CN114647853A - Method and system for improving distributed application program vulnerability detection accuracy - Google Patents

Method and system for improving distributed application program vulnerability detection accuracy Download PDF

Info

Publication number
CN114647853A
CN114647853A
Authority
CN
China
Prior art keywords
data
time window
taint
request data
sliding time
Prior art date
Legal status
Granted
Application number
CN202210200375.7A
Other languages
Chinese (zh)
Other versions
CN114647853B (en
Inventor
刘海涛
万振华
王颉
李华
董燕
Current Assignee
Seczone Technology Co Ltd
Original Assignee
Seczone Technology Co Ltd
Priority date
Filing date
Publication date

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/03 Indexing scheme relating to G06F 21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F 2221/033 Test or assess software

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a method and a system for improving the vulnerability detection accuracy of distributed applications. The method comprises: at the caller, registering request data that carries taint data, together with the taint propagation information for that request, in a sliding time window; at the callee, treating received request data that is present in the sliding time window as taint data, performing data-flow-tracking vulnerability detection on it, and registering the resulting data in the sliding time window; at the caller, binding the request data to the corresponding returned response data; and, within the sliding time window, matching the caller's data against the callee's data and reporting the matched caller-side taint propagation stage together with the callee-side taint output stage (the sink) as one combined finding. The sliding time window and the consistency check between request and response data are what preserve the accuracy of data-flow-tracking vulnerability detection for a distributed application.

Description

Method and system for improving distributed application program vulnerability detection accuracy
Technical Field
The invention relates to the technical field of distributed application program vulnerability detection, in particular to a method and a system for improving distributed application program vulnerability detection accuracy.
Background
Conventional vulnerability detection tools cannot effectively detect vulnerabilities in applications built on a large-scale distributed architecture (also called a microservice architecture, for example Apache Dubbo). In a microservice architecture much of the request and response traffic is buried in internal service-to-service calls. Black-box detection only observes the externally visible request and response, so the data exchanged in those internal calls yields no useful information to it. Grey-box (IAST) detection based on probe technology normally relies on a single JVM to maintain accuracy: within one JVM, IAST can identify a taint object by its identity hash (System.identityHashCode), which is tied to the object instance in memory, so two equal strings belonging to different requests are still distinguished because they are different objects at different addresses, whereas the content-based hashCode method would give equal strings the same value regardless of which request they belong to. Such identity hashes are only meaningful inside the JVM that produced them, so taint cannot be tracked accurately across a call that crosses JVM boundaries. As a result, neither black-box detection nor probe-based grey-box (IAST) detection can, by itself, achieve sufficient accuracy for vulnerability detection in applications on a distributed architecture.
Disclosure of Invention
The present invention provides a method and a system for improving the accuracy of detecting vulnerabilities of a distributed application program to solve the above technical problem, so as to improve the accuracy of detecting vulnerabilities of a distributed application system based on a data stream tracking method.
In order to achieve the above object, the present invention discloses a method for improving the bug detection accuracy of a distributed application program, which comprises:
at a calling party, registering request data with taint data and taint data propagation process information in the request data into a sliding time window;
after a called party receives request data which is sent by the calling party and is positioned in the sliding time window, the request data is taken as taint data, data flow tracking vulnerability detection based on the taint data is carried out, and if a vulnerability is detected, the request data, the response data corresponding to the request data and the detected vulnerability information are registered in the sliding time window;
at the calling party, binding the request data and the returned response data corresponding to the request data and updating the bound request data and the bound response data into the sliding time window;
and, within the sliding time window, using the mutually bound request data and response data from the caller as the match value; if the same data pair is matched, the propagation stage of the caller's taint data and the output stage of the callee's taint data corresponding to that match value are combined and reported.
Preferably, the time length of the sliding time window is one minute.
Preferably, the instrumentation process is performed on the application program to be tested operating on the distributed architecture based on the IAST instrumentation tool, so that the context of each request execution process of the application program to be tested can be obtained in each step of the detection process.
The invention also discloses a system for improving the vulnerability detection accuracy of the distributed application program, which comprises a calling party data tracking module, a called party data tracking module, a binding updating module and a matching output module;
the caller data tracking module is used for the caller to register request data that carries taint data, together with the taint propagation information for that request, in a sliding time window;
the called party data tracking module is used for taking the request data as taint data and carrying out data flow tracking vulnerability detection based on the taint data after the called party receives the request data which is sent by the calling party and is positioned in the sliding time window, and registering the request data, the response data corresponding to the request data and the detected vulnerability information into the sliding time window if a vulnerability is detected;
the binding update module is used, at the caller, to bind the request data to the returned response data corresponding to it and to update the bound request data and response data into the sliding time window;
and the matching output module is used for matching by taking the request data and the response data bound with each other from the calling party as matching values in the sliding time window, and combining and reporting the propagation stage of the taint data of the calling party and the output stage of the taint data of the called party corresponding to the matching values.
Preferably, the length of the sliding time window is one minute.
Preferably, the system further comprises an instrumentation module configured to instrument the application under test, which runs on the distributed architecture, with an IAST instrumentation tool, so that the context of each request's execution can be acquired at every step of the detection process.
The invention also discloses another system for improving the distributed application program vulnerability detection accuracy, which comprises the following steps:
one or more processors;
a memory;
and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the programs including instructions for performing the method of improving distributed application vulnerability detection accuracy as described above.
The present invention also discloses a computer readable storage medium comprising a computer program executable by a processor to perform the method of improving distributed application vulnerability detection accuracy as described above.
Compared with the prior art, the detection method provided by the invention detects vulnerabilities by tracking the data flow of taint data. During detection, a sliding time window frames the caller's request data, the taint propagation information and the corresponding response data, and the same sliding time window frames the callee's request data, response data and vulnerability information. Within the window, the request and response data from the caller and from the callee that belong to the same taint point are then found by matching, and the matched caller-side propagation stage and callee-side output stage of the taint data are combined into one report for that taint point. The sliding time window thereby bounds the time span over which data is analysed, and binding the caller's request data to its response data, then matching within the window, keeps the request and response data that describe a vulnerability point consistent with each other, so the accuracy of data-flow-tracking vulnerability detection for distributed applications is preserved to a large extent.
Drawings
FIG. 1 is a flowchart illustrating a detection method according to an embodiment of the present invention.
FIG. 2 is a flow chart of an inspection method according to another embodiment of the present invention.
FIG. 3 is a system diagram of an inspection system according to an embodiment of the present invention.
Detailed Description
In order to explain technical contents, structural features, and objects and effects of the present invention in detail, the following detailed description is given with reference to the accompanying drawings in conjunction with the embodiments.
The embodiment discloses a method for improving accuracy of detecting a distributed application program vulnerability, which is used for improving accuracy of detecting the distributed application program vulnerability based on a data flow tracking mode, and specifically, as shown in fig. 1, the detection method comprises the following steps:
S1: Before the caller sends a request to the callee, it determines whether the request data contains taint data. If so, it registers the current request data, together with the taint propagation information for that request, in the sliding time window and waits for the data returned by the callee. If the request data contains no taint data, no vulnerability can be found for it by data-flow tracking, so the request data is not registered in the sliding time window and its analysis is abandoned.
S2: After the callee receives request data sent by the caller, it checks whether that request data is present in the sliding time window. If it is, the callee treats the request data as taint data and continues data-flow-tracking vulnerability detection based on it; if a vulnerability is detected, the request data, the corresponding response data and the detected vulnerability information are registered in the sliding time window. If no vulnerability is detected, the callee registers nothing in the sliding time window.
S3: and at the caller, after the response data returned by the callee is obtained, binding the request data of the caller with the returned response data corresponding to the request data, and updating the bound request data and the bound response data into the sliding time window.
S4: Within the sliding time window, the mutually bound request and response data from the caller are used as the match value. If the same data pair is matched, that is, data identical to the bound request and response data is found in the sliding time window, the propagation stage of the caller's taint data and the output stage of the callee's taint data corresponding to that match value are combined and reported.
The sliding time window in the above embodiment is also called a time-series window: the time series is divided into frames of a specified unit length and statistics are computed over the data inside each frame. It is equivalent to a slider of specified length moving along a time scale; each time the slider advances by one unit, the data currently inside it is reported.
In step S2, because the application under test runs on a distributed framework, a single request may be decomposed and handled by several microservices, that is, one caller may correspond to several callees (also referred to as servers), and a vulnerability may exist in more than one of those microservices. To track the complete vulnerability chain, multiple registrations are needed: for any callee, as long as a vulnerability is detected while executing the current request, the current request data, the corresponding response data and the detected vulnerability information are registered together in the sliding time window, which keeps the data chain in the sliding time window complete.
For step S3, several users may send the same request at the same time or within the same period, so a single callee may correspond to several callers. After the same request from several callers has passed through the same callee, the detection outcome can differ, that is, the response data can differ. To keep request and response consistent, the caller therefore binds its request data to the response data it actually received, so that it is not confused with the responses returned to other callers. Because the request data and response data under which the vulnerability occurred are bound at the caller, the bound pair from the caller can serve in step S4 as a unique match value against the request data and response data registered by the callee.
More specifically, the length of time of the sliding time window is preferably one minute.
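Steps S1 to S4 above, including the multiple-caller case discussed for step S3 and the expiry behaviour of the window, as an added example that is not part of the patent or of Seczone's implementation. It is a single-process Python simulation: the window is a deque with an injected clock; the match value is a content hash over the canonical JSON of the bound request and response (the patent does not specify how the registered data is keyed, so this is an assumption); and the two hypothetical /order callees, their SQL sink and the propagation path names are constructed for the illustration.

```python
# Added example (not the patent's or Seczone's code): a single-process simulation
# of steps S1-S4. SlidingWindow, request_key, pair_key and the /order callees are
# assumptions made for the illustration; real IAST agents in each JVM would
# report into a shared collector instead.
from __future__ import annotations

import hashlib
import json
from collections import deque
from dataclasses import dataclass
from typing import Callable, Optional

WINDOW_SECONDS = 60.0  # the patent's preferred window length


@dataclass(frozen=True)
class Record:
    kind: str      # "caller_request" | "callee_vuln" | "caller_bound"
    key: str       # value the S4 matching step joins on
    payload: dict
    registered_at: float


class SlidingWindow:
    """Keeps records for `length` seconds; older ones drop off the left."""

    def __init__(self, length: float = WINDOW_SECONDS) -> None:
        self.length = length
        self.now = 0.0  # injected clock so expiry can be exercised deterministically
        self._records: deque[Record] = deque()

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def _expire(self) -> None:
        while self._records and self.now - self._records[0].registered_at > self.length:
            self._records.popleft()

    def register(self, kind: str, key: str, payload: dict) -> None:
        self._expire()
        self._records.append(Record(kind, key, payload, self.now))

    def find(self, kind: str, key: Optional[str] = None) -> list[Record]:
        self._expire()
        return [r for r in self._records if r.kind == kind and key in (None, r.key)]


def _digest(obj) -> str:
    # Content-based key over canonical JSON, so equal data registered by two
    # different JVMs hashes equally (an identityHashCode would not).
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()[:16]


def request_key(request: dict) -> str:
    return _digest(request)


def pair_key(request: dict, response: dict) -> str:
    """S3/S4 match value: the request bound to the response it produced."""
    return _digest({"request": request, "response": response})


def caller_send(window: SlidingWindow, request: dict, propagation: list[str]) -> bool:
    """S1: register only requests that carry taint, with their propagation path."""
    if not propagation:
        return False
    window.register("caller_request", request_key(request),
                    {"request": request, "propagation": propagation})
    return True


def callee_handle(window: SlidingWindow, request: dict,
                  handler: Callable[[dict], tuple[dict, Optional[dict]]]) -> dict:
    """S2: a request found in the window is taint; register only if a sink is hit."""
    response, vuln = handler(request)
    if vuln is not None and window.find("caller_request", request_key(request)):
        window.register("callee_vuln", pair_key(request, response),
                        {"request": request, "response": response, "vuln": vuln})
    return response


def caller_receive(window: SlidingWindow, request: dict, response: dict) -> None:
    """S3: bind the response actually received to the request that was sent."""
    window.register("caller_bound", pair_key(request, response),
                    {"request": request, "response": response})


def match_and_report(window: SlidingWindow) -> list[dict]:
    """S4: join on the bound pair; merge caller propagation with callee sink."""
    reports = []
    for bound in window.find("caller_bound"):
        for hit in window.find("callee_vuln", bound.key):
            sources = window.find("caller_request", request_key(bound.payload["request"]))
            if sources:  # identical requests register identical propagation paths
                reports.append({"request": bound.payload["request"],
                                "response": bound.payload["response"],
                                "propagation": sources[-1].payload["propagation"],
                                "sink": hit.payload["vuln"]})
    return reports


# Constructed callees: one concatenates the id into SQL, the other validates it.
def vulnerable_order_service(request: dict) -> tuple[dict, Optional[dict]]:
    order_id = request["order_id"]
    query = f"SELECT * FROM orders WHERE id = '{order_id}'"
    if order_id.isdigit():
        return {"status": 200, "body": f"order {order_id}"}, None
    return ({"status": 500, "body": "SQL syntax error"},
            {"type": "sql_injection", "sink": "Statement.executeQuery", "query": query})


def patched_order_service(request: dict) -> tuple[dict, Optional[dict]]:
    if not request["order_id"].isdigit():
        return {"status": 400, "body": "invalid order id"}, None
    return {"status": 200, "body": f"order {request['order_id']}"}, None


def simulate(delay_before_callee: float = 0.0) -> list[dict]:
    """Two callers send identical tainted requests; only one is served by the sink."""
    window = SlidingWindow()
    tainted = {"path": "/order", "order_id": "1' OR '1'='1"}
    propagation = ["HttpServletRequest.getParameter", "OrderDTO.setId", "DubboInvoker.invoke"]
    caller_send(window, tainted, propagation)
    caller_send(window, tainted, propagation)
    caller_send(window, {"path": "/order", "order_id": "42"}, [])  # untainted: dropped
    window.advance(delay_before_callee)
    resp_a = callee_handle(window, tainted, vulnerable_order_service)
    resp_b = callee_handle(window, tainted, patched_order_service)
    caller_receive(window, tainted, resp_a)  # caller 1 binds its own response
    caller_receive(window, tainted, resp_b)  # caller 2 binds a different one
    return match_and_report(window)
```

Calling `simulate()` plays the scenario through: two callers register the same tainted request, one call is served by the vulnerable callee and the other by a patched one, and only the caller whose bound (request, response) pair equals the pair the callee registered is reported, which is the consistency property the binding in step S3 provides; keying on the request alone would have attributed the callee's finding to both callers. Passing a delay above 60 seconds before the callee runs makes the caller's record leave the window, so the callee no longer treats the request as taint and nothing is reported.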
Further, as shown in fig. 2, the above detection method further includes the following steps S0 before the step S1;
S0: Based on an IAST instrumentation tool, the application under test, which runs on the distributed architecture, is instrumented so that the context of each request's execution can be acquired at every step of the detection process.
In summary, in the detection method disclosed in the above embodiment, vulnerabilities are detected by tracking the data flow of taint data. During detection, a sliding time window frames the caller's request data, the taint propagation information and the corresponding response data, and the same sliding time window frames the callee's request data, response data and vulnerability information. Within the window, the request and response data from the caller and from the callee that belong to each vulnerability point are found by matching, and the matched caller-side propagation stage and callee-side output stage of the taint data are combined into one report for that vulnerability point. The sliding time window thereby bounds the time span over which data is analysed, and binding the caller's request data to its response data, then matching within the window, keeps the request and response data that describe a vulnerability point consistent with each other, so the accuracy of data-flow-tracking vulnerability detection for distributed applications is preserved to a large extent.
The invention also discloses a system for improving the distributed application program vulnerability detection accuracy, which comprises a calling party data tracking module 11, a called party data tracking module 12, a binding updating module 13 and a matching output module 14, as shown in fig. 3.
The caller data tracking module 11 is used for the caller to register the request data with the taint data in a sliding time window together with the taint data propagation process information.
The callee data tracking module 12 is configured to, after receiving the request data sent by the caller and located in the sliding time window, the callee, regard the request data as taint data and perform data flow tracking vulnerability detection based on the taint data, and if a vulnerability is detected, register the request data, the response data corresponding to the request data, and the detected vulnerability information in the sliding time window.
The binding update module 13 is configured, at the caller, to bind the request data to the response data corresponding to it and to update the bound request data and response data into the sliding time window.
And the matching output module 14 is configured to match, within the sliding time window, the request data and the response data bound to each other from the caller as a matching value, and combine and report a propagation stage of the taint data of the caller and an output stage of the taint data of the callee corresponding to the matching value.
Further, the time length of the sliding time window is one minute.
Further, the system includes an instrumentation module 10, configured to instrument the application under test, which runs on the distributed architecture, with an IAST instrumentation tool, so that the context of each request's execution can be obtained at every step of the detection process.
It should be noted that the working principle and the working mode of the detection system in this embodiment are detailed in the inspection method in the above embodiment, and are not described herein again.
The invention also discloses another system for improving the accuracy of distributed application program vulnerability detection, which comprises one or more processors, a memory and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, and comprise instructions for executing the method for improving the accuracy of distributed application program vulnerability detection. The processor may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC) or one or more integrated circuits, and is configured to execute the relevant programs so as to implement the functions of the modules of the system according to this embodiment, or to execute the method according to this embodiment.
The present invention also discloses a computer readable storage medium comprising a computer program executable by a processor to perform the method of improving distributed application vulnerability detection accuracy as described above. The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server, a data center, etc., that includes one or more of the available media. The usable medium may be a read-only memory (ROM), or a Random Access Memory (RAM), or a magnetic medium, such as a floppy disk, a hard disk, a magnetic tape, a magnetic disk, or an optical medium, such as a Digital Versatile Disk (DVD), or a semiconductor medium, such as a Solid State Disk (SSD).
The embodiment of the application also discloses a computer program product or a computer program, which comprises computer instructions, and the computer instructions are stored in a computer readable storage medium. The processor of the electronic device reads the computer instructions from the computer-readable storage medium, and executes the computer instructions, so that the electronic device executes the method for improving the vulnerability detection accuracy of the distributed application program.
The above disclosure only illustrates preferred embodiments of the present invention and is not to be construed as limiting its scope; the scope of the invention is defined by the appended claims.

Claims (8)

1. A method for improving distributed application program vulnerability detection accuracy is characterized by comprising the following steps:
at a calling party, registering request data with taint data and taint data propagation process information in the request data into a sliding time window;
after receiving request data which is sent by the calling party and is positioned in the sliding time window, the called party takes the request data as taint data and carries out data flow tracking vulnerability detection based on the taint data, and if a vulnerability is detected, the request data, the response data corresponding to the request data and the detected vulnerability information are registered in the sliding time window;
at the calling party, binding the request data and the returned response data corresponding to the request data and updating the bound request data and the bound response data into the sliding time window;
and, within the sliding time window, using mutually bound request data and response data from the caller as the match value; if the same data pair is matched, the propagation stage of the caller's taint data and the output stage of the callee's taint data corresponding to that match value are combined and reported.
2. The method of improving distributed application vulnerability detection accuracy of claim 1, wherein the length of time of the sliding time window is one minute.
3. The method for improving distributed application program vulnerability detection accuracy according to claim 1, wherein based on IAST instrumentation, instrumentation is performed on an application program to be detected operating based on a distributed architecture, so that in each step of detection process, context of each request execution process of the application program to be detected can be obtained.
4. A system for improving distributed application program vulnerability detection accuracy is characterized by comprising a calling party data tracking module, a called party data tracking module, a binding updating module and a matching output module;
the caller data tracking module is used for the caller to register request data that carries taint data, together with the taint propagation information for that request, in a sliding time window;
the called party data tracking module is used for taking the request data as taint data and carrying out data flow tracking vulnerability detection based on the taint data after the called party receives the request data which is sent by the calling party and is positioned in the sliding time window, and registering the request data, the response data corresponding to the request data and the detected vulnerability information into the sliding time window if a vulnerability is detected;
the binding update module is used, at the caller, to bind the request data to the returned response data corresponding to it and to update the bound request data and response data into the sliding time window;
and the matching output module is used for matching by taking the request data and the response data bound with each other from the calling party as matching values in the sliding time window, and combining and reporting the propagation stage of the taint data of the calling party and the output stage of the taint data of the called party corresponding to the matching values.
5. The system for improving distributed application vulnerability detection accuracy according to claim 4, wherein the length of the sliding time window is one minute.
6. The system according to claim 4, further comprising an instrumentation module, wherein the instrumentation module is configured to perform instrumentation on an application to be tested that operates based on the distributed architecture based on an IAST instrumentation tool, so that a context of each requested execution process of the application to be tested can be obtained in each step of the detection process.
7. A system for improving distributed application program vulnerability detection accuracy, comprising:
one or more processors;
a memory;
and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the programs comprising instructions for performing the method of improving distributed application vulnerability detection accuracy of any of claims 1-3.
8. A computer-readable storage medium comprising a computer program executable by a processor to perform the method of improving distributed application vulnerability detection accuracy of any of claims 1 to 4.
CN202210200375.7A 2022-03-01 2022-03-01 Method and system for improving vulnerability detection accuracy of distributed application program Active CN114647853B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210200375.7A CN114647853B (en) 2022-03-01 2022-03-01 Method and system for improving vulnerability detection accuracy of distributed application program

Publications (2)

Publication Number Publication Date
CN114647853A true CN114647853A (en) 2022-06-21
CN114647853B CN114647853B (en) 2023-06-23

Family

ID=81993552

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210200375.7A Active CN114647853B (en) 2022-03-01 2022-03-01 Method and system for improving vulnerability detection accuracy of distributed application program

Country Status (1)

Country Link
CN (1) CN114647853B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111240991A (en) * 2020-01-20 2020-06-05 重庆富民银行股份有限公司 Dynamic taint detection method and system for resisting implicit taint propagation
US20200320202A1 (en) * 2019-04-04 2020-10-08 International Business Machines Corporation Privacy vulnerability scanning of software applications
CN111798018A (en) * 2019-04-09 2020-10-20 Oppo广东移动通信有限公司 Behavior prediction method, behavior prediction device, storage medium and electronic equipment
CN112035839A (en) * 2020-08-12 2020-12-04 绿盟科技集团股份有限公司 Detection method and device for race condition vulnerability exploitation

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115186274A (en) * 2022-09-14 2022-10-14 深圳开源互联网安全技术有限公司 IAST-based security test method and device
CN115203060A (en) * 2022-09-14 2022-10-18 深圳开源互联网安全技术有限公司 IAST-based security test method and device
CN115203060B (en) * 2022-09-14 2022-12-13 深圳开源互联网安全技术有限公司 IAST-based security testing method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant