CN117272331B

CN117272331B - Cross-thread vulnerability analysis method, device, equipment and medium based on code vaccine

Info

Publication number: CN117272331B
Application number: CN202311569441.9A
Authority: CN
Inventors: 张涛; 杜玉洁; 刘恩炙; 蔡智强; 张弛
Original assignee: Beijing Anpro Information Technology Co ltd
Current assignee: Beijing Anpro Information Technology Co ltd
Priority date: 2023-11-23
Filing date: 2023-11-23
Publication date: 2024-02-02
Anticipated expiration: 2043-11-23
Also published as: CN117272331A

Abstract

The embodiment of the invention provides a code vaccine-based cross-thread vulnerability analysis method, a device, equipment and a medium, and relates to the technical field of network security. The code vaccine-based cross-thread vulnerability analysis method comprises the following steps: installing a probe in a tested program, and pre-inserting piles through the probe; establishing a requested stain pool according to the intercepted request information of the request; creating root nodes in the stain pool according to each monitored stain source function; creating propagation child nodes in the stain pool according to each monitored propagation point function; respectively creating a sink sub-node in the stain pool according to each monitored sink point function; and generating a tainted propagation path based on the hierarchical relationship of all the root nodes, all the propagation child nodes and all the convergence child nodes. The embodiment of the invention can realize the cross-thread tracking of the stain propagation path and effectively avoid the technical effect of missing report.

Description

Cross-thread vulnerability analysis method, device, equipment and medium based on code vaccine

Technical Field

The invention relates to the technical field of network security, in particular to a code vaccine-based cross-thread vulnerability analysis method, a device, equipment and a medium.

Background

When a user performs a transaction on a transaction website, a plurality of unidirectional requests, such as a request for acquiring commodity information, a request for submitting a transaction order, a request for providing a payment portal, etc., are required to be initiated to a service end of the transaction website, and the service end of the transaction website is required to process the unidirectional requests initiated by a plurality of users at the same time. In order to improve the response speed and throughput of the server, multithreading is generally adopted, i.e. a plurality of unidirectional requests are put in a plurality of threads for asynchronous processing.

At present, mainly aiming at single service, under the scene of processing single line Cheng Wudian tracking and safety protection, according to the identification of entering a reference, information is transferred, thread private variables are stored in a thread local class of java, the thread local is identified and placed at an entrance, and the stain propagation tracking associated with the thread can be realized by directly obtaining the thread local during subsequent use, so that the safety protection requirement is realized. However, in the scenario of multi-request multi-threading processing the same business logic, when a thread pool is used in the processing process or a new sub-thread is created, the data flow cannot be tracked directly through the readlocal, because the corresponding value is not stored in the readlocal map of the new thread. When a thread pool is used for executing tasks or re-creating threads, when some parameters are stored in the thread, new threads cannot access the thread data held by the original threads, the content stored in the thread variable is lost, at the moment, the association relation between the threads cannot be acquired, namely if other threads are started in a request, the stain is lost, the stain is spread and interrupted, and the stain tracking and the loophole protection cannot be performed. Obviously, the existing stain propagation tracking method is only aimed at a single-service single-thread analysis process, and the cross-thread propagation condition of stains is not considered, so that the problem of missing report is easy to occur.

Disclosure of Invention

The embodiment of the invention aims to provide a code vaccine-based cross-thread vulnerability analysis method, device, equipment and medium, which are used for realizing cross-thread tracking of a stain propagation path and effectively avoiding the technical effect of missing report.

In a first aspect, an embodiment of the present invention provides a cross-thread vulnerability analysis method based on a code vaccine, including:

installing a probe in a tested program, and pre-inserting piles through the probe;

establishing a stain pool of the request according to the intercepted request information of the request;

according to each monitored stain source function, chi Chuangjian nodes are arranged on the stains;

creating propagation child nodes in the stain pool according to each monitored propagation point function;

creating a sink child node in the stain pool according to each monitored sink point function;

and generating a taint propagation path based on the hierarchical relationship among all the root nodes, all the propagation child nodes and all the convergence child nodes.

In the implementation process, the probe is installed in the tested program to perform pre-pile insertion, the pollution point source function, the propagation point function and the convergence point function are monitored, the root node, the propagation child node and the convergence child node are created in the pollution pool, the tree-shaped pollution propagation structure is constructed to generate the pollution propagation path, the pollution propagation path can be tracked in a cross-process mode, and the problem of missing report is effectively avoided.

Further, before the requesting information according to the intercepted request establishes the stain pool of the request, the method further comprises:

when the request information of the request is acquired, the request information of the request is stored in a wirecontext class.

In the implementation process, the request information of the request is stored in the wirecontext class, so that the inter-thread tracing of the taint propagation path can be realized better by adopting inter-thread copying and other modes, and the problem of missing report is effectively avoided.

Further, according to each monitored stain source function, at the Chi Chuangjian root node of the stain, the method specifically includes:

for each stain source function, acquiring parameters of the stain source function and acquiring function information of the stain source function;

creating the root node in a stain propagation structure of the stain pool, so that the root node corresponds to parameters of the stain source function, and node information of the root node comprises function information of the stain source function;

writing the input parameters and the output parameters of the stain source function into a hash table of the stain pool; the function information of the stain source function comprises an input parameter and an output parameter of the stain source function.

In the implementation process, root nodes are created in the taint pond according to each monitored taint source function respectively, so that each root node can be correspondingly established in the taint propagation structure of the taint pond aiming at each requested taint source, a tree-shaped taint propagation structure is completely built by combining all root nodes to generate a taint propagation path, cross-line tracking of the taint propagation path is better realized, and the problem of missing report is effectively avoided.

Further, the creating a propagation child node in the taint pool according to each monitored propagation point function specifically includes:

for each propagation point function, judging whether the propagation point function is a propagation point function of an asynchronous task;

if not, taking the propagation point function as a synchronous propagation point function, and creating synchronous propagation child nodes in the stain pool according to the synchronous propagation point function;

if yes, the propagation point function is used as an asynchronous propagation point function, and an asynchronous propagation child node is created in the taint pool according to the asynchronous propagation point function.

In the implementation process, whether the monitored propagation point function is the propagation point function of the asynchronous task is judged, the synchronous/asynchronous propagation sub-node is created in the taint pond according to the judging result, the tree-shaped taint propagation structure is built by combining the synchronous/asynchronous propagation sub-node to generate the taint propagation path, the synchronous propagation sub-node and the asynchronous propagation sub-node can be created in the taint pond in a distinguishing mode, the cross-thread tracking of the taint propagation path is better realized, and the problem of missing report is effectively avoided.

Further, the determining whether the propagation point function is a propagation point function of an asynchronous task specifically includes:

when a propagation task submitted by a thread pool is monitored, copying the taint pool to a thread executing the propagation task;

when the transmission task does not use the parameter of the request or the parameter of the last transmission point function and the hash table of the taint pool has the parameter of the transmission point function, judging that the transmission point function is the transmission point function of the synchronous task;

and when the propagation task uses the parameter of the request or the parameter of the last propagation point function and the hash table of the taint pool has the parameter of the propagation point function, judging that the propagation point function is the propagation point function of an asynchronous task.

In the implementation process, whether the propagation point function is the propagation point function of the asynchronous task or not is judged, so that the synchronous/asynchronous propagation point function can be accurately distinguished, the follow-up accurate establishment of synchronous/asynchronous propagation child nodes in the taint pool is ensured, the taint propagation path is tracked in a cross-process mode better, and the problem of missing report is effectively avoided.

Further, the creating a synchronous propagation child node in the taint pool according to the synchronous propagation point function specifically includes:

Acquiring parameters of the synchronous propagation point function and acquiring function information of the synchronous propagation point function;

creating a child node corresponding to the root node in a taint propagation structure of the taint pool as the synchronous propagation child node, so that the synchronous propagation child node corresponds to the parameter of the synchronous propagation point function, and the node information of the synchronous propagation child node comprises the function information of the synchronous propagation point function;

writing the output parameters of the synchronous propagation point function into a hash table of the stain pool; wherein the function information of the synchronous propagation point function comprises the parameter of the synchronous propagation point function.

In the implementation process, the synchronous propagation sub-nodes are created in the taint propagation structure of the taint pool according to the synchronous propagation point function, so that the taint propagation path can be generated by combining the synchronous propagation sub-nodes to construct a tree-shaped taint propagation structure, the taint propagation path can be tracked in a well-crossing mode, and the problem of missing report is effectively avoided.

Further, the creating an asynchronous propagation child node in the taint pool according to the asynchronous propagation point function specifically includes:

acquiring parameters of the asynchronous propagation point function, function information of the asynchronous propagation point function and parameters used by the propagation task;

When the parameters used by the propagation task are the parameters of the request, creating a child node corresponding to the root node in a taint propagation structure of the taint pool as an asynchronous propagation child node, so that the asynchronous propagation child node corresponds to the parameters of the asynchronous propagation point function, and node information of the asynchronous propagation child node comprises function information and asynchronous information of the asynchronous propagation point function;

when the parameters used by the propagation task are parameter output of the last propagation point function, creating a child node corresponding to the last asynchronous propagation child node in a taint propagation structure of the taint pool as the asynchronous propagation child node, so that the asynchronous propagation child node corresponds to the parameters of the asynchronous propagation point function, and node information of the asynchronous propagation child node comprises function information and asynchronous information of the asynchronous propagation point function;

writing the output parameters of the asynchronous propagation point function into a hash table of the stain pool; wherein the function information of the asynchronous propagation point function comprises an argument of the asynchronous propagation point function.

In the implementation process, the asynchronous propagation sub-nodes are created in the taint propagation structure of the taint pool according to the asynchronous propagation point function, so that the taint propagation path can be generated by combining the asynchronous propagation sub-nodes to construct a tree-shaped taint propagation structure, the taint propagation path can be tracked in a well-crossing mode, and the problem of missing report is effectively avoided.

Further, creating a sink child node in the stain pool according to each monitored sink point function, which specifically includes:

judging whether the convergent point function is a convergent point function of an asynchronous task or not for each convergent point function;

if not, taking the convergence point function as a synchronous convergence point function, and creating a synchronous convergence child node in the stain pool according to the synchronous convergence point function;

if yes, the convergence point function is used as an asynchronous convergence point function, and an asynchronous convergence child node is built in the stain pool according to the asynchronous convergence point function.

In the implementation process, whether the monitored convergence point function is the convergence point function of the asynchronous task is judged, the synchronous/asynchronous convergence sub-node is established in the stain pool according to the judging result, a tree-shaped stain propagation structure is established by combining the synchronous/asynchronous convergence sub-node to generate a stain propagation path, the synchronous convergence sub-node and the asynchronous convergence sub-node can be established in the stain pool in a distinguishing mode, the cross-thread tracking of the stain propagation path is better realized, and the problem of missing report is effectively avoided.

Further, the determining whether the aggregation point function is an aggregation point function of an asynchronous task specifically includes:

When monitoring a converging task submitted by a thread pool, copying the stain pool to a thread executing the converging task;

when the convergence task does not use the requested parameters or any parameters of the propagation point functions and the hash table of the stain pool has the parameters of the convergence point functions, judging that the convergence point functions are the convergence point functions of the synchronous task;

and when the convergence task uses the parameter of the request or the parameter of any propagation point function and the hash table of the stain pool has the parameter of the convergence point function, judging that the convergence point function is the convergence point function of an asynchronous task.

In the implementation process, whether the convergence point function is the convergence point function of the asynchronous task or not is judged, so that the synchronous/asynchronous convergence point function can be accurately distinguished, the synchronous/asynchronous convergence child node is ensured to be accurately built in a stain pool in the follow-up process, the inter-thread tracking of the stain propagation path is better realized, and the problem of missing report is effectively avoided.

Further, the creating a synchronous convergence child node in the stain pool according to the synchronous convergence point function specifically includes:

acquiring parameters of the synchronous convergence point function and acquiring function information of the synchronous convergence point function;

Creating a child node corresponding to the propagation child node in the stain propagation structure of the stain pool as the synchronous convergence child node, so that the synchronous convergence child node corresponds to the parameter of the synchronous convergence point function, and the node information of the synchronous convergence child node comprises the function information of the synchronous convergence point function.

In the implementation process, the synchronous convergent sub-nodes are established in the stain propagation structure of the stain pool according to the synchronous convergent point function, so that the synchronous convergent sub-nodes can be combined to construct a tree-shaped stain propagation structure to generate a stain propagation path, the stain propagation path can be tracked in a cross-process mode better, and the problem of missing report is effectively avoided.

Further, the creating an asynchronous convergence child node in the stain pool according to the asynchronous convergence point function specifically includes:

acquiring parameters of the asynchronous convergence point function and acquiring function information of the asynchronous convergence point function;

creating a child node corresponding to the propagation child node in the stain propagation structure of the stain pool as the asynchronous convergence child node, so that the asynchronous convergence child node corresponds to the parameter of the asynchronous convergence point function, and the node information of the asynchronous convergence child node comprises the function information and the asynchronous information of the asynchronous convergence point function.

In the implementation process, the asynchronous convergent sub-nodes are established in the stain propagation structure of the stain pool according to the asynchronous convergent point function, so that the stain propagation path can be generated by combining the asynchronous convergent sub-nodes to construct a tree-shaped stain propagation structure, the stain propagation path can be tracked in a cross-process manner better, and the problem of missing report is effectively avoided.

Further, the asynchronous information includes asynchronous tag information and asynchronous thread information.

In the implementation process, in the process of creating the asynchronous propagation/convergence sub-node in the taint propagation structure of the taint pool, the node information of the asynchronous propagation/convergence sub-node comprises the asynchronous mark information and the asynchronous thread information, so that the asynchronous propagation flow process can be rapidly positioned in the tree-shaped taint propagation structure, the taint propagation path can be tracked by crossing the threads better, and the problem of missing report is effectively avoided.

In a second aspect, an embodiment of the present invention provides a code vaccine-based cross-thread vulnerability analysis apparatus, including:

the probe pre-pile inserting module is used for installing a probe in a tested program and carrying out pre-pile inserting through the probe;

the stain pool establishment module is used for establishing a stain pool of the request according to the intercepted request information of the request;

The root node creation module is used for creating Chi Chuangjian root nodes on the spots according to each monitored spot source function;

the propagation child node creation module is used for creating propagation child nodes in the stain pool according to each monitored propagation point function;

the aggregation child node creation module is used for creating an aggregation child node in the stain pool according to each monitored aggregation point function;

and the taint propagation tracking module is used for generating a taint propagation path based on the hierarchical relationship among all the root nodes, all the propagation child nodes and all the convergence child nodes.

In a third aspect, embodiments of the present invention provide an electronic device comprising a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor; the memory is coupled to the processor and the processor, when executing the computer program, implements a code vaccine based cross-thread vulnerability analysis method as described above.

In a fourth aspect, embodiments of the present invention provide a computer-readable storage medium including a stored computer program; and controlling the equipment where the computer readable storage medium is located to execute the code vaccine-based cross-process vulnerability analysis method when the computer program runs.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the embodiments of the present invention will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and should not be considered as limiting the scope, and other related drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.

Fig. 1 is a schematic flow chart of a cross-thread vulnerability analysis method based on a code vaccine according to a first embodiment of the present invention;

FIG. 2 is a data flow diagram of an exemplary smudge propagation process in accordance with an alternative embodiment of the present invention;

FIG. 3 is a schematic view of an exemplary smudge-propagation structure according to an alternative embodiment of the first embodiment of the present invention;

fig. 4 is a schematic structural diagram of a cross-thread vulnerability analysis device based on a code vaccine according to a second embodiment of the present invention;

fig. 5 is a schematic structural diagram of an electronic device according to a third embodiment of the present invention.

Detailed Description

The technical solutions in the embodiments of the present invention will be described below with reference to the accompanying drawings in the embodiments of the present invention.

It should be noted that: in the description of the present invention, the terms "first," "second," and the like are used merely to distinguish between descriptions and are not to be construed as indicating or implying relative importance. Meanwhile, step numbers herein are only for convenience of explanation of the embodiments of the present invention, and are not used as limiting the order of execution of the steps. The method provided by the embodiment of the invention can be executed by the related terminal equipment, and the following description takes the server side as an execution main body as an example.

Referring to fig. 1, fig. 1 is a flow chart of a cross-thread vulnerability analysis method based on a code vaccine according to a first embodiment of the present invention. The first embodiment of the invention provides a code vaccine-based cross-thread vulnerability analysis method, which comprises the following steps of S101-S106:

s101, installing a probe in a tested program, and pre-inserting piles through the probe;

s102, establishing a requested stain pool according to the intercepted request information of the request;

s103, creating a root node in the stain pool according to each monitored stain source function;

s104, creating propagation child nodes in the stain pool according to each monitored propagation point function;

s105, creating a sink child node in the stain pool according to each monitored sink point function;

S106, generating a taint propagation path based on the hierarchical relationship among all the root nodes, all the propagation child nodes and all the convergence child nodes.

As an example, when the client sends a request to the server of the transaction website, the server can respond to the request quickly, ensure that the transaction proceeds smoothly, place multiple parameters of the request on multiple threads for asynchronous processing, and implement quick rendering, at this time, the multiple asynchronous threads submit tasks to the thread pool, and the server cannot track the stain propagation path under such asynchronous scene.

For the purpose of taint propagation, when an application program obtains data from external input such as HTTP (HyperText Transfer Protocol ) request, RPC (Remote Procedure Call Protocol, remote procedure call protocol) request, file, message queue and the like, the data is marked as initial taint, the data is transferred and communicated between various methods/objects of the application program, the taint flows, operations such as replication, change and the like of the taint form the taint propagation in the taint flowing process, and when the taint propagates to a dangerous function to trigger dangerous actions, loopholes can appear.

In view of this, in order to ensure the security of the network, it is necessary to track the taint propagation path across threads in an asynchronous scene, so as to avoid the problem of missing report caused by taint loss, taint propagation interruption, and disordered asynchronous propagation relationship in the asynchronous scene.

And installing a probe in the tested program before the tested program runs according to actual test requirements, and pre-inserting at least one byte code through the probe to monitor the related function.

The instrumentation refers to a method for acquiring program operation data by executing detection logic codes in the running process of a tested program and analyzing the program operation data to obtain control flow and data flow of the tested program and further obtain dynamic information such as logic coverage and the like by inserting byte codes into probes in the tested program on the basis of ensuring the original logic integrity of the tested program, namely detecting the logic codes.

According to the actual test requirement, at least one instrumentation point in the tested program is determined, the program operation data required to be captured at each instrumentation point is considered, a byte code with a corresponding capturing function is designed, and corresponding byte codes are inserted at each instrumentation point through probes in the tested program, so that the required program operation data is captured through each byte code of the probe pre-instrumentation.

According to actual test requirements, only one byte code can be pre-instrumented at one instrumentation point in the tested program by the probe, and a plurality of different byte codes can be pre-instrumented at a plurality of different instrumentation points in the tested program by the probe.

The location of the instrumentation point includes a native thread related method, a thread pool commit task related method, a concurrent flow fork join framework (a framework provided by java for executing tasks in parallel) related method, and a timed task framework related method.

The method related to the native thread comprises the following steps: thread start method; the method related to the task submitting of the thread pool comprises the following steps: the execute method of ThreadPoolExecutor, the submit method of ThreadPoolExecutor; the concurrent flow forkjoin framework related method comprises the following steps: the execute method of forkJoinPool, and the submit method of forkJoinPool; the method related to the timing task framework comprises the following steps: the scheduledThreadPool scheduledFixedRate method, the scheduledThreadPool scheduleWithFixedDelay method, the scheduledThreadPool execte method, the scheduledThreadPool submix method.

The instrumented objects include request related functions, synchronous/asynchronous propagation point related methods, synchronous/asynchronous convergence point related methods.

Wherein the request related function comprises: an entry method of HTTP Request processing, a related method of acquiring external parameters by a Request object, and a related method of returning data by a Response object; the synchronous/asynchronous propagation related method comprises string operations such as string splicing, string interception, string inversion and the like, java set type operations, java file IO/network IO operations, base64 encryption and decryption, AES/DES encryption and decryption, RSA encryption and decryption and the like; the synchronous/asynchronous convergence correlation method comprises the following steps: SMTP operation method, HTTP request sending correlation method, XML decoding correlation method, system command executing correlation method, LDAP query executing correlation method, XPATH query executing correlation method, file operation correlation method, JSON deserialization correlation method, etc.

When the server receives the request, the request information of the request can be intercepted by utilizing byte codes inserted by the probe at the function related to the request in the tested program, and the request information of the request comprises various parameters of the request. The server establishes a stain pool of the request according to the request information of the request, wherein the stain pool comprises an initialized stain propagation structure and an initialized hash table.

When the server side obtains the request information of the request, each parameter of the request is used as a dirty point source, such as query, form, path, form-data, body and other parameters of the request are used as dirty point sources, the dirty source functions can be monitored by using byte codes inserted by the probe at the dirty source functions in the tested program, and a root node is created in the dirty pool according to each monitored dirty source function.

The server side can monitor the propagation point functions by utilizing the byte codes inserted by the probes at the propagation point functions in the tested program, and creates propagation child nodes in the taint pool according to each monitored propagation point function.

The server side can monitor the convergent point functions by utilizing byte codes inserted by the probe at the convergent point functions in the tested program, and creates convergent child nodes in the stain pool according to each monitored convergent point function.

And combining all the root nodes, all the propagation child nodes and all the convergence child nodes, constructing a tree-shaped taint propagation structure, and generating a taint propagation path based on the hierarchical relationship among all the root nodes, all the propagation child nodes and all the convergence child nodes.

Wherein, the tree-shaped stain propagation structure is: at least one propagation sub-node is connected under each root node, and at least one propagation sub-node and/or at least one convergence sub-node are connected under each propagation sub-node. And backtracking from all the propagation child nodes and the bottommost child node in all the aggregation child nodes to the connected root node according to the sequence from the aggregation child node to the propagation child node to the root node in the tree-shaped stain propagation structure based on the stain pool, and generating a stain propagation path.

According to the embodiment of the invention, the probe is installed in the tested program to perform pre-pile insertion, the pollution point source function, the propagation point function and the convergence point function are monitored, the root node, the propagation child node and the convergence child node are created in the pollution pool, and the tree-shaped pollution propagation structure is constructed to generate the pollution propagation path, so that the pollution propagation path can be tracked in a cross-process manner, and the problem of missing report is effectively avoided.

In an alternative embodiment, before the establishing the requested spot pool according to the request information of the intercepted request, the method further includes: when the request information of the request is acquired, the request information of the request is stored in a wirecontext class.

Illustratively, the thread context (request, response) in java is uniformly managed and named by a thread class (there may be multiple thread classes), but the thread class only supports cross threads under thread, cannot support thread pools or asynchronous threads generated by other special modes, and in complex scenarios, the thread class also causes memory leakage.

In this regard, default processing of the wireadelocal class is not adopted to support cross-threads, a wireadecontext class is newly established, all wireadelocal classes are replaced by wireadecontext classes, and context information of an IAST (interactive application security test) is unified through the wireadecontext classes, so that cross-thread copy support, current data copy and the like are realized.

A wirecontext class is created, and since the wirecontext class has the responsibility of uniformly and globally managing all the context information of IAST, all the variables in the wirecontext class are final modified in order to prevent malicious modification. When a request starts, the detection environment is initialized by using a wirecontext class, which specifically includes: and acquiring request and response related information, and initializing the stain pool. It will be appreciated that the unified global context avoids the dispersion of multiple wirelocal classes, and also makes subsequent cross-thread replication easier to implement.

The server stores the request information intercepted by the probe in a wirecontext class, namely IAST context information. The following cross-thread replication is mainly divided into the following cases when entering a cross-thread propagation point:

1. the native thread starts:

after the native thread is started, snapshot copy of the thread class is performed by using asm injection byte codes in the process of constructing the thread, the snapshot copy is changed into a local variable of the thread, then a start method of the thread is intercepted, a pointer of the local variable is added into the thread class, and a recovery method of the thread snapshot is called to copy a stain pool to an asynchronous thread.

In this way, a large number of variable replications are avoided, almost equal to zero overhead.

2. Thread pool commit:

the thread pool submission of java is generally performed by methods such as a subset method, a FutureTask and a FutureTask Callable, runable, replacing FutureTask, callable and Runneable with custom classes IastFutureTask, iastCallable and Iastrenable after reconstruction, copying a wirecontext snapshot in the internal of the classes, and then intercepting get, call, run. The snapshot content is restored to the wirelocal class before the method is executed, and then the snapshot is cleaned after the method is executed.

To solve the custom class loader compatibility problem, the cross-thread technique needs to operate the jdk system class, but this needs to consider various complex scenarios to achieve complete non-intrusive and adaptation to users, which is difficult to accomplish under the agent's (agent) instrumentation technique. Because the class of the user and the system class of jdk may be processed by various kinds of loaders, the bridging technology is used to put the class of the cross-thread tracking into an iast-async-track-support packet, so that the support packet is loaded by a c++ loader of jvm, namely a jvm root loader, and the fact that the class of the cross-thread tracking is visible in the agent and the user code is ensured. The same is true for the Forkjoin framework.

When the server intercepts the request information of the request through the probe, the request information of the request is stored in a wirecontext class, and the stain propagation path is tracked by the wirecontext class in a cross-thread copy mode and the like.

According to the embodiment of the invention, the request information of the request is stored in the wirecontext class, so that the inter-thread tracing of the taint propagation path can be realized better by adopting inter-thread copying and other modes, and the problem of missing report is effectively avoided.

In an alternative embodiment, the creating a root node in the stain pool according to each monitored stain source function includes: for each stain source function, acquiring parameters of a stain point source function and acquiring function information of the stain source function; creating a root node in a stain propagation structure of the stain pool, so that the root node corresponds to parameters of a stain source function, and node information of the root node comprises function information of the stain source function; writing the input parameters and the output parameters of the stain source function into a hash table of a stain pool; the function information of the stain source function comprises an input parameter and an output parameter of the stain source function.

Illustratively, the server monitors the taint source functions by using byte codes inserted by probes at the taint source functions in the tested program, acquires parameters of the taint point source functions for each taint source function, and acquires function information of the taint source functions. The function information of the taint source function comprises the data types of the taint as a source, the function name of the taint source function, the input parameters and the output parameters of the taint source function, stack tracking information and the like.

The server creates a root node in the stain propagation structure of the stain pool, so that the root node corresponds to parameters of the stain source function, and node information of the root node comprises function information of all the stain source functions.

The server side hashes the addresses of the input parameter and the output parameter of the taint source function into a hash table of the taint pool. It will be appreciated that the hash table is used to determine whether the exit and entry of the subsequent propagation point are corrupted, e.g., if it is determined that the entry references the hash table, it is determined that the entry is also a corrupted fragment, and the fragment is marked as a valid propagation point.

According to the embodiment of the invention, the root nodes are created in the taint pond according to each monitored taint source function, so that each root node can be correspondingly established in the taint propagation structure of the taint pond aiming at each requested taint source, and a tree-shaped taint propagation structure is completely constructed by combining all root nodes to generate a taint propagation path, so that the taint propagation path can be tracked across threads, and the problem of missing report can be effectively avoided.

In an alternative embodiment, the creating the propagation child node in the taint pool according to each monitored propagation point function specifically includes: for each propagation point function, judging whether the propagation point function is a propagation point function of an asynchronous task; if not, taking the propagation point function as a synchronous propagation point function, and creating synchronous propagation child nodes in the stain pool according to the synchronous propagation point function; if yes, the propagation point function is used as an asynchronous propagation point function, and an asynchronous propagation child node is created in the taint pool according to the asynchronous propagation point function.

As an example, the server monitors the propagation point functions by using the bytecodes inserted by the probes at the propagation point functions in the tested program, and for each monitored propagation point function, judges whether the propagation point function is a propagation point function of an asynchronous task, if the propagation point function is a propagation point function of a synchronous task, the propagation point function is used as a synchronous propagation point function, and synchronous propagation child nodes are created in the stain pool according to the synchronous propagation point functions; if the propagation point function is the propagation point function of the asynchronous task, the propagation point function is used as the asynchronous propagation point function, and the asynchronous propagation child node is created in the stain pool according to the asynchronous propagation point function.

According to the embodiment of the invention, whether the monitored propagation point function is the propagation point function of the asynchronous task is judged, the synchronous/asynchronous propagation sub-node is created in the taint pool according to the judging result, the tree-shaped taint propagation structure is built by combining the synchronous/asynchronous propagation sub-node to generate the taint propagation path, the synchronous propagation sub-node and the asynchronous propagation sub-node can be created in the taint pool in a distinguishing mode, the cross-thread tracking of the taint propagation path is better realized, and the problem of missing report is effectively avoided.

In an alternative embodiment, the determining whether the propagation point function is a propagation point function of an asynchronous task specifically includes: when the transmission task submitted by the thread pool is monitored, copying the taint pool to the thread executing the transmission task; when the transmission task does not use the parameter of the request or the parameter of the last transmission point function and the hash table of the taint pool has the parameter of the transmission point function, judging that the transmission point function is the transmission point function of the synchronous task; when the propagation task uses the parameter of the request or the parameter of the last propagation point function and the hash table of the taint pool has the parameter of the propagation point function, the propagation point function is judged to be the propagation point function of the asynchronous task.

As an example, for each monitored propagation point function, the server monitors the propagation task submitted by the thread pool by using the byte code inserted by the probe at the method related to the task submitted by the thread pool in the tested program, copies the taint pool to the thread executing the propagation task when the propagation task is monitored, so as to ensure that the data in the taint pool can be searched later, judges whether the propagation task uses the requested parameter or the parameter of the last propagation point function (can be searched in the hash table of the taint pool), judges whether the hash table of the taint pool has the address hash of the entry of the propagation point function, and judges that the propagation point function is the propagation point function of the synchronous task if the propagation task does not use the requested parameter or the address hash of the entry of the last propagation point function; if the propagation task has the parameter of the use request or the parameter of the last propagation point function and the hash table of the taint pool has the address hash of the parameter of the propagation point function, the propagation point function is judged to be the propagation point function of the asynchronous task.

When a propagation task submitted by a thread pool is monitored, in order to ensure that data in a stain pool can be searched later, a task object submitted by the thread pool can be proxied, a jar packet is independently written, and the jar packet comprises a custom proxy class.

In the proxy process, firstly, the problem of pile insertion brought by parent delegation needs to be solved. Since jdk exists a parent delegation mechanism: the system class loader- > the extension class loader- > the root loader, and the thread related processing and the logic of the thread pool are loaded by the root loader, so unless-Xboost asspath\p is added to the current jar packet, there is no way to operate the thread class. If the code is directly injected into the root loader, the root loader is visible to all the loaders, and all the business codes can access the instrumentation logic, then a certain business hidden danger still exists. In view of this, only some bridging classes such as IastRunable, iastCallable and iastfururetask are reserved in the jar packet supported asynchronously, and specific code implementation is performed on the bridging classes in the core code, so that cross-thread replication can be still supported without the aid of-xbootclaspath\p.

The improvement to jar package is specifically to replace FutureTask, callable and Runneable with custom classes IastFutureTask, iastCallable and IactRNA after reconstruction, copy the wirecontext snapshot inside these classes, then intercept get, call, run and other methods, restore the wirecontext snapshot content into wirecontext before the method is executed, and then clean the wirecontext snapshot after the method is executed.

When the task object is constructed, the stain pool is copied to a local variable in the same thread at present as a stain pool in the thread for executing the propagation task (because the subsequent asynchronous execution cannot be accessed), so that the task object can access the local variable in a pile inserting mode when the asynchronous thread is executed, restore the snapshot to a thread context, mark the thread context as executing the asynchronous operation, record the name and id of the current asynchronous thread, and particularly acquire the request identification code traceId of java.

The main process of accessing the local variable by the instrumentation method is to first obtain a snapshot of the current thread, copy the stain pool and the current thread execution context (including setting an asynchronous flag, etc.), for example:

“ThreadContextSnapshot snapshot = ThreadContext.createSnapshot()

Snapshot.markCurrentThread(asyncThread)”，

it is then restored at the asynchronous thread, such as:

“ThreadContext.recoverySnapshot(snapshot)”。

subsequently, after creating the propagation child node in the taint pool, the asynchronous propagation logic is exited, and the local variable is emptied, such as: "threadcontext.

When entering asynchronous propagation logic, i.e. when the propagation task submitted by the thread pool is an asynchronous task, it is possible to use the tainted fragments of the propagation points, or it is also possible to directly use part of the parameters in the request as a splice. For example, when the transmission task is executed, the content of the short message sent by the sender and the designated receiver may be transferred in the request, or may be transferred after logic processing, for example, the transfer is id, the target short message template is matched through id, and the request data is filled into the target short message template to asynchronously send the short message.

In this regard, if the propagation task submitted by the thread pool does not use the parameter of the request or the parameter of the last propagation point function and the hash table of the taint pool has the address of the entry of the propagation point function, then the synchronous propagation logic is considered to be entered, the propagation point function is used as the synchronous propagation point function, and synchronous propagation child nodes are created in the taint pool according to the synchronous propagation point function; if the propagation task submitted by the thread pool uses the parameter of the request or the parameter of the last propagation point function and the hash table of the taint pool has the address hash of the parameter of the propagation point function, the asynchronous propagation logic is considered to be entered, the propagation point function is used as the asynchronous propagation point function, and the asynchronous propagation child node is created in the taint pool according to the asynchronous propagation point function.

The embodiment of the invention can accurately distinguish the synchronous/asynchronous propagation point functions by judging whether the propagation point function is the propagation point function of the asynchronous task, ensure that synchronous/asynchronous propagation child nodes are accurately built in a taint pool in the follow-up process, better realize the cross-thread tracking of the taint propagation path and effectively avoid the problem of missing report.

In an alternative embodiment, the creating the synchronous propagation child node in the taint pool according to the synchronous propagation point function specifically includes: acquiring parameters of a synchronous propagation point function and acquiring function information of the synchronous propagation point function; creating a child node corresponding to a root node in a taint propagation structure of the taint pool as a synchronous propagation child node, so that the synchronous propagation child node corresponds to a parameter of a synchronous propagation point function, and the node information of the synchronous propagation child node comprises function information of the synchronous propagation point function; writing the output parameters of the synchronous propagation point function into a hash table of the stain pool; wherein the function information of the synchronous propagation point function comprises an argument of the synchronous propagation point function.

As an example, when the server determines that the propagation point function is the synchronous propagation point function, the server obtains parameters of the synchronous propagation point function, obtains function information of the synchronous propagation point function, and establishes a child node corresponding to the root node in the dirty pool as a synchronous propagation child node, so that the synchronous propagation child node corresponds to the parameters of the synchronous propagation point function, and the node information of the synchronous propagation child node includes the function information of the synchronous propagation point function. The function information of the synchronous propagation point function comprises the data types of the taint, such as propagation, names of the propagation point function, in-parameters and out-parameters of the propagation point function, stack tracking information and the like.

The server also writes the output parameters of the synchronous propagation point function into the hash table of the stain pool.

According to the embodiment of the invention, the synchronous propagation sub-nodes are created in the taint propagation structure of the taint pond according to the synchronous propagation point function, so that the taint propagation path can be generated by combining the synchronous propagation sub-nodes to construct the tree-shaped taint propagation structure, the taint propagation path can be tracked in a cross-process manner, and the problem of missing report can be effectively avoided.

In an alternative embodiment, the creating the asynchronous propagation child node in the taint pool according to the asynchronous propagation point function specifically includes: acquiring parameters of an asynchronous propagation point function, function information of the asynchronous propagation point function and parameters used by a propagation task; when the parameters used by the propagation task are the requested parameters, creating a child node corresponding to the root node in a stain propagation structure of the stain pool as an asynchronous propagation child node, so that the asynchronous propagation child node corresponds to the parameters of an asynchronous propagation point function, and the node information of the asynchronous propagation child node comprises the function information and the asynchronous information of the asynchronous propagation point function; when the parameter used by the propagation task is the parameter of the last propagation point function, creating a child node corresponding to the last asynchronous propagation child node in the taint propagation structure of the taint pool as an asynchronous propagation child node, so that the asynchronous propagation child node corresponds to the parameter of the asynchronous propagation point function, and the node information of the asynchronous propagation child node comprises the function information and the asynchronous information of the asynchronous propagation point function; writing the output parameters of the asynchronous propagation point function into a hash table of the stain pool; wherein the function information of the asynchronous propagation point function comprises an argument of the asynchronous propagation point function.

As an example, when the server determines that the propagation point function is an asynchronous propagation point function, the server obtains parameters of the asynchronous propagation point function, function information of the asynchronous propagation point function, and parameters used by the propagation task.

In the taint propagation process, whether to create an asynchronous propagation child node under a root node or a last asynchronous propagation child node is selected according to whether a parameter used by a propagation task is a requested parameter or a parameter of a last propagation point.

When the parameters used by the propagation task are the requested parameters, creating a child node corresponding to the root node in a taint propagation structure of the taint pool as an asynchronous propagation child node, so that the asynchronous propagation child node corresponds to the parameters of an asynchronous propagation point function, and the node information of the asynchronous propagation child node comprises the function information and the asynchronous information of the asynchronous propagation point function.

When the parameter used by the propagation task is the parameter of the last propagation point function, creating a child node corresponding to the last asynchronous propagation child node in the taint propagation structure of the taint pool as an asynchronous propagation child node, so that the asynchronous propagation child node corresponds to the parameter of the asynchronous propagation point function, and the node information of the asynchronous propagation child node comprises the function information and the asynchronous information of the asynchronous propagation point function. The function information of the asynchronous propagation point function comprises the data types of the stain, such as propagation, names of the propagation point function, in-parameters and out-parameters of the propagation point function, stack tracking information and the like.

The server also writes the output parameters of the asynchronous propagation point function into the hash table of the stain pool.

Since asynchronous operations may be multiple at the same time, multiple child nodes may appear in a parent node. For example, a data flow diagram of the smudge propagation flow is shown in fig. 2, and a schematic diagram of the smudge propagation structure is shown in fig. 3.

According to the embodiment of the invention, the asynchronous propagation sub-nodes are created in the taint propagation structure of the taint pool according to the asynchronous propagation point function, so that the taint propagation path can be generated by combining the asynchronous propagation sub-nodes to construct a tree-shaped taint propagation structure, the taint propagation path can be tracked in a cross-process manner, and the problem of missing report can be effectively avoided.

In an alternative embodiment, the creating the sink child node in the stain pool according to each monitored sink point function includes: judging whether the convergence point function is the convergence point function of the asynchronous task or not for each convergence point function; if not, using the convergence point function as a synchronous convergence point function, and creating a synchronous convergence child node in the stain pool according to the synchronous convergence point function; if yes, the convergence point function is used as an asynchronous convergence point function, and an asynchronous convergence child node is established in the stain pool according to the asynchronous convergence point function.

As an example, the server monitors the convergent point functions by using byte codes inserted by the probe at the convergent point functions, for each convergent point function, determines whether the convergent point function is a convergent point function of an asynchronous task, if the convergent point function is a convergent point function of a synchronous task, uses the convergent point function as a synchronous convergent point function, and creates a synchronous convergent child node in the stain pool according to the synchronous convergent point function; if the aggregation point function is the aggregation point function of the asynchronous task, the aggregation point function is used as the asynchronous aggregation point function, and the asynchronous aggregation child node is created in the stain pool according to the asynchronous aggregation point function.

According to the embodiment of the invention, whether the monitored convergence point function is the convergence point function of the asynchronous task is judged, the synchronous/asynchronous convergence sub-node is created in the stain pool according to the judging result, the tree-shaped stain propagation structure is built by combining the synchronous/asynchronous convergence sub-node to generate the stain propagation path, the synchronous convergence sub-node and the asynchronous convergence sub-node can be created in the stain pool in a distinguishing mode, the inter-thread tracking of the stain propagation path is better realized, and the problem of missing report is effectively avoided.

In an alternative embodiment, the determining whether the convergence point function is a convergence point function of an asynchronous task specifically includes: when the converging task submitted by the thread pool is monitored, copying the stain pool to the thread executing the converging task; when the convergence task does not use the requested parameters or parameters of any propagation point function and the hash table of the stain pool has the parameters of the convergence point function, judging that the convergence point function is the convergence point function of the synchronous task; when the converging task uses the requested parameters or parameters of any propagation point function and the hash table of the stain pool has the parameters of the converging point function, judging that the converging point function is the converging point function of the asynchronous task.

As an example, for each monitored convergent point function, the server monitors the convergent task submitted by the thread pool by using the byte code inserted by the probe at the method related to the task submitted by the thread pool in the tested program, when the convergent task is monitored, copies the taint pool to the thread executing the convergent task so as to ensure the data in the subsequent searchable taint pool, judges whether the convergent task uses the requested parameter or the parameter of any propagation point function (can be searched in the hash table of the taint pool), judges whether the hash table of the taint pool has the address hash of the entry of the convergent point function, and if the convergent task does not use the requested parameter or the parameter of any propagation point function and the hash table of the taint pool has the address hash of the entry of the convergent point function, judges that the convergent point function is the convergent point function of the synchronous task; if the convergence task has the parameters of the using request or the parameters of any propagation point function and the hash table of the stain pool has the address hash of the convergence point function entering the parameters, judging that the convergence point function is the convergence point function of the asynchronous task.

When the converging task submitted by the thread pool is monitored, in order to ensure that data in a stain pool can be searched later, a task object submitted by the thread pool can be proxied, a jar packet is independently written, and the jar packet comprises a custom proxy class. The proxy process may refer to the above and will not be described in detail herein.

When the task object is constructed, the stain pool is copied to the local variable in the same thread at present as the stain pool in the thread for executing the convergence task (because the subsequent asynchronous execution cannot be accessed), so that the task object accesses the local variable in a pile inserting mode when the asynchronous thread is executed, and the task logic is executed through a specific interface (the asynchronous of java has a specific interface), so that the snapshot is restored to the wirecontext, and the pointer of the wirecontext is modified actually, thereby realizing the 0 overhead.

The modification of the pointer of the wirecontext is specifically: and accessing the byte code of the java by using an ASM technology, extracting a pointer corresponding to a local variable wirecontext, and resetting the pointer position in the current thread to realize cross-thread copy.

For example, for a synchronous execution code, the wirecontext is set within the wirelocal of the current thread, and when asynchronously propagated, the wirecontext is disconnected, so a snapshot needs to be created first, and then the pointer of the snapshot needs to be reset into the current thread.

And marking the wirecontext as executing asynchronous operation, recording the name and id of the current asynchronous thread, and acquiring the current asynchronous thread through the request identification code traceId of java.

The subsequent asynchronous convergence logic is similar to the asynchronous propagation logic and reference is made to the above and will not be repeated here.

The embodiment of the invention can accurately distinguish the synchronous/asynchronous convergent point functions by judging whether the convergent point function is the convergent point function of the asynchronous task, ensure that the synchronous/asynchronous convergent child nodes are accurately built in the stain pool in the follow-up process, better realize the inter-thread tracking of the stain propagation path and effectively avoid the problem of missing report.

In an alternative embodiment, the creating the synchronous sink child node in the stain pool according to the synchronous sink point function specifically includes: acquiring parameters of a synchronous convergent point function and acquiring function information of the synchronous convergent point function; creating a child node corresponding to a propagation child node in a stain propagation structure of the stain pool as a synchronous convergence child node, so that the synchronous convergence child node corresponds to parameters of a synchronous convergence point function, and node information of the synchronous convergence child node comprises function information of the synchronous convergence point function.

As an example, when the server determines that the aggregation point function is the synchronous aggregation point function, the server obtains parameters of the synchronous aggregation point function, obtains function information of the synchronous aggregation point function, and establishes a child node corresponding to the propagation child node in the stain pool as the synchronous aggregation child node, so that the synchronous aggregation child node corresponds to the parameters of the synchronous aggregation point function, and the node information of the synchronous aggregation child node includes the function information of the synchronous aggregation point function. The function information of the synchronous convergence point function comprises the data types of the stain, such as convergence, names of the convergence point function, in-parameter and out-parameter of the convergence point function, stack tracking information and the like.

According to the embodiment of the invention, the synchronous convergent sub-nodes are created in the stain propagation structure of the stain pool according to the synchronous convergent point function, so that the synchronous convergent sub-nodes can be combined to construct a tree-shaped stain propagation structure to generate a stain propagation path, the inter-thread tracking of the stain propagation path is better realized, and the problem of missing report is effectively avoided.

In an alternative embodiment, the creating the asynchronous sink child node in the stain pool according to the asynchronous sink point function specifically includes: acquiring parameters of an asynchronous convergence point function and acquiring function information of the asynchronous convergence point function; creating a child node corresponding to a propagation child node in a stain propagation structure of the stain pool as an asynchronous convergence child node, so that the asynchronous convergence child node corresponds to parameters of an asynchronous convergence point function, and node information of the asynchronous convergence child node comprises function information and asynchronous information of the asynchronous convergence point function.

As an example, when the server determines that the aggregation point function is an asynchronous aggregation point function, the server obtains parameters of the asynchronous aggregation point function, obtains function information of the asynchronous propagation point function, and creates a child node corresponding to a propagation child node in a stain propagation structure of the stain pool as the asynchronous aggregation child node, so that the asynchronous aggregation child node corresponds to the parameters of the asynchronous aggregation point function, and node information of the asynchronous aggregation child node includes function information and asynchronous information of the asynchronous aggregation point function. The function information of the asynchronous convergence point function comprises the data types of the stain, such as convergence, names of the convergence point function, in-parameter and out-parameter of the convergence point function, stack tracking information and the like.

According to the embodiment of the invention, the asynchronous convergent sub-node is created in the stain propagation structure of the stain pool according to the asynchronous convergent point function, so that the stain propagation path can be generated by combining the asynchronous convergent sub-node to construct a tree-shaped stain propagation structure, the stain propagation path can be tracked in a cross-process manner, and the problem of missing report can be effectively avoided.

In an alternative embodiment, the asynchronous information includes asynchronous tag information and asynchronous thread information.

By way of example, the asynchronous information includes asynchronous tag information and asynchronous thread information.

The asynchronous flag information is a flag indicating whether a thread is asynchronous in the current propagation/sink node information. The current propagation/aggregation child node may be identified by a special flag, follow, at the time of determination of cross-thread.

Considering that synchronous tracking has a certain sequency, the execution sequence of thread tasks is uncontrolled during asynchronous tracking, so the current propagation/aggregation child node is defined as a follow child node, and node labels of cross-thread asynchronous tracking are mounted on parent nodes of the nodes in a side-by-side mode under the same parent node.

If asynchronous trace node data and synchronous trace node data are not distinguished, a problem of data display confusion arises. Assuming that there are three nodes b, c and d under the current propagation child node a, if there is no follow mark, the three nodes b, c and d sometimes appear in the order of a→b→c→d, and sometimes appear in the form of b→d without c, which is quite confusing, and adding this follow mark to identify an asynchronous child node is beneficial to accurately locating the asynchronous propagation flow.

The asynchronous thread information comprises the name, id, priority, running state and the like of the current asynchronous thread, so that the details of the asynchronous thread processed by the current spreading/converging node can be conveniently and rapidly obtained.

In the embodiment of the invention, in the process of creating the asynchronous propagation/convergence child node in the taint propagation structure of the taint pool, the node information of the asynchronous propagation/convergence child node comprises the asynchronous mark information and the asynchronous thread information, so that the asynchronous propagation flow process can be rapidly positioned in the taint propagation structure of a tree, the taint propagation path can be tracked by crossing the threads better, and the problem of missing report can be effectively avoided.

Referring to fig. 4, fig. 4 is a schematic structural diagram of a cross-thread vulnerability analysis method based on a code vaccine according to a second embodiment of the present invention. The second embodiment of the invention provides a code vaccine-based cross-thread vulnerability analysis device, which comprises: a probe pre-stake-inserting module 201, which is used for installing a probe in a tested program and performing pre-stake-inserting through the probe; a stain pool establishing module 202, configured to establish a stain pool of the request according to the intercepted request information of the request; a root node creating module 203, configured to create a root node in the stain pool according to each monitored stain source function; a propagation child node creating module 204, configured to create a propagation child node in the taint pool according to each monitored propagation point function; the sink child node creation module 205 is configured to create a sink child node in the stain pool according to each monitored sink point function; the taint propagation tracking module 206 is configured to generate a taint propagation path based on the hierarchical relationships among all the root nodes, all the propagation child nodes, and all the convergence child nodes.

In an alternative embodiment, the stain pool establishing module 202 is further configured to store the requested request information in a wirecontext class when the requested request information is acquired before the establishment of the requested stain pool according to the requested information of the intercepted request.

The implementation process of the functions and roles of each module in the above device is specifically shown in the implementation process of the corresponding steps in the above method, and will not be described herein again.

Referring to fig. 5, fig. 5 is a schematic structural diagram of an electronic device according to a third embodiment of the present invention. A third embodiment of the invention provides an electronic device 30 comprising a processor 301, a memory 302 and a computer program stored in the memory 302 and configured to be executed by the processor 301; the memory 302 is coupled to the processor 301, and the processor 301 implements the cross-thread vulnerability analysis method based on the code vaccine according to the first embodiment of the present invention when executing the computer program, and can achieve the same advantages as the above.

The method according to any embodiment of the code vaccine based cross-thread vulnerability analysis method according to the first embodiment of the present invention may be implemented when the processor 301 reads the computer program from the memory 302 via the bus 303 and executes the computer program.

The processor 301 may process digital signals and may include various computing structures. Such as a complex instruction set computer architecture, a reduced instruction set computer architecture, or an architecture that implements a combination of instruction sets. In some examples, processor 301 may be a microprocessor.

Memory 302 may be used for storing instructions to be executed by processor 301 or data relating to the execution of instructions. Such instructions and/or data may include code to implement some or all of the functions of one or more of the modules described in embodiments of the present invention. The processor 301 of the disclosed embodiment may be configured to execute instructions in the memory 302 to implement a code vaccine-based cross-thread vulnerability analysis method according to the first embodiment of the present invention. Memory 302 includes dynamic random access memory, static random access memory, flash memory, optical memory, or other memory known to those skilled in the art.

A fourth embodiment of the present invention provides a computer-readable storage medium including a stored computer program; the device where the computer readable storage medium is located is controlled to execute the code vaccine-based cross-thread vulnerability analysis method according to the first embodiment of the invention when the computer program runs, and the same beneficial effects as the method can be achieved.

In summary, the embodiment of the invention provides a code vaccine-based cross-thread vulnerability analysis method, a device, equipment and a medium, wherein the code vaccine-based cross-thread vulnerability analysis method comprises the following steps: installing a probe in a tested program, and pre-inserting piles through the probe; establishing a requested stain pool according to the intercepted request information of the request; creating root nodes in the stain pool according to each monitored stain source function; creating propagation child nodes in the stain pool according to each monitored propagation point function; respectively creating a sink sub-node in the stain pool according to each monitored sink point function; and generating a taint propagation path based on the hierarchical relationship among all the root nodes, all the propagation child nodes and all the convergence child nodes. According to the embodiment of the invention, the probe is installed in the tested program to perform pre-pile insertion, the pollution point source function, the propagation point function and the convergence point function are monitored, the root node, the propagation child node and the convergence child node are created in the pollution pool, and the tree-shaped pollution propagation structure is constructed to generate the pollution propagation path, so that the pollution propagation path can be tracked in a cross-process manner, and the problem of missing report is effectively avoided.

In the several embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other manners. The apparatus embodiments described above are merely illustrative, for example, flow diagrams and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

In addition, functional modules in the embodiments of the present invention may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.

The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.

The foregoing is merely illustrative of the present invention, and the present invention is not limited thereto, and any person skilled in the art will readily appreciate variations or alternatives within the scope of the present invention. Therefore, the protection scope of the invention is subject to the protection scope of the claims.

Claims

1. The cross-thread vulnerability analysis method based on the code vaccine is characterized by comprising the following steps of:

creating propagation child nodes in the taint pool according to each monitored propagation point function, wherein the propagation child nodes specifically comprise: for each propagation point function, judging whether the propagation point function is a propagation point function of an asynchronous task; if not, taking the propagation point function as a synchronous propagation point function, and creating synchronous propagation child nodes in the stain pool according to the synchronous propagation point function; if yes, the propagation point function is used as an asynchronous propagation point function, and an asynchronous propagation child node is created in the stain pool according to the asynchronous propagation point function;

the step of creating synchronous propagation child nodes in the taint pool according to the synchronous propagation point function specifically comprises the following steps: acquiring parameters of the synchronous propagation point function and acquiring function information of the synchronous propagation point function; creating a child node corresponding to the root node in a taint propagation structure of the taint pool as the synchronous propagation child node, so that the synchronous propagation child node corresponds to the parameter of the synchronous propagation point function, and the node information of the synchronous propagation child node comprises the function information of the synchronous propagation point function; writing the output parameters of the synchronous propagation point function into a hash table of the stain pool; wherein the function information of the synchronous propagation point function comprises the parameter of the synchronous propagation point function;

2. The code vaccine based cross-thread vulnerability analysis method of claim 1, further comprising, before the establishing the taint pool of the request based on the request information of the intercepted request:

3. The code vaccine based cross-thread vulnerability analysis method of claim 1, wherein the steps at the node Chi Chuangjian of the taint according to each monitored taint source function respectively comprise:

4. The code vaccine based cross-thread vulnerability analysis method of claim 1, wherein the determining whether the propagation point function is a propagation point function of an asynchronous task comprises:

5. The code vaccine based cross-thread vulnerability analysis method of claim 4, wherein creating asynchronous propagation child nodes in the taint pool according to the asynchronous propagation point function comprises:

6. The code vaccine-based cross-thread vulnerability analysis method of claim 1, wherein creating a sink child node in the pool of spots according to each monitored sink point function, comprises:

7. The code vaccine based cross-thread vulnerability analysis method of claim 6, wherein the determining whether the convergent point function is an asynchronous task convergent point function comprises:

8. The code vaccine based cross-thread vulnerability analysis method of claim 6, wherein the creating a synchronous sink child node in the pool of spots according to the synchronous sink point function specifically comprises:

9. The code vaccine based cross-thread vulnerability analysis method of claim 7, wherein creating an asynchronous sink child node in the pool of blobs according to the asynchronous sink point function comprises:

10. The code vaccine based cross-thread vulnerability analysis method of claim 5 or 9, wherein the asynchronous information comprises asynchronous tag information and asynchronous thread information.

11. A code vaccine-based cross-thread vulnerability analysis apparatus, comprising:

12. An electronic device comprising a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor; the memory is coupled to the processor and the processor when executing the computer program implements the code vaccine based cross-thread vulnerability analysis method according to any one of claims 1 to 10.

13. A computer readable storage medium, wherein the computer readable storage medium comprises a stored computer program; wherein the computer program, when run, controls the device in which the computer readable storage medium resides to perform the code vaccine based cross-thread vulnerability analysis method according to any one of claims 1 to 10.