摘要
基于源码与二进制文件的的静态漏洞挖掘分析可以检测出很多漏洞,但同时存在很多漏报以及误报。动态分析技术分析动态调试器中程序的内存、状态以及调试器的寄存器等信息,进而发现潜在的安全漏洞,具有较高的准确率和较强的针对性。但动态漏洞分析技术在输入数据格式较为复杂时,很容易构造出触发程序异常的数据。针对二者的不足,本文提出了一种基于静、动态结合的漏洞挖掘分析方法,为漏洞挖掘分析增添了新的思路。
Static vulnerability mining based on the source code and binaries can detect a lot of vulnerabilities, but there are a lot of missing reports and error reports. Dynamic analysis techniques can analyze the dynamic memory debugger program, status and debugger register and other information. Then identify potential security vulnerabilities, with high accuracy and highly targeted. However, it is easy to construct a program to make an exception of data when input data format is more complicated in dynamic vulnerabilities analysis technology. For the above two drawbacks, this paper presents an vulnerability analysis mining method based on static and dynamic analysis, which adds a new way of thinking for mining vulnerabilities analysis.
出处
《软件》
2016年第8期95-98,共4页
Software
基金
江苏省2016年度科技发展基金
项目编号:宁科(2016)138号
关键词
漏洞挖掘
静态分析
动态分析
静、动态相结合
Vulnerability mining
Static analysis
Dynamic analysis
Combination of static and dynamic
