Abstract
Software occupies an increasingly important position in every sector of the national economy. In the era of the Internet of Everything, the interaction, analysis and collaboration of information are becoming ever more common, and dependencies among programs and software components keep growing, which raises the bar for system reliability and robustness. The software supply chain, built from open-source and third-party components, faces security problems that have in recent years become a shared focus of academia and industry. Library functions, as an important part of open-source software, are closely tied to software supply chain security: to improve development efficiency, software libraries and application programming interfaces (APIs) are used heavily during programming, but errors or vulnerabilities in library functions may be exploited by attackers and thereby compromise the supply chain. Such errors or vulnerabilities are frequently related to exceptions in library functions. This study therefore surveys the exception analysis methods applicable to library functions from the two perspectives of precision and efficiency, describes the basic idea and key steps of each method, and outlines preliminary approaches to the challenges that library function exception analysis faces. Exception analysis of the library functions in a software supply chain helps to strengthen the robustness of software systems and, in turn, to safeguard the security of the software supply chain.
Authors
GE Li-Li (葛丽丽); SHUAI Dong-Xin (帅东昕); XIE Jin-Yan (谢金言); ZHANG Ying-Zhou (张迎周); XUE Yu-Chuan (薛渝川); YANG Jia-Yi (杨嘉毅); MI Jie (密杰); LU Yue (卢跃)
School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing 210023, China
Source
Journal of Software (软件学报), 2023, No. 6, pp. 2606-2627 (22 pages)
Indexed in: EI; CSCD; Peking University Core Journals (北大核心)
Keywords
software supply chain; exception analysis; library function; precision optimization; efficiency optimization; function summary