Abstract
As Java software grows more complex, developers increasingly rely on cryptographic functions to protect application data. Although the cryptographic algorithms themselves are strong, the Java cryptographic API is complicated in design and is often misused by developers, which introduces avoidable security vulnerabilities. To enforce correct developer behaviour, this paper proposes an annotation-based method for strengthening the security of Java cryptographic API usage and implements it as the SecureCrypto framework. The framework automatically generates encryption and decryption code from user parameters and application-scenario templates, verifies the developer's code, and detects and reports errors at compile time. To simplify annotation development, the paper also implements a template generator based on Java code, with which security experts can quickly and accurately define new scenarios to extend SecureCrypto. A controlled experiment finds that annotations do help developers write secure and reliable code efficiently, and that the template generator is a necessary tool for security experts to extend the scenarios in which annotations can be used.
Authors
周济时
张晓寒
张源
杨珉
ZHOU Ji-shi; ZHANG Xiao-han; ZHANG Yuan; YANG Min (Software School, Fudan University, Shanghai 201203, China)
Source
《小型微型计算机系统》
CSCD
Peking University Core Journal
2019, Issue 2, pp. 367-373 (7 pages)
Journal of Chinese Computer Systems
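Funding
Supported by the Shanghai Sailing Program for Young Scientific and Technological Talents (16YF1400800)
Supported by the National Key Basic Research and Development Program (2015CB358800)
Supported by the National Natural Science Foundation of China (61602123, 61602121, U1636204, U1736208)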