阅读说明：本技术 用于分析源代码的方法 (Method for analyzing source code ) 是由 M·S·P·斯托廷格 R·佩里奇 于 2019-07-25 设计创作，主要内容包括：本发明涉及一种用于分析源代码(10)的方法,其具有以下步骤：识别易受实施攻击影响的源代码漏洞(14),其中,在主动源代码开发期间识别源代码漏洞(14),而无需进行程序编译。(The invention relates to a method for analyzing source code (10), comprising the following steps: a source code vulnerability (14) susceptible to an implementation attack is identified, wherein the source code vulnerability (14) is identified during active source code development without requiring program compilation.)

1. A method for analyzing source code (10), comprising the steps of:

-identifying a source code vulnerability (14) susceptible to an implementation attack;

it is characterized in that the preparation method is characterized in that,

source code vulnerabilities (14) are identified during active source code development without requiring program compilation.

2. The method of claim 1, wherein identifying a source code vulnerability (14) susceptible to implementation attacks comprises at least one of:

-identifying a source code vulnerability (14) susceptible to a side channel attack;

-identifying a source code vulnerability (14) susceptible to a fault injection attack.

3. Method according to claim 1 or 2, characterized by the steps of:

visually highlighting the identified source code vulnerability (14),

wherein the identified source code vulnerabilities are visually highlighted (14) during active source code development without requiring program compilation.

4. The method of any of the preceding claims, wherein the identification of the source code vulnerability (14) and/or the visual highlighting of the source code vulnerability (14) is performed in real-time during active source code development.

5. The method according to any of the preceding claims, characterized by at least one of the following steps:

-automatically loading a description of the storage for the identified source code vulnerability (14);

-automatically generating a description for the identified source code vulnerability (14);

-automatically displaying the loaded description or the generated description for the identified source code vulnerability (14).

6. The method according to any one of the preceding claims,

characterized by at least one of the following steps:

-automatically generating an alternative source code for the identified source code vulnerability (14);

-automatically displaying the alternate source code generated for the identified source code vulnerability (14).

7. The method of claim 6, wherein the first and second light sources are selected from the group consisting of,

the method is characterized by comprising the following steps:

-automatically replacing (14) the identified source code vulnerability by the generated alternative source code based on a correction command entered by the source code developer.

8. An apparatus for data processing, comprising a processor configured to perform the method of any of the preceding claims.

9. A computer program product comprising instructions which, when the program is executed by a computer, cause the computer to carry out the method according to any one of claims 1 to 8.

10. A computer readable medium having stored thereon the computer program product of claim 9.

Technical Field

The invention relates to a method for analyzing source code/source text, comprising the following steps: a source code vulnerability susceptible to implementation attacks is identified.

The invention further relates to a device for data processing, a computer program product and a computer-readable data carrier.

Background

In developing source code, for example, using an integrated development environment, source code developers are regularly supported in the generation of source code in order to accelerate source code development and reduce the error rate of later software. Developers known in the prior art support emphasizing syntax, wherein source code is syntax checked during active source code development, so that source code errors can be identified during active source code development. During active source code development, a source code developer is brought to the attention of a source code paragraph by visually highlighting the identified source code paragraph. By syntactic emphasis, errors that occur in the compilation stage are reduced, thereby speeding up software development.

In addition to the syntax highlighting, it is also known to check the source code in real time, checking the source code against unsafe standard functions (such as strcpy or printf) during active source code development. In this case, the source code can be matched, for example, to a dictionary of predefined, non-secure standard functions. This is merely a static check by which a source code vulnerability that is vulnerable to implementation attacks cannot be identified.

Source code vulnerabilities susceptible to implementation attacks can only be identified so far during program execution, i.e. after programming and implementation are complete. For this purpose, for example, software simulation or analysis of the test system is necessary. Therefore, program compilation or binary files are required in order to identify the corresponding source code bugs. Thus, if this type of source code vulnerability is identified, source code development needs to be performed again, thus requiring time consuming and expensive development cycles to fix the identified vulnerability.

Furthermore, known methods for analyzing binary files do not typically appear sensitive to the corresponding vulnerability patterns by the source code developer. Thus, the known methods do not lead to learning advances by the source code developer.

Disclosure of Invention

It is therefore an object of the invention to accelerate and/or simplify the development of source code that is not susceptible to implementation attacks.

This object is achieved by a method of the type mentioned at the outset in which a source code vulnerability is identified during active source code development without requiring program compilation.

The present invention utilizes the following knowledge: by identifying source code vulnerabilities that are vulnerable to implementation attacks during active source code development, time consuming and expensive development cycles involving simulation software or test system analysis may be avoided. In addition, identification of the corresponding source code vulnerability during active source code development enables direct feedback to the source code developer, thereby enabling sensitization of the source code developer to the corresponding source code vulnerability.

Thus, source code analysis covers the dynamic enforcement behavior of the source code, not just against insecure standard functions such as strcpy or printf. Thus, in the sense of the present invention, the term "implementation attack" does not include attacks that are only performed at the software level.

Preferably, the method is performed partially or completely in an integrated development environment. In particular, a binary file need not be generated to identify a corresponding source code vulnerability. In summary, a significant acceleration of the development process is achieved and the susceptibility of the source code to implementation attacks is significantly reduced.

In a preferred embodiment of the method of the present invention, identifying a source code vulnerability susceptible to implementation attacks includes: identifying a source code vulnerability susceptible to a side-channel attack and/or identifying a source code vulnerability susceptible to a fault injection attack. Side-channel attacks and fault injection attacks represent subtypes of implementation attacks. Side Channel attacks may also be referred to as Side Channel Attach (SCA). Side-channel attacks make use of the physical implementation of cryptographic systems in devices or in software. In this case, the device is observed during the implementation of the cryptographic algorithm and the correlation between the observed information and the used key is checked. A corresponding side-channel attack may, for example, involve an analysis of the runtime of the algorithm, the energy consumption during the calculation process, or the electromagnetic radiation. The Fault Injection Attack may also be referred to as Fault Injection Attach (FIA). In the case of a fault injection, for example, a fault (glitch) can be introduced into the supply voltage of the device. Another error injection involves inserting a disturbance into the clock signal of the device. Furthermore, fault injection attacks are also known in which the attacked device is exposed to radiation.

Furthermore, the method according to the present invention is advantageously improved by visually highlighting the identified source code vulnerabilities, wherein the identified source code vulnerabilities are visually highlighted during active source code development without requiring the program to be compiled. The visual highlighting may be performed, for example, by a monochrome background, a changed text color setting, and/or a changed font setting. Alternatively or additionally, upon identifying a corresponding source code vulnerability, a pop-up window may pop-up that indicates the source code vulnerability identified by the source code developer. By visually highlighting or indicating the identified source code vulnerability, a learning effect is achieved for the source code developer. The method realizes the sensitization of the source code developer to the source code vulnerability which is easily affected by implementation attack.

In a further preferred embodiment of the method according to the invention, the identification of the source code vulnerability and/or the visual highlighting of the identified source code vulnerability is effected in real time during the active source code development. In this manner, the respective source code vulnerability can be modified or replaced by the source code developer immediately at the time of programming. The entire development process is accelerated significantly in this way.

The method according to the invention is further advantageously further developed in that the stored specification for the identified source code vulnerability is automatically loaded. Alternatively or additionally, a description of the identified source code vulnerability is automatically generated. Depending on the complexity of the identified source code vulnerability, it is sufficient that: the stored description is used to make the source code developer notice the source code vulnerability and/or to provide the source code developer with supplemental information for the identified source code vulnerability through the stored description. In other cases, the identified source code vulnerabilities can be used to generate corresponding specifications such that the generated specifications include source code specific elements that are related to the source code actually represented by the source code developer. Alternatively or additionally, the method may include automatically displaying a description loaded or generated for the identified source code vulnerability.

In an advantageous embodiment of the method according to the present invention, an alternative source code for the identified source code vulnerability is automatically generated and/or displayed. Preferably, the alternate source code preferably does not include source code vulnerabilities that are vulnerable to implementation attacks. In particular, the alternate source code may have a new source code structure.

Furthermore, a method according to the present invention is preferred, wherein the identified source code vulnerability is automatically replaced by the generated replacement source code based on a correction command input by the source code developer. In this manner, no elaborate manual matching of source code is required in order to eliminate the identified source code vulnerabilities. In this way, source code development is further accelerated.

The method according to the invention can be used for analyzing source code used in vehicles, in particular in automobiles. In particular, the source code is for a control device inside the vehicle. Other application areas include the development of smart card software, development related to the internet of things, industry 4.0, and other developments in areas where devices interact with each other and require a high degree of security.

The object of the invention is also achieved by an apparatus for data processing comprising a processor configured to perform a method for analyzing source code according to one of the above-mentioned embodiments. For the advantages and modifications of the device according to the invention, reference is made to the advantages and modifications of the method according to the invention.

The object of the invention is also achieved by a computer program product comprising instructions which, when the program is executed by a computer, cause the computer to carry out the method for analyzing source code according to one of the above-mentioned embodiments. With regard to advantages and modifications of the computer program product according to the invention, reference is made to advantages and modifications of the method according to the invention.

The object of the invention is also solved by a computer-readable data carrier on which the computer program product described above is stored.

Drawings

Preferred embodiments of the present invention will be described and illustrated in detail below with reference to the accompanying drawings. In the drawings:

FIG. 1 illustrates a portion of an integrated development environment for the device invocation of the present invention that may be used for data processing.

Detailed Description

The integrated development environment shown in FIG. 1 schematically illustrates an embodiment of a method for analyzing source code 10 in accordance with the present invention.

The method is performed by a data processing apparatus comprising a processor configured to perform the method described below. The method is based on a computer program product comprising commands which, when the program is executed by a computer, cause the program to carry out the method accordingly.

During the execution of the method, a source code vulnerability 14 is identified in source code 10 entered by a source code developer. A source code developer enters source code 10 into editor 12 via an input device configured as a keyboard. During active source code development, source code vulnerabilities 14 are identified in real time without requiring the program to be compiled.

Within the scope of the method, a source code vulnerability 14 susceptible to implementation attacks, such as a side-channel attack or a fault injection attack, is identified. Thus, source code analysis does not extend to insecure standard functions such as strcpy or printf, but rather involves the enforcement behavior of source code 10.

When a source code vulnerability 14 that is susceptible to an implementation attack is identified, the identified source code vulnerability 14 is visually highlighted to bring the source code developer's attention to the source code vulnerability 14 during active source code development. Thus, a visual highlighting of the identified source code vulnerability 14 is also achieved in a timely manner in time, i.e., during active source code development, without the need to compile the program.

Here, the source code 10 includes a for statement and an if statement. Both statements are identified as vulnerable to implementation and visually highlighted.

Within the scope of the method, If statements are identified as source code vulnerabilities 14, which are vulnerable to side channel attacks. For an if statement, a window 16a is opened that includes sections 18a, 18 b. In section 18a, the source code developer is shown a description of the storage for the identified source code vulnerability 14, i.e., if statements are unbalanced, and therefore abusive temporal characteristics may occur. In section 18b, correction suggestions for eliminating the source code vulnerability 14 are displayed to the source code developer, i.e., if statements are to be combined with else statements.

Within the scope of the method, the For statement is identified as a source code vulnerability 14 susceptible to a fault injection attack. For a for statement, a window 16b is opened that includes sections 20a, 20 b. In section 20a, a description of the storage for the identified source code vulnerability 14 is displayed for the source code developer, i.e., no control flow tampering has ended for the for loop definition and thus abuse may occur. In section 20b, a correction recommendation is displayed to the source code developer to eliminate the source code vulnerability 14, i.e., a second numerical value is inserted that checks whether all iterations of the for loop have been performed. Furthermore, it is suggested to insert else statements in section 20b to eliminate the source code vulnerability 14.

Thus, the alternative source code shown may have a modified and/or extended source code structure. The source code developer may cause the identified source code vulnerability 14 to be replaced by the displayed replacement source code by entering a corresponding correction command.

List of reference numerals:

10 source code

12 editor

14 source code vulnerabilities

16a, 16b window

18a, 18b section

20a, 20b section