-
摘要:
针对软件缺陷与软件安全漏洞研究中存在的概念混淆问题,对DevSecOps框架下的软件安全漏洞生存期进行研究。基于软件安全漏洞生存期引入漏洞的4种情况,结合漏洞的特点提出软件安全漏洞模式定义,并采用本体方法进行表示。本体是概念化明确的规范说明,能够解决软件安全漏洞研究领域存在的二义性、不一致性、难以共享,以及由分析知识分散所导致的对人员知识和经验过度依赖的问题。以软件安全漏洞模式的分析为基础,兼顾宏观事件表现,构造漏洞分析的3层模型,即事件表示层、行为动作层和漏洞技术层。实例应用所构模型的层次结构实施渗透测试,包括安全风险分析、威胁建模、漏洞分析及渗透攻击等。实验结果表明:基于所提软件安全漏洞模式本体库的改进渗透测试具有科学性和有效性。
Abstract:This paper studies the lifetime of software security vulnerabilities under the DevSecOps framework aiming at the conceptual confusion problem of research on software errors and software security vulnerabilities. This work provides a definition of software security vulnerability pattern together with vulnerability characteristics, and uses ontology to represent it. It is based on four scenarios of introducing vulnerabilities in the life cycle of software security vulnerabilities. An ontology is an explicit specification of a conceptualization, which can solve the problems of ambiguity, inconsistency, difficulty in sharing, and excessive dependence on personnel knowledge and experience caused by the dispersion of analysis knowledge in the field of software security vulnerability research. A three-layer model for vulnerability analysis is built, comprising the event representation layer, behavior action layer, and vulnerability technology layer, based on the study of software security vulnerability patterns and accounting for the macro event performance. The example application implements penetration testing according to the hierarchical structure of the bulit model, including security risk analysis, threat modeling, vulnerability analysis, and penetration attacks. The experimental results show that the improved penetration testing method based on the software security vulnerability pattern ontology library proposed in this paper is scientific and effective.
-
Key words:
- software error /
- software security vulnerabilities /
- pattern /
- ontology /
- penetration testing
-
图 1 软件缺陷、软件安全漏洞和软件故障间的关系模型
Figure 1. Relational model of software errors, software security vulnerabilities and software faults
图 2 以需求/设计阶段引入漏洞为例的软件安全漏洞生存期模型
Figure 2. Software security vulnerability lifetime model as an example of introduction of vulnerabilities in requirements/design phase
图 3 软件安全漏洞表现形式类层次结构
Figure 3. Class hierarchy of software security vulnerabilities manifestation
图 6 SQL执行漏洞模式漏洞利用链
Figure 6. Vulnerability exploitation chain of SQL execution vulnerability pattern
图 13 以软件安全漏洞为核心的概念和关联关系的本体表示
Figure 13. Ontology representation of concepts and relationships with software security vulnerabilities as core
图 14 IoT系统基于漏洞分析3层模型的威胁建模
Figure 14. IoT system threat modeling based on a three-layer model of vulnerability analysis
图 15 对应图13的工具调用命令和参数截图
Figure 15. Screenshot of Tool call commands and parameters corresponding to Fig.13
表 1 软件安全漏洞分类方法比较
Table 1. Comparison of software security vulnerabilities classification methods
分类方法 特点 不足 CWE 社区开发的常见软件和硬件安全弱点列表;是弱点识别、缓解
和预防工作的基准①将软件漏洞和硬件漏洞混杂在一起,降低了信息的有效性,并容易造成二义性和不一致性问题;②仅关注漏洞本身,缺乏对整个漏洞利用链的描述和分析;③缺乏对漏洞解决方案的描述 CVE 包含了已知漏洞和安全缺陷的标准化名称的概念字典表 ①分类较为粗糙,无法对软件安全漏洞进行精准识别和分类,并容易造成二义性和不一致性问题;②仅关注漏洞本身,缺乏对整个漏洞利用链的描述和分析;③针对漏洞的解决方案较为宏观,缺乏漏洞机理层的分析 SSVP 对代码层面软件安全漏洞结构化的分类和描述;组成元素的多
视角(测试者、使用者(包括攻击者)、开发者),提升了完备性;通
过将分类漏洞中的语义信息转化为度量,能及时为开发人员提
供反馈,并能指导安全漏洞修正①仅考虑了代码层面的软件安全漏洞,范围较为局限;②在未来的自动化分析过程中由于涉及到漏洞利用链分析,可能导致路径爆炸问题,从而影响资源占用率和性能 
下载: 导出CSV
表 2 IoT系统安全风险分析
Table 2. IoT system security risk analysis
风险类型 攻击点 攻击面 硬件风险 部署环境 攻击者进行盗窃、破坏;恶劣温、湿度环境;信号干扰或屏蔽 供电能力 供电可靠性不足以支撑正常运行 设备接口 存在闲置的外部接口,如联合测试工作组(joint test action group,JTAG)串口、通用异步收发器(universal asynchronous receiver/transmitter,UART)串口、晶体管-晶体管逻辑(transistor transistor logic,TTL)串口等,攻击者可以转储/重新编程闪存 接入风险 接入认证 基于媒体存取控制(media access control,MAC)或网络身份标识的身份鉴别机制失效 访问控制 终端访问控制策略不严格,造成非授权访问或控制;绕过认证环节进行远程控制;篡改用户标识实现越权访问 通信风险 保密性 敏感信息/密钥明文传输或将敏感信息/密钥明文写在固件中;安全套接层(secure sockets layer,SSL)/传输层安全(transport layer security,TLS)不可用或配置不当;有线等效保密(wired equivalent privacy,WEP)密码破解;Wi-Fi网络安全接入(Wi-Fi protected access,WPA)/WPA2爆破;个人身份识别码(personal identification number,PIN)穷举攻击(Wi-Fi保护设置(Wi-Fi protected setup,WPS)破解) 完整性 缺乏完整性校验,攻击者通过截取数据后,篡改重放 系统风险 身份鉴别 存在用户标识或身份冒用,身份鉴别存在弱口令或空口令 权限控制 存在不同用户未严格限制数据的读、写、可执行权限 固件升级 固件存在隐藏后门;远程发布恶意更新指令;固件未进行安全测试;无法验证固件合法性或真实性;固件不支持升级
功能数据风险 数据保密性 非授权用户非法取得信息导致终端本地存储的敏感或隐私信息泄露 数据完整性 恶意篡改、破坏信息输入和传输过程导致数据源无法追溯、校验 数据可用性 合法用户对信息和资源的使用被不当拒绝导致终端采集或监控的数据传输过程超
出规定造成失效
下载: 导出CSV
-
[1] DENNING D E R. Cryptography and data security[M]. Boston: Addison-Wesley, 1982: 191-265. [2] LONGLEY D, SHAIN M, CAELLI W. Information security: Dictionary of concepts, standards and terms[M]. New York: Macmillan, 1992: 9-23. [3] BISHOP M, BAILEY D. A critical analysis of vulnerability taxonomies: CSE-96-11 [R]. Davis: Department of Computer Science at the University of California at Davis, 1996: 1-15. [4] KISSEL R. Glossary of key information security terms: NIST IR 7298 Revision 2[R]. Gaithersburg: NIST, 2013: 212-213. [5] 国家市场监督管理总局, 国家标准化管理委员会. 信息安全技术 术语: GB/T25069—2010 [S]. 北京: 中国标准出版社, 2011: 42-43.State Administration for Market Regulation, Standardization Administration of the People’s Republic of China. Information security technology-glossary : GB/T25069—2010 [S]. Beijing: Standards Press of China, 2011: 42-43(in Chinese). [6] SHIREY R. Internet security glossary, version 2: FYI, RFC 4949[R]. Virginia: Network Working Group, 2007: 333-334. [7] 袁子牧, 肖扬, 吴炜, 等. 知识、探索与状态平面组织的软件漏洞分析架构研究[J]. 信息安全学报, 2019, 4(6): 10-33.YUAN Z M, XIAO Y, WU W, et al. Research on the software vulnerability analysis architecture with the knowledge, exploration and state plane[J]. Journal of Cyber Security, 2019, 4(6): 10-33 (in Chinese). [8] SHAHMEHRI N, MAMMAR A, DE OCA E M, et al. An advanced approach for modeling and detecting software vulnerabilities[J]. Information and Software Technology, 2012, 54(9): 997-1013. doi: 10.1016/j.infsof.2012.03.004 [9] WANG J, GUO M M, CAMARGO J. An ontological approach to computer system security[J]. Information Security Journal: A Global Perspective, 2010, 19(2): 61-73. doi: 10.1080/19393550903404902 [10] 慕冬亮. 软件漏洞发现、识别及诊断技术的研究[D]. 南京: 南京大学, 2019: 1-2.MU D L. A research on vulnerability discovery, identification and diagnosis[D]. Nanjing: Nanjing University, 2019: 1-2(in Chinese) . [11] BASS L, WEBER I, ZHU L. DevOps: A software architect’s perspective[M]. New Jersey: Addison-Wesley Professional, 2015: 80-105. [12] KIM G, HUMBLE J, DEBOIS P, 等. DevOps实践指南[M]. 刘征, 王磊, 马博文, 等, 译. 北京: 人民邮电出版社, 2018: 4-22.KIM G, HUMBLE J, DEBOIS P, et al. The DevOps handbook[M]. Translated by PLIU Z, WANG L, MA B W, et al, Beijing: osts&telecom Press, 2018: 4-22(in Chinese). [13] MACDONALD N, HEAD I. DevSecOps: How to seamlessly integrate security into DevOps[EB/OL]. (2016-09-30)[2022-06-27]. https://www.gartner.com/en/documents/3463417/devsecops-how-to-seamlessly-integrate-security-into-devo. [14] 徐仁佐. 基于软件知识的测试方法[J]. 武汉大学学报(自然科学版), 2000, 46(1): 61-62.XU R Z. The testing method based on software knowledge[J]. Wuhan University Journal (Natural Science Edition), 2000, 46(1): 61-62 (in Chinese). [15] ALEXANDER C. The timeless way of building[M]. New York: Oxford University Press, 1979: 246-248. [16] 国家市场监督管理总局, 国家标准化管理委员会. 信息安全技术 网络安全漏洞分类分级指南: GB/T 30279—2020[S]. 北京: 中国标准出版社, 2020: 1-5.State Administration for Market Regulation, Standardization Administration of the People’s Republic of China. Information security technology—Guidelines for categorization and classification of cybersecurity vulnerability: GB/T 30279—2020[S]. Beijing: Standards Press of China, 2020: 1-5(in Chinese). [17] 张雪芹, 徐金瑜, 顾春华. 基于本体的信息安全漏洞关联分析[J]. 华东理工大学学报(自然科学版), 2014, 40(1): 125-131. doi: 10.3969/j.issn.1006-3080.2014.01.022ZHANG X Q, XU J Y, GU C H. Information security vulnerability association analysis based on ontology technology[J]. Journal of East China University of Science and Technology (Natural Science Edition), 2014, 40(1): 125-131 (in Chinese). doi: 10.3969/j.issn.1006-3080.2014.01.022 [18] GRUBER T R. A translation approach to portable ontology specifications[J]. Knowledge Acquisition, 1993, 5(2): 199-220. doi: 10.1006/knac.1993.1008 [19] GRUBER T R. Toward principles for the design of ontologies used for knowledge sharing[J]. International Journal of Human-Computer Studies, 1995, 43(5-6): 907-928. doi: 10.1006/ijhc.1995.1081 [20] KUREYCHIK V M, SAFRONENKOVA I B. Ontology-based approach to design problem formalization[C]//Proceedings of the International Seminar on Electron Devices Design and Production. Piscataway: IEEE Press, 2019: 1-5. [21] 李霖, 王红. 基于形式化本体的基础地理信息分类[J]. 武汉大学学报(信息科学版), 2006, 31(6): 523-526.LI L, WANG H. Classification of fundamental geographic information based on formal ontology[J]. Geomatics and Information Science of Wuhan University, 2006, 31(6): 523-526 (in Chinese). [22] HU X, LIU J. Ontology construction and evaluation of UAV FCMS software requirement elicitation considering geographic environment factors[J]. IEEE Access, 2020, 8: 106165-106182. doi: 10.1109/ACCESS.2020.2998843 [23] HAMDULLA A, YILAHUN H, ABDURAHMAN K, et al. A hierarchical clustering based relation extraction method for domain ontology[C]//Proceedings of the 9th International Symposium on Parallel Architectures, Algorithms and Programming. Piscataway: IEEE Press, 2018: 36-40. [24] NICKERSON C, KENNED D, SMITH E, et al. Penetration testing execution standard[EB/OL]. (2014-08-16)[2024-06-27]. http://www.pentest-standard.org/index.php/Main_Page. [25] MORAIS S V, DE SÁ A O, RUST L F, et al. Malicious traffic description: Toward a data model for mitigating security threats to home IoT[J]. IEEE Communications Standards Magazine, 2021, 5(3): 48-55. doi: 10.1109/MCOMSTD.011.2100011 [26] 孙跃, 司冠林, 徐小天, 等. 电力物联网终端设备渗透测试技术研究[C]//全国智能用电工程建设经验交流会论文集. 湛江: 中国会议, 2020: 19-22.SUN Y, SI G L, XU X T, et al. Research on penetration testing technology of power IoT terminal equipment[C]//Proceedings of the National Intelligent Electricity Engineering Construction Experience Exchange Conference. Zhanjiang: China Conference, 2020: 19-22(in Chinese). [27] 中国信息通信研究院. 物联网安全态势综述[J]. 保密科学技术, 2018(9): 12-20.China Academy of Information and Communications Technology. Overview of internet of things security situation[J]. Secrecy Science and Technology, 2018(9): 12-20(in Chinese). [28] 王海峰, 李朝阳, 吕政权, 等. 泛在电力物联网环境下网络安全攻击研究[J]. 浙江电力, 2019, 38(12): 76-81.WANG H F, LI Z Y, LYU Z Q, et al. Survey on cyber attack in the context of ubiquitous power Internet of Things[J]. Zhejiang Electric Power, 2019, 38(12): 76-81 (in Chinese). -
下载:
点击查看大图
计量
- 文章访问数: 251
- HTML全文浏览量: 109
- PDF下载量: 8
- 被引次数: 0
