
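A Method for Automatic Analysis and Localization of Software Vulnerabilities
Cite this article: WANG Tong-Lei, CHEN Chao-Hui. A Method for Automatic Analysis and Localization of Software Vulnerabilities[J]. 空间控制技术与应用 (Aerospace Control and Application), 2018, 44(2): 73.
Authors: WANG Tong-Lei (王同磊), CHEN Chao-Hui (陈朝晖)
Institution: Beijing Institute of Control Engineering (北京控制工程研究所), Beijing 100190.
Abstract: To better meet the high-reliability requirements of the many kinds of embedded software used in the aerospace field, a method for automatically analyzing and localizing software vulnerabilities is designed. The method is based on program slicing and improves the existing forward-computation dynamic slicing algorithm. It uses dynamic program slices to collect dynamic information while the program runs, constructs a program slice spectrum, defines statistics that compute a vulnerability suspiciousness score for each program statement, and generates a vulnerability localization report. Once a vulnerability has been found in the software, the method automatically analyzes and localizes the root cause in the program code that leads to it. An automatic software vulnerability localization tool was designed and developed based on this method and validated on examples; the experiments demonstrate the method's effectiveness.

Keywords: software vulnerability; program slicing; program spectrum; vulnerability localization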

A Method of Analyzing and Localizing Software Vulnerability Automatically
WANG Tong-Lei, CHEN Chao-Hui. A Method of Analyzing and Localizing Software Vulnerability Automatically[J]. Aerospace Control and Application, 2018, 44(2): 73.
Authors: WANG Tong-Lei, CHEN Chao-Hui
Institution: Beijing Institute of Control Engineering, Beijing 100190, China.
Abstract: To meet the high-reliability requirements of the many kinds of embedded software used in the aerospace field, a method is designed to analyze and localize software vulnerabilities automatically. Based on program slicing and an improved forward-computation dynamic slicing algorithm, the method first collects dynamic information at run time using dynamic slicing; it then constructs the program slice spectrum and uses statistics to calculate the likelihood that each sliced statement is vulnerable; finally, it reports the vulnerability localization result. After a vulnerability has been discovered in the software, the method can analyze and localize the root cause of that vulnerability. We developed a tool to test this method, and the experiment proves its effectiveness.
Keywords: software vulnerability; program slice; program spectrum; vulnerability localization
This article is indexed in CNKI and other databases.