
CN-122027261-A - Cloud password service-oriented fuzzy test and compliance assessment platform and method


Abstract

The invention discloses a fuzz testing and compliance assessment platform and method for cloud cryptographic services, in the technical field of cloud computing and cryptographic security assessment. The platform comprises a requirement analysis module, a test case generation module, a fuzz test execution module, a compliance detection module, a result fusion analysis module and a report generation module. The result fusion analysis module is connected to both the fuzz test execution module and the compliance detection module; it correlates the response data and exception logs collected during fuzzing with the compliance detection results, identifies the security vulnerability types and compliance defect levels of the cloud cryptographic service, and removes duplicate findings. By integrating fuzz testing with compliance detection and correlating their results in the result fusion analysis module, the platform addresses the difficulty in the prior art of combining fuzz test results with compliance detection results, and gives a comprehensive picture of the security and compliance status of the cloud cryptographic service.

Inventors

  • CHEN QIANG
  • ZHENG SHENGXIN
  • LIN GAN
  • LIN JING
  • CHEN YU

Assignees

  • 福建智安信息技术有限公司

Dates

Publication Date: 2026-05-12
Application Date: 2026-02-02

Claims (10)

  1. A fuzz testing and compliance integrated assessment platform for cloud cryptographic services, characterized by comprising: a requirement analysis module, for acquiring the API/SDK interface specification document of the cloud cryptographic service and a preset compliance standard, and parsing them to obtain interface parameter information, calling constraints and compliance detection indicators; a test case generation module, connected to the requirement analysis module, which generates basic test cases from the parsed interface parameter information, generates a fuzz test case set by expanding them with cryptographic attack characteristics and fuzz testing strategies, and generates compliance detection cases from the compliance detection indicators; a fuzz test execution module, connected to the test case generation module, for loading the fuzz test case set, establishing communication with the target cloud cryptographic service by API calls or SDK integration, executing the fuzz tests and collecting interface response data, exception logs and service state information in real time during testing; a compliance detection module, connected to the requirement analysis module, for loading the compliance detection cases, automatically checking the cryptographic algorithm selection, key management process, access control policy and audit log integrity of the cloud cryptographic service against the preset compliance standard, and collecting the compliance detection results; a result fusion analysis module, connected to both the fuzz test execution module and the compliance detection module, for correlating the response data and exception logs collected by fuzzing with the compliance detection results, identifying the security vulnerability types and compliance defect levels of the cloud cryptographic service, and removing duplicate findings; and a report generation module, connected to the result fusion analysis module, for generating an integrated assessment report containing vulnerability details, compliance ratings and remediation suggestions from the fusion analysis results.
  2. The fuzz testing and compliance integrated assessment platform for cloud cryptographic services according to claim 1, wherein the requirement analysis module comprises an interface parsing unit and a compliance standard parsing unit; the interface parsing unit combines natural language processing with syntax parsing to extract interface names, parameter types, parameter ranges, mandatory fields, return value formats and error code information from the API/SDK interface specification document; and the compliance standard parsing unit parses the preset national/industry cryptographic compliance standards and generates quantifiable compliance detection indicators.
  3. The fuzz testing and compliance integrated assessment platform for cloud cryptographic services according to claim 1, wherein the test case generation module comprises a basic case generation unit, a fuzz case expansion unit and a compliance case generation unit; the basic case generation unit generates positive test cases that conform to the interface calling specification from the normal value ranges of the interface parameters; the fuzz case expansion unit applies a mutation-based fuzz testing strategy to the parameters of the basic test cases, performing random mutation, boundary value mutation and special character injection mutation, and additionally designs targeted mutation rules from cryptographic characteristics, the targeted mutation rules comprising abnormal key length mutation, illegal algorithm parameter mutation and disordered encrypted data format mutation; and the compliance case generation unit generates detection cases covering cryptographic algorithm compliance, key lifecycle management, access control permissions and audit log recording scenarios according to the compliance detection indicators.
  4. The fuzz testing and compliance integrated assessment platform for cloud cryptographic services according to claim 1, wherein the fuzz test execution module comprises a communication adaptation unit, a case execution unit and a data acquisition unit; the communication adaptation unit provides adaptation interfaces for multiple types of APIs/SDKs; the case execution unit supports concurrent execution of fuzz test cases and configures the test rate, retry mechanism and timeout; and the data acquisition unit collects in real time the interface return codes, return data and response times, together with the system logs, exception crash information and resource usage of the cloud cryptographic service.
  5. A fuzz testing and compliance integrated assessment method for cloud cryptographic services, characterized by comprising the following steps: S1, requirement analysis: acquire the API/SDK interface specification document and preset compliance standard of the target cloud cryptographic service, and parse them to obtain interface parameter information, calling constraints and compliance detection indicators; S2, test case generation: generate basic test cases from the interface parameter information, generate a fuzz test case set by expanding them with cryptographic characteristics and fuzz testing strategies, and generate compliance detection cases from the compliance detection indicators; S3, fuzz testing: load the fuzz test case set, establish communication with the target cloud cryptographic service by API calls or SDK integration, execute the fuzz tests and collect test process data in real time; S4, compliance detection: load the compliance detection cases, automatically check the cryptographic algorithm, key management process, access control policy and audit log integrity of the cloud cryptographic service against the preset compliance standard, and collect the compliance detection results; S5, result fusion analysis: correlate the response data and exception logs collected by fuzzing with the compliance detection results, identify the security vulnerability types and compliance defect levels, and remove duplicate findings; and S6, report generation: generate an integrated assessment report containing vulnerability details, compliance ratings and remediation suggestions from the fusion analysis results.
  6. The fuzz testing and compliance integrated assessment method for cloud cryptographic services according to claim 5, wherein in step S1 the interface parameter information includes interface names, parameter types, parameter ranges, mandatory fields, return value formats and error code information, and the compliance detection indicators include a cryptographic algorithm compliance indicator, a key management compliance indicator, an access control compliance indicator and an audit log compliance indicator.
  7. The fuzz testing and compliance integrated assessment method for cloud cryptographic services according to claim 5, wherein in step S2 the fuzz test case set is generated as follows: S21, generate positive basic test cases from the normal value ranges of the interface parameters; S22, apply random mutation, boundary value mutation and special character injection mutation to the parameters of the positive basic test cases to generate generic fuzz test cases; S23, design targeted mutation rules from cryptographic characteristics and mutate key parameters such as the key length, algorithm parameters and encrypted data format to generate cryptography-specific fuzz test cases; S24, merge the generic and cryptography-specific fuzz test cases into a fuzz test case set, and de-duplicate and prioritize the cases.
  8. The fuzz testing and compliance integrated assessment method for cloud cryptographic services according to claim 5, wherein in step S3 the test process data includes interface return codes, return data, response times, the system logs of the cloud cryptographic service, exception crash information, and CPU and memory usage; and during fuzz test execution, if the cloud cryptographic service is found to crash, stop responding or return an abnormal error code, it is marked as a potential security vulnerability and the corresponding fuzz test case is recorded.
  9. The fuzz testing and compliance integrated assessment method for cloud cryptographic services according to claim 5, wherein in step S4 the compliance detection process comprises: S41, check whether the cryptographic algorithms supported by the cloud cryptographic service meet the preset compliance standard, and whether any forbidden algorithm is present; S42, check whether the key generation, storage, backup and destruction processes meet the compliance requirements, and verify whether the key lengths are compliant; S43, check the access control policy of the cloud cryptographic service, verifying whether the principle of least privilege, multi-factor authentication and a permission approval process are implemented; S44, check the integrity and traceability of the audit logs, verifying whether the logs contain the key information on user operations, key changes and service exceptions, and whether the log retention period meets the requirements.
  10. The fuzz testing and compliance integrated assessment method for cloud cryptographic services according to claim 5, characterized in that in step S5 the correlation analysis comprises: correlating the abnormal responses found by fuzzing with the defects found by compliance detection, and judging whether there are security vulnerabilities caused by the compliance defects; aggregating security vulnerabilities of the same type with the compliance defects and determining the source of each defect; and comprehensively grading the security compliance of the cloud cryptographic service according to the hazard degree of the vulnerabilities and the severity level of the compliance defects.
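
As an added illustration of the case generation procedure in claims 3 and 7 (steps S21 to S24), and not code from the patent or its assignee, the following Python builds a fuzz test case set for a single constructed Encrypt API: positive base case, generic mutations, cryptography-specific mutations, then de-duplication with the cryptography-specific cases ordered first as the higher priority. The interface specification, parameter names and mutation values are all assumptions.

```python
import json
import random

# Constructed interface spec (an assumption): the parsed parameter info step S1 would supply.
ENCRYPT_SPEC = {
    "name": "Encrypt",
    "params": {
        "key_id": {"type": "str", "normal": "key-0001"},
        "algorithm": {"type": "str", "normal": "SM4-GCM"},
        "key_length": {"type": "int", "normal": 128, "range": (128, 256)},
        "plaintext": {"type": "str", "normal": "hello"},
    },
}

def base_case(spec):
    """S21: positive basic case built from each parameter's normal value."""
    return {p: info["normal"] for p, info in spec["params"].items()}

def generic_mutations(spec, base, rng):
    """S22: random, boundary-value and special-character-injection mutations."""
    cases = []
    for p, info in spec["params"].items():
        if info["type"] == "int":
            lo, hi = info["range"]
            values = (lo - 1, hi + 1, 0, -1, rng.randint(hi + 2, 1 << 31))
        else:
            values = ("", "A" * 4096, "\"'<>&;", "%00", "\u0000")
        cases += [{**base, p: v} for v in values]
    return [("generic", c) for c in cases]

def crypto_mutations(spec, base):
    """S23: abnormal key lengths, illegal/forbidden algorithm parameters, disordered data format."""
    cases = [{**base, "key_length": v} for v in (0, 7, 56, 512, 65536)]
    cases += [{**base, "algorithm": v} for v in ("DES", "RC4", "SM4-ECB", "SM4-GCM\n")]
    cases += [{**base, "plaintext": v} for v in ("=====", json.dumps({"iv": None, "ct": "x"}))]
    return [("crypto", c) for c in cases]

def build_case_set(spec, seed=0):
    """S24: merge both pools, drop duplicates and the base case, crypto-specific cases first."""
    rng = random.Random(seed)
    base = base_case(spec)
    seen, out = set(), []
    for kind, case in crypto_mutations(spec, base) + generic_mutations(spec, base, rng):
        key = json.dumps(case, sort_keys=True)  # canonical form for de-duplication
        if key not in seen and case != base:
            seen.add(key)
            out.append({"kind": kind, "api": spec["name"], "params": case})
    return out
```

Each entry in the returned list is one request the fuzz test execution module would send (claim 4); the duplicate key_length 0 case produced by both pools is kept only once.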

Description

Technical Field

The invention relates to the technical field of cloud computing and cryptographic security assessment, and in particular to an integrated fuzz testing and compliance assessment platform and method for cloud cryptographic services, suitable for integrated automated detection and assessment of the security and compliance of cloud cryptographic services provided in API/SDK form (such as cloud key management services (KMS) and cloud digital certificate services).

Background

With the rapid development of cloud computing, cloud cryptographic services are widely used in finance, government, enterprise and other fields as core infrastructure for protecting data in cloud environments. Cloud cryptographic services are typically provided to users as APIs (application programming interfaces) or SDKs (software development kits), and include cloud key management services (KMS), cloud digital certificate services, cloud encryption and decryption services, and so on. Because a cloud cryptographic service directly handles the encryption, decryption and key management of sensitive data, its security and compliance bear directly on the security and privacy of user data. At present, the assessment of cloud cryptographic services is divided into two independent fields: security testing and compliance detection.

On the security testing side, common methods include fuzz testing and penetration testing. Fuzz testing feeds abnormal data to the service interfaces to detect security problems such as crashes and vulnerabilities, but conventional fuzzing tools are mostly general-purpose, lack test strategies customized to cryptographic characteristics, and have difficulty accurately finding the vulnerabilities specific to cloud cryptographic services (such as key management vulnerabilities and algorithm implementation defects). On the compliance detection side, detection is mainly carried out by manually comparing against national/industry compliance standards (such as GM/T 0054-2018 and GB/T 35273-2020); it is inefficient and highly subjective, and is hard to correlate with security test results, so the assessment process is fragmented and cannot comprehensively reflect the security and compliance status of the cloud cryptographic service. In addition, most existing assessment tools are single-purpose and cannot perform integrated security and compliance assessment; assessors must run several tools separately and merge the results by hand, which raises the assessment cost and makes omissions and misjudgments from manual operation likely. An assessment scheme that integrates and automates fuzz testing and compliance detection for cloud cryptographic services is therefore needed, to improve the efficiency and comprehensiveness of assessment and provide strong support for the security and compliance assurance of cloud cryptographic services.

Disclosure of Invention

To address the technical problems in the prior art, the invention provides an integrated fuzz testing and compliance assessment platform and method for cloud cryptographic services. The invention adopts the following technical scheme. The fuzz testing and compliance integrated assessment platform for cloud cryptographic services comprises: a requirement analysis module, for acquiring the API/SDK interface specification document of the cloud cryptographic service and a preset compliance standard, and parsing them to obtain interface parameter information, calling constraints and compliance detection indicators; a test case generation module, connected to the requirement analysis module, which generates basic test cases from the parsed interface parameter information, generates a fuzz test case set by expanding them with cryptographic attack characteristics and fuzz testing strategies, and generates compliance detection cases from the compliance detection indicators; a fuzz test execution module, connected to the test case generation module, for loading the fuzz test case set, establishing communication with the target cloud cryptographic service by API calls or SDK integration, executing the fuzz tests and collecting interface response data, exception logs and service state information in real time during testing; a compliance detection module, connected to the requirement analysis module, for loading the compliance detection cases and automatically checking the cryptographic algorithm selection, the key management fl