the history and development of code security

Posted by punzalan at 2020-03-01

1、 Code Security Overview

With the rapid development of computer and communication technology, software has become an important infrastructure of information construction. Numerous facts have proved that the security loopholes in software are the root cause of frequent security incidents. The diversity of software functions and the complexity of structure will inevitably lead to the increase of the attack area of information system and infrastructure, and greatly improve the probability of security threats. Therefore, it has always been the direction of academia and industry to find and repair software security vulnerabilities as early as possible.

As the original form of software, the security defect of source code is the direct source of software vulnerability. Therefore, it is an important method to find the security flaws in the source code by static analysis. And because the work is implemented before the program goes online, the repair cost can be greatly reduced. After more than 40 years of development, the function and performance of source code analysis technology and tools have been greatly improved, and the software code security methods based on them are also booming. At present, many countries and enterprises are gradually aware of the importance of source code analysis and assurance, and standardize this work through various policies and methodologies.

2、 Mainstream code security analysis technology

The development of source code static analysis technology is closely related to the progress of compilation technology and computer hardware equipment. Most of the source code security analysis technologies are put forward on the basis of compilation technology or program verification technology. At present, the mainstream analysis technologies mainly include the following four categories:

1. Lexical analysis technology

Lexical analysis only matches the text or token stream of the code with the known defect patterns, but does not deeply analyze the semantics and context of the code. The efficiency of lexical analysis is high, but only simple defects can be found, and the false alarm rate is high.

2. Abstract Interpretation Technology

This kind of technology is used to prove that a piece of code has no errors, but it does not guarantee the authenticity of the reported errors. The basic principle of this technology is to map the value of program variable to a simpler abstract domain and simulate the execution of the program. Therefore, the accuracy and performance of this technique depend on the approximation of abstract domain to real program value domain.

3. Program simulation technology

This kind of technology can simulate all the execution states, and the analysis results are more accurate. It is mainly used to find the defects with complex logic and harsh triggering conditions, but it is difficult to improve the performance. It mainly includes model checking and symbolic execution. Model checking constructs the software as abstract models such as state machine or directed graph, and uses formal expressions such as modal / temporal logic formula to describe security attributes, traverses the model to verify whether these attributes are satisfied; symbol execution uses symbol value to represent program variable value, and simulates program execution to find the situation that meets vulnerability detection rules.

4. The technology of theorem proving

This technique describes the premise of program errors and the program itself as a set of logical expressions. Then, based on the satisfiability theory, it uses constraint solver to find the execution path that may lead to program errors. This method is more flexible, can use logical formula to describe software defects easily, and can adjust constraints according to different requirements of analysis performance and accuracy, which is more effective for large-scale industrial software analysis.

3、 Current situation of software code security

The United States and other developed countries attach great importance to the work of software code security, and promote the implementation of code security from the government, research institutions, industry and other aspects. At present, a relatively complete system of overall design, standards and specifications, defective resources, tool research and development, and open source plan has been formed. However, the position of code security in the national or industrial information system security system is not prominent enough, and its role has not been better played.

As early as 2005, the annual report on information security of the president's Information Technology Advisory Committee pointed out that the software products used by important departments such as the U.S. government and the military must strengthen security detection measures, especially the software code level security detection.

Under the joint support of the Department of Homeland Security (DHS) and the National Security Administration (NSA), mitre company has carried out the research on software code defects, and established the software code Defect Classification Library CWE (common vulnerability enumeration) to uniformly classify and identify software code defects.

The U.S. Department of homeland security has funded the software security assurance program (SAP), which puts the reduction of software security risks in a very prominent position; it has funded the development of "built in security" (BSI), whose basic principle is that software security is essentially a software engineering problem, which must be managed in a systematic way throughout the software development life cycle; in addition, in its Under the support of NIST, the National Institute of standards and Technology (NIST) proposed and carried out the research on samate, a Software Assurance measurement and tool testing project. The source code defect analysis is an important part of the project. This database contains the actual software applications and known errors or holes for vulnerability analysis and search. DHS also funded the open source software code testing program, which Since 2006, it has been undertaken by Coverity company of the United States. Its purpose is to screen and reinforce the security risks of widely used open source software code. The specific test data are not open to the public. As of February 2017, it has detected more than 7000 kinds of open source software and found a large number of security defects.

Cert, sans, OWASP and other third-party research institutions in the United States have also carried out a lot of work in the field of software code security assurance. For example, cert has released a series of security programming (C / C + + / Java, etc.) standards. SANS and OWASP have released top 25 and top 10 serious code defects each year, which are used to guide developers to code safely and avoid security defects in the code as much as possible.

In the enterprise community, including Microsoft, Cisco, Intel, sap, juniper, EMC and other large companies, software source code defect analysis system has been or is being deployed. In addition, Microsoft, Cisco and other companies also put forward the concept of security development life cycle (SDL), and put security measures throughout the whole process of software life cycle to minimize the vulnerabilities in design, code and documents. Gartner put forward the concept of DevSecOps in 2012, aiming to run security throughout the agile development and operation, and stressed: "if possible, security control must be programmable and automated", which makes the importance of code security and security development more prominent. At present, many teams are committed to the implementation of DevSecOps in the enterprise.

4、 Current status of code security review in various countries

Code security review refers to the systematic verification of the source code of software products to determine whether there are errors, defects, undeclared functions and other problems. Many countries have established network security review systems from the perspective of maintaining key infrastructure and supply chain security, in which source code review plays an important role. At present, the countries implementing the source code review include the United States, the United Kingdom, Russia, Australia, India, etc., of which the United States, the United Kingdom and India are the most typical. At present, China has also begun to implement the network security review system, but for the audit and review of source code, there are only principles, there is no detailed and standardized requirements.

The United States paid attention to the source code security review earlier, and took various measures from the government to the enterprise. In terms of network security review, the United States has formed a set of laws and regulations around the procurement, use, operation and management of information technology products, among which the requirements for supply chain security are more prominent; in 2007, the U.S. air force established the application software quality assurance center to detect code defects in the application software; in 2008, California election software failed to pass the code security review It was cancelled; in the same year, the center for device and radiation health of the food and Drug Administration began to use code defect detection tools to detect medical equipment in case of problems and accidents; in 2009, code defect review was conducted on the aircraft navigation system of the Federal Aviation Administration of the United States, and more than 700 high-risk vulnerabilities were found; in early 2010, the United States Department of Commerce carried out the census software The code security check found 80 serious defects, resulting in project delay. At the same time, American business circles also pay more and more attention to code security detection work and service. Microsoft, Google, HP, Cisco and other companies move code security risk control forward to the design and development stage of software life cycle, and take code security detection as an important link in product production.

The scale of the UK's local IT industry is relatively limited, and there are many cases of using the network information technology products and services of enterprises from other countries, and the supply chain is more complex. Therefore, the network security review mechanism in the UK does not have systematic security performance requirements for government procurement of information technology products and services, but adopts a relatively market-oriented evaluation mechanism, which includes in-depth source code review and testing to detect whether there are security defects or loopholes in relevant products or services. The UK requires equipment manufacturers to build their own network security assessment center, which is supervised by relevant agencies and operated independently of equipment manufacturers, and test and verify the code delivered by equipment manufacturers. However, source code audit methods, processes, technical means and implementation details are highly confidential.

As a large software development country, India has higher requirements on code security, including the mandatory requirements for software code security testing of equipment imported from China, which leads to Chinese enterprises being unable to enter the Indian market due to the failure of code security testing. In early May 2010, the Indian government banned Indian telecom operators from purchasing Huawei and ZTE telecom equipment from China on the grounds of code security and spyware. Huawei had to announce that it would allow customers access to its software code and hire fortify, the US, to test its software code in order to allay India's concerns about the safety of its equipment.

China's "network security law" and "measures for security review of network products and services" have been implemented in the first half of 2017. The system provisions and top-level design have been carried out in terms of network operation security, network information security, network security review, etc., in which the important position of the level protection system has been clarified, and the principle of code security for systems above level II has been provided in the level protection system However, there is a lack of detailed review methods and technical standards in the field of code security in China. Of course, we are also glad to see that in recent years, domestic research institutions and enterprises have made some breakthroughs in code security technology research, tool research and development, standard setting, etc., and the gap with the international community is gradually narrowing. We believe that in the near future, the source code security detection products with independent intellectual property rights in China will certainly contribute to the network security review in China Power.

*Author: Huang Yonggang, general manager of code security business department of 360 enterprise security group, reprint please indicate that it is from