CN112560022A - System interface call detection method and device - Google Patents


Info

Publication number: CN112560022A
Authority: CN (China)
Prior art keywords: interface, calling, information, target application, function
Legal status: Granted
Application number: CN202011398294.XA
Other languages: Chinese (zh)
Other versions: CN112560022B (en)
Inventor: 曹世杰
Current assignee: Alipay Hangzhou Information Technology Co Ltd
Original assignee: Alipay Hangzhou Information Technology Co Ltd
Application filed by Alipay Hangzhou Information Technology Co Ltd; priority to CN202011398294.XA; published as CN112560022A; granted as CN112560022B.
Current legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F 21/6245 Protecting personal data, e.g. for financial or medical purposes
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/70 Reducing energy consumption in communication networks in wireless communication networks

Abstract

One or more embodiments of the present specification provide a method and an apparatus for detecting a system interface call, where the method includes: acquiring interface calling information of a service function module in a target application aiming at a system interface; the interface calling information is generated based on an interface calling request of a service function module when the target application is in a running state; acquiring interface declaration information determined by a binary file in an application installation package based on the target application; the interface declaration information is used for representing the function name of the callable interface declared by the target application; and generating a risk detection result of the interface calling request aiming at the system interface based on the acquired interface calling information and interface declaration information.

Description

System interface call detection method and device
Technical Field
The present invention relates to the field of internet technologies, and in particular, to a method and an apparatus for detecting a system interface call.
Background
At present, with the arrival of the internet era, the internet is widely used in people's daily study, work and life, and all kinds of daily transactions can be handled and presented through it. Meanwhile, with the rapid development of the mobile internet, each internet service provider offers its business services to users by developing its own application programs, and users install the corresponding applications, such as game, video, chat, shopping and payment applications, on their smartphones according to their actual needs.
However, an application installed on a user terminal needs to call system interfaces to obtain required information, and there may be cases where a private interface of the operating system is called covertly to steal user privacy information, which causes that information to be leaked or abused. To protect the security of user privacy information, the operating system takes corresponding control measures against such an application, and may even remove an application that calls private interfaces from the shelf.
Disclosure of Invention
One or more embodiments of the present specification aim to provide a method of detecting a system interface call. The detection method for a system interface call comprises the following steps:
acquiring interface calling information of a service function module in a target application for a system interface, where the interface calling information is generated based on an interface calling request of the service function module while the target application is in a running state; acquiring interface declaration information determined based on a binary file in the application installation package of the target application, where the interface declaration information characterizes the function names of the callable interfaces declared by the target application; and generating a risk detection result for the interface calling request based on the interface calling information and the interface declaration information.
One or more embodiments of the present specification aim to provide a system interface call detection apparatus. The detection apparatus for system interface calls comprises:
a calling information acquisition module, which acquires interface calling information of a service function module in the target application for a system interface, where the interface calling information is generated based on an interface calling request of the service function module while the target application is in a running state; a declaration information acquisition module, which acquires interface declaration information determined based on a binary file in the application installation package of the target application, where the interface declaration information characterizes the function names of the callable interfaces declared by the target application; and a detection result generation module, which generates a risk detection result for the interface calling request based on the interface calling information and the interface declaration information.
An object of one or more embodiments of the present specification is to provide a system interface call detection apparatus, including: a processor; and a memory arranged to store computer-executable instructions.
The computer-executable instructions, when executed, cause the processor to acquire interface calling information of a service function module in a target application for a system interface, where the interface calling information is generated based on an interface calling request of the service function module while the target application is in a running state; acquire interface declaration information determined based on a binary file in the application installation package of the target application, where the interface declaration information characterizes the function names of the callable interfaces declared by the target application; and generate a risk detection result for the interface calling request based on the interface calling information and the interface declaration information.
It is an object of one or more embodiments of the present specification to provide a storage medium for storing computer-executable instructions. The executable instructions, when executed by the processor, acquire interface calling information of a service function module in the target application for a system interface, where the interface calling information is generated based on an interface calling request of the service function module while the target application is in a running state; acquire interface declaration information determined based on a binary file in the application installation package of the target application, where the interface declaration information characterizes the function names of the callable interfaces declared by the target application; and generate a risk detection result for the interface calling request based on the interface calling information and the interface declaration information.
Drawings
In order to more clearly illustrate one or more embodiments or prior art solutions of the present specification, the drawings that are needed in the description of the embodiments or prior art will be briefly described below, it is obvious that the drawings in the following description are only some of the embodiments described in one or more of the specification, and that other drawings can be obtained by those skilled in the art without inventive exercise.
Fig. 1 is a first flowchart of a method for detecting a system interface call according to one or more embodiments of the present disclosure;
fig. 2 is a second flowchart of a method for detecting a system interface call according to one or more embodiments of the present disclosure;
fig. 3 is a third flowchart illustrating a method for detecting a system interface call according to one or more embodiments of the present disclosure;
fig. 4 is a fourth flowchart illustrating a method for detecting a system interface call according to one or more embodiments of the present disclosure;
FIG. 5 is a schematic diagram illustrating an implementation principle of a method for detecting a system interface call according to one or more embodiments of the present disclosure;
fig. 6 is a schematic block diagram illustrating a detection apparatus for system interface call according to one or more embodiments of the present disclosure;
fig. 7 is a schematic structural diagram of a detection device for a system interface call according to one or more embodiments of the present disclosure.
Detailed Description
In order to make the technical solutions in one or more embodiments of the present disclosure better understood, the technical solutions in one or more embodiments of the present disclosure will be clearly and completely described below with reference to the accompanying drawings in one or more embodiments of the present disclosure, and it is obvious that the described embodiments are only a part of one or more embodiments of the present disclosure, but not all embodiments. All other embodiments that can be derived by a person skilled in the art from the embodiments given in one or more of the present specification without inventive step shall fall within the scope of protection of this document.
It should be noted that one or more embodiments and features of the embodiments in the present description may be combined with each other without conflict. Reference will now be made in detail to one or more embodiments of the disclosure, examples of which are illustrated in the accompanying drawings.
One or more embodiments of the present disclosure provide a method and an apparatus for detecting system interface invocation, where interface invocation information for a system interface is obtained in real time during a running process of a target application, and a risk invocation detection is performed on an interface invocation request of a service function module in the target application by using interface declaration information determined by a binary file in an application installation package based on the target application, so that the interface invocation request with a risk is intercepted in time, interface invocation security of the target application is improved, and acquisition of user privacy data by performing private invocation on a system interface of an operating system is avoided, thereby improving security of the user privacy data.
Fig. 1 is a first flowchart of a method for detecting a system interface call according to one or more embodiments of the present disclosure, where the method in fig. 1 can be executed by a client, a server, or both, as shown in fig. 1, and the method at least includes the following steps:
s102, acquiring interface calling information of a service function module in the target application aiming at a system interface; the interface calling information is generated based on an interface calling request of a service function module when the target application is in a running state;
The target application is the application (APP) under detection. The service function module may be an internal function module that implements a specific service function in the target application, or a third-party function module in an integrated third-party software development kit (SDK). The system interface includes a public system interface or a non-public system interface (that is, a private interface) of the operating system of the client running the target application.
The application scenario for detecting the system interface call may be that the client detects whether the target application calls a private interface of the operating system, or that the target application detects whether a third-party SDK integrated into it calls a private interface of the operating system, that is, the target application performs a risk interface call self-check while running.
Specifically, to detect whether a third-party SDK integrated into the target application calls a private interface of the operating system, detection code for system interface calls is written into the application installation package of the target application in advance. When the target application is running, it automatically runs this detection code to determine whether an interface calling request currently issued from within the target application is a request from the third-party SDK to a private interface of the operating system, so that the target application can intercept such a request in time and avoid being restricted from installation by the operating system, or removed from the application store, because of the third-party SDK's calls to private interfaces of the operating system.
S104, acquiring interface declaration information determined by a binary file in an application installation package based on the target application; the interface declaration information is used for representing the function name of the callable interface declared by the target application;
Specifically, before the application installation package of the target application is obtained and the target application is installed on the client, the application installation package is analyzed to obtain the callable interface function names declared by the target application, which include the implemented interface function names and the imported interface function names.
And S106, generating a risk detection result of the interface calling request based on the acquired interface calling information and interface declaration information.
The risk detection result comprises at least one of: the interface to be called is an interface declared by the target application; or the interface to be called is a private interface of the operating system and the call comes from a third-party SDK. The risk detection result may further include the calling source information of the interface calling request. If the risk detection result is that the interface to be called is a private interface of the operating system, the interface calling request is determined to be a risk calling request; alternatively, if the risk detection result is that the interface to be called is a private interface of the operating system and the call comes from a third-party SDK, the interface calling request is determined to be a risk calling request. When the interface calling request is a risk calling request, it must be controlled according to a preset control mode that corresponds to the risk detection result; specifically, different control modes can be adopted for different risk detection results.
Specifically, considering that the target application calls a private interface of the operating system through the system reflection function in a reflective calling mode, a preset proxy function intercepts the interface calling request sent to the system interface through the system reflection function, generates the corresponding interface calling information based on that request, and performs risk identification on the request based on the interface calling information and the predetermined interface declaration information.
In one or more embodiments of the present disclosure, interface call information for a system interface is obtained in real time during a running process of a target application, and a risk call detection is performed on an interface call request of a service function module in the target application by using interface declaration information determined by a binary file in an application installation package based on the target application, so that the interface call request with a risk is intercepted in time, interface call security of the target application is improved, private call of a system interface of an operating system is avoided to obtain user privacy data, and further security of the user privacy data is improved.
The interface calling information includes the function name of the interface to be called. Correspondingly, a third-party SDK is usually provided to the integrator in binary form when it is integrated into the target application, so the developers of the target application do not know the code implementation of the third-party SDK, and the third-party SDK may covertly call private interfaces of the operating system on the user terminal. This creates the possibility of obtaining the user's private information through calls to private interfaces, which in turn causes the target application to be automatically restricted or removed from the shelf by the operating system. Based on this, when performing risk call detection for an interface calling request, it is detected both whether there is a call to a private interface of the operating system and whether that call comes from the third-party SDK, so that the abnormal third-party SDK can be conveniently controlled and the normal operation of the target application ensured. Specifically, as shown in fig. 2, the step S106 of generating a risk detection result of the interface calling request based on the acquired interface calling information and interface declaration information includes:
s1062, generating a detection result of the type of the calling interface based on the function name of the interface to be called in the interface calling information and the function name of the calling interface in the interface declaration information;
the detection result of the type of the call interface is used to characterize whether the interface to be called to which the interface call request is directed is a private interface of an operating system running the target application, and the function name of the interface to be called may include a class name and a method name of an interface function to be called captured by the proxy function.
S1064, if the interface to be called is a private interface of the operating system, generating a calling source detection result based on the acquired interface calling information;
the calling source detection result is used for representing whether the interface calling request is from a third-party SDK integrated in the target application, namely determining whether the calling request aiming at the private interface of the operating system is from a service function module of the third-party SDK integrated in the target application, but not from the service function module of the target application;
correspondingly, if the interface to be called is not a private interface of the operating system, it is determined that the interface calling request is not a risk calling request, and at this time, the interface calling request needs to be normally responded, that is, a function pointer corresponding to the interface to be called is returned to the service function module.
S1066, generating a risk detection result of the interface call request based on the call interface type detection result and the call source detection result.
Wherein, the risk detection result may include: the system comprises a detection result used for representing whether an interface calling request is a risk calling request or not, and at least one item of identification information, calling source information and calling timestamp information of an interface to be called;
specifically, if the interface to be called is a private interface of the operating system, the interface calling request may be directly determined as a risk calling request, and the interface calling request is controlled according to a first control mode; or, based on the interface calling information, generating a calling source detection result, that is, determining the source of the interface calling request, determining the interface calling request as a risk calling request if the interface to be called is a private interface of the operating system and the interface calling request is from the third-party SDK, and managing and controlling the interface calling request according to a second management and control mode; correspondingly, if the interface to be called is a private interface of the operating system and the calling source of the interface calling request is not the third-party SDK, the interface calling request is determined as a risk calling request, and the interface calling request is controlled according to a third control mode, wherein the first control mode, the second control mode and the third control mode are different from each other, and each preset control mode can be set according to an actual application scene.
Further, after determining a corresponding risk detection result for the currently monitored interface call request, determining whether the currently monitored interface call request is a risk call request based on the risk detection result, and further performing interception processing or normal response processing on the interface call request, based on which, in the above S106, after generating a risk detection result for the interface call request based on the obtained interface call information and interface declaration information, the method further includes:
judging whether the interface calling request is a risk calling request or not based on the risk detection result;
if so, returning preset feedback information to the service function module to intercept the interface to be called, which is called by the service function module by the interface calling request;
the preset feedback information can be a preset null value or other preset character strings, so that the service function module cannot acquire corresponding user privacy information from the interface to be called based on the preset feedback information, and the purpose of intercepting the risk calling request is achieved.
If not, returning a function pointer corresponding to the interface to be called to the service function module so as to allow the service function module to call the interface to be called to which the interface calling request aims based on the function pointer;
when the interface calling request is determined not to be a risk calling request, a function pointer of the interface to be called needs to be returned to the service function module according to a conventional calling request response mode, so that the service function module can obtain corresponding information from the interface to be called based on the function pointer, and further provide a corresponding service function for a user based on the information.
Specifically, for the case of intercepting an interface call request sent to a system reflection function by a service function module in a target application through a proxy function, the proxy function determines interface call information corresponding to the interface call request based on the intercepted interface call request, wherein the interface call information includes: at least one item of function name, calling stack information and calling environment information of the interface to be called;
after a risk detection result of an interface calling request is generated based on the interface calling information and predetermined interface declaration information, if the interface calling request is determined to be the risk calling request, preset feedback information is directly returned to the corresponding service function module by the proxy function, or the preset feedback information is sent to the system reflection function by the proxy function, and then the preset feedback information is returned to the corresponding service function module by the system reflection function;
correspondingly, if the interface calling request is determined not to be a risk calling request, the proxy function triggers the system reflection function to acquire the function pointer of the interface to be called from the interface to be called, namely the proxy function returns the code execution right to the system reflection function, the system reflection function acquires the function pointer of the interface to be called, the system reflection function returns the function pointer to the proxy function, and the proxy function returns the function pointer to the corresponding service function module, or the system reflection function directly returns the function pointer to the corresponding service function module.
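The decision and interception logic of S1062 to S1066 and the proxy-function responses described above, as an added Python model that is not the patent's code; the class and selector names, the image names on the call stack, the stand-in resolver, and the numbering of the three control modes are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed interface declaration information (S104/S112): class and selector
# names the target application's binary declares. Per the patent's S1062
# criterion, a reflective lookup of a name outside this set is treated as a
# private (undeclared) operating-system interface.
DECLARED: Dict[str, Set[str]] = {
    "classes": {"OrderService", "PaymentView", "UIDevice"},
    "selectors": {"submitOrder:", "viewDidLoad", "identifierForVendor"},
}

# Constructed: name of the app's own binary image. Call-stack frames from any
# other image are attributed to an integrated third-party SDK (S1064).
APP_IMAGE = "TargetApp"
# Frames belonging to the hook itself and the runtime are skipped when
# attributing a request to its source (constructed names).
INFRASTRUCTURE_IMAGES = {"ProxyFunction", "libobjc.A.dylib"}


@dataclass(frozen=True)
class CallInfo:
    """Interface calling information recorded by the proxy function (S1028)."""
    class_name: str
    selector: str
    call_stack: Tuple[str, ...]   # image name per frame, innermost first
    timestamp: float = 0.0


@dataclass(frozen=True)
class RiskResult:
    """Risk detection result (S1066)."""
    function_name: str
    is_private: bool
    from_third_party: bool
    source_image: str
    is_risk: bool
    control_mode: Optional[int]   # 1, 2 or 3 as in the text; None when allowed
    timestamp: float


def detect_interface_type(info: CallInfo, declared: Dict[str, Set[str]]) -> bool:
    """S1062: True when the resolved name is not declared by the app binary."""
    return (info.class_name not in declared["classes"]
            or info.selector not in declared["selectors"])


def detect_call_source(info: CallInfo, app_image: str) -> Tuple[str, bool]:
    """S1064: attribute the request to the first non-infrastructure frame."""
    for image in info.call_stack:
        if image not in INFRASTRUCTURE_IMAGES:
            return image, image != app_image
    return "unknown", False


def generate_risk_result(info: CallInfo, declared: Dict[str, Set[str]],
                         app_image: str, check_source: bool = True) -> RiskResult:
    """S1066: combine interface type and call source into a risk result.

    check_source=False models the first control mode: any private-interface
    call is a risk call without regard to where it came from. With the source
    check, a third-party origin selects mode 2 and the app's own code mode 3.
    """
    name = f"-[{info.class_name} {info.selector}]"
    is_private = detect_interface_type(info, declared)
    source, third_party = detect_call_source(info, app_image)
    if not is_private:
        return RiskResult(name, False, third_party, source, False, None, info.timestamp)
    if not check_source:
        mode = 1
    elif third_party:
        mode = 2
    else:
        mode = 3
    return RiskResult(name, True, third_party, source, True, mode, info.timestamp)


def proxy_resolve(info: CallInfo, resolver: Callable[[str, str], object],
                  declared: Dict[str, Set[str]] = DECLARED,
                  app_image: str = APP_IMAGE,
                  check_source: bool = True) -> Tuple[RiskResult, object]:
    """Proxy-function behaviour after S106: intercept or respond normally.

    A risk call receives the preset feedback value (None here) instead of a
    function pointer, so the caller cannot reach the interface; an allowed call
    is forwarded to the resolver standing in for the system reflection function.
    """
    result = generate_risk_result(info, declared, app_image, check_source)
    if result.is_risk:
        return result, None
    return result, resolver(info.class_name, info.selector)


def fake_reflection_resolver(class_name: str, selector: str) -> str:
    """Constructed stand-in for the system reflection function."""
    return f"<imp {class_name}:{selector}>"


if __name__ == "__main__":
    # Constructed request: an undeclared selector resolved from an SDK image.
    sdk_call = CallInfo("UIDevice", "undeclaredSelector",
                        ("ProxyFunction", "AdSDK", "TargetApp"))
    print(proxy_resolve(sdk_call, fake_reflection_resolver))
```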
As shown in fig. 3, the step S102 of obtaining interface call information of the service function module in the target application for the system interface includes:
s1022, monitoring an interface calling request of a service function module in the target application for the system reflection function; the interface calling request carries the function name of the interface to be called;
To implement some special service functions, a service function module calls the system reflection function, which obtains the corresponding function pointer from the interface to be called and returns it to the service function module, so that the module can obtain the corresponding information through that pointer. For example, if the service function of the module is to obtain the MAC address of the client, the function name of the interface to be called is the name of the interface used to obtain the MAC address.
S1024, routing the interface calling request to a preset proxy function by means of aspect-oriented programming;
The preset proxy function is a function implemented in the target application: the calling logic for the system reflection function is redirected, by an aspect-oriented mechanism, to another function (namely the preset proxy function), which serves as the carrier for monitoring calls to the system reflection function. In a specific implementation, calls to the system reflection functions (NSClassFromString, NSSelectorFromString, @performSelector:@selector(privateApiName)) can be transferred to the preset proxy function by function replacement; the function replacement can be realized through method_exchangeImplementations or fishhook. Specifically, when the service function module calls the system reflection function, the system reflection function is replaced by the preset proxy function, which records the function name of the interface to be called carried by the interface calling request. In other words, the aspect capability provides the ability to capture reflective call information, which is then combined with the function names of the callable interfaces declared by the target application to detect, in real time, calls by third-party libraries in the target application to private system interfaces, so that risk calling requests are dynamically intercepted and blocked.
S1026, obtaining calling link information corresponding to the interface calling request through a preset proxy function; wherein the call link information includes: calling stack information and/or calling environment information;
s1028, generating interface calling information of a service function module in the target application aiming at a system interface based on the function name of the interface to be called and the calling link information; wherein, the interface calling information at least comprises: the method comprises the steps of obtaining a function name of an interface to be called and calling link information, wherein the function name of the interface to be called is used for determining the type of the calling interface of a current interface calling request to be detected, and the calling link information is used for determining calling source information of the current interface calling request to be detected.
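The following is an added illustration of steps S1022 to S1028 in runnable form; it is not code from this specification or from the applicant. system_reflection stands in for the system reflection function (NSClassFromString, NSSelectorFromString), install_proxy stands in for the function replacement performed with method_exchangeImplementations or fishhook, and CURRENT_PAGE stands in for the calling environment information; these names, and the interface names in the table, are assumptions of the example.

```python
"""Added illustration, not code from the patent: routing a reflection call through
a proxy that records the interface calling information of S1022 to S1028.

system_reflection stands in for NSClassFromString / NSSelectorFromString, and
install_proxy stands in for the function replacement (method_exchangeImplementations
or fishhook) used on iOS. All names here are the example's own assumptions."""
import inspect
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed stand-in for the system's interface table: interface name -> callable
# that plays the role of the returned function pointer.
_SYSTEM_TABLE: Dict[str, Callable[[], str]] = {
    "getMacAddress": lambda: "02:00:00:00:00:00",   # constructed "private" interface
    "publicHelper": lambda: "ok",                    # constructed public interface
}

def system_reflection(interface_name: str) -> Optional[Callable[[], str]]:
    """Stand-in for the system reflection function: resolves a name to a pointer."""
    return _SYSTEM_TABLE.get(interface_name)

@dataclass
class InterfaceCallInfo:
    interface_name: str            # function name of the interface to be called
    call_stack: List[str]          # calling stack information, innermost frame first
    environment: Dict[str, str]    # calling environment information (current page)

# Hypothetical calling environment: the service page the application is showing.
CURRENT_PAGE: Dict[str, str] = {"page": "HomePage"}

class ProxyRecorder:
    """Preset proxy function: takes the place of the reflection function and records
    the interface calling information before handing the call on."""
    def __init__(self, original: Callable[[str], Optional[Callable[[], str]]]) -> None:
        self.original = original
        self.records: List[InterfaceCallInfo] = []

    def __call__(self, interface_name: str) -> Optional[Callable[[], str]]:
        frames = inspect.stack(0)[1:]          # drop the proxy's own frame
        stack = [f"{f.frame.f_globals.get('__name__')}.{f.function}" for f in frames]
        self.records.append(InterfaceCallInfo(interface_name, stack, dict(CURRENT_PAGE)))
        # The risk decision on the record is a separate step; here the call is
        # passed through so the recording itself can be observed.
        return self.original(interface_name)

def install_proxy(namespace: dict, name: str) -> ProxyRecorder:
    """Replace namespace[name] with the proxy (analogue of swapping the
    implementation of the reflection function)."""
    proxy = ProxyRecorder(namespace[name])
    namespace[name] = proxy
    return proxy

# Constructed service function module: acquires the MAC address via reflection.
def service_module_get_mac() -> Optional[Callable[[], str]]:
    return system_reflection("getMacAddress")

def demo() -> InterfaceCallInfo:
    """Hook, make one service call, unhook, and return what the proxy recorded."""
    proxy = install_proxy(globals(), "system_reflection")
    try:
        pointer = service_module_get_mac()
        if pointer is None or pointer() != "02:00:00:00:00:00":
            raise RuntimeError("pass-through to the reflection function failed")
        return proxy.records[0]
    finally:
        globals()["system_reflection"] = proxy.original    # restore the original

if __name__ == "__main__":
    print(demo())
```

The recorded call stack lists the service function module's frame first, which is what the later call source determination consumes; the proxy itself does not decide anything, it only captures the function name and the link information.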
For the process of determining the interface declaration information of the target application, before the interface declaration information determined based on the binary file in the application installation package of the target application is obtained in the above S104, the method further includes:
S108, acquiring the application installation package of the target application;
S110, extracting, from the obtained application installation package, the binary file that controls the global configuration of the target application; specifically, extracting Info.plist from the obtained application installation package, and determining the name of the binary file that controls the global configuration of the target application based on Info.plist;
S112, determining the interface declaration information declared by the target application based on the implemented interface function names corresponding to the implemented function sections and the imported interface function names corresponding to the imported function sections in the extracted binary file; wherein the implemented function sections and imported function sections may include __objc_classlist, __objc_classname and __objc_methname.
In specific implementation, Info.plist can be extracted from the application installation package, the name of the required binary file is acquired through the Executable file field (CFBundleExecutable) of Info.plist, and the function names declared by the binary file can be acquired quickly with the open source tool class-dump.
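Added illustration of S110 and S112, not code from this specification: the binary name is read from the CFBundleExecutable field of Info.plist, and the declared names are recovered from the __objc_classname and __objc_methname sections, which are tables of NUL-terminated strings (the same data class-dump reads). The Info.plist and section contents below are constructed; on a real installation package the section bytes come from the Mach-O binary named by CFBundleExecutable.

```python
"""Added illustration, not the patent's code: determining the declared interface
names (S108 to S112) from Info.plist and the Objective-C name sections of the binary.
The plist and the section bytes below are constructed."""
import plistlib
from typing import Set

# Constructed minimal Info.plist of a hypothetical application bundle.
INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>CFBundleExecutable</key><string>DemoApp</string>
<key>CFBundleIdentifier</key><string>com.example.demoapp</string>
</dict></plist>"""

# Constructed contents of the __objc_classname and __objc_methname sections:
# NUL-terminated C strings, as in the real Mach-O sections.
OBJC_CLASSNAME = b"AppDelegate\x00HomeViewController\x00"
OBJC_METHNAME = (b"viewDidLoad\x00"
                 b"application:didFinishLaunchingWithOptions:\x00"
                 b"publicHelper\x00")

def executable_name(plist_bytes: bytes) -> str:
    """Name of the main binary, from the Executable file (CFBundleExecutable) field."""
    return plistlib.loads(plist_bytes)["CFBundleExecutable"]

def parse_cstring_section(data: bytes) -> Set[str]:
    """Split a NUL-terminated string table into the individual names."""
    return {s.decode("utf-8") for s in data.split(b"\x00") if s}

def declared_interfaces(classname_section: bytes, methname_section: bytes) -> Set[str]:
    """Interface declaration information: every class and selector name the
    binary declares, which is the set a called function name is compared against."""
    return parse_cstring_section(classname_section) | parse_cstring_section(methname_section)

if __name__ == "__main__":
    print(executable_name(INFO_PLIST), sorted(declared_interfaces(OBJC_CLASSNAME, OBJC_METHNAME)))
```

A name such as a MAC address getter that does not appear in the resulting set is, by the rule of S1062, treated as a private interface of the operating system.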
The process of determining the interface declaration information of the target application based on its application installation package can be executed by the client or by the server; correspondingly, the process of comparing the function name of the interface to be called, acquired while the target application is running, with the function names of the callable interfaces in the predetermined interface declaration information can likewise be executed by the client or by the server.
Specifically, for the case in which the client compares the function name of the interface to be called with the function names of the callable interfaces and the server determines the interface declaration information of the target application, the server sends the interface declaration information to the client after determining it, and the client stores the interface declaration information locally, so that in the subsequent process of controlling interface calling requests the client can obtain the interface declaration information of the target application directly from local storage.
Correspondingly, for the case in which the client compares the function name of the interface to be called with the function names of the callable interfaces and also determines the interface declaration information of the target application, the client determines the interface declaration information based on the application installation package after receiving the application installation package of the target application, and stores the interface declaration information locally, so that in the subsequent process of controlling interface calling requests the client can obtain the interface declaration information of the target application directly from local storage.
Correspondingly, for the case in which the server both compares the function name of the interface to be called with the function names of the callable interfaces and determines the interface declaration information of the target application, the server determines and stores the interface declaration information based on the application installation package after acquiring the application installation package of the target application; after receiving the interface calling information that the client determined from the interface calling request currently to be detected, the server compares the interface calling information with the interface declaration information of the target application to obtain a corresponding interface comparison result and sends the interface comparison result to the client, so that the client generates the risk detection result of the interface calling request based on the interface comparison result; or the server generates the risk detection result of the interface calling request based on the interface comparison result and sends the risk detection result to the client.
It should be noted that, the implementation steps involved in the risk detection process for the interface call request are all within the scope of protection of one or more embodiments of the present specification, and are not described herein again.
Specifically, in order to improve the accuracy and specificity of the control over calls to private interfaces of the operating system, after the interface calling request is routed from the system reflection function to the preset proxy function, the preset proxy function not only parses the function name of the interface to be called from the interface calling request, but also obtains from the corresponding system interface the interface calling link information corresponding to the interface calling request currently being detected, and takes the function name of the interface to be called together with the interface calling link information as the interface calling information. Based on this, the interface calling information further includes interface calling link information, which is used for determining the calling source information of the interface calling request;
correspondingly, as shown in fig. 4, in step S1064, if the interface to be called is a private interface of the operating system, generating the call source detection result based on the obtained interface calling information specifically includes:
S10642, if the interface to be called is a private interface of the operating system, determining the function module identification information of the service function module based on the interface calling link information in the obtained interface calling information;
S10644, judging, based on the determined function module identification information, whether the service function module belongs to a third-party SDK integrated into the target application;
if the judgment result is yes, S10646, generating a call source detection result for characterizing that the interface calling request comes from the third-party SDK integrated into the target application;
if the judgment result is no, S10648, generating a call source detection result for characterizing that the calling source of the interface calling request is not a third-party SDK of the target application.
Specifically, for the process of determining the function module identification information of the service function module, call stack information and call environment information may be introduced at the same time; on the one hand this improves the accuracy of the determined function module identification information, and on the other hand it avoids the situation in which the call source detection result cannot be generated correctly because the identification information determined from the call stack information alone or from the call environment information alone is wrong. Based on this, the interface calling link information includes call stack information and call environment information;
correspondingly, in S10642, determining the function module identification information of the service function module based on the interface calling link information in the acquired interface calling information includes:
determining, based on the call stack information, a first calling source identifier of the party that initially sent the interface calling request; specifically, when the target application calls a certain interface, functions are called downwards layer by layer and the corresponding call stack information is formed when the current layer is reached, so the topmost calling source of the interface calling request can be determined by analyzing the call stack information.
Determining, based on the call environment information, a second calling source identifier corresponding to the service page on which the target application is currently located; specifically, considering that the call stack information is a function calling sequence at the technical level and cannot establish the operation page on which the target application is currently located, call stack information and call environment information are introduced at the same time: the first calling source identifier is determined based on the function calling sequence, the second calling source identifier is determined based on the operation page on which the target application is currently located, and the function module identification information of the service function module is then determined from both;
determining the function module identification information of the service function module based on the first calling source identifier and the second calling source identifier;
specifically, the first calling source identifier includes the initial calling sequence determined based on the function calling sequence, and the second calling source identifier includes the page identifier of the operation page on which the target application is currently located; the initial calling sequence determined based on the call stack information, together with the identification information of the service function module corresponding to the operation page on which the target application is currently located, is taken as the function module identification information of the service function module.
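Added illustration of S10642 to S10644, not code from this specification: the first calling source identifier is derived from the call stack as the initial calling sequence, the second from the operation page, and the two are combined so that an unusable stack (for example stripped frames) does not prevent the calling source from being determined. The frame owner table, page owner table, third-party SDK list and the sample stacks are constructed assumptions of the example.

```python
"""Added illustration, not the patent's code: determining the function module
identification information of the caller from call stack information and call
environment information together. All tables and stacks are constructed."""
from typing import Dict, List, Optional, Tuple

FRAME_OWNER: Dict[str, str] = {          # stack frame prefix -> code module (constructed)
    "com.example.app": "AppCore",
    "com.vendor.adsdk": "AdSDK",
    "com.vendor.analytics": "AnalyticsSDK",
}
PAGE_OWNER: Dict[str, str] = {"HomePage": "AppCore", "AdBannerPage": "AdSDK"}  # constructed
THIRD_PARTY_SDKS = {"AdSDK", "AnalyticsSDK"}                                 # constructed

# Constructed call stacks, innermost frame first, as a proxy function would record them.
STACK_SDK = ["com.vendor.adsdk.AdLoader.fetchDeviceInfo",
             "com.vendor.adsdk.AdLoader.load",
             "com.example.app.HomeViewController.viewDidAppear",
             "UIKit.-[UIViewController viewDidAppear:]"]
STACK_APP = ["com.example.app.DeviceInfo.macAddress",
             "com.example.app.HomeViewController.viewDidLoad",
             "UIKit.-[UIViewController loadView]"]
STACK_STRIPPED = ["0x1000abc", "0x1000def"]      # symbols stripped: nothing usable

def owner_of(frame: str) -> Optional[str]:
    """Map one frame to its module; None for system or unknown frames."""
    for prefix, module in FRAME_OWNER.items():
        if frame.startswith(prefix + "."):
            return module
    return None

def first_source_id(stack: List[str]) -> List[str]:
    """First calling source identifier: the initial calling sequence, i.e. the
    modules from the outermost known frame down to the frame that issued the call."""
    sequence: List[str] = []
    for frame in reversed(stack):               # walk from the top-most caller inwards
        module = owner_of(frame)
        if module and (not sequence or sequence[-1] != module):
            sequence.append(module)             # record module transitions only
    return sequence

def second_source_id(environment: Dict[str, str]) -> Optional[str]:
    """Second calling source identifier: the module owning the current operation page."""
    return PAGE_OWNER.get(environment.get("page", ""))

def module_identification(stack: List[str],
                          environment: Dict[str, str]) -> Tuple[List[str], Optional[str]]:
    """Function module identification information = (initial calling sequence, page module)."""
    return first_source_id(stack), second_source_id(environment)

def calling_module(ident: Tuple[List[str], Optional[str]]) -> Optional[str]:
    """Module that issued the call: last entry of the sequence, falling back to the
    page owner when the stack yielded nothing (the example's own combination rule)."""
    sequence, page_module = ident
    return sequence[-1] if sequence else page_module

def is_third_party_call(ident: Tuple[List[str], Optional[str]]) -> bool:
    """S10644: does the service function module belong to an integrated third-party SDK?"""
    module = calling_module(ident)
    return module is not None and module in THIRD_PARTY_SDKS

if __name__ == "__main__":
    for stack, page in ((STACK_SDK, "HomePage"), (STACK_APP, "HomePage"), (STACK_STRIPPED, "AdBannerPage")):
        ident = module_identification(stack, {"page": page})
        print(ident, is_third_party_call(ident))
```

The stripped-stack case is the one the text motivates: with only the call stack, the identification would be empty and no call source detection result could be produced, whereas the page identifier still attributes the call.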
Further, in order to improve the detection efficiency of system interface calling, after an interface calling request is determined to be a risk calling request, the interface calling interception rule corresponding to that risk calling request is determined and stored. In this way a corresponding interface calling interception rule can be generated based on the interface calling information of a previously identified risk interface calling request; after an interface calling request to be detected is monitored, its interface calling information is matched against the interface calling interception rules stored in advance, which realizes a preliminary screening of the interface calling request. If the preliminary screening result shows that the interface calling request is not a risk calling request, secondary risk identification is carried out on the interface calling request based on the interface calling information and the interface declaration information; if the preliminary screening result shows that the interface calling request is a risk calling request, risk management and control is carried out on the interface calling request directly. Based on this, after generating, in S10646, the call source detection result for characterizing that the interface calling request originates from the third-party SDK integrated into the target application, the method further includes:
generating an interface calling interception rule based on the function name of the interface to be called and the interface calling link information;
adding the interface calling interception rule to the calling interception rule set established for the target application; specifically, the calling interception rule set serves as the basis for the preliminary screening in the risk detection of the next interface calling request of the target application.
The generation of the interface calling interception rule can be executed by the client or by the server. In the case of execution by the server, the server needs to issue the interface calling interception rule to the client, so that the client adds it to the calling interception rule set established for the target application; in the case of execution by the client, the client directly adds the interface calling interception rule to the calling interception rule set established for the target application, so as to perform preliminary risk identification on the next monitored interface calling request.
Specifically, in S1062, generating the calling interface type detection result based on the function name of the interface to be called in the interface calling information and the function names of the callable interfaces in the interface declaration information specifically includes:
step one, matching the acquired interface calling information with the interface calling interception rules in the calling interception rule set corresponding to the target application to obtain a corresponding interception rule matching result;
step two, if the interception rule matching result indicates that no interface calling interception rule matching the interface calling information exists, comparing the function name of the interface to be called with the function names of the callable interfaces to obtain a corresponding function name comparison result;
step three, generating the calling interface type detection result according to the function name comparison result; specifically, if the function names of the callable interfaces include symbol A and symbol B, then if the function name of the interface to be called is symbol A or symbol B, it is determined that the interface to be called, at which the interface calling request is aimed, is not a private interface of the operating system running the target application, i.e. a safe interface call; if the function name of the interface to be called is symbol C, it is determined that the interface to be called is a private interface of the operating system running the target application, i.e. an unsafe interface call;
specifically, in the case that the calling interception rule set contains no interface calling interception rule matching the interface calling request currently to be detected, the function name of the interface to be called is further compared with the function names of the callable interfaces to determine whether the interface calling request is a risk calling request, and identification of the calling interface type and of the calling interface source of the interface calling request continues.
Specifically, for the process of determining the calling interface type detection result, in step three, generating the calling interface type detection result according to the function name comparison result specifically includes:
if the function name comparison result is that the function name of the interface to be called does not belong to the function names of the callable interfaces, generating a calling interface type detection result for characterizing that the interface to be called, at which the interface calling request is aimed, is a private interface of the operating system running the target application;
and if the function name comparison result is that the function name of the interface to be called belongs to the function names of the callable interfaces, generating a calling interface type detection result for characterizing that the interface to be called, at which the interface calling request is aimed, is not a private interface of the operating system running the target application.
Further, when the calling interception rule set contains an interface calling interception rule matching the interface calling request currently to be detected, a risk detection result determining the interface calling request to be a risk calling request can be generated directly, and the interface calling request is then intercepted and controlled. Specifically, after step one, in which the obtained interface calling information is matched with the interface calling interception rules in the calling interception rule set corresponding to the target application and a corresponding interception rule matching result is obtained, the method further includes:
if the interception rule matching result is that an interface calling interception rule matching the interface calling information exists, determining the interface calling request to be a risk calling request.
Specifically, if the interface calling information matches any original interface calling interception rule in the previously stored calling interception rule set, or any interface calling interception rule obtained by combination, the monitored interface calling request is determined to be a risk calling request;
correspondingly, if the interface calling information matches neither any original interface calling interception rule in the previously stored calling interception rule set nor any combined interface calling interception rule, the monitored interface calling request is determined not to be a risk calling request.
In specific implementation, the interface calling information includes the function name of the interface to be called and the calling link information, and the interface calling interception rule includes the function name of the private interface targeted by a risk calling request and the risk calling link information corresponding to that risk calling request; if the function name of the interface to be called is the same as the function name of the private interface and the calling link information of the interface calling request to be detected is the same as the risk calling link information, the interception rule matching result is that an interface calling interception rule matching the interface calling information exists. Correspondingly, an interface calling interception rule obtained by combination may be one formed by combining the function name of the private interface in a first interception rule with the risk calling link information in a second interception rule, where the first interception rule and the second interception rule are different interface calling interception rules in the calling interception rule set corresponding to the target application.
In a specific embodiment, as shown in fig. 5, the specific process of the detection method for system interface calling includes:
monitoring an interface calling request of a service function module in the target application for the system reflection function; the interface calling request carries the function name of the interface to be called; the service function module can be any one of service function module 1 to service function module n, the interface to be called can be any one of system interface 1 to system interface m, and any one of system interface 1 to system interface m can be a system public interface or a system private interface;
routing the interface calling request to a preset proxy function by means of aspect-oriented programming (AOP);
acquiring the calling link information corresponding to the interface calling request through the preset proxy function; wherein the calling link information includes calling stack information and/or calling environment information;
matching the function name of the interface to be called and the calling link information with the interface calling interception rules in the calling interception rule set corresponding to the target application;
if it is determined that an interface calling interception rule matching the interface calling request exists, determining the interface calling request to be a risk calling request, and returning a character string representing a null value to the service function module through the preset proxy function;
if no interface calling interception rule matching the interface calling request exists, comparing the function name of the interface to be called with the predetermined function names of the callable interfaces;
if it is determined that the function name of the interface to be called does not belong to the function names of the callable interfaces, i.e. the interface to be called is a system private interface, determining based on the calling link information whether the interface calling request comes from a third-party SDK integrated into the target application; if the calling source is a third-party SDK, determining the interface calling request to be a risk calling request and returning a character string representing a null value to the service function module through the preset proxy function; correspondingly, if the calling source is not a third-party SDK, returning a character string representing a null value or abnormal calling prompt information to the service function module through the preset proxy function;
if the function name of the interface to be called belongs to the function names of the callable interfaces, i.e. the interface to be called is not a system private interface, the preset proxy function calls the system reflection function to obtain the function pointer of the interface to be called, and the function pointer is returned to the service function module by the system reflection function or the preset proxy function, so that the service function module obtains the required information based on the function pointer.
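Added illustration, not code from this specification, of the process of fig. 5 together with step one to step three and the rule matching described above: preliminary screening against the calling interception rule set (original and combined rules), comparison with the declared callable function names, the third-party SDK source check of S10644 to S10648, and the value handed back to the service function module. The declared names, third-party SDK list, reflection table and requests are constructed, and the calling link information is simplified to the pair (calling module, current page), which is the example's own assumption.

```python
"""Added illustration, not code from the patent: the fig. 5 detection flow with a
calling interception rule set that supports original and combined rules.
All data below is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple, Union

LinkInfo = Tuple[str, str]                   # (module issuing the call, current page)
Pointer = Callable[[], str]                  # stands in for the returned function pointer

@dataclass(frozen=True)
class InterceptRule:
    func_name: str                           # private interface the risk request targeted
    link_info: LinkInfo                      # risk calling link information

class CallInterceptRuleSet:
    """Rule set established for one target application. A request matches an
    original rule outright, or a combined rule built from the function name of
    one rule and the link information of a different rule."""
    def __init__(self) -> None:
        self.rules: Set[InterceptRule] = set()

    def add(self, func_name: str, link_info: LinkInfo) -> None:
        self.rules.add(InterceptRule(func_name, link_info))

    def matches(self, func_name: str, link_info: LinkInfo) -> bool:
        if InterceptRule(func_name, link_info) in self.rules:      # original rule
            return True
        for first in self.rules:                                   # combined rule
            for second in self.rules:
                if (first != second and first.func_name == func_name
                        and second.link_info == link_info):
                    return True
        return False

NULL_RESULT = ""                             # character string representing a null value
ABNORMAL_CALL = "abnormal interface call"    # abnormal calling prompt information

class Detector:
    def __init__(self, declared: Set[str], third_party_sdks: Set[str],
                 reflection: Callable[[str], Optional[Pointer]]) -> None:
        self.declared = declared             # interface declaration information
        self.third_party = third_party_sdks
        self.reflection = reflection         # the real system reflection function
        self.rules = CallInterceptRuleSet()

    def is_private(self, func_name: str) -> bool:
        """Not declared by the binary means a private interface of the operating system."""
        return func_name not in self.declared

    def handle(self, func_name: str, link_info: LinkInfo) -> Tuple[str, Union[str, Pointer, None]]:
        """Return (detection result, value handed back to the service function module)."""
        if self.rules.matches(func_name, link_info):          # step one: preliminary screening
            return ("risk:rule", NULL_RESULT)
        if not self.is_private(func_name):                    # steps two and three
            return ("safe", self.reflection(func_name))       # proxy calls reflection
        if link_info[0] in self.third_party:                  # S10644 / S10646
            self.rules.add(func_name, link_info)              # rule for the next request
            return ("risk:third_party_private", NULL_RESULT)
        return ("private:first_party", ABNORMAL_CALL)         # S10648

# Constructed reflection table and detector for a runnable walk-through.
REFLECTION_TABLE: Dict[str, Pointer] = {"publicHelper": lambda: "ok",
                                        "getMacAddress": lambda: "02:00:00:00:00:00"}

def make_detector() -> Detector:
    return Detector(declared={"publicHelper", "viewDidLoad"},
                    third_party_sdks={"AdSDK", "AnalyticsSDK"},
                    reflection=REFLECTION_TABLE.get)

def walk_through() -> List[str]:
    """Six constructed requests in sequence; returns the detection result of each."""
    d = make_detector()
    return [
        d.handle("publicHelper", ("AppCore", "HomePage"))[0],
        d.handle("getMacAddress", ("AdSDK", "AdBannerPage"))[0],      # adds rule 1
        d.handle("getMacAddress", ("AdSDK", "AdBannerPage"))[0],      # original rule hit
        d.handle("getDeviceSerial", ("AnalyticsSDK", "HomePage"))[0], # adds rule 2
        d.handle("getMacAddress", ("AnalyticsSDK", "HomePage"))[0],   # combined rule hit
        d.handle("getMacAddress", ("AppCore", "HomePage"))[0],
    ]

if __name__ == "__main__":
    print(walk_through())
```

The fifth request shows the combined rule at work: its function name comes from rule 1 and its link information from rule 2, so it is screened out in step one without reaching the name comparison. The last request is a private interface called by first-party code, which the flow does not treat as a risk calling request but answers with the abnormal calling prompt.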
In the detection method for system interface calling in one or more embodiments of the present specification, interface calling information of a service function module in a target application for a system interface is obtained, the interface calling information being generated based on an interface calling request of the service function module while the target application is running; interface declaration information determined based on the binary file in the application installation package of the target application is obtained, the interface declaration information characterizing the function names of the callable interfaces declared by the target application; and a risk detection result of the interface calling request for the system interface is generated based on the obtained interface calling information and interface declaration information. Interface calling information for the system interface is acquired in real time while the target application runs, and risk detection is carried out on the interface calling request of the service function module with the help of the interface declaration information determined based on the binary file in the application installation package of the target application, so that risky interface calling requests are intercepted in time, the interface calling safety of the target application is improved, calling a private system interface of the operating system to acquire user privacy data is avoided, and the safety of user privacy data is thereby improved.
Corresponding to the detection method for system interface call described in fig. 1 to 5, based on the same technical concept, one or more embodiments of the present specification further provide a detection apparatus for system interface call, fig. 6 is a schematic diagram of modules of the detection apparatus for system interface call provided in one or more embodiments of the present specification, the apparatus is configured to execute the detection method for system interface call described in fig. 1 to 5, as shown in fig. 6, the apparatus includes:
a calling information obtaining module 602, which obtains interface calling information of a service function module in a target application for a system interface; the interface calling information is generated based on an interface calling request of the business function module when the target application is in a running state;
a declaration information obtaining module 604 that obtains interface declaration information determined based on a binary file in an application installation package of the target application; wherein the interface declaration information is used for characterizing a function name of a callable interface of the target application declaration;
a detection result generating module 606, configured to generate a risk detection result of the interface invocation request based on the interface invocation information and the interface declaration information.
In one or more embodiments of the present specification, a detection apparatus for system interface calling obtains interface calling information of a service function module in a target application for a system interface, the interface calling information being generated based on an interface calling request of the service function module while the target application is running; obtains interface declaration information determined based on the binary file in the application installation package of the target application, the interface declaration information characterizing the function names of the callable interfaces declared by the target application; and generates a risk detection result of the interface calling request for the system interface based on the obtained interface calling information and interface declaration information. Interface calling information for the system interface is acquired in real time while the target application runs, and risk detection is carried out on the interface calling request of the service function module with the help of the interface declaration information determined based on the binary file in the application installation package of the target application, so that risky interface calling requests are intercepted in time, the interface calling safety of the target application is improved, calling a private system interface of the operating system to acquire user privacy data is avoided, and the safety of user privacy data is thereby improved.
It should be noted that, the embodiment of the detection apparatus related to system interface call in this specification and the embodiment of the detection method related to system interface call in this specification are based on the same inventive concept, and therefore, for specific implementation of this embodiment, reference may be made to implementation of the detection method related to system interface call in the foregoing, and repeated details are not described again.
Further, corresponding to the methods shown in fig. 1 to fig. 5, based on the same technical concept, one or more embodiments of the present specification further provide a system interface call detection device, where the device is configured to perform the method for detecting a system interface call, as shown in fig. 7.
The detection device for system interface calling may differ considerably in configuration or performance, and may include one or more processors 701 and a memory 702, where the memory 702 may store one or more application programs or data. The memory 702 may be transient storage or persistent storage. The application program stored in the memory 702 may include one or more modules (not shown), each of which may include a series of computer-executable instructions for the detection device for system interface calling. Still further, the processor 701 may be configured to communicate with the memory 702 to execute, on the detection device for system interface calling, the series of computer-executable instructions in the memory 702. The detection device for system interface calling may also include one or more power supplies 703, one or more wired or wireless network interfaces 704, one or more input/output interfaces 705, one or more keyboards 706, and the like.
In one particular embodiment, the detection device for system interface calling includes a memory and one or more programs, wherein the one or more programs are stored in the memory, the one or more programs may include one or more modules, each module may include a series of computer-executable instructions for the detection device for system interface calling, and the one or more programs are configured to be executed by one or more processors, the one or more programs including computer-executable instructions for:
acquiring interface calling information of a service function module in a target application aiming at a system interface; the interface calling information is generated based on an interface calling request of the business function module when the target application is in a running state;
acquiring interface declaration information determined based on a binary file in an application installation package of the target application; wherein the interface declaration information is used for characterizing a function name of a callable interface of the target application declaration;
and generating a risk detection result of the interface calling request based on the interface calling information and the interface declaration information.
In one or more embodiments of the present specification, a detection device for system interface calling obtains interface calling information of a service function module in a target application for a system interface, the interface calling information being generated based on an interface calling request of the service function module while the target application is running; obtains interface declaration information determined based on the binary file in the application installation package of the target application, the interface declaration information characterizing the function names of the callable interfaces declared by the target application; and generates a risk detection result of the interface calling request for the system interface based on the obtained interface calling information and interface declaration information. Interface calling information for the system interface is acquired in real time while the target application runs, and risk detection is carried out on the interface calling request of the service function module with the help of the interface declaration information determined based on the binary file in the application installation package of the target application, so that risky interface calling requests are intercepted in time, the interface calling safety of the target application is improved, calling a private system interface of the operating system to acquire user privacy data is avoided, and the safety of user privacy data is thereby improved.
It should be noted that, the embodiment of the detection device related to the system interface call in this specification and the embodiment of the detection method related to the system interface call in this specification are based on the same inventive concept, and therefore, for specific implementation of this embodiment, reference may be made to implementation of the detection method related to the system interface call in the foregoing description, and repeated details are not described here again.
Further, based on the same technical concept and corresponding to the methods shown in fig. 1 to fig. 5, one or more embodiments of this specification further provide a storage medium for storing computer-executable instructions. In a specific embodiment, the storage medium may be a USB disk, an optical disk, a hard disk, or the like, and the computer-executable instructions it stores, when executed by a processor, implement the following process:
acquiring interface calling information of a service function module in a target application for a system interface; the interface calling information is generated based on an interface calling request of the service function module while the target application is in a running state;
acquiring interface declaration information determined based on a binary file in the application installation package of the target application; wherein the interface declaration information represents the function names of the callable interfaces declared by the target application;
and generating a risk detection result of the interface calling request based on the interface calling information and the interface declaration information.
The computer-executable instructions stored in the storage medium of one or more embodiments of this specification, when executed by the processor, obtain interface calling information of a service function module in a target application for a system interface, where the interface calling information is generated from an interface calling request issued by the service function module while the target application is running; obtain interface declaration information determined from a binary file in the application installation package of the target application, where the interface declaration information represents the function names of the callable interfaces declared by the target application; and generate a risk detection result for the interface calling request based on the acquired interface calling information and interface declaration information. Because interface calling information for system interfaces is acquired in real time while the target application runs, and risk detection of the service function module's interface calling request is carried out against the interface declaration information derived from the binary file in the application installation package, a risky interface calling request can be intercepted in time. This improves the interface calling security of the target application, prevents private calls to operating-system interfaces from being used to obtain user privacy data, and thereby improves the security of that data.
It should be noted that the embodiment of the storage medium in this specification and the embodiment of the detection method for system interface calls in this specification are based on the same inventive concept; the specific implementation of this embodiment may therefore refer to the implementation of the detection method for system interface calls described above, and repeated details are not described again.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
In the 1990s, improvements to a technology could be clearly distinguished as hardware improvements (for example, improvements to circuit structures such as diodes, transistors, and switches) or software improvements (improvements to a method flow). However, as technology advances, many of today's improvements to method flows can be regarded as direct improvements to hardware circuit structures. Designers almost always obtain the corresponding hardware circuit structure by programming an improved method flow into a hardware circuit. Thus, it cannot be said that an improvement in a method flow cannot be realized by a hardware entity module. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose logic functions are determined by the user's programming of the device. A designer "integrates" a digital system onto a PLD by self-programming, without requiring a chip manufacturer to design and fabricate an application-specific integrated circuit chip. Moreover, nowadays, instead of manually making integrated circuit chips, this programming is mostly implemented with "logic compiler" software, which is similar to the software compiler used in program development, and the source code to be compiled has to be written in a particular programming language called a Hardware Description Language (HDL). There is not just one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM, and RHDL (Ruby Hardware Description Language); VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog are currently the most commonly used.
It will also be apparent to those skilled in the art that hardware circuitry that implements the logical method flows can be readily obtained by merely slightly programming the method flows into an integrated circuit using the hardware description languages described above.
The controller may be implemented in any suitable manner. For example, the controller may take the form of a microprocessor or processor together with a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by that (micro)processor, or the form of logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, or an embedded microcontroller; examples of such controllers include, but are not limited to, the ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicon Labs C8051F320 microcontrollers, and a memory controller may also be implemented as part of the control logic of the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller as pure computer-readable program code, the same functionality can be achieved by logically programming the method steps so that the controller takes the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers, and the like. Such a controller may thus be regarded as a hardware component, and the means included in it for performing the various functions may also be regarded as structures within the hardware component. Means for performing the functions may even be regarded as being both software modules that perform the method and structures within the hardware component.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the various elements may be implemented in the same one or more software and/or hardware implementations of one or more of the present descriptions.
As will be appreciated by one skilled in the art, one or more embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, one or more of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, one or more of the present description may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied in the medium.
One or more of the present specification has been described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to one or more embodiments of the specification. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, a computer-readable medium does not include a transitory computer-readable medium such as a modulated data signal or a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but may also include other elements not expressly listed or inherent to such a process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in the process, method, article, or apparatus that comprises the element.
One or more of the present specification can be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. One or more of the present specification can also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is merely illustrative of one or more embodiments of the present disclosure and is not intended to limit one or more embodiments of the present disclosure. Various modifications and alterations to one or more of the present descriptions will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement or the like made within the spirit and principle of one or more of the present specification should be included in the scope of one or more claims of the present specification.

Claims (24)

1. A method for detecting a system interface call comprises the following steps:
acquiring interface calling information of a service function module in a target application for a system interface; the interface calling information is generated based on an interface calling request of the service function module while the target application is in a running state;
acquiring interface declaration information determined based on a binary file in the application installation package of the target application; wherein the interface declaration information represents the function names of the callable interfaces declared by the target application;
and generating a risk detection result of the interface calling request based on the interface calling information and the interface declaration information.
2. The method of claim 1, wherein the interface call information comprises: function names of interfaces to be called;
generating a risk detection result of the interface calling request based on the interface calling information and the interface declaration information, including:
generating a calling interface type detection result based on the function name of the interface to be called and the function names of the callable interfaces, wherein the calling interface type detection result represents whether the interface to be called, which the interface calling request targets, is a private interface of the operating system running the target application;
if the interface to be called is a private interface of the operating system, generating a calling source detection result based on the interface calling information, wherein the calling source detection result is used for representing whether the interface calling request is from a third-party SDK integrated to the target application;
and generating a risk detection result of the interface calling request based on the calling interface type detection result and the calling source detection result.
3. The method of claim 1, wherein after generating a risk detection result for the interface invocation request based on the interface invocation information and the interface declaration information, further comprising:
judging whether the interface calling request is a risk calling request or not based on the risk detection result;
if so, returning preset feedback information to the service function module, so as to intercept the service function module's call to the interface to be called that the interface calling request targets;
if not, returning a function pointer corresponding to the interface to be called to the service function module so as to allow the service function module to call the interface to be called to which the interface calling request aims based on the function pointer.
4. The method of claim 1, wherein the obtaining interface call information of a service function module in a target application for a system interface comprises:
monitoring an interface calling request of a service function module in a target application for a system reflection function; the interface calling request carries the function name of the interface to be called;
routing the interface calling request to a preset proxy function by means of aspect-oriented programming (AOP);
acquiring calling link information corresponding to the interface calling request through the preset proxy function;
and generating interface calling information of the service function module aiming at the system interface based on the function name of the interface to be called and the calling link information.
5. The method of claim 1, wherein prior to obtaining interface declaration information determined based on a binary file in an application installation package for the target application, further comprising:
acquiring an application installation package of the target application;
extracting a binary file for controlling a global configuration of the target application from the application installation package;
and determining the interface declaration information declared by the target application based on the implemented-interface function names in the implemented-function section and the imported-interface function names in the imported-function section of the binary file.
6. The method of claim 2, wherein the interface call information further comprises: interface calling link information;
generating a calling source detection result based on the interface calling information, wherein the generating comprises:
determining functional module identification information of the service functional module based on the interface calling link information;
judging whether the service function module belongs to a third-party SDK integrated to the target application or not based on the function module identification information;
and if so, generating a calling source detection result for representing that the interface calling request is from a third-party SDK integrated to the target application.
7. The method of claim 6, wherein after generating a call source detection result that characterizes the interface call request as originating from a third-party SDK integrated into the target application, further comprising:
generating an interface calling interception rule based on the function name of the interface to be called and the interface calling link information;
adding the interface call interception rule to a set of call interception rules established for the target application.
8. The method according to claim 2, wherein the generating a calling interface type detection result based on the function name of the interface to be called and the function names of the callable interfaces comprises:
matching the interface calling information with interface calling interception rules in a calling interception rule set corresponding to the target application to obtain a corresponding interception rule matching result;
if the interception rule matching result indicates that no interface calling interception rule matches the interface calling information, comparing the function name of the interface to be called with the function names of the callable interfaces to obtain a corresponding function name comparison result;
and generating a calling interface type detection result according to the function name comparison result.
9. The method of claim 8, wherein the generating a call interface type detection result according to the function name comparison result comprises:
if the function name comparison result is that the function name of the interface to be called does not belong to the function name of the callable interface, generating a calling interface type detection result for representing that the interface to be called to which the interface calling request aims is a private interface of an operating system running the target application;
and if the function name comparison result is that the function name of the interface to be called belongs to the function name of the callable interface, generating a calling interface type detection result for representing that the interface to be called to which the interface calling request aims is not a private interface of the operating system running the target application.
10. The method of claim 8, wherein after matching the interface call information with interface call interception rules in the call interception rule set corresponding to the target application to obtain a corresponding interception rule matching result, the method further comprises:
and if the interception rule matching result is that the interface calling interception rule matched with the interface calling information exists, determining that the interface calling request is a risk calling request.
11. The method of claim 6, wherein the interface calling link information comprises: calling stack information and calling environment information;
determining the function module identification information of the service function module based on the interface calling link information, including:
determining a first calling source identifier for initially sending the interface calling request based on the calling stack information;
determining a second calling source identifier corresponding to the service page the target application is currently on, based on the calling environment information;
and determining the function module identification information of the service function module based on the first calling source identification and the second calling source identification.
12. An apparatus for detecting a system interface call, comprising:
a calling information acquisition module that acquires interface calling information of a service function module in a target application for a system interface; the interface calling information is generated based on an interface calling request of the service function module while the target application is in a running state;
a declaration information acquisition module that acquires interface declaration information determined based on a binary file in the application installation package of the target application; wherein the interface declaration information represents the function names of the callable interfaces declared by the target application;
and the detection result generation module generates a risk detection result of the interface calling request based on the interface calling information and the interface declaration information.
13. The apparatus of claim 12, wherein the interface call information comprises: function names of interfaces to be called;
the detection result generation module is configured to:
generating a calling interface type detection result based on the function name of the interface to be called and the function names of the callable interfaces, wherein the calling interface type detection result represents whether the interface to be called, which the interface calling request targets, is a private interface of the operating system running the target application;
if the interface to be called is a private interface of the operating system, generating a calling source detection result based on the interface calling information, wherein the calling source detection result is used for representing whether the interface calling request is from a third-party SDK integrated to the target application;
and generating a risk detection result of the interface calling request based on the calling interface type detection result and the calling source detection result.
14. The apparatus of claim 12, wherein the apparatus further comprises: a call request response module that:
judging whether the interface calling request is a risk calling request or not based on the risk detection result;
if so, returning preset feedback information to the service function module, so as to intercept the service function module's call to the interface to be called that the interface calling request targets;
if not, returning a function pointer corresponding to the interface to be called to the service function module so as to allow the service function module to call the interface to be called to which the interface calling request aims based on the function pointer.
15. The apparatus of claim 12, wherein the calling information acquisition module:
monitoring an interface calling request of a service function module in a target application for a system reflection function; the interface calling request carries the function name of the interface to be called;
routing the interface calling request to a preset proxy function by means of aspect-oriented programming (AOP);
acquiring calling link information corresponding to the interface calling request through the preset proxy function;
and generating interface calling information of the service function module aiming at the system interface based on the function name of the interface to be called and the calling link information.
16. The apparatus of claim 12, wherein the apparatus further comprises: a declaration information determination module that:
acquiring an application installation package of the target application;
extracting a binary file for controlling a global configuration of the target application from the application installation package;
and determining the interface declaration information declared by the target application based on the implemented-interface function names in the implemented-function section and the imported-interface function names in the imported-function section of the binary file.
17. The apparatus of claim 13, wherein the interface call information further comprises: interface calling link information;
the detection result generation module is configured to:
determining functional module identification information of the service functional module based on the interface calling link information;
judging whether the service function module belongs to a third-party SDK integrated to the target application or not based on the function module identification information;
and if so, generating a calling source detection result for representing that the interface calling request is from a third-party SDK integrated to the target application.
18. The apparatus of claim 17, wherein the apparatus further comprises: an interception rule storage module that:
generating an interface calling interception rule based on the function name of the interface to be called and the interface calling link information;
adding the interface call interception rule to a set of call interception rules established for the target application.
19. The apparatus of claim 13, wherein the detection result generation module is to:
matching the interface calling information with interface calling interception rules in a calling interception rule set corresponding to the target application to obtain a corresponding interception rule matching result;
if the interception rule matching result indicates that no interface calling interception rule matches the interface calling information, comparing the function name of the interface to be called with the function names of the callable interfaces to obtain a corresponding function name comparison result;
and generating a calling interface type detection result according to the function name comparison result.
20. The apparatus of claim 19, wherein the detection result generation module is to:
if the function name comparison result is that the function name of the interface to be called does not belong to the function name of the callable interface, generating a calling interface type detection result for representing that the interface to be called to which the interface calling request aims is a private interface of an operating system running the target application;
and if the function name comparison result is that the function name of the interface to be called belongs to the function name of the callable interface, generating a calling interface type detection result for representing that the interface to be called to which the interface calling request aims is not a private interface of the operating system running the target application.
21. The apparatus of claim 19, wherein the detection result generation module is to:
and if the interception rule matching result is that the interface calling interception rule matched with the interface calling information exists, determining that the interface calling request is a risk calling request.
22. The apparatus of claim 17, wherein the interface calling link information comprises: calling stack information and calling environment information;
the detection result generation module is configured to:
determining a first calling source identifier for initially sending the interface calling request based on the calling stack information;
determining a second calling source identifier corresponding to the service page the target application is currently on, based on the calling environment information;
and determining the function module identification information of the service function module based on the first calling source identification and the second calling source identification.
23. A device for detecting system interface calls, comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
acquiring interface calling information of a service function module in a target application for a system interface; the interface calling information is generated based on an interface calling request of the service function module while the target application is in a running state;
acquiring interface declaration information determined based on a binary file in an application installation package of the target application; wherein the interface declaration information is used for characterizing a function name of a callable interface of the target application declaration;
and generating a risk detection result of the interface calling request based on the interface calling information and the interface declaration information.
24. A storage medium storing computer-executable instructions that, when executed by a processor, implement a method comprising:
acquiring interface calling information of a service function module in a target application for a system interface, the interface calling information being generated from an interface calling request of the service function module while the target application is in a running state;
acquiring interface declaration information determined from a binary file in the application installation package of the target application, the interface declaration information characterizing the function names of the callable interfaces declared by the target application;
and generating a risk detection result for the interface calling request based on the interface calling information and the interface declaration information.
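The detection flow described in claims 20 to 24 (declared-name comparison, interception-rule matching, and source identification from the call stack and the service page), as an added example that is not part of the patent or Alipay's code; the declared function names, modules, pages and rules are constructed sample data, and the rule that the outermost app-owned stack frame is the first calling source is an assumption.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample data; all names are hypothetical, not from the patent.
# Function names the app declares as callable, as would be extracted from the
# installation package's binary (its import/symbol table) before runtime.
DECLARED_CALLABLE = {"NSString.length", "UIDevice.systemVersion",
                     "CLLocationManager.startUpdatingLocation"}
# Interception rules: a function that a given module must not call ("*" = any).
INTERCEPT_RULES = [{"function": "CLLocationManager.startUpdatingLocation",
                    "module": "ad_sdk"}]
SYSTEM_MODULES = {"libsystem", "Foundation", "UIKit"}   # frames not owned by the app
PAGE_OWNER = {"checkout": "payment", "feed": "ad_sdk"}   # service page -> module

@dataclass
class CallInfo:
    """Runtime interface calling information captured for one request."""
    function: str                 # function name of the interface to be called
    call_stack: list[str]         # "module:symbol" frames, innermost first
    environment: dict = field(default_factory=dict)   # e.g. {"page": "checkout"}

def interface_type(call: CallInfo) -> str:
    """Claim 20: a name absent from the declared callable set is treated as a
    private interface of the operating system."""
    return "declared" if call.function in DECLARED_CALLABLE else "private"

def source_module(call: CallInfo) -> str:
    """Claim 22: first source id from the outermost app-owned stack frame
    (assumption), second source id from the service page; page owner is the fallback."""
    app_frames = [f.partition(":")[0] for f in call.call_stack
                  if f.partition(":")[0] not in SYSTEM_MODULES]
    first_source = app_frames[-1] if app_frames else None
    second_source = PAGE_OWNER.get(call.environment.get("page"))
    return first_source or second_source or "unknown"

def assess(call: CallInfo) -> dict:
    """Claims 21/23: combine the type check with the interception-rule match."""
    module = source_module(call)
    kind = interface_type(call)
    rule_hit = any(r["function"] == call.function and r["module"] in ("*", module)
                   for r in INTERCEPT_RULES)
    return {"module": module, "interface_type": kind,
            "rule_matched": rule_hit, "risk": kind == "private" or rule_hit}

if __name__ == "__main__":
    sample = CallInfo("_hiddenSystemAPI", ["libsystem:dispatch", "ad_sdk:track"],
                      {"page": "feed"})
    print(assess(sample))
```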
CN202011398294.XA 2020-12-03 2020-12-03 Method and device for detecting system interface call Active CN112560022B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011398294.XA CN112560022B (en) 2020-12-03 2020-12-03 Method and device for detecting system interface call

Publications (2)

Publication Number Publication Date
CN112560022A true CN112560022A (en) 2021-03-26
CN112560022B CN112560022B (en) 2024-03-12

Family

ID=75047880

Country Status (1)

Country Link
CN (1) CN112560022B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112948824A (en) * 2021-03-31 2021-06-11 支付宝(杭州)信息技术有限公司 Program communication method, device and equipment based on privacy protection
CN112948824B (en) * 2021-03-31 2022-04-26 支付宝(杭州)信息技术有限公司 Program communication method, device and equipment based on privacy protection
CN113221098A (en) * 2021-05-06 2021-08-06 支付宝(杭州)信息技术有限公司 Processing method and device for interface call request
CN113221099A (en) * 2021-05-06 2021-08-06 支付宝(杭州)信息技术有限公司 Processing method and device for interface call request
WO2022233270A1 (en) * 2021-05-06 2022-11-10 支付宝(杭州)信息技术有限公司 Processing method and apparatus for interface calling request
CN113536319A (en) * 2021-07-07 2021-10-22 上海浦东发展银行股份有限公司 Interface risk prediction method and device, computer equipment and storage medium
CN113536319B (en) * 2021-07-07 2022-12-13 上海浦东发展银行股份有限公司 Interface risk prediction method and device, computer equipment and storage medium

Also Published As

Publication number Publication date
CN112560022B (en) 2024-03-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant