王蕾,李丰,李炼,冯晓兵.污点分析技术的原理和实践应用.软件学报,2017,28(4):860-882 |
污点分析技术的原理和实践应用 |
Principle and Practice of Taint Analysis |
投稿时间:2016-06-18 修订日期:2016-09-08 |
DOI:10.13328/j.cnki.jos.005190 |
中文关键词: 污点分析 信息流分析 软件安全 静态分析与动态分析 Android Web |
英文关键词:taint analysis information flow analysis software security static and dynamic analyses Android Web |
基金项目:国家自然科学基金(61303053,61402303) |
|
摘要点击次数: 3529 |
全文下载次数: 9174 |
中文摘要: |
信息流分析可以有效保证计算机系统中信息的保密性和完整性,污点分析作为其实践,被广泛用于软件系统的安全保障技术领域.对近些年来面向解决应用程序安全问题的污点分析技术进行综述:首先,总结了污点分析的基本原理以及在应用中的通用技术,即,使用动态和静态的方法解决污点传播;随后,分析该技术在移动终端、互联网平台上的应用过程中遇到的问题和解决方案,包括解决Android应用隐私泄露与检测Web系统安全漏洞的污点分析技术;最后,展望该技术的研究前景和发展趋势. |
英文摘要: |
Information flow analysis is a promising approach for protecting the confidentiality and integrity of information manipulated by computing systems. Taint analysis, as in practice, is widely used in the area of software security assurance. This survey summarizes the latest advances on taint analysis, especially the solutions applied in different platform applications. Firstly, the basic principle of taint analysis is introduced along with the general technology of taint propagation implemented by dynamic and static analyses. Then, the proposals applied in different platform frameworks, including techniques for protecting privacy leakage on Android and finding security vulnerabilities on Web, are analyzed. Lastly, further research directions and future work are discussed. |
HTML 下载PDF全文 查看/发表评论 下载PDF阅读器 |