JOURNAL OF ZHEJIANG UNIVERSITY(ENGINEERING SCIENCE)
2015, Issue 4, pp. 683-691 (9 pages)
vulnerability detection; static analysis; information flow tracking; dataflow analysis; input validation; FindBugs; Web application
An approach based on static information flow tracking is proposed to detect input validation vulnerabilities, with the aim of reducing the false positive rate of vulnerability detection techniques based on static analysis. The approach was implemented on top of the static code analysis tool FindBugs, and its detection precision and performance were evaluated. Experimental results show that the approach can effectively detect input validation vulnerabilities, and that it reduces the false positive rate of FindBugs's input validation vulnerability detection by 55.7% without significantly slowing performance.