CN112257054B - Software application unauthorized risk detection method, electronic equipment and storage medium - Google Patents


Info

Publication number
CN112257054B
Authority
CN
China
Prior art keywords
code
authority
unauthorized
authority verification
determining
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011140562.8A
Other languages
Chinese (zh)
Other versions
CN112257054A (en)
Inventor
涂腾飞
陈淼
张华�
王华伟
李文敏
高飞
秦素娟
温巧燕
秦佳伟
崔栋
王森淼
时亿杰
赵春辉
曾星宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing University of Posts and Telecommunications
Priority to CN202011140562.8A
Publication of CN112257054A
Application granted
Publication of CN112257054B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Stored Programmes (AREA)

Abstract

One or more embodiments of the present disclosure provide a software application unauthorized risk detection method, an electronic device, and a storage medium, which can comprehensively and accurately detect logic vulnerabilities of the unauthorized-behavior class. The method comprises the following steps: acquiring the source code of a software program to be detected, analyzing the source code, determining the authority verification related code and its action range, and generating an authority-range mapping table; performing authority verification logic instrumentation on the source code according to the authority-range mapping table to generate instrumented intermediate representation code, from which the corresponding information flow graph is determined; and detecting unauthorized risk paths using the information flow graph. The electronic device includes a memory, a processor, and a computer program stored in the memory and executable on the processor to implement the unauthorized risk detection method. The non-transitory computer-readable storage medium stores computer instructions for causing a computer to perform the software application unauthorized risk detection method.

Description

Software application unauthorized risk detection method, electronic equipment and storage medium
Technical Field
One or more embodiments of the present disclosure relate to the field of computer software security technologies, and in particular, to a software application unauthorized risk detection method, an electronic device, and a storage medium.
Background
With the continuous development of information systems and internet technologies, the functionality of application programs keeps growing and program source code keeps getting larger, while the easily exploitable security vulnerabilities, code backdoors and logic errors in that code are no longer limited to their past forms. Detecting security vulnerabilities in source code with traditional software testing methods has therefore become very difficult, and information security and software security face unprecedented challenges.
Static analysis is one of the common source code defect detection technologies at present. Its main characteristic is that the program code does not need to be actually executed when code bugs and logic errors are detected, no manual intervention is needed during detection, and potential software defects and security bugs can be found simply by having a detection program scan all or part of the source code of the project under test. Compared with dynamic analysis, static analysis has the advantages of higher coverage and a lower false-negative rate.
Existing static analysis tools for program source code depend heavily on known bugs and focus more on conventional code defects, such as information and data leakage, dangerous API (application program interface) calls and password management, and cannot detect logic bugs of unauthorized behavior well. Larger program source code bases usually use a third-party open-source framework to implement certain business functions, and these frameworks are used in an aspect-oriented programming (AOP) style; existing static analysis methods cannot effectively find the code woven into the business logic, so logic vulnerabilities in the corresponding code are either not found in time or the detection result has a high false-negative rate.
Disclosure of Invention
In view of this, one or more embodiments of the present disclosure are directed to a method, an electronic device, and a storage medium for detecting an unauthorized risk of a software application, which can comprehensively and accurately detect a logic vulnerability of an unauthorized behavior class that may exist in a software application.
In view of the above, one or more embodiments of the present specification provide a software application unauthorized risk detection method, including:
acquiring a source code of a software program to be detected, analyzing the source code, determining a permission verification related code and an action range, and correspondingly generating a permission-range mapping table;
performing authority verification logic instrumentation on the source code according to the authority-range mapping table to generate an instrumentation intermediate representation code;
determining an information flow diagram of the source code according to the instrumentation intermediate representation code;
and selecting a sensitive behavior node in the information flow graph, carrying out unauthorized risk path detection by taking the sensitive behavior node as a starting point, and determining an unauthorized risk path.
Optionally, the analyzing the source code, determining the authority verification-related code and the action range, and correspondingly generating the authority-range mapping table includes:
determining a security framework used by the source code;
according to the semantic rules of the security framework, parsing the configuration files and annotation information of the source code with a parser;
acquiring the authority verification related code and the corresponding action range according to the analysis result, wherein the authority verification related code comprises a package name, a class name, a method function name, a parameter list and a return value type where the authority verification code is located, and the action range refers to a specific package, a specific class, a specific method function and a specific statement corresponding to the authority verification related code;
and generating the authority-range mapping table according to the authority verification related code and the action range.
Optionally, the performing authority verification logical instrumentation on the source code according to the authority-range mapping table to generate an instrumented intermediate representation code includes:
reading the authority-range mapping table, and determining a corresponding code position in the source code according to the action range corresponding to the range field in the authority-range mapping table and carrying out code calibration;
determining a permission field corresponding to the range field according to the permission-range mapping table, and determining a corresponding permission verification code according to the permission field;
and performing authority verification logic code instrumentation at the calibrated code position according to the authority verification code to generate the instrumented intermediate representation code.
Optionally, the determining a corresponding code position in the source code to perform code calibration includes:
searching a matched code object in the source code according to the action range;
if the code object is a specific package, calibrating a first statement in a method body of each method of each class in the package;
if the code object is a specific method function, calibrating the first statement of the method body of the method function;
and if the code object is a specific statement, calibrating the statement.
Optionally, performing authority verification logic code instrumentation at the calibrated code position according to the authority verification code to generate the instrumented intermediate representation code, including:
determining a corresponding authority verification logic code according to the authority verification code;
traversing all calibration code positions in the source code, taking the action range corresponding to the calibration code positions as a key and taking the authority verification logic code corresponding to the calibration code positions as a value, and constructing a Map object;
and in the process of converting the source code into the intermediate code, inserting the authority verification logic code into the intermediate code according to the Map object to generate the instrumented intermediate representation code.
Optionally, the information flow graph includes a function call relationship graph, a control flow graph, and a data flow graph.
Optionally, the selecting a sensitive behavior node from the information flow graph, and performing unauthorized risk path detection with the sensitive behavior node as a starting point includes:
acquiring an unauthorized sensitive operation list, wherein the unauthorized sensitive operation list comprises a to-be-verified authority and unauthorized sensitive operations related to the to-be-verified authority;
comparing the sensitive operation with the information flow graph, and screening out a function or a statement corresponding to the sensitive operation from the information flow graph for node marking;
in the information flow graph, reverse traversal is carried out from a marking node, and whether an authority verification logic code exists in a reverse traversal path or not is judged;
if the authority verification logic code is not detected until the end point, an override risk exists in the reverse traversal path;
if the authority verification logic code exists, judging whether the authority verification logic code is matched with the authority to be verified corresponding to the marking node, if not, an override risk exists in a reverse traversal path from the marking node to the authority verification logic code.
Optionally, the determining an unauthorized risk path includes:
extracting the reverse traversal path with the override risk, and determining a risk intermediate code path according to the corresponding relation between the information flow graph and the instrumentation intermediate representation code;
and restoring and converting the risk intermediate code path into a corresponding path in the source code to obtain the override risk path, and outputting the override risk path.
In view of the above, one or more embodiments of the present specification provide an electronic device for software application unauthorized risk detection, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to implement the following method:
acquiring a source code of a software program to be detected, analyzing the source code, determining a permission verification related code and an action range, and correspondingly generating a permission-range mapping table;
performing authority verification logic instrumentation on the source code according to the authority-range mapping table to generate instrumented intermediate representation code;
determining an information flow diagram of the source code according to the instrumentation intermediate representation code;
and selecting a sensitive behavior node in the information flow graph, carrying out unauthorized risk path detection by taking the sensitive behavior node as a starting point, and determining an unauthorized risk path.
In view of the above, one or more embodiments of the present specification provide a non-transitory computer-readable storage medium storing computer instructions for causing a computer to perform a method of software application override risk detection, the method comprising:
acquiring a source code of a software program to be detected, analyzing the source code, determining a permission verification related code and an action range, and correspondingly generating a permission-range mapping table;
performing authority verification logic instrumentation on the source code according to the authority-range mapping table to generate instrumented intermediate representation code;
determining an information flow diagram of the source code according to the instrumentation intermediate representation code;
and selecting a sensitive behavior node in the information flow graph, and performing unauthorized risk path detection by taking the sensitive behavior node as a starting point to determine an unauthorized risk path.
As can be seen from the foregoing, one or more embodiments of the present disclosure provide a software application unauthorized risk detection method, an electronic device, and a storage medium, which take the security framework used by the software application into account, determine the authority verification related code and its action range by analyzing the source code of the software application, and generate a corresponding authority-range mapping table; according to the authority-range mapping table, while the source code is analyzed to generate its intermediate representation, authority verification logic is instrumented into the business logic of the source code, yielding the instrumented intermediate representation; the related information flow graph is acquired on the basis of that intermediate representation; the information flow graph is combined with an unauthorized behavior detection strategy to detect unauthorized behavior in the logic of the system code; and the high-risk paths of unauthorized behavior are acquired as the detection result. The method avoids false negatives on potential unauthorized behavior when a third-party framework is used, and, by combining the authority verification logic with the business logic through instrumentation of the intermediate code, detects unauthorized behavior risk without damaging the original source code, thereby ensuring the security of application software and information systems at the source and achieving comprehensive and accurate detection of the logic vulnerabilities of unauthorized behavior that may exist.
Drawings
In order to more clearly illustrate one or more embodiments or prior art solutions of the present specification, the drawings that are needed in the description of the embodiments or prior art will be briefly described below, it is obvious that the drawings in the description below are only one or more embodiments of the present specification, and that other drawings may be obtained by those skilled in the art without inventive effort.
FIG. 1 is a schematic diagram of a software application unauthorized risk detection method according to one or more embodiments of the present disclosure;
FIG. 2 is a diagram illustrating a method for generating a privilege-scope mapping table in a software application unauthorized risk detection method according to one or more embodiments of the present disclosure;
FIG. 3 is a schematic diagram of a method for generating instrumented intermediate representation code in a software application unauthorized risk detection method provided in one or more embodiments of the present specification;
FIG. 4 is a schematic structural diagram of an electronic device for detecting unauthorized risk of a software application according to one or more embodiments of the present disclosure.
Detailed Description
To make the objects, technical solutions and advantages of the present disclosure more apparent, the present disclosure will be described in further detail below with reference to specific embodiments and the accompanying drawings.
It is to be noted that unless otherwise defined, technical or scientific terms used in one or more embodiments of the present specification should have the ordinary meaning as understood by those of ordinary skill in the art to which this disclosure belongs. The use of "first," "second," and similar terms in one or more embodiments of the specification is not intended to indicate any order, quantity, or importance, but rather is used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that the element or item listed before the word covers the element or item listed after the word and its equivalents, but does not exclude other elements or items. The terms "connected" or "coupled" and the like are not restricted to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", and the like are used only to indicate relative positional relationships, and when the absolute position of the object being described is changed, the relative positional relationships may also be changed accordingly.
In one aspect, embodiments of the present specification provide a software application unauthorized risk detection method.
As shown in fig. 1, one or more alternative embodiments of the present specification provide a software application unauthorized risk detection method, including:
S1: acquiring the source code of a software program to be detected, analyzing the source code, determining the authority verification related code and its action range, and correspondingly generating an authority-range mapping table;
Optionally, the source code of the software program to be detected may be obtained by having the user upload a compressed archive of the source code of the project, or by having the user specify the code repository location, such as a GitHub or GitLab address, from which the project's source code is pulled automatically.
S2: performing authority verification logic instrumentation on the source code according to the authority-range mapping table to generate instrumented intermediate representation code;
S3: determining the information flow graph of the source code according to the instrumented intermediate representation code;
S4: selecting a sensitive behavior node in the information flow graph, carrying out unauthorized risk path detection with the sensitive behavior node as the starting point, and determining the unauthorized risk path.
The software application unauthorized risk detection method comprises analyzing the source code of a software application to determine the authority verification related code and its action range and generating a corresponding authority-range mapping table; according to the authority-range mapping table, while the source code is analyzed to generate its intermediate representation, instrumenting authority verification logic into the business logic of the source code and generating the instrumented intermediate representation; acquiring the related information flow graph on the basis of that intermediate representation; combining the information flow graph with an unauthorized behavior detection strategy to detect unauthorized behavior in the logic of the system code; and acquiring the high-risk paths of unauthorized behavior as the detection result. The advantage of the method is that the third-party framework used is taken into account when the source code is analyzed, so that false negatives on potential unauthorized behavior in code that uses a third-party framework are avoided; at the same time, by combining the authority verification logic with the business logic through instrumentation of the intermediate code, unauthorized behavior risk is detected without damaging the original source code, so that the security of application software and information systems is ensured at the source and the logic vulnerabilities of unauthorized behavior that may exist can be detected comprehensively and accurately.
As shown in fig. 2, in a software application unauthorized risk detection method provided in one or more alternative embodiments of this specification, the parsing the source code, determining the code related to the authority verification and the scope of action, and correspondingly generating the authority-scope mapping table includes:
S201: determining the security framework used by the source code;
S202: according to the semantic rules of the security framework, parsing the configuration files and annotation information of the source code with a parser;
S203: acquiring the authority verification related code and the corresponding action range according to the parsing result, wherein the authority verification related code comprises the package name, class name, method function name, parameter list and return value type of the authority verification code, and the action range refers to the specific package, specific class, specific method function or specific statement corresponding to the authority verification related code;
S204: generating the authority-range mapping table according to the authority verification related code and the action range.
In the software application unauthorized risk detection method, the security framework used can be determined from the configuration files of the source code. For example, the Java language is widely used in Web application systems and on the Android platform for mobile phone applications; taking application software written in Java as an example, the security framework used, such as a third-party open-source framework like Spring Security or Shiro, can be identified automatically from the configuration files of the source code of the Java software project under test. Configuration files such as XML and the related annotations are then parsed, with a parser built into the detection system or one customized by the user, according to the grammar of the corresponding security framework, and the related information is extracted to determine the authority verification related code and its corresponding action range. The authority verification related code and the action range are then combined to generate the authority-range mapping table, where the authority verification related code comprises the package name, class name, method function, parameter list and return value type of the authority verification code, and the action range comprises a specific package, a specific class, a specific method function or a specific statement.
As shown in fig. 3, in a software application unauthorized risk detection method provided in one or more alternative embodiments of this specification, the performing, according to the authority-range mapping table, authority verification logical instrumentation on the source code to generate instrumentation intermediate representation code includes:
S301: reading the authority-range mapping table, and determining the corresponding code position in the source code and calibrating the code according to the action range corresponding to the range field in the authority-range mapping table;
In some optional embodiments, the authority-range mapping table is read first, where the authority field represents the code related to authority verification and the range field represents the range in which the authority code acts; the range corresponding to the authority code is obtained from the value of the range field, that range comprises a specific package, a specific class, a specific method function or a specific statement, and the determined ranges may be stored in a List type. The source code of the Java project is then scanned for the positions matching the range in which the authority code acts, and the code is calibrated.
S302: determining the authority field corresponding to the range field according to the authority-range mapping table, and determining the corresponding authority verification code according to the authority field;
S303: performing authority verification logic code instrumentation at the calibrated code position according to the authority verification code to generate the instrumented intermediate representation code.
The authority verification code corresponding to the range value at the specific position of the calibrated code is acquired from the authority-range mapping table; an instrumentation program then performs the instrumentation operation at the calibrated code position of the project program under test, inserting the authority verification logic code corresponding to the authority verification code, and the instrumented intermediate representation code is generated.
In one or more alternative embodiments of the present specification, in a software application unauthorized risk detection method, determining a corresponding code position in the source code for code calibration includes:
searching a matched code object in the source code according to the action range;
if the code object is a specific package, calibrating a first statement in the method body of each method of each class in the package;
if the code object is a specific method function, calibrating the first statement of the method body of the method function;
and if the code object is a specific statement, calibrating the statement.
And performing authority verification logic code instrumentation at the calibrated code position, namely performing authority verification logic code instrumentation operation before the calibrated statement.
In one or more alternative embodiments of the present specification, in a software application unauthorized risk detection method, the performing, according to the permission verification code, permission verification logic code instrumentation at a calibrated code position to generate the instrumented intermediate representation code includes:
determining a corresponding authority verification logic code according to the authority verification code;
traversing all calibration code positions in the source code, taking the action range corresponding to the calibration code positions as a key and taking the authority verification logic code corresponding to the calibration code positions as a value, and constructing a Map object;
and in the process of converting the source code into the intermediate code, inserting the authority verification logic code into the intermediate code according to the Map object to generate the instrumented intermediate representation code.
In the software application unauthorized risk detection method, the authority verification logic code is instrumented at the calibrated code positions of the source code without changing the integrity or originality of the source code, so that errors stemming from loss of integrity or originality are avoided when the information flow graph is generated from the instrumented intermediate representation code.
In one or more alternative embodiments of the present specification, a software application override risk detection method is provided, where the information flow graph includes a function call relation graph, a control flow graph, and a data flow graph. The function call graph, the data flow graph, the control flow graph and other information flow graphs all contain authority verification logic implanted after instrumentation and are generated based on intermediate representation.
In one or more optional embodiments of the present specification, in a software application unauthorized risk detection method, selecting a sensitive behavior node from an information flow graph, and performing unauthorized risk path detection using the sensitive behavior node as a starting point includes:
acquiring an unauthorized sensitive operation list, wherein the unauthorized sensitive operation list comprises an authorization to be verified and unauthorized sensitive operations related to the authorization to be verified;
the unauthorized sensitive operation list can be set by pre-extraction or manual setting, and is mainly used for reflecting different possible unauthorized behaviors and sensitive operation information corresponding to the unauthorized behaviors.
Comparing the sensitive operation with the information flow graph, and screening out a function or a statement corresponding to the sensitive operation from the information flow graph for node marking;
Here, regular-expression matching may be used to determine whether the function or statement related to the unauthorized sensitive operation exists in the information flow graph and, if so, where; the related node position is then obtained and marked. The next item of the unauthorized sensitive operation list, namely the authority to be verified and the unauthorized sensitive operation related to it, is then read and matching is performed again.
For the screened marking nodes, in the information flow graph, reverse traversal is carried out from the marking nodes, and whether authority verification logic codes exist in a reverse traversal path or not is judged;
the unauthorized behavior mainly comprises two cases: an unauthenticated user accessing a method that requires authentication, and a user accessing a method that requires an authorization the user does not hold. For the unauthorized behavior risk of concern, the normal operation logic is to perform authority authentication first and to execute the corresponding sensitive operation only after authentication passes; that is, a correspondence between the unauthorized sensitive behavior and the authority verification should exist. Therefore, in the software application unauthorized risk detection method, the function or statement corresponding to the sensitive operation is determined first, and the path is then traced backwards to judge the one-to-one correspondence between the unauthorized sensitive behavior and the authority verification; specifically, reverse traversal is carried out from the marking node, and whether an authority verification logic code exists in the reverse traversal path is judged;
if the authority verification logic code is not detected before the end point is reached, an unauthorized risk exists in the reverse traversal path;
when the authority verification logic code is not detected before the end point, no authority authentication is carried out before the sensitive operation is executed, so an unauthorized risk exists;
if the authority verification logic code exists, judging whether the authority verification logic code is matched with the authority to be verified corresponding to the marking node;
if not, an unauthorized risk exists in the reverse traversal path from the marking node to the authority verification logic code.
Even if an authority verification logic code is detected, the correspondence between the detected authority verification logic code and the unauthorized sensitive operation still needs to be judged, and an unauthorized risk still exists when the two do not match. In some optional embodiments, the two are matched as follows: the obtained authority verification logic information is compared with the authority that the unauthorized sensitive operation list associates with the marked node on the path, the compared items including the operation authority, the user parameter through which the authority is passed, the order of the authority verification logic, and the like. If the compared information is identical, the authority verification logic on the path is correct, the detected authority verification logic code matches the unauthorized sensitive operation, and no risk of unauthorized behavior exists.
In one or more alternative embodiments of the present specification, a software application unauthorized risk detection method is provided, in which the determining an unauthorized risk path includes:
extracting the reverse traversal path with the unauthorized risk, and determining a risk intermediate code path according to the corresponding relation between the information flow graph and the instrumentation intermediate representation code;
and restoring and converting the risk intermediate code path into a corresponding path in the source code to obtain the unauthorized risk path, and outputting the unauthorized risk path.
In some optional embodiments, when the unauthorized risk path is restored and converted, the functions, variables and function calls of the corresponding source code, together with their positions and categories, are looked up according to the function names, variables and function calls on the intermediate code path; when the unauthorized risk path is output, the position and category information corresponding to the unauthorized operation and the function, variable and function call information of the source code are output as well.
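As an added illustration that is not part of the patent, the following Python sketch implements the reverse traversal of this section (marking sensitive nodes by regular expression, walking backwards, checking for a matching authority verification) and the restoration of the risky intermediate-code path to source locations described just above. The graph, node names, permissions and source locations are all constructed for the example.

```python
import re
from collections import namedtuple

# Toy instrumented-IR node: kind is "plain" or "auth" (an instrumented
# authority verification); perm is the permission that check verifies;
# source is the source-code location the IR node maps back to.
# Every name, permission and location below is constructed for illustration.
Node = namedtuple("Node", "kind perm source")

IR_NODES = {
    "AdminController.handle": Node("plain", None, "AdminController.java:12"),
    "checkPermission(ADMIN)": Node("auth", "ADMIN", "AdminController.java:13"),
    "PublicController.handle": Node("plain", None, "PublicController.java:8"),
    "checkPermission(USER)": Node("auth", "USER", "PublicController.java:9"),
    "UserService.deleteUser": Node("plain", None, "UserService.java:40"),
    "UserDao.delete": Node("plain", None, "UserDao.java:55"),
    "ReportService.export": Node("plain", None, "ReportService.java:19"),
    "ReportDao.exportAll": Node("plain", None, "ReportDao.java:30"),
}

# Directed call/control-flow edges of the information flow graph (caller -> callee).
IR_EDGES = [
    ("AdminController.handle", "checkPermission(ADMIN)"),
    ("checkPermission(ADMIN)", "UserService.deleteUser"),
    ("UserService.deleteUser", "UserDao.delete"),
    ("PublicController.handle", "UserService.deleteUser"),   # reaches delete unchecked
    ("PublicController.handle", "checkPermission(USER)"),
    ("checkPermission(USER)", "ReportService.export"),
    ("ReportService.export", "ReportDao.exportAll"),         # checked, but wrong permission
]

# Unauthorized sensitive operation list: regex of the sensitive function ->
# the authority that must have been verified before it executes.
SENSITIVE_OPS = {
    r".*Dao\.delete": "ADMIN",
    r".*Dao\.exportAll": "REPORT_ADMIN",
}

def predecessors(edges):
    """Invert the edge list so the graph can be walked backwards."""
    preds = {}
    for src, dst in edges:
        preds.setdefault(dst, []).append(src)
    return preds

def mark_sensitive_nodes(nodes, sensitive_ops):
    """Regex-match the sensitive operation list against the graph's nodes."""
    return [(name, perm) for name in nodes
            for pattern, perm in sensitive_ops.items() if re.fullmatch(pattern, name)]

def reverse_paths(node, preds, path=()):
    """Yield every reverse path from node back to a node with no predecessor."""
    path = path + (node,)
    if not preds.get(node):
        yield list(path)
        return
    for caller in preds[node]:
        if caller not in path:          # guard against recursive call cycles
            yield from reverse_paths(caller, preds, path)

def detect_risk_paths(nodes, edges, sensitive_ops):
    """Return (reason, ir_path) for every reverse path that is not properly guarded."""
    preds = predecessors(edges)
    findings = []
    for marked, required in mark_sensitive_nodes(nodes, sensitive_ops):
        for path in reverse_paths(marked, preds):
            # first authority verification met while walking backwards
            auth = next((n for n in path if nodes[n].kind == "auth"), None)
            if auth is None:
                findings.append(("no permission check", path))
            elif nodes[auth].perm != required:
                # the risk lies on the segment from the marked node to the mismatched check
                segment = path[: path.index(auth) + 1]
                findings.append((f"checked {nodes[auth].perm}, required {required}", segment))
    return findings

def restore_to_source(nodes, ir_path):
    """Map a risky IR path back to source locations, sensitive operation first."""
    return [f"{name} @ {nodes[name].source}" for name in ir_path]

if __name__ == "__main__":
    for reason, ir_path in detect_risk_paths(IR_NODES, IR_EDGES, SENSITIVE_OPS):
        print(f"{reason}: " + " <- ".join(restore_to_source(IR_NODES, ir_path)))
```

The admin path through checkPermission(ADMIN) is reported as safe; the unchecked public path and the path guarded by the wrong permission are both returned as risk paths with their source locations.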
The foregoing description of specific embodiments has been presented for purposes of illustration and description. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
In another aspect, embodiments of the present specification provide a software application unauthorized risk detection electronic device.
The electronic equipment comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein the processor, when executing the program, implements the following software application unauthorized risk detection method:
acquiring a source code of a software program to be detected, analyzing the source code, determining a permission verification related code and an action range, and correspondingly generating a permission-range mapping table;
performing authority verification logic instrumentation on the source code according to the authority-range mapping table to generate an instrumentation intermediate representation code;
determining an information flow diagram of the source code according to the instrumentation intermediate representation code;
and selecting a sensitive behavior node in the information flow graph, and performing unauthorized risk path detection by taking the sensitive behavior node as a starting point to determine an unauthorized risk path.
Fig. 4 is a schematic diagram illustrating a more specific hardware structure of an electronic device according to this embodiment, where the device may include: a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. Wherein the processor 1010, memory 1020, input/output interface 1030, and communication interface 1040 are communicatively coupled to each other within the device via a bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (central processing unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits, and is configured to execute related programs to implement the software application unauthorized risk detection method provided in the embodiments of the present specification.
The memory 1020 may be implemented in the form of a ROM (read only memory), a RAM (random access memory), a static storage device, a dynamic storage device, or the like. The memory 1020 may store an operating system and other application programs, and when the software application unauthorized risk detection method provided by the embodiments of the present specification is implemented by software or firmware, the relevant program codes are stored in the memory 1020 and called by the processor 1010 to be executed.
The input/output interface 1030 is used for connecting an input/output module to input and output information. The input/output module may be configured as a component within the device (not shown) or may be external to the device to provide the corresponding functionality. The input devices may include a keyboard, a mouse, a touch screen, a microphone, various sensors, etc., and the output devices may include a display, a speaker, a vibrator, an indicator light, etc.
The communication interface 1040 is used for connecting a communication module (not shown in the drawings) to implement communication interaction between the present apparatus and other apparatuses. The communication module can realize communication in a wired mode (such as USB, network cable and the like) and also can realize communication in a wireless mode (such as mobile network, WIFI, bluetooth and the like).
Bus 1050 includes a path that transfers information between various components of the device, such as processor 1010, memory 1020, input/output interface 1030, and communication interface 1040.
It should be noted that although the above-mentioned device only shows the processor 1010, the memory 1020, the input/output interface 1030, the communication interface 1040 and the bus 1050, in a specific implementation, the device may also include other components necessary for normal operation. In addition, those skilled in the art will appreciate that the above-described apparatus may also include only the components necessary to implement the software application unauthorized risk detection method described in the embodiments of the present specification, and not necessarily all of the components shown in the figures.
In another aspect, embodiments of the present specification provide a software application unauthorized risk detection storage medium.
The non-transitory computer-readable storage medium for software application unauthorized risk detection provided by one or more embodiments of this specification stores computer instructions for causing a computer to perform the following software application unauthorized risk detection method:
acquiring a source code of a software program to be detected, analyzing the source code, determining a permission verification related code and an action range, and correspondingly generating a permission-range mapping table;
performing authority verification logic instrumentation on the source code according to the authority-range mapping table to generate an instrumentation intermediate representation code;
determining an information flow diagram of the source code according to the instrumentation intermediate representation code;
and selecting a sensitive behavior node in the information flow graph, and performing unauthorized risk path detection by taking the sensitive behavior node as a starting point to determine an unauthorized risk path.
Computer-readable media of the present embodiments, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device.
Those of ordinary skill in the art will understand that the discussion of any embodiment above is meant to be exemplary only and is not intended to imply that the scope of the disclosure, including the claims, is limited to these examples; features of the above embodiments, or of different embodiments, may also be combined, steps may be implemented in any order, and there are many other variations of the different aspects of one or more embodiments of the present description which, as stated above, are not provided in detail for the sake of brevity.
In addition, well-known power/ground connections to integrated circuit (IC) chips and other components may or may not be shown within the provided figures for simplicity of illustration and discussion, and so as not to obscure one or more embodiments of the description. Furthermore, devices may be shown in block diagram form in order to avoid obscuring the understanding of one or more embodiments of the present description, which also takes into account the fact that specifics with respect to the implementation of such block diagram devices are highly dependent upon the platform within which the one or more embodiments of the present description will be implemented (i.e., such specifics should be well within the purview of one skilled in the art). Where specific details (e.g., circuits) are set forth in order to describe example embodiments of the disclosure, it should be apparent to one skilled in the art that one or more embodiments of the disclosure can be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative instead of restrictive.
While the present disclosure has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of these embodiments will be apparent to those of ordinary skill in the art in light of the foregoing description. For example, other memory architectures, such as Dynamic RAM (DRAM), may use the discussed embodiments.
It is intended that the one or more embodiments of the present specification embrace all such alternatives, modifications and variations as fall within the broad scope of the appended claims. Therefore, any omissions, modifications, substitutions, improvements, and the like that may be made without departing from the spirit and principles of one or more embodiments of the present disclosure are intended to be included within the scope of the present disclosure.

Claims (10)

1. A software application unauthorized risk detection method is characterized by comprising the following steps:
acquiring a source code of a software program to be detected, analyzing the source code, determining a security framework used by the source code, determining a related code and an action range of authority verification, and correspondingly generating an authority-range mapping table;
performing authority verification logic instrumentation on the source code according to the authority-range mapping table to generate an instrumentation intermediate representation code;
determining an information flow diagram of the source code according to the instrumentation intermediate representation code;
and selecting a sensitive behavior node in the information flow graph, carrying out unauthorized risk path detection by taking the sensitive behavior node as a starting point, and determining an unauthorized risk path.
2. The method of claim 1, wherein the parsing the source code, determining a security framework used by the source code, determining a code related to authority verification and an action range, and correspondingly generating an authority-range mapping table comprises:
according to the semantic rule of the safety framework, an analyzer is used for analyzing the configuration file and annotation information of the source code;
acquiring the authority verification related code and the corresponding action range according to the analysis result, wherein the authority verification related code comprises a package name, a class name, a method function name, a parameter list and a return value type where the authority verification code is located, and the action range refers to a specific package, a specific class, a specific method function and a specific statement corresponding to the authority verification related code;
and generating the authority-range mapping table according to the authority verification related code and the action range.
3. The method of claim 1, wherein said performing authority verification logic instrumentation on the source code according to the authority-range mapping table to generate instrumented intermediate representation code comprises:
reading the authority-range mapping table, and determining a corresponding code position in the source code and carrying out code calibration according to the action range corresponding to the range field in the authority-range mapping table;
determining a permission field corresponding to the range field according to the permission-range mapping table, and determining a corresponding permission verification code according to the permission field;
and performing authority verification logic code instrumentation at the calibrated code position according to the authority verification code to generate the instrumented intermediate representation code.
4. The method of claim 3, wherein determining the corresponding code location in the source code for code calibration comprises:
searching a matched code object in the source code according to the action range;
if the code object is a specific package, calibrating a first statement in a method body of each method of each class in the package;
if the code object is a specific method function, calibrating a first statement in a method body of the method function;
and if the code object is a specific statement, calibrating the statement.
5. The method according to claim 3, wherein said performing authority verification logic code instrumentation at the calibrated code positions according to the authority verification code to generate the instrumented intermediate representation code comprises:
determining a corresponding authority verification logic code according to the authority verification code;
traversing all calibration code positions in the source code, taking the action range corresponding to the calibration code positions as a key and taking the authority verification logic code corresponding to the calibration code positions as a value, and constructing a Map object;
and in the process of converting the source code into the intermediate code, inserting the authority verification logic code into the intermediate code according to the Map object to generate the instrumented intermediate representation code.
6. The method of claim 1, wherein the information flow graph comprises a function call relationship graph, a control flow graph, and a data flow graph.
7. The method of claim 1, wherein selecting sensitive behavior nodes in the information flow graph and performing unauthorized risk path detection with the sensitive behavior nodes as a starting point comprises:
acquiring an unauthorized sensitive operation list, wherein the unauthorized sensitive operation list comprises a to-be-verified authority and unauthorized sensitive operations related to the to-be-verified authority;
comparing the sensitive operation with the information flow graph, and screening out a function or a statement corresponding to the sensitive operation from the information flow graph for node marking;
in the information flow graph, starting reverse traversal from a marking node, and judging whether an authority verification logic code exists in a reverse traversal path or not;
if the authority verification logic code is not detected until the end point, an override risk exists in the reverse traversal path;
if the authority verification logic code exists, whether the authority verification logic code is matched with the authority to be verified corresponding to the marking node is judged, and if not, an unauthorized risk exists in a reverse traversal path from the marking node to the authority verification logic code.
8. The method of claim 7, wherein determining the unauthorized risk path comprises:
extracting the reverse traversal path with the unauthorized risk, and determining a risk intermediate code path according to the corresponding relation between the information flow graph and the instrumentation intermediate representation code;
and restoring and converting the risk intermediate code path into a corresponding path in the source code to obtain the unauthorized risk path, and outputting the unauthorized risk path.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method according to any of claims 1 to 8 when executing the program.
10. A non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the method of any one of claims 1 to 8.
Application CN202011140562.8A, priority date 2020-10-22, filing date 2020-10-22: Software application unauthorized risk detection method, electronic equipment and storage medium. Status: Active. Country: CN.

Publications (2)

Publication Number Publication Date
CN112257054A (en) 2021-01-22
CN112257054B (en) 2022-11-15

Family ID: 74264026

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant