计算机应用 ›› 2013, Vol. 33 ›› Issue (01): 19-22.DOI: 10.3724/SP.J.1087.2013.00019

• 第九届中国信息和通信安全学术会议(CCICS 2012)论文 • 上一篇    下一篇

基于信息熵和攻击面的软件安全度量

张璇1,2,廖鸿志1,2,李彤1,2,徐晶1,张倩茹1,钱晔1   

  1. 1. 云南大学 软件学院, 昆明 650091
    2. 云南省软件工程重点实验室(云南大学), 昆明 650091
  • 收稿日期:2012-08-27 出版日期:2013-01-01 发布日期:2013-01-09
  • 通讯作者: 张璇
  • 作者简介:张璇(1978-),女,江苏南京人,副教授,博士研究生,主要研究方向:信息安全、软件工程;廖鸿志(1946-),男,云南昭通人,教授,硕士,主要研究方向:系统科学、数据挖掘;李彤(1963-),男,河北石家庄人,教授,博士,CCF高级会员,主要研究方向:软件工程、信息安全;徐晶(1991-),女,湖南长沙人,主要研究方向:信息安全;张倩茹(1990-),女,云南个旧人,主要研究方向:信息安全;钱晔(1984-),女,安徽巢湖人,博士研究生,CCF会员,主要研究方向:软件工程。
  • 基金资助:

    国家自然科学基金资助项目(61262025, 61262024);云南省教育厅科学研究基金资助项目(2012Y257);云南省软件工程重点实验室开放基金资助项目(2011SE09)

Software security measurement based on information entropy and attack surface

ZHANG Xuan1,2,LIAO Hongzhi1,2,LI Tong1,2,XU Jing2,ZHANG Qianru2,QIAN Ye2   

  1. 1. Key Laboratory of Software Engineering of Yunnan Province (Yunnan University), Kunming Yunnan 650091, China
    2. School of Software, Yunnan University, Kunming Yunnan 650091, China
  • Received:2012-08-27 Online:2013-01-01 Published:2013-01-09
  • Contact: ZHANG Xuan

摘要: 对软件实施安全度量是开发安全的软件产品和实施软件安全改进的关键基础。基于Manadhata等(MANADHATA P K, TAN K M C, MAXION R A, et al. An approach to measuring a system's attack surface, CMU-CS-07-146. Pittsburgh: Carnegie Mellon University, 2007; MANADHATA P K, WING J M. An attack surface metric. IEEE Transactions on Software Engineering, 2011, 37(3): 371-386)提出的攻击面方法,结合信息熵理论,提出结合信息熵和攻击面的软件安全度量方法,可以有效地利用信息熵的计算方法对软件攻击面的各项资源进行威胁评估,从而提供具有针对性的威胁指标量化权值。在此基础之上,通过计算软件攻击面各项资源的指标值可以实现软件的安全度量。最后,通过具体的实例分析说明结合信息熵和攻击面的方法可以有效地应用于软件的安全开发过程和软件安全改进过程,为软件的安全设计开发指明可能存在的安全威胁,帮助提早避免软件产品中可能存在的漏洞;而对于已经开发完成待实施安全改进的软件则可以指出明确的改进方向。

关键词: 攻击面, 熵, 软件安全度量, 软件开发, 软件安全改进

Abstract: Software security measurement is critical to the development of software and improvement of software security. Based on the entropy and attack surface proposed by Manadhata et al. (MANADHATA P K, TAN K M C, MAXION R A, et al. An approach to measuring a system's attack surface, CMU-CS-07-146. Pittsburgh: Carnegie Mellon University, 2007; MANADHATA P K, WING J M. An attack surface metric. IEEE Transactions on Software Engineering, 2011, 37(3): 371-386), a method of software security measurement was used to assess the threat of the software's resources and provide the threat weight of these resources. Based on the threat weight, the attack surface metric was calculated for determining whether a software product is secure in design, or in what aspect the software product can be improved. The method is demonstrated in a case to show that, when using the method, the probable security threats can be found as early as possible to prevent from producing the software products that may have vulnerabilities, and the directions for the improvement of software security are pointed out clearly.

Key words: attack surface, entropy, software security measurement, software development, improvement of software security

中图分类号: