With the rapid development of information technology,audit objects and audit itself are more and more inseparable from software.As an important means of software security audit,code security audit will become an impor...With the rapid development of information technology,audit objects and audit itself are more and more inseparable from software.As an important means of software security audit,code security audit will become an important aspect of future audit that cannot be ignored.However,the existing code security audit ismainly based on source code,which is difficult to meet the audit needs of more and more programming languages and binary commercial software.Based on the idea of normalized transformation,this paper constructs a cross language code security audit framework(CLCSA).CLCSA first uses compile/decompile technology to convert different highlevel programming languages and binary codes into normalized representation,and then usesmachine learning technology to build a cross language code security audit model based on normalized representation to evaluate code security and find out possible code security vulnerabilities.Finally,for the discovered vulnerabilities,the heuristic search strategy will be used to find the best repair scheme from the existing normalized representation sample library for automatic repair,which can improve the effectiveness of code security audit.CLCSA realizes the normalized code security audit of different types and levels of code,which provides a strong support for improving the breadth and depth of code security audit.展开更多
网络语音电话(Voice over Internet Protocol,VoIP)技术在Android平台上的广泛使用为大众提供了更多的语音通信手段,对其安全性的研究,尤其是漏洞挖掘和漏洞成因的分析尤为重要。考虑到Android VoIP实现的复杂性,漏洞挖掘方法采用了模...网络语音电话(Voice over Internet Protocol,VoIP)技术在Android平台上的广泛使用为大众提供了更多的语音通信手段,对其安全性的研究,尤其是漏洞挖掘和漏洞成因的分析尤为重要。考虑到Android VoIP实现的复杂性,漏洞挖掘方法采用了模糊测试和代码审计两种方法,系统性地挖掘潜在漏洞。研究中共发现9个安全漏洞,涵盖了多种类型,且均得到厂商确认与致谢。分析表明,这些漏洞源于代码实现的复杂性和不一致性。研究结果强调了对Android VoIP安全性进行审查的必要性,为后续的安全增强提供了指导,同时也对研究中的改进方向进行了展望。展开更多
基金This work was supported by the Universities Natural Science Research Project of Jiangsu Province under Grant 20KJB520026the Natural Science Foundation of Jiangsu Province under Grant BK20180821.
文摘With the rapid development of information technology,audit objects and audit itself are more and more inseparable from software.As an important means of software security audit,code security audit will become an important aspect of future audit that cannot be ignored.However,the existing code security audit ismainly based on source code,which is difficult to meet the audit needs of more and more programming languages and binary commercial software.Based on the idea of normalized transformation,this paper constructs a cross language code security audit framework(CLCSA).CLCSA first uses compile/decompile technology to convert different highlevel programming languages and binary codes into normalized representation,and then usesmachine learning technology to build a cross language code security audit model based on normalized representation to evaluate code security and find out possible code security vulnerabilities.Finally,for the discovered vulnerabilities,the heuristic search strategy will be used to find the best repair scheme from the existing normalized representation sample library for automatic repair,which can improve the effectiveness of code security audit.CLCSA realizes the normalized code security audit of different types and levels of code,which provides a strong support for improving the breadth and depth of code security audit.
文摘网络语音电话(Voice over Internet Protocol,VoIP)技术在Android平台上的广泛使用为大众提供了更多的语音通信手段,对其安全性的研究,尤其是漏洞挖掘和漏洞成因的分析尤为重要。考虑到Android VoIP实现的复杂性,漏洞挖掘方法采用了模糊测试和代码审计两种方法,系统性地挖掘潜在漏洞。研究中共发现9个安全漏洞,涵盖了多种类型,且均得到厂商确认与致谢。分析表明,这些漏洞源于代码实现的复杂性和不一致性。研究结果强调了对Android VoIP安全性进行审查的必要性,为后续的安全增强提供了指导,同时也对研究中的改进方向进行了展望。