CN105224868B - Detection method and device for system vulnerability attacks - Google Patents
Abstract
The invention discloses a detection method and device for system vulnerability attacks. According to one aspect of an embodiment of the invention, the detection method includes: obtaining the operation information of the operation currently being performed in the system by an account that does not hold the system's highest permission; judging whether the operation indicated by the operation information modifies the account's permission from non-highest permission to the system's highest permission; and, if it does, judging that a vulnerability attack exists in the system. The invention solves the problem of low detection accuracy when detecting privilege-escalation vulnerability attacks in the prior art, and achieves accurate, real-time detection of system vulnerability attacks.
Description
Technical field
The present invention relates to the field of vulnerability detection, and in particular to a detection method and device for system vulnerability attacks.
Background technique
When a hacker attacks a system, a privilege-escalation vulnerability can be used to obtain the highest permission of the system and thereby gain control of the server. Using such a vulnerability, a hacker can easily break through common driver-level firewalls and bypass most active-defense software, directly threatening the information security of computer users.
Briefly, a privilege-escalation vulnerability lets an account that originally had very low, heavily restricted permissions be raised to the system's supreme permission (such as administrator rights). Permission control is the cornerstone of system security and of all security software; once that threshold is broken, every defensive measure becomes ineffective. A privilege-escalation attack is one in which a hacker uses a system privilege-escalation vulnerability to raise their own permission: from the lowest privilege the hacker can attack directly into the system kernel, or even attack the system while bypassing its user-permission controls. Once the hacker's privilege has been escalated to the highest permission of the system (such as administrator rights), the hacker can operate on any file in the operating system, plant Trojans, control the machine and manipulate any file in the system, leaving the system in a very unsafe state.
In the prior art, privilege-escalation attacks can be found by data analysis. Specifically, data on system processes can be collected and sent to a dedicated data-analysis system, which detects privilege-escalation attacks by observing changes in process permissions: the permission of a process is recorded when the process starts, and the process is judged to be a privilege-escalation attack when the permission of the user associated with the process later changes. However, many legitimate users also switch permissions; if every permission switch is judged to be a privilege-escalation attack, many legitimate users are restricted. Moreover, a hacker's privilege-escalation attack does not necessarily escalate by switching the permission of a process, so this method is prone to many missed detections and false detections.
In the prior art, hacking tools can also be detected by the features of privilege-escalation attack tools. Specifically, using a method similar to virus scanning, system files are scanned and privilege-escalation vulnerabilities are detected by matching the features of known hacking tools. Because matching is only against known hacking tools, this method cannot detect unknown hacking tools; it is very passive, suffers from strong lag, and has a high miss rate.
No effective solution has yet been proposed for the above problem of low detection accuracy when detecting privilege-escalation vulnerability attacks.
Summary of the invention
Embodiments of the invention provide a detection method and device for system vulnerability attacks, at least to solve the problem of low detection accuracy when detecting privilege-escalation vulnerability attacks.
According to one aspect of an embodiment of the invention, a detection method for system vulnerability attacks is provided. The detection method includes: obtaining the operation information of the operation currently being performed in the system by an account that does not hold the system's highest permission; judging whether the operation indicated by the operation information modifies the account's permission from non-highest permission to the system's highest permission; and, if it does, judging that a vulnerability attack exists in the system.
According to another aspect of an embodiment of the invention, a detection device for system vulnerability attacks is also provided. The detection device includes: a first acquisition module, for obtaining the operation information of the operation currently being performed in the system by an account that does not hold the system's highest permission; a first judgment module, for judging whether the operation indicated by the operation information modifies the account's permission from non-highest permission to the system's highest permission; and a first determining module, for judging that a vulnerability attack exists in the system if the operation indicated by the operation information modifies the account's permission from non-highest permission to the system's highest permission.
With embodiments of the invention, the operation information of operations currently being performed in the system by accounts without the system's highest permission is analysed, and whether a vulnerability attack exists in the system is judged by whether the operation indicated by the operation information modifies the account's permission from non-highest permission to the system's highest permission. This does not depend on analysing changes in the permission state of processes, so it does not misjudge the normal permission switching of legitimate users. As long as an account without the system's highest permission performs an operation that modifies its permission from non-highest permission to the system's highest permission, a vulnerability attack can be judged to exist in the system, without detecting vulnerability attacks by the features of privilege-escalation attacks. Detection is therefore not limited to privilege-escalation attacks that have already been discovered and can detect vulnerability attacks unknown in the prior art, making the detection of vulnerability attacks more accurate. This solves the problem of low detection accuracy when detecting privilege-escalation vulnerability attacks in the prior art and achieves accurate detection of system vulnerability attacks.
Detailed description of the invention
The drawings described here provide a further understanding of the invention and form part of this application; the illustrative embodiments of the invention and their descriptions explain the invention and do not unduly limit it. In the drawings:
Fig. 1 is a flowchart of a detection method for system vulnerability attacks according to an embodiment of the invention;
Fig. 2 is a flowchart of an optional method of obtaining system call information according to an embodiment of the invention;
Fig. 3 is a structural schematic diagram of the implementation environment involved when a hacker performs a privilege-escalation attack on a server, according to an embodiment of the invention;
Fig. 4 is a flowchart of an optional detection method for system vulnerability attacks according to an embodiment of the invention;
Fig. 5 is a schematic diagram of a detection device for system vulnerability attacks according to an embodiment of the invention;
Fig. 6 is a schematic diagram of an optional detection device for system vulnerability attacks according to an embodiment of the invention; and
Fig. 7 is a structural block diagram of a terminal according to an embodiment of the invention.
Specific embodiment
To help those skilled in the art better understand the solution of the invention, the technical solution in the embodiments of the invention is described clearly and completely below with reference to the accompanying drawings. Clearly, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by persons of ordinary skill in the art on the basis of the embodiments of the invention, without creative work, fall within the scope of protection of the invention.
It should be noted that the terms "first", "second" and so on in the specification, claims and drawings are used to distinguish similar objects, not to describe a particular order or sequence. Data so used are interchangeable where appropriate, so that the embodiments of the invention described here can be implemented in sequences other than those illustrated or described. In addition, the terms "comprising" and "having", and any variants of them, are intended to cover non-exclusive inclusion: for example, a process, method, system, product or device comprising a series of steps or units is not necessarily limited to the steps or units clearly listed, but may include other steps or units that are not clearly listed or are inherent to the process, method, product or device.
Embodiment 1
According to an embodiment of the invention, an embodiment of a detection method for system vulnerability attacks is provided. Note that the steps shown in the flowcharts of the drawings may be executed in a computer system such as a set of computer-executable instructions, and, although a logical order is shown in the flowcharts, in some cases the steps shown or described may be executed in an order different from the one given here.
According to an embodiment of the invention, a detection method for system vulnerability attacks is provided. As shown in Fig. 1, the detection method may be implemented by the following steps:
Step S102: obtain the operation information of the operation currently being performed in the system by an account without the system's highest permission.
Step S104: judge whether the operation indicated by the operation information modifies the account's permission from non-highest permission to the system's highest permission.
Step S106: if the operation indicated by the operation information modifies the account's permission from non-highest permission to the system's highest permission, judge that a vulnerability attack exists in the system.
Specifically, after step S104, if the operation indicated by the operation information is not one that modifies the account's permission from non-highest permission to the system's highest permission, it is judged that no vulnerability attack exists in the system.
With this embodiment, the operation information of operations currently being performed in the system by accounts without the system's highest permission is analysed, and whether a vulnerability attack exists is judged by whether the indicated operation modifies the account's permission from non-highest permission to the system's highest permission. Because this does not depend on analysing changes in the permission state of processes, the normal permission switching of legitimate users is not misjudged; and because any such operation performed by an account without the system's highest permission is enough to judge that a vulnerability attack exists, detection does not rely on the features of privilege-escalation attacks, is not limited to attacks already discovered, and can detect vulnerability attacks unknown in the prior art. Detection is therefore more accurate, which solves the problem of low detection accuracy for privilege-escalation vulnerability attacks in the prior art and achieves accurate detection of system vulnerability attacks.
With this embodiment, the detection of vulnerability attacks can be completed without sending the operation information to a dedicated data-analysis system, which also shortens the time needed to detect a vulnerability attack.
In the above embodiment of the invention, when it is determined that a vulnerability attack exists in the system, warning information can be output and an alarm log generated.
In the above embodiment, the non-highest permission is non-root permission and the system's highest permission is root permission. The above embodiment of the invention can be applied to operating systems such as Linux and Unix. The application of the invention to a Linux system is described in detail below.
Linux is a multi-user, multitasking operating system that supports multithreading and multiple CPUs (processors). It is based on POSIX (the Portable Operating System Interface) and Unix, a time-sharing, multitasking, multi-user operating system that supports various processor architectures. Linux can run the main Unix tool software, application programs and network protocols, and supports 32-bit and 64-bit hardware.
Specifically, in a Linux system, the operation information of the operation currently being performed by an account without the system's highest permission is obtained, and it is judged whether the operation indicated by the operation information promotes the account's permission; specifically, whether it modifies the account's permission from non-highest permission to the system's highest permission. If the operation indicated by the operation information modifies the account's permission from non-highest permission to the system's highest permission, it is judged that a vulnerability attack exists in the system; if it does not, it is judged that no vulnerability attack exists in the system.
The non-highest permission in the above embodiment is non-root permission. Root permission is the highest permission in the system: the root user is the superuser administrator account in a Linux system, holds supreme authority over the whole system, and can operate on every object. Many hacker attacks therefore need to promote a user with non-root permission to a user with root permission. Obtaining root permission means obtaining the highest permission of the system; a user with root permission can create, delete, modify and read any file in the system.
In the above embodiment of the invention, obtaining the operation information of the operation currently being performed in the system by an account without the system's highest permission may include: obtaining that operation information in response to the operation; or obtaining, every predetermined period, the operation information of the operation currently being performed in the system by the account without the system's highest permission.
With this embodiment the operation information can be obtained in real time, so that vulnerability attacks are detected promptly.
In the above embodiment of the invention, judging whether the operation indicated by the operation information modifies the account's permission from non-highest permission to the system's highest permission may include: obtaining predetermined operation information, which is preset operation information for modifying an account's permission from non-highest permission to the system's highest permission; matching the predetermined operation information against the operation information in order to judge whether the indicated operation modifies the account's permission from non-highest permission to the system's highest permission; if the predetermined operation information matches the operation information, judging that the indicated operation does modify the account's permission from non-highest permission to the system's highest permission; and if they do not match, judging that it does not.
The predetermined operation information is thus operation information, set in advance, for modifying an account's permission from non-highest permission to the system's highest permission. That is, if an account without the system's highest permission performs an operation recorded in the predetermined operation information, it can be determined that the account has performed an operation that modifies its permission from non-highest permission to the system's highest permission.
Specifically, the system call information of the system can be obtained. System call information is the data generated while the system calls kernel functions, and it may include the operation information of the operation currently being performed by the account without the system's highest permission. The predetermined operation information is then matched against that operation information: if they match, it is judged that the account without the system's highest permission has performed an operation modifying its permission from non-highest permission to the system's highest permission; if they do not match, it is judged that the account has not performed such an operation.
A system call in the above embodiment proceeds as follows: the application program's request is passed to the system kernel, the corresponding kernel function is called to complete the processing the request asks for, and the processing result is returned to the application program. A series of data is generated in this process; in the above embodiment of the invention, the data generated during system calls are collected in real time, and the system call data may include the operation information described above. Specifically, the operation information of the operation currently being performed in the system by the account without the system's highest permission can be obtained in response to the operation in the system call, or, every predetermined period, from the system call data.
In the above embodiment of the invention, a system call is a request by a program running in user space (for example on a computer) to the operating system kernel for a service that needs higher permission to run; system calls provide the interface between user programs and the operating system.
The application of the embodiment of the invention to a Linux system is described in detail below with reference to Fig. 2.
Specifically, the system call information of the Linux system can be obtained in real time, the predetermined operation information is matched against the operation information of the operation currently being performed by the account without the system's highest permission contained in the system call information, and the matching result determines whether that account has performed an operation modifying its permission from non-highest permission to the system's highest permission.
In the above embodiment of the invention, the matching of predetermined operation information against operation information can be performed by the auditing service of the Linux system. The auditing service works with logged events, such as the records of system calls and file accesses in Linux; a system administrator can evaluate these logs to determine possible security breaches in the system, for example failed login attempts or unsuccessful user access to system files.
Specifically, as shown in Fig. 2, the step of matching predetermined operation information against operation information in the above embodiment of the invention can be implemented as follows:
Step S202: modify the first configuration file of the first monitoring program of the Linux system using the predetermined operation information, obtaining a second monitoring program.
Specifically, the first monitoring program in the above embodiment can be the audit service (auditd) of the Linux system. auditd is the kernel event auditing system of Linux: system kernel events are recorded according to the rules configured in the service's configuration file (the first monitoring program in the above embodiment). /etc/audit.rules is the first configuration file mentioned above, and it may by default be an empty file. In the above embodiment of the invention, the first configuration file is modified with the predetermined operation information to obtain a second configuration file (a configuration file carrying the predetermined operation information), and thus the second monitoring program.
In the audit service of the Linux system, the predetermined operation information of the above embodiment takes the concrete form of configuration rules.
Step S204: execute the second monitoring program in the Linux system.
Specifically, after the second monitoring program has been obtained, the audit service (auditd) of the Linux system is restarted so that the second monitoring program runs; the second monitoring program then begins to record the system's calling processes and writes them to the log.
Step S206: judge whether the operation information of the account without the system's highest permission in the system call information matches the predetermined operation information.
If the operation information matches the predetermined operation information, it is determined that the account without the system's highest permission has performed an operation modifying its permission from non-highest permission to the system's highest permission, and step S208 is executed; if the predetermined operation information and the operation information do not match, it is determined that the account has not performed such an operation, and execution continues with step S204.
Step S208: record the calling process corresponding to the operation information.
Specifically, the calling process can be analysed periodically by generating audit reports and searching the log.
The above embodiment of the invention is described in detail below with reference to Fig. 3 and Fig. 4.
Fig. 3 shows the structural schematic diagram of the implementation environment involved when a hacker performs a privilege-escalation attack on a server. As shown in Fig. 3, the environment may include an account terminal 10 and a server 20. Specifically, a hacker may carry out a privilege-escalation attack on the server 20 through the account terminal 10. The processor in the server 20 starts the second monitoring program, matches operation information in the system call data of the server's system, and judges whether the operation information of the operation currently being performed by the account without the system's highest permission, as recorded in the system call information, matches the predetermined operation information carried in the second monitoring program. If it matches, the operation currently being performed by that account is determined to belong to a hacker's privilege-escalation attack, a vulnerability attack is determined to exist in the system, an alarm is output and an alarm log is generated.
The account terminal 10 and the server 20 communicate over a network, which may be a wireless or a wired network. The server may be a Linux server.
The account terminal in the above embodiment may be a mobile terminal or a personal computer.
Fig. 4 is a flowchart of an optional detection method for system vulnerability attacks according to an embodiment of the invention. As shown in Fig. 4, the method can be implemented as follows:
Step S402: modify the first configuration file of the first monitoring program using the predetermined operation information to obtain the second monitoring program.
Specifically, this step is implemented in the same way as step S202 above and is not described again here.
Step S404: start the second monitoring program on the Linux server.
Specifically, this step is implemented in the same way as step S204 above and is not described again here.
Step S406: obtain the system call information of the system.
The system call information includes the operation information of the operation currently being performed by a user without the system's highest permission.
Step S408: judge whether the operation currently being performed by the user without the system's highest permission modifies the account's permission from non-highest permission to the system's highest permission.
Specifically, this can be implemented by the second monitoring program judging whether the operation information matches the predetermined operation information. If the operation information matches the predetermined operation information, it is judged that the current operation modifies the account's permission from non-highest permission to the system's highest permission; the operation currently being performed by the account without the system's highest permission is confirmed to be a privilege-escalation vulnerability attack operation, and step S410 is executed: confirm that a vulnerability attack exists in the system. If the operation information does not match the predetermined operation information, it is judged that the current operation does not modify the account's permission from non-highest permission to the system's highest permission; the operation currently being performed by the account without the system's highest permission is confirmed not to be a privilege-escalation vulnerability attack operation, and step S412 is executed: confirm that no vulnerability attack exists in the system.
Step S414: output warning information that a vulnerability attack exists in the system.
Step S416: generate an alarm log.
Specifically, the auditd service in the server writes the acquired warning information (i.e. the audit messages) to /var/log/audit.log. The alarm log is a text file; its format is the format in which the messages were received from the kernel, and its order may also be the order in which they were received. The alarm log may include the audit event ID, file name, UID, message type, system call name and similar information.
The predetermined operation information in the above embodiments can take the following format: -a reports messages about the access vector cache (AVC); -f reports messages about files; -s reports messages about system calls.
Specifically, -t can also be used to show events at or before a specific time, where the date and time of your location are given in numeric format and the time is in 24-hour format. The auditing service can match the corresponding options in the predetermined operation information to obtain a matching result.
In the above embodiments, the auditd service writes the information generated by the system kernel during monitoring (i.e. the system call information of the above embodiments) to the hard disk; this information is generated by application programs and by the system activity they trigger.
In the above embodiment of the present invention, judging whether the operation indicated by the operation information modifies the account's permission from non-highest system permission to the highest system permission may include: judging whether the process used by the account executes an operation that modifies the account's permission from non-highest system permission to the highest system permission; if the process used by the account executes such an operation, judging that the operation indicated by the operation information modifies the account's permission from non-highest system permission to the highest system permission; otherwise, judging that the operation indicated by the operation information does not modify the account's permission from non-highest system permission to the highest system permission.
In an optional embodiment of the present invention, judging whether the process used by the account executes an operation that modifies the account's permission from non-highest system permission to the highest system permission may include: judging whether the process used by the account executes an operation that writes vulnerability attack code to a preset address, where the vulnerability attack code is the code for the operation of modifying the account's permission from non-highest system permission to the highest system permission. If the process used by the account executes the operation of writing vulnerability attack code to the preset address, it is judged that the process executes an operation that modifies the account's permission from non-highest system permission to the highest system permission; if the process used by the account does not execute the operation of writing vulnerability attack code to the preset address, it is judged that the process does not execute an operation that modifies the account's permission from non-highest system permission to the highest system permission.
The preset address can be the address segment whose starting address is memory address 0, and the operation of writing the vulnerability attack code to the preset address can be realized by calling a mapping function.
In the above embodiment of the present invention, it is monitored whether the process used by a non-root account (i.e. an account with non-highest system permission) calls the system's mapping function to write vulnerability attack code to memory address 0, in order to judge whether the operation elevates user permission. If so, the operation is confirmed to be one that elevates user permission (i.e. an operation that modifies the account's permission from non-highest system permission to the highest system permission), the process is a privilege-escalation vulnerability attack process, and it is confirmed that a privilege-escalation vulnerability attack exists in the system.
In the Linux application scenario, the first configuration file of the first monitoring program can be modified in the Linux system by adding the above predetermined operation information (i.e. the audit rule) to the first configuration file, which yields the second configuration file. Specifically, the predetermined operation information can be: a non-root account uses the mmap function to map the first parameter of the vulnerability attack code to memory address 0.
The mmap function maps a file or other object into memory. Memory address 0 is the starting address of the mapping area, i.e. the address at which the first byte of the mapped file or object is placed; memory address 0x0 is the hexadecimal notation and memory address 0 the decimal notation of the same memory address.
In this embodiment, the predetermined operation information expressed in code may include: the account ID of the account with non-highest system permission is not zero, the mapping address of the first parameter of the mapping function call is the zero address, and the mapping operation succeeds. For example:
auditctl -a exit,always -S mmap2 -F uid!=0 -F a0=0 -F a2=7 -F success=1
Here, -a indicates reporting messages about the access vector cache (AVC); in this embodiment it is exit,always, i.e. the monitoring thread is started as soon as the call of the system kernel function completes. -S reports messages about system calls; in this embodiment it is mmap2, i.e. the system kernel function called is the mapping function, whose working principle was described in the above embodiment and is not repeated here. -F reports messages about files; the above embodiment includes four file messages. The first is uid!=0, where uid is the account ID of the above embodiment and ID is the identity number: the account ID of the account with non-highest system permission is not equal to zero, while the account ID (i.e. uid) of the root account in the Linux system (i.e. the account with the highest system permission) is equal to zero. The second is a0=0, where a0 is the mapping address of the first parameter mapped when the mmap function is called; this mapping address is address 0. The third is -F a2=7, which indicates that the mapping address of the third parameter of the mmap function call (i.e. memory address 7) is readable, writable and executable. The fourth is success=1, which indicates that the mapping action succeeded.
In the above embodiments, if the operation information of a map operation meets the above predetermined operation information, kernel code (the vulnerability attack code of the above embodiments) has been mapped by mmap to address 0x0, and a hacking tool could then execute malicious shellcode (the vulnerability attack code of the above embodiments) by triggering a kernel BUG (i.e. the vulnerability). The map operation is therefore judged to be a vulnerability attack operation, and it is determined that a vulnerability attack has occurred in the system. The vulnerability attack code may also include code that tampers with system files.
For vulnerabilities of the kernel null pointer dereference type, a privilege-escalation attack on the vulnerability can be realized through the above map operation.
Specifically, monitoring whether the process used by a non-root account (i.e. an account with non-highest system permission) calls the system's mapping function to write vulnerability attack code to memory address 0 can be done as follows: extract from the operation information the account ID of the account with non-highest system permission, the mapping address of the first mapped parameter, and the execution result of the map operation; judge whether the mapping address of the first parameter is the zero address, whether the execution result of the map operation indicates success, and whether the account ID is non-zero. If the mapping address of the first parameter is the zero address, the execution result of the map operation indicates success and the account ID is non-zero, the operation information is judged to be consistent with the predetermined operation information; if any one of these three conditions does not hold, the operation information is judged to be inconsistent with the predetermined operation information.
In another optional embodiment of the present invention, judging whether the process used by the account executes an operation that modifies the account's permission from non-highest system permission to the highest system permission may include: judging whether the process used by the account executes an operation that modifies the account's account ID to a preset value. If the process used by the account executes the operation of modifying the account ID to the preset value, it is judged that the process executes an operation that modifies the account's permission from non-highest system permission to the highest system permission; if the process used by the account does not execute the operation of modifying the account ID to the preset value, it is judged that the process does not execute an operation that modifies the account's permission from non-highest system permission to the highest system permission.
The preset value corresponds to the highest system permission and can be zero; the operation of modifying the account's account ID to the preset value can be realized by calling an identity setting function.
In the embodiment of the present invention, it is monitored whether the process used by a non-root account (i.e. an account with non-highest system permission) calls the system kernel's identity setting function to modify the account's account ID to the preset value, in order to judge whether the operation elevates user permission. If so, the operation is confirmed to be one that elevates user permission (i.e. an operation that modifies the account's permission from non-highest system permission to the highest system permission), the process is a privilege-escalation vulnerability attack process, and it is confirmed that a privilege-escalation vulnerability attack exists in the system.
In the Linux application scenario, the first configuration file is modified in the Linux system by adding the above predetermined operation information (i.e. the audit rule) to it, which yields the second configuration file. Specifically, the predetermined operation information can be: a non-root account switches the account's permission to root permission using the identity setting function (i.e. the setuid function).
The setuid function is the function that sets the uid; it can set both the real account ID and the effective account ID. Specifically, in a Linux system, if a non-root account (a non-root account whose euid=0, i.e. whose effective account ID is zero) calls this function and the account ID of the current account is modified to uid=0, the non-root account is turned into a root account.
In the above embodiment of the present invention, the predetermined operation information expressed in code may include: the account ID of the account with non-highest system permission is not zero and the identity change operation succeeds. For example:
auditctl -a exit,always -S setuid32 -F uid!=0 -F euid=0 -F success=1
Here, -a indicates reporting messages about the access vector cache (AVC); in this embodiment it is exit,always, i.e. the monitoring thread is started as soon as the call of the system kernel function completes. -S reports messages about system calls; in this embodiment it is setuid32, i.e. the system kernel function called is the identity setting function (setuid), whose working principle was described in the above embodiment and is not repeated here; the 32 indicates 32-bit hardware. -F reports messages about files; the above embodiment includes three file messages. The first is uid!=0, where uid is the account ID of the account in the above embodiment and ID is the identity number: the account ID of the account with non-highest system permission is not equal to zero, while the account ID (i.e. uid) of the root account in the Linux system (i.e. the account with the highest system permission) is equal to zero. The second, -F euid=0, indicates that the effective account ID of the current account is zero. The third is success=1, which indicates that the identity change operation succeeded (the function called to modify the uid succeeded). The identity change action in the above embodiment is the action of changing the account ID.
In the above embodiments, if the operation information of an identity change operation meets the above predetermined operation information, it is determined that the account with non-highest system permission has modified its permission to root permission, i.e. through a vulnerability attack the current account has obtained root permission (its uid has been modified to 0); the process has obtained root permission through the setuid function in order to start a shell (command interpreter) process and carry out subsequent attack operations. The operation is therefore judged to be a vulnerability attack operation, and it is determined that a vulnerability attack has occurred in the system.
It should further be noted that judging whether the account executes the operation of modifying the account's account ID to the preset value may include: extracting, from the operation information of the account with non-highest system permission in the system call information, the account ID and the execution result of the identity change operation; judging whether the account ID is non-zero and whether the execution result of the identity change operation indicates success; if the account ID is non-zero and the execution result of the identity change operation indicates success, judging that the predetermined operation information is consistent with the operation information; if the account ID is zero and/or the execution result of the identity change operation indicates failure, judging that the predetermined operation information is inconsistent with the operation information.
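As an added example that is not part of the patent, the following Python matcher applies the two predetermined operation rules described above (the mmap2 rule and the setuid32 rule) to audit SYSCALL records and reports the events that would be judged privilege-escalation attacks. The log lines, process IDs and the i386 syscall numbers used to stand in for the -S names are constructed assumptions, not captures from a real system.

```python
"""Added example (not code from the patent): apply the two predetermined operation
rules described in the text to Linux audit SYSCALL records.
  rule 1: mmap2    with uid!=0, a0=0, a2=7, success   -> attack code mapped to address 0
  rule 2: setuid32 with uid!=0, euid=0, success       -> non-root account switched to root
The log lines below are constructed for illustration; the syscall numbers assume
the i386 ABI (arch=40000003), where mmap2 is 192 and setuid32 is 213."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

I386_MMAP2 = 192      # "-S mmap2" in the page's auditctl rule (i386 number, assumed)
I386_SETUID32 = 213   # "-S setuid32" in the page's auditctl rule (i386 number, assumed)


@dataclass
class Rule:
    name: str
    syscall: int
    checks: Dict[str, Callable[[str], bool]]  # audit field name -> predicate on its raw value


RULES = [
    # auditctl -a exit,always -S mmap2 -F uid!=0 -F a0=0 -F a2=7 -F success=1
    Rule("mmap2_to_address_0", I386_MMAP2, {
        "uid": lambda v: int(v) != 0,        # caller is a non-root account
        "a0": lambda v: int(v, 16) == 0,     # first mmap argument (the address) is 0
        "a2": lambda v: int(v, 16) == 7,     # third argument is 7: readable, writable, executable
        "success": lambda v: v == "yes",     # the mapping succeeded
    }),
    # auditctl -a exit,always -S setuid32 -F uid!=0 -F euid=0 -F success=1
    Rule("setuid32_to_root", I386_SETUID32, {
        "uid": lambda v: int(v) != 0,        # real uid is still non-root
        "euid": lambda v: int(v) == 0,       # effective uid is now root
        "success": lambda v: v == "yes",     # the identity change succeeded
    }),
]

# Constructed sample records in the kernel's key=value SYSCALL format (not real captures).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1400000000.001:101): arch=40000003 syscall=192 success=yes exit=0 a0=0 a1=1000 a2=7 a3=32 pid=4321 uid=1000 euid=1000 comm="exploit" exe="/tmp/exploit"
type=SYSCALL msg=audit(1400000000.002:102): arch=40000003 syscall=192 success=yes exit=3084451840 a0=0 a1=1000 a2=3 a3=22 pid=4322 uid=1000 euid=1000 comm="python" exe="/usr/bin/python"
type=PATH msg=audit(1400000000.002:102): item=0 name="/lib/libc.so.6" inode=1234
type=SYSCALL msg=audit(1400000000.003:103): arch=40000003 syscall=213 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 pid=4321 uid=1000 euid=0 comm="exploit" exe="/tmp/exploit"
type=SYSCALL msg=audit(1400000000.004:104): arch=40000003 syscall=213 success=no exit=-1 a0=0 a1=0 a2=0 a3=0 pid=4400 uid=1001 euid=1001 comm="su" exe="/bin/su"
type=SYSCALL msg=audit(1400000000.005:105): arch=40000003 syscall=213 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 pid=1 uid=0 euid=0 comm="init" exe="/sbin/init"
"""

_EVENT_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_syscall_record(line: str) -> Optional[dict]:
    """Split one type=SYSCALL line into a field dict (quotes stripped); other types give None."""
    if not line.startswith("type=SYSCALL"):
        return None
    m = _EVENT_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
    fields["event_id"] = int(m.group(1))
    return fields


def rule_matches(rule: Rule, rec: dict) -> bool:
    """True only when the syscall number and every filter field of the rule agree."""
    try:
        if int(rec["syscall"]) != rule.syscall:
            return False
        return all(check(rec[name]) for name, check in rule.checks.items())
    except (KeyError, ValueError):
        return False  # a missing or malformed field never counts as a match


def detect(log_text: str) -> List[Tuple[int, str, int]]:
    """Return (event_id, rule_name, pid) for each record judged a privilege-escalation attack."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_syscall_record(line)
        if rec is None:
            continue
        for rule in RULES:
            if rule_matches(rule, rec):
                hits.append((rec["event_id"], rule.name, int(rec["pid"])))
    return hits


def warning_messages(log_text: str) -> List[str]:
    """Warning information as in step S414: one line per detected attack operation."""
    return ["vulnerability attack detected: event %d pid %d matched rule %s" % (e, p, r)
            for e, r, p in detect(log_text)]


if __name__ == "__main__":
    for msg in warning_messages(SAMPLE_LOG):
        print(msg)
```

Events 101 (mmap to address 0 with prot 7 by uid 1000) and 103 (successful setuid32 leaving euid 0 for uid 1000) are reported; the mapping with prot 3, the failed setuid and the call made by uid 0 are not.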
It should be noted that, for simplicity of description, the above method embodiments are expressed as a series of action combinations, but those skilled in the art should understand that the present invention is not limited by the described sequence of actions, because according to the present invention some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software together with a necessary general hardware platform, or of course by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, magnetic disk or optical disc), including instructions for causing a terminal device (which can be a mobile phone, computer, server, network device, etc.) to execute the method described in each embodiment of the present invention.
Embodiment 2
According to an embodiment of the present invention, a detection device for system vulnerability attacks that implements the above embodiment is also provided. The device can be realized by the detection method involved in the embodiments; its implementation is described in detail below.
Fig. 5 is a schematic diagram of the detection device for system vulnerability attacks according to an embodiment of the present invention. As shown in Fig. 5, the detection device may include: a first acquisition module 21, a first judgment module 23 and a first determining module 25.
The first acquisition module obtains the operation information of the operation currently performed in the system by the account with non-highest system permission.
The first judgment module judges whether the operation indicated by the operation information modifies the account's permission from non-highest system permission to the highest system permission.
The first determining module judges that a vulnerability attack exists in the system if the operation indicated by the operation information modifies the account's permission from non-highest system permission to the highest system permission.
Specifically, the first determining module is also used to judge that no vulnerability attack exists in the system if the operation indicated by the operation information does not modify the account's permission from non-highest system permission to the highest system permission.
With the embodiment of the present invention, the operation information of the operation currently performed in the system by the account with non-highest system permission is analysed, and whether a vulnerability attack exists in the system is judged according to whether the operation indicated by the operation information modifies the account's permission from non-highest system permission to the highest system permission. This does not depend on analysing changes in the process's permission state, so the normal permission switching of a legitimate user is not misjudged. As long as the account with non-highest system permission executes an operation that modifies the account's permission from non-highest system permission to the highest system permission, it can be determined that a vulnerability attack exists in the system; the detection does not rely on the features of privilege-escalation vulnerability attacks and is not limited to already discovered privilege-escalation vulnerability attacks, so it can detect vulnerability attacks unknown in the prior art. The detection of vulnerability attacks is therefore more accurate, which solves the problem of low detection accuracy for privilege-escalation vulnerability attacks in the prior art and achieves accurate detection of system vulnerability attacks.
Through the embodiment of the present invention, the detection of vulnerability attacks can be completed without sending the operation information to a dedicated data analysis system, which also shortens the time needed to detect a vulnerability attack.
In the above embodiment of the present invention, when it is determined that a vulnerability attack exists in the system, warning information can be output by an output module and an alarm log can be generated by a generation module.
The non-highest system permission in the above embodiments is non-root permission, and the highest system permission is root permission; the above embodiments of the present invention can be applied to operating systems such as Linux and Unix. The present invention is described in detail below using its application in a Linux system as an example.
Linux is a multi-user, multitasking operating system based on POSIX (portable operating system interface) and Unix (a time-sharing, multitasking, multi-user operating system supporting various processor architectures); it supports multithreading and multiple CPUs (processors). The system can run the main Unix tools, application programs and network protocols, and it supports 32-bit and 64-bit hardware.
Specifically, in a Linux system, the operation information of the operation currently performed by the account with non-highest system permission can be obtained, and it is then judged whether the operation indicated by the operation information elevates the account's permission, specifically whether it modifies the account's permission from non-highest system permission to the highest system permission. If the operation indicated by the operation information modifies the account's permission from non-highest system permission to the highest system permission, it is judged that a vulnerability attack exists in the system; if the operation indicated by the operation information does not modify the account's permission from non-highest system permission to the highest system permission, it is judged that no vulnerability attack exists in the system.
The non-highest system permission in the above embodiments is non-root permission. Root permission is the highest level of system permission; the root user is the superuser account of a Linux system, which has supreme rights over the whole system and can operate on all objects. Therefore, when attacking a system, hackers often need to elevate a non-root user to a root user; obtaining root permission means obtaining the highest permission of the system, and a user with root permission can perform add, delete, modify and query operations on any file in the system.
In the above embodiment of the present invention, the first acquisition module 21 may include: a response module 211 for obtaining, in response to the above operation, the operation information of the operation currently performed in the system by the account with non-highest system permission; or an acquisition submodule 213 for obtaining, every predetermined period, the operation information of the operation currently performed in the system by the account with non-highest system permission.
Through the above embodiment the operation information can be obtained in real time, so that a vulnerability attack can be detected promptly.
Optionally, the first judgment module 23 may include: a second acquisition module 231 for obtaining predetermined operation information, where the predetermined operation information is preset operation information for modifying the account's permission from non-highest system permission to the highest system permission; a matching module 233 for matching the predetermined operation information with the operation information in order to judge whether the operation indicated by the operation information modifies the account's permission from non-highest system permission to the highest system permission; and a sixth determining module 235 for judging, if the predetermined operation information is consistent with the operation information, that the operation indicated by the operation information modifies the account's permission from non-highest system permission to the highest system permission. The sixth determining module 235 is also used to judge, if the predetermined operation information is inconsistent with the operation information, that the operation indicated by the operation information does not modify the account's permission from non-highest system permission to the highest system permission.
The predetermined operation information is preset operation information for modifying the account's permission from non-highest system permission to the highest system permission. That is, if the account with non-highest system permission performs the operation recorded in the predetermined operation information, it can be determined that this account has performed an operation that modifies its permission from non-highest system permission to the highest system permission.
Specifically, the system call information of the system can be obtained; the system call information is the data generated while the system calls kernel functions, and it may include the operation information of the operation currently performed by the account with non-highest system permission. The predetermined operation information is then matched against the operation information of the operation currently performed by that account: if the predetermined operation information and the operation information are consistent, it is judged that the account with non-highest system permission has performed an operation that modifies the account's permission from non-highest system permission to the highest system permission; if they are inconsistent, it is judged that the account with non-highest system permission has not performed such an operation.
The system call process in the above embodiment consists of: the application program's request is passed to the system kernel, the corresponding kernel function is called to complete the processing corresponding to the request, and the processing result is returned to the application program's process. A series of data is generated in this process; in the above embodiment of the present invention, the data generated during the system call is collected in real time, and this system call data may include the above operation information. Specifically, the operation information of the operation currently performed in the system by the account with non-highest system permission is obtained in response to the operation in the system call; alternatively, the operation information of the operation currently performed in the system by the account with non-highest system permission is obtained from the system call data every predetermined period.
The examples and application scenarios realized by the modules in the above embodiment are the same as those of the corresponding steps, but are not limited to the content disclosed in the above embodiment; the modules may run in a terminal or mobile terminal and can be realized by software or hardware.
In the above embodiment of the present invention, the first judgment module may include: a first judging submodule for judging whether the process used by the account executes an operation that modifies the account's permission from non-highest system permission to the highest system permission; and a first determining submodule for judging, if the process used by the account executes such an operation, that the operation indicated by the operation information modifies the account's permission from non-highest system permission to the highest system permission, and otherwise judging that the operation indicated by the operation information does not modify the account's permission from non-highest system permission to the highest system permission.
In an optional embodiment of the present invention, the first judging submodule may include: a second judging submodule for judging whether the process used by the account executes an operation that writes vulnerability attack code to a preset address, where the vulnerability attack code is the code for the operation of modifying the account's permission from non-highest system permission to the highest system permission; a second determining submodule for judging, if the process used by the account executes the operation of writing vulnerability attack code to the preset address, that the process executes an operation that modifies the account's permission from non-highest system permission to the highest system permission; and a third determining submodule for judging, if the process used by the account does not execute the operation of writing vulnerability attack code to the preset address, that the process does not execute an operation that modifies the account's permission from non-highest system permission to the highest system permission.
The preset address can be the address segment whose starting address is memory address 0, and the operation of writing the vulnerability attack code to the preset address can be realized by calling a mapping function.
In the above embodiment of the present invention, it is monitored whether the process used by a non-root account (i.e. an account with non-highest system permission) calls the system's mapping function to write vulnerability attack code to memory address 0, in order to judge whether the operation elevates user permission. If so, the operation is confirmed to be one that elevates user permission (i.e. an operation that modifies the account's permission from non-highest system permission to the highest system permission), the process is a privilege-escalation vulnerability attack process, and it is confirmed that a privilege-escalation vulnerability attack exists in the system.
In the Linux application scenario, the first configuration file of the first monitoring program can be modified in the Linux system by adding the above predetermined operation information (i.e. the audit rule) to the first configuration file, which yields the second configuration file. Specifically, the predetermined operation information can be: a non-root account uses the mmap function to map the first parameter of the vulnerability attack code to memory address 0.
In another optional embodiment of the present invention, the first judging submodule may include: a third judging submodule for judging whether the process used by the account executes an operation that modifies the account's account ID to a preset value; a fourth determining submodule for judging, if the process used by the account executes the operation of modifying the account ID to the preset value, that the process executes an operation that modifies the account's permission from non-highest system permission to the highest system permission; and a fifth determining submodule for judging, if the process used by the account does not execute the operation of modifying the account ID to the preset value, that the process does not execute an operation that modifies the account's permission from non-highest system permission to the highest system permission.
Wherein, preset value is corresponding with system highest permission, and preset value can be zero, and the account ID of account is revised as by execution
The operation of preset value can be realized by calling identity that function is arranged.
In this embodiment of the invention, it is monitored whether a process used by a non-root account (i.e. an account with non-system-highest permission) calls the identity-setting function of the system kernel to modify the account ID of the account to the preset value, so as to judge whether that operation is an operation for promoting the user's permission. If so, the operation is confirmed to be an operation for promoting user permission (i.e. an operation that modifies the permission of the account from non-system-highest permission to system-highest permission), the process is confirmed to be a privilege-escalation attack process, and it is confirmed that a privilege-escalation vulnerability attack exists in the system.
In the application scenario of a Linux system, the first configuration file in the Linux system is modified by adding the above predetermined operation information (i.e. the audit rule) to it, obtaining the second configuration file. Specifically, the predetermined operation information may be: a non-root account uses the identity-setting function (i.e. the setuid function) to switch the permission of the account to root permission.
The examples and application scenarios realized by the modules in the above embodiment are the same as those of the corresponding steps, but are not limited to the content disclosed in the above embodiment. The above modules may run in a terminal or a mobile terminal and may be implemented by software or hardware.
Embodiment 3
The embodiments of the present invention also provide a terminal. Optionally, in this embodiment, the terminal can execute the detection method for a system vulnerability attack of the above embodiments, and the detection device for a system vulnerability attack of the above embodiments may be arranged on the terminal.
Fig. 7 is a structural block diagram of a terminal according to an embodiment of the present invention. As shown in Fig. 7, the terminal 30 may include one or more processors 31 (only one is shown in the figure), a memory 33 and a transmitting device 35.
The memory 33 may be used to store software programs and modules, such as the program instructions/modules corresponding to the security vulnerability detection method and device in the embodiments of the present invention. The processor 31 runs the software programs and modules stored in the memory 33, thereby executing various functional applications and data processing, i.e. implementing the above detection method for a system vulnerability attack. The memory 33 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 33 may further include memory located remotely from the processor 31; such remote memory may be connected to the terminal 30 through a network. Examples of the network include but are not limited to the Internet, an intranet, a local area network, a mobile communication network, and combinations thereof.
The transmitting device 35 is used to receive or send data via a network and may also be used for data transmission between the processor and the memory. Specific examples of the network include wired networks and wireless networks. In one example, the transmitting device 35 includes a network adapter (Network Interface Controller, NIC), which can be connected through a cable to other network devices and to a router so as to communicate with the Internet or a local area network. In another example, the transmitting device 35 is a radio frequency (RF) module used to communicate wirelessly with the Internet.
Specifically, the memory 33 is used to store the predetermined operation information and the application program.
The processor 31 can call, through the transmitting device 35, the predetermined operation information and the application program stored in the memory 33, so as to execute the following steps: obtaining the operation information of an operation currently executed in the system by an account with non-system-highest permission; judging whether the operation indicated by the operation information is modifying the permission of the account from non-system-highest permission to system-highest permission; and if the operation indicated by the operation information is modifying the permission of the account from non-system-highest permission to system-highest permission, judging that a vulnerability attack exists in the system.
In the above embodiment, the processor 31 is also used to judge that no vulnerability attack exists in the system in the case where the operation indicated by the operation information is not modifying the permission of the account from non-system-highest permission to system-highest permission.
With the embodiments of the present invention, the operation information of the operation currently executed in the system by an account with non-system-highest permission is analysed, and whether a vulnerability attack exists in the system is judged according to whether the operation indicated by the operation information modifies the permission of the account from non-system-highest permission to system-highest permission. This does not depend on analysing changes in the permission state of a process, so the normal permission switching of a legitimate user is not misjudged. As long as an account with non-system-highest permission executes an operation that modifies its permission from non-system-highest permission to system-highest permission, it can be judged that a vulnerability attack exists in the system, without detecting on the basis of the signatures of known privilege-escalation attacks. The detection is therefore not limited to privilege-escalation attacks that have already been discovered and can detect vulnerability attacks unknown in the prior art, which makes the detection more accurate, solves the problem in the prior art of low accuracy in detecting privilege-escalation vulnerability attacks, and achieves the effect of accurately detecting system vulnerability attacks.
Through the embodiments of the present invention, it is not necessary to send the operation information to a dedicated data analysis system; the detection of the vulnerability attack can be completed in the processor 31 of the system itself, which also shortens the time needed to detect the attack.
In the above embodiments, the non-system-highest permission is non-root permission, and the system-highest permission is root permission.
In the above embodiment of the invention, the processor is also used to execute the following operations: obtaining the operation information of the operation currently executed in the system by the account with non-system-highest permission may include obtaining the operation information in response to the operation, or obtaining the operation information every predetermined period.
In the above embodiment of the invention, the processor is also used to execute the following operations: judging whether the process used by the account executes the operation that modifies the permission of the account from non-system-highest permission to system-highest permission; if the process used by the account executes that operation, judging that the operation indicated by the operation information is modifying the permission of the account from non-system-highest permission to system-highest permission; otherwise, judging that the operation indicated by the operation information is not modifying the permission of the account from non-system-highest permission to system-highest permission.
Through the above embodiment, the operation information can be obtained in real time, so that a vulnerability attack can be detected in a timely manner.
Optionally, the processor is also used to execute the following operations: judging whether the process used by the account executes an operation that writes vulnerability attack code to a preset address, where the vulnerability attack code is code used to modify the permission of the account from non-system-highest permission to system-highest permission; in the case where the process used by the account executes the operation that writes the vulnerability attack code to the preset address, judging that the process executes the operation that modifies the permission of the account from non-system-highest permission to system-highest permission; and in the case where the process does not execute the operation that writes the vulnerability attack code to the preset address, judging that the process does not execute the operation that modifies the permission of the account from non-system-highest permission to system-highest permission.
In the above embodiment of the invention, the processor is also used to execute the following operations: judging whether the process used by the account executes an operation that modifies the account ID of the account to a preset value, where the preset value corresponds to the system-highest permission; in the case where the process used by the account executes the operation that modifies the account ID to the preset value, judging that the process executes the operation that modifies the permission of the account from non-system-highest permission to system-highest permission; and in the case where the process does not execute the operation that modifies the account ID to the preset value, judging that the process does not execute the operation that modifies the permission of the account from non-system-highest permission to system-highest permission.
Optionally, the processor is also used to execute the following operations: obtaining predetermined operation information, where the predetermined operation information is preset operation information for modifying the permission of the account from non-system-highest permission to system-highest permission; matching the predetermined operation information with the operation information to judge whether the operation indicated by the operation information is modifying the permission of the account from non-system-highest permission to system-highest permission; if the predetermined operation information is consistent with the operation information, judging that the operation indicated by the operation information is modifying the permission of the account from non-system-highest permission to system-highest permission; and if the predetermined operation information is inconsistent with the operation information, judging that the operation indicated by the operation information is not modifying the permission of the account from non-system-highest permission to system-highest permission.
Those skilled in the art will understand that the structure shown in Fig. 7 is only illustrative. The terminal may be a terminal device such as a smart phone (e.g. an Android phone or an iOS phone), a tablet computer, a palmtop computer, a mobile internet device (Mobile Internet Device, MID) or a PAD. Fig. 7 does not limit the structure of the above electronic device. For example, the terminal 30 may also include more or fewer components (such as a network interface or a display device) than shown in Fig. 7, or have a configuration different from that shown in Fig. 7.
Those of ordinary skill in the art will understand that all or part of the steps of the various methods of the above embodiments can be completed by a program instructing the hardware associated with the terminal device. The program can be stored in a computer-readable storage medium, which may include a flash disk, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), a magnetic disk, an optical disc, or the like.
Embodiment 4
The embodiments of the present invention also provide a storage medium. Optionally, in this embodiment, the storage medium stores program code for executing the detection method for a system vulnerability attack.
Optionally, in this embodiment, the storage medium may be located in the terminal shown in Embodiment 3.
Optionally, in this embodiment, the storage medium is arranged to store program code for executing the following steps:
Step S102: obtaining the operation information of an operation currently executed in the system by an account with non-system-highest permission.
Step S104: judging whether the operation indicated by the operation information is modifying the permission of the account from non-system-highest permission to system-highest permission.
Step S106: if the operation indicated by the operation information is modifying the permission of the account from non-system-highest permission to system-highest permission, judging that a vulnerability attack exists in the system.
Specifically, the storage medium is arranged to store program code for executing the following step: if the operation indicated by the operation information is not modifying the permission of the account from non-system-highest permission to system-highest permission, judging that no vulnerability attack exists in the system.
With the embodiments of the present invention, the operation information of the operation currently executed in the system by an account with non-system-highest permission is analysed, and whether a vulnerability attack exists in the system is judged according to whether the operation indicated by the operation information modifies the permission of the account from non-system-highest permission to system-highest permission. This does not depend on analysing changes in the permission state of a process, so the normal permission switching of a legitimate user is not misjudged. As long as an account with non-system-highest permission executes an operation that modifies its permission from non-system-highest permission to system-highest permission, it can be judged that a vulnerability attack exists in the system, without detecting on the basis of the signatures of known privilege-escalation attacks. The detection is therefore not limited to privilege-escalation attacks that have already been discovered and can detect vulnerability attacks unknown in the prior art, which makes the detection more accurate, solves the problem in the prior art of low accuracy in detecting privilege-escalation vulnerability attacks, and achieves the effect of accurately detecting system vulnerability attacks.
Optionally, the storage medium is also arranged to store program code for executing the following steps: obtaining the operation information of the operation currently executed in the system by the account with non-system-highest permission may include obtaining the operation information in response to the operation, or obtaining the operation information every predetermined period.
Optionally, the storage medium is also arranged to store program code for executing the following steps: obtaining predetermined operation information, where the predetermined operation information is preset operation information for modifying the permission of the account from non-system-highest permission to system-highest permission; matching the predetermined operation information with the operation information to judge whether the operation indicated by the operation information is modifying the permission of the account from non-system-highest permission to system-highest permission; if the predetermined operation information is consistent with the operation information, judging that the operation indicated by the operation information is modifying the permission of the account from non-system-highest permission to system-highest permission; and if the predetermined operation information is inconsistent with the operation information, judging that the operation indicated by the operation information is not modifying the permission of the account from non-system-highest permission to system-highest permission.
Optionally, in this embodiment, the storage medium may include but is not limited to: a USB flash disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a removable hard disk, a magnetic disk, an optical disc, or other media capable of storing program code.
Optionally, for specific examples in this embodiment, reference may be made to the examples described in Embodiment 1 and Embodiment 2 above; they are not described again here.
The serial numbers of the above embodiments of the invention are only for description and do not represent the advantages or disadvantages of the embodiments.
In the above embodiments of the invention, the description of each embodiment has its own emphasis; for a part not described in detail in one embodiment, reference may be made to the related descriptions of the other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed terminal may be implemented in other ways. The device embodiments described above are merely illustrative. For example, the division into units is only a division by logical function, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, units or modules, and may be electrical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the various embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The software product is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or part of the steps of the methods of the embodiments of the present invention. The storage medium includes a USB flash disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a removable hard disk, a magnetic disk, an optical disc, or other media capable of storing program code.
The above are only preferred embodiments of the present invention. It should be noted that those of ordinary skill in the art may make various improvements and modifications without departing from the principle of the present invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the present invention.
Claims (12)
1. a kind of detection method of system vulnerability attack characterized by comprising
Obtain the operation information with the account currently performed operation in systems of nonsystematic highest permission;
Obtain predetermined registration operation information, wherein the predetermined registration operation information be it is preset for by the permission of the account from described
Nonsystematic highest permission is revised as the information of system highest permission;
The predetermined registration operation information is matched with the operation information;
If the predetermined registration operation information is consistent with the operation information, judge that the operation of the operation information instruction is
The permission of the account is revised as system highest permission from the nonsystematic highest permission;
If the operation of the operation information instruction is to be revised as the permission of the account from the nonsystematic highest permission
The system highest permission then judges that there are loophole attacks in the system.
2. detection method according to claim 1, which is characterized in that described to the predetermined registration operation information and the operation
Information carries out matching
Judge whether process that the account uses executes to be revised as the permission of the account from the nonsystematic highest permission
The operation of the system highest permission;
If the process that the account uses, which is executed, is revised as the system from the nonsystematic highest permission for the permission of the account
The operation for highest permission of uniting, the then operation for judging operation information instruction are by the permission of the account from described non-
System highest permission is revised as the system highest permission;Otherwise, the operation for judging operation information instruction is not
The permission of the account is revised as the system highest permission from the nonsystematic highest permission.
3. detection method according to claim 2, which is characterized in that described to judge whether the process that the account uses is held
The permission for being about to the account includes: from the operation that the nonsystematic highest permission is revised as the system highest permission
Whether the process for judging that the account uses executes the operation that loophole attack code is written to preset address,
In, the loophole attack code is to be used to indicate the permission of the account being revised as the system from the nonsystematic highest permission
The code of the operation for highest permission of uniting;
The feelings that the loophole attack code is written to the operation of the preset address are executed in the process that the account uses
Under condition, the permission of the account is revised as institute from the nonsystematic highest permission by the process execution for judging that the account uses
State the operation of system highest permission;
The operation that the loophole attack code is written to the preset address is not carried out in the process that the account uses
In the case where, judge that process that the account uses is not carried out the permission of the account from the nonsystematic highest permission
It is revised as the operation of the system highest permission.
4. detection method according to claim 2, which is characterized in that described to judge whether the process that the account uses is held
The permission for being about to the account includes: from the operation that the nonsystematic highest permission is revised as the system highest permission
Whether the process for judging that the account uses executes the operation that the account ID of the account is revised as to preset value,
In, the preset value is corresponding with the system highest permission;
The feelings that the account ID of the account is revised as to the operation of the preset value are executed in the process that the account uses
Under condition, the permission of the account is revised as institute from the nonsystematic highest permission by the process execution for judging that the account uses
State the operation of system highest permission;
The operation that the account ID of the account is revised as to the preset value is not carried out in the process that the account uses
In the case where, judge that process that the account uses is not carried out the permission of the account from the nonsystematic highest permission
It is revised as the operation of the system highest permission.
5. detection method according to any one of claim 1 to 4, which is characterized in that
The operation information of currently performed operation includes: to respond to the account of the acquisition with nonsystematic highest permission in systems
The operation obtains the operation information with the account currently performed operation in systems of nonsystematic highest permission;Alternatively, every
The operation information with the account currently performed operation in systems of nonsystematic highest permission is obtained every predetermined period;
It is described the predetermined registration operation information is matched with the operation information after, further includes: if the predetermined registration operation information
It is inconsistent with the operation information, then judge operation information instruction the operation be not by the permission of the account from
The nonsystematic highest permission is revised as system highest permission.
6. detection method according to any one of claim 1 to 4, which is characterized in that the nonsystematic highest weight is limited to
Non- root authority, the system highest weight are limited to root authority.
7. a kind of detection device of system vulnerability attack characterized by comprising
First obtains module, for obtaining the operation with the account currently performed operation in systems of nonsystematic highest permission
Information;
First judgment module, comprising: second obtains module, matching module and the 6th determining module, wherein described second obtains
Module, for obtaining predetermined registration operation information, wherein the predetermined registration operation information be it is preset for by the permission of the account from
The nonsystematic highest permission is revised as the information of system highest permission;The matching module, for believing the predetermined registration operation
Breath is matched with the operation information;6th determining module, if believing for the predetermined registration operation information and the operation
Breath is consistent, then the operation for judging the operation information instruction is by the permission of the account from the nonsystematic highest weight
Limit is revised as system highest permission;
First determining module, if the operation for operation information instruction is by the permission of the account from the non-system
System highest permission is revised as the system highest permission, then judges that there are loophole attacks in the system.
8. detection device according to claim 7, which is characterized in that the first judgment module includes:
First judging submodule, for judging whether process that the account uses executes the permission of the account from described non-
System highest permission is revised as the operation of the system highest permission;
First determines submodule, if the process used for the account is executed the permission of the account from the nonsystematic most
High permission is revised as the operation of the system highest permission, then judge operation information instruction the operation be will be described
The permission of account is revised as the system highest permission from the nonsystematic highest permission;Otherwise, judge the operation information
The operation indicated is not that the permission of the account is revised as the system highest permission from the nonsystematic highest permission.
9. detection device according to claim 8, which is characterized in that first judging submodule includes:
Second judgment submodule, for judging whether the process that the account uses executes the write-in of loophole attack code in advance
If the operation of address, wherein the loophole attack code is to be used to indicate the permission of the account from the nonsystematic highest
Permission is revised as the code of the operation of the system highest permission;
Second determines submodule, and the process for using in the account executes will be described in loophole attack code write-in
In the case where the operation of preset address, judge that process that the account uses is executed the permission of the account from the non-system
System highest permission is revised as the operation of the system highest permission;
Third determines submodule, and the process for using in the account is not carried out, and the loophole attack code is written
In the case where the operation of the preset address, judge process that the account uses be not carried out by the permission of the account from
The nonsystematic highest permission is revised as the operation of the system highest permission.
10. detection device according to claim 8, which is characterized in that first judging submodule includes:
Third judging submodule repairs the account ID of the account for judging whether the process that the account uses executes
It is changed to the operation of preset value, wherein the preset value is corresponding with the system highest permission;
4th determines submodule, and the process for using in the account, which is executed, is revised as institute for the account ID of the account
In the case where the operation for stating preset value, judge that process that the account uses is executed the permission of the account from the non-system
System highest permission is revised as the operation of the system highest permission;
5th determines submodule, and the process for using in the account, which is not carried out, modifies the account ID of the account
In the case where operation for the preset value, judge process that the account uses be not carried out by the permission of the account from
The nonsystematic highest permission is revised as the operation of the system highest permission.
11. The detection device according to any one of claims 7 to 10, wherein the first acquisition module comprises:
a response submodule, configured to obtain, in response to the operation, operation information of the operation currently performed in the system by the account with the non-system highest permission; or an acquisition submodule, configured to obtain, every predetermined period, operation information of the operation currently performed in the system by the account with the non-system highest permission;
a sixth determining module, further configured to, if the predetermined operation information and the operation information are inconsistent, determine that the operation indicated by the operation information is not an operation of changing the permission of the account from the non-system highest permission to the system highest permission.
12. The detection device according to any one of claims 7 to 10, wherein the non-system highest permission is non-root permission, and the system highest permission is root permission.
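The account-ID check of claims 10 and 12, driven by the periodic-sampling acquisition of claim 11, as an added example that is not code from the patent: processes of non-root accounts are taken from a first snapshot, and a later snapshot in which such a process's account ID has become the preset value (0, root) triggers an alert, while an unchanged or still non-zero UID does not. The `ProcSample` fields and all sample data are constructed for this demonstration.

```python
# Added example, not code from the patent: account-ID based detector of
# claims 10-12 over periodically sampled process snapshots (claim 11, second
# alternative). Field names and the sample data are constructed for this demo.
from dataclasses import dataclass

ROOT_UID = 0  # the "preset value" corresponding to the system highest permission


@dataclass(frozen=True)
class ProcSample:
    pid: int
    account: str   # account that owns the process
    uid: int       # effective account ID observed in this sample


def baseline_accounts(first: list[ProcSample]) -> dict[int, ProcSample]:
    """Processes whose account starts with non-system-highest (non-root) permission."""
    return {p.pid: p for p in first if p.uid != ROOT_UID}


def detect_escalations(snapshots: list[list[ProcSample]]) -> list[dict]:
    """One alert per watched process whose account ID was modified to the preset
    value in a later sample (the 'fourth determining submodule' branch). A process
    whose UID is unchanged, or moves to another non-zero UID, is the 'fifth
    determining submodule' branch and yields no alert."""
    watched = baseline_accounts(snapshots[0])
    alerts, seen = [], set()
    for period, sample in enumerate(snapshots[1:], start=1):
        for p in sample:
            base = watched.get(p.pid)
            if base is None or p.pid in seen:
                continue
            if p.uid == ROOT_UID:
                seen.add(p.pid)  # report each escalated process once
                alerts.append({"pid": p.pid, "account": base.account,
                               "from_uid": base.uid, "to_uid": p.uid,
                               "period": period})
    return alerts


# Constructed snapshots: pid 4242 ("guest", uid 1001) becomes uid 0 in the third
# sample; pid 4300 only changes to another non-root uid; pid 1 is root throughout.
SNAPSHOTS = [
    [ProcSample(1, "root", 0), ProcSample(4242, "guest", 1001), ProcSample(4300, "www", 33)],
    [ProcSample(1, "root", 0), ProcSample(4242, "guest", 1001), ProcSample(4300, "www", 34)],
    [ProcSample(1, "root", 0), ProcSample(4242, "guest", 0), ProcSample(4300, "www", 34)],
]

if __name__ == "__main__":
    for a in detect_escalations(SNAPSHOTS):
        print(f"pid {a['pid']} ({a['account']}): uid {a['from_uid']} -> {a['to_uid']}, period {a['period']}")
```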
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410243549.3A CN105224868B (en) | 2014-06-03 | 2014-06-03 | The detection method and device of system vulnerability attack |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105224868A CN105224868A (en) | 2016-01-06 |
CN105224868B true CN105224868B (en) | 2019-07-23 |
Family
ID=54993830
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410243549.3A Active CN105224868B (en) | 2014-06-03 | 2014-06-03 | The detection method and device of system vulnerability attack |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105224868B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
RU2797716C1 (en) * | 2022-06-15 | 2023-06-08 | Акционерное общество "Лаборатория Касперского" | System and method for detecting the presence of a vulnerability in the operating system based on data on processes and threads |
Families Citing this family (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106778242B (en) * | 2016-11-28 | 2020-10-16 | 北京奇虎科技有限公司 | Kernel vulnerability detection method and device based on virtual machine |
CN106650423A (en) * | 2016-11-28 | 2017-05-10 | 北京奇虎科技有限公司 | Object sample file detecting method and device |
CN106778284B (en) * | 2016-11-28 | 2021-03-26 | 北京奇虎科技有限公司 | Method and device for detecting kernel vulnerability back end |
CN109711169A (en) * | 2018-05-04 | 2019-05-03 | 360企业安全技术(珠海)有限公司 | Means of defence and device, system, storage medium, the electronic device of system file |
WO2020132877A1 (en) * | 2018-12-25 | 2020-07-02 | 奇安信安全技术(珠海)有限公司 | Operation detection method and system, and electronic device |
CN110489963A (en) * | 2019-08-09 | 2019-11-22 | 四川虹美智能科技有限公司 | A kind of Android system smart machine guard method and device |
CN112199672A (en) * | 2020-10-10 | 2021-01-08 | 北京微步在线科技有限公司 | Account authority lifting behavior detection method and device and readable storage medium |
CN113779561B (en) * | 2021-09-09 | 2024-03-01 | 安天科技集团股份有限公司 | Kernel vulnerability processing method and device, storage medium and electronic equipment |
CN116956310B (en) * | 2023-09-21 | 2023-12-29 | 腾讯科技(深圳)有限公司 | Vulnerability protection method, device, equipment and readable storage medium |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101442533A (en) * | 2008-12-25 | 2009-05-27 | 上海交通大学 | Method for generating network authority hoisting route based on data digging technology |
CN103023871A (en) * | 2012-11-16 | 2013-04-03 | 华中科技大学 | Android privilege escalation attack detection system and method based on cloud platform |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030140253A1 (en) * | 2001-11-16 | 2003-07-24 | Mark Crosbie | Method of and apparatus for detecting creation of set user identification (setuid) files, and computer program for enabling such detection |
KR100874948B1 (en) * | 2007-06-18 | 2008-12-19 | 한국전자통신연구원 | Apparatus and method to detect and control processes which access lower privileged object |
Non-Patent Citations (1)
Title |
---|
Dynamic defense technology for privilege escalation vulnerabilities in Android; Zhang Yi et al.; 《信息安全与通信保密》 (Information Security and Communications Privacy); 2013-11-10 (No. 239); pp. 71-74, 79 |
Also Published As
Publication number | Publication date |
---|---|
CN105224868A (en) | 2016-01-06 |
Similar Documents
Publication | Title |
---|---|
CN105224868B (en) | The detection method and device of system vulnerability attack |
US11729199B2 (en) | Security evaluation system, security evaluation method, and program |
CN109766700A (en) | Access control method and device, the storage medium, electronic device of file |
CA3016392A1 (en) | Systems and methods for cyber intrusion detection and prevention |
JP2021513170A (en) | Unmonitored spoofing detection from traffic data on mobile networks |
EP3276907A1 (en) | A method and apparatus for testing a security of communication of a device under test |
CN104025635A (en) | Mobile risk assessment |
CN104811453B (en) | Active defense method and device |
CN110493238A (en) | Defence method, device, honey pot system and honey jar management server based on honey jar |
CN103581185B (en) | Resist the cloud checking and killing method of test free to kill, Apparatus and system |
CN107071052A (en) | A kind of devices, systems, and methods that cloud back-end services are provided to internet of things equipment |
CN110427785A (en) | Acquisition methods and device, the storage medium and electronic device of device-fingerprint |
US20200410109A1 (en) | Security evaluation system, security evaluation method, and program |
CN104221024A (en) | Unified scan engine |
CN109213857A (en) | A kind of fraud recognition methods and device |
CN109547426B (en) | Service response method and server |
CN106462694A (en) | Device control system, device controller, device control method, and program |
CN112035303B (en) | Data testing method and device, computer and readable storage medium |
CN112732135A (en) | Health information display method and device, storage medium and electronic equipment |
CN110351237A (en) | Honey jar method and device for numerically-controlled machine tool |
CN108073499A (en) | The test method and device of application program |
CN109711149A (en) | Dynamic Updating Mechanism determination method and application Life cycle behavior monitoring method |
CN114531258B (en) | Network attack behavior processing method and device, storage medium and electronic equipment |
CN105659247A (en) | Context-aware proactive threat management system |
CN107196969B (en) | The automatic identification and verification method and system of attack traffic |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |
TR01 | Transfer of patent right | Effective date of registration: 20240111. Address after: 518000 Tencent Building, No. 1 High-tech Zone, Nanshan District, Shenzhen City, Guangdong Province, 35 Floors. Patentee after: TENCENT TECHNOLOGY (SHENZHEN) Co.,Ltd.; TENCENT CLOUD COMPUTING (BEIJING) Co.,Ltd. Address before: 2, 518000, East 403 room, SEG science and Technology Park, Zhenxing Road, Shenzhen, Guangdong, Futian District. Patentee before: TENCENT TECHNOLOGY (SHENZHEN) Co.,Ltd. |