevented from being exposed;
the code security scanning task management module provides two types of scanning tasks, namely instant scanning and periodic scanning, and meets different scene requirements;
the code security scanning report management module is used for checking summary reports, checking detailed reports and downloading reports;
the code scanning engine monitoring module is used for checking the working state of the code scanning engine module and providing necessary information for an administrator to know the system running state and load.
8. The system for mobile application source code security audit based on code dynamic analysis of claim 7, wherein:
the steps of the application presentation layer module for creating the source code scanning task are as follows:
adding products through a basic data management function module, inputting product names and selecting scanning file types;
after the product is saved, entering the scanning task list and selecting the details of the scanning task, wherein the scanning type is instant scanning or periodic scanning, the vulnerability levels are serious, high-risk, medium-risk and low-risk, and the scanning strategy is configured to select all vulnerability types and the version number of the system, and starting code vulnerability scanning after uploading the APK package.
9. The system for mobile application source code security audit based on code dynamic analysis of claim 8, wherein:
the scan file types include J2EE and Android.
10. The system for mobile application source code security audit based on code dynamic analysis of claim 7, wherein:
the code security scanning report management module is also used for interactive security vulnerability checking associated with source codes and tracking security vulnerability processing state.
11. The system for mobile application source code security audit based on code dynamic analysis of claim 7, wherein:
the working state of the code scanning engine module comprises the task being scanned, the scanning time, and the occupation of memory and other resources.
12. The system for mobile application source code security audit based on code dynamic analysis of claim 1 wherein:
the data storage module stores two types of data, wherein one type of data is metadata used by the code security scanning engine module, and the other type of data is data generated by a user in the process of using the mobile application source code security audit system of code dynamic analysis.
13. The system for mobile application source code security audit based on code dynamic analysis of claim 12, wherein:
data generated by a user in the process of using the mobile application source code security audit system of code dynamic analysis comprises user information, product information, code security scanning task data and a code security scanning report.
CN201911247159.2A 2019-12-09 2019-12-09 Mobile application source code safety audit system based on code dynamic analysis Active CN111008376B (en)

Publications (2)

Publication Number Publication Date
CN111008376A CN111008376A (en) 2020-04-14
CN111008376B true CN111008376B (en) 2021-11-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant