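Abstract: | As computer networks grow more developed and network data access increases daily, computers in a cloud computing architecture need to handle and access huge amounts of data, so a platform that offers fast processing speed is a necessary requirement. The Apache Software Foundation provides an open-source cloud computing platform, Hadoop, to address the problem of managing and accessing these network resources.
When developing with the Hadoop suite, developers usually bring in the Hadoop service software framework, and usually do not consider whether this framework has security problems or unknown vulnerabilities, which can lead to serious harm and loss. Therefore, whether the platform's open source code meets modern information security requirements is an important issue.
This study uses the source code scanning tools HP Fortify and Yasca to examine and verify the open-source Hadoop cloud computing platform. It finds insecure code in the Core of the Hadoop platform, classifies it by risk level, and, in order of risk severity, proposes effective recommendations and improvement methods for priority handling, in order to deal with and guard against potential information security threats.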
As computer networks become more popular, retrieving and processing large amounts of data rapidly in a cloud computing architecture becomes a definite necessity. Apache Hadoop is an open-source framework developed to meet the challenge of managing and processing internet resources.
When using the Hadoop library in development, one usually incorporates the Hadoop framework into the development library. This is usually done without considering whether the framework has any unknown structural flaws or inherent security issues. Such security weaknesses can turn into a major risk and cause significant loss later on. Therefore, whether or not the open-source code meets modern requirements for information security becomes an important issue.
This study examines the Apache Hadoop framework using HP Fortify and Yasca to identify any unsafe code within the Hadoop Common set of utilities. Each security risk is categorized by its severity. For each category, we propose suggestions for developing a process to handle the security problems and to enhance the security of the software. |