CN105224868B - Detection method and device for system vulnerability attacks - Google Patents

Info

Publication number: CN105224868B
Authority: CN (China)
Prior art keywords: account; permission; nonsystematic; highest permission; revised
Legal status: Active
Application number: CN201410243549.3A
Other languages: Chinese (zh)
Other versions: CN105224868A
Inventors: 江虎, 甘祥, 刘宁, 肖矜
Current assignee: Tencent Technology Shenzhen Co Ltd; Tencent Cloud Computing Beijing Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd

Events

  • Application filed by Tencent Technology Shenzhen Co Ltd
  • Priority to CN201410243549.3A
  • Publication of CN105224868A
  • Application granted
  • Publication of CN105224868B
  • Legal status: Active

Landscapes

  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)
Abstract

The invention discloses a detection method and device for system vulnerability attacks. According to one aspect of an embodiment of the invention, a detection method for system vulnerability attacks is provided, comprising: obtaining the operation information of the operation currently performed in the system by an account with non-highest system permission; judging whether the operation indicated by the operation information modifies the account's permission from non-highest system permission to the highest system permission; and, if it does, judging that a vulnerability attack exists in the system. The invention solves the low detection accuracy of prior-art detection of privilege-escalation vulnerability attacks and achieves accurate, real-time detection of system vulnerability attacks.

Description

Detection method and device for system vulnerability attacks
Technical field
The present invention relates to the field of vulnerability detection, and in particular to a detection method and device for system vulnerability attacks.
Background technique
When a hacker attacks a system through a privilege-escalation vulnerability, he can obtain the highest permission of the system and thereby gain control of the server. Using such a vulnerability, a hacker can easily break through common driver-level firewalls and bypass most active-defense software, directly threatening the information security of computer users.
Briefly, a privilege-escalation vulnerability allows a user with very low, heavily restricted rights to be promoted to the highest privilege of the system (such as administrator rights). Permission control is the foundation stone of system security and of all security software; once this threshold is broken, every defensive measure is invalid. A privilege-escalation attack is a hacker's use of such a vulnerability to raise his own rights: from the lowest privilege he can attack directly into the system kernel, or even bypass the system's user-permission control altogether. Once the hacker's privilege is escalated to the highest permission of the system (such as administrator rights), he can operate on any file in the system, plant trojans, control the machine and perform any operation on any file, leaving the system in a very unsafe state.
In the prior art, privilege-escalation attacks can be found by data analysis: data about system processes is collected and sent to a dedicated data-analysis system, which detects escalation by observing changes in process permissions. The permission of a process is recorded when the process starts, and the process is judged to be a privilege-escalation process when the permission of the user associated with it later changes. However, many normal users also switch permissions; if every permission switch were judged a privilege-escalation attack, many normal users would be restricted. Moreover, a hacker's escalation does not necessarily occur through a process switch, so the above method is likely to produce many missed or false detections.
The prior art can also detect hacking tools by the features of privilege-escalation attack tools, in a way similar to virus scanning: system files are scanned and privilege-escalation vulnerabilities are detected by matching the features of known hacking tools. Because matching is only possible against known hacking tools, this method cannot detect unknown tools; it is very passive, lags strongly behind attackers, and has a high miss rate.
For the low detection accuracy of the above detection of privilege-escalation vulnerability attacks, no effective solution has yet been proposed.
Summary of the invention
Embodiments of the invention provide a detection method and device for system vulnerability attacks, at least to solve the problem of low detection accuracy in detecting privilege-escalation vulnerability attacks.
According to one aspect of an embodiment of the invention, a detection method for system vulnerability attacks is provided, comprising: obtaining the operation information of the operation currently performed in the system by an account with non-highest system permission; judging whether the operation indicated by the operation information modifies the account's permission from non-highest system permission to the highest system permission; and, if it does, judging that a vulnerability attack exists in the system.
According to another aspect of an embodiment of the invention, a detection device for system vulnerability attacks is also provided, comprising: a first acquisition module for obtaining the operation information of the operation currently performed in the system by an account with non-highest system permission; a first judgment module for judging whether the operation indicated by the operation information modifies the account's permission from non-highest system permission to the highest system permission; and a first determining module for judging that a vulnerability attack exists in the system if the operation indicated by the operation information does so.
With embodiments of the invention, the operation information of the operation currently performed in the system by an account with non-highest system permission is analyzed, and whether a vulnerability attack exists in the system is judged by whether the indicated operation modifies the account's permission from non-highest system permission to the highest system permission. This does not depend on analyzing changes in the permission state of processes, so the normal permission switching of legitimate users is not misjudged; and as long as an account with non-highest system permission has executed an operation that modifies its permission to the highest system permission, a vulnerability attack can be determined to exist in the system. Detection therefore does not rely on the features of known privilege-escalation attacks, is not limited to escalation vulnerabilities already discovered, and can detect vulnerability attacks unknown in the prior art. The detection of vulnerability attacks is thus more accurate, which solves the problem of low detection accuracy in the prior art and achieves accurate detection of system vulnerability attacks.
Detailed description of the invention
The drawings described herein provide a further understanding of the present invention and form part of this application; the illustrative embodiments of the invention and their description explain the invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a flowchart of a detection method for system vulnerability attacks according to an embodiment of the present invention;
Fig. 2 is a flowchart of an optional method of obtaining system call information according to an embodiment of the present invention;
Fig. 3 is a structural schematic diagram of the implementation environment involved when a hacker carries out a privilege-escalation attack on a server, according to an embodiment of the present invention;
Fig. 4 is a flowchart of an optional detection method for system vulnerability attacks according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of a detection device for system vulnerability attacks according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of an optional detection device for system vulnerability attacks according to an embodiment of the present invention; and
Fig. 7 is a structural block diagram of a terminal according to an embodiment of the present invention.
Specific embodiment
In order to enable those skilled in the art to better understand the solution of the present invention, the technical solution in the embodiments of the invention is described below clearly and completely in conjunction with the accompanying drawings. Clearly, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the invention, without creative work, fall within the scope protected by the invention.
It should be noted that the terms "first", "second", etc. in the description, the claims and the above drawings are used to distinguish similar objects, not to describe a particular order or sequence. It should be understood that data so described are interchangeable where appropriate, so that the embodiments of the invention described herein can be implemented in sequences other than those illustrated or described here. In addition, the terms "comprising" and "having" and any variations of them are intended to cover a non-exclusive inclusion: for example, a process, method, system, product or device that contains a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to such a process, method, product or device.
Embodiment 1
According to an embodiment of the present invention, an embodiment of a detection method for system vulnerability attacks is provided. It should be noted that the steps shown in the flowcharts of the drawings can be executed in a computer system such as a set of computer-executable instructions and, although a logical order is shown in the flowcharts, in some cases the steps shown or described can be executed in an order different from the one given here.
According to an embodiment of the present invention, a detection method for system vulnerability attacks is provided. As shown in Fig. 1, the detection method can be realized by the following steps:
Step S102: obtain the operation information of the operation currently performed in the system by an account with non-highest system permission.
Step S104: judge whether the operation indicated by the operation information modifies the account's permission from non-highest system permission to the highest system permission.
Step S106: if the operation indicated by the operation information modifies the account's permission from non-highest system permission to the highest system permission, judge that a vulnerability attack exists in the system.
Specifically, after step S104 is executed, if the operation indicated by the operation information does not modify the account's permission from non-highest system permission to the highest system permission, it is judged that no vulnerability attack exists in the system.
With embodiments of the invention, the detection of vulnerability attacks can be completed without sending the operation information to a dedicated data-analysis system, which also shortens the time needed to detect a vulnerability attack.
In the above embodiments of the invention, when it is determined that a vulnerability attack exists in the system, warning information can be output and an alarm log generated.
In the above embodiments the non-highest system permission is non-root permission and the highest system permission is root permission; the above embodiments of the invention can be applied to operating systems such as Linux and Unix. The invention is described in detail below taking its application in a Linux system as an example.
Linux (based on POSIX, the portable operating system interface, and Unix; a time-sharing, multitasking, multi-user operating system supporting various processor architectures) is a multi-user, multitasking operating system that supports multithreading and multiple CPUs (processors). The system can run the main Unix tools, application programs and network protocols, and supports 32-bit and 64-bit hardware.
Specifically, in a Linux system the operation information of the operation currently performed by an account with non-highest system permission is obtained, and it is then judged whether the operation indicated by the operation information raises the account's permission; specifically, whether it modifies the account's permission from non-highest system permission to the highest system permission. If the operation indicated by the operation information modifies the account's permission from non-highest system permission to the highest system permission, it is judged that a vulnerability attack exists in the system; if the operation indicated by the operation information does not modify the account's permission from non-highest system permission to the highest system permission, it is judged that no vulnerability attack exists in the system.
The non-highest system permission in the above embodiments is non-root permission. Root permission is the highest system permission; the root user is the superuser account in a Linux system, which has supreme rights over the whole system and can operate on every object. When attacking a system, a hacker therefore often needs to escalate a user with non-root permission to a root user; obtaining root permission means obtaining the highest permission of the system, and a user with root permission can add, delete, modify and read any file in the system.
In the above embodiments of the invention, obtaining the operation information of the operation currently performed in the system by an account with non-highest system permission may include: obtaining the operation information in response to the operation; or obtaining the operation information every predetermined period.
Through the above embodiments the operation information can be obtained in real time, so that a vulnerability attack can be detected promptly.
In the above embodiments of the invention, judging whether the operation indicated by the operation information modifies the account's permission from non-highest system permission to the highest system permission may include: obtaining preset operation information, which is operation information preset for modifying an account's permission from non-highest system permission to the highest system permission; matching the preset operation information against the operation information to judge whether the operation indicated by the operation information modifies the account's permission from non-highest system permission to the highest system permission; if the preset operation information is consistent with the operation information, judging that the operation indicated by the operation information modifies the account's permission from non-highest system permission to the highest system permission; and if the preset operation information is inconsistent with the operation information, judging that it does not.
The preset operation information is operation information preset for modifying an account's permission from non-highest system permission to the highest system permission. That is, if an account with non-highest system permission performs the operation recorded in the preset operation information, it can be determined that the account has performed an operation that modifies its permission from non-highest system permission to the highest system permission.
Specifically, the system call information of the system can be obtained. The system call information is the data generated while the system calls kernel functions, and it may include the operation information of the operation currently performed by the account with non-highest system permission. The preset operation information is then matched against that operation information: if the two are consistent, the account with non-highest system permission is judged to have performed an operation modifying its permission from non-highest system permission to the highest system permission; if they are inconsistent, the account is judged not to have performed such an operation.
The system-call process in the above embodiments comprises: the request of an application program is passed to the system kernel, the corresponding kernel function is called to complete the processing of the request, and the result is returned to the application program. A series of data is generated during this process; in the above embodiments of the invention these data generated during system calls are collected in real time, and the system-call data may include the above operation information. Specifically, the operation information of the operation currently performed in the system by the account with non-highest system permission can be obtained in response to an operation in a system call, or every predetermined period from the system-call data.
In the above embodiments of the invention, a system call may be a request by a program running in user space (for example on a computer) to the operating-system kernel for a service that requires higher permission to run; system calls provide the interface between user programs and the operating system.
The application of the embodiments of the present invention in a Linux system is described in detail below with reference to Fig. 2.
Specifically, the system call information of the Linux system can be obtained in real time, and the preset operation information is matched against the operation information of the operation currently performed by an account with non-highest system permission in the system call information; according to the matching result it is determined whether the account with non-highest system permission has performed an operation modifying its permission from non-highest system permission to the highest system permission.
In the above embodiments of the invention, the matching of the preset operation information against the operation information can be performed by the audit service of the Linux system. The audit service records events such as system calls and file accesses in Linux by means of log events; a system administrator can evaluate these logs to determine security breaches that may exist in the system, such as failed login attempts or unsuccessful user access to system files.
Specifically, as shown in Fig. 2, matching the preset operation information against the operation information in the above embodiments of the invention can be realized by the following steps:
Step S202: modify the first configuration file of the first monitoring program of the Linux system with the preset operation information, obtaining a second monitoring program.
Specifically, the first monitoring program in the above embodiments may be the audit service (auditd) of the Linux system. The audit service (auditd) is the kernel event auditing system of Linux; system kernel events can be recorded by configuring rules in the configuration file of this service (the first monitoring program in the above embodiments). Here /etc/audit.rules is the first configuration file mentioned above, which may be an empty file by default. In the above embodiments of the invention the first configuration file is modified with the preset operation information to obtain a second configuration file (a configuration file carrying the preset operation information), and thereby the second monitoring program.
In the audit service of the Linux system, the preset operation information of the above embodiments takes the concrete form of configuration rules.
Step S204: execute the second monitoring program in the Linux system.
Specifically, after the second monitoring program is obtained, the audit service (auditd) of the Linux system is restarted to run the second monitoring program, so that the second monitoring program begins to record the system-call process and writes the log.
Step S206: judge whether the operation information of the account without the highest system permission in the system call information is consistent with the preset operation information.
If the operation information is consistent with the preset operation information, it is determined that the account with non-highest system permission has performed an operation modifying its permission from non-highest system permission to the highest system permission, and step S208 is executed; if the preset operation information and the operation information are inconsistent, it is determined that the account with non-highest system permission has not performed an operation modifying its permission from non-highest system permission to the highest system permission, and execution continues with step S204.
Step S208: record the call process corresponding to the operation information.
Specifically, the call process can be analyzed periodically by generating audit reports and searching the log.
The above embodiments of the invention are described in detail below with reference to Fig. 3 and Fig. 4.
Fig. 3 shows the structural schematic diagram of the implementation environment involved when a hacker carries out a privilege-escalation attack on a server. As shown in Fig. 3, the environment may include an account terminal 10 and a server 20. Specifically, a hacker may carry out a privilege-escalation attack on the server 20 through the account terminal 10. The processor in the server 20 starts the second monitoring program and matches the operation information in the system-call data of the server system, judging whether the operation information of the operation currently performed by the account with non-highest system permission recorded in the system call information is consistent with the preset operation information carried in the second monitoring program. If they are consistent, it is determined that the operation currently performed by the account with non-highest system permission belongs to a hacker's privilege-escalation attack and that a vulnerability attack exists in the system, and an alarm is output and an alarm log generated.
The account terminal 10 and the server 20 communicate through a network, which may be a wireless or a wired network. The server may be a Linux server.
The account terminal in the above embodiments may be a mobile terminal or a personal computer terminal.
Fig. 4 is a flowchart of an optional detection method for system vulnerability attacks according to an embodiment of the present invention.
As shown in Fig. 4, the method can be realized by the following steps:
Step S402: modify the first configuration file of the first monitoring program with the preset operation information to obtain the second monitoring program.
Specifically, this step is implemented in the same way as step S202 above and is not described again here.
Step S404: start the second monitoring program on the Linux server.
Specifically, this step is implemented in the same way as step S204 above and is not described again here.
Step S406: obtain the system call information of the system.
The system call information includes the operation information of the operation currently performed by a user with non-highest system permission.
Step S408: judge whether the operation currently performed by the user with non-highest system permission modifies the account's permission from non-highest system permission to the highest system permission.
Specifically, this can be realized by having the second monitoring program judge whether the operation information is consistent with the preset operation information. If the operation information is consistent with the preset operation information, the currently performed operation is judged to modify the account's permission from non-highest system permission to the highest system permission, the operation currently performed by the account with non-highest system permission is confirmed to be a privilege-escalation attack operation, and step S410 is executed: confirm that a vulnerability attack exists in the system. If the operation information is inconsistent with the preset operation information, the currently performed operation is judged not to modify the account's permission from non-highest system permission to the highest system permission, the operation currently performed by the account with non-highest system permission is confirmed not to be a privilege-escalation attack operation, and step S412 is executed: confirm that no vulnerability attack exists in the system.
Step S414: output warning information that a vulnerability attack exists in the system.
Step S416: generate an alarm log.
Specifically, using the auditd service in the server, the obtained warning information (that is, audit messages) is written to /var/log/audit.log. The above alarm log is a text file whose format is the format received from the kernel, and the order of entries may be the order in which they were received. The alarm log may include information such as the audit event ID, filename, UID, message type and system call name.
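As an added example (not the patent's own code or configuration), the following Python script shows the matching of steps S202 to S208 applied to audit records: a preset auditd rule that keys the uid-changing system calls, a parser for SYSCALL records in the audit.log format described above, and a classifier that raises an alarm only when an account that did not hold root (the login uid, auid) successfully changed its uid to 0 outside a known permission-switching helper such as sudo or su, which is the normal user switching the background section says must not be flagged. The rule line, the helper allowlist and the sample log records are assumptions constructed for this example; the x86_64 syscall numbers are the kernel's real values.

```python
"""Match auditd SYSCALL records against a preset 'non-root account became root' rule."""
import re
from typing import Dict, List

# Assumed auditd rule (the patent's "preset operation information" as a configuration
# rule): log the uid-changing syscalls whose first argument is uid 0, made by a
# real login account.  This line is illustrative and is not from the patent.
PRESET_RULE = ("-a always,exit -F arch=b64 -S setuid,setreuid,setresuid "
               "-F a0=0 -F auid>=1000 -F auid!=4294967295 -k privesc_to_root")

# x86_64 syscall numbers of the uid-changing calls (real kernel values).
SETUID_SYSCALLS = {105: "setuid", 113: "setreuid", 117: "setresuid"}
# Assumption: helpers through which a normal user legitimately switches to root.
SANCTIONED_HELPERS = {"/usr/bin/sudo", "/usr/bin/su"}
AUID_UNSET = 4294967295  # loginuid of processes not tied to a login session

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r"msg=audit\((\d+)\.\d+:(\d+)\)")

# Constructed sample audit.log records: sudo switching to root, an unknown binary
# switching to root, a daemon dropping to uid 1000, a failed attempt, a PATH record.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1401234567.101:201): arch=c000003e syscall=117 success=yes exit=0 a0=0 a1=0 a2=0 a3=7fff0 items=0 ppid=2000 pid=2001 auid=1000 uid=0 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" key="privesc_to_root"
type=SYSCALL msg=audit(1401234567.205:202): arch=c000003e syscall=105 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=0 ppid=2000 pid=2042 auid=1000 uid=0 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="a.out" exe="/tmp/a.out" key="privesc_to_root"
type=SYSCALL msg=audit(1401234567.310:203): arch=c000003e syscall=105 success=yes exit=0 a0=3e8 a1=0 a2=0 a3=0 items=0 ppid=1 pid=700 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key=(null)
type=SYSCALL msg=audit(1401234567.412:204): arch=c000003e syscall=105 success=no exit=-1 a0=0 a1=0 a2=0 a3=0 items=0 ppid=2000 pid=2050 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=5 comm="python3" exe="/usr/bin/python3" key="privesc_to_root"
type=PATH msg=audit(1401234567.412:204): item=0 name="/tmp/x" inode=1 dev=08:01 mode=0100755 ouid=1001 ogid=1001
"""


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into key/value fields; adds event_id from msg=audit(...)."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = EVENT_RE.search(line)
    if m:
        fields["event_id"] = m.group(2)
    return fields


def classify(rec: Dict[str, str]) -> str:
    """Decide whether a record is the preset 'non-root account changed uid to root' operation."""
    if rec.get("type") != "SYSCALL":
        return "ignored"
    if int(rec.get("syscall", -1)) not in SETUID_SYSCALLS:
        return "ignored"
    auid = int(rec.get("auid", AUID_UNSET))
    target_uid = int(rec.get("a0", "ffffffff"), 16)  # audit logs arguments in hex
    if auid in (AUID_UNSET, 0) or target_uid != 0:
        return "benign"            # root/service context, or not a change to uid 0
    if rec.get("success") != "yes":
        return "failed_attempt"    # permission was not actually modified
    if rec.get("exe") in SANCTIONED_HELPERS:
        return "sanctioned_switch"  # the normal permission switching of a legitimate user
    return "escalation"


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return alarm-log entries (event ID, UID, message type, syscall name) for escalations."""
    alarms = []
    for line in lines:
        rec = parse_record(line)
        if classify(rec) == "escalation":
            alarms.append({
                "event_id": rec.get("event_id", "?"),
                "type": rec.get("type", "?"),
                "auid": rec.get("auid", "?"),
                "syscall": SETUID_SYSCALLS[int(rec["syscall"])],
                "exe": rec.get("exe", "?"),
                "message": "non-root account changed its uid to root outside a sanctioned helper",
            })
    return alarms


if __name__ == "__main__":
    print("rule to add to the audit configuration:", PRESET_RULE)
    for alarm in detect(SAMPLE_AUDIT_LOG.splitlines()):
        print("ALARM", alarm)
```

Only the second sample record is alarmed: sudo is an allowlisted switch, sshd dropping to uid 1000 is not a change to root, and the failed setuid(0) did not modify any permission. Which binaries belong in the allowlist, and whether failed attempts should also be logged, is a deployment decision the patent leaves open.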
Predetermined registration operation information in the above-described embodiments can be following format :-a report is about access vector buffer The message of (access vector cache, AVC);- f reports the message about file;- s report disappears about what system was called Breath.
Specifically, the event for being equal or earlier than specific time can also be shown by-t, where indicating you with number format The date and time in place, and the time was indicated with 24 hours formats processed.It can be in predetermined registration operation information by auditing service The respective option is matched to obtain matching result.
In the above embodiments, the auditd service writes the information generated by the system kernel during monitoring (i.e. the system call information in the above embodiments) to the hard disk; this information is generated by application programs and by triggered system activity.
In the above embodiment of the invention, judging whether the operation indicated by the operation information modifies the permission of the account from non-system-highest permission to system-highest permission may include: judging whether the process used by the account executes an operation that modifies the permission of the account from non-system-highest permission to system-highest permission; if the process used by the account executes such an operation, judging that the operation indicated by the operation information modifies the permission of the account from non-system-highest permission to system-highest permission; otherwise, judging that the operation indicated by the operation information does not modify the permission of the account from non-system-highest permission to system-highest permission.
In an optional embodiment of the invention, judging whether the process used by the account executes an operation that modifies the permission of the account from non-system-highest permission to system-highest permission may include: judging whether the process used by the account executes an operation that writes vulnerability attack code to a preset address, where the vulnerability attack code is code used to modify the permission of the account from non-system-highest permission to system-highest permission; when the process used by the account executes the operation of writing the vulnerability attack code to the preset address, judging that the process used by the account executes the operation that modifies the permission of the account from non-system-highest permission to system-highest permission; when the process used by the account does not execute the operation of writing the vulnerability attack code to the preset address, judging that the process used by the account does not execute the operation that modifies the permission of the account from non-system-highest permission to system-highest permission.
The preset address may be an address segment whose start address is memory address 0, and the operation of writing the vulnerability attack code to the preset address can be realised by calling a mapping function.
In the above embodiment of the invention, the process used by a non-root account (i.e. an account with non-system-highest permission) is monitored for whether it calls the system's mapping function to write vulnerability attack code to memory address 0, in order to judge whether that operation is an operation that elevates user permission. If it is, the operation is confirmed to be a permission-elevating operation (i.e. an operation that modifies the permission of the account from non-system-highest permission to system-highest permission), the process is a privilege-escalation vulnerability attack process, and a privilege-escalation vulnerability attack is confirmed to exist in the system.
In the application scenario of a Linux system, the first configuration file of the first monitoring program can be modified in the Linux system: the above predetermined operation information (i.e. an audit rule) can be added to the first configuration file to obtain the second configuration file. Specifically, the above predetermined operation information can be: a non-root account uses the mmap function to map the first parameter of the vulnerability attack code to memory address 0.
The mmap function maps a file or other object into memory. Memory address 0 is the start address of the mapping area, namely the mapping address of the first character of the mapped file or object; memory address 0x0 is the hexadecimal notation of the memory address, and memory address 0 is the decimal notation.
In this embodiment, the predetermined operation information expressed in code may include: the account ID of the account with non-system-highest permission is not zero, the mapping address of the first parameter mapped by the called mapping function is the zero address, and the mapping operation executes successfully. For example: auditctl -a exit,always -S mmap2 -F uid!=0 -F a0=0 -F a2=7 -F success=1.
Here, -a indicates that messages about the access vector cache (AVC) are reported; in this embodiment it is exit,always, meaning that the monitoring thread is started as soon as a call to a system kernel function completes. -S reports messages about system calls; in this embodiment it is mmap2, namely the called system kernel function is the mapping function, whose working principle is elaborated in the above embodiments and is not repeated here. -F reports messages about files; the above embodiment includes four file messages. The first is uid!=0, where uid is the account ID in the above embodiments and ID is the identity number, i.e. the account ID of the account with non-system-highest permission is not equal to zero, while in a Linux system the account ID (i.e. uid) of the root account (i.e. the account with system-highest permission) is equal to zero. The second is a0=0, where a0 is the mapping address of the first parameter mapped when the mmap function is called, and that mapping address is address 0. The third is -F a2=7, indicating that the mapping of the third parameter of the mmap call (the value 7) is readable, writable and executable. The fourth is success=1, which indicates that the mapping action executed successfully.
In the above embodiments, if the operation information of a mapping operation meets the above predetermined operation information, kernel code (i.e. the vulnerability attack code in the above embodiments) has been mapped with mmap to address 0x0; a hacking tool can then execute malicious shellcode (i.e. the vulnerability attack code in the above embodiments) by triggering a kernel BUG (i.e. the vulnerability). The mapping operation is therefore judged to be a vulnerability attack operation, and it is determined that a vulnerability attack has occurred in the system. The vulnerability attack code may also include code that tampers with system files.
For vulnerabilities of the kernel null pointer dereference type, a privilege-escalation attack on the vulnerability can be realised through the above mapping operation.
Specifically, monitoring whether the process used by a non-root account (i.e. an account with non-system-highest permission) calls the system's mapping function to write vulnerability attack code to memory address 0 can be: extract from the operation information the account ID of the account with non-system-highest permission, the mapping address of the first mapped parameter, and the execution result of the mapping operation; judge whether the mapping address of the first mapped parameter is the zero address, whether the execution result of the mapping operation indicates success, and whether the account ID is not zero; when the mapping address of the first mapped parameter is the zero address, the execution result of the mapping operation indicates success, and the account ID is not zero, judge that the operation information is consistent with the predetermined operation information; when any one of these three conditions does not hold, judge that the operation information is inconsistent with the predetermined operation information.
In another optional embodiment of the invention, judging whether the process used by the account executes an operation that modifies the permission of the account from non-system-highest permission to system-highest permission may include: judging whether the process used by the account executes an operation that modifies the account ID of the account to a preset value; when the process used by the account executes the operation of modifying the account ID of the account to the preset value, judging that the process used by the account executes the operation that modifies the permission of the account from non-system-highest permission to system-highest permission; when the process used by the account does not execute the operation of modifying the account ID of the account to the preset value, judging that the process used by the account does not execute the operation that modifies the permission of the account from non-system-highest permission to system-highest permission.
The preset value corresponds to system-highest permission and can be zero, and the operation of modifying the account ID of the account to the preset value can be realised by calling an identity-setting function.
In embodiments of the invention, the process used by a non-root account (i.e. an account with non-system-highest permission) is monitored for whether it calls the system kernel's identity-setting function to modify the account ID of the account to the preset value, in order to judge whether that operation is an operation that elevates user permission. If it is, the operation is confirmed to be a permission-elevating operation (i.e. an operation that modifies the permission of the account from non-system-highest permission to system-highest permission), the process is a privilege-escalation vulnerability attack process, and a privilege-escalation vulnerability attack is confirmed to exist in the system.
In the application scenario of a Linux system, the first configuration file is modified in the Linux system: the above predetermined operation information (i.e. an audit rule) can be added to the first configuration file to obtain the second configuration file. Specifically, the predetermined operation information can be: a non-root account uses the identity-setting function (i.e. the setuid function) to switch the permission of the account to root permission.
The setuid function is the function that sets the uid; both the real account ID and the effective account ID can be set through this function. Specifically, in a Linux system, if an account with non-root permission (but whose euid=0, i.e. whose effective account ID is zero) calls this function and modifies the account ID of the current account to uid=0, the non-root account is turned into a root account.
In the above embodiment of the invention, the predetermined operation information expressed in code may include: the account ID of the account with non-system-highest permission is not zero and the identity change operation executes successfully. For example: auditctl -a exit,always -S setuid32 -F uid!=0 -F euid=0 -F success=1.
Here, -a indicates that messages about the access vector cache (AVC) are reported; in this embodiment it is exit,always, meaning that the monitoring thread is started as soon as a call to a system kernel function completes. -S reports messages about system calls; in this embodiment it is setuid32, namely the called system kernel function is the identity-setting function, whose working principle is elaborated in the above embodiments and is not repeated here; the 32 indicates 32-bit hardware devices. -F reports messages about files; the above embodiment includes three file messages. The first is uid!=0, where uid is the account ID of the default-permission user in the above embodiments and ID is the identity number, i.e. the account ID of the account with non-system-highest permission is not equal to zero, while in a Linux system the account ID (i.e. uid) of the root account (i.e. the account with system-highest permission) is equal to zero. The second, -F euid=0, indicates that the euid (effective account ID) of the current account is zero. The third is success=1, which indicates that the identity change operation executed successfully (the function was called and the uid was modified successfully). The identity change action in the above embodiments is the action of changing the account ID.
In the above embodiments, if the operation information of an identity change operation meets the above predetermined operation information, it is determined that the account with non-system-highest permission has modified its permission to root permission, i.e. the current account has obtained root permission through a vulnerability attack (its uid has been modified to 0). The process has obtained root permission through the setuid function in order to start a shell (command interpreter) process and carry out subsequent attack operations, so the operation is judged to be a vulnerability attack operation and it is determined that a vulnerability attack has occurred in the system.
It should be further noted that judging whether the account executes the operation of modifying the account ID of the account to the preset value may include: extract, from the operation information of the account with non-system-highest permission in the system call information, the account ID and the execution result of the identity change operation; judge whether the account ID is not zero and whether the execution result of the identity change operation indicates success; when the account ID is not zero and the execution result of the identity change operation indicates success, judge that the predetermined operation information is consistent with the operation information; when the account ID is zero and/or the execution result of the identity change operation indicates failure, judge that the predetermined operation information is inconsistent with the operation information.
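As an added example that is not part of the patent, the following Python applies both predetermined operation information rules above, the mmap2 rule of the mapping embodiment and the setuid32 rule of the identity-change embodiment, to auditd SYSCALL records and returns one alert per match. It assumes i386 syscall numbers (192 = mmap2, 213 = setuid32) and auditd's default text layout, in which syscall arguments are printed in hexadecimal and success is "yes" or "no"; the log lines are constructed sample data.

```python
import re

# Assumption: i386 syscall numbers, matching the mmap2/setuid32 names used in
# the patent's auditctl rules. Other architectures use different numbers.
I386_SYSCALLS = {192: "mmap2", 213: "setuid32"}

# key=value fields; quoted values such as comm="..." may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

# Each rule is the predicate form of one predetermined operation information
# line from the patent; -F success=1 becomes success == "yes" in the record.
RULES = {
    # auditctl -a exit,always -S mmap2 -F uid!=0 -F a0=0 -F a2=7 -F success=1
    "mmap_zero_page": lambda r: (
        r["syscall"] == "mmap2" and r["uid"] != 0
        and r["a0"] == 0 and r["a2"] == 7 and r["success"]),
    # auditctl -a exit,always -S setuid32 -F uid!=0 -F euid=0 -F success=1
    "setuid_to_root": lambda r: (
        r["syscall"] == "setuid32" and r["uid"] != 0
        and r["euid"] == 0 and r["success"]),
}


def parse_syscall_record(line):
    """Extract the fields the rules need from one SYSCALL record, else None."""
    if not line.startswith("type=SYSCALL"):
        return None  # PATH, CWD, PROCTITLE ... records carry no syscall args
    raw = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    event = EVENT_RE.search(line)
    try:
        return {
            "event_id": int(event.group(2)) if event else None,
            "syscall": I386_SYSCALLS.get(int(raw["syscall"]), raw["syscall"]),
            "uid": int(raw["uid"]),
            "euid": int(raw["euid"]),
            "a0": int(raw["a0"], 16),  # auditd prints syscall args in hex
            "a2": int(raw["a2"], 16),
            "success": raw["success"] == "yes",
            "comm": raw.get("comm", ""),
        }
    except (KeyError, ValueError):
        return None  # truncated or malformed record: reject, do not guess


def match_rules(record):
    """Names of the predetermined operation information rules the record meets."""
    return [name for name, pred in RULES.items() if pred(record)]


def detect(lines):
    """Steps S408-S412 over a log: one alert per SYSCALL record meeting a rule."""
    alerts = []
    for line in lines:
        rec = parse_syscall_record(line)
        if rec is None:
            continue
        for name in match_rules(rec):
            alerts.append({"rule": name, "event_id": rec["event_id"],
                           "uid": rec["uid"], "comm": rec["comm"]})
    return alerts


def _rec(event, syscall, uid, euid, a0, a2, success, comm):
    """Build a constructed SYSCALL record in auditd's text layout (sample data)."""
    return (f"type=SYSCALL msg=audit(1404123456.{event}:{event}): arch=40000003 "
            f"syscall={syscall} success={success} exit={0 if success == 'yes' else -1} "
            f"a0={a0} a1=1000 a2={a2} a3=32 items=0 ppid=1200 pid=1201 auid=1000 "
            f"uid={uid} gid=1000 euid={euid} suid={euid} fsuid={euid} egid=1000 "
            f'sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="{comm}" exe="/tmp/{comm}" '
            f"key=(null)")


# Constructed sample log, not real audit data.
SAMPLE_LOG = [
    # non-root process maps address 0 read/write/exec: meets mmap_zero_page
    _rec(1001, 192, 1000, 1000, "0", "7", "yes", "exploit"),
    # uid 1000 with euid 0 calls setuid32 successfully: meets setuid_to_root
    _rec(1002, 213, 1000, 0, "0", "0", "yes", "exploit"),
    # root itself maps address 0: uid!=0 does not hold, no alert
    _rec(1003, 192, 0, 0, "0", "7", "yes", "kexec"),
    # failed setuid by an ordinary user: success=1 does not hold, no alert
    _rec(1004, 213, 1000, 1000, "0", "0", "no", "prog"),
    # ordinary anonymous mapping at a non-zero address: a0=0 does not hold
    _rec(1005, 192, 1000, 1000, "b7f00000", "3", "yes", "bash"),
    # PATH record from the same event: no syscall fields, skipped
    'type=PATH msg=audit(1404123456.1001:1001): item=0 name="/tmp/exploit" '
    "inode=4242 dev=08:01 mode=0100755",
    # truncated SYSCALL record: rejected rather than partially matched
    "type=SYSCALL msg=audit(1404123456.1007:1007): arch=40000003 syscall=192 "
    "success=yes exit=0 a0=0",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)  # two alerts: mmap_zero_page (1001), setuid_to_root (1002)
```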
It should be noted that for the various method embodiments described above, for simple description, therefore, it is stated as a series of Combination of actions, but those skilled in the art should understand that, the present invention is not limited by the sequence of acts described because According to the present invention, some steps may be performed in other sequences or simultaneously.Secondly, those skilled in the art should also know It knows, the embodiments described in the specification are all preferred embodiments, and related actions and modules is not necessarily of the invention It is necessary.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be realised by means of software plus the necessary general hardware platform, and naturally also by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the invention, or in other words the part that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, magnetic disk or optical disc) and including a number of instructions that cause a terminal device (which may be a mobile phone, computer, server or network device, etc.) to execute the method described in each embodiment of the invention.
Embodiment 2
According to an embodiment of the invention, a detection device for system vulnerability attacks that implements the above embodiments is also provided. The device can be realised through the detection method involved in the embodiments; the implementation process of the application is described in detail below.
Fig. 5 is a schematic diagram of the detection device for system vulnerability attacks according to an embodiment of the invention. As shown in Fig. 5, the detection device may include: a first acquisition module 21, a first judgment module 23 and a first determining module 25.
The first acquisition module is used to obtain the operation information of the operation currently executed in the system by the account with non-system-highest permission.
The first judgment module is used to judge whether the operation indicated by the operation information modifies the permission of the account from non-system-highest permission to system-highest permission.
The first determining module is used to judge that a vulnerability attack exists in the system if the operation indicated by the operation information modifies the permission of the account from non-system-highest permission to system-highest permission.
Specifically, the first determining module is also used to judge that no vulnerability attack exists in the system if the operation indicated by the operation information does not modify the permission of the account from non-system-highest permission to system-highest permission.
With the embodiment of the invention, the operation information of the operation currently executed in the system by the account with non-system-highest permission is analysed, and whether a vulnerability attack exists in the system is judged according to whether the operation indicated by the operation information modifies the permission of the account from non-system-highest permission to system-highest permission. This does not depend on analysing changes in the permission state of the process, so it will not misjudge a legitimate user's normal permission switch; and as long as the account with non-system-highest permission executes an operation that modifies the permission of the account from non-system-highest permission to system-highest permission, it can be determined that a vulnerability attack exists in the system, without detecting vulnerability attacks by the features of privilege-escalation vulnerability attacks. The detection is therefore not limited to already discovered privilege-escalation vulnerability attacks and can detect vulnerability attacks unknown in the prior art, making the detection of vulnerability attacks more accurate. This solves the problem in the prior art of low detection accuracy for privilege-escalation vulnerability attacks and achieves the effect of accurately detecting system vulnerability attacks.
With the embodiment of the invention, the detection of vulnerability attacks can be completed without sending the operation information to a dedicated data analysis system, which also shortens the time taken to detect vulnerability attacks.
In the above embodiment of the invention, when it is determined that a vulnerability attack exists in the system, warning information can be output through an output module and an alarm log can be generated through a generation module.
In the above embodiments, non-system-highest permission is non-root permission and system-highest permission is root permission; the above embodiments of the invention can be applied to operating systems such as Linux and Unix. The invention is described in detail below by taking its application in a Linux system as an example.
Linux is a multi-user, multi-tasking operating system based on POSIX (portable operating system interface) and Unix (Unix is a time-sharing operating system: a multi-tasking, multi-user operating system supporting various processor architectures) that supports multithreading and multiple CPUs (processors). The system can run the main Unix tool software, application programs and network protocols, and it can support 32-bit and 64-bit hardware.
Specifically, in a Linux system, the operation information of the operation currently executed by the account with non-system-highest permission can be obtained, and then whether the operation indicated by the operation information is an operation that elevates the permission of the account is judged, specifically whether the operation indicated by the operation information modifies the permission of the account from non-system-highest permission to system-highest permission. If the operation indicated by the operation information modifies the permission of the account from non-system-highest permission to system-highest permission, it is judged that a vulnerability attack exists in the system; if the operation indicated by the operation information does not modify the permission of the account from non-system-highest permission to system-highest permission, it is judged that no vulnerability attack exists in the system.
Non-system-highest permission in the above embodiments is non-root permission. Root permission is the highest system permission; the root user is the super administrator account in a Linux system, which has sovereignty over the whole system and can operate on all objects. For this reason, many hacker attacks on a system need to upgrade a user with non-root permission to a user with root permission; obtaining root permission means obtaining the highest permission of the system, and a user with root permission can perform add, delete, modify and query operations on any file in the system.
In the above embodiment of the invention, the first acquisition module 21 may include: a response module 211, used to obtain, in response to the above operation, the operation information of the operation currently executed in the system by the account with non-system-highest permission; or an acquisition submodule 213, used to obtain, every predetermined period, the operation information of the operation currently executed in the system by the account with non-system-highest permission.
Through the above embodiments, the operation information can be obtained in real time, so that a vulnerability attack can be detected in time.
Optionally, the first judgment module 23 may include: a second acquisition module 231, used to obtain predetermined operation information, where the predetermined operation information is preset operation information for modifying the permission of the account from non-system-highest permission to system-highest permission; a matching module 233, used to match the predetermined operation information with the operation information in order to judge whether the operation indicated by the operation information modifies the permission of the account from non-system-highest permission to system-highest permission; and a sixth determining module 235, used to judge that the operation indicated by the operation information modifies the permission of the account from non-system-highest permission to system-highest permission if the predetermined operation information is consistent with the operation information. The sixth determining module 235 is also used to judge that the operation indicated by the operation information does not modify the permission of the account from non-system-highest permission to system-highest permission if the predetermined operation information is inconsistent with the operation information.
The predetermined operation information is preset operation information for modifying the permission of the account from non-system-highest permission to system-highest permission. That is, if the account with non-system-highest permission executes the operation information recorded in the predetermined operation information, it can be determined that the account with non-system-highest permission has executed the operation that modifies the permission of the account from non-system-highest permission to system-highest permission.
Specifically, the system call information of the system can be obtained. System call information is the data generated in the process of the system calling kernel functions, and may include the operation information of the operation currently executed by the above account with non-system-highest permission. The predetermined operation information is then matched against the operation information of the operation currently executed by the account with non-system-highest permission: when the predetermined operation information is consistent with the operation information, it is judged that the account with non-system-highest permission has executed the operation that modifies the permission of the account from non-system-highest permission to system-highest permission; when the predetermined operation information is inconsistent with the operation information, it is judged that the account with non-system-highest permission has not executed that operation.
The system call process in the above embodiments includes: the request of an application program is passed to the system kernel, the corresponding kernel function is called to complete the processing corresponding to the request, and the processing result is returned to the application program. A series of data is generated in this process; in the above embodiment of the invention, the data generated during the system call is collected in real time, and this system call data may include the above operation information. Specifically, the operation information of the operation currently executed in the system by the account with non-system-highest permission is obtained in response to the operation in the system call; or, every predetermined period, the operation information of the operation currently executed in the system by the account with non-system-highest permission is obtained from the system call data.
The examples and application scenarios realised by each module in the above embodiments are the same as those of the corresponding steps, but are not limited to what is disclosed in the above embodiments; the above modules may run in a terminal or mobile terminal and may be realised by software or hardware.
In the above embodiment of the invention, the first judgment module may include: a first judging submodule, used to judge whether the process used by the account executes an operation that modifies the permission of the account from non-system-highest permission to system-highest permission; and a first determining submodule, used to judge that the operation indicated by the operation information modifies the permission of the account from non-system-highest permission to system-highest permission if the process used by the account executes such an operation, and otherwise to judge that the operation indicated by the operation information does not modify the permission of the account from non-system-highest permission to system-highest permission.
In an optional embodiment of the invention, the first judging submodule may include: a second judging submodule, used to judge whether the process used by the account executes an operation that writes vulnerability attack code to a preset address, where the vulnerability attack code is code used to modify the permission of the account from non-system-highest permission to system-highest permission; a second determining submodule, used to judge that the process used by the account executes the operation that modifies the permission of the account from non-system-highest permission to system-highest permission when the process used by the account executes the operation of writing the vulnerability attack code to the preset address; and a third determining submodule, used to judge that the process used by the account does not execute the operation that modifies the permission of the account from non-system-highest permission to system-highest permission when the process used by the account does not execute the operation of writing the vulnerability attack code to the preset address.
The preset address may be an address segment whose start address is memory address 0, and the operation of writing the vulnerability attack code to the preset address can be realised by calling a mapping function.
In the above embodiment of the invention, the process used by a non-root account (i.e. an account with non-system-highest permission) is monitored for whether it calls the system's mapping function to write vulnerability attack code to memory address 0, in order to judge whether that operation is an operation that elevates user permission. If it is, the operation is confirmed to be a permission-elevating operation (i.e. an operation that modifies the permission of the account from non-system-highest permission to system-highest permission), the process is a privilege-escalation vulnerability attack process, and a privilege-escalation vulnerability attack is confirmed to exist in the system.
In the application scenario of a Linux system, the first configuration file of the first monitoring program can be modified in the Linux system: the above predetermined operation information (i.e. an audit rule) can be added to the first configuration file to obtain the second configuration file. Specifically, the above predetermined operation information can be: a non-root account uses the mmap function to map the first parameter of the vulnerability attack code to memory address 0.
In another optional embodiment of the invention, the first judging submodule may include: a third judging submodule, used to judge whether the process used by the account executes an operation that modifies the account ID of the account to a preset value; a fourth determining submodule, used to judge that the process used by the account executes the operation that modifies the permission of the account from non-system-highest permission to system-highest permission when the process used by the account executes the operation of modifying the account ID of the account to the preset value; and a fifth determining submodule, used to judge that the process used by the account does not execute the operation that modifies the permission of the account from non-system-highest permission to system-highest permission when the process used by the account does not execute the operation of modifying the account ID of the account to the preset value.
The preset value corresponds to system-highest permission and can be zero, and the operation of modifying the account ID of the account to the preset value can be realised by calling an identity-setting function.
In embodiments of the invention, the process used by a non-root account (i.e. an account with non-system-highest permission) is monitored for whether it calls the system kernel's identity-setting function to modify the account ID of the account to the preset value, in order to judge whether that operation is an operation that elevates user permission. If it is, the operation is confirmed to be a permission-elevating operation (i.e. an operation that modifies the permission of the account from non-system-highest permission to system-highest permission), the process is a privilege-escalation vulnerability attack process, and a privilege-escalation vulnerability attack is confirmed to exist in the system.
In the application scenarios of linux system, the first configuration file is modified in linux system, it can will be above-mentioned pre- If operation information (i.e. audit rule) increases in the first configuration file, the second configuration file is obtained.Specifically, predetermined registration operation Information can be with are as follows: the permission of account is switched to root using identity setting function (i.e. setuid function) by non-root authority account The operation of permission.
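The two Linux audit rules above (a non-root process mapping address 0, and a non-root process switching to root through setuid), together with the matching of operation information against the predetermined operation information, as an added example that is not part of the patent: a Python detector that parses constructed audit SYSCALL records and applies both checks. The audit field names are real and the syscall numbers assume x86_64; the auditd rules in the comment, the sample records, the process names and the paths are assumptions made for the example, and the MAP_FIXED requirement is an extra check not stated in the text.

```python
"""Privilege-escalation indicators in Linux audit SYSCALL records.

Added example, not the patent's code: it checks the two predetermined operations
the text describes (a non-root process mapping address 0, and a non-root process
setting its account ID to the preset value 0 via a setuid-family call) against
constructed audit lines. Field names follow the Linux audit SYSCALL record format,
syscall numbers assume x86_64, and all sample records, names and paths are made up.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

MMAP = 9                                      # x86_64 syscall numbers (arch=c000003e)
SETUID_FAMILY = {105: ("setuid", 1), 113: ("setreuid", 2), 117: ("setresuid", 3)}
MAP_FIXED = 0x10                              # bit in mmap's flags argument (a3)
ROOT_ACCOUNT_ID = 0                           # the "preset value" for system highest permission

# Illustrative auditd rules (assumed, not the patent's configuration file) that
# would produce the records consumed below:
#   -a always,exit -F arch=b64 -S mmap -F a0=0 -k null_map
#   -a always,exit -F arch=b64 -S setuid,setreuid,setresuid -F a0=0 -k set_root_id

_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_SERIAL = re.compile(r"audit\(([^)]*)\)")


@dataclass(frozen=True)
class Alert:
    serial: str   # timestamp:serial of the offending record
    euid: int     # effective account ID of the process at the time
    comm: str     # process name from the record
    reason: str


def parse_record(line: str) -> dict:
    """Split one audit line into key/value fields, unquoting quoted values."""
    fields = {}
    for key, val in _KV.findall(line):
        fields[key] = val[1:-1] if val.startswith('"') else val
    return fields


def _arg(fields: dict, name: str) -> Optional[int]:
    """Audit prints syscall arguments in hex without a 0x prefix."""
    raw = fields.get(name)
    return None if raw is None else int(raw, 16)


def check_record(fields: dict) -> Optional[Alert]:
    """Return an Alert if the record shows one of the two predetermined operations."""
    if fields.get("type") != "SYSCALL":
        return None
    # Key on the effective ID: a process already running as root (sudo or su after
    # executing a setuid-root binary) legitimately calls setuid(0), so only a
    # process that does not yet hold root permission is of interest.
    euid = int(fields.get("euid", fields.get("uid", "0")))
    if euid == ROOT_ACCOUNT_ID:
        return None
    nr = int(fields["syscall"])
    m = _SERIAL.search(fields.get("msg", ""))
    serial = m.group(1) if m else "?"
    comm = fields.get("comm", "?")
    if nr == MMAP:
        addr, flags = _arg(fields, "a0"), _arg(fields, "a3")
        # Without MAP_FIXED an address of 0 is only a hint and is the normal way to
        # call mmap, so MAP_FIXED is required here to avoid false alarms (tighter
        # than the rule in the text, which keys on the first argument alone).
        if addr == 0 and flags is not None and flags & MAP_FIXED:
            outcome = "succeeded" if fields.get("success") == "yes" else "was denied"
            return Alert(serial, euid, comm, f"mmap of address 0 with MAP_FIXED ({outcome})")
    elif nr in SETUID_FAMILY:
        name, nargs = SETUID_FAMILY[nr]
        if ROOT_ACCOUNT_ID in [_arg(fields, f"a{i}") for i in range(nargs)]:
            return Alert(serial, euid, comm, f"{name} sets account ID to 0 from euid {euid}")
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run check_record over raw audit lines and collect the alerts."""
    return [a for a in map(check_record, map(parse_record, lines)) if a is not None]


# Constructed sample records; timestamps, serials, names and paths are made up.
SAMPLE_LOG = [
    # 1. ordinary anonymous mapping by a non-root process: a0=0 is only a hint
    'type=SYSCALL msg=audit(1401753600.101:11): arch=c000003e syscall=9 success=yes '
    'exit=139900000000 a0=0 a1=1000 a2=3 a3=22 uid=1000 euid=1000 comm="editor" exe="/usr/bin/editor"',
    # 2. non-root process requests a fixed mapping at address 0 (refused by mmap_min_addr)
    'type=SYSCALL msg=audit(1401753600.202:12): arch=c000003e syscall=9 success=no '
    'exit=-1 a0=0 a1=1000 a2=7 a3=32 uid=1000 euid=1000 comm="poc" exe="/tmp/poc"',
    # 3. setuid-root helper changing IDs: euid is already 0, so this is not an escalation
    'type=SYSCALL msg=audit(1401753600.303:13): arch=c000003e syscall=105 success=yes '
    'exit=0 a0=3e8 a1=0 a2=0 a3=0 uid=1000 euid=0 comm="sudo" exe="/usr/bin/sudo"',
    # 4. non-root process sets real, effective and saved IDs to 0
    'type=SYSCALL msg=audit(1401753600.404:14): arch=c000003e syscall=117 success=yes '
    'exit=0 a0=0 a1=0 a2=0 a3=0 uid=1000 euid=1000 comm="poc" exe="/tmp/poc"',
]
```

Running `scan(SAMPLE_LOG)` flags records 2 and 4 only; the denied mmap is still reported because the attempt itself is the indicator, while the setuid-root helper in record 3 is ignored because it already holds root.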
The examples and application scenarios implemented by the modules in the above embodiments are the same as those of the corresponding steps, but are not limited to what is disclosed in the above embodiments; the modules may run on a terminal or a mobile terminal and may be implemented in software or hardware.
Embodiment 3
Embodiments of the invention also provide a terminal. Optionally, in this embodiment, the terminal can execute the detection method for system vulnerability attacks, and the detection device for system vulnerability attacks in the above embodiments can be arranged on the terminal.
Fig. 7 is a structural block diagram of a terminal according to an embodiment of the invention. As shown in Fig. 7, the terminal 30 may include one or more processors 31 (only one is shown in the figure), a memory 33 and a transmitting device 35.
The memory 33 can be used to store software programs and modules, such as the program instructions/modules corresponding to the security vulnerability detection method and device in the embodiments of the invention; the processor 31 executes various function applications and data processing by running the software programs and modules stored in the memory 33, thereby implementing the above detection method for system vulnerability attacks. The memory 33 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 33 may further include memory located remotely from the processor 31; such remote memory can be connected to the terminal 30 through a network. Examples of such a network include, but are not limited to, the internet, an intranet, a local area network, a mobile communication network, and combinations thereof.
The transmitting device 35 is used to receive or send data via a network and can also be used for data transmission between the processor and the memory. Specific examples of the network may include wired and wireless networks. In one example, the transmitting device 35 includes a network interface controller (NIC), which can be connected by cable to other network devices and routers so as to communicate with the internet or a local area network. In one example, the transmitting device 15 is a radio frequency (RF) module used to communicate wirelessly with the internet.
Specifically, the memory 33 is used to store the predetermined operation information and the application program.
The processor 31 can call, through the transmitting device 35, the predetermined operation information and the application program stored in the memory 33 in order to execute the following steps: obtaining the operation information of the operation currently performed in the system by an account with non-system-highest permission; judging whether the operation indicated by the operation information modifies the permission of the account from the non-system-highest permission to the system highest permission; and, if the operation indicated by the operation information modifies the permission of the account from the non-system-highest permission to the system highest permission, judging that a vulnerability attack exists in the system.
In the above embodiments, the processor 31 is also used to judge that no vulnerability attack exists in the system when the operation indicated by the operation information is not one that modifies the permission of the account from the non-system-highest permission to the system highest permission.
With the embodiments of the invention, the operation information of the operation currently performed in the system by an account with non-system-highest permission is analyzed, and whether a vulnerability attack exists in the system is judged according to whether the operation indicated by the operation information modifies the permission of the account from the non-system-highest permission to the system highest permission. This does not depend on analyzing changes in the permission state of the process, so the normal permission switching of a legitimate user is not misjudged. As long as an account with non-system-highest permission executes an operation that modifies its permission from the non-system-highest permission to the system highest permission, a vulnerability attack can be determined to exist in the system, without detecting vulnerability attacks by the features of known privilege-escalation vulnerability attacks; detection is therefore not limited to privilege-escalation vulnerability attacks that have already been discovered and can detect vulnerability attacks unknown in the prior art, making the detection of vulnerability attacks more accurate. This solves the problem in the prior art of low accuracy in detecting privilege-escalation vulnerability attacks and achieves accurate detection of system vulnerability attacks.
Through the embodiments of the invention, the operation information need not be sent to a dedicated data analysis system; the detection of vulnerability attacks can be completed in the processor 31 of the system, which also shortens the time needed to detect a vulnerability attack.
In the above embodiments, the non-system-highest permission is non-root permission, and the system highest permission is root permission.
In the above embodiments of the invention, the processor is also used to perform the following operations: obtaining the operation information of the operation currently performed in the system by an account with non-system-highest permission may include obtaining, in response to the operation, the operation information of the operation currently performed in the system by the account with non-system-highest permission; or obtaining, every predetermined period, the operation information of the operation currently performed in the system by the account with non-system-highest permission.
In the above embodiments of the invention, the processor is also used to perform the following operations: judging whether the process used by the account executes an operation that modifies the permission of the account from the non-system-highest permission to the system highest permission; if the process used by the account executes the operation that modifies the permission of the account from the non-system-highest permission to the system highest permission, judging that the operation indicated by the operation information modifies the permission of the account from the non-system-highest permission to the system highest permission; otherwise, judging that the operation indicated by the operation information does not modify the permission of the account from the non-system-highest permission to the system highest permission.
Through the above embodiments, the operation information can be obtained in real time, so that a vulnerability attack can be detected in a timely manner.
Optionally, the processor is also used to perform the following operations: judging whether the process used by the account executes an operation that writes vulnerability attack code to a preset address, where the vulnerability attack code is code for the operation of modifying the permission of the account from the non-system-highest permission to the system highest permission; when the process used by the account executes the operation of writing the vulnerability attack code to the preset address, judging that the process used by the account executes the operation of modifying the permission of the account from the non-system-highest permission to the system highest permission; when the process used by the account does not execute the operation of writing the vulnerability attack code to the preset address, judging that the process used by the account does not execute the operation of modifying the permission of the account from the non-system-highest permission to the system highest permission.
In the above embodiments of the invention, the processor is also used to perform the following operations: judging whether the process used by the account executes an operation that modifies the account ID of the account to a preset value, where the preset value corresponds to the system highest permission; when the process used by the account executes the operation that modifies the account ID of the account to the preset value, judging that the process used by the account executes the operation of modifying the permission of the account from the non-system-highest permission to the system highest permission; when the process used by the account does not execute the operation that modifies the account ID of the account to the preset value, judging that the process used by the account does not execute the operation of modifying the permission of the account from the non-system-highest permission to the system highest permission.
Optionally, the processor is also used to perform the following operations: obtaining predetermined operation information, where the predetermined operation information is preset operation information for modifying the permission of the account from the non-system-highest permission to the system highest permission; matching the predetermined operation information with the operation information to judge whether the operation indicated by the operation information modifies the permission of the account from the non-system-highest permission to the system highest permission; if the predetermined operation information is consistent with the operation information, judging that the operation indicated by the operation information modifies the permission of the account from the non-system-highest permission to the system highest permission; if the predetermined operation information is inconsistent with the operation information, judging that the operation indicated by the operation information does not modify the permission of the account from the non-system-highest permission to the system highest permission.
Those skilled in the art will appreciate that the structure shown in Fig. 7 is only illustrative; the terminal can be a terminal device such as a smart phone (for example an Android phone or an iOS phone), a tablet computer, a palmtop computer, a mobile internet device (MID), or a PAD. Fig. 7 does not limit the structure of the above electronic device. For example, the terminal 30 may include more or fewer components than shown in Fig. 7 (such as a network interface or a display device), or may have a configuration different from that shown in Fig. 7.
Those of ordinary skill in the art will appreciate that all or part of the steps in the various methods of the above embodiments can be completed by a program instructing the relevant hardware of a terminal device; the program can be stored in a computer-readable storage medium, which may include a flash disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, or an optical disc.
Embodiment 4
Embodiments of the invention also provide a storage medium. Optionally, in this embodiment, the storage medium stores program code for executing the detection method for system vulnerability attacks.
Optionally, in this embodiment, the storage medium can be located in the terminal shown in Embodiment 3.
Optionally, in this embodiment, the storage medium is arranged to store program code for executing the following steps:
Step S102: obtaining the operation information of the operation currently performed in the system by an account with non-system-highest permission.
Step S104: judging whether the operation indicated by the operation information modifies the permission of the account from the non-system-highest permission to the system highest permission.
Step S106: if the operation indicated by the operation information modifies the permission of the account from the non-system-highest permission to the system highest permission, judging that a vulnerability attack exists in the system.
Specifically, the storage medium is arranged to store program code for executing the following step: if the operation indicated by the operation information is not one that modifies the permission of the account from the non-system-highest permission to the system highest permission, judging that no vulnerability attack exists in the system.
With the embodiments of the invention, the operation information of the operation currently performed in the system by an account with non-system-highest permission is analyzed, and whether a vulnerability attack exists in the system is judged according to whether the operation indicated by the operation information modifies the permission of the account from the non-system-highest permission to the system highest permission. This does not depend on analyzing changes in the permission state of the process, so the normal permission switching of a legitimate user is not misjudged. As long as an account with non-system-highest permission executes an operation that modifies its permission from the non-system-highest permission to the system highest permission, a vulnerability attack can be determined to exist in the system, without detecting vulnerability attacks by the features of known privilege-escalation vulnerability attacks; detection is therefore not limited to privilege-escalation vulnerability attacks that have already been discovered and can detect vulnerability attacks unknown in the prior art, making the detection of vulnerability attacks more accurate. This solves the problem in the prior art of low accuracy in detecting privilege-escalation vulnerability attacks and achieves accurate detection of system vulnerability attacks.
Optionally, the storage medium is also arranged to store program code for executing the following steps: obtaining the operation information of the operation currently performed in the system by an account with non-system-highest permission may include obtaining, in response to the operation, the operation information of the operation currently performed in the system by the account with non-system-highest permission; or obtaining, every predetermined period, the operation information of the operation currently performed in the system by the account with non-system-highest permission.
Optionally, the storage medium is also arranged to store program code for executing the following steps: obtaining predetermined operation information, where the predetermined operation information is preset operation information for modifying the permission of the account from the non-system-highest permission to the system highest permission; matching the predetermined operation information with the operation information to judge whether the operation indicated by the operation information modifies the permission of the account from the non-system-highest permission to the system highest permission; if the predetermined operation information is consistent with the operation information, judging that the operation indicated by the operation information modifies the permission of the account from the non-system-highest permission to the system highest permission; if the predetermined operation information is inconsistent with the operation information, judging that the operation indicated by the operation information does not modify the permission of the account from the non-system-highest permission to the system highest permission.
Optionally, in this embodiment, the storage medium can include, but is not limited to, a USB flash disk, read-only memory (ROM), random access memory (RAM), a removable hard disk, a magnetic disk, an optical disc, or any other medium that can store program code.
Optionally, for specific examples in this embodiment, reference can be made to the examples described in Embodiment 1 and Embodiment 2 above; they are not repeated here.
The serial numbers of the above embodiments of the invention are for description only and do not represent the advantages or disadvantages of the embodiments.
In the above embodiments of the invention, each embodiment is described with its own emphasis; for parts not described in detail in one embodiment, reference can be made to the related descriptions of the other embodiments.
In the several embodiments provided herein, it should be understood that the disclosed terminal can be implemented in other ways. The device embodiments described above are merely illustrative: for example, the division into units is only a logical functional division, and other divisions are possible in actual implementation, such as combining multiple units or components, integrating them into another system, or ignoring or not executing some features. Further, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, units or modules, and may be electrical or of another form.
Units described as separate parts may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the various embodiments of the invention may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the invention, in essence or in the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product stored in a storage medium and including several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or part of the steps of the methods of the embodiments of the invention. The storage medium includes various media that can store program code, such as a USB flash disk, read-only memory (ROM), random access memory (RAM), a removable hard disk, a magnetic disk, or an optical disc.
The above are only preferred embodiments of the invention. It should be noted that those of ordinary skill in the art may make various improvements and modifications without departing from the principle of the invention, and these improvements and modifications should also be regarded as within the scope of protection of the invention.

Claims (12)

1. A detection method for a system vulnerability attack, characterized by comprising:
obtaining operation information of an operation currently performed in a system by an account having non-system-highest permission;
obtaining predetermined operation information, wherein the predetermined operation information is preset information for modifying the permission of the account from the non-system-highest permission to a system highest permission;
matching the predetermined operation information with the operation information;
if the predetermined operation information is consistent with the operation information, judging that the operation indicated by the operation information modifies the permission of the account from the non-system-highest permission to the system highest permission;
if the operation indicated by the operation information modifies the permission of the account from the non-system-highest permission to the system highest permission, judging that a vulnerability attack exists in the system.
2. The detection method according to claim 1, characterized in that matching the predetermined operation information with the operation information comprises:
judging whether a process used by the account executes an operation of modifying the permission of the account from the non-system-highest permission to the system highest permission;
if the process used by the account executes the operation of modifying the permission of the account from the non-system-highest permission to the system highest permission, judging that the operation indicated by the operation information modifies the permission of the account from the non-system-highest permission to the system highest permission; otherwise, judging that the operation indicated by the operation information does not modify the permission of the account from the non-system-highest permission to the system highest permission.
3. The detection method according to claim 2, characterized in that judging whether the process used by the account executes the operation of modifying the permission of the account from the non-system-highest permission to the system highest permission comprises:
judging whether the process used by the account executes an operation of writing vulnerability attack code to a preset address, wherein the vulnerability attack code is code used to indicate the operation of modifying the permission of the account from the non-system-highest permission to the system highest permission;
when the process used by the account executes the operation of writing the vulnerability attack code to the preset address, judging that the process used by the account executes the operation of modifying the permission of the account from the non-system-highest permission to the system highest permission;
when the process used by the account does not execute the operation of writing the vulnerability attack code to the preset address, judging that the process used by the account does not execute the operation of modifying the permission of the account from the non-system-highest permission to the system highest permission.
4. The detection method according to claim 2, characterized in that judging whether the process used by the account executes the operation of modifying the permission of the account from the non-system-highest permission to the system highest permission comprises:
judging whether the process used by the account executes an operation of modifying the account ID of the account to a preset value, wherein the preset value corresponds to the system highest permission;
when the process used by the account executes the operation of modifying the account ID of the account to the preset value, judging that the process used by the account executes the operation of modifying the permission of the account from the non-system-highest permission to the system highest permission;
when the process used by the account does not execute the operation of modifying the account ID of the account to the preset value, judging that the process used by the account does not execute the operation of modifying the permission of the account from the non-system-highest permission to the system highest permission.
5. detection method according to any one of claim 1 to 4, which is characterized in that
The operation information of currently performed operation includes: to respond to the account of the acquisition with nonsystematic highest permission in systems The operation obtains the operation information with the account currently performed operation in systems of nonsystematic highest permission;Alternatively, every The operation information with the account currently performed operation in systems of nonsystematic highest permission is obtained every predetermined period;
It is described the predetermined registration operation information is matched with the operation information after, further includes: if the predetermined registration operation information It is inconsistent with the operation information, then judge operation information instruction the operation be not by the permission of the account from The nonsystematic highest permission is revised as system highest permission.
6. detection method according to any one of claim 1 to 4, which is characterized in that the nonsystematic highest weight is limited to Non- root authority, the system highest weight are limited to root authority.
7. A detection device for a system vulnerability attack, characterized by comprising:
a first obtaining module, for obtaining operation information of an operation currently performed in a system by an account having non-system-highest permission;
a first judging module, comprising a second obtaining module, a matching module and a sixth determining module, wherein the second obtaining module is for obtaining predetermined operation information, the predetermined operation information being preset information for modifying the permission of the account from the non-system-highest permission to a system highest permission; the matching module is for matching the predetermined operation information with the operation information; and the sixth determining module is for judging, if the predetermined operation information is consistent with the operation information, that the operation indicated by the operation information modifies the permission of the account from the non-system-highest permission to the system highest permission;
a first determining module, for judging that a vulnerability attack exists in the system if the operation indicated by the operation information modifies the permission of the account from the non-system-highest permission to the system highest permission.
8. The detection device according to claim 7, characterized in that the first judging module comprises:
a first judging submodule, for judging whether a process used by the account executes an operation of modifying the permission of the account from the non-system-highest permission to the system highest permission;
a first determining submodule, for judging, if the process used by the account executes the operation of modifying the permission of the account from the non-system-highest permission to the system highest permission, that the operation indicated by the operation information modifies the permission of the account from the non-system-highest permission to the system highest permission; and otherwise judging that the operation indicated by the operation information does not modify the permission of the account from the non-system-highest permission to the system highest permission.
9. The detection device according to claim 8, characterized in that the first judging submodule comprises:
a second judging submodule, for judging whether the process used by the account executes an operation of writing vulnerability attack code to a preset address, wherein the vulnerability attack code is code used to indicate the operation of modifying the permission of the account from the non-system-highest permission to the system highest permission;
a second determining submodule, for judging, when the process used by the account executes the operation of writing the vulnerability attack code to the preset address, that the process used by the account executes the operation of modifying the permission of the account from the non-system-highest permission to the system highest permission;
a third determining submodule, for judging, when the process used by the account does not execute the operation of writing the vulnerability attack code to the preset address, that the process used by the account does not execute the operation of modifying the permission of the account from the non-system-highest permission to the system highest permission.
10. The detection device according to claim 8, characterized in that the first judging submodule comprises:
a third judging submodule, for judging whether the process used by the account executes an operation of modifying the account ID of the account to a preset value, wherein the preset value corresponds to the system highest permission;
a fourth determining submodule, for judging, when the process used by the account executes the operation of modifying the account ID of the account to the preset value, that the process used by the account executes the operation of modifying the permission of the account from the non-system-highest permission to the system highest permission;
a fifth determining submodule, for judging, when the process used by the account does not execute the operation of modifying the account ID of the account to the preset value, that the process used by the account does not execute the operation of modifying the permission of the account from the non-system-highest permission to the system highest permission.
11. The detection device according to any one of claims 7 to 10, characterized in that
the first obtaining module comprises: a responding module, for obtaining, in response to the operation, the operation information of the operation currently performed in the system by the account having non-system-highest permission; or an obtaining submodule, for obtaining, every predetermined period, the operation information of the operation currently performed in the system by the account having non-system-highest permission;
the sixth determining module is further for judging, if the predetermined operation information is inconsistent with the operation information, that the operation indicated by the operation information does not modify the permission of the account from the non-system-highest permission to the system highest permission.
12. The detection device according to any one of claims 7 to 10, characterized in that the non-system-highest permission is non-root permission and the system highest permission is root permission.
CN201410243549.3A 2014-06-03 2014-06-03 The detection method and device of system vulnerability attack Active CN105224868B (en)

Publications (2)

Publication Number Publication Date
CN105224868A CN105224868A (en) 2016-01-06
CN105224868B true CN105224868B (en) 2019-07-23

Family

ID=54993830

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410243549.3A Active CN105224868B (en) 2014-06-03 2014-06-03 The detection method and device of system vulnerability attack

Country Status (1)

Country Link
CN (1) CN105224868B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
RU2797716C1 (en) * 2022-06-15 2023-06-08 Акционерное общество "Лаборатория Касперского" System and method for detecting the presence of a vulnerability in the operating system based on data on processes and threads

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106778242B (en) * 2016-11-28 2020-10-16 北京奇虎科技有限公司 Kernel vulnerability detection method and device based on virtual machine
CN106650423A (en) * 2016-11-28 2017-05-10 北京奇虎科技有限公司 Object sample file detecting method and device
CN106778284B (en) * 2016-11-28 2021-03-26 北京奇虎科技有限公司 Method and device for detecting kernel vulnerability back end
CN109711169A (en) * 2018-05-04 2019-05-03 360企业安全技术(珠海)有限公司 Means of defence and device, system, storage medium, the electronic device of system file
WO2020132877A1 (en) * 2018-12-25 2020-07-02 奇安信安全技术(珠海)有限公司 Operation detection method and system, and electronic device
CN110489963A (en) * 2019-08-09 2019-11-22 四川虹美智能科技有限公司 A kind of Android system smart machine guard method and device
CN112199672A (en) * 2020-10-10 2021-01-08 北京微步在线科技有限公司 Account authority lifting behavior detection method and device and readable storage medium
CN113779561B (en) * 2021-09-09 2024-03-01 安天科技集团股份有限公司 Kernel vulnerability processing method and device, storage medium and electronic equipment
CN116956310B (en) * 2023-09-21 2023-12-29 腾讯科技(深圳)有限公司 Vulnerability protection method, device, equipment and readable storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101442533A (en) * 2008-12-25 2009-05-27 上海交通大学 Method for generating network authority hoisting route based on data digging technology
CN103023871A (en) * 2012-11-16 2013-04-03 华中科技大学 Android privilege escalation attack detection system and method based on cloud platform

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030140253A1 (en) * 2001-11-16 2003-07-24 Mark Crosbie Method of and apparatus for detecting creation of set user identification (setuid) files, and computer program for enabling such detection
KR100874948B1 (en) * 2007-06-18 2008-12-19 한국전자통신연구원 Apparatus and method to detect and control processes which access lower privileged object

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101442533A (en) * 2008-12-25 2009-05-27 上海交通大学 Method for generating network authority hoisting route based on data digging technology
CN103023871A (en) * 2012-11-16 2013-04-03 华中科技大学 Android privilege escalation attack detection system and method based on cloud platform

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Dynamic defense technology for privilege escalation vulnerabilities in Android; Zhang Yi et al.; Information Security and Communications Privacy (《信息安全与通信保密》); 20131110 (No. 239); pp. 71-74, 79

Also Published As

Publication number Publication date
CN105224868A (en) 2016-01-06

Similar Documents

Publication Publication Date Title
CN105224868B (en) The detection method and device of system vulnerability attack
US11729199B2 (en) Security evaluation system, security evaluation method, and program
CN109766700A (en) Access control method and device, the storage medium, electronic device of file
CA3016392A1 (en) Systems and methods for cyber intrusion detection and prevention
JP2021513170A (en) Unmonitored spoofing detection from traffic data on mobile networks
EP3276907A1 (en) A method and apparatus for testing a security of communication of a device under test
CN104025635A (en) Mobile risk assessment
CN104811453B (en) Active defense method and device
CN110493238A (en) Defence method, device, honey pot system and honey jar management server based on honey jar
CN103581185B (en) Resist the cloud checking and killing method of test free to kill, Apparatus and system
CN107071052A (en) A kind of devices, systems, and methods that cloud back-end services are provided to internet of things equipment
CN110427785A (en) Acquisition methods and device, the storage medium and electronic device of device-fingerprint
US20200410109A1 (en) Security evaluation system, security evaluation method, and program
CN104221024A (en) Unified scan engine
CN109213857A (en) A kind of fraud recognition methods and device
CN109547426B (en) Service response method and server
CN106462694A (en) Device control system, device controller, device control method, and program
CN112035303B (en) Data testing method and device, computer and readable storage medium
CN112732135A (en) Health information display method and device, storage medium and electronic equipment
CN110351237A (en) Honey jar method and device for numerically-controlled machine tool
CN108073499A (en) The test method and device of application program
CN109711149A (en) Dynamic Updating Mechanism determination method and application Life cycle behavior monitoring method
CN114531258B (en) Network attack behavior processing method and device, storage medium and electronic equipment
CN105659247A (en) Context-aware proactive threat management system
CN107196969B (en) The automatic identification and verification method and system of attack traffic

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20240111

Address after: 518000 Tencent Building, No. 1 High-tech Zone, Nanshan District, Shenzhen City, Guangdong Province, 35 Floors

Patentee after: TENCENT TECHNOLOGY (SHENZHEN) Co.,Ltd.

Patentee after: TENCENT CLOUD COMPUTING (BEIJING) Co.,Ltd.

Address before: 2, 518000, East 403 room, SEG science and Technology Park, Zhenxing Road, Shenzhen, Guangdong, Futian District

Patentee before: TENCENT TECHNOLOGY (SHENZHEN) Co.,Ltd.