CN112035354A - Method, device and equipment for positioning risk code and storage medium (Google Patents)

Info

Publication number: CN112035354A
Authority: CN (China)
Prior art keywords: thread, operating system, code, file, test
Legal status: Pending
Application number: CN202010889811.7A
Other languages: Chinese (zh)
Inventors: 游南南, 王伟, 陈电波, 桂艳峰
Current assignee: Beijing Zhizhangyi Technology Co ltd
Original assignee: Beijing Zhizhangyi Technology Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/362 Software debugging
    • G06F11/366 Software debugging using diagnostics
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software


Abstract

The embodiment of the invention discloses a method, a device, equipment and a storage medium for locating a risk code. The method comprises the following steps: running a test of an application under test installed in an operating system, and obtaining, after the test is finished, a log file and a thread record file corresponding to the operating system, where the log file contains description information of at least one system function executed by the operating system during the test and the thread record file contains the inter-thread calling relationships of the operating system during the test; parsing the log file and identifying the implementation thread of a target system function that acquires user privacy information; and recursively querying the thread record file starting from the implementation thread, obtaining the origin thread that matches the implementation thread, and locating the risk code that matches the origin thread. According to the technical solution of the embodiment of the invention, dynamic violations of the application under test can be detected, and the risk code causing the violation can be accurately located.

Description

Method, device and equipment for positioning risk code and storage medium
Technical Field
The embodiments of the present invention relate to the field of computer technology, and in particular to a method, device, equipment and storage medium for locating a risk code.
Background
As the laws protecting citizens' privacy improve, more and more attention is paid to terminal applications that invade citizens' privacy.
In the prior art, when business logic crashes abnormally, a stack trace is printed automatically to help the developer trace back to the source code that has the problem. However, illegal behaviour such as invading the personal privacy of citizens is normal logic from the program's point of view: no alarm is raised while the program runs, and the position of the privacy-invading risk code in the source code cannot be indicated.
Disclosure of Invention
The invention provides a method, device, equipment and storage medium for locating a risk code, which are used to detect dynamic violations of an application under test and to accurately locate the risk code causing the violation.
In a first aspect, an embodiment of the present invention provides a method for locating a risk code, including:
running a test of the application under test installed in an operating system, and obtaining, after the test is finished, a log file and a thread record file corresponding to the operating system;
the log file containing description information of at least one system function executed by the operating system during the test, and the thread record file containing the inter-thread calling relationships of the operating system during the test;
parsing the log file, and identifying the implementation thread of a target system function that acquires user privacy information;
and recursively querying the thread record file starting from the implementation thread, obtaining the origin thread that matches the implementation thread, and locating the risk code that matches the origin thread.
Optionally, before running the test of the application under test installed in the operating system, the method further includes:
obtaining a source code file of the operating system;
adding dotting code (instrumentation code) at the thread creation position in the source code file, and adding dotting code at at least one position of a system function to be monitored in the source code file;
and installing the source code file with the dotting code added on the test terminal to generate the operating system, and installing the application under test on the test terminal.
Optionally, running the test of the application under test installed in the operating system includes:
running the test of the application under test installed in a sandbox, the sandbox being installed in the operating system;
and before running the test of the application under test installed in the operating system, the method further includes:
intercepting, using the sandbox, the thread creation position in the source code file of the operating system, and adding dotting code at the thread creation position;
intercepting, using the sandbox, at least one position of a system function to be monitored in the source code file of the operating system, and adding dotting code at each such position;
and installing the sandbox with the dotting code added on the test terminal, and installing the application under test in the sandbox.
Optionally, running the test of the application under test installed in the operating system includes:
in response to the dotting code at the thread creation position in the source code file being triggered, obtaining the identifier of the parent thread, the identifier of the child thread and the call stack of the parent thread, and storing them in the thread record file corresponding to the operating system;
and in response to the dotting code at a monitored system function position in the source code file being triggered, obtaining the identifier of the current thread, the operation information at the current position and the call stack of the current thread, and storing them in the log file corresponding to the operating system.
Optionally, running the test of the application under test installed in the operating system includes:
in response to the dotting code at the thread creation position in the sandbox being triggered, obtaining the identifier of the parent thread, the identifier of the child thread and the call stack of the parent thread, and storing them in the thread record file corresponding to the sandbox;
and in response to the dotting code at a monitored system function position in the sandbox being triggered, obtaining the identifier of the current thread, the operation information at the current position and the call stack of the current thread, and storing them in the log file corresponding to the sandbox.
Optionally, parsing the log file and identifying the implementation thread of the target system function that acquires user privacy information includes:
obtaining target operation information from the log file, and judging whether the target operation information contains user privacy information;
and if the target operation information contains user privacy information, taking the identifier of the target thread that matches the target operation information in the log file as the identifier of the implementation thread of the target system function that acquires user privacy information.
Optionally, locating the risk code that matches the origin thread includes:
obtaining the call stack of the origin thread from the log file, and searching the call stack, in order from the bottom of the stack to the top, for the first function name that does not belong to the operating system;
and locating the risk code that matches the origin thread based on that first non-operating-system function name.
In a second aspect, an embodiment of the present invention further provides a device for locating a risk code, including:
an acquisition module, used to run a test of the application under test installed in the operating system and to obtain a log file and a thread record file corresponding to the operating system after the test is finished;
the log file containing description information of at least one system function executed by the operating system during the test, and the thread record file containing the inter-thread calling relationships of the operating system during the test;
a parsing module, used to parse the log file and identify the implementation thread of a target system function that acquires user privacy information;
and a locating module, used to recursively query the thread record file starting from the implementation thread, obtain the origin thread that matches the implementation thread, and locate the risk code that matches the origin thread.
In a third aspect, an embodiment of the present invention further provides an electronic device, where the electronic device includes:
one or more processors; and
a storage device for storing one or more programs,
such that, when the one or more programs are executed by the one or more processors, the one or more processors implement the method for locating a risk code provided by any embodiment of the present invention.
In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium on which a computer program is stored, where the computer program, when executed by a processor, implements the method for locating a risk code provided by any embodiment of the present invention.
According to the technical solution of the embodiment of the invention, a test of the application under test installed in the operating system is run, and after the test is finished a log file and a thread record file corresponding to the operating system are obtained, the log file containing description information of at least one system function executed by the operating system during the test and the thread record file containing the inter-thread calling relationships of the operating system during the test; the log file is parsed to identify the implementation thread of a target system function that acquires user privacy information; and the thread record file is queried recursively starting from the implementation thread to obtain the origin thread matching the implementation thread, and the risk code matching the origin thread is located. This solves the problem in the prior art that the position in the source code of risk code that invades privacy cannot be traced: dynamic violations of the application under test can be detected, and the risk code causing the violation can be accurately located.
Drawings
Fig. 1 is a flowchart of a method for locating a risk code according to a first embodiment of the present invention;
Fig. 2 is a flowchart of a method for locating a risk code according to a second embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a risk code locating device according to a third embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an electronic device according to a fourth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Example one
Fig. 1 is a flowchart of a method for locating a risk code according to a first embodiment of the present invention. This embodiment is applicable to determining the specific location, in an application under test or in an operating system, of the risk code causing an illegal action. The method may be performed by a device for locating a risk code, which may be implemented in hardware and/or software and is generally integrated into an electronic device that provides a risk code location service, such as a terminal device. As shown in Fig. 1, the method includes:
Step 110: run a test of the application under test installed in the operating system, and obtain a log file and a thread record file corresponding to the operating system after the test is finished.
The log file contains description information of at least one system function executed by the operating system during the test, and the thread record file contains the calling relationships among the threads of the operating system during the test.
In this embodiment, the operating system may be iOS, Android, or another operating system that can run applications. After the application under test is installed in the operating system, it is run normally there, so as to detect whether the application under test or the operating system has violations that infringe user privacy information.
In this embodiment, in order to record suspicious operation information of the operating system or of the application under test in real time while the application runs in the operating system, dotting code (instrumentation code) may be added in advance at the positions in the operating system's source code where user privacy may be violated.
Optionally, before running the test of the application under test installed in the operating system, the method may further include: obtaining a source code file of the operating system; adding dotting code at the thread creation position in the source code file, and adding dotting code at at least one position of a system function to be monitored in the source code file; and installing the source code file with the dotting code added on the test terminal to generate the operating system, and installing the application under test on the test terminal.
In this embodiment, the source code file of the operating system is obtained in the case where the operating system's source code is available; for example, for the open-source Android operating system, the source code file can be downloaded. Then the source code that may violate user privacy is searched for in the source code file, for example the source code where the operating system creates a new thread, or the source code corresponding to system functions to be monitored such as calling the camera or opening the microphone, and dotting code is added at the thread creation position and at each position of a system function to be monitored. The source code file with the dotting code added is then installed on the test terminal where the application under test is located, so as to generate the operating system on the test terminal, and the application under test is installed in that operating system, so that it can be monitored whether risk code invading user privacy exists in the application under test or in the operating system.
A system function to be monitored can be any function that the operating system provides to the application under test; it is implemented by the operating system rather than by the application under test, which only uses the system function.
Optionally, running the test of the application under test installed in the operating system may include: running the test of the application under test installed in a sandbox, the sandbox being installed in the operating system;
and before running the test of the application under test installed in the operating system, the method may further include: intercepting, using the sandbox, the thread creation position in the source code file of the operating system, and adding dotting code at the thread creation position; intercepting, using the sandbox, at least one position of a system function to be monitored in the source code file of the operating system, and adding dotting code at each such position; and installing the sandbox with the dotting code added on the test terminal, and installing the application under test in the sandbox.
In this embodiment, for the case where the operating system's source code cannot be obtained, sandbox technology may be used to record suspicious operation information of the application under test or of the operating system in real time while the application runs: the thread creation position and at least one monitored system function position in the operating system's source code file are captured by hook functions, and dotting code is added at each position. The sandbox with the dotting code added is then installed in the operating system; the sandbox provides a virtual operating system environment, and the application under test is installed in the sandbox, so that the sandbox can obtain all the operation information of the application under test and of the operating system.
Optionally, running the test of the application under test installed in the operating system may include: in response to the dotting code at the thread creation position in the source code file being triggered, obtaining the identifier of the parent thread, the identifier of the child thread and the call stack of the parent thread, and storing them in the thread record file corresponding to the operating system; and in response to the dotting code at a monitored system function position in the source code file being triggered, obtaining the identifier of the current thread, the operation information at the current position and the call stack of the current thread, and storing them in the log file corresponding to the operating system.
In this embodiment, when the operating system creates a new thread, the dotting code added at the thread creation position is called to obtain the identifier of the parent thread, the identifier of the newly created child thread and the call stack of the parent thread, and these are stored in the thread record file to record the relationship between threads. A thread's identifier can be formed by combining the thread identifier with the identifier of the thread's process in the operating system. The call stack of a thread stores, from the bottom of the stack to the top, the names of the functions the thread has called in order; it can be used to record the calling order of functions and to locate the position of risk code in the source code. When the operating system executes a monitored system function, the dotting code added at that position is called to record the operating system's characteristic information at that position, such as the operation type, the specific operation and the operation data, together with the identifier of the thread implementing the monitored function and that thread's call stack, and the recorded data is saved in the log file. The operation type and the specific operation are used to analyse the type of the violation.
Optionally, running the test of the application under test installed in the operating system may include: in response to the dotting code at the thread creation position in the sandbox being triggered, obtaining the identifier of the parent thread, the identifier of the child thread and the call stack of the parent thread, and storing them in the thread record file corresponding to the sandbox; and in response to the dotting code at a monitored system function position in the sandbox being triggered, obtaining the identifier of the current thread, the operation information at the current position and the call stack of the current thread, and storing them in the log file corresponding to the sandbox.
In this embodiment, when a new thread is created through the sandbox, the dotting code added at the thread creation position is called to obtain the identifier of the parent thread, the identifier of the newly created child thread and the call stack of the parent thread, and these are stored in the thread record file to record the relationship between threads. When a monitored system function is executed through the sandbox, the dotting code added at that position is called to record the sandbox's characteristic information at that position, such as the operation type, the specific operation and the operation data, together with the identifier of the thread implementing the monitored function and that thread's call stack, and the recorded data is saved in the log file.
Step 120: parse the log file, and identify the implementation thread of the target system function that acquires user privacy information.
Optionally, parsing the log file and identifying the implementation thread of the target system function that acquires user privacy information may include: obtaining target operation information from the log file, and judging whether the target operation information contains user privacy information; and if it does, taking the identifier of the target thread that matches the target operation information in the log file as the identifier of the implementation thread of the target system function that acquires user privacy information.
In this embodiment, after the log file and the thread record file are obtained, each piece of operation information is read from the log file, and whether the thread corresponding to each piece of operation information has committed a violation is determined in turn. Taking one piece of target operation information as an example: it is judged whether the target operation information contains user privacy information in plaintext, such as the user's contact details, ID card number or e-mail address; if it does, the illegal behaviour is considered captured, and the thread identifier matching the target operation information is used as the identifier of the implementation thread of the target system function that acquires user privacy information.
Step 130: recursively query the thread record file starting from the implementation thread, obtain the origin thread that matches the implementation thread, and locate the risk code that matches the origin thread.
In this embodiment, after an implementation thread with irregular behaviour is captured, in order to trace back to the creator of that thread and find the real caller, the implementation thread is taken as the current thread, the thread record file is queried using the identifier of the current thread to obtain the identifier of the current thread's parent, the parent is taken as the new current thread, and the query is repeated recursively until no parent of the current thread can be found; the current thread at that point is the origin thread matching the implementation thread. The origin thread may be a thread of the application under test or a thread of the operating system.
Optionally, locating the risk code that matches the origin thread may include: obtaining the call stack of the origin thread from the log file, and searching the call stack, in order from the bottom of the stack to the top, for the first function name that does not belong to the operating system; and locating the risk code that matches the origin thread based on that first non-operating-system function name.
In this embodiment, since the call stack of a thread stores the names of the functions it called in order from the bottom of the stack to the top, once the origin thread is determined its call stack is obtained from the log file, and the function names are examined one by one from the bottom of the stack to the top, following the call order, until the first function name that does not belong to the operating system is found. That function is the illegal function called by the origin thread, and from its name the specific position in the source code of the risk code causing the illegal behaviour can be located, so that the risk code can be modified and the illegal behaviour prevented from continuing.
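Steps 120 and 130 above as an added, runnable offline analyser; this is example code written for this page, not the patent's own implementation. It assumes record formats of its own design (tab-separated lines, "pid:tid" thread identifiers, call stacks stored bottom to top and separated by ';'), constructed sample log and thread record contents, constructed regexes for the plaintext privacy patterns the page names, and an assumed package-prefix list for deciding which frames belong to the operating system. Where the origin thread never hit a monitored function it falls back to the stack captured at thread creation, which goes beyond what the page states.

```python
import re
from collections import namedtuple

# Thread identifiers are "pid:tid", combining the thread id with its process id as the page describes.
ThreadRecord = namedtuple("ThreadRecord", "parent child parent_stack")
LogRecord = namedtuple("LogRecord", "tid op_type operation data stack")

# Constructed sample thread record file: parent_tid <TAB> child_tid <TAB> parent call stack (bottom -> top).
THREAD_RECORD_FILE = """\
1001:1001\t1001:1007\tcom.android.internal.os.ZygoteInit.main;android.app.ActivityThread.main;com.example.browser.MainActivity.onCreate;com.example.browser.sync.SyncManager.start;java.lang.Thread.start
1001:1007\t1001:1009\tjava.lang.Thread.run;com.example.browser.sync.SyncManager.run;java.util.concurrent.ThreadPoolExecutor.execute;java.lang.Thread.start
"""

# Constructed sample log file: tid <TAB> op_type <TAB> operation <TAB> operation data <TAB> call stack (bottom -> top).
LOG_FILE = """\
1001:1009\tnetwork\thttp_request\tname=alice&phone=13800138000\tjava.lang.Thread.run;java.util.concurrent.ThreadPoolExecutor$Worker.run;com.example.browser.net.UploadTask.run;java.net.HttpURLConnection.connect
1001:1004\tfile\twrite\ttheme=dark\tandroid.app.ActivityThread.main;android.os.Looper.loop;com.example.browser.settings.Prefs.save;java.io.FileOutputStream.write
"""

# Plaintext privacy information named on the page (contact number, ID card number, e-mail); regexes are constructed here.
PRIVACY_PATTERNS = {
    "phone": re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)"),
    "id_card": re.compile(r"(?<!\d)\d{17}[\dXx](?!\d)"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
}

# Package prefixes treated as operating-system code when scanning a call stack (assumed list).
OS_PREFIXES = ("android.", "com.android.", "java.", "javax.", "dalvik.", "sun.", "kotlin.")

def parse_thread_records(text):
    records = []
    for line in text.splitlines():
        if line.strip():
            parent, child, stack = line.split("\t")
            records.append(ThreadRecord(parent, child, stack.split(";")))
    return records

def parse_log(text):
    records = []
    for line in text.splitlines():
        if line.strip():
            tid, op_type, operation, data, stack = line.split("\t")
            records.append(LogRecord(tid, op_type, operation, data, stack.split(";")))
    return records

def find_privacy(data):
    """Names of the privacy patterns that appear in plaintext in one record's operation data."""
    return [name for name, pattern in PRIVACY_PATTERNS.items() if pattern.search(data)]

def implementation_threads(log):
    """Step 120: log records whose operation data carried plaintext privacy information."""
    return [rec for rec in log if find_privacy(rec.data)]

def origin_thread(tid, thread_records):
    """Step 130, first half: follow parent links until no parent is recorded.
    The visited set guards against a malformed record file that loops."""
    parent_of = {rec.child: rec.parent for rec in thread_records}
    seen = {tid}
    while tid in parent_of and parent_of[tid] not in seen:
        tid = parent_of[tid]
        seen.add(tid)
    return tid

def first_non_os_frame(stack):
    """Bottom-to-top scan for the first function name outside the operating system."""
    for frame in stack:
        if not frame.startswith(OS_PREFIXES):
            return frame
    return None

def locate_risk_code(origin, log, thread_records):
    """Step 130, second half. The page takes the origin thread's stack from the log file;
    if the origin never hit a monitored function, this example falls back (an assumption
    not in the page) to the stack captured when the origin created a child thread."""
    stacks = [rec.stack for rec in log if rec.tid == origin]
    if not stacks:
        stacks = [rec.parent_stack for rec in thread_records if rec.parent == origin]
    for stack in stacks:
        frame = first_non_os_frame(stack)
        if frame:
            return frame
    return None

def analyze(log_text, thread_text):
    """Run both steps over the two files and report one finding per implementation thread."""
    log = parse_log(log_text)
    thread_records = parse_thread_records(thread_text)
    findings = []
    for rec in implementation_threads(log):
        origin = origin_thread(rec.tid, thread_records)
        findings.append({"impl_thread": rec.tid, "privacy": find_privacy(rec.data),
                         "operation": f"{rec.op_type}/{rec.operation}", "origin_thread": origin,
                         "risk_code": locate_risk_code(origin, log, thread_records)})
    return findings
```

Calling analyze(LOG_FILE, THREAD_RECORD_FILE) on the samples reports the phone number submitted by thread 1001:1009, its origin thread 1001:1001, and com.example.browser.MainActivity.onCreate as the risk code location; the theme=dark write by thread 1001:1004 carries no privacy data and produces no finding.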
According to the technical solution of the embodiment of the invention, a test of the application under test installed in the operating system is run, and after the test is finished a log file and a thread record file corresponding to the operating system are obtained, the log file containing description information of at least one system function executed by the operating system during the test and the thread record file containing the inter-thread calling relationships of the operating system during the test; the log file is parsed to identify the implementation thread of a target system function that acquires user privacy information; and the thread record file is queried recursively starting from the implementation thread to obtain the origin thread matching the implementation thread, and the risk code matching the origin thread is located. This solves the problem in the prior art that the position in the source code of risk code that invades privacy cannot be traced: dynamic violations of the application under test can be detected, and the risk code causing the violation can be accurately located.
Example two
Fig. 2 is a flowchart of a method for locating a risk code according to a second embodiment of the present invention, which is further detailed based on the above-mentioned embodiment. A method for locating a risk code according to a second embodiment of the present application is described below with reference to fig. 2, which includes the following steps:
step 210, judging whether a source code file of an operating system of a test terminal where the application program to be tested is located can be acquired, if so, executing step 220, otherwise, executing step 250.
In this embodiment, in order to record suspicious operation information of the operating system or of the application program to be tested in real time while the application program runs, dotting code must be added in advance at the positions in the operating system source code where user privacy may be violated; therefore it must first be determined whether the source code file of the operating system can be acquired directly.
For example, suppose that what is to be detected is whether plaintext personal information of the user is submitted in an http request of an android browser application; that is, the application program to be detected is the android browser and the operating system is the android operating system. Since the android operating system is open source, the source code file of the operating system can be acquired. If, instead, what is to be detected is whether a file written by an iOS application contains the user's ID number in plaintext, the operating system is the iOS operating system, which is not open source, so the source code file of the operating system cannot be acquired.
Step 220: obtain the source code file of the operating system, add dotting code at the new-thread creation position in the source code file to record the identifiers of the parent thread and of the created child thread and the call stack of the parent thread, and store these in the thread record file corresponding to the operating system.
Illustratively, dotting code is added to a position where a new thread is created in a source code file of the android operating system, such as java.
Step 230: add dotting code at at least one system function position to be monitored in the source code file to record the identifier of the current thread, the operation information of the current position and the call stack of the current thread, and store these in the log file corresponding to the operating system.
The system function positions to be monitored may be the calling positions of system permissions and other function positions where violations easily occur.
Illustratively, dotting code is embedded in the org.apache.http.client.methods.HttpGet class and the org.apache.http.client.methods.HttpPost class of the android operating system, so that when the dotting code is triggered the operation information of that position is recorded: for example, the operation type of the position is a network operation, the specific operation action is HttpGet or HttpPost, and the operation content is the submitted text, together with the identifier of the current thread and the call stack of that thread. These data are written into the log file, so that whether a violation has occurred can later be analyzed from the log file.
Step 240: compile the source code file to which the dotting code has been added, generate a ROM, burn the ROM into the test terminal, and install the application program to be tested in the test terminal.
Illustratively, the source code file of the android operating system to which dotting code has been added is compiled, a ROM is generated and burnt to a Google native mobile phone, and the android browser to be detected is also installed on the mobile phone. For the android system, the ROM generated by compiling the system source code is a file named system.
Step 250: use the sandbox to intercept the new-thread creation position by means of a hook technique, add dotting code to record the identifiers of the parent thread and of the created child thread and the call stack of the parent thread, and store these in the thread record file corresponding to the sandbox.
Illustratively, using the iOS sandbox, the position in the source code file of the operating system where a new thread is created, for example the NSThread class, is intercepted by a hook function and dotting code is added, so that when the NSThread class executes, the identifier of the parent thread, the identifier of the child thread and the call stack of the parent thread are stored in the thread record file, recording the relationship between the threads.
Step 260: use the sandbox to intercept, by means of a hook function, at least one system function position to be monitored in the source code file and add dotting code there, so as to record the identifier of the current thread, the operation information of the current position and the call stack of the current thread, and store these in the log file corresponding to the sandbox.
In this embodiment, the sandbox is used to intercept the calling positions of system permissions in the source code file and other function positions where violations easily occur, for example the NSFileManager class, and dotting code is added at each such position, so that when the dotting code is triggered the operation type at the position is recorded as a file operation, the specific operation as a file write, and the operation content as the stored data text, together with the identifier of the current thread and the call stack of that thread. These data are written into the log file, so that whether a violation has occurred can later be analyzed from the log file.
For the iOS operating system, system permissions refer to the ability to use the camera, the microphone, location services and the like; only if the user explicitly grants the permission to the application program to be tested can that application use resources such as the camera and microphone of the operating system.
Step 270: compile the sandbox to which the dotting code has been added, install the sandbox in the test terminal, and install the application program to be tested in the test terminal as a sandboxed application.
In this embodiment, the sandbox to which the dotting code has been added is compiled and installed in the test terminal, and the application program to be tested is then installed in the sandbox.
Step 280: run the application program to be tested and, at the same time, capture the log file and the thread record file.
Illustratively, the android browser is run in the operating system, or the iOS application is run in the sandbox, the functions of the application program to be tested are used normally, and the log file and the thread record file generated while the application runs are captured at the same time.
Step 290: analyze the log file and the thread record file, and trace the risk code through the call stacks of the threads recorded in the files.
Illustratively, the log file and the thread record file corresponding to the operating system are examined: the log entries of the HttpGet class and the HttpPost class in the log file are checked for whether the operation content contains plaintext personal information of the user. If it does, the browser application is determined to have committed a violation, and the specific position in the source code that triggered the violation can then be traced accurately through the call stacks of the threads in the thread record file.
Illustratively, the log file and the thread record file corresponding to the sandbox are examined: the log entries of the NSFileManager class in the log file are checked for whether the operation content contains the user's ID number in plaintext. If it does, the iOS application is determined to have committed a violation, and the specific position in the source code that triggered the violation can then be traced accurately through the call stacks of the threads in the thread record file.
In this embodiment, locating the risk code that triggered the violation according to the call stack of the thread may comprise: taking the identifier of the target thread matched with the target operation information in the log file as the identifier of the implementation thread of the target system function that acquires the user privacy information; recursively querying the thread record file according to the identifier of the implementation thread to obtain the origin thread matched with the implementation thread; obtaining the call stack of the origin thread from the log file; searching the function names one by one from the bottom of the stack to the top, in call order, for the first non-operating-system function name, which is the name of the illegal function called by the origin thread; and locating, according to that function name, the specific position in the source code of the risk code causing the illegal behavior.
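The analysis of step 290 and the locating procedure just described, written out as an added Python example that is not part of the patent: it parses a constructed log file and thread record file, keeps only log entries whose operation content carries plaintext privacy information, follows the thread record file recursively to the origin thread, and scans that thread's call stack from the bottom for the first non-operating-system function name. The tab-separated record layouts, the Android package prefixes treated as operating-system code, the privacy detectors, and the use of the parent call stack recorded at thread creation as the origin thread's stack are all assumptions.

```python
"""Locate risk code from a log file and a thread record file (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed layouts: tab-separated fields; a call stack is a ';'-joined list of
# frames written from the bottom of the stack to the top.
FIELD_SEP, FRAME_SEP = "\t", ";"
# Assumed package prefixes that count as operating-system code on Android.
OS_PREFIXES = ("java.", "javax.", "android.", "com.android.", "dalvik.",
               "org.apache.http.", "sun.", "kotlin.")
# Constructed detectors for plaintext privacy information: an 18-character
# ID number (last character may be X) and an 11-digit mobile number.
PRIVACY_PATTERNS = [re.compile(r"\b\d{17}[\dXx]\b"), re.compile(r"\b1[3-9]\d{9}\b")]
ThreadRecords = Dict[str, Tuple[str, List[str]]]  # child tid -> (parent tid, stack)

@dataclass
class LogEntry:
    tid: str          # identifier of the thread that hit the dotting code
    op_type: str      # e.g. "network" or "file"
    op_action: str    # e.g. "HttpPost" or "write"
    content: str      # operation content (submitted or written text)
    stack: List[str]  # call stack of the current thread, bottom to top

@dataclass
class Finding:
    impl_tid: str              # thread that executed the monitored system function
    operation: str             # "<op_type>/<op_action>" from the log entry
    origin_tid: str            # root of the thread creation chain
    risk_frame: Optional[str]  # first non-OS function name on the origin's stack

def parse_stack(text: str) -> List[str]:
    return [frame for frame in text.split(FRAME_SEP) if frame]

def parse_log(text: str) -> List[LogEntry]:
    """One log line: tid, operation type, operation action, content, call stack."""
    entries = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            tid, op_type, op_action, content, stack = line.split(FIELD_SEP, 4)
            entries.append(LogEntry(tid, op_type, op_action, content, parse_stack(stack)))
    return entries

def parse_thread_records(text: str) -> ThreadRecords:
    """One record line: parent tid, child tid, parent call stack at creation."""
    records: ThreadRecords = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            parent, child, stack = line.split(FIELD_SEP, 2)
            records[child] = (parent, parse_stack(stack))
    return records

def contains_privacy_info(content: str) -> bool:
    return any(pattern.search(content) for pattern in PRIVACY_PATTERNS)

def find_origin(tid: str, records: ThreadRecords, stack: List[str],
                _seen: Optional[set] = None) -> Tuple[str, List[str]]:
    """Follow child -> parent recursively until a thread with no creator record.
    Returns the origin tid and the stack to analyse: the parent stack recorded when the
    origin spawned the chain, or the log stack when the implementation thread is itself
    the origin. `_seen` stops the recursion on a cyclic (corrupted) record file."""
    _seen = set() if _seen is None else _seen
    if tid not in records or tid in _seen:
        return tid, stack
    _seen.add(tid)
    parent, parent_stack = records[tid]
    return find_origin(parent, records, parent_stack, _seen)

def first_non_os_frame(stack: List[str]) -> Optional[str]:
    """Scan bottom to top and return the first frame outside the OS packages."""
    return next((frame for frame in stack if not frame.startswith(OS_PREFIXES)), None)

def locate_risk_code(log_text: str, record_text: str) -> List[Finding]:
    records = parse_thread_records(record_text)
    findings = []
    for entry in parse_log(log_text):
        if contains_privacy_info(entry.content):  # only violating operations
            origin, stack = find_origin(entry.tid, records, entry.stack)
            findings.append(Finding(entry.tid, f"{entry.op_type}/{entry.op_action}",
                                    origin, first_non_os_frame(stack)))
    return findings

# Constructed sample: main thread 1 starts worker 7 from a button handler, worker 7
# hands the upload to pool thread 9, and thread 9 posts an ID number in plaintext.
SAMPLE_THREAD_RECORDS = "\n".join([
    "1\t7\tandroid.app.ActivityThread.main;android.os.Looper.loop;android.view.View."
    "performClick;com.example.browser.LoginActivity.submit;java.lang.Thread.start",
    "7\t9\tjava.lang.Thread.run;com.example.browser.net.Uploader.run;"
    "java.util.concurrent.ThreadPoolExecutor.execute;java.lang.Thread.start",
])
SAMPLE_LOG = "\n".join([
    "3\tnetwork\tHttpGet\tq=weather\tjava.lang.Thread.run;"
    "com.example.browser.Prefetch.run;org.apache.http.client.methods.HttpGet.<init>",
    "9\tnetwork\tHttpPost\tname=zhangsan&idcard=110101199001011234\tjava.lang.Thread.run;"
    "com.example.browser.net.UploadTask.run;org.apache.http.client.methods.HttpPost.<init>",
])
```

Running `locate_risk_code(SAMPLE_LOG, SAMPLE_THREAD_RECORDS)` on the constructed sample yields one finding: implementation thread 9 (network/HttpPost), origin thread 1, and `com.example.browser.LoginActivity.submit` as the first non-operating-system frame, i.e. the position of the risk code.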
According to the technical scheme of this embodiment, a running test is carried out on the application program to be tested installed in the operating system, and after the test is finished the log file and the thread record file corresponding to the operating system are obtained; the log file comprises description information of at least one system function executed by the operating system during the test, and the thread record file comprises the inter-thread calling relationships of the operating system during the test; the log file is analyzed to identify the implementation thread of the target system function that acquires the user privacy information; the thread record file is queried recursively according to the implementation thread to obtain the origin thread matched with the implementation thread, and the risk code matched with the origin thread is located. This solves the problem in the prior art that the position in the source code of a risk code that invades privacy cannot be traced: the dynamic violation of the application program to be tested can be detected, and the risk code causing the violation can be accurately located.
Example three
Fig. 3 is a schematic structural diagram of a risk code locating apparatus according to a third embodiment of the present invention, which is applicable to determining the specific position, in the application program to be tested or in the operating system, of the risk code causing an illegal action. The apparatus may be implemented in hardware and/or software and may generally be integrated in an electronic device, such as a terminal device, that provides a risk code locating service. As shown in fig. 3, the apparatus includes:
the obtaining module 310, configured to perform a running test on the application program to be tested installed in the operating system, and to obtain the log file and the thread record file corresponding to the operating system after the test is finished;
the log file comprises description information of at least one system function executed by the operating system during the test, and the thread record file comprises the inter-thread calling relationships of the operating system during the test;
the analysis module 320, configured to analyze the log file and identify the implementation thread of the target system function that acquires the user privacy information;
and the positioning module 330, configured to recursively query the thread record file according to the implementation thread, acquire the origin thread matched with the implementation thread, and locate the risk code matched with the origin thread.
According to the technical scheme of this embodiment, a running test is carried out on the application program to be tested installed in the operating system, and after the test is finished the log file and the thread record file corresponding to the operating system are obtained; the log file comprises description information of at least one system function executed by the operating system during the test, and the thread record file comprises the inter-thread calling relationships of the operating system during the test; the log file is analyzed to identify the implementation thread of the target system function that acquires the user privacy information; the thread record file is queried recursively according to the implementation thread to obtain the origin thread matched with the implementation thread, and the risk code matched with the origin thread is located. This solves the problem in the prior art that the position in the source code of a risk code that invades privacy cannot be traced: the dynamic violation of the application program to be tested can be detected, and the risk code causing the violation can be accurately located.
Optionally, the method further includes: the first embedded point module is used for acquiring a source code file of an operating system before running and testing an application program to be tested installed in the operating system; adding a dotting code at a new thread creating position in a source code file, and adding a dotting code at least one system function position to be monitored in the source code file; and installing a source code file added with the dotting code in the test terminal to generate an operating system, and installing an application program to be tested in the test terminal.
Optionally, the obtaining module 310 is configured to perform the running test on the application program to be tested installed in a sandbox, the sandbox being installed in the operating system;
and the apparatus further includes a second point-burying module, used for: before the running test of the application program to be tested installed in the operating system, using the sandbox to intercept the new-thread creation position in the source code file of the operating system and adding dotting code at that position; using the sandbox to intercept at least one system function position to be monitored in the source code file of the operating system and adding dotting code at each such position; and installing the sandbox to which the dotting code has been added in the test terminal, and installing the application program to be tested in the sandbox.
Optionally, the obtaining module 310 includes: the first acquiring subunit is used for responding to the trigger operation of the dotting code of the new thread creating position in the source code file, acquiring the identifier of a father thread, the identifier of a child thread and the call stack of the father thread, and storing the identifiers into a thread record file corresponding to an operating system; and responding to the trigger operation of the dotting code of at least one system function position to be monitored in the source code file, acquiring the identifier of the current thread, the operation information of the current position and the call stack of the current thread, and storing the current thread identifier, the operation information of the current position and the call stack of the current thread into a log file corresponding to the operating system.
Optionally, the obtaining module 310 includes: the second acquiring subunit is used for responding to the trigger operation of the dotting code of the new thread creating position in the sandbox, acquiring the identifier of the father thread, the identifier of the child thread and the calling stack of the father thread, and storing the identifiers into the thread record file corresponding to the sandbox; and responding to the trigger operation of the dotting code of at least one system function position to be monitored in the sandbox, acquiring the identifier of the current thread, the operation information of the current position and the call stack of the current thread, and storing the current thread identifier, the operation information of the current position and the call stack of the current thread into a log file corresponding to the sandbox.
Optionally, the parsing module 320 is configured to: acquire target operation information in the log file and determine whether the target operation information includes user privacy information; and if it does, take the identifier of the target thread matched with the target operation information in the log file as the identifier of the implementation thread of the target system function that acquires the user privacy information.
Optionally, the positioning module 330 is configured to: acquire the call stack of the origin thread in the log file, search the call stack in order from the stack bottom to the stack top for the first non-operating-system function name, and locate the risk code matched with the origin thread according to that function name.
The risk code locating apparatus provided by this embodiment of the invention can execute the risk code locating method provided by any embodiment of the invention, and has the functional modules and beneficial effects corresponding to that method.
Example four
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present invention. Fig. 4 illustrates a block diagram of an exemplary device 12 suitable for use in implementing embodiments of the present invention. The device 12 shown in fig. 4 is only an example and should not bring any limitation to the function and scope of use of the embodiments of the present invention.
As shown in FIG. 4, device 12 is in the form of a general purpose computing device. The components of device 12 may include, but are not limited to: one or more processors or processing units 16, a system memory 28, and a bus 18 that couples various system components including the system memory 28 and the processing unit 16.
Bus 18 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, the Industry Standard Architecture (ISA) bus, the Micro Channel Architecture (MCA) bus, the enhanced ISA bus, the Video Electronics Standards Association (VESA) local bus, and the Peripheral Component Interconnect (PCI) bus.
Device 12 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by device 12 and includes both volatile and nonvolatile media, removable and non-removable media.
The system memory 28 may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM) 30 and/or cache memory 32. Device 12 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 34 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 4, and commonly referred to as a "hard drive"). Although not shown in FIG. 4, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In these cases, each drive may be connected to bus 18 by one or more data media interfaces. Memory 28 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention.
A program/utility 40 having a set (at least one) of program modules 42 may be stored, for example, in memory 28, such program modules 42 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each of which examples or some combination thereof may comprise an implementation of a network environment. Program modules 42 generally carry out the functions and/or methodologies of the described embodiments of the invention.
Device 12 may also communicate with one or more external devices 14 (e.g., keyboard, pointing device, display 24, etc.), with one or more devices that enable a user to interact with device 12, and/or with any devices (e.g., network card, modem, etc.) that enable device 12 to communicate with one or more other computing devices. Such communication may be through an input/output (I/O) interface 22. Also, the device 12 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet) via the network adapter 20. As shown, the network adapter 20 communicates with the other modules of the device 12 via the bus 18. It should be understood that although not shown in the figures, other hardware and/or software modules may be used in conjunction with device 12, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
The processing unit 16 executes programs stored in the system memory 28 to perform various functional applications and data processing, such as implementing a risk code location method provided by an embodiment of the present invention.
Namely, the method for locating a risk code comprises: performing a running test on the application program to be tested installed in the operating system, and obtaining the log file and the thread record file corresponding to the operating system after the test is finished; the log file comprises description information of at least one system function executed by the operating system during the test, and the thread record file comprises the inter-thread calling relationships of the operating system during the test; analyzing the log file and identifying the implementation thread of the target system function that acquires the user privacy information; and recursively querying the thread record file according to the implementation thread, acquiring the origin thread matched with the implementation thread, and locating the risk code matched with the origin thread.
Example five
An embodiment of the present invention further provides a computer-readable storage medium on which a computer program is stored, the computer program, when executed by a computer processor, executing a method for locating a risk code, the method comprising:
performing a running test on the application program to be tested installed in the operating system, and obtaining the log file and the thread record file corresponding to the operating system after the test is finished; the log file comprises description information of at least one system function executed by the operating system during the test, and the thread record file comprises the inter-thread calling relationships of the operating system during the test; analyzing the log file and identifying the implementation thread of the target system function that acquires the user privacy information; and recursively querying the thread record file according to the implementation thread, acquiring the origin thread matched with the implementation thread, and locating the risk code matched with the origin thread.
Computer storage media for embodiments of the invention may employ any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++, or the like, as well as conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments illustrated herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. A method for locating a risk code, comprising:
performing a running test on an application program to be tested installed in an operating system, and obtaining a log file and a thread record file corresponding to the operating system after the test is finished;
wherein the log file comprises description information of at least one system function executed by the operating system during the test, and the thread record file comprises the inter-thread calling relationships of the operating system during the test;
analyzing the log file, and identifying an implementation thread of a target system function that acquires user privacy information;
and recursively querying the thread record file according to the implementation thread, acquiring an origin thread matched with the implementation thread, and locating a risk code matched with the origin thread.
2. The method of claim 1, further comprising, prior to performing runtime testing of an application under test installed in an operating system:
acquiring a source code file of the operating system;
adding dotting code at a new-thread creation position in the source code file, and adding dotting code at at least one system function position to be monitored in the source code file;
and installing the source code file to which the dotting code has been added in a test terminal to generate the operating system, and installing the application program to be tested in the test terminal.
3. The method of claim 1, wherein performing the operation test on the application under test installed in the operating system comprises:
performing the running test on the application program to be tested installed in a sandbox, the sandbox being installed in the operating system;
and, before the running test is performed on the application program to be tested installed in the operating system, the method further comprises:
intercepting a new-thread creation position in a source code file of the operating system by using the sandbox, and adding dotting code at the new-thread creation position;
intercepting at least one system function position to be monitored in the source code file of the operating system by using the sandbox, and adding dotting code at each system function position to be monitored;
and installing the sandbox to which the dotting code has been added in the test terminal, and installing the application program to be tested in the sandbox.
4. The method of claim 2, wherein performing the operation test on the application under test installed in the operating system comprises:
in response to the triggering of the dotting code at the new-thread creation position in the source code file, acquiring the identifier of a parent thread, the identifier of a child thread and the call stack of the parent thread, and storing them in the thread record file corresponding to the operating system;
and in response to the triggering of the dotting code at the at least one system function position to be monitored in the source code file, acquiring the identifier of the current thread, the operation information of the current position and the call stack of the current thread, and storing them in the log file corresponding to the operating system.
5. The method of claim 3, wherein performing the operation test on the application under test installed in the operating system comprises:
in response to the triggering of the dotting code at the new-thread creation position in the sandbox, acquiring the identifier of a parent thread, the identifier of a child thread and the call stack of the parent thread, and storing them in the thread record file corresponding to the sandbox;
and in response to the triggering of the dotting code at the at least one system function position to be monitored in the sandbox, acquiring the identifier of the current thread, the operation information of the current position and the call stack of the current thread, and storing them in the log file corresponding to the sandbox.
6. The method according to claim 4 or 5, wherein parsing the log file and identifying a thread of implementation of a target system function for obtaining user privacy information comprises:
acquiring target operation information in the log file, and determining whether the target operation information comprises user privacy information;
and if the target operation information comprises user privacy information, taking the identifier of the target thread matched with the target operation information in the log file as the identifier of the implementation thread of the target system function that acquires the user privacy information.
7. The method of claim 6, wherein locating the risk code that matches the origin thread comprises:
acquiring the call stack of the origin thread from the log file, and searching the call stack in order from the stack bottom to the stack top for the first function name that does not belong to the operating system;
and locating the risk code matched with the origin thread according to that first non-operating-system function name.
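The chain of claims 4 to 7 (log and thread-record files, privacy-bearing implementation thread, recursive origin lookup, first non-OS frame from the stack bottom), as an added worked example that is not code from the patent. The `key=value` file layout, the privacy keys, the OS namespace prefixes and the sample entries are all constructed assumptions; where the origin thread has no entry in the log file, the example falls back to the stack captured in the thread record file, which is also an assumption.

```python
import re
# Constructed sample thread record file and log file; the patent fixes no record
# format, so this 'key=value' layout is an assumption. Stacks are top-of-stack first.
THREAD_RECORD = """\
parent=1 child=7 stack=java.lang.Thread.start;com.example.app.Sync.run;android.os.Handler.dispatchMessage
parent=7 child=9 stack=java.lang.Thread.start;com.example.sdk.Collector.spawn;java.lang.Thread.run
"""
LOG = """\
tid=9 func=TelephonyManager.getDeviceId info=imei=<constructed> stack=android.telephony.TelephonyManager.getDeviceId;com.example.sdk.Collector.grab;java.lang.Thread.run
tid=3 func=File.open info=path=/data/cache stack=java.io.File.open;com.example.app.Cache.load;android.os.Handler.dispatchMessage
"""
PRIVACY_KEYS = {"imei", "contacts", "location"}  # constructed privacy-data keys
OS_PREFIXES = ("java.", "android.", "dalvik.", "libc")  # constructed OS namespaces
def parse_record(line):
    """Parse one 'k=v k=v ...' line; the stack value becomes a list of frames."""
    d = dict(re.findall(r"(\w+)=(\S+)", line))
    d["stack"] = d["stack"].split(";")
    return d
def implementation_threads(log):
    """Claim 6: log entries whose operation info contains user privacy information."""
    return [e for e in log
            if any(k in PRIVACY_KEYS for k in re.findall(r"(\w+)=", e["info"]))]
def origin_thread(tid, records):
    """Claim 8: follow parent links in the thread record file up to the root thread."""
    parent_of = {r["child"]: r["parent"] for r in records}
    seen = set()
    while tid in parent_of and tid not in seen:  # 'seen' guards against malformed cycles
        seen.add(tid)
        tid = parent_of[tid]
    return tid
def first_non_os_frame(stack):
    """Claim 7: scan from stack bottom to top for the first frame outside the OS."""
    for frame in reversed(stack):
        if not frame.startswith(OS_PREFIXES):
            return frame
    return None
def locate_risk_code(log_text, record_text):
    """Return (monitored function, origin thread, risk code location) per finding."""
    log = [parse_record(l) for l in log_text.splitlines()]
    records = [parse_record(l) for l in record_text.splitlines()]
    findings = []
    for impl in implementation_threads(log):
        origin = origin_thread(impl["tid"], records)
        # Claim 7 reads the origin's stack from the log; fall back to the stack
        # recorded when it spawned the chain's child (assumption of this example).
        stack = next((e["stack"] for e in log if e["tid"] == origin), None)
        if stack is None:
            stack = next(r["stack"] for r in records if r["parent"] == origin)
        findings.append((impl["func"], origin, first_non_os_frame(stack)))
    return findings
```

On the constructed input the IMEI read on thread 9 is traced back through thread 7 to origin thread 1, and the first non-OS frame from the bottom of that thread's stack points at `com.example.app.Sync.run` as the risk code location.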
8. A device for locating a risk code, comprising:
an acquisition module for performing an operation test on the application under test installed in the operating system and, after the test finishes, acquiring the log file and the thread record file corresponding to the operating system;
wherein the log file comprises description information of at least one system function executed by the operating system during the test, and the thread record file comprises the inter-thread calling relationships of the operating system during the test;
an analysis module for parsing the log file and identifying the implementation thread of a target system function that obtains user privacy information;
and a positioning module for recursively querying the thread record file according to the implementation thread, acquiring the origin thread matched with the implementation thread, and locating the risk code matched with the origin thread.
9. An electronic device, characterized in that the electronic device comprises:
one or more processors;
a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method of locating a risk code as claimed in any one of claims 1 to 7.
10. A computer-readable storage medium on which a computer program is stored which, when executed by a processor, carries out the method of locating a risk code according to any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010889811.7A CN112035354A (en) 2020-08-28 2020-08-28 Method, device and equipment for positioning risk code and storage medium

Publications (1)

Publication Number Publication Date
CN112035354A true CN112035354A (en) 2020-12-04

Family

ID=73587121

Country Status (1)

Country Link
CN (1) CN112035354A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100218194A1 (en) * 2009-02-24 2010-08-26 Siemens Product Lifecycle Management Software Inc. System and method for thread scheduling in processors
CN110427752A (en) * 2019-08-06 2019-11-08 北京智游网安科技有限公司 Method for sandbox monitoring of an application program, mobile terminal and storage medium
CN110764945A (en) * 2019-10-23 2020-02-07 北京博睿宏远数据科技股份有限公司 Crash log processing method, device, equipment and storage medium

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113190835A (en) * 2021-02-04 2021-07-30 恒安嘉新(北京)科技股份公司 Application program violation detection method, device, equipment and storage medium
CN112882902A (en) * 2021-03-05 2021-06-01 深圳市迅雷网络技术有限公司 Thread source obtaining method, electronic equipment and computer readable storage device
CN112882902B (en) * 2021-03-05 2023-02-14 深圳市迅雷网络技术有限公司 Thread source obtaining method, electronic equipment and computer readable storage device
CN113221099A (en) * 2021-05-06 2021-08-06 支付宝(杭州)信息技术有限公司 Processing method and device for interface call request
CN113485686A (en) * 2021-07-22 2021-10-08 苏州万戈软件科技有限公司 Method and device for generating information system program, electronic device and storage medium
CN113485686B (en) * 2021-07-22 2023-10-20 苏州万戈软件科技有限公司 Information system program generation method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination