CN111177727A - Vulnerability detection method and device - Google Patents


Info

Publication number
CN111177727A
Authority
CN
China
Prior art keywords
detection result
vulnerability
information
stack
current page
Prior art date
Legal status
Pending
Application number
CN201910900010.3A
Other languages
Chinese (zh)
Inventor
李振环
陈楠
刘深荣
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201910900010.3A
Publication of CN111177727A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034 Test or assess a computer or a system

Abstract

The embodiments of the disclosure provide a vulnerability detection method and a vulnerability detection device in the technical field of computers. The method comprises the following steps: acquiring the memory-associated information required for vulnerability operation; if an access operation of a target application to the current page is detected, checking preset information of the current page against the memory-associated information to obtain a detection result; and if the detection result is determined to be illegal, determining that a vulnerability exists in the current page. The technical scheme of the embodiments of the disclosure can discover vulnerabilities promptly and quickly, and improves security.

Description

Vulnerability detection method and device
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a vulnerability detection method and a vulnerability detection apparatus.
Background
With the continuous development of internet technology, network security receives more and more attention. How to promptly find browser vulnerabilities that the vendor has not yet discovered, but for which hackers have already designed exploit code and embedded it into web pages, is a problem that urgently needs to be solved.
In the related art, in order to find a vulnerability in time, the start-up process information associated with the browser process is acquired, and it is checked whether that information meets a preset abnormal condition. However, this method lags and is limited: the attack is likely to be discovered only after the hacker has completed it; in addition, hackers can easily evade the method simply by not carrying out the attack through creating a new process, so the vulnerability cannot be detected accurately.
In view of the above, there is a need in the art to develop a new vulnerability detection method.
It is to be noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the present application and therefore may include information that does not constitute prior art known to a person of ordinary skill in the art.
Disclosure of Invention
The embodiments of the disclosure provide a vulnerability detection method and a vulnerability detection device, so that whether the current page has a vulnerability can, at least to a certain extent, be detected promptly and accurately, improving the efficiency and accuracy of vulnerability detection.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows, or in part will be obvious from the description, or may be learned by practice of the disclosure.
According to an aspect of the embodiments of the present disclosure, a vulnerability detection method is provided, which includes: acquiring memory associated information required by vulnerability operation; if the access operation of the target application to the current page is detected, detecting the preset information of the current page according to the memory associated information to obtain a detection result; and if the detection result is determined to be illegal, determining that the vulnerability exists in the current page.
According to an aspect of the present disclosure, there is provided a vulnerability detection apparatus, including: the information acquisition module is used for acquiring the memory associated information required by the vulnerability operation; the detection result determining module is used for detecting the preset information of the current page according to the memory associated information to acquire a detection result if the access operation of the target application to the current page is detected; and the vulnerability determining module is used for determining that the vulnerability exists in the current page if the detection result is determined to be illegal.
In an exemplary embodiment of the present disclosure, the preset information includes a caller; based on the scheme, the detection result determining module comprises: the caller detection module is used for detecting the caller according to the memory associated information to obtain a first detection result for indicating whether the caller is legal or not; and the first determining module is used for determining that the detection result is illegal if the first detection result is that the caller is illegal.
In an exemplary embodiment of the disclosure, based on the foregoing solution, the caller detection module includes: a return address determining module, configured to obtain a return address through the stack frame; and the first detection result determining module is used for acquiring a previous instruction of the return address and judging whether the previous instruction is a call instruction or not so as to determine the first detection result.
In an exemplary embodiment of the present disclosure, the preset information includes a call stack; based on the scheme, the detection result determining module comprises: a call stack detection module, configured to detect the call stack according to the memory association information if the first detection result indicates that the caller is legal, so as to obtain a second detection result used for indicating whether the call stack is legal; and the second determining module is used for determining that the detection result is illegal if the second detection result is that the call stack is illegal.
In an exemplary embodiment of the present disclosure, based on the foregoing solution, the call stack detection module includes: a historical stack frame acquisition module, configured to acquire the historical stack frames through the current stack frame; a second detection result determining module, configured to determine that the second detection result is that the call stack is legal if every historical stack frame is detected to lie within the limit range of the current thread's stack; and a second detection result generation module, configured to determine that the second detection result is that the call stack is illegal if any of the historical stack frames is detected to lie outside the limit range of the current thread's stack.
In an exemplary embodiment of the present disclosure, based on the foregoing solution, the call stack detection module includes: a historical return address acquisition module, configured to acquire the historical return addresses through the current stack frame; and an attribute judging module, configured to check each historical return address and to determine that the second detection result is that the call stack is illegal when any historical return address is located in a memory page whose attribute is non-executable.
In an exemplary embodiment of the present disclosure, based on the foregoing scheme, after determining that the vulnerability exists in the current page, the apparatus further includes: an execution prohibition module, configured to send the information of the current page and the information of the target application to a server, and to store the information of the current page in an execution-prohibition list, so that the current page is prohibited from executing.
In an exemplary embodiment of the present disclosure, based on the foregoing solution, the apparatus further includes: and the continuous execution module is used for continuously executing the current page if the detection result is determined to be legal.
In an exemplary embodiment of the present disclosure, based on the foregoing solution, the apparatus further includes: and the information early warning module is used for providing prompt information for reminding the detection result to carry out early warning if the detection result is determined to be illegal.
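The two call-stack checks described in the embodiments above (every historical stack frame within the current thread's stack limits, and every historical return address on an executable page) can be illustrated with the following added example. It is not code from the patent or from Tencent: it walks a saved-EBP frame chain in a constructed 32-bit memory layout, and the stack limits, the region table, the frame contents and the enum names are all assumptions made for the simulation. On a real system the thread's stack bounds and the page attributes would be queried from the operating system rather than from these tables.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 32-bit address-space layout (assumed values, not from any real process). */
#define STACK_LIMIT 0x00100000u  /* lowest address of the thread's stack */
#define STACK_BASE  0x00110000u  /* one past the highest address of the thread's stack */
#define STACK_WORDS ((STACK_BASE - STACK_LIMIT) / 4u)

typedef struct { uint32_t start, end; bool executable; } region_t;

/* Assumed memory map: the browser's code section, a heap and the thread stack. */
static const region_t g_regions[] = {
    { 0x00401000u, 0x00450000u, true  },  /* browser code section: executable */
    { 0x02000000u, 0x03000000u, false },  /* heap (where a sprayed ROP chain would sit): not executable */
    { STACK_LIMIT,  STACK_BASE,  false },  /* thread stack: not executable */
};

static uint32_t g_stack[STACK_WORDS];  /* backing store of the simulated thread stack */

/* Page-attribute check: does the address lie in an executable region? */
static bool addr_is_executable(uint32_t addr)
{
    for (size_t i = 0; i < sizeof g_regions / sizeof g_regions[0]; i++)
        if (addr >= g_regions[i].start && addr < g_regions[i].end)
            return g_regions[i].executable;
    return false;  /* unmapped addresses are never executable */
}

/* Read a word from the simulated stack; fails outside [STACK_LIMIT, STACK_BASE). */
static bool stack_read(uint32_t addr, uint32_t *out)
{
    if (addr < STACK_LIMIT || addr > STACK_BASE - 4u || (addr & 3u))
        return false;
    *out = g_stack[(addr - STACK_LIMIT) / 4u];
    return true;
}

static void stack_write(uint32_t a, uint32_t v) { g_stack[(a - STACK_LIMIT) / 4u] = v; }

/* Verdicts: legal; a frame outside the thread's stack limits; a return address on a
 * non-executable page; a chain longer than max_frames (treated as suspicious). */
enum stack_verdict { STACK_LEGAL, STACK_FRAME_OUT_OF_RANGE, STACK_RET_NOT_EXECUTABLE, STACK_TOO_DEEP };

/* Second-type detection: walk the saved-EBP chain from the current frame.
 * Each frame holds the caller's EBP at [EBP] and the return address at [EBP+4]. */
enum stack_verdict check_call_stack(uint32_t ebp, unsigned max_frames)
{
    for (unsigned depth = 0; depth < max_frames; depth++) {
        if (ebp == 0)
            return STACK_LEGAL;  /* end of chain: the thread entry frame */
        uint32_t saved_ebp, ret_addr;
        if (!stack_read(ebp, &saved_ebp) || !stack_read(ebp + 4u, &ret_addr))
            return STACK_FRAME_OUT_OF_RANGE;
        if (!addr_is_executable(ret_addr))
            return STACK_RET_NOT_EXECUTABLE;
        /* Extra safeguard (not in the patent text): frames must move toward the stack base. */
        if (saved_ebp != 0 && saved_ebp <= ebp)
            return STACK_FRAME_OUT_OF_RANGE;
        ebp = saved_ebp;
    }
    return STACK_TOO_DEEP;
}

static void push_frame(uint32_t ebp, uint32_t saved_ebp, uint32_t ret_addr)
{
    stack_write(ebp, saved_ebp);
    stack_write(ebp + 4u, ret_addr);
}

/* Three constructed call stacks: a normal one, one whose frame chain was pivoted
 * into the heap, and one whose return address points into the heap. */
enum stack_verdict demo_legal_stack(void)
{
    memset(g_stack, 0, sizeof g_stack);
    push_frame(0x0010FF00u, 0u,          0x00401234u);
    push_frame(0x0010FE00u, 0x0010FF00u, 0x00402000u);
    push_frame(0x0010FD00u, 0x0010FE00u, 0x00403000u);
    return check_call_stack(0x0010FD00u, 64);
}

enum stack_verdict demo_pivoted_stack(void)
{
    memset(g_stack, 0, sizeof g_stack);
    push_frame(0x0010FD00u, 0x02001000u, 0x00403000u);  /* saved EBP points into the heap */
    return check_call_stack(0x0010FD00u, 64);
}

enum stack_verdict demo_heap_return(void)
{
    memset(g_stack, 0, sizeof g_stack);
    push_frame(0x0010FE00u, 0u,          0x00401234u);
    push_frame(0x0010FD00u, 0x0010FE00u, 0x02000500u);  /* return address in the non-executable heap */
    return check_call_stack(0x0010FD00u, 64);
}

int main(void)
{
    static const char *names[] = { "legal", "frame out of range", "return not executable", "too deep" };
    printf("normal stack:  %s\n", names[demo_legal_stack()]);
    printf("pivoted stack: %s\n", names[demo_pivoted_stack()]);
    printf("heap return:   %s\n", names[demo_heap_return()]);
    return 0;
}
```

The walk stops at the first violation, matching the embodiment's rule that one out-of-range frame or one non-executable return address is enough to call the call stack illegal; a frame-chain limit is included because a corrupted chain may never reach a zero saved EBP.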
In the technical solutions provided in some embodiments of the present disclosure, when an access operation of a target application to the current page is detected, the preset information of the current page may be checked against the acquired memory-associated information required for vulnerability operation, so as to determine whether a vulnerability exists in the current page according to whether the detection result is legal. On the one hand, the preset information of the current page is judged directly against the memory-associated information required for vulnerability operation, which avoids the lag of vulnerability detection in the related art: the vulnerability can be detected and intercepted at the level of its execution mechanism, found promptly and quickly, and the attack made to fail, so that detection efficiency is improved and limitations are reduced. On the other hand, because the current page is checked through the memory-associated information, the vulnerability can be detected in time, the hacker's attack can be found and prevented in time, and information security is protected.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure. It is to be understood that the drawings in the following description are merely exemplary of the disclosure, and that other drawings may be derived from those drawings by one of ordinary skill in the art without the exercise of inventive faculty. In the drawings:
fig. 1 shows a schematic diagram of an exemplary system architecture to which technical aspects of embodiments of the present disclosure may be applied;
fig. 2 schematically shows a flow diagram of a vulnerability detection method according to an embodiment of the present disclosure;
FIG. 3 schematically illustrates a hacker performing a vulnerability attack according to one embodiment of the disclosure;
FIG. 4 schematically illustrates a first detection of a current page according to one embodiment of the present disclosure;
FIG. 5 schematically illustrates a second detection of a current page according to an embodiment of the present disclosure;
FIG. 6 schematically shows a schematic diagram of determining a second detection result from a historical stack frame according to one embodiment of the present disclosure;
FIG. 7 schematically illustrates a schematic diagram of an architecture for vulnerability detection, according to one embodiment of the present disclosure;
FIG. 8 schematically illustrates a flow diagram for vulnerability detection according to one embodiment of the present disclosure;
FIG. 9 schematically illustrates a block diagram of a vulnerability detection apparatus, according to one embodiment of the present disclosure;
FIG. 10 illustrates a schematic structural diagram of a computer system suitable for use in implementing an electronic device of an embodiment of the present disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the subject matter of the present disclosure can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and so forth. In other instances, well-known methods, devices, implementations, or operations have not been shown or described in detail to avoid obscuring aspects of the disclosure.
The block diagrams shown in the figures are functional entities only and do not necessarily correspond to physically separate entities. I.e. these functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor means and/or microcontroller means.
The flow charts shown in the drawings are merely illustrative and do not necessarily include all of the contents and operations/steps, nor do they necessarily have to be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the actual execution sequence may be changed according to the actual situation.
In view of the problems in the related art, the embodiments of the present disclosure first provide a vulnerability detection method, which may be used in any vulnerability detection scenario, for example, a vulnerability detection scenario when a certain browser or a certain application runs a malicious page provided by a hacker server, and the like.
Fig. 1 shows a schematic diagram of an exemplary system architecture to which the technical solutions of the embodiments of the present disclosure may be applied.
As shown in fig. 1, the system architecture 100 may include a client 101, a network 102, a server 103, a server 104, and a server 105. The client 101 may be a terminal device having a display screen and capable of connecting to a network to access pages or run an application program, such as a portable computer, a desktop computer or a smart phone; a browser is installed on the client 101, and a browser plug-in is installed in the browser, so that vulnerability detection can be performed through the plug-in. The network 102 is the medium used to provide communication links between the client 101 and the server 103, or between the client 101 and the server 105. The network 102 may include various types of connections, such as wired communication links, wireless communication links and so on; in embodiments of the present disclosure, the network 102 between the client 101 and the server 103, and between the client 101 and the server 105, may be a wired communication link, such as one provided by a serial connection line, or a wireless communication link, such as one provided by a wireless network.
It should be understood that the number of clients, networks, and servers in FIG. 1 is merely illustrative. There may be any number of clients, networks, and servers, as desired for an implementation. For example, server 103 and server 105 may be a server cluster composed of a plurality of servers.
In one embodiment of the present disclosure, a browser or an application runs on the client 101 and accesses a page while running. A plug-in is also installed in the browser on the client and performs vulnerability detection while the browser runs; the plug-ins of different browsers may be the same or different. The server 103 may be the server corresponding to a URL entered into the browser or to a link. The server 104 may be a hacker server, that is, attack server software that, for example, hosts malicious pages used for attacks. The server 105 may be a security server: when a vulnerability is detected, the client 101 may send the information of the accessed page and of the browser to the server 105 through the network 102, so that the server 105 performs subsequent processing.
It should be noted that the vulnerability detection method provided by the embodiment of the present disclosure is generally executed by a plug-in installed on a browser in the client 101, and accordingly, the vulnerability detection apparatus is generally disposed in the client 101. However, in other embodiments of the present disclosure, the server may also have a similar function as the client, so as to execute the vulnerability detection method provided by the embodiments of the present disclosure.
Fig. 2 schematically shows a flowchart of a vulnerability detection method according to an embodiment of the present disclosure, which may be performed by a plug-in with vulnerability detection function installed on a browser in a client. Referring to fig. 2, the vulnerability detection method at least includes steps S210 to S230, wherein:
in step S210, obtaining memory associated information required for vulnerability operation;
in step S220, if an access operation of a target application to a current page is detected, detecting preset information of the current page according to the memory associated information to obtain a detection result;
in step S230, if it is determined that the detection result is illegal, it is determined that the vulnerability exists in the current page.
According to the technical scheme of the embodiments of the disclosure, on the one hand, since the judgment is made directly against the memory-associated information required for vulnerability operation, the lag of vulnerability detection in the related art is avoided, and detection and interception can be carried out at the level of the execution mechanism, so that the vulnerability can be found promptly and quickly, detection efficiency is improved, and limitations are reduced. On the other hand, because the current page is checked through the memory-associated information, the vulnerability can be detected in time, the hacker's attack can be found and prevented in time, and information security is protected.
Next, a vulnerability detection method in the embodiments of the present disclosure will be described in detail with reference to the accompanying drawings.
In step S210, the memory-associated information required for vulnerability operation is obtained.
In the embodiments of the present disclosure, a vulnerability is a defect in hardware, software, a specific implementation of a protocol, or a system security policy that allows an attacker to access or damage a system without authorization. The vulnerability in the embodiments refers to a browser 0day vulnerability: before the vendor has discovered the browser's vulnerability (that is, before the vendor has released a corresponding patch), a hacker designs malicious code targeting the undiscovered vulnerability and embeds it into a web page, and when a user unknowingly opens that web page, the hacker attacks through the user's browser.
The memory-associated information may include memory-related functions, which are necessary to describe the vulnerability. Specifically, the memory-related functions may be intercepted using the Hook technique; these are the functions a hacker must use to exploit the vulnerability, that is, the functions required for vulnerability operation. Specific memory-related functions include, but are not limited to: VirtualAlloc, VirtualAllocEx, VirtualProtect, VirtualProtectEx, and the like.
There are many Hook techniques for intercepting the memory-related functions; for example, they may include, but are not limited to, the Inline Hook technique and the IAT Hook technique. The Inline Hook technique specifically comprises: modifying the instruction at the head of the function to jmp xxx, executing one's own code at location xxx, and finally returning to the code below the jmp xxx in the original function to continue execution. The IAT Hook technique specifically comprises: directly modifying the function table of the browser's import table, replacing the target function's entry with the address of one's own function, so that when the browser calls the imported function it jumps to one's own function instead.
In step S220, if the access operation of the target application to the current page is detected, the preset information of the current page is detected according to the memory associated information, so as to obtain a detection result.
In the embodiments of the present disclosure, the target application refers to the client software used by a user to browse web pages; it may be, for example, a browser or any other application program that provides web browsing. When a user accesses a hacker server through the target application, the user is attacked. The embodiments take a browser as the target application for explanation. The current page refers to the web page being accessed by the target application; it may be a malicious page or another type of abnormal page. A malicious page is a web page file containing 0day exploit malicious code; it may be a page prepared in advance by the hacker on a hacker server for the browser to run. The hacker server refers to server software used to attack users, on which the malicious page is stored.
When the browser runs the malicious page, a hacker may perform a ROP (Return-Oriented Programming) attack through the malicious page. A ROP attack exploits the return addresses on the stack. ROP is a hacking exploit technique whose main objective is to bypass the DEP (Data Execution Prevention) and CFG protections of the browser, and to achieve the goal of invoking any function by constructing a ROP chain and using the ret instruction.
DEP is a set of software and hardware techniques that perform additional checks on memory to help prevent malicious code from running on the system, in particular by preventing code from executing from data pages. Typically, code is not executed from the default heap or the stack. Hardware-enforced DEP detects code running from these locations and raises an exception when it finds such execution. Software-enforced DEP helps prevent malicious code from abusing the exception handling mechanisms in Windows.
Fig. 3 schematically shows a flow diagram of a vulnerability attack. Referring to fig. 3, while a browser is running a malicious page, the flow of a hacker executing a ROP attack specifically includes the following steps:
Step S310, constructing the vulnerability ROP chain: through the heap spray technique, that is, creating controllable data objects such as Array and TypedArray in batches, a continuous controllable section of memory is built up, and the required data is filled into it and used as the ROP chain. The ROP chain usually contains a series of code addresses that do not point to a certain function but to instruction fragments that exist in the browser itself and are carefully selected by the hacker, such as pop xxx, push xxx, jmp xxx, ret and so on; by combining these instruction fragments the hacker can bypass the DEP and CFG protections and execute shellcode. Shellcode is a code segment executed by exploiting a software vulnerability, in the form of hexadecimal machine code. After the EIP register has been overwritten through an overflow, a section of shellcode machine code that the CPU can execute can be supplied, so that the computer executes any instruction of the attacker.
Step S320, vulnerability triggering: different 0day vulnerabilities have different triggering methods; the purpose is to cause memory corruption and achieve the goal of modifying memory at an arbitrary address.
Step S330, controlling the EIP register: after the vulnerability is triggered in the previous step, the hacker directs EIP to the ROP chain. This step is usually carried out by methods such as stack pivoting and fake virtual function tables, so as to reach a call [eax+0xX] or ret instruction target.
The EIP register stores the address of the next instruction the CPU will read; the CPU reads the instruction to be executed through the EIP register. The value of the EIP register is incremented each time the CPU has executed the corresponding assembly instruction.
Step S340, executing the vulnerability ROP chain: this step carries out the ROP. At this point the browser enters the ROP chain constructed by the hacker and continues executing along the instruction fragments of the ROP chain; it no longer runs according to the browser's normal logic, and the hacker has initially achieved control over the program flow.
Step S350, ROP jumps: this is the execution process of ROP. Since the instruction fragments in the browser that meet the needs of the hacker's ROP chain do not exist contiguously at one address but are scattered across different functions, the hacker has to keep jumping with the ret instruction; the reason the call instruction is not used is the existence of CFG.
After the ROP jumps, in order to finish the ROP attack the hacker must execute predetermined operations to bypass Data Execution Prevention (DEP). The predetermined operation may be modifying a memory attribute, which is done by executing a memory-related function. The modified memory attribute may be, for example: the original memory attribute "non-executable" modified to "executable"; or the original memory attribute "non-writable" modified to "writable", where "non-writable" may specifically be "readable" or "executable" and the like.
Based on this, in the process of bypassing DEP, the hacker necessarily enters a memory-related function that has been intercepted with the Hook technique. Therefore the detection module is mounted on the key functions of the browser using the Hook technique, and the vulnerability detection process is executed through the intercepted memory-related function.
The preset information may include either a caller or a call stack, and according to the difference in preset information the vulnerability detection process may be divided into two processes, a first type of detection and a second type of detection. Correspondingly, the first type of detection includes but is not limited to caller detection, and the second type of detection includes but is not limited to call stack detection. When performing vulnerability detection, only one of the first type and the second type of detection may be executed, or both may be executed in sequence; the choice can be made according to actual requirements, and executing both improves the accuracy of vulnerability detection. The detection result may be determined from the first detection result alone, or from both the first and the second detection result, and is not particularly limited here.
Fig. 4 schematically shows a first detection on the current page. Referring to fig. 4, the method mainly includes step S410 and step S420, where:
in step S410, the caller is detected according to the memory-related information, so as to obtain a first detection result indicating whether the caller is legal.
In the embodiment of the present disclosure, a caller refers to a domain in which a function is called, and may be understood as a function itself. For example, function A calls function B, and function A is the caller. The caller may be detected using the frame return address to determine whether the caller is legitimate, thereby obtaining a first detection result. Specifically, the step of obtaining the first detection result by using the frame return address may include: first, a return address is obtained through a stack frame. The return address refers to an instruction address of the main program which continues to execute after returning from the subprogram, so that the return address is an address of an instruction which follows the call instruction in the main program. Specifically, the return address of the stack may be obtained by the stack frame. The stack frame is a recording unit of related information related to each function call stored on the user stack. The stack frames represent function call records of the program, and not all stack frames are the same size. Based on this, the return address of the stack can be found by stack frame [ ESP ] or [ EBP +4 ]. Wherein, the stack frame [ ESP ] is an ESP register, which is specially used to store the stack top address to point to the top of the current stack frame, i.e. the stack top pointer of the current function. The function frame (current frame) represented by the stack top is the function currently being called. The stack frame [ EBP +4] is a register EBP +4, and the EBP register is used for storing a frame pointer, namely a pointer for storing the head address of each frame. Here, stack frame [ EBP +4] is used to indicate a return address. Thus, the return address of the stack may be found through the top register or return address register of the current stack frame.
Secondly, the instruction preceding the return address is obtained, and whether that preceding instruction is a call instruction is judged in order to determine the first detection result. Because the return address is the address of the instruction after the call instruction, in a normal call process the instruction immediately before the return address is a call instruction: every call instruction pushes the address of the instruction that follows it. Whether the instruction before the return address is a call instruction can be determined by comparing instruction encodings or by the instruction's opcode number. If the preceding instruction is determined to be a call instruction, the call process can be considered free of anomalies, and the first detection result can be that the caller is legal. If the preceding instruction is determined not to be a call instruction, it can be considered that a RET jump was used and a ROP attack is in progress. A RET jump goes directly back to the instruction after the most recent call instruction, not to the instruction after the first call; for example, if one function calls another, a RET jump is used after execution to return to the original function. When exploiting a vulnerability, a hacker chains RET jumps repeatedly in order to execute instruction fragments located at discontinuous addresses, which is what the hacker's ROP chain requires. Since a RET jump is determined to have occurred, the call can be considered to have been made by the hacker rather than by the function itself, and the first detection result at this time may be that the caller is illegal.
In step S420, if the first detection result is that the caller is illegal, it is determined that the detection result is illegal.
In the embodiment of the present disclosure, if it is determined that the instruction preceding the return address is not a call instruction, the first detection result is that the caller is illegal; for example, the caller is a hacker rather than the function itself, and is therefore considered illegal. Because the caller has been determined to be illegal, there is no need to further judge whether other parameters and operations are legal, and the final detection result for the preset information can be determined to be illegal directly from the illegal caller.
In the embodiment of the disclosure, the caller detection is performed in the memory-related function, that is, the first detection result is obtained by detecting the caller through the memory-related function, and whether the detection result is legal is then determined from it, so that vulnerability detection can be performed more accurately and more timely.
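The caller check of steps S410 and S420 (is the instruction just before the return address a CALL?), as an added C example that is not part of the patent or of Tencent's plug-in. The byte buffer is constructed, the CALL encodings covered are the common x86-32 forms, and the function names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Length of the x86-32 CALL instruction that starts at p and fits in n
 * bytes, or 0 if p does not start with a CALL. Covers the common forms:
 * E8 rel32, 9A ptr16:32, and FF /2 (near) or FF /3 (far) with any ModRM. */
static size_t call_length_at(const uint8_t *p, size_t n)
{
    if (n >= 5 && p[0] == 0xE8) return 5;              /* call rel32 */
    if (n >= 7 && p[0] == 0x9A) return 7;              /* call far ptr16:32 */
    if (n >= 2 && p[0] == 0xFF) {
        uint8_t mod = p[1] >> 6, reg = (p[1] >> 3) & 7, rm = p[1] & 7;
        if (reg != 2 && reg != 3) return 0;            /* not a CALL form of FF */
        if (mod == 3) return 2;                        /* call reg */
        size_t len = 2;
        if (rm == 4) {                                 /* SIB byte follows */
            len += 1;
            if (mod == 0 && n >= 3 && (p[2] & 7) == 5) len += 4; /* no base: disp32 */
        } else if (mod == 0 && rm == 5) {
            len += 4;                                  /* call [disp32] */
        }
        if (mod == 1) len += 1;                        /* disp8 */
        if (mod == 2) len += 4;                        /* disp32 */
        return n >= len ? len : 0;
    }
    return 0;
}

/* First detection (caller check): the CALL that pushed the return address
 * must end exactly at ret_off, so some CALL encoding of length 2..7 must
 * start at ret_off - len. A return address reached by a RET chain (ROP)
 * generally has no such CALL in front of it. 'code' is the byte image of
 * the code region and ret_off the offset of the return address within it. */
bool caller_is_legal(const uint8_t *code, size_t ret_off)
{
    for (size_t len = 2; len <= 7; len++) {
        if (ret_off < len) continue;
        if (call_length_at(code + ret_off - len, len) == len) return true;
    }
    return false;
}

/* Constructed sample code bytes (not taken from any real binary):
 *   off  0: E8 00 00 00 00      call rel32        (next instruction at 5)
 *   off  5: 90                  nop
 *   off  6: FF D0               call eax          (next instruction at 8)
 *   off  8: FF 15 44 33 22 11   call [0x11223344] (next instruction at 14)
 *   off 14: 58                  pop eax           <- a typical ROP gadget
 *   off 15: C3                  ret                                        */
const uint8_t SAMPLE_CODE[] = {
    0xE8, 0x00, 0x00, 0x00, 0x00,
    0x90,
    0xFF, 0xD0,
    0xFF, 0x15, 0x44, 0x33, 0x22, 0x11,
    0x58, 0xC3,
};

int main(void)
{
    /* 5, 8 and 14 follow a CALL; 6 follows a NOP, 15 follows a gadget
     * byte, 3 points into the middle of an instruction. */
    const size_t probes[] = {5, 8, 14, 6, 15, 3};
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("return address at offset %2zu: caller %s\n", probes[i],
               caller_is_legal(SAMPLE_CODE, probes[i]) ? "legal" : "illegal");
    return 0;
}
```

The check only confirms that a plausible CALL ends at the return address, which is why the patent combines it with the call-stack checks of the second detection rather than relying on it alone.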
Fig. 5 schematically illustrates performing the second detection on the current page. Referring to fig. 5, the second detection mainly includes step S510 and step S520, where:
in step S510, if the first detection result is that the caller is legal, the call stack is detected according to the memory association information, so as to obtain a second detection result used for indicating whether the call stack is legal.
In the embodiment of the present disclosure, in addition to the caller, the preset information of the current page may further include the call stack. The detection can be carried out on the caller alone, or on the call stack as well when the caller check finds nothing abnormal; that is, the call stack is used on condition that the caller check has not detected anything. If the caller is determined to be legal through the return address and the instruction preceding it, the detection process can continue with the call stack based on the memory association information, so that a second detection result describing whether the call stack is legal is obtained. When determining the second detection result, whether the call stack is legal can be determined from history information, which improves accuracy. The history information may include at least one of a history stack frame and a history return address.
Fig. 6 schematically shows a flowchart for determining the second detection result from the history stack frames. Referring to fig. 6, whether the call stack is legal is determined from the history stack frames, which specifically includes steps S610 to S630, where:
in step S610, a history stack frame is acquired through the current stack frame.
In the embodiment of the present disclosure, a stack frame represents one function call record of the program, that is, the unit of the user stack that records the information related to one function call. The current stack frame is the current function call record, and a history stack frame is a past function call record. Specifically, the history stack frames can be obtained by stack backtracking. The principle of stack backtracking is as follows: using EBP and the return addresses of the functions, the function call relationships of the whole process can be traced back step by step. For example, when function A calls function B, the EBP value of the called function B is the address of the memory location that stores the EBP value of the calling function A. Tracing back from function B, the EBP of function A is obtained through the EBP of function B, and the return address stored next to it in memory is also read out, so that the key function in which the call is located can be identified from the return address. The position can thus be located quickly through stack backtracking.
In the embodiment of the present disclosure, because by compiler convention [EBP] stores the EBP of the previous (calling) layer and [EBP+4] stores the return address, all history stack frames (EBP values) and return addresses can be traced back from the EBP of the current stack frame, so that the history stack frames corresponding to the current stack frame are obtained quickly and accurately.
In step S620, if it is detected that each history stack frame is within the limit range of the current thread, it is determined that the second detection result is that the call stack is legal.
In the embodiment of the present disclosure, the thread in which each history stack frame is located may be determined, so that whether the call stack is legal is judged from the thread in which the history stack frames are located. Specifically, the thread of each history stack frame is obtained, and it is judged whether it is within the limit range of the current thread. The current thread is the thread that is executing, and it may include multiple stack frames. Therefore, the limit range of the current thread is the limit range of the stack frames corresponding to the current thread, and it can be represented specifically by StackBase to StackLimit, where StackBase represents the stack base address, StackLimit represents the stack limit, and together they represent the range of the current thread's stack in memory. If a history stack frame matches one of the stack frames corresponding to the current thread, that history stack frame can be considered to be within the limit range of the current thread. Whether all history stack frames are within the limit range of the current thread can be judged one by one or simultaneously with the same matching method. It should be noted that when all history stack frames are within the limit range of the current thread, no call stack outside the limit range has been used, and the call stack can therefore be determined to be legal. For example, if history stack frames A, B and C are all within the limit range of the stack frames included in the current thread, the second detection result describing the call stack can be determined to be that the call stack is legal.
In step S630, if it is detected that among all the history stack frames there is a history stack frame that is not within the limit range of the current thread, it is determined that the second detection result is that the call stack is illegal.
In the embodiment of the present disclosure, the existence of a history stack frame that is not within the limit range of the current thread means that not all history stack frames are within the limit range of the current thread. As in step S620, the thread in which each history stack frame is located is obtained, and it is judged whether it is within the limit range of the stack frames corresponding to the current thread. If a history stack frame matches one of the stack frames corresponding to the current thread, it is considered to be within the limit range of the current thread; if it matches none of the stack frames corresponding to the current thread, it is not considered to be within the limit range of the current thread. If at least one history stack frame among all the history stack frames matches none of the stack frames corresponding to the current thread, a call stack outside the limit range can be considered to have been used, and the call stack can therefore be determined to be illegal. For example, if history stack frames A, B and C are all within the limit range of the stack frames included in the current thread, but history stack frame D is not, the second detection result describing the call stack may be determined to be that the call stack is illegal.
Continuing to refer to fig. 5, in step S520, if the second detection result is that the call stack is illegal, it is determined that the detection result is illegal.
In the embodiment of the present disclosure, since the detection result may be determined from the caller alone or from the caller combined with the call stack, if the second detection result describing the call stack is illegal while the first detection result is legal, the detection result may be directly determined to be illegal. If the second detection result describing the call stack is legal while the first detection result is legal, the detection result can be determined to be legal.
In addition, the second detection result may be determined from the return addresses in the history information. This specifically includes the following steps: obtaining the history return addresses through the current stack frame; and checking each history return address, and when the memory page in which a history return address is located is found to have the non-executable attribute, determining that the second detection result is that the call stack is illegal. A history return address is a return address from a past call, and a return address can be represented by [EBP+4]. The history return addresses can be obtained from the current stack frame by stack backtracking; the memory page in which each history return address is located is then determined, and the execution state of that page's attribute is determined, where the execution state may be executable or non-executable. After the execution state of the memory page attribute is determined, the second detection result may be obtained from it. Specifically, the execution states of the attributes of the memory pages in which all the history return addresses are located are determined, and whether each history return address is executable is judged. If the memory pages of all history return addresses are executable, the second detection result is determined to be that the call stack is legal. If the memory pages of the history return addresses are not all executable (that is, the memory page of at least one history return address is non-executable), the non-executable page indicates that the call process is abnormal, and the second detection result is therefore determined to be that the call stack is illegal.
Note that detection by history return address is performed on the basis that the caller is legitimate; if the caller is illegitimate, the history return addresses need not be checked. In the embodiment of the present disclosure, the second detection result can be determined more accurately and more quickly from the attribute of the memory page of each history return address.
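The second detection as described in steps S610 to S630 and in the history return address check above: an EBP backtrace that requires every history frame to lie within StackLimit..StackBase and every history return address to sit in an executable page. This is an added C example, not code from the patent or from Tencent's plug-in; the stack contents, address ranges and page map are constructed, and the ordering check that caller frames sit at higher addresses is an addition beyond the text.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one 32-bit thread stack. Word i lives at address
 * STACK_LIMIT + 4*i; the valid range is StackLimit..StackBase as in the
 * patent's description (the stack grows down from StackBase). */
#define STACK_WORDS 32
#define STACK_LIMIT 0x00100000u
#define STACK_BASE  (STACK_LIMIT + 4u * STACK_WORDS)

typedef struct { uint32_t words[STACK_WORDS]; } Stack;

/* Constructed page map (hypothetical addresses) used to look up the
 * executable attribute of the page holding each history return address. */
typedef struct { uint32_t start, end; bool executable; } Page;
static const Page PAGES[] = {
    { 0x00401000u, 0x00402000u, true  },   /* code of the "browser" */
    { 0x7c800000u, 0x7c900000u, true  },   /* code of a "system DLL" */
    { 0x0a000000u, 0x0a001000u, false },   /* heap-sprayed data: not executable */
};

static bool in_stack(uint32_t addr)
{
    return addr >= STACK_LIMIT && addr <= STACK_BASE - 4u;
}

static bool read_word(const Stack *s, uint32_t addr, uint32_t *out)
{
    if (!in_stack(addr) || (addr & 3u)) return false;
    *out = s->words[(addr - STACK_LIMIT) / 4u];
    return true;
}

static bool page_executable(uint32_t addr)
{
    for (size_t i = 0; i < sizeof PAGES / sizeof PAGES[0]; i++)
        if (addr >= PAGES[i].start && addr < PAGES[i].end) return PAGES[i].executable;
    return false;   /* unmapped address: treated as not executable */
}

typedef enum { STACK_LEGAL, FRAME_OUTSIDE_THREAD, RETURN_NOT_EXECUTABLE } Verdict;

/* Second detection: backtrace the EBP chain from the current frame.
 * [EBP] is the caller's saved EBP and [EBP+4] the return address. Every
 * history frame must lie inside StackLimit..StackBase and every history
 * return address must be in an executable page. The walk stops at a saved
 * EBP of 0 (outermost frame) or after max_frames, so a cyclic chain cannot
 * loop forever. Frames built without a frame pointer are not handled. */
Verdict second_detection(const Stack *s, uint32_t ebp, unsigned max_frames)
{
    for (unsigned i = 0; i < max_frames && ebp != 0; i++) {
        uint32_t saved_ebp, ret;
        if (!read_word(s, ebp, &saved_ebp)) return FRAME_OUTSIDE_THREAD;
        if (!read_word(s, ebp + 4u, &ret)) return FRAME_OUTSIDE_THREAD;
        if (!page_executable(ret)) return RETURN_NOT_EXECUTABLE;
        /* extra sanity check beyond the patent: the caller's frame sits higher */
        if (saved_ebp != 0 && saved_ebp <= ebp) return FRAME_OUTSIDE_THREAD;
        ebp = saved_ebp;
    }
    return STACK_LEGAL;
}

static uint32_t addr_of(size_t idx) { return STACK_LIMIT + 4u * (uint32_t)idx; }

/* Lay out a legal three-frame chain: frame@4 -> frame@12 -> frame@24 -> 0.
 * Each frame holds the saved EBP followed by the return address. */
static uint32_t build_legal_chain(Stack *s)
{
    memset(s, 0, sizeof *s);
    s->words[4]  = addr_of(12); s->words[5]  = 0x00401234u;
    s->words[12] = addr_of(24); s->words[13] = 0x7c801000u;
    s->words[24] = 0;           s->words[25] = 0x00401800u;
    return addr_of(4);                       /* EBP of the current frame */
}

Verdict scenario_legal(void)
{
    Stack s; uint32_t ebp = build_legal_chain(&s);
    return second_detection(&s, ebp, 16);
}

/* A history frame pointer overwritten to point at heap memory outside
 * StackLimit..StackBase (the case of step S630). */
Verdict scenario_frame_outside_thread(void)
{
    Stack s; uint32_t ebp = build_legal_chain(&s);
    s.words[12] = 0x0a000100u;
    return second_detection(&s, ebp, 16);
}

/* A history return address that lands in a non-executable page. */
Verdict scenario_return_into_data(void)
{
    Stack s; uint32_t ebp = build_legal_chain(&s);
    s.words[13] = 0x0a000400u;
    return second_detection(&s, ebp, 16);
}

int main(void)
{
    static const char *names[] = { "legal", "frame outside thread", "return not executable" };
    printf("legal chain:          %s\n", names[scenario_legal()]);
    printf("frame outside thread: %s\n", names[scenario_frame_outside_thread()]);
    printf("return into data:     %s\n", names[scenario_return_into_data()]);
    return 0;
}
```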
According to the above technical scheme, the detection result can be determined from at least one of the caller and the call stack, and is determined to be illegal when the caller is illegal, or when the caller is legal but the call stack is illegal. Because the caller and the call stack of the current page are detected based on the memory-related information required by the vulnerability operation, the accuracy and timeliness of determining the detection result are improved.
Continuing to refer to fig. 2, in step S230, if it is determined that the detection result is illegal, it is determined that the vulnerability exists in the current page.
In the embodiment of the disclosure, when the detection result is determined to be illegal according to at least one of the first detection result and the second detection result, it may be directly determined that a vulnerability exists in the current page, where the vulnerability is a detected browser 0day vulnerability. By the method in the embodiment of the disclosure, based on the memory-related information required by the vulnerability operation, the caller and the call stack of the current page can be detected from the principle of execution, so that a browser 0day vulnerability is determined to exist when the detection result is illegal. Because the vulnerability is detected at the level of its operating principle, it can be identified timely and accurately before it is executed, so that its execution is prevented; the accuracy and timeliness of vulnerability detection are thereby improved, limitations are avoided, the unnecessary loss of remedying only after the vulnerability has run is reduced, and security is improved.
After it is determined that the current page has the vulnerability, a stop-execution instruction is sent to the browser, so that the browser stops the access operation on the current page in response to it. By stopping execution of the current page, the security problem that the page would cause is avoided and security is improved. Further, after it is determined that a vulnerability exists in the current page, the information of the current page and the information of the target application may be sent to a server, and the information of the current page is added to a list indicating that execution is prohibited, so as to prohibit execution of the current page. The information of the current page may include: the URL (Uniform Resource Locator) of the current page, a content fragment, the referer information of the page, its IP address and the time and frequency of changes to it, etc. The referer information records the URL from which the user arrived and thus tells which page the user came from; it can be used to count the sources of users accessing the website. The target application is a browser or an application program; when the target application is a browser, its information includes at least one of the browser type, version, network access manner, browser kernel information and browser language, and may be obtained specifically from the request header information sent when the web page is opened.
After the information of the current page and the information of the target application are obtained, they can be sent to the server. The server here is a security server, which performs subsequent analysis of the security of the browser and of the current page. At the same time, when the vulnerability is determined to exist, the information of the current page can be stored in the list indicating that execution is prohibited. This list may be a blacklist, and a current page found in the blacklist is not executed. By storing the information of the current page containing the vulnerability in the list indicating prohibited execution, the problem of the current page being executed by mistake and a vulnerability attack resulting is avoided, and the safety of user operation is improved. Of course, if the detection result is determined to be legal, that is, no vulnerability is determined to exist, the current page may continue to be executed.
In order to enable the user to stop executing the current page in advance and thus avoid a vulnerability attack, when the detection result is determined to be illegal through the first detection result alone or through the first and second detection results together, prompt information describing the detection result can be provided as a warning. The prompt information may be in any form, such as text, a symbol, voice or another type. In the embodiment of the present disclosure, the prompt information may take the form of a dialog box that tells the user that a vulnerability attack is occurring. Through the prompt information, the vulnerability detection method can warn of the vulnerability in the current page in a timely and convenient manner so that the current page is stopped in time, which avoids lag and increases the timeliness and accuracy of vulnerability detection.
Based on this, the embodiments of the present disclosure provide an architecture for implementing the vulnerability detection method. Referring to fig. 7, the architecture may include a hacker server 701, a malicious page 702, a browser 703 and a vulnerability detection plug-in 704, where:
The hacker server 701 is server software used by a hacker to attack users and stores the malicious pages. The malicious page 702 is a web page file containing 0day exploit malicious code. The browser 703 is the client software with which a user browses web pages, and it is attacked when it accesses the hacker server. The vulnerability detection plug-in 704 is a browser plug-in for detecting 0day vulnerabilities; if a vulnerability is detected, the browser is prevented from continuing execution and an alarm is raised. The vulnerability detection plug-in includes: a Hook module 7041, which mounts the detection module on key functions of the browser by hooking; a ROP detection module 7042, which detects ROP to judge whether a vulnerability attack exists; and an interrupt and alarm module 7043, which, after a vulnerability attack is determined, notifies the browser to interrupt the continued execution of the page and transmits the malicious page information and browser information to the security server.
Fig. 8 schematically shows a flowchart of vulnerability detection, and with reference to fig. 8, the method mainly includes the following steps:
In step S801, the vulnerability detection plug-in is turned on. In step S802, the memory-related functions of the browser are hooked. In step S803, access to a malicious page and its execution are detected. In step S804, the hacker launches a vulnerability attack. In step S805, the caller check on the return address is performed. In step S806, it is determined whether the caller is legitimate; if yes, go to step S807; if not, go to step S808. In step S807, the call stack check is performed, and the flow proceeds to step S809. In step S808, it is determined that a ROP vulnerability attack exists, and the flow proceeds to step S811. In step S809, it is determined whether the call stack is legal; if yes, go to step S810; if not, go to step S808. In step S810, the current page is executed normally. In step S811, execution of the current page is interrupted and an early warning is issued.
In the technical solutions of fig. 7 and 8, the browser plug-in detects the vulnerability at the level of its operating principle (the memory-related functions), so the vulnerability can be accurately identified in time before it is executed and its execution prevented; the accuracy and timeliness of vulnerability detection are thereby improved, limitations are avoided, the unnecessary loss of remedying only after the vulnerability has run is reduced, and security is improved.
The following describes an embodiment of an apparatus of the present disclosure, which may be used to execute the vulnerability detection method in the foregoing embodiment of the present disclosure. For details not disclosed in the embodiments of the apparatus of the present disclosure, please refer to the embodiments of the vulnerability detection method described above in the present disclosure.
Fig. 9 schematically shows a block diagram of a vulnerability detection apparatus according to an embodiment of the present disclosure.
Referring to fig. 9, a vulnerability detection apparatus 900 according to an embodiment of the present disclosure includes: an information acquisition module 901, a detection result determination module 902 and a vulnerability determination module 903. Wherein:
an information obtaining module 901, configured to obtain memory association information required by vulnerability operation; a detection result determining module 902, configured to, if it is detected that the target application accesses the current page, detect preset information of the current page according to the memory association information to obtain a detection result; a vulnerability determining module 903, configured to determine that the vulnerability exists in the current page if the detection result is determined to be illegal.
In an exemplary embodiment of the present disclosure, the preset information includes a caller; the detection result determining module comprises: the caller detection module is used for detecting the caller according to the memory associated information to obtain a first detection result for indicating whether the caller is legal or not; and the first determining module is used for determining that the detection result is illegal if the first detection result is that the caller is illegal.
In an exemplary embodiment of the present disclosure, the caller detection module includes: a return address determining module, configured to obtain a return address through the stack frame; and the first detection result determining module is used for acquiring a previous instruction of the return address and judging whether the previous instruction is a call instruction or not so as to determine the first detection result.
In an exemplary embodiment of the present disclosure, the preset information includes a call stack; the detection result determining module comprises: a call stack detection module, configured to detect the call stack according to the memory association information if the first detection result indicates that the caller is legal, so as to obtain a second detection result used for indicating whether the call stack is legal; and the second determining module is used for determining that the detection result is illegal if the second detection result is that the call stack is illegal.
In an exemplary embodiment of the present disclosure, the call stack detection module includes: the historical stack frame acquisition module is used for acquiring a historical stack frame through the current stack frame; a second detection result determining module, configured to determine that the second detection result is that the call stack is legal if it is detected that each historical stack frame is within the limit range of the current thread; and the second detection result generation module is used for determining that the second detection result is that the call stack is illegal if the historical stack frames which are not in the limit range of the current thread are detected to exist in all the historical stack frames.
In an exemplary embodiment of the present disclosure, the call stack detection module includes: a history return address obtaining module, configured to obtain the history return addresses through the current stack frame; and an attribute judging module, configured to check each history return address and, when the memory page in which a history return address is located is determined to have the non-executable attribute, determine that the second detection result is that the call stack is illegal.
In an exemplary embodiment of the present disclosure, the apparatus further includes, after it is determined that the vulnerability exists in the current page: an execution prohibition module, configured to send the information of the current page and the information of the target application to a server and store the information of the current page in a list indicating that execution is prohibited, so as to prohibit execution of the current page.
In an exemplary embodiment of the present disclosure, the apparatus further includes: a continued execution module, configured to continue executing the current page if the detection result is determined to be legal.
In an exemplary embodiment of the present disclosure, the apparatus further includes: an information early warning module, configured to provide prompt information describing the detection result as an early warning if the detection result is determined to be illegal.
FIG. 10 illustrates a schematic structural diagram of a computer system suitable for use in implementing an electronic device of an embodiment of the present disclosure.
It should be noted that the computer system 1000 of the electronic device shown in fig. 10 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 10, the computer system 1000 includes a Central Processing Unit (CPU) 1001 that can perform various appropriate actions and processes according to a program stored in a Read-Only Memory (ROM) 1002 or a program loaded from a storage section 1008 into a Random Access Memory (RAM) 1003. In the RAM 1003, various programs and data necessary for system operation are also stored. The CPU 1001, ROM 1002, and RAM 1003 are connected to each other via a bus 1004. An Input/Output (I/O) interface 1005 is also connected to the bus 1004.
The following components are connected to the I/O interface 1005: an input section 1006 including a keyboard, a mouse, and the like; an output section 1007 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage portion 1008 including a hard disk and the like; and a communication section 1009 including a network interface card such as a LAN (Local Area Network) card, a modem, or the like. The communication section 1009 performs communication processing via a network such as the internet. A drive 1010 is also connected to the I/O interface 1005 as necessary. A removable medium 1011 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 1010 as necessary, so that a computer program read out therefrom is installed into the storage section 1008 as necessary.
In particular, the processes described below with reference to the flowcharts may be implemented as computer software programs, according to embodiments of the present disclosure. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication part 1009 and/or installed from the removable medium 1011. When the computer program is executed by a Central Processing Unit (CPU)1001, various functions defined in the system of the present application are executed.
It should be noted that the computer readable medium shown in the embodiments of the present disclosure may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a Read-Only Memory (ROM), an Erasable Programmable Read-Only Memory (EPROM), a flash Memory, an optical fiber, a portable Compact Disc Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In contrast, in the present disclosure, a computer-readable signal medium may include a propagated data signal with computer-readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present disclosure may be implemented by software or by hardware, and the described units may also be disposed in a processor. The names of these units do not in any way limit the units themselves.
As another aspect, the present disclosure also provides a computer-readable medium, which may be contained in the electronic device described in the above embodiments; or may exist separately without being assembled into the electronic device. The computer readable medium carries one or more programs which, when executed by an electronic device, cause the electronic device to implement the method described in the above embodiments.
It should be noted that although in the above detailed description several modules or units of the device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit, according to embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided so as to be embodied by a plurality of modules or units.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a touch terminal, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains.
It will be understood that the present disclosure is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims (10)

1. A vulnerability detection method is characterized by comprising the following steps:
acquiring memory associated information required by vulnerability operation;
if the access operation of the target application to the current page is detected, detecting the preset information of the current page according to the memory associated information to obtain a detection result;
and if the detection result is determined to be illegal, determining that the vulnerability exists in the current page.
2. The vulnerability detection method of claim 1, wherein the preset information comprises a caller;
the detecting the preset information of the current page according to the memory associated information to obtain a detection result includes:
detecting the caller according to the memory associated information to obtain a first detection result for indicating whether the caller is legal or not;
and if the first detection result is that the caller is illegal, determining that the detection result is illegal.
3. The vulnerability detection method according to claim 2, wherein the detecting the caller according to the memory association information to obtain a first detection result for indicating whether the caller is legal comprises:
acquiring a return address through a stack frame;
and acquiring the instruction preceding the return address, and judging whether that preceding instruction is a call instruction, so as to determine the first detection result.
4. The vulnerability detection method of claim 2, wherein the preset information comprises a call stack;
the detecting the preset information of the current page according to the memory associated information to obtain a detection result includes:
if the first detection result is that the caller is legal, detecting the call stack according to the memory association information to obtain a second detection result for indicating whether the call stack is legal or not;
and if the second detection result is that the call stack is illegal, determining that the detection result is illegal.
5. The vulnerability detection method according to claim 4, wherein the detecting the call stack according to the memory association information to obtain a second detection result for indicating whether the call stack is legal comprises:
acquiring historical stack frames through the current stack frame;
if every historical stack frame is detected to be within the limit range of the current thread, determining that the second detection result is that the call stack is legal;
and if any of the historical stack frames is not within the limit range of the current thread, determining that the second detection result is that the call stack is illegal.
6. The vulnerability detection method according to claim 4, wherein the detecting the call stack according to the memory association information to obtain a second detection result for indicating whether the call stack is legal comprises:
acquiring historical return addresses through the current stack frame;
and detecting each historical return address, and if any historical return address is found whose memory page has a non-executable attribute, determining that the second detection result is that the call stack is illegal.
7. The vulnerability detection method of claim 1, wherein after determining that the vulnerability exists in the current page, the method further comprises:
and sending the information of the current page and the information of the target application to a server, and storing the information of the current page in a list representing forbidden execution, so as to forbid execution of the current page.
8. The vulnerability detection method of claim 1, wherein the method further comprises:
and if the detection result is determined to be legal, continuing to execute the current page.
9. The vulnerability detection method of claim 1, wherein the method further comprises:
and if the detection result is determined to be illegal, providing prompt information that prompts the detection result, so as to give an early warning.
10. A vulnerability detection apparatus, comprising:
an information acquisition module, configured to acquire the memory associated information required by the vulnerability operation;
a detection result determining module, configured to detect the preset information of the current page according to the memory associated information to acquire a detection result if the access operation of the target application to the current page is detected;
and a vulnerability determining module, configured to determine that the vulnerability exists in the current page if the detection result is determined to be illegal.
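The three checks of claims 3, 5 and 6, combined in the order claims 1, 2 and 4 prescribe (caller first, then call stack), carried out over a constructed process image as an added C example that is not code from the patent: the Region, Frame and StackLimits types, the sample code bytes, addresses and stack range are all assumptions, and the x86-64 CALL decoder is a simplified heuristic covering only three encodings.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed model of a process image; added example, not the patent's own code. */
typedef struct { uint64_t base; size_t size; bool exec; const uint8_t *bytes; } Region;
typedef struct { uint64_t frame_base; uint64_t ret_addr; } Frame;  /* one stack frame */
typedef struct { uint64_t low, high; } StackLimits;               /* current thread's stack range */

static const Region *find_region(const Region *r, size_t n, uint64_t addr) {
    for (size_t i = 0; i < n; i++)
        if (addr >= r[i].base && addr < r[i].base + r[i].size) return &r[i];
    return NULL;
}
static int read_byte(const Region *r, size_t n, uint64_t addr) {   /* -1 when unmapped */
    const Region *reg = find_region(r, n, addr);
    return (reg && reg->bytes) ? reg->bytes[addr - reg->base] : -1;
}
/* Claim 3: the instruction just before the return address must be a CALL. Simplified
 * x86-64 decoder: E8 rel32 (5 bytes), FF /2 "call reg" (2 bytes), FF 15 disp32 (6 bytes). */
bool caller_is_legal(const Region *r, size_t n, uint64_t ret) {
    if (read_byte(r, n, ret - 5) == 0xE8) return true;
    int op = read_byte(r, n, ret - 2), modrm = read_byte(r, n, ret - 1);
    if (op == 0xFF && modrm >= 0 && (modrm >> 6) == 3 && ((modrm >> 3) & 7) == 2) return true;
    return read_byte(r, n, ret - 6) == 0xFF && read_byte(r, n, ret - 5) == 0x15;
}
/* Claim 5: every historical frame lies inside the thread's stack limits.
 * Claim 6: every historical return address sits on an executable page. */
bool call_stack_is_legal(const Region *r, size_t n, const Frame *f, size_t nf, StackLimits lim) {
    for (size_t i = 0; i < nf; i++) {
        if (f[i].frame_base < lim.low || f[i].frame_base >= lim.high) return false;
        const Region *page = find_region(r, n, f[i].ret_addr);
        if (page == NULL || !page->exec) return false;
    }
    return true;
}
/* Constructed sample image: .text with a CALL rel32 at 0x400001 (returns to 0x400006) and a
 * "call rax" (FF D0) at 0x400007 (returns to 0x400009), plus a non-executable heap page. */
static const uint8_t code_bytes[] = { 0x90, 0xE8, 0x10, 0, 0, 0, 0xC3, 0xFF, 0xD0, 0x90 };
static const Region regions[] = { { 0x400000, sizeof code_bytes, true, code_bytes },
                                  { 0x7ff000, 0x1000, false, NULL } };
static const StackLimits limits = { 0x10000, 0x20000 };
/* Claims 1, 2, 4: legal only if the caller check passes and then the call-stack check
 * passes; false is the "vulnerability exists in the current page" verdict. */
bool page_is_legal(const Frame *frames, size_t nf) {
    size_t n = sizeof regions / sizeof regions[0];
    return nf > 0 && caller_is_legal(regions, n, frames[0].ret_addr)
                  && call_stack_is_legal(regions, n, frames, nf, limits);
}
```

A frame whose own return address is preceded by an ordinary CALL can still fail on a frame outside the stack range or on a return address that lands on the non-executable heap page deeper in the walk, which is why the call-stack check runs after the caller check rather than instead of it.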
CN201910900010.3A 2019-09-23 2019-09-23 Vulnerability detection method and device Pending CN111177727A (en)
Publications (1)

Publication Number Publication Date
CN111177727A true CN111177727A (en) 2020-05-19

Family

ID=70655764
Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112422553A (en) * 2020-11-17 2021-02-26 杭州安恒信息技术股份有限公司 Method, device and equipment for detecting VBScript vulnerability exploitation
CN113885958A (en) * 2021-09-30 2022-01-04 杭州默安科技有限公司 Method and system for intercepting dirty data
CN114398192A (en) * 2021-12-29 2022-04-26 安芯网盾(北京)科技有限公司 Method and device for detecting CFG bypassing Windows control flow protection
CN114741694A (en) * 2022-03-07 2022-07-12 安芯网盾(北京)科技有限公司 Method, device and equipment for detecting execution of shellcode and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102043919A (en) * 2010-12-27 2011-05-04 北京安天电子设备有限公司 Universal vulnerability detection method and system based on script virtual machine
CN104239801A (en) * 2014-09-28 2014-12-24 北京奇虎科技有限公司 Identification method and device for 0day bug
CN105678168A (en) * 2015-12-29 2016-06-15 北京神州绿盟信息安全科技股份有限公司 Method and apparatus for detecting Shellcode based on stack frame abnormity
CN106407815A (en) * 2016-09-30 2017-02-15 北京奇虎科技有限公司 Vulnerability detection method and device
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination