CN104573522B - Vulnerability analysis method and apparatus - Google Patents
- Publication number
- CN104573522B CN201310495759.7A
- Authority
- CN
- China
- Prior art keywords
- function
- computer system
- information
- application program
- prompt
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
Abstract
Embodiments of the invention disclose a vulnerability analysis method and apparatus, applied in the field of computer technology. In the vulnerability analysis method of the embodiments, a vulnerability analysis apparatus identifies the first function among all functions that a computer system calls when running an application, records the information of the second function, i.e. the functions other than the first function among all functions the computer system calls when running the application, then performs vulnerability analysis on the information of the second function and prompts the user about information that has a security-policy defect. Because the first function is a function that the computer system needs to call for its own operation, the method of this embodiment does not need to perform vulnerability analysis on the computer system's own operation, which saves time in analyzing the application. It also avoids prompting the user about vulnerabilities in the computer system's own operation, which reduces the false-positive rate for application vulnerabilities during vulnerability analysis.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to a vulnerability analysis method and apparatus.
Background
When running an application, a computer system mainly calls the application's executable file that has been loaded into the computer system's memory. If the invocation of the executable file has a security-policy defect, i.e. the application has a vulnerability, attackers can access or damage the application without authorization. Applications therefore need to be analyzed to avoid vulnerabilities. In the prior art, analyzing an application mainly involves first running the application, analyzing whether any of the executable code in the invoked executable file has a security-policy defect, and then prompting the user about the security-policy defects found, i.e. reporting the vulnerabilities.
Summary of the invention
Embodiments of the present invention provide a vulnerability analysis method and apparatus that reduce the false-positive rate for vulnerabilities during vulnerability analysis.
An embodiment of the present invention provides a vulnerability analysis method, comprising:
identifying the first function among all functions that a computer system calls when running an application, the first function being a function that the computer system needs to call for its own operation;
recording the information of the second function, i.e. the functions other than the first function, among all functions that the computer system calls when running the application;
performing vulnerability analysis on the information of the second function, and prompting the user about information that has a security-policy defect.
An embodiment of the present invention also provides a vulnerability analysis apparatus, comprising:
a recognition unit, configured to identify the first function among all functions that a computer system calls when running an application, the first function being a function that the computer system needs to call for its own operation;
a recording unit, configured to record the information of the second function, i.e. the functions other than the first function identified by the recognition unit, among all functions that the computer system calls when running the application;
an analysis unit, configured to perform vulnerability analysis on the information of the second function and to prompt the user about information that has a security-policy defect.
It can be seen that, in the vulnerability analysis method of the embodiments of the present invention, the vulnerability analysis apparatus identifies the first function among all functions that the computer system calls when running the application, records the information of the second function, i.e. the functions other than the first function among all functions the computer system calls when running the application, then performs vulnerability analysis on the information of the second function and prompts the user about information that has a security-policy defect. Because the first function is a function that the computer system needs to call for its own operation, the method of this embodiment does not need to perform vulnerability analysis on the computer system's own operation, which saves time in analyzing the application. It also avoids prompting the user about vulnerabilities in the computer system's own operation. A vulnerability in the computer system's own operation is not a vulnerability of the application, so the method of this embodiment avoids reporting vulnerabilities that do not belong to the application, i.e. it reduces the false-positive rate for application vulnerabilities during vulnerability analysis.
Brief description of the drawings
To explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a vulnerability analysis method provided by an embodiment of the present invention;
Fig. 2 is a flow chart of another vulnerability analysis method provided by an embodiment of the present invention;
Fig. 3 is a flow chart of another vulnerability analysis method provided by an embodiment of the present invention;
Fig. 4 is a flow chart of another vulnerability analysis method provided by an embodiment of the present invention;
Fig. 5 is a structural schematic diagram of a vulnerability analysis apparatus provided by an embodiment of the present invention;
Fig. 6 is a structural schematic diagram of another vulnerability analysis apparatus provided by an embodiment of the present invention;
Fig. 7 is a structural schematic diagram of another vulnerability analysis apparatus provided by an embodiment of the present invention;
Fig. 8 is a structural schematic diagram of a terminal to which the vulnerability analysis method provided by an embodiment of the present invention is applied.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
An embodiment of the present invention provides a vulnerability analysis method, mainly a method of performing vulnerability analysis on an application. Its flow chart is shown in Fig. 1 and comprises:
Step 101: identify the first function among all functions that the computer system calls when running the application. The first function is a function that the computer system needs to call for its own operation, i.e. system functions and library functions. A system function is a function implemented by the computer system, and a library function is a function provided by the compiler that compiles the application; for example, strcpy and strcat are system functions, and free and fopen are library functions.
It will be understood that the vulnerability analysis apparatus can start the analysis process of this embodiment on an application that is already running. For an application that is not currently running, the vulnerability analysis apparatus first needs to trigger the computer system to run the application; specifically, it triggers the computer system to load the application's executable file into the computer system's memory and execute the loaded executable file, and then performs the analysis according to the process of this embodiment. The loaded executable file may include information about the functions the computer system calls.
When the computer system runs an application, it must first guarantee its own normal operation before it can run the application. To save time in analyzing the application, the vulnerability analysis apparatus can first identify the functions that the computer system needs to call for its own operation, i.e. the first function, and then analyze the other functions called when running the application, which saves the time that would be spent analyzing the functions called for the computer system's own operation. Specifically, the computer system can identify the start address, end address and function name of the first function; that is, the information about the first function in the executable file executed by the computer system is restored to information expressed in assembly language or another high-level language.
Step 102: record the information of the second function, i.e. the functions other than the first function, among all functions that the computer system calls when running the application. The second function is a function specific to this application, i.e. a function implemented by the application. The second-function information recorded in this embodiment is the information needed to perform vulnerability analysis on the application, and may include but is not limited to at least one of the following: call information, register information and memory information of the second function.
Step 103: perform vulnerability analysis on the information of the second function, and prompt the user about information that has a security-policy defect. Vulnerability analysis mainly analyzes whether the application has security-policy defects. Security-policy defects may include but are not limited to: logic errors (including decision logic), programming mistakes, weaknesses in the protocol authentication mode, and other defects that threaten system security.
It should be noted that "first function" and "second function" above do not indicate an order; the terms are used only to distinguish different functions.
It can be seen that, in the vulnerability analysis method of the embodiments of the present invention, the vulnerability analysis apparatus identifies the first function among all functions that the computer system calls when running the application, records the information of the second function, i.e. the functions other than the first function among all functions the computer system calls when running the application, then performs vulnerability analysis on the information of the second function and prompts the user about information that has a security-policy defect. Because the first function is a function that the computer system needs to call for its own operation, the method of this embodiment does not need to perform vulnerability analysis on the computer system's own operation, which saves time in analyzing the application. It also avoids prompting the user about vulnerabilities in the computer system's own operation. A vulnerability in the computer system's own operation is not a vulnerability of the application, so the method of this embodiment avoids reporting vulnerabilities that do not belong to the application, i.e. it reduces the false-positive rate for application vulnerabilities during vulnerability analysis.
In a specific embodiment, the vulnerability analysis apparatus can perform step 101 above through the following steps, whose flow chart is shown in Fig. 2:
A1: Disassemble the executable file that corresponds to the application when the computer system runs it. The executable file executed by the computer system is the compiled application code, expressed in a language that the computer system can recognize. In this embodiment the executable file needs to be disassembled, i.e. the application code expressed in the compiled language is restored to application code expressed in a programming language (such as assembly language or another high-level language).
A2: Determine the start address, end address and function name of each function in the disassembled executable file.
A3: Judge whether the function name of a function obtained in step A2 matches a preset function name of a function called for the computer system's own operation. If it matches, the function is identified as a first function; if it does not match, the function is not a first function.
It should be noted that steps A2 and A3 can be executed sequentially, i.e. the judgment in step A3 is performed after the information of all functions in the disassembled executable file has been determined. Steps A2 and A3 can also be executed in parallel, i.e. once the information of one function has been determined, the judgment in step A3 can be performed without waiting for the information of all functions to be obtained.
The first function can thus be identified through steps A1 to A3 above. Then, when performing the recording in step 102, the vulnerability analysis apparatus can use the start and end addresses of the first function obtained in steps A2 and A3 to record the information of the other functions, those outside these addresses, among all functions that the computer system calls when running the application.
For example, in a specific application, the vulnerability analysis apparatus usually first starts a disassembler such as IDA to disassemble the executable file, and can suspend the execution script through a wait function; once the disassembler has finished analyzing the executable file, the execution script starts to run. The execution script is the script that performs steps A2 and A3 above. During this process the vulnerability analysis apparatus can also store the results of steps A2 and A3 at a destination so that they can be read freely when needed. Specifically, the disassembler of this embodiment, such as IDA, can be started through a command line with the parameters "-A", "-S" and "-C". The parameter "-A" indicates that IDA will not display dialog boxes; the parameter "-S" specifies which execution script to run and where to store the script's results; the parameter "-C" indicates disassembling a file.
For example, when IDA is started with the following command line, the execution script run by the vulnerability analysis apparatus is "dumpfune.idc", and the information identified for the first function is automatically saved in fune.txt on drive E:
idaq -C -A -S"dumpfune.idc E:\fune.txt" E:\test.dll
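The identification in steps A2 and A3 and the recording in step 102, as an added example that is not code from the patent. The dump layout (start, end, name per line, end address exclusive), the preset name list, the application function names and the trace records are all assumptions constructed for illustration; the page does not show what the script writes.

```python
import bisect

# Hypothetical preset list of functions the system itself calls (step A3);
# the names are the examples the text gives.
PRESET_NAMES = {"strcpy", "strcat", "free", "fopen"}

# Constructed dump, one function per line: start end name (hex, end exclusive).
# This layout is an assumption; the page does not show the script's output.
SAMPLE_DUMP = """\
00401000 00401040 strcpy
00401040 004010a0 check_license
004010a0 004010c8 free
004010c8 00401200 parse_request
00401200 00401230 fopen
"""

# Constructed runtime records: the address executing plus captured state.
SAMPLE_TRACE = [
    {"pc": 0x401010, "regs": {"eax": 0x1}},
    {"pc": 0x401040, "regs": {"eax": 0x2}},
    {"pc": 0x4010B0, "regs": {"eax": 0x3}},
    {"pc": 0x4010D0, "regs": {"eax": 0x4}},
    {"pc": 0x500000, "regs": {"eax": 0x5}},
]


def parse_dump(text):
    """Step A2: read (start, end, name) for every disassembled function."""
    funcs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'start end name'")
        start, end = int(parts[0], 16), int(parts[1], 16)
        if end <= start:
            raise ValueError(f"line {lineno}: empty or inverted range")
        funcs.append((start, end, parts[2]))
    return sorted(funcs)


def split_functions(funcs, preset=PRESET_NAMES):
    """Step A3: a name found in the preset list marks a first function."""
    first = [f for f in funcs if f[2] in preset]
    second = [f for f in funcs if f[2] not in preset]
    return first, second


def record_second(trace, funcs, preset=PRESET_NAMES):
    """Step 102: keep only records that fall outside first-function ranges."""
    first, _ = split_functions(funcs, preset)
    starts = [f[0] for f in funcs]
    first_ranges = {(f[0], f[1]) for f in first}
    kept = []
    for event in trace:
        i = bisect.bisect_right(starts, event["pc"]) - 1
        hit = funcs[i] if i >= 0 and event["pc"] < funcs[i][1] else None
        if hit and (hit[0], hit[1]) in first_ranges:
            continue  # system or library code: not analysed, not reported
        name = hit[2] if hit else "<unmapped>"
        kept.append({"function": name, **event})
    return kept


if __name__ == "__main__":
    for rec in record_second(SAMPLE_TRACE, parse_dump(SAMPLE_DUMP)):
        print(hex(rec["pc"]), rec["function"])
```

Records at addresses that belong to no dumped function are kept, because the text records everything outside the first-function address ranges.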
In another specific embodiment, the vulnerability analysis apparatus can perform the analysis of step 103 above in several ways. Two analysis modes are described below as examples.
(1) Taint analysis, shown in Fig. 3, specifically comprising:
B1: Assign a corresponding taint tag to the parameters of each function in the second function. A function may contain parameters at multiple program points, and each of these parameters can be uniquely identified by a taint tag, so that from the relationships between parameters it is possible to know where a given parameter propagates while the application runs. A program point refers to one line of the program, and one line of the program corresponds to one program address.
B2: Judge whether the propagation of the parameter corresponding to a taint tag, while the computer system runs the application, conforms to the preset policy. If it does not, the parameter of the function corresponding to that taint tag may have a security-policy defect, and step B3 is executed; if it does, no user prompt is needed. The preset policy can be set in the computer system in advance by the user according to actual needs, for example a policy stating where a given parameter should propagate. The propagation of a parameter refers to where the parameter is called, which is where it has propagated to.
The information about the propagation of the parameter corresponding to a taint tag can be obtained from the information of the second function.
B3: Prompt the user about the second function corresponding to the taint tag that does not conform.
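Steps B1 to B3 as an added example, not code from the patent. The function names, the recorded parameter flows, and the policy format (for each parameter, the set of functions it is allowed to reach) are hypothetical and constructed for illustration; a parameter with no policy entry is treated as unconstrained.

```python
from collections import deque

# Constructed call information for second functions (all names hypothetical).
# Each pair says a parameter's value was passed on to another parameter.
FLOWS = [
    (("read_request", "buf"), ("parse_request", "raw")),
    (("parse_request", "raw"), ("build_query", "user")),
    (("build_query", "user"), ("run_sql", "stmt")),
    (("load_config", "path"), ("open_log", "name")),
    (("open_log", "name"), ("load_config", "path")),  # cycle, must terminate
]

# Hypothetical preset policy (step B2): functions each parameter may reach.
# A parameter without an entry is treated as unconstrained (assumption).
POLICY = {
    ("read_request", "buf"): {"parse_request", "build_query"},
    ("load_config", "path"): {"open_log", "load_config"},
}


def assign_tags(flows):
    """Step B1: give every parameter seen in the records a unique tag."""
    params = sorted({p for edge in flows for p in edge})
    return {param: f"T{i}" for i, param in enumerate(params, 1)}


def propagate(tags, flows):
    """Follow each tag along the recorded flows; return tag -> reached params."""
    graph = {}
    for src, dst in flows:
        graph.setdefault(src, []).append(dst)
    reached = {}
    for param, tag in tags.items():
        seen, queue = {param}, deque([param])
        while queue:
            for nxt in graph.get(queue.popleft(), []):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        reached[tag] = seen - {param}
    return reached


def check_policy(flows, policy):
    """Steps B2 and B3: list every propagation the preset policy forbids."""
    tags = assign_tags(flows)
    reached = propagate(tags, flows)
    findings = []
    for param, allowed in sorted(policy.items()):
        tag = tags.get(param)
        for func, name in sorted(reached.get(tag, ())):
            if func not in allowed:
                findings.append({"tag": tag, "source": param,
                                 "function": func, "parameter": name})
    return findings


if __name__ == "__main__":
    for finding in check_policy(FLOWS, POLICY):
        print("prompt user:", finding)
```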
(2) Boundary-condition analysis. This analysis mode mainly checks whether the decision logic in the application is wrong, so that the application can be further improved. It is shown in Fig. 4 and specifically comprises:
C1: Judge whether the information corresponding to a conditional statement in the second-function information determined in step 102 conforms to the boundary condition specified by that conditional statement. If it does, no user prompt is needed; if it does not, the logic of the conditional statement may be wrong, and step C2 needs to be executed.
C2: Prompt the user about the information that does not conform to the boundary condition. In this case, the computer system can further execute step 104, i.e. in the second-function information determined in step 102, recombine the statements that correspond to the boundary condition specified by the conditional statement under that conditional statement.
It should be noted that the boundary-condition analysis of steps C1 and C2 and the taint analysis of steps B1 to B3 can be performed simultaneously or sequentially, or either one of them can be chosen for the analysis. In one specific implementation, if boundary-condition analysis is performed first, then after the user prompt of step C2, step 104 above can further be executed to eliminate the errors in statement logic; taint analysis is then performed, on the recombined second-function information. In this way, when analysis shows that the application has decision-logic errors, the application is improved through step 104 and other analyses are carried out afterwards, which lets the analysis of the program go deeper into other aspects.
An embodiment of the present invention also provides a vulnerability analysis apparatus, whose structural schematic diagram is shown in Fig. 5, comprising:
Recognition unit 10, configured to identify the first function among all functions that the computer system calls when running the application, the first function being a function that the computer system needs to call for its own operation;
Recording unit 11, configured to record the information of the second function, i.e. the functions other than the first function identified by recognition unit 10, among all functions that the computer system calls when running the application;
Analysis unit 12, configured to perform vulnerability analysis on the second-function information recorded by recording unit 11, and to prompt the user about information that has a security-policy defect.
In the vulnerability analysis apparatus of the embodiments of the present invention, recognition unit 10 identifies the first function among all functions that the computer system calls when running the application, recording unit 11 records the information of the second function, i.e. the functions other than the first function among all functions the computer system calls when running the application, and analysis unit 12 then performs vulnerability analysis on the information of the second function and prompts the user about information that has a security-policy defect. Because the first function is a function that the computer system needs to call for its own operation, the method of this embodiment does not need to perform vulnerability analysis on the computer system's own operation, which saves time in analyzing the application. It also avoids prompting the user about vulnerabilities in the computer system's own operation. A vulnerability in the computer system's own operation is not a vulnerability of the application, so the method of this embodiment avoids reporting vulnerabilities that do not belong to the application, i.e. it reduces the false-positive rate for application vulnerabilities during vulnerability analysis.
Referring to Fig. 6, in a specific embodiment, on the basis of the vulnerability analysis apparatus shown in Fig. 5, recognition unit 10 can be implemented by a disassembly unit 110, a function determination unit 120 and a first function recognition unit 130. Specifically:
Disassembly unit 110, configured to disassemble the executable file that corresponds to the application when the computer system runs it;
Function determination unit 120, configured to determine the start address, end address and function name of each function in the executable file disassembled by disassembly unit 110;
First function recognition unit 130, configured to identify a function as the first function if the function name determined by function determination unit 120 matches a preset function name of a function called for the computer system's own operation.
In this embodiment, recognition unit 10 can identify the first function through first function recognition unit 130 and function determination unit 120 and obtain the start and end addresses of the first function. When recording the second-function information, recording unit 11 then records the information of the other functions, those outside these addresses, among all functions that the computer system calls when running the application.
Referring to Fig. 7, in another specific embodiment, in addition to the structure shown in Fig. 5, the vulnerability analysis apparatus may further include a recombination unit 13 and an execution unit 14, and analysis unit 12 may be implemented by a tag allocation unit 112 and a first prompt unit 122, and/or by a second prompt unit 132. Specifically:
Tag allocation unit 112, configured to assign a corresponding taint tag to the parameters of each function in the second function;
First prompt unit 122, configured to prompt the user about the second function corresponding to a taint tag if the propagation of the parameter corresponding to that taint tag, while the computer system runs the application, does not conform to the preset policy;
Second prompt unit 132, configured to prompt the user about the information that does not conform to the boundary condition if the information corresponding to a conditional statement in the second-function information does not conform to the boundary condition specified by that conditional statement;
Recombination unit 13, configured to recombine, in the second-function information, the statements that correspond to the boundary condition specified by the conditional statement under that conditional statement;
Execution unit 14, configured to load the application's executable file into the memory of the computer system and execute the loaded executable file.
In this embodiment, when an application needs to be analyzed, execution unit 14 can first execute the executable file corresponding to the application; recognition unit 10 and recording unit 11 then record the information of the second function; finally, tag allocation unit 112 and first prompt unit 122 in analysis unit 12 perform taint analysis on the information recorded by recording unit 11, and second prompt unit 132 performs boundary-condition analysis on the information recorded by recording unit 11.
In one specific implementation, analysis unit 12 can perform boundary-condition analysis first. If second prompt unit 132 has prompted the user, recombination unit 13 can recombine the second-function information to eliminate the errors in statement logic; tag allocation unit 112 and first prompt unit 122 can then perform taint analysis, specifically on the recombined second-function information.
The following takes as an example the vulnerability analysis method of the embodiments of the present invention applied mainly in a terminal. The terminal may include a smartphone, a tablet computer, a laptop portable computer, a desktop computer and so on.
Referring to Fig. 8, which shows a structural schematic diagram of the terminal involved in the embodiments of the present invention, specifically:
The terminal may include a radio frequency (RF) circuit 20, a memory 21 including one or more computer-readable storage media, an input unit 22, a display unit 23, a processor 24 including one or more processing cores, a power supply 25 and other components. A person skilled in the art will understand that the terminal structure shown in Fig. 8 does not limit the terminal, which may include more or fewer components than illustrated, combine certain components, or use a different arrangement of components. In particular:
RF circuit 20 can be used to receive and send information; in particular, it hands received downlink information to one or more processors 24 for processing. In general, RF circuit 20 includes but is not limited to an antenna, at least one amplifier, a tuner, one or more oscillators, a transceiver, a coupler, a low-noise amplifier (LNA), a duplexer and so on. In addition, RF circuit 20 can communicate with networks and other devices through wireless communication. The wireless communication can use any communication standard or protocol, including but not limited to Global System for Mobile communication (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE) and so on.
Memory 21 can be used to store software programs and modules; processor 24 performs various functional applications and data processing by running the software programs and modules stored in memory 21. Memory 21 may mainly include a program storage area and a data storage area. The program storage area can store the operating system, the application required by at least one function (such as a sound playback function or an image playback function) and so on; the data storage area can store data created through use of the terminal (such as audio data or a phone book) and so on. In addition, memory 21 may include high-speed random access memory and may also include non-volatile memory, for example at least one disk storage device, a flash memory device or other volatile solid-state parts. Correspondingly, memory 21 may also include a memory controller to provide processor 24 and input unit 22 with access to memory 21.
Input unit 22 can be used to receive input numeric or character information and to generate keyboard, mouse, joystick, optical or trackball signal input related to user settings and function control. Specifically, in a specific embodiment, input unit 22 may include a touch-sensitive surface 221 and other input devices 222. Touch-sensitive surface 221, also called a touch display screen or trackpad, collects the user's touch operations on or near it (for example, operations performed by the user with a finger, stylus or any other suitable object or accessory on or near touch-sensitive surface 221) and drives the corresponding connected device according to a preset program. Optionally, touch-sensitive surface 221 may include two parts, a touch detection device and a touch controller. The touch detection device detects the position of the user's touch, detects the signal produced by the touch operation, and sends the signal to the touch controller; the touch controller receives touch information from the touch detection device, converts it into contact coordinates, sends them to processor 24, and can receive and execute commands sent by processor 24. Touch-sensitive surface 221 can be implemented in several types, such as resistive, capacitive, infrared and surface acoustic wave. Besides touch-sensitive surface 221, input unit 22 may also include other input devices 222. Specifically, other input devices 222 may include but are not limited to one or more of a physical keyboard, function keys (such as volume control keys or a power key), a trackball, a mouse, a joystick and so on.
Display unit 23 can be used to display information entered by the user or provided to the user, as well as the terminal's various graphical user interfaces, which can be composed of graphics, text, icons, video and any combination of these. Display unit 23 may include a display panel 231, which can optionally be configured in the form of a liquid crystal display (LCD), an organic light-emitting diode (OLED) display and so on. Further, touch-sensitive surface 221 can cover display panel 231. When touch-sensitive surface 221 detects a touch operation on or near it, it passes the operation to processor 24 to determine the type of touch event, and processor 24 then provides the corresponding visual output on display panel 231 according to the type of touch event. Although in Fig. 8 touch-sensitive surface 221 and display panel 231 implement the input and output functions as two separate components, in some embodiments touch-sensitive surface 221 and display panel 231 can be integrated to implement the input and output functions.
Processor 24 is the control center of the terminal. It connects the various parts of the entire mobile phone through various interfaces and lines and, by running or executing the software programs and/or modules stored in memory 21 and calling the data stored in memory 21, performs the terminal's various functions and processes data, thereby monitoring the mobile phone as a whole. Optionally, processor 24 may include one or more processing cores; preferably, processor 27 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, user interface, application programs, and so on, and the modem processor mainly handles wireless communication. It can be understood that the modem processor need not be integrated into processor 24.
The terminal further includes power supply 25 (such as a battery) that powers the components. Preferably, the power supply can be logically connected to processor 24 through a power management system, so that functions such as charge management, discharge management, and power consumption management are implemented through the power management system. Power supply 25 may also include any components such as one or more DC or AC power sources, a recharging system, a power failure detection circuit, a power adapter or inverter, and a power status indicator.
Although not shown, the terminal may also include a camera, a Bluetooth module, and so on, which are not described here. Specifically, in this embodiment, processor 24 in the terminal can, according to the following instructions, execute the executable files stored in memory 21 that correspond to the processes of one or more application programs, to implement various functions:
Identify the first function among all functions that processor 24 calls when running the application program, the first function being a function that processor 24 needs to call for its own operation; record the information of the second function, that is, of the functions other than the first function among all functions that processor 24 calls when running the application program; perform vulnerability analysis on the recorded information of the second function, and give a user prompt for information that has a security policy defect. Because the first function is a function that processor 24 needs to call for its own operation, the method of this embodiment does not need to perform vulnerability analysis on processor 24's own operation, which saves analysis time for the application program; it also avoids giving user prompts for vulnerabilities in processor 24's own operation, that is, it reduces the false alarm rate during vulnerability analysis.
In one specific embodiment, when identifying the first function, processor 24 may disassemble the executable file corresponding to processor 24 running the application program; determine the start address, end address, and function name of each function in the disassembled executable file; and, if the determined function name of a function matches a preset function name of a function called by processor 24 for its own operation, identify that function as the first function. This yields the start address and end address of the first function. When recording the information of the second function, processor 24 then records, among all functions called when processor 24 runs the application program, the information of the other functions that lie outside these addresses.
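The identification and recording steps above, as an added sketch that is not code from the patent: functions whose names match a preset list are treated as first functions, and only calls whose target lies outside their start/end address ranges are recorded. The function table, preset name list, call trace and helper names are constructed or hypothetical.

```python
from bisect import bisect_right
from typing import NamedTuple

class Func(NamedTuple):
    name: str
    start: int   # first address of the function
    end: int     # one past the last address (half-open range)

# Constructed sample: function table as a disassembler would report it.
FUNCTION_TABLE = [
    Func("_start",        0x1000, 0x1040),
    Func("__libc_init",   0x1040, 0x10c0),
    Func("parse_request", 0x10c0, 0x1200),
    Func("copy_payload",  0x1200, 0x1280),
    Func("malloc",        0x1280, 0x1300),
]

# Assumption: preset names of functions the system calls for its own operation.
PRESET_SYSTEM_NAMES = {"_start", "__libc_init", "malloc"}

# Constructed sample: (call target address, arguments) seen while the app ran.
CALL_TRACE = [
    (0x1000, ()), (0x1040, ()), (0x10c0, ("GET /a",)),
    (0x1280, (64,)), (0x1200, ("AAAA", 64)), (0x1280, (16,)),
]

def identify_first_functions(table, preset_names):
    """Return the functions whose names match the preset system names."""
    return [f for f in table if f.name in preset_names]

def resolve(addr, funcs, starts):
    """Map an address to its containing function, or None if unmapped."""
    i = bisect_right(starts, addr) - 1
    if i >= 0 and funcs[i].start <= addr < funcs[i].end:
        return funcs[i]
    return None

def record_second_functions(trace, table, preset_names):
    """Record calls whose target lies outside every first-function range."""
    first = identify_first_functions(table, preset_names)
    excluded = [(f.start, f.end) for f in first]
    funcs = sorted(table, key=lambda f: f.start)
    starts = [f.start for f in funcs]
    recorded = []
    for addr, args in trace:
        if any(lo <= addr < hi for lo, hi in excluded):
            continue  # the system's own function: not analysed, not reported
        f = resolve(addr, funcs, starts)
        recorded.append({"addr": addr,
                         "name": f.name if f else None,  # None: no symbol
                         "args": args})
    return recorded
```

Matching on names alone means a stripped or renamed runtime function falls through to the recorded set and is analysed like application code, which costs time but does not hide application findings.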
In another specific embodiment, when an application program needs to be analyzed, processor 24 may first load the executable file of the application program into memory 21 and execute the loaded executable file, then record the information of the second function, and finally perform taint analysis and/or boundary condition analysis on the recorded information of the second function, where:
For taint analysis, processor 24 mainly assigns a corresponding taint tag to the parameters of each function in the second function; if the propagation of the parameter corresponding to the taint tag while processor 24 runs the application program does not conform to a preset policy, a user prompt is given at the second function corresponding to the taint tag. For boundary condition analysis, if the information corresponding to a conditional statement in the information of the second function does not meet the boundary condition specified by that conditional statement, processor 24 mainly gives a user prompt for the information that does not meet the boundary condition.
Further, in one concrete implementation, processor 24 may perform boundary condition analysis first. If a user prompt has been given, processor 24 may also, within the information of the second function, group the statement operations that correspond to meeting the boundary condition specified by the conditional statement under that conditional statement, eliminating errors in the statement logic. Taint analysis can then be performed; specifically, taint analysis can be performed on the recombined information of the second function.
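The taint analysis and boundary condition analysis described above, as an added sketch that is not code from the patent. The event format for the recorded second-function information, the sink names and the reading of the "preset policy" as a set of forbidden sinks are assumptions made for illustration.

```python
from itertools import count

# Assumption: the "preset policy" is a set of sinks tainted data must not reach.
FORBIDDEN_SINKS = {"memcpy_len", "system"}

# Constructed sample of recorded second-function information. Each event is
# one recorded step: data flow, a call into a sink, a conditional statement's
# stated bound ("guard"), or the value actually used afterwards ("use").
RECORDED = {
    "parse_request": {
        "params": ["buf"],
        "events": [("assign", "line", ["buf"]),
                   ("assign", "n", ["const"]),
                   ("sink", "log", ["line"])],
    },
    "copy_payload": {
        "params": ["src", "length"],
        "events": [("guard", "length", 64),     # if (length <= 64)
                   ("use", "length", 80),       # value seen at the copy
                   ("assign", "n", ["length"]),
                   ("sink", "memcpy_len", ["n"])],
    },
}

def taint_analysis(recorded, forbidden=FORBIDDEN_SINKS):
    """Tag every parameter, propagate tags through assignments, and report
    each (function, sink, tags) where a tag reaches a forbidden sink."""
    tag_ids, prompts = count(1), []
    for name, info in recorded.items():
        tags = {p: {f"T{next(tag_ids)}:{name}.{p}"} for p in info["params"]}
        for kind, target, operand in info["events"]:
            if kind == "assign":
                # Destination carries the union of its sources' tags;
                # assigning only untainted sources clears it.
                tags[target] = set().union(*(tags.get(s, set()) for s in operand))
            elif kind == "sink" and target in forbidden:
                hit = set().union(*(tags.get(a, set()) for a in operand))
                if hit:
                    prompts.append((name, target, sorted(hit)))
    return prompts

def boundary_analysis(recorded):
    """Report each use of a variable with a value beyond the bound stated by
    the conditional statement that guards it."""
    prompts = []
    for name, info in recorded.items():
        bounds = {}
        for kind, var, value in info["events"]:
            if kind == "guard":
                bounds[var] = value
            elif kind == "use" and var in bounds and value > bounds[var]:
                prompts.append((name, var, value, bounds[var]))
    return prompts
```

Because each tag names the function and parameter it was assigned to, a prompt points at the second function where the tainted value entered, not only at the sink it reached.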
Those of ordinary skill in the art will understand that all or some of the steps in the methods of the above embodiments can be completed by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium, and the storage medium may include read-only memory (ROM), random-access memory (RAM), a magnetic disk, an optical disc, and so on.
The vulnerability analysis method and apparatus provided by the embodiments of the present invention have been described in detail above. Specific examples are used herein to explain the principle and implementation of the invention, and the description of the above embodiments is only intended to help understand the method of the invention and its core idea. At the same time, for those of ordinary skill in the art, there will be changes in the specific implementation and scope of application according to the idea of the invention. In summary, the content of this specification should not be construed as limiting the invention.
Claims (12)
1. A vulnerability analysis method, characterized by comprising:
a vulnerability analysis device identifying the first function among all functions that a computer system calls when running an application program, the first function being a function that the computer system needs to call for its own operation;
the vulnerability analysis device recording, among all functions that the computer system calls when running the application program, the information of the second function that lies outside the start address and end address of the first function;
the vulnerability analysis device performing vulnerability analysis on the information of the second function, and giving a user prompt for information that has a security policy defect.
2. The method of claim 1, characterized in that identifying the first function among all functions that the computer system calls when running the application program specifically comprises:
disassembling the executable file corresponding to the computer system running the application program;
determining the start address, end address, and function name of each function in the disassembled executable file;
if the function name of a function matches a preset function name of a function called by the computer system for its own operation, identifying the function as the first function.
3. The method of claim 1 or 2, characterized in that performing vulnerability analysis on the information of the second function specifically comprises:
assigning a corresponding taint tag to the parameters of each function in the second function;
if the propagation of the parameter corresponding to the taint tag while the computer system runs the application program does not conform to a preset policy, giving a user prompt at the second function corresponding to the taint tag.
4. The method of claim 1 or 2, characterized in that performing vulnerability analysis on the information of the second function specifically comprises:
if the information corresponding to a conditional statement in the information of the second function does not meet the boundary condition specified by the conditional statement, giving a user prompt for the information that does not meet the boundary condition.
5. The method of claim 4, characterized in that the method further comprises: in the information of the second function, grouping the statement operations that correspond to meeting the boundary condition specified by the conditional statement under the conditional statement.
6. The method of claim 1 or 2, characterized in that, before identifying the first function among all functions that the computer system calls when running the application program, the method further comprises:
loading the executable file of the application program into the memory of the computer system, and executing the loaded executable file.
7. A vulnerability analysis device, characterized by comprising:
a recognition unit, configured to identify the first function among all functions that a computer system calls when running an application program, the first function being a function that the computer system needs to call for its own operation;
a recording unit, configured to record, among all functions that the computer system calls when running the application program, the information of the second function that lies outside the start address and end address of the first function identified by the recognition unit;
an analysis unit, configured to perform vulnerability analysis on the information of the second function, and to give a user prompt for information that has a security policy defect.
8. The device of claim 7, characterized in that the recognition unit specifically comprises:
a disassembly unit, configured to disassemble the executable file corresponding to the computer system running the application program;
a function determination unit, configured to determine the start address, end address, and function name of each function in the disassembled executable file;
a first function recognition unit, configured to identify a function as the first function if the function name of the function matches a preset function name of a function called by the computer system for its own operation.
9. The device of claim 7 or 8, characterized in that the analysis unit specifically comprises:
a tag allocation unit, configured to assign a corresponding taint tag to the parameters of each function in the second function;
a first prompt unit, configured to give a user prompt at the second function corresponding to the taint tag if the propagation of the parameter corresponding to the taint tag while the computer system runs the application program does not conform to a preset policy.
10. The device of claim 7 or 8, characterized in that the analysis unit specifically comprises:
a second prompt unit, configured to give a user prompt for the information that does not meet the boundary condition if the information corresponding to a conditional statement in the information of the second function does not meet the boundary condition specified by the conditional statement.
11. The device of claim 10, characterized by further comprising: a recombination unit, configured to group, in the information of the second function, the statement operations that correspond to meeting the boundary condition specified by the conditional statement under the conditional statement.
12. The device of claim 7 or 8, characterized by further comprising:
an execution unit, configured to load the executable file of the application program into the memory of the computer system, and to execute the loaded executable file.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310495759.7A CN104573522B (en) | 2013-10-21 | 2013-10-21 | A kind of leak analysis method and apparatus |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310495759.7A CN104573522B (en) | 2013-10-21 | 2013-10-21 | A kind of leak analysis method and apparatus |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104573522A CN104573522A (en) | 2015-04-29 |
CN104573522B true CN104573522B (en) | 2018-12-11 |
Family
ID=53089560
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310495759.7A Active CN104573522B (en) | 2013-10-21 | 2013-10-21 | A kind of leak analysis method and apparatus |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104573522B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104915211B (en) * | 2015-06-18 | 2018-04-17 | 西安交通大学 | Intrinsic function recognition methods based on Subgraph Isomorphism matching algorithm in decompiling |
CN106709335B (en) * | 2015-11-17 | 2020-12-04 | 阿里巴巴集团控股有限公司 | Vulnerability detection method and device |
CN106874767B (en) * | 2015-12-14 | 2019-10-01 | 阿里巴巴集团控股有限公司 | A kind of detection method of program bug, terminal and server |
CN106709330B (en) * | 2016-07-29 | 2020-04-21 | 腾讯科技(深圳)有限公司 | Method and device for recording file execution behaviors |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101154257A (en) * | 2007-08-14 | 2008-04-02 | 电子科技大学 | Dynamic mend performing method based on characteristics of loopholes |
CN102651060A (en) * | 2012-03-31 | 2012-08-29 | 北京奇虎科技有限公司 | Method and system for detecting vulnerability |
CN102955914A (en) * | 2011-08-19 | 2013-03-06 | 百度在线网络技术(北京)有限公司 | Method and device for detecting security flaws of source files |
CN103282913A (en) * | 2010-12-29 | 2013-09-04 | 维亚塞斯公司 | Method for loading the code of at least one software module |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100274755A1 (en) * | 2009-04-28 | 2010-10-28 | Stewart Richard Alan | Binary software binary image analysis |
Also Published As
Publication number | Publication date |
---|---|
CN104573522A (en) | 2015-04-29 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||