Secure Code Detection Based on Static Analysis (graduation thesis).doc

Secure Code Detection Based on Static Analysis

[Abstract] As software applications grow in scale and their operating environments become more complex, assuring software quality is an indispensable systematic activity that runs through the entire software development process. One of its important principles is that the earlier a defect is found the better: a defect that slips through to the next phase raises the cost of fixing it to 5~10 times the original, and may even leave it impossible to fix. According to statistics from M.E. Fagan, the founder of static analysis, static analysis of software during the design and coding phases can find 30% to 70% of the software's defects.

With the development of computer-aided techniques, manual static analysis has begun to give way to automated static analysis by computer. This thesis describes in detail … Building on a study of existing static analysis techniques and theory, and targeting the characteristics of the object-oriented Java language, it uses a Java parser to generate the abstract syntax tree of the source code, presents software static analysis based on the abstract syntax tree … and describes the design and implementation of each module of the tool, thereby improving software quality and review efficiency.

Secure Code Test Based on Static Analysis

[Abstract] As software applications grow in scale and their operating environments become more complex, protecting software quality is an indispensable systematic activity that runs through the whole software development process. One of its most important principles is that the earlier faults are detected the better, because the cost of correction grows to five to 10 times the original if the fix is delayed to the next phase and, what is worse, the fault may become impossible to recover from. According to statistics provided by the founder of static analysis, M.E. Fagan, static analysis in the design and coding phases detects 30 percent to 70 percent of faults.

With the development of computer-assisted technology, automated static analysis by computer is replacing manual static analysis step by step. This dissertation is about static analysis. First, it introduces the concept of secure code and the principles of writing secure code, as well as two methods of checking code for security: static analysis and dynamic analysis. Second, it analyzes in depth the techniques that static analysis requires, for example model construction and analysis algorithms. It then illustrates the manual static test process. What is more, based on research into static analysis techniques and theory, and taking into account the object-oriented character of the Java language, it uses the abstract syntax tree produced by JavaCC to propose an AST-based static analysis model and the implementation method of some crucial modules, improving software quality and the efficiency of assessment.

[Key word] Secure Code S
