CN104573522B - Vulnerability analysis method and apparatus - Google Patents

Publication number
CN104573522B
Authority
CN
China
Legal status
Active
Application number
CN201310495759.7A
Other languages
Chinese (zh)
Other versions
CN104573522A (en)
Inventor
李天祥
Current Assignee
Shenzhen Tencent Computer Systems Co Ltd
Original Assignee
Shenzhen Tencent Computer Systems Co Ltd
Application filed by Shenzhen Tencent Computer Systems Co Ltd
Priority to CN201310495759.7A
Publication of CN104573522A
Application granted
Publication of CN104573522B

Classifications

    • G - PHYSICS
    • G06 - COMPUTING; CALCULATING OR COUNTING
    • G06F - ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 - Assessing vulnerabilities and evaluating computer system security

Abstract

The embodiments of the invention disclose a vulnerability analysis method and apparatus, applied in the field of computer technology. In the vulnerability analysis method of the embodiments, the vulnerability analysis apparatus identifies the first function among all the functions that the computer system calls when running an application program, and records the information of the second function, that is, of the functions other than the first function among all the functions that the computer system calls when running the application program. It then performs vulnerability analysis on the information of the second function and prompts the user about information that has a security policy defect. Because the first function is a function that the computer system needs to call for its own operation, the method of this embodiment does not need to perform vulnerability analysis on the computer system's own operation, which saves analysis time for the application program. It also avoids prompting the user about vulnerabilities in the computer system's own operation, which reduces the false-positive rate for application program vulnerabilities during vulnerability analysis.

Description

Vulnerability analysis method and apparatus
Technical field
The present invention relates to the field of computer technology, and in particular to a vulnerability analysis method and apparatus.
Background
When running an application program, a computer system mainly calls the executable file of that application program, which has been loaded into the computer system's memory. If the calls of the executable file have a defect in security policy, that is, if the application program has a vulnerability, attackers can access or damage the application program without authorization. Application programs therefore need to be analyzed to avoid vulnerabilities. In the prior art, analyzing an application program mainly involves first running the application program, analyzing whether any of the executable code in the called executable file has a security policy defect, and then prompting the user about the security policy defects found, that is, reporting the vulnerabilities.
Summary of the invention
The embodiments of the present invention provide a vulnerability analysis method and apparatus that reduce the false-positive rate for vulnerabilities during vulnerability analysis.
An embodiment of the present invention provides a vulnerability analysis method, comprising:
identifying the first function among all the functions that a computer system calls when running an application program, the first function being a function that the computer system needs to call for its own operation;
recording the information of the second function, that is, of the functions other than the first function among all the functions that the computer system calls when running the application program;
performing vulnerability analysis on the information of the second function, and prompting the user about information that has a security policy defect.
An embodiment of the present invention also provides a vulnerability analysis apparatus, comprising:
a recognition unit, configured to identify the first function among all the functions that the computer system calls when running the application program, the first function being a function that the computer system needs to call for its own operation;
a recording unit, configured to record the information of the second function, that is, of the functions other than the first function identified by the recognition unit among all the functions that the computer system calls when running the application program;
an analysis unit, configured to perform vulnerability analysis on the information of the second function and to prompt the user about information that has a security policy defect.
As can be seen, in the vulnerability analysis method of the embodiments, the vulnerability analysis apparatus identifies the first function among all the functions that the computer system calls when running the application program, records the information of the second function, that is, of the functions other than the first function among all the functions called when running the application program, then performs vulnerability analysis on the information of the second function and prompts the user about information that has a security policy defect. Because the first function is a function that the computer system needs to call for its own operation, the method of this embodiment does not need to perform vulnerability analysis on the computer system's own operation, which saves analysis time for the application program. It also avoids prompting the user about vulnerabilities in the computer system's own operation. A vulnerability in the computer system's own operation is not a vulnerability of the application program, so the method of this embodiment prevents vulnerabilities that do not belong to the application program from being reported, that is, it reduces the false-positive rate for application program vulnerabilities during vulnerability analysis.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. The drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a vulnerability analysis method provided by an embodiment of the present invention;
Fig. 2 is a flowchart of another vulnerability analysis method provided by an embodiment of the present invention;
Fig. 3 is a flowchart of another vulnerability analysis method provided by an embodiment of the present invention;
Fig. 4 is a flowchart of another vulnerability analysis method provided by an embodiment of the present invention;
Fig. 5 is a structural schematic diagram of a vulnerability analysis apparatus provided by an embodiment of the present invention;
Fig. 6 is a structural schematic diagram of another vulnerability analysis apparatus provided by an embodiment of the present invention;
Fig. 7 is a structural schematic diagram of another vulnerability analysis apparatus provided by an embodiment of the present invention;
Fig. 8 is a structural schematic diagram of a terminal to which the vulnerability analysis method provided by an embodiment of the present invention is applied.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
An embodiment of the present invention provides a vulnerability analysis method, mainly a method for performing vulnerability analysis on an application program. Its flowchart is shown in Fig. 1, and it includes:
Step 101: identify the first function among all the functions that the computer system calls when running the application program. The first function is a function that the computer system needs to call for its own operation, namely a system function or a library function, where a system function is a function implemented by the computer system and a library function is a function provided by the compiler that compiles the application program. For example, strcpy and strcat are system functions, and free and fopen are library functions.
The vulnerability analysis apparatus can start the analysis process of this embodiment on an application program that is already running. For an application program that is not currently running, the vulnerability analysis apparatus first needs to trigger the computer system to run it. Specifically, it triggers the computer system to load the executable file of the application program into the memory of the computer system and to execute the loaded executable file, and then performs the analysis according to the process of this embodiment. The loaded executable file can include the information of the functions that the computer system calls.
When the computer system runs an application program, the normal operation of the computer system must be guaranteed first; only then can the application program run. To save time in analyzing the application program, the vulnerability analysis apparatus can first identify the functions that the computer system needs to call for its own operation, that is, the first function, and then analyze the other functions called when running the application program, which saves the time that would be spent analyzing the functions called for the computer system's own operation. Specifically, the computer system can identify the start address, end address and function name of the first function, that is, restore the information about the first function in the executable file that the computer system executes to information expressed in assembly language or another high-level language.
Step 102: record the information of the second function, that is, of the functions other than the first function among all the functions that the computer system calls when running the application program. The second function is a function specific to this application program, a function that the application program itself implements. The information of the second function recorded in this embodiment is the information needed to perform vulnerability analysis on the application program. It can include, but is not limited to, at least one of the following: call information, register information and memory information of the second function.
Step 103: perform vulnerability analysis on the information of the second function, and prompt the user about information that has a security policy defect. Vulnerability analysis mainly analyzes whether the application program has security policy defects. Security policy defects can include, but are not limited to: logic errors (including decision logic), errors in programming, weaknesses in protocol authentication methods, and other defects that threaten system security.
It should be noted that "first function" and "second function" do not indicate an order; the terms only distinguish different functions.
As can be seen, in the vulnerability analysis method of the embodiments, the vulnerability analysis apparatus identifies the first function among all the functions that the computer system calls when running the application program, records the information of the second function, that is, of the functions other than the first function among all the functions called when running the application program, then performs vulnerability analysis on the information of the second function and prompts the user about information that has a security policy defect. Because the first function is a function that the computer system needs to call for its own operation, the method of this embodiment does not need to perform vulnerability analysis on the computer system's own operation, which saves analysis time for the application program. It also avoids prompting the user about vulnerabilities in the computer system's own operation. A vulnerability in the computer system's own operation is not a vulnerability of the application program, so the method of this embodiment prevents vulnerabilities that do not belong to the application program from being reported, that is, it reduces the false-positive rate for application program vulnerabilities during vulnerability analysis.
In a specific embodiment, the vulnerability analysis apparatus can perform step 101 through the following steps, whose flowchart is shown in Fig. 2:
A1: Disassemble the executable file that corresponds to the application program the computer system is running. The executable file that the computer system executes is the compiled application program code, expressed in a language that the computer system can recognize. In this embodiment the executable file needs to be disassembled, that is, the application program code expressed in the compiled language is restored to application program code expressed in a programming language (such as assembly language or another high-level language).
A2: Determine the start address, end address and function name of each function in the disassembled executable file.
A3: Judge whether the function name of a function obtained in step A2 matches a preset function name of a function that the computer system calls for its own operation. If it matches, the function is identified as the first function; if it does not match, the function is not the first function.
It should be noted that steps A2 and A3 can be executed sequentially, that is, the judgment in step A3 is performed after the information of all functions in the disassembled executable file has been determined. Steps A2 and A3 can also be executed in parallel, that is, once the information of one function has been determined, the judgment in step A3 can be performed without waiting for the information of all functions to be obtained.
The first function can thus be identified through steps A1 to A3. When the vulnerability analysis apparatus then performs the recording in step 102, it can use the start and end addresses of the first function obtained in steps A2 and A3 to record, among all the functions that the computer system calls when running the application program, the information of the other functions that lie outside these addresses.
For example, in a specific application, the vulnerability analysis apparatus usually first starts a disassembler such as IDA to disassemble the executable file. A wait function suspends the execution script until the disassembler has finished analyzing the executable file, at which point the execution script starts to run; the execution script is the script that performs steps A2 and A3. In this process the vulnerability analysis apparatus can also store the results of steps A2 and A3 at a specified location, from which they can be read freely when needed. Specifically, the disassembler of this embodiment, such as IDA, can be started from a command line with the parameters "-A", "-S" and "-c". Parameter "-A" means that IDA will not display dialog boxes; parameter "-S" specifies which execution script to run and where to store the result of the script; parameter "-c" means disassembling a file.
For example, when IDA is started with the following command line, the execution script that the vulnerability analysis apparatus runs is "dumpfune.idc", and the result of identifying the first function is automatically saved in fune.txt on drive E:
idaq -c -A -S"dumpfune.idc E:\fune.txt" E:\test.dll
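Steps A1 to A3 and the address-based recording of step 102, shown as an added Python example (not code from the patent). The function table, the call trace and the names check_license and parse_packet are constructed, and the preset list holds only the four function names that the description gives as examples.

```python
from bisect import bisect_right
from dataclasses import dataclass

# Assumption: the preset names of functions the computer system calls for its
# own operation. Only the four names used as examples in the description.
PRESET_SYSTEM_NAMES = frozenset({"strcpy", "strcat", "free", "fopen"})


@dataclass(frozen=True)
class Function:
    start: int  # start address
    end: int    # end address (exclusive)
    name: str


# Constructed sample of what a disassembler script could dump in step A2:
# one "start end name" record per function.
SAMPLE_DUMP = """\
0x401000 0x401040 check_license
0x401040 0x4010a0 parse_packet
0x4010a0 0x4010c8 strcpy
0x4010c8 0x401100 strcat
0x401100 0x401130 fopen
0x401130 0x401150 free
"""

# Constructed run-time trace: the address being executed plus register state.
SAMPLE_TRACE = [
    {"addr": 0x401004, "regs": {"eax": 0x1}},
    {"addr": 0x4010A4, "regs": {"eax": 0x2}},  # inside strcpy
    {"addr": 0x401058, "regs": {"eax": 0x3}},
    {"addr": 0x401134, "regs": {"eax": 0x0}},  # inside free
    {"addr": 0x401090, "regs": {"eax": 0x4}},
]


def parse_dump(text):
    """Step A2: start address, end address and name of every function."""
    functions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, name = line.split()
        functions.append(Function(int(start, 16), int(end, 16), name))
    return sorted(functions, key=lambda f: f.start)


def identify_first_functions(functions, preset=PRESET_SYSTEM_NAMES):
    """Step A3: a function whose name matches a preset name is a first function."""
    return [f for f in functions if f.name in preset]


def enclosing(functions, starts, addr):
    """Return the function whose [start, end) range contains addr, or None."""
    i = bisect_right(starts, addr) - 1
    if i >= 0 and functions[i].start <= addr < functions[i].end:
        return functions[i]
    return None


def record_second_functions(trace, functions, preset=PRESET_SYSTEM_NAMES):
    """Step 102: keep only trace records outside first-function addresses."""
    first = set(identify_first_functions(functions, preset))
    starts = [f.start for f in functions]
    recorded = []
    for event in trace:
        func = enclosing(functions, starts, event["addr"])
        if func in first:
            continue  # system or library code: not analyzed
        recorded.append({"function": func.name if func else None, **event})
    return recorded


if __name__ == "__main__":
    table = parse_dump(SAMPLE_DUMP)
    for record in record_second_functions(SAMPLE_TRACE, table):
        print(hex(record["addr"]), record["function"], record["regs"])
```

Because the match is on the function name alone, an application function that shares a name with a preset entry is excluded from the record and is never analyzed.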
In another specific embodiment, the vulnerability analysis apparatus can perform step 103 in several ways. Two modes of analysis are described below as examples.
(1) Taint analysis. As shown in Fig. 3, it includes:
B1: Assign a corresponding taint tag to the parameters of each function among the second functions. A function can include parameters at multiple program points, and each of these parameters can be uniquely identified by a taint tag, so that the relationships between parameters show where a given parameter propagates to while the application program runs. A program point is one line of the program, and each line of the program corresponds to one program address.
B2: Judge whether the propagation of the parameter that corresponds to a taint tag, while the computer system runs the application program, complies with a preset policy. If it does not comply, the parameter of the function that corresponds to that taint tag may have a security policy defect, and step B3 is executed; if it complies, no user prompt is needed. The preset policy can be set in the computer system in advance by the user according to actual needs, for example a policy stating where a given parameter should propagate to. Here, the propagation of a parameter refers to where the parameter is called and where it is passed on to.
The information about the propagation of the parameter that corresponds to a taint tag can be obtained from the information of the second function.
B3: Prompt the user about the second function that corresponds to the taint tag that does not comply.
(2) Boundary condition analysis. This mode of analysis mainly checks whether the decision logic in the application program is wrong, so that the application program can be further improved. As shown in Fig. 4, it includes:
C1: Judge whether the information that corresponds to a conditional statement in the information of the second function determined in step 102 satisfies the boundary condition that the conditional statement specifies. If it does, no user prompt is needed. If it does not, the logic of the conditional statement may be wrong, and step C2 needs to be executed.
C2: Prompt the user about the information that does not satisfy the boundary condition. In this case, the computer system can further execute step 104, that is, in the information of the second function determined in step 102, regroup the statements that correspond to satisfying the boundary condition specified by the conditional statement under that conditional statement.
It should be noted that the boundary condition analysis of steps C1 and C2 and the taint analysis of steps B1 to B3 can be performed at the same time or one after the other, or only one of them can be chosen. In one specific implementation, if boundary condition analysis is performed first, then after the user has been prompted according to step C2, step 104 can further be executed to eliminate the error in statement logic; taint analysis is then performed, on the information of the second function after regrouping. In this way, when the analysis finds an error of decision logic in the application program, the application program is improved through step 104 before other analysis is performed, which allows the analysis of the program to go deeper into other aspects.
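Steps B1 to B3 as an added Python example (not code from the patent): every parameter of a second function gets a unique tag, the recorded data flows are followed to find where each tagged parameter ends up, and any destination outside the preset policy is reported against its function. All function names, flows and policy entries are constructed; treating "local:" locations as intermediate storage and denying destinations for parameters without a policy entry are assumptions of this example.

```python
from collections import defaultdict, deque

# Constructed sample: second functions and their parameters.
SAMPLE_FUNCTIONS = {
    "parse_packet": ["buf", "len"],
    "check_license": ["key"],
}

# Constructed flows taken from the recorded information: (source, destination).
# "local:x" is intermediate storage; "callee.param" is an argument of a call.
SAMPLE_FLOWS = [
    ("parse_packet.buf", "local:tmp"),
    ("local:tmp", "log_message.text"),
    ("local:tmp", "run_command.cmdline"),
    ("parse_packet.len", "alloc_buffer.size"),
    ("check_license.key", "local:k"),
    ("local:k", "compare_key.candidate"),
    ("local:k", "local:tmp2"),
    ("local:tmp2", "local:k"),  # a cycle the traversal must survive
]

# Constructed preset policy: where each parameter is allowed to propagate.
SAMPLE_POLICY = {
    "parse_packet.buf": {"log_message.text"},
    "parse_packet.len": {"alloc_buffer.size"},
    "check_license.key": {"compare_key.candidate"},
}


def assign_tags(second_functions):
    """B1: give every parameter of every second function a unique taint tag."""
    tags = {}
    for func, params in second_functions.items():
        for param in params:
            tags[(func, param)] = f"T{len(tags) + 1}"
    return tags


def reachable(origin, flows):
    """Every location the value at origin propagates to, directly or not."""
    edges = defaultdict(list)
    for src, dst in flows:
        edges[src].append(dst)
    seen, queue = set(), deque([origin])
    while queue:
        for nxt in edges[queue.popleft()]:
            if nxt not in seen and nxt != origin:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def analyse(second_functions, flows, policy):
    """B2 and B3: report parameters whose propagation violates the policy."""
    findings = []
    for (func, param), tag in assign_tags(second_functions).items():
        origin = f"{func}.{param}"
        # Assumption: only call arguments are checked, not local storage.
        sinks = {loc for loc in reachable(origin, flows)
                 if not loc.startswith("local:")}
        # Assumption: a parameter without a policy entry may go nowhere.
        unexpected = sorted(sinks - policy.get(origin, set()))
        if unexpected:
            findings.append({"function": func, "parameter": param,
                             "tag": tag, "unexpected": unexpected})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_FUNCTIONS, SAMPLE_FLOWS, SAMPLE_POLICY):
        print("prompt user:", finding)
```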
An embodiment of the present invention also provides a vulnerability analysis apparatus, whose structural schematic diagram is shown in Fig. 5, comprising:
Recognition unit 10, configured to identify the first function among all the functions that the computer system calls when running the application program, the first function being a function that the computer system needs to call for its own operation;
Recording unit 11, configured to record the information of the second function, that is, of the functions other than the first function identified by recognition unit 10 among all the functions that the computer system calls when running the application program;
Analysis unit 12, configured to perform vulnerability analysis on the information of the second function recorded by recording unit 11, and to prompt the user about information that has a security policy defect.
In the vulnerability analysis apparatus of this embodiment, recognition unit 10 identifies the first function among all the functions that the computer system calls when running the application program, recording unit 11 records the information of the second function, that is, of the functions other than the first function among all the functions called when running the application program, and analysis unit 12 then performs vulnerability analysis on the information of the second function and prompts the user about information that has a security policy defect. Because the first function is a function that the computer system needs to call for its own operation, the method of this embodiment does not need to perform vulnerability analysis on the computer system's own operation, which saves analysis time for the application program. It also avoids prompting the user about vulnerabilities in the computer system's own operation. A vulnerability in the computer system's own operation is not a vulnerability of the application program, so the method of this embodiment prevents vulnerabilities that do not belong to the application program from being reported, that is, it reduces the false-positive rate for application program vulnerabilities during vulnerability analysis.
As shown in Fig. 6, in a specific embodiment based on the vulnerability analysis apparatus shown in Fig. 5, recognition unit 10 can be implemented by disassembly unit 110, function determination unit 120 and first function recognition unit 130. Specifically:
Disassembly unit 110, configured to disassemble the executable file that corresponds to the application program the computer system is running;
Function determination unit 120, configured to determine the start address, end address and function name of each function in the executable file disassembled by disassembly unit 110;
First function recognition unit 130, configured to identify a function as the first function if the function name of the function determined by function determination unit 120 matches a preset function name of a function that the computer system calls for its own operation.
In this embodiment, recognition unit 10 can identify the first function through first function recognition unit 130 and function determination unit 120 and obtain the start and end addresses of the first function. When recording unit 11 records the information of the second function, it specifically records, among all the functions that the computer system calls when running the application program, the information of the other functions that lie outside these addresses.
As shown in Fig. 7, in another specific embodiment, the vulnerability analysis apparatus can include, in addition to the structure shown in Fig. 5, recomposition unit 13 and execution unit 14, and analysis unit 12 can be implemented by tag allocation unit 112 and first prompt unit 122, and/or by second prompt unit 132. Specifically:
Tag allocation unit 112, configured to assign a corresponding taint tag to the parameters of each function among the second functions;
First prompt unit 122, configured to prompt the user about the second function that corresponds to a taint tag if the propagation of the parameter that corresponds to that taint tag, while the computer system runs the application program, does not comply with the preset policy.
Second prompt unit 132, configured to prompt the user about the information that does not satisfy the boundary condition if the information that corresponds to a conditional statement in the information of the second function does not satisfy the boundary condition that the conditional statement specifies.
Recomposition unit 13, configured to regroup, in the information of the second function, the statements that correspond to satisfying the boundary condition specified by the conditional statement under that conditional statement.
Execution unit 14, configured to load the executable file of the application program into the memory of the computer system and to execute the loaded executable file.
In this embodiment, when an application program needs to be analyzed, execution unit 14 first executes the executable file that corresponds to the application program. Recognition unit 10 and recording unit 11 then record the information of the second function. Finally, tag allocation unit 112 and first prompt unit 122 in analysis unit 12 perform taint analysis on the information recorded by recording unit 11, and second prompt unit 132 performs boundary condition analysis on the information recorded by recording unit 11.
In one specific implementation, analysis unit 12 can perform boundary condition analysis first. If second prompt unit 132 has prompted the user, recomposition unit 13 can also regroup the information of the second function to eliminate the error in statement logic. Tag allocation unit 112 and first prompt unit 122 can then perform taint analysis, specifically on the information of the second function after regrouping.
Mainly it is applied to come in terminal for example, the terminal can be in the leak analysis method of the embodiment of the present invention below Including smart phone, tablet computer, pocket computer on knee and desktop computer etc..
Referring to FIG. 8, it illustrates the structural schematic diagrams of terminal involved in the embodiment of the present invention, specifically:
Terminal may include radio frequency (Radio Frequency, RF) circuit 20, include one or more computer The memory 21 of readable storage medium storing program for executing, display unit 23, includes one or more than one processing core at input unit 22 The components such as processor 24 and power supply 25.It will be understood by those skilled in the art that terminal structure shown in Fig. 8 is not constituted Restriction to terminal may include perhaps combining certain components or different component cloth than illustrating more or fewer components It sets.Wherein:
RF circuit 20 can be used for receiving and sending messages, particularly, by received downlink information transfer to one or more than one at Device 24 is managed to handle.In general, RF circuit 20 includes but is not limited to antenna, at least one amplifier, tuner, one or more oscillations Device, transceiver, coupler, low-noise amplifier (Low Noise Amplifier, LNA), duplexer etc..In addition, RF circuit 20 can also communicate with network and other equipment by wireless communication.Any communication standard or association can be used in the wireless communication View, including but not limited to global system for mobile communications (Global System of Mobile communication, GSM) are led to With grouping wireless service (General Packet Radio Service, GPRS), CDMA (Code Division Multiple Access, CDMA), wideband code division multiple access (Wideband Code Division Multiple Access, WCDMA), long term evolution (Long Term Evolution, LTE) etc..
Memory 21 can be used for storing software program and module, and processor 24 is stored in the soft of memory 21 by operation Part program and module, thereby executing various function application and data processing.Memory 21 can mainly include storing program area The storage data area and, wherein storing program area can (such as the sound of application program needed for storage program area, at least one function Sound playing function, image player function etc.) etc.;Storage data area can store according to terminal use created data (such as Audio data, phone directory etc.) etc..In addition, memory 21 may include high-speed random access memory, it can also include non-volatile Property memory, a for example, at least disk memory, flush memory device or other volatile solid-state parts.Correspondingly, it deposits Reservoir 21 can also include Memory Controller, to provide the access of processor 24 and input unit 22 to memory 21.
Input unit 22 can be used for receiving the number or character information of input, and generate and user setting and function control Make related keyboard, mouse, operating stick, optics or trackball signal input.Specifically, in a specific embodiment, Input unit 22 may include touch sensitive surface 221 and other input equipments 222.Touch sensitive surface 221, also referred to as touch display screen or Person's Trackpad, collecting the touch operation of user on it or nearby, (for example user uses any suitable object such as finger, stylus The operation of body or attachment on touch sensitive surface 221 or near touch sensitive surface 221), and phase is driven according to preset formula The attachment device answered.Optionally, touch sensitive surface 221 may include both touch detecting apparatus and touch controller.Wherein, it touches The touch orientation of detection device detection user is touched, and detects touch operation bring signal, transmits a signal to touch controller; Touch controller receives touch information from touch detecting apparatus, and is converted into contact coordinate, then gives processor 24, and The order that processor 24 is sent can be received and executed.Furthermore, it is possible to using resistance-type, condenser type, infrared ray and surface The multiple types such as sound wave realize touch sensitive surface 221.In addition to touch sensitive surface 221, input unit 22 can also include that other inputs are set Standby 222.Specifically, other input equipments 222 can include but is not limited to physical keyboard, function key (such as volume control button, Switch key etc.), trace ball, mouse, one of operating stick etc. or a variety of.
Display unit 23 can be used to display information entered by the user or provided to the user, as well as the terminal's various graphical user interfaces, which can be composed of graphics, text, icons, video and any combination of these. Display unit 23 may include display panel 231; optionally, display panel 231 can be configured in the form of a liquid crystal display (Liquid Crystal Display, LCD), an organic light-emitting diode (Organic Light-Emitting Diode, OLED), or the like. Further, touch-sensitive surface 221 can cover display panel 231; when touch-sensitive surface 221 detects a touch operation on or near it, it passes the operation to processor 24 to determine the type of touch event, and processor 24 then provides the corresponding visual output on display panel 231 according to the type of touch event. Although in Figure 8 touch-sensitive surface 221 and display panel 231 implement the input and output functions as two independent components, in some embodiments touch-sensitive surface 221 and display panel 231 can be integrated to implement the input and output functions.
Processor 24 is the control center of the terminal. It connects all parts of the entire mobile phone using various interfaces and lines, and performs the terminal's various functions and processes data by running or executing the software programs and/or modules stored in memory 21 and calling the data stored in memory 21, thereby monitoring the mobile phone as a whole. Optionally, processor 24 may include one or more processing cores; preferably, processor 27 can integrate an application processor and a modem processor, where the application processor mainly handles the operating system, user interface, application programs and so on, and the modem processor mainly handles wireless communication. It will be understood that the modem processor need not be integrated into processor 24.
The terminal further includes power supply 25 (such as a battery), which powers all the components. Preferably, the power supply can be logically connected to processor 24 through a power management system, so that functions such as charging management, discharging management and power consumption management are implemented through the power management system. Power supply 25 may also include any components such as one or more DC or AC power sources, a recharging system, a power failure detection circuit, a power adapter or inverter, and a power status indicator.
Although not shown, the terminal may also include a camera, a Bluetooth module and so on, which are not described here. Specifically, in this embodiment, processor 24 in the terminal executes, according to the following instructions, the executable files stored in memory 21 that correspond to the processes of one or more application programs, thereby implementing various functions:
Identify the first functions among all the functions that processor 24 calls when running the application program, a first function being a function that processor 24 must call for its own operation; record the information of the second functions, that is, of all functions called when processor 24 runs the application program other than the first functions; perform vulnerability analysis on the recorded information of the second functions, and prompt the user about information that has a security-policy defect. Because the first functions are the functions that processor 24 must call for its own operation, the method of this embodiment does not need to perform vulnerability analysis on processor 24's own operation, which saves analysis time for the application program; it also avoids prompting the user about vulnerabilities in processor 24's own operation, which reduces the false-positive rate of the vulnerability analysis.
In one specific embodiment, when identifying the first functions, processor 24 may disassemble the executable file that corresponds to processor 24 running the application program; determine the start address, end address and function name of each function in the disassembled executable file; and, if the function name of a determined function matches a preset function name of a function called for processor 24's own operation, identify that function as a first function. This yields the start and end addresses of the first functions, so when recording the information of the second functions, processor 24 records, among all the functions called while it runs the application program, the information of the functions outside these addresses.
In another specific embodiment, when an application program needs to be analyzed, processor 24 may first load the application program's executable file into memory 21 and execute the loaded executable file, then record the information of the second functions, and finally perform taint analysis and/or boundary-condition analysis on the recorded information of the second functions, where:
For taint analysis, processor 24 mainly assigns a corresponding taint label to the parameters of each function among the second functions; if the propagation of the parameter corresponding to a taint label, while processor 24 runs the application program, does not conform to a preset policy, a user prompt is given at the second function corresponding to that taint label. For boundary-condition analysis, if the information corresponding to a conditional statement in the information of the second functions does not meet the boundary condition specified by that conditional statement, processor 24 prompts the user about the information that does not meet the boundary condition.
Further, in one concrete implementation, processor 24 may perform boundary-condition analysis first. If a user prompt has been given, processor 24 may also, for a conditional statement in the information of the second functions, place the statement operations that correspond to meeting the boundary condition specified by that conditional statement under the conditional statement, eliminating the error in the statement logic; taint analysis can then be performed, specifically on the information of the second functions after this reorganization.
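The identification and recording steps and the taint-label check described above can be sketched as follows. This is an added example, not code from the patent: the function table, preset name list, policy, trace format and the rule that a result inherits the labels of all arguments are constructed assumptions.

```python
import bisect
from collections import namedtuple

Func = namedtuple("Func", "name start end")  # end address is inclusive
# Constructed function table, standing in for the disassembler's output.
FUNCS = [
    Func("_start", 0x1000, 0x103F),
    Func("__libc_csu_init", 0x1040, 0x10BF),
    Func("read_request", 0x10C0, 0x11FF),
    Func("copy_field", 0x1200, 0x12FF),
    Func("log_line", 0x1300, 0x137F),
]
# Assumed preset names of functions the system calls for its own operation.
PRESET = {"_start", "__libc_csu_init"}
# Assumed policy: taint labels that must not reach the named function.
POLICY = {
    "copy_field": {"read_request.arg0"},
    "__libc_csu_init": {"read_request.arg0"},
}
# Constructed trace: (address inside the called function, argument variables, result).
TRACE = [
    (0x1004, ("argc",), None),
    (0x10D0, ("sockbuf",), "req"),
    (0x1050, ("req",), None),
    (0x1210, ("req", "dst"), "n"),
    (0x1310, ("n",), None),
    (0x9000, ("x",), None),
]

def record_second(trace, funcs, preset):
    """Return (name, args, ret) for every event outside the first functions' ranges."""
    table = sorted(funcs, key=lambda f: f.start)
    starts = [f.start for f in table]
    kept = []
    for addr, args, ret in trace:
        i = bisect.bisect_right(starts, addr) - 1
        inside = i >= 0 and addr <= table[i].end
        if inside and table[i].name in preset:
            continue  # first function: not recorded, not analyzed
        # Unmapped addresses are kept under a synthetic name, not silently dropped.
        name = table[i].name if inside else "sub_%x" % addr
        kept.append((name, args, ret))
    return kept

def taint_findings(records, policy):
    """Label every parameter, propagate labels to results, report policy violations."""
    labels, findings = {}, []
    for name, args, ret in records:
        incoming = set()
        for var in args:
            incoming |= labels.get(var, set())
        for bad in sorted(incoming & policy.get(name, set())):
            findings.append((name, bad))
        for i, var in enumerate(args):
            labels.setdefault(var, set()).add("%s.arg%d" % (name, i))
        if ret is not None:
            # Assumed propagation rule: a result carries the labels of all arguments.
            labels[ret] = set().union(*(labels[v] for v in args))
    return findings

def analyze(trace, funcs, preset, policy):
    return taint_findings(record_second(trace, funcs, preset), policy)
```

Calling `analyze` with an empty preset set also reports the flow into `__libc_csu_init`, which is the kind of prompt about the system's own operation that the filtering step is meant to suppress.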
Those of ordinary skill in the art will appreciate that all or part of the steps in the various methods of the above embodiments can be completed by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium, and the storage medium may include read-only memory (ROM), random-access memory (RAM), a magnetic disk, an optical disc, or the like.
The vulnerability analysis method and device provided by the embodiments of the present invention have been described in detail above. Specific examples are used herein to explain the principle and implementation of the invention, and the description of the above embodiments is only intended to help in understanding the method of the invention and its core idea; meanwhile, for those of ordinary skill in the art, the specific implementation and the scope of application may change according to the idea of the invention. In summary, the content of this specification should not be construed as limiting the invention.

Claims (12)

1. A vulnerability analysis method, characterized by comprising:
A vulnerability analysis device identifies the first functions among all the functions that a computer system calls when running an application program, a first function being a function that the computer system must call for its own operation;
The vulnerability analysis device records the information of the second functions, that is, of the functions among all those called when the computer system runs the application program that lie outside the start addresses and end addresses of the first functions;
The vulnerability analysis device performs vulnerability analysis on the information of the second functions and prompts the user about information that has a security-policy defect.
2. The method of claim 1, characterized in that identifying the first functions among all the functions that the computer system calls when running the application program specifically comprises:
Disassembling the executable file that corresponds to the computer system running the application program;
Determining the start address, end address and function name of each function in the disassembled executable file;
If the function name of a function matches a preset function name of a function called for the computer system's own operation, identifying that function as a first function.
3. The method of claim 1 or 2, characterized in that performing vulnerability analysis on the information of the second functions specifically comprises:
Assigning a corresponding taint label to the parameters of each function among the second functions;
If the propagation of the parameter corresponding to a taint label, while the computer system runs the application program, does not conform to a preset policy, giving a user prompt at the second function corresponding to that taint label.
4. The method of claim 1 or 2, characterized in that performing vulnerability analysis on the information of the second functions specifically comprises:
If the information corresponding to a conditional statement in the information of the second functions does not meet the boundary condition specified by that conditional statement, prompting the user about the information that does not meet the boundary condition.
5. The method of claim 4, characterized in that the method further comprises: in the information of the second functions, placing the statement operations that correspond to meeting the boundary condition specified by the conditional statement under that conditional statement.
6. The method of claim 1 or 2, characterized in that, before identifying the first functions among all the functions that the computer system calls when running the application program, the method further comprises:
Loading the executable file of the application program into the memory of the computer system and executing the loaded executable file.
7. A vulnerability analysis device, characterized by comprising:
A recognition unit, for identifying the first functions among all the functions that a computer system calls when running an application program, a first function being a function that the computer system must call for its own operation;
A recording unit, for recording the information of the second functions, that is, of the functions among all those called when the computer system runs the application program that lie outside the start addresses and end addresses of the first functions identified by the recognition unit;
An analysis unit, for performing vulnerability analysis on the information of the second functions and prompting the user about information that has a security-policy defect.
8. The device of claim 7, characterized in that the recognition unit specifically comprises:
A disassembly unit, for disassembling the executable file that corresponds to the computer system running the application program;
A function determination unit, for determining the start address, end address and function name of each function in the disassembled executable file;
A first-function recognition unit, for identifying a function as a first function if its function name matches a preset function name of a function called for the computer system's own operation.
9. The device of claim 7 or 8, characterized in that the analysis unit specifically comprises:
A label allocation unit, for assigning a corresponding taint label to the parameters of each function among the second functions;
A first prompt unit, for giving a user prompt at the second function corresponding to a taint label if the propagation of the parameter corresponding to that taint label, while the computer system runs the application program, does not conform to a preset policy.
10. The device of claim 7 or 8, characterized in that the analysis unit specifically comprises:
A second prompt unit, for prompting the user about the information that does not meet the boundary condition if the information corresponding to a conditional statement in the information of the second functions does not meet the boundary condition specified by that conditional statement.
11. The device of claim 10, characterized by further comprising: a reorganization unit, for placing, in the information of the second functions, the statement operations that correspond to meeting the boundary condition specified by the conditional statement under that conditional statement.
12. The device of claim 7 or 8, characterized by further comprising:
An execution unit, for loading the executable file of the application program into the memory of the computer system and executing the loaded executable file.
CN201310495759.7A 2013-10-21 2013-10-21 A kind of leak analysis method and apparatus Active CN104573522B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310495759.7A CN104573522B (en) 2013-10-21 2013-10-21 A kind of leak analysis method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310495759.7A CN104573522B (en) 2013-10-21 2013-10-21 A kind of leak analysis method and apparatus

Publications (2)

Publication Number Publication Date
CN104573522A CN104573522A (en) 2015-04-29
CN104573522B true CN104573522B (en) 2018-12-11

Family

ID=53089560

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310495759.7A Active CN104573522B (en) 2013-10-21 2013-10-21 A kind of leak analysis method and apparatus

Country Status (1)

Country Link
CN (1) CN104573522B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant