CN102622299A - Working method of software detection system - Google Patents
Working method of software detection system Download PDFInfo
- Publication number
- CN102622299A CN102622299A CN2012100541075A CN201210054107A CN102622299A CN 102622299 A CN102622299 A CN 102622299A CN 2012100541075 A CN2012100541075 A CN 2012100541075A CN 201210054107 A CN201210054107 A CN 201210054107A CN 102622299 A CN102622299 A CN 102622299A
- Authority
- CN
- China
- Prior art keywords
- software
- code
- program
- plug
- leak
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 56
- 238000001514 detection method Methods 0.000 claims abstract description 14
- 238000004458 analytical method Methods 0.000 claims description 28
- 230000003068 static effect Effects 0.000 claims description 27
- 230000005540 biological transmission Effects 0.000 claims description 19
- 230000008569 process Effects 0.000 claims description 19
- 238000003909 pattern recognition Methods 0.000 claims description 10
- 238000012545 processing Methods 0.000 claims description 8
- 230000002123 temporal effect Effects 0.000 claims description 8
- 238000012544 monitoring process Methods 0.000 abstract description 11
- 238000006243 chemical reaction Methods 0.000 abstract description 2
- 238000005336 cracking Methods 0.000 abstract description 2
- 238000005303 weighing Methods 0.000 abstract 1
- 230000006870 function Effects 0.000 description 39
- 238000005516 engineering process Methods 0.000 description 12
- 238000005259 measurement Methods 0.000 description 9
- 238000004891 communication Methods 0.000 description 8
- 238000013461 design Methods 0.000 description 7
- 238000010586 diagram Methods 0.000 description 4
- 230000000694 effects Effects 0.000 description 3
- 238000007726 management method Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 230000008859 change Effects 0.000 description 2
- 238000000605 extraction Methods 0.000 description 2
- 230000010365 information processing Effects 0.000 description 2
- 238000007689 inspection Methods 0.000 description 2
- 230000002452 interceptive effect Effects 0.000 description 2
- 238000012423 maintenance Methods 0.000 description 2
- 230000007246 mechanism Effects 0.000 description 2
- 230000008520 organization Effects 0.000 description 2
- 230000008447 perception Effects 0.000 description 2
- 238000012360 testing method Methods 0.000 description 2
- 238000012546 transfer Methods 0.000 description 2
- PEDCQBHIVMGVHV-UHFFFAOYSA-N Glycerine Chemical compound OCC(O)CO PEDCQBHIVMGVHV-UHFFFAOYSA-N 0.000 description 1
- BQCADISMDOOEFD-UHFFFAOYSA-N Silver Chemical compound [Ag] BQCADISMDOOEFD-UHFFFAOYSA-N 0.000 description 1
- 230000009471 action Effects 0.000 description 1
- 238000005267 amalgamation Methods 0.000 description 1
- 238000012550 audit Methods 0.000 description 1
- 230000004888 barrier function Effects 0.000 description 1
- 230000008901 benefit Effects 0.000 description 1
- 230000015572 biosynthetic process Effects 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 239000008358 core component Substances 0.000 description 1
- 230000008878 coupling Effects 0.000 description 1
- 238000010168 coupling process Methods 0.000 description 1
- 238000005859 coupling reaction Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000009826 distribution Methods 0.000 description 1
- 230000005611 electricity Effects 0.000 description 1
- 239000000446 fuel Substances 0.000 description 1
- 230000008676 import Effects 0.000 description 1
- 230000005012 migration Effects 0.000 description 1
- 238000013508 migration Methods 0.000 description 1
- 238000010295 mobile communication Methods 0.000 description 1
- 238000011897 real-time detection Methods 0.000 description 1
- VEMKTZHHVJILDY-UHFFFAOYSA-N resmethrin Chemical compound CC1(C)C(C=C(C)C)C1C(=O)OCC1=COC(CC=2C=CC=CC=2)=C1 VEMKTZHHVJILDY-UHFFFAOYSA-N 0.000 description 1
- 239000000523 sample Substances 0.000 description 1
- 229910052709 silver Inorganic materials 0.000 description 1
- 239000004332 silver Substances 0.000 description 1
- 239000007787 solid Substances 0.000 description 1
- 238000003860 storage Methods 0.000 description 1
- 238000003786 synthesis reaction Methods 0.000 description 1
- 238000004454 trace mineral analysis Methods 0.000 description 1
Images
Abstract
The invention relates to a software detection method and a software detector and a software detection system using the method. The software detection method is used for detecting program flow information of utility software in operation in real time, model detection is used for judging whether a specific structure or a leak exists or not after code instrumentation of software to be detected, code execution tracks are found out, and then the program flow information is sent to a supervision node or a supervision network in a wireless or wired mode. The method can conduct real-time monitoring on the software operated inside a computer system in the legal supervision field. The software detection system forms a legal metering monitoring network to monitor use of metering tools, provides service and support for fast reaction of law enforcement and cracking of fake products. The method can detect specific objectives of back door programs, cheating commands and the like in electronic weighing instrument software or financial regulation software, and enables detected information to be transmitted to outside to enable a supervision authority to conduct real-time monitoring.
Description
The application is
On April 13rd, 2010The application number of submitting to does
201010146146.9, the name be called
The software probe and the software probe system of software probe method and this method of applicationDivide an application.
Technical field
The present invention relates to the network system of a kind of software probe technology and software probe device and software probe, specifically is a kind of software probe method that procedure information in the running software is surveyed and the software probe and the software probe system of this method of application.
Background technology
A large amount of the popularizing of computer systems and networks makes the whole world stride into the information age.But; Just since modern society in almost all in " computerize "; Management as in economic activity (produce, circulate, exchange, the consume) process is all moving based on computer system fully, and the core of computer system is " software ", that is to say all to be based on " software (program) " in operation; So from technological layer; If the operation to these softwares can not detect and monitor effectively, supervision will " lack " so, causes a hidden trouble for country or global finance and social safety.
At home, important legal system supervision field has tens, like finance (prison is supervised, protected to silver prison, card), and state-run assets, the tax, finance, audit, safety supervision, electricity are supervised, environment ... Deng.If the running software to these legal system supervision fields can not detect effectively, monitor, consequence is hardly imaginable.
In the quality inspection metering system, the legal system measuring products cheatings such as closely-related fuel charger, valuation scale, taximeter of living with the people take place again and again.On the one hand, owing to receive the restriction of software engineering means, the quality technical supervision enforcer of administration can't effectively obtain relevant cheating evidence, and illegal retailer and operator's punishment is lacked foundation, has damaged consumers in general's interests to a certain extent; On the other hand, because the principle of fair competition can seriously have been violated through software being carried out malicious modification or in software, leave back door to enlarge market outlet by illegal manufacturer.The target that legal system is measured supervisory network is the situation of the cheating on the face in the supervision use, mainly is Gonna breakthrough and the core technology of grasping software cheating detection (or title " software probe " or " software probe sensor ").So it is the real-time monitoring of carrying out from range and dynamically supervision, can be compared to be now at road traffic, the video camera that generally uses aspect keeping a lookout of public security surveys supervisory system, the operation that makes calling program by invisible, uncontrollable become visible controlled again.Therefore in legal system metering supervision field, how surveying " backdoor programs " and specific objectives such as " cheating password " in the electronic scale software, is the technical barrier of this area.
In " software test " field, the existing software automated test tool generally all is to carry out fault to follow the tracks of and detect in program inside both at home and abroad, and the information that will not follow the tracks of, detects is externally transmitted and sent.In " wireless sense network " field, " physical quantity " that existing sensors is often can only perception conventional or " chemistry amount ", can not the perception computing machine in the information of running software.Therefore, supervision department can't carry out real time monitoring to software.
Legal system measuring software detector characteristics of development and requirement have:
1, wants to gather and to send measurement instrument software identification information and sensor node identification information
Measurement instrument software identification information, the electronic identity information (ID-0) of the scale software that is equivalent to valuate; Software probe sensor node identification information just indicates the electronic identity information (ID-1) of software sensors itself.Can discern the true and false of measurement instrument software and software probe sensor node itself through comparison.
2, the cheating information in the time of will following the tracks of and send the measurement instrument use comprises:
The time and the quantity of
cheating: the cheating time comprise year, the moon, day, the time, branch, second; Cheating quantity, overproof ratio, etc.;
The amount of money of
cheating: comprise the amount of money of each cheating and the amount of money of accumulative total cheating.For law enforcement provides foundation;
The password of
cheating: the password that can lock cheating through trace analysis;
The person liable of
cheating: comprise volume coordinate point (province, city, district, place), the identity (organization mechanism code, identification card number) of monitored object, etc.;
The historical record of
cheating: cheating information can all be placed on record;
Management, protection and the security function that 3, will have measurement monitoring sensing net software probe sensor node self.
Summary of the invention
Technical matters to be solved by this invention provides and a kind ofly is used for " backdoor programs " of electronic scale software or financial supervision software and specific objectives such as " cheating password " is surveyed and with externally transmission and sending of the information that detects, so that the software probe method that supervision department can real time monitoring and the software probe and the software probe system of this method of application.
For solving the problems of the technologies described above, software probe method of the present invention comprises the steps:
A, start-up code plug-in mounting step; This step comprises: virtual execution tested software; Promptly the program source code to tested software carries out lexical analysis and grammatical analysis, and to identify feature code, this feature code comprises: variable, function, subroutine and OO class; Then the program circuit of said program source code is divided by data block; With the dividing data of the program structure that obtains explaining said tested software and static flow process and deposit in the static database, this static database prestores normal procedure structure and the static flow process that the function declaration book according to tested software obtains simultaneously; In said program source code, insert instrumentation code then corresponding to said feature code; Become executable program to the program source code compiling link that has inserted said instrumentation code at last; Said instrumentation code is one section code or function, is used to collect the dynamic data that generates when said executable program moves; This dynamic data comprises: function, subroutine call record; OO type message transmission, and program structure and control flow during the said tested software operation that constitutes by the message transmission of calling record and OO type of said function, subroutine;
B, pattern recognition step; This step is used for said executable program execution model is detected, that is: program structure and control flow when the tested software that the normal procedure structure that prestores in the said static database and static flow process and said instrumentation code is obtained moves compare; If the two unanimity judges that then said executable program is normal; Otherwise, then judge to have " particular structural " or " leak " in the said executable program; Said " particular structural " be meant with the incoherent variable of function declaration book of tested software, function, subroutine or type the message transmission; Said " leak " is meant the message transmission that lacks due variable, function, subroutine or class in the function declaration book tested software according to tested software;
C, after finding there be " particular structural " or " leak ", the execution pattern analytical procedure, this step is used to analyze the control flow of said executable program, carries out track to find out and to report the code that causes " particular structural " or " leak "; It is the program circuit that set constituted by a series of codes that cause execution " particular structural " or " leak " that this code is carried out track;
D, execution data processing and transmitting step; This step is used for carrying out track according to said code; Draw tested software and have the information of " particular structural " and/or " leak " and the temporal information and the number of run of operation thereof; Through wireless or wired mode, be transferred to supervisory node and/or supervisory network then.
Said instrumentation code is used for: the structured analysis of program module; Fault is followed the tracks of and fault processing; Multithread analyzing (for example: judge deadlock and share conflict etc.); Executing efficiency (for example: bottleneck analysis etc.) is analyzed; Initialization node, structure chained list form tested program and move needed data structure.
Said control flow is meant: virtual execution tested software; Promptly the program source code to tested software carries out lexical analysis and grammatical analysis; Identify feature code, then the control stream of said program source code is divided by piece, obtain the flow process of the procedure division data of said tested software.
Said static flow process is meant: become executable program to the program source code compiling link that has inserted said instrumentation code; Program circuit when moving the tested software operation that this executable program obtains.
Said program circuit also is static flow process.
For solving the problems of the technologies described above; The software probe of the above-mentioned software probe method of application of the present invention comprises: the detection controller that links to each other with the processor that is used to carry out said executable program, with survey wireless receiver and/or the cable data transceiver that controller links to each other; After said detection controller is found to have " particular structural " and/or " leak "; Carry out said pattern analysis step, then tested software is existed " particular structural " and/or " leak " information, and should " particular structural " and/or " leak " temporal information and the number of run of operation be sent to said supervisory node and/or supervisory network through said wireless receiver and/or cable data transceiver.
For solving the problems of the technologies described above, the software probe system of the above-mentioned software probe of application of the present invention comprises: as the host computer of said supervisory node, the supervision server system that links to each other with a plurality of said host computer that is distributed in different regions; Said host computer is used for being connected with communicating by letter through wireless and/or wired mode with a plurality of said software probe in the region.
For solving the problems of the technologies described above, hierarchical model is adopted in the software platform overall design of software probe of the present invention system, and the software systems layering, thereby restriction system changes the influence that brings.Each layer can be independent design, independent evolution, upgrading.This has just improved the flexible and stable of system greatly, can deal with changes in demand widely.
What hierarchical model was the most basic is three layer model, comprises presentation layer, logical layer and data Layer.Presentation layer is a message channel, and what logical layer provided should be a reality reflection, and data Layer provides the measurement of reality system.The such characteristics of the same embodiment of the logical model of application system, it has comprised the big level of displaying, data and applied logic.
Generally speaking, the layering of typical software systems is bottom-up is data Layer, data maintenance layer, data semantic layer, communication layers, applied logic layer successively, show logical layer, presentation layer.Such system has embodied the dirigibility and the stability of hierarchical model.
Data Layer: the data that can use various forms;
Data maintenance layer: then need safeguard, guarantee the quality of data to the logical storage form of each data;
The data semantic layer: then very flexibly, can carry out the extraction of data from a plurality of data sources, amalgamation and processing come the common semantic requirement of accomplishing.
Communication layers: the visit for data is used in communication control module control, also supports the visit for other application modules.Here scope check, scheduling of resource, case mechanism or the like have been comprised;
Applied logic layer: obtain the information that meets semantic requirements that semantic layer provides through communication control module.Below semantic layer, system handles all be data, just become information and crossed semantic layer.Whole information all is employed layer and uses, and preserves whole processing logics and applied logic here;
Show logical layer: determine here for certain type of visit, should use what mode to show, which informational needs is showed;
Presentation layer: real carries out with client or client alternately.More than the applied logic layer, logical message has become interactive information, here can encode, decodes, encrypts, processing such as deciphering.Simultaneously, can be according to client's displaying logic, add back(ing) board and interactive information merges processing or the like, finally be shown to the client at presentation layer by rights.
The software platform general frame of software probe system is compared with the software systems of general multi-layer framework, and characteristics are mainly at bottom, i.e. data Layer.
Compared with prior art, the present invention has the following advantages:
(1) software probe method of the present invention has been realized using the real-time detection of the program circuit information that software is in operation; After tested software is carried out code instrumentation; Detect through model, judge whether to exist " particular structural " or " leak ", and find out code and carry out track; Then said program circuit information is handled, adopted wireless or wired mode that this information is sent to supervisory node or supervisory network at last.
(2) the present invention can monitor the software of inside computer system operation in legal system supervision field in real time, can fast detecting arrive real data and information.As, can form " backdoor programs " and the specific objectives such as " cheating password " of legal system measurement monitoring network during measurement instrument is used and survey and real time monitoring, for the law enforcement rapid reaction of cracking down on counterfeit goods provides services and support; Can survey and with externally transmission and sending of the information that detects, so that supervision department can monitor and supervise in real time the running software that legal system is supervised the field.
(3) software probe system synthesis of the present invention software probe technology, embedded computing technique, modern network and wireless communication technology, distributed information processing etc.; Can probe software the information of operation; Through embedded system information is handled, and the running software information of surveying is sent to supervision layer or supervision center through communication network.
(4) wireless receiver that adopts of software probe is based on the data transmission module of TD or GSM, and it is made up of radio-frequency antenna, internal flash, TD or GSM BBP, coupling power supply and Zip socket.Wherein TD or GSM BBP are core components, are used for handling the AT instruction that external system sends over through serial ports.Its outside integrated standard RS232 interface, power interface, analogue audio frequency IO interface and SIM as long as the serial ports of its serial ports with PC or single-chip microcomputer linked to each other, just can order with AT be provided with it, and its traffic rate is 9600bps.The signal of mobile communication has almost been realized seamless covering at present, therefore, utilizes its complete network to carry out the focus that data transmission just becomes application.Adopt the communications setting of AT instruction carrying out between single-chip microcomputer and mobile module, select short message communication mode, can communicate by letter reliably at any time like this, and can save the cost and the network operation spending of wireless transmission with forms such as data, texts.Also can adopt other wireless data transceiving mode, for example frequency modulation, pulse signals etc.
Description of drawings
Fig. 1 is the exemplary block diagram of the software probe among the embodiment;
Fig. 2 is the exemplary block diagram of the code instrumentation subsystem among the embodiment;
Fig. 3 is the structure principle chart of the software probe among the embodiment;
Fig. 4 is the hardware platform general frame figure of the software probe system among the embodiment;
Fig. 5 is the software platform logical level Organization Chart of the software probe system among the embodiment;
Fig. 6 be among the embodiment before carrying out SUM-PRO.exe, the code tracking number of times is that 0 program is carried out synoptic diagram;
Fig. 7 is that the tracking data among the embodiment is carried out synoptic diagram by the program of automatically upgrading.
Embodiment
Be described further below in conjunction with Fig. 1-5 couple the present invention.
(embodiment 1)
Software probe method of the present invention comprises the steps:
A, start-up code plug-in mounting step; This step comprises: virtual execution tested software; Promptly the program source code to tested software carries out lexical analysis and grammatical analysis, and to identify feature code, this feature code comprises: variable, function, subroutine and OO class; Then the program circuit of said program source code is divided by data block; With the dividing data of the program structure that obtains explaining said tested software and static flow process and deposit in the static database, this static database prestores normal procedure structure and the static flow process that the function declaration book according to tested software obtains simultaneously; In said program source code, insert instrumentation code then corresponding to said feature code; Become executable program to the program source code compiling link that has inserted said instrumentation code at last; Said instrumentation code is one section code or function, is used to collect the dynamic data that generates when said executable program moves; This dynamic data comprises: function, subroutine call record; OO type message transmission, and program structure and control flow during the said tested software operation that constitutes by the message transmission of calling record and OO type of said function, subroutine;
B, pattern recognition step; This step is used for said executable program execution model is detected, that is: whether program structure and control flow when the normal procedure structure that prestores in the more said static database is moved with the tested software that static flow process and said instrumentation code are obtained be consistent; If the two unanimity judges that then said executable program is normal; Otherwise, then judge to have " particular structural " or " leak " in the said executable program; Said " particular structural " be meant with the incoherent variable of function declaration book of tested software, function, subroutine or type the message transmission; Said " leak " is meant the message transmission that lacks due variable, function, subroutine or class in the function declaration book tested software according to tested software;
C, after finding there be " particular structural " or " leak ", the execution pattern analytical procedure, this step is used to analyze the control flow of said executable program, carries out track to find out and to report the code that causes " particular structural " or " leak "; It is the program circuit that set constituted by a series of codes that cause execution " particular structural " or " leak " that this code is carried out track;
D, execution data processing and transmitting step; This step is used for carrying out track according to said code; Draw tested software and have the information of " particular structural " and/or " leak " and the temporal information and the number of run of operation thereof; Through wireless or wired mode, be transferred to supervisory node and/or supervisory network then.
Described code instrumentation step also comprises: be based upon the dynamic data library file of the said dynamic data that being used to of generating when carrying out said grammatical analysis produce when writing down and being kept at said executable program operation, comprise:
The DD file, the accumulative total number of run of the said feature code of each RP when being used to be recorded in said executable program operation, last number of run and working time information;
The DDC file, each is judged when being used to be recorded in said executable program operation, condition is once for true or be false data;
The DDH file, the historical data that whether the corresponding program statement of each RP moved when being used to be recorded in said executable program operation.
Said when carrying out lexical analysis, read in the source code file that needs plug-in mounting, identify terminal symbol (Token) and the needed information of Semantic Actions (like row number, the side-play amount of Token etc.), and pass to syntax analyzer.Simultaneously, lexical analyzer also deposits terminal symbol in symbol table; The Hash method is a kind of in the technology of tabling look-up, filling in a form and can both carry out at a high speed aspect two.Therefore, the symbol table that adopts the Hash technology to organize usually is the Hash symbol table; The grammer of the source program of syntax analyzer discriminance analysis inserts code, and generates various dynamic data library files: DD file, DDH file and DDC file on the plug-in mounting point of definition.In dynamic running process, the ruuning situation of source program just is recorded in these files.
Be example with the C language below, the code instrumentation subsystem 100 of source program described:
(1) analyzes C code project file (* .mak), obtain all C source files;
(2) for each C source files of program
The execution number of times of
statistics label post code, statistics will be saved in the DD file.
(3) be example with the plug-in mounting to conditional expression a||b&&c, this conditional expression is feature code, and it before plug-in mounting is: a||b&&c
Behind the plug-in mounting:
(((a)? The HUA_local-of (_ _>con [0] |=0xcc [annotating 1], 1)
: (_ _ HUA_local->con [0] |=0x33 [annotating 2], 0)) || ((b)
The HUA_local-of (_ _>con [1] |=0xcc [annotating 3], 1)
: (_ _ HUA_local->con [1] |=0x33 [annotating 4], 0)) && ((c))
The HUA_local-of (_ _>con [2] |=0xcc [annotating 5], 1)
: (_ _ HUA_local->con [2] |=0x33 [annotating 6], 0))
The HUA_local-of (_ _>con [3] |=0xcc [annotating 7], 1)
: (_ _ HUA_local->con [3] |=0x33 [annotating 8], 0)
[annotating 1] a once was true.
[annotating 2] a once was false.
[annotating 3] b once was true.
[annotating 4] b once was false.
[annotating 5] c once was true.
[annotating 6] c once was false.
[annotating 7] whole a||b&&c once was true.
[annotating 8] whole a||b&&c once was false.
In the said code instrumentation step, when identifying feature code, generate the plug-in mounting information chained list simultaneously; In said program source code, insert instrumentation code according to this plug-in mounting information chained list then corresponding to said feature code; Said position according to plug-in mounting information chained list plug-in mounting source program comprises: plug-in mounting source files of program head, plug-in mounting function head, plug-in mounting conditional expression, plug-in mounting control flow statement and plug-in mounting labelled statement.
Be example with the VB language below, the plug-in mounting information chained list that generates when identifying feature code in the pattern analysis step is described:
(1) major function
The pattern analysis subsystem of C Plus Plus is realized with the static library program.The effect of static library program is to handle relevant operation to file, comprise check file existence whether, the statistics in the internal memory is write file etc.
Because VB language call dynamic link library is relatively convenient, the pattern analysis subsystem of VB language is realized with dynamic link library.The effect of dynamic link library is:
Initialization node, structure chained list form and are moved needed data structure by routine analyzer.
When calling dynamic link library first, hang up the function that to carry out when being withdrawed from by routine analyzer.
Whether the file that inspection is used for preserving statistics exists.
Statistics in the internal memory is write file.
(2) entering of dynamic link library and withdrawing from
In Windows operating system; Calling dynamic link library has a characteristic to utilize; Here it is when the program of calling dynamic link library or thread are out of service; Meeting release is quoted dynamic link library, in dynamic link library, can know this incident, the operation of user's appointment when withdrawing from.Concerning the plug-in mounting program, when program withdrawed from, the operation that should carry out was to call built-in function the data in the internal memory are write in the file.
A kind of in addition know by routine analyzer withdraw from, the method for operating of user's appointment when withdrawing from is as C Plus Plus; The function that will carry out when withdrawing from hangs on the functional-link that withdraws from execution; When but this operation is called Dynamic Link Library Function first by routine analyzer (Process attach); Accomplished by dynamic link library, specific practice is following:
(3) output function introduction
RegistLocalNode()
The registration local node; Mainly be operating as: distribute the internal memory of a node,, distribute to cover the internal memory of surveying array and condition detection array according to the internal memory of the parameter allocate file pathname that imports into; The node chain on detection data node chain, is returned the memory address of the node of distribution.Function declaration is following:
HUADLL_API?struct__03HUA_record*_stdcall?RegistLocalNode(
char*src_file,char*ddfile,char*confile,
int?rp_no,unsigned?int?con_num,unsigned?int?deci_rp_num)
SetCurrentDD()
Tell the source files of program of the current operation of dynamic link library, parameter _ _ node address that HUA_local the time returns for registration.Function declaration is:
HUADLL_API?void_stdcall?SetCurrentDD(struct__03HUA_record*__HUA_local);
CountRP()
Accumulative total covers sensing point, and parameter p Node surveys array place node address for covering, and No is the numbering of sensing point, i.e. the numbering of array element.Function declaration is:
HUADLL_API?void_stdcall?CountRP(struct__03HUA_record*pNode,unsigned?int?No);
CountCP()
Statistical condition sensing point, parameter p Node are that condition is surveyed array place node address, and No is the numbering of sensing point, i.e. the numbering of array element, and Cond is a condition.Function declaration is:
HUADLL_API?void_stdcall?CountCP(
struct__03HUA_record*pNode,unsigned?int?No,bool?Cond);
Said pattern recognition type analysis comprises the pattern-recognition of normal type and the pattern-recognition of particular type.
The pattern-recognition of said normal type is used for said executable program execution model is detected; That is: program structure and control flow during the tested software operation of the normal procedure structure that prestores in the said static database and static flow process and said instrumentation code being obtained compare, to judge whether have program structure and control flow in the said executable program normal.
The pattern-recognition of said specific type is used for said executable program execution model is detected; That is: program structure and control flow during the tested software operation of the normal procedure structure that prestores in the said static database and static flow process and said instrumentation code being obtained compare, to judge whether there be " particular structural " and " leak " in the said executable program.
Said " particular structural " be meant with the incoherent variable of function declaration book of tested software, function, subroutine or type the message transmission; Said " leak " is meant the message transmission that lacks due variable, function, subroutine or class in the function declaration book tested software according to tested software.
The coding that in the code of plug-in mounting, just includes the characteristic information that inserts code reads this coding and decodes and just can reduce the characteristic information of plug-in mounting code.
The step of said pattern-recognition comprises: the program node detection mode is analyzed and the program segment detection mode is analyzed, and is used for the program circuit of said program source code is analyzed by data block, marks off said data block then.
The analysis of said program node detection mode comprises: the entrance of judgement and exit point, if ... The entrance and the exit point of the entrance of the else in the else statement and exit point, the entrance that is connected and exit point and program element;
The analysis of said program segment detection mode is meant two program statement sequences between continuous program branches point; Said program branches point comprises: the position between program node and unconditional transfer statement and next the bar statement; So-called unconditional transfer statement is an example with the C Plus Plus, is exactly these quasi-sentences such as goto statement, return statement, break statement and continue statement.
When pattern-recognition, in internal memory each of a program comprise the source files of program of function all corresponding a node, the data structure of node is:
Below to survey the if statement be example through inserting instrumentation code:
One, the if statement source code program before not having the plug-in mounting instrumentation code is following:
Two, the above-mentioned if statement code program after the plug-in mounting instrumentation code is following:
Below be example through inserting instrumentation code probe function head:
One, there is not the preceding function source code of plug-in mounting:
Two, the function head program in machine code after the plug-in mounting instrumentation code:
(embodiment 2)
A kind of software probe of using above-mentioned software probe method comprises: the detection controller that links to each other with the processor that is used to carry out said executable program, with survey wireless receiver and/or the cable data transceiver that controller links to each other; After said processor is found to have " particular structural " or " leak "; Carry out said pattern analysis step; Then tested software is existed " particular structural " and/or " leak " information, and should " particular structural " and/or " leak " temporal information and the number of run of operation be sent to said detection controller, survey that there is the information of " particular structural " and/or " leak " through said wireless receiver and/or cable data transceiver in controller with said tested software and the temporal information and the number of run that move reach said supervisory node and/or supervisory network.
(embodiment 3)
A kind of software probe system that uses above-mentioned software probe comprises: as the host computer of said supervisory node, the supervision server system that links to each other with a plurality of said host computer that is distributed in different regions; Said host computer is used for being connected with communicating by letter through wireless and/or wired mode with a plurality of said software probe in the region.
See that Fig. 4 is the hardware platform general frame figure of the software probe system among the embodiment.
A kind of overall system software architecture design of using the software probe system of above-mentioned software probe is made up of following three parts: detector (claiming " extraction apparatus subsystem ", single-chip microcomputer in an embodiment), supervision host computer (PC), filesystem server.Its overall system software architecture design is as shown in Figure 5.
A kind of server end design of using the software probe system of above-mentioned software probe comprises: system server terminal is used to supervise information processing; And for supervising host computer node (host computer subsystem; Client) Web Service based on the XML-RPC interface is provided, overall architecture has been used the MVC framework Symfony based on PHP, this framework is ripe, flexibly, extendability is strong; Be applicable to the exploitation of large scale system, for server-side system provides solid stable basis.
Database design has adopted the ORM technology based on Propel that Symfony provides, and makes the programmer can use OO method that database is conducted interviews, and constructing SQL code by hand not, this has also stopped the danger that SQL injects.
Propel has used the PDO module of PHP in addition, and this can be so that the operation of database and database engine be separate, thus migration data storehouse easily.For example; We use the database based on SQLite 3.x when test; And in practice, only need revise the configuration file of database, just can use other data base management system (DBMS) such as MySQL; Oracle and SQLServer replace it, need not make any modification to code itself.
The configuration that Propel comes descriptive data base with an XML file dynamically generates a PHP class relevant with database object then, and we just can directly use this type to come database has been operated then.In Symfony; The automatic major key of the general of the field of mark id by name as database table; The attribute that has AUTO_INCREMENT simultaneously; The field name that stops after in the name with id being will be automatically as the external key of database table, and created_at is used to preserve the time when creating record then as timestamp.These all are the acquiescence agreements of database design, and in Symfony, simplify, and make the not only easy but also standard of establishment of database.
System can provide directly to database increase, delete, change, look into operation, the database access of use authority as required, the user who has only login and obtain the database access authority could operate database accordingly.
(software probe program trace example 1)
SUM-PRODUCT is an example procedure with the C++ programming, and it requires input three integer variable Low, High and Max.These integer values can not be for negative, otherwise, will export an error message; And when SUM-PRODUCT accepts three integer values, Low in the High scope to each digital K (but it can not greater than Max), the value of output K+K and K*K; If the value of high-end (High) is less than the value of low side (Low), program directly finishes, and has no output.
We can move by trace routine through the input data, carry out comprehensive, multi-level monitoring.
1, example procedure source code
This SUM-PRO.cpp source code listing is following:
2, the original state before the operation
Before carrying out SUM-PRO.exe, the code tracking number of times is 0, reflects as shown in Figure 6.
Visible by Fig. 6: all unit are not all followed the tracks of and anti-showing.
3, program time operation is followed the tracks of
Under suitable catalogue, squeeze into SUM-PRO.exe immediately, remove to carry out example procedure:
c:>\SUM-PRO\SUM-PRO.exe
Enter?positive?integers?Low,HIGH,and?Max:2?8?0
Through example procedure SUM-PRO, italicized character is shown, and outstanding above characters displayed is by input immediately.Tracking data is automatically upgraded, and is as shown in Figure 7.
The above embodiment of the present invention is merely explains giving an example that the present invention did, and embodiment of the present invention is not limited thereto.The modification of doing for belonging under spirit of the present invention and the principle, combination, simplification, substitute etc. is the equivalence replacement, all still is included within protection scope of the present invention.
Claims (3)
1. a software probe method is characterized in that comprising the steps:
A, start-up code plug-in mounting step; This step comprises: virtual execution tested software; Promptly the program source code to tested software carries out lexical analysis and grammatical analysis, and to identify feature code, this feature code comprises: variable, function, subroutine and OO class; Then the program circuit of said program source code is divided by data block; With the dividing data of the program structure that obtains explaining said tested software and static flow process and deposit in the static database, this static database prestores normal procedure structure and the static flow process that the function declaration book according to tested software obtains simultaneously; In said program source code, insert instrumentation code then corresponding to said feature code; Become executable program to the program source code compiling link that has inserted said instrumentation code at last; Said instrumentation code is used to collect the dynamic data that generates when said executable program moves; This dynamic data comprises: function, subroutine call record; OO type message transmission, and program structure and control flow during the said tested software operation that constitutes by the message transmission of calling record and OO type of said function, subroutine;
B, pattern recognition step; This step is used for said executable program execution model is detected, that is: program structure and control flow when the tested software that the normal procedure structure that prestores in the said static database and static flow process and said instrumentation code is obtained moves compare; If the two unanimity judges that then said executable program is normal; Otherwise, then judge to have " particular structural " or " leak " in the said executable program; Said " particular structural " be meant with the incoherent variable of function declaration book of tested software, function, subroutine or type the message transmission; Said " leak " is meant the message transmission that lacks due variable, function, subroutine or class in the function declaration book tested software according to tested software;
C, after finding there be " particular structural " or " leak ", the execution pattern analytical procedure, this step is used to analyze the control flow of said executable program, carries out track to find out and to report the code that causes " particular structural " or " leak "; It is the program circuit that set constituted by a series of codes that cause execution " particular structural " or " leak " that this code is carried out track;
D, execution data processing and transmitting step; This step is used for carrying out track according to said code; Draw tested software and have the information of " particular structural " and/or " leak " and the temporal information and the number of run of operation thereof; Through wireless or wired mode, be transferred to supervisory node and/or supervisory network then;
Said control flow is meant: virtual execution tested software; Promptly the program source code to tested software carries out lexical analysis and grammatical analysis; Identify feature code, then the control stream of said program source code is divided by piece, obtain the flow process of the procedure division data of said tested software;
Said static flow process is meant: become executable program to the program source code compiling link that has inserted said instrumentation code; Program circuit when moving the tested software operation that this executable program obtains;
Described code instrumentation step also comprises: be based upon the dynamic data library file of the said dynamic data that being used to of generating when carrying out said grammatical analysis produce when writing down and being kept at said executable program operation, comprise:
The DD file, the accumulative total number of run of the said feature code of each RP when being used to be recorded in said executable program operation, last number of run and working time information;
The DDC file, each is judged when being used to be recorded in said executable program operation, condition is once for true or be false data;
The DDH file, the historical data that whether the corresponding program statement of each RP moved when being used to be recorded in said executable program operation;
In the said code instrumentation step, when identifying feature code, generate the plug-in mounting information chained list simultaneously; In said program source code, insert instrumentation code according to this plug-in mounting information chained list then corresponding to said feature code; Said position according to plug-in mounting information chained list plug-in mounting source program comprises: plug-in mounting source files of program head, plug-in mounting function head, plug-in mounting conditional expression, plug-in mounting control flow statement and plug-in mounting labelled statement.
2. use the method for work that aforesaid right requires the software probe of 1 described software probe method for one kind, it is characterized in that software probe comprises: the detection controller that links to each other with the processor that is used to carry out said executable program, with survey wireless receiver and/or the cable data transceiver that controller links to each other;
After said processor is found to have " particular structural " and/or " leak "; Carry out said pattern analysis step; Then tested software is existed " particular structural " and/or " leak " information, and should " particular structural " and/or " leak " temporal information and the number of run of operation be sent to said detection controller, survey that there is the information of " particular structural " and/or " leak " through said wireless receiver and/or cable data transceiver in controller with said tested software and the temporal information and the number of run that move are sent to said supervisory node and/or supervisory network.
3. use the software probe system that aforesaid right requires 2 described software probes for one kind, it is characterized in that comprising: as the host computer of said supervisory node, the supervision server system that links to each other with a plurality of said host computer that is distributed in different regions; Said host computer is used for being connected with communicating by letter through wireless and/or wired mode with a plurality of said software probe in the region.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210054107.5A CN102622299B (en) | 2010-04-13 | 2010-04-13 | Working method of software detection system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210054107.5A CN102622299B (en) | 2010-04-13 | 2010-04-13 | Working method of software detection system |
Related Parent Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2010101461469A Division CN101923510B (en) | 2010-04-13 | 2010-04-13 | Software detection method as well as software detector and software detection system applying same |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102622299A true CN102622299A (en) | 2012-08-01 |
| CN102622299B CN102622299B (en) | 2014-10-01 |
Family
ID=46562226
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201210054107.5A Active CN102622299B (en) | 2010-04-13 | 2010-04-13 | Working method of software detection system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102622299B (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106446690A (en) * | 2016-09-05 | 2017-02-22 | 北京蓝海讯通科技股份有限公司 | Application vulnerability restoration apparatus, method and system |
| US11170113B2 (en) * | 2017-01-04 | 2021-11-09 | Checkmarx Ltd. | Management of security vulnerabilities |
| CN115422555A (en) * | 2022-11-04 | 2022-12-02 | 北京华云安信息技术有限公司 | Back door program detection method and device, electronic equipment and storage medium |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060026387A1 (en) * | 2004-07-31 | 2006-02-02 | Dinechin Christophe D | Method and system for recognizing instructions and instruction blocks in computer code |
| CN2894106Y (en) * | 2006-04-19 | 2007-04-25 | 哈尔滨工程大学 | Computer network credibility estimating device based on event implanting |
| EP1208425B1 (en) * | 1998-11-16 | 2008-09-03 | Esmertec AG | Method and system for testing computer code |
| CN101609338A (en) * | 2008-06-18 | 2009-12-23 | 北京摩软科技有限公司 | A kind of method and device to test of embedded device Real-time and Dynamic and localization of fault |
-
2010
- 2010-04-13 CN CN201210054107.5A patent/CN102622299B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP1208425B1 (en) * | 1998-11-16 | 2008-09-03 | Esmertec AG | Method and system for testing computer code |
| US20060026387A1 (en) * | 2004-07-31 | 2006-02-02 | Dinechin Christophe D | Method and system for recognizing instructions and instruction blocks in computer code |
| CN2894106Y (en) * | 2006-04-19 | 2007-04-25 | 哈尔滨工程大学 | Computer network credibility estimating device based on event implanting |
| CN101609338A (en) * | 2008-06-18 | 2009-12-23 | 北京摩软科技有限公司 | A kind of method and device to test of embedded device Real-time and Dynamic and localization of fault |
Non-Patent Citations (2)
| Title |
|---|
| WEI LIANG: "Security Framework of Mobile Internet", 《ZTE COMMUNICATIONS》 * |
| 顾韵华 等: "Web应用安全扫描系统及关键技术研究", 《计算机工程与设计》 * |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106446690A (en) * | 2016-09-05 | 2017-02-22 | 北京蓝海讯通科技股份有限公司 | Application vulnerability restoration apparatus, method and system |
| CN106446690B (en) * | 2016-09-05 | 2019-08-02 | 北京蓝海讯通科技股份有限公司 | A kind of pair of device, method and the system repaired using loophole |
| US11170113B2 (en) * | 2017-01-04 | 2021-11-09 | Checkmarx Ltd. | Management of security vulnerabilities |
| CN115422555A (en) * | 2022-11-04 | 2022-12-02 | 北京华云安信息技术有限公司 | Back door program detection method and device, electronic equipment and storage medium |
| CN115422555B (en) * | 2022-11-04 | 2023-02-28 | 北京华云安信息技术有限公司 | Back door program detection method and device, electronic equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102622299B (en) | 2014-10-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101923510B (en) | Software detection method as well as software detector and software detection system applying same | |
| Lenarduzzi et al. | The technical debt dataset | |
| Ampatzoglou et al. | The effect of GoF design patterns on stability: a case study | |
| US8984485B2 (en) | Analysis of source code changes | |
| CN101553769B (en) | Method and system for tracking and monitoring computer applications | |
| CN105765560B (en) | The component software executed based on multiple tracking is recommended | |
| CN105787367B (en) | A kind of the patch safety detecting method and system of software upgrading | |
| CN106559438A (en) | A kind of program method for uploading and device based on objective network platform | |
| CN102236549A (en) | Visualization of runtime analysis across dynamic boundaries | |
| Vural et al. | Does domain-driven design lead to finding the optimal modularity of a microservice? | |
| CN102567200A (en) | Parallelization security hole detecting method based on function call graph | |
| CN110287097A (en) | Batch testing method, device and computer readable storage medium | |
| CN103593605A (en) | Android platform applications dynamic analysis system based on permission use behaviors | |
| CN103927473A (en) | Method, device and system for detecting source code safety of mobile intelligent terminal | |
| CN110196790A (en) | The method and apparatus of abnormal monitoring | |
| CN108111364A (en) | The test method and device of a kind of operation system | |
| CN101894299A (en) | Fast freight departure and entry intelligent declaration system capable of supporting RFID and HS coding and image processing | |
| CN102622299B (en) | Working method of software detection system | |
| CN112860556B (en) | Coverage rate statistics method, coverage rate statistics device, computer system and readable storage medium | |
| CN103176786A (en) | Security configuration checking framework based on plug-in unit and construction method thereof | |
| CN113886832A (en) | Intelligent contract vulnerability detection method, system, computer equipment and storage medium | |
| Fabre et al. | Building dependable COTS microkernel-based systems using MAFALDA | |
| US20230297744A1 (en) | Systems and methods for ai/ml based digital twin for power system | |
| CN102662827B (en) | Software detection method | |
| Flake et al. | Past-and future-oriented time-bounded temporal properties with OCL |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| ASS | Succession or assignment of patent right |
Owner name: ZHANG MING Free format text: FORMER OWNER: CHANGZHOU YUNBO SOFTWARE ENGINEERING TECHNOLOGY CO., LTD. Effective date: 20140902 |
|
| C41 | Transfer of patent application or patent right or utility model | ||
| COR | Change of bibliographic data |
Free format text: CORRECT: ADDRESS; FROM: 213022 CHANGZHOU, JIANGSU PROVINCE TO: 315700 NINGBO, ZHEJIANG PROVINCE |
|
| TA01 | Transfer of patent application right |
Effective date of registration: 20140902 Address after: 315700 Binhai Industrial Park, Xiangshan County, Zhejiang, Ningbo Applicant after: Zhang Mi Address before: 213022 software park, 9 East Taihu Road, Xinbei District, Jiangsu, Changzhou A408 Applicant before: Changzhou Yunbo Software Engineering Technology Co., Ltd. |
|
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C56 | Change in the name or address of the patentee | ||
| CP02 | Change in the address of a patent holder |
Address after: Xinghua City, Jiangsu province 225762 Taizhou City Jade Town neighborhood Patentee after: Zhang Mi Address before: 315700 Binhai Industrial Park, Xiangshan County, Zhejiang, Ningbo Patentee before: Zhang Mi |
|
| C56 | Change in the name or address of the patentee | ||
| CP02 | Change in the address of a patent holder |
Address after: 213000, unit 302, unit 7, Pu Bei Village, Tianning District, Jiangsu, Changzhou Patentee after: Zhang Mi Address before: Xinghua City, Jiangsu province 225762 Taizhou City Jade Town neighborhood Patentee before: Zhang Mi |
|
| CP02 | Change in the address of a patent holder | ||
| CP02 | Change in the address of a patent holder |
Address after: 225321 Taizhou, Zhejiang Province, high port road, Port Road, Jin Nan Road, No. 2, No. Patentee after: Zhang Mi Address before: 213000, unit 302, unit 7, Pu Bei Village, Tianning District, Jiangsu, Changzhou Patentee before: Zhang Mi |
|
| TR01 | Transfer of patent right |
Effective date of registration: 20181227 Address after: 430000 No. 01, 1-4 Floors, 9 Building 1-4, Shenzhou Digital Wuhan Science Park, No. 7, Financial Port Road, Donghu New Technology Development Zone, Wuhan City, Hubei Province Patentee after: Optics Valley technology stock company Address before: 225321 2 Port Jinggang Road, Taizhou port, Jiangsu Patentee before: Zhang Mi |
|
| TR01 | Transfer of patent right | ||
| PE01 | Entry into force of the registration of the contract for pledge of patent right |
Denomination of invention: Working method of software detection system Effective date of registration: 20190828 Granted publication date: 20141001 Pledgee: Wuhan rural commercial bank Limited by Share Ltd Optics Valley branch Pledgor: Optics Valley technology stock company Registration number: Y2019420000007 |
|
| PE01 | Entry into force of the registration of the contract for pledge of patent right | ||
| PC01 | Cancellation of the registration of the contract for pledge of patent right |
Date of cancellation: 20200813 Granted publication date: 20141001 Pledgee: Guanggu Branch of Wuhan Rural Commercial Bank Co.,Ltd. Pledgor: OPTICAL VALLEY TECHNOLOGY Co.,Ltd. Registration number: Y2019420000007 |
|
| PC01 | Cancellation of the registration of the contract for pledge of patent right | ||
| PE01 | Entry into force of the registration of the contract for pledge of patent right |
Denomination of invention: A working method of software detection system Effective date of registration: 20200818 Granted publication date: 20141001 Pledgee: Guanggu Branch of Wuhan Rural Commercial Bank Co.,Ltd. Pledgor: OPTICAL VALLEY TECHNOLOGY Co.,Ltd. Registration number: Y2020420000053 |
|
| PE01 | Entry into force of the registration of the contract for pledge of patent right | ||
| CP01 | Change in the name or title of a patent holder |
Address after: 430000 No. 01, 1-4 Floors, 9 Building 1-4, Shenzhou Digital Wuhan Science Park, No. 7, Financial Port Road, Donghu New Technology Development Zone, Wuhan City, Hubei Province Patentee after: Optical Valley Technology Co.,Ltd. Address before: 430000 No. 01, 1-4 Floors, 9 Building 1-4, Shenzhou Digital Wuhan Science Park, No. 7, Financial Port Road, Donghu New Technology Development Zone, Wuhan City, Hubei Province Patentee before: OPTICAL VALLEY TECHNOLOGY Co.,Ltd. |
|
| CP01 | Change in the name or title of a patent holder | ||
| PC01 | Cancellation of the registration of the contract for pledge of patent right | ||
| PC01 | Cancellation of the registration of the contract for pledge of patent right |
Date of cancellation: 20220609 Granted publication date: 20141001 Pledgee: Guanggu Branch of Wuhan Rural Commercial Bank Co.,Ltd. Pledgor: OPTICAL VALLEY TECHNOLOGY Co.,Ltd. Registration number: Y2020420000053 |