CN106446690B - Device, method and system for repairing application vulnerabilities - Google Patents
- Publication number
- CN106446690B (application CN201610803096.4A)
- Authority
- CN
- China
- Prior art keywords
- vulnerability
- application
- vulnerability information
- information
- protection segment
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/563—Static detection by source code analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/033—Test or assess software
Abstract
The invention discloses a device for repairing application vulnerabilities. The device comprises: a communication module, adapted to obtain vulnerability information from a security server; a scan module, adapted to detect, according to the vulnerability information, whether the application depends on an object that has a vulnerability; a monitoring module, adapted, if it is detected that the application depends on an object that has a vulnerability, to obtain from the vulnerability information the first object at which the vulnerability is located and to detect the operation of loading the first object; an insertion module, adapted to obtain the corresponding protection segment when it is detected that the first object is about to be loaded into memory, and further adapted to insert the protection segment into the first object to generate a second object; and a processing engine, adapted to execute the second object when the first object is to be executed, and further adapted to execute the protection segment in the second object in order to judge whether a malicious event exploiting the vulnerability exists and, if so, to intercept the malicious event and record event information. The invention also discloses a corresponding method and system for repairing application vulnerabilities.
Description
Technical field
The present invention relates to the field of internet security, and in particular to a device, method and system for repairing application vulnerabilities.
Background technique
With the increasing popularity of the internet, more and more enterprises provide users with products and services through various applications on network servers and application servers. Applications are ubiquitous, they normally run inside the enterprise with access to sensitive data, and the applications operated by large corporations are increasingly complex and diverse, often including many third-party software libraries. Statistics show that vulnerabilities exist in these applications, exposing users to many risks, for example cross-site scripting attacks, SQL injection attacks, malware attacks and other attacks.
In the prior art, dynamic and static application security testing (DAST and SAST) are the more commonly used vulnerability detection tools. These software tools analyse an application and attempt to discover vulnerabilities in it, but they have difficulty discovering vulnerabilities in the third-party libraries and servers that the application depends on. Moreover, many applications only provide an interface and their code cannot be obtained, so even when a vulnerability is found it cannot be repaired. In addition, even if the third-party software vendor is willing to repair the vulnerability, this usually requires waiting for a fairly long period, during which the application remains exposed to danger and still cannot be protected against attacks that exploit the vulnerability. Further, even after the vulnerability has been repaired by the third-party vendor, upgrading the libraries and servers the application depends on also brings higher risk to the application (such as compatibility issues, or new vulnerabilities introduced after the upgrade).
It is therefore desirable to provide a more convenient and more effective scheme for repairing application vulnerabilities.
Summary of the invention
To this end, the present invention provides an application security monitoring scheme that attempts to solve, or at least alleviate, at least one of the problems above.
According to one aspect of the invention, a device for repairing application vulnerabilities is provided. The device resides in an application server, the application server is connected to a security server over a network, and the security server stores at least one item of vulnerability information for at least one vulnerability. The vulnerability information indicates an object that has a vulnerability and the first object within that object at which the vulnerability is located, and includes a corresponding protection segment. The device comprises: a communication module, adapted to obtain vulnerability information from the security server; a scan module, adapted to detect, according to the vulnerability information, whether the application depends on an object that has a vulnerability; a monitoring module, adapted, if the scan module detects that the application depends on an object that has a vulnerability, to obtain from the vulnerability information of that vulnerability the first object at which the vulnerability is located and to detect the operation of loading the first object, the first object being executable to accomplish corresponding logic; an insertion module, adapted to obtain the corresponding protection segment from the vulnerability information when the monitoring module detects that the first object is about to be loaded into memory, and further adapted to insert the obtained protection segment into the first object to generate a second object; and a processing engine, adapted to execute the second object when the first object is to be executed, so as to complete the logic that would be executed for the first object, and further adapted to execute the protection segment in the second object in order to judge, according to the key parameters used to complete that logic, whether a malicious event exploiting the vulnerability exists, and if so to intercept the malicious event and record event information.
Optionally, in the device according to the invention, the object that has a vulnerability includes at least one of the following: a web container, a third-party framework, an application server, a library or a class that has a vulnerability.
Optionally, in the device according to the invention, the first object includes at least one of the following: a class, an interface, and a method, parameter, return value or variable defined therein.
Optionally, in the device according to the invention, the vulnerability information also indicates the insertion position of the protection segment within the first object, and the insertion module is further adapted to insert the protection segment at the corresponding insertion position to generate the second object.
Optionally, in the device according to the invention, the insertion position includes at least one of the following positions: the position at which the first object is initialised, and the position at which a method in the first object starts and/or finishes executing.
Optionally, in the device according to the invention, the event information includes user request details, program stack information and a vulnerability description.
Optionally, in the device according to the invention, the vulnerability includes at least one of the following: the ClassLoader manipulation vulnerability of the Struts framework, the vulnerability of the HttpOnly flag not being set on the session cookie, the denial-of-service vulnerability caused by parseDouble in the Java SDK, the Java deserialization attack vulnerability, and the remote code execution vulnerability of the Struts framework.
Optionally, in the device according to the invention, the communication module is further adapted to send the event information to the security server for storage and for generating a report for user query.
According to another aspect of the invention, an application vulnerability repair system is provided, comprising: the device for repairing application vulnerabilities according to the invention; and a security server, adapted to store at least one item of vulnerability information for at least one vulnerability, the vulnerability information indicating an object that has a vulnerability and the first object within that object at which the vulnerability is located, and including a corresponding protection segment; the security server is further adapted to receive and store the event information of malicious events and to generate a report from the event information for user query.
According to another aspect of the invention, a method for repairing application vulnerabilities is provided, suitable for execution in an application server, the application server being connected to a security server over a network, the security server storing at least one item of vulnerability information for at least one vulnerability, the vulnerability information indicating an object that has a vulnerability and the first object within that object at which the vulnerability is located, and including a corresponding protection segment. The method comprises: obtaining vulnerability information from the security server; detecting, according to the vulnerability information, whether the application depends on an object that has a vulnerability; if it is detected that the application depends on an object that has a vulnerability, obtaining from the vulnerability information of that vulnerability the first object at which the vulnerability is located and detecting the operation of loading the first object, the first object being executable to accomplish corresponding logic; when it is detected that the first object is about to be loaded into memory, obtaining the corresponding protection segment from the vulnerability information; inserting the obtained protection segment into the first object to generate a second object; and when the first object is to be executed, executing the second object so as to complete the logic that would be executed for the first object, wherein the protection segment in the second object is executed in order to judge, according to the key parameters used to complete that logic, whether a malicious event exploiting the vulnerability exists, and if so the malicious event is intercepted and event information is recorded.
Optionally, in the method according to the invention, the object that has a vulnerability includes at least one of the following: a web container, a third-party framework, an application server, a library or a class that has a vulnerability.
Optionally, in the method according to the invention, the first object includes at least one of the following: a class, an interface, and a method, parameter, return value or variable defined therein.
Optionally, in the method according to the invention, the vulnerability information also indicates the insertion position of the protection segment within the first object, and the step of inserting the obtained protection segment into the first object comprises: inserting the protection segment at the corresponding insertion position to generate the second object.
Optionally, in the method according to the invention, the insertion position includes at least one of the following positions: the position at which the first object is initialised, and the position at which a method in the first object starts and/or finishes executing.
Optionally, in the method according to the invention, the event information includes user request details, program stack information and a vulnerability description.
Optionally, in the method according to the invention, the vulnerability includes at least one of the following: the ClassLoader manipulation vulnerability of the Struts framework, the vulnerability of the HttpOnly flag not being set on the session cookie, the denial-of-service vulnerability caused by parseDouble in the Java SDK, the Java deserialization attack vulnerability, and the remote code execution vulnerability of the Struts framework.
Optionally, the method according to the invention further comprises the step of: sending the event information to the security server for storage and for generating a report for user query.
The application vulnerability repair scheme of the invention detects whether an application depends on an object that has a vulnerability and inserts a protection segment into the object that has the vulnerability, thereby repairing the vulnerability quickly and automatically without a lengthy scan-and-repair process, and sparing the user the difficulty and risk of modifying or upgrading the objects the application depends on.
At the same time, the whole scheme is easy to deploy and manage: it only needs simple configuration, the application's code does not have to be modified, and developers are spared the trouble of adding code manually.
Detailed description of the invention
To the accomplishment of the foregoing and related ends, certain illustrative aspects are described herein in connection with the following description and drawings. These aspects indicate various ways in which the principles disclosed herein may be practised, and all aspects and their equivalents are intended to fall within the scope of the claimed subject matter. The above and other objects, features and advantages of the disclosure will become apparent from the following detailed description read in conjunction with the accompanying drawings. Throughout the disclosure, the same reference numerals generally refer to the same components or elements.
Fig. 1 shows a structural block diagram of an application vulnerability repair system 100 according to an exemplary embodiment of the invention;
Fig. 2 shows a structural block diagram of a device 110 for repairing application vulnerabilities according to an exemplary embodiment of the invention; and
Fig. 3 shows a flow chart of a method 200 for repairing application vulnerabilities according to an exemplary embodiment of the invention.
Specific embodiment
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the disclosure are shown in the drawings, it should be understood that the disclosure may be realised in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and its scope fully conveyed to those skilled in the art.
Fig. 1 shows a structural block diagram of an application vulnerability repair system 100 according to an exemplary embodiment. As shown in Fig. 1, the application vulnerability repair system 100 may include a device 110 for repairing application vulnerabilities and a security server 120. The security server 120 stores at least one item of vulnerability information for at least one vulnerability; the vulnerability information indicates an object that has a vulnerability and the first object within that object at which the vulnerability is located, and includes a corresponding protection segment.
The object that has a vulnerability, and the first object within it at which the vulnerability is located, can be obtained by collection from the network; the corresponding protection segment can be obtained by analysing the program's source code (for open-source software) or its interface (for commercial software). For example, the vulnerabilities and their vulnerability information may include at least one of the following: the ClassLoader manipulation vulnerability of the Struts framework, which occurs in the web frameworks Struts1 and Struts2; the vulnerability of the HttpOnly flag not being set on the session cookie, which occurs in the web servers Tomcat 6.0.20 and WebSphere 8.0; the denial-of-service vulnerability caused by parseDouble, which occurs in the Java SDK in JRE 1.5.0_27 and earlier versions; the Java deserialization attack vulnerability, which occurs in the libraries Apache Commons Collections (3.x and 4.x), Spring Beans/Core (4.x) and Groovy (2.3.x); and the Struts framework remote code execution vulnerability, which occurs in versions 2.3.20 to 2.3.28.
The device 110 for repairing application vulnerabilities resides in the application server, and the application server can be connected to the security server 120 over a network. One or more applications are stored on the application server, so that when the application server receives a user's access request it calls the corresponding application to process it. Users can access the application server over the network through a web browser or an application client. The application server receives the user's access request and, in order to process it, needs to call the application on the application server. The access request can be transferred to the application server via the HTTP(S) protocol.
When the application server calls an application to process a user's access request, the device 110 for repairing application vulnerabilities according to the invention, which is included in the application server, works in the runtime environment, goes deep inside the application and understands the application's context, and detects whether the application depends on an object that has a vulnerability; if so, it uses a protection-segment injection technique to repair the vulnerability more precisely and more quickly, while also having a smaller influence on the performance of the system running the application.
Fig. 2 shows a structural block diagram of the device 110 for repairing application vulnerabilities according to an exemplary embodiment. As shown in Fig. 2, the device 110 for repairing application vulnerabilities may include a communication module 111, a scan module 112, a monitoring module 113, an insertion module 114 and a processing engine 115.
The communication module 111 obtains the vulnerability information stored on the security server 120. The vulnerability information indicates the objects that have vulnerabilities, and the scan module 112, connected to the communication module 111, can scan the application and detect, according to the obtained vulnerability information, whether the application depends on an object that has a vulnerability. Here the object that has a vulnerability is usually a web container, a third-party framework, a third-party application server, a library or a class. For a Java application, the scan module 112 can generally check the version of Java, the versions of third-party libraries and servers, and specific class names, to determine whether the application depends on an object that has a vulnerability.
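The version matching that the scan module performs can be illustrated as follows. This is an added example, not code from the patent: the Maven coordinates, the `java.runtime` pseudo-component and the dependency inventory are assumptions constructed for the demo, while the affected version ranges are the ones the description gives.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Added illustration of the scan step: match the components an application depends on
 * (name + version) against the affected-version ranges in the vulnerability information.
 * The component coordinates and the dependency list are constructed for this example. In
 * practice the versions come from each jar's META-INF/MANIFEST.MF (Implementation-Version)
 * or META-INF/maven/.../pom.properties, and from System.getProperty("java.version").
 */
public class DependencyScanDemo {

    /** One vulnerability-information entry: affected component and inclusive version range. */
    static final class VulnInfo {
        final String component, minVersion, maxVersion, description; // null bound = unbounded
        VulnInfo(String component, String minVersion, String maxVersion, String description) {
            this.component = component; this.minVersion = minVersion;
            this.maxVersion = maxVersion; this.description = description;
        }
        /** A short upper bound such as "4" covers the whole 4.x series. */
        boolean affects(String version) {
            if (minVersion != null && compareVersions(version, minVersion, Integer.MAX_VALUE) < 0) return false;
            if (maxVersion != null && compareVersions(version, maxVersion, segments(maxVersion).length) > 0) return false;
            return true;
        }
    }

    static String[] segments(String v) { return v.split("[._]"); }

    /** Numeric, segment-by-segment comparison of the first maxSegments segments ("1.5.0_22" < "1.5.0_27"). */
    static int compareVersions(String a, String b, int maxSegments) {
        String[] pa = segments(a), pb = segments(b);
        int n = Math.min(maxSegments, Math.max(pa.length, pb.length));
        for (int i = 0; i < n; i++) {
            int x = i < pa.length ? leadingNumber(pa[i]) : 0;
            int y = i < pb.length ? leadingNumber(pb[i]) : 0;
            if (x != y) return Integer.compare(x, y);
        }
        return 0;
    }

    /** Leading digits only, so qualifiers such as "28-SNAPSHOT" still compare. */
    static int leadingNumber(String s) {
        int v = 0;
        for (int i = 0; i < s.length() && Character.isDigit(s.charAt(i)); i++) v = v * 10 + (s.charAt(i) - '0');
        return v;
    }

    /** Vulnerability information with the ranges the patent describes (component coordinates are assumed). */
    static final List<VulnInfo> VULNERABILITY_INFO = Arrays.asList(
        new VulnInfo("org.apache.struts:struts2-core", "2.3.20", "2.3.28",
            "Struts remote code execution (OGNL via Dynamic Method Invocation)"),
        new VulnInfo("commons-collections:commons-collections", "3", "4",
            "Java deserialization attack (Commons Collections 3.x/4.x)"),
        new VulnInfo("org.springframework:spring-core", "4", "4",
            "Java deserialization attack (Spring Beans/Core 4.x)"),
        new VulnInfo("org.codehaus.groovy:groovy", "2.3", "2.3",
            "Java deserialization attack (Groovy 2.3.x)"),
        new VulnInfo("java.runtime", null, "1.5.0_27",
            "Denial of service caused by parseDouble (JRE 1.5.0_27 and earlier)"));

    /** The scan: every dependency is checked against every entry for its component. */
    static List<String> scan(List<String[]> dependencies, List<VulnInfo> vulns) {
        List<String> findings = new ArrayList<>();
        for (String[] dep : dependencies) {
            for (VulnInfo v : vulns) {
                if (v.component.equals(dep[0]) && v.affects(dep[1])) {
                    findings.add(dep[0] + " " + dep[1] + ": " + v.description);
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed dependency inventory of a sample application (name, version).
        List<String[]> dependencies = Arrays.asList(
            new String[] {"org.apache.struts:struts2-core", "2.3.24"},          // inside 2.3.20..2.3.28
            new String[] {"commons-collections:commons-collections", "3.2.1"},  // 3.x
            new String[] {"org.springframework:spring-core", "4.2.5"},          // 4.x
            new String[] {"org.codehaus.groovy:groovy", "2.4.6"},               // 2.4, not 2.3.x
            new String[] {"java.runtime", "1.8.0_92"});                         // newer than 1.5.0_27
        for (String finding : scan(dependencies, VULNERABILITY_INFO)) {
            System.out.println("depends on vulnerable object: " + finding);
        }
    }
}
```

With the constructed inventory the scan reports the Struts, Commons Collections and Spring dependencies and leaves Groovy 2.4.6 and the 1.8 runtime alone; a bound with fewer segments than the version deliberately matches the whole series, so ranges should be written with care.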
If the scan module 112 detects that the application depends on an object that has a vulnerability, the monitoring module 113, connected to the scan module 112, obtains from the vulnerability information of that vulnerability the first object at which the vulnerability is located, that is, it determines the first object that needs to be monitored in the application. The first object can be executed to accomplish corresponding logic, and may include at least one of the following: a class, an interface, and a method, parameter, return value or variable defined therein.
Then, when the application server calls the application to process a user's access request, the monitoring module 113 detects the operation of loading the first object in the application. In general, a Java application executes in the Java Virtual Machine (JVM): specifically, Java source code is converted into Java bytecode by the Java compiler, and the Java bytecode is loaded into the Java Virtual Machine by a class loader (ClassLoader) for execution, which requires the Java bytecode to be loaded into memory. The monitoring module 113 can detect whether the first object among this bytecode is about to be loaded into memory.
When the monitoring module 113 detects that the first object is about to be loaded into memory, the insertion module 114, connected to the monitoring module 113, can obtain the corresponding protection segment from the vulnerability information. The protection segment may be a section of protection code that can be executed to complete the repair of the application vulnerability.
Then the insertion module 114 inserts the obtained protection segment into the first object that is about to be loaded into memory, generating the second object. For a Java application the protection segment is a bytecode segment: after the Java source code has been converted into Java bytecode by the Java compiler, the insertion module 114 can use Java instrumentation technology to insert the corresponding protective Java bytecode segment into the application's Java bytecode.
Specifically, the vulnerability information also indicates the insertion position of the protection segment within the first object, and the insertion module 114 can insert the protection segment at the corresponding insertion position indicated by the vulnerability information to generate the second object. The insertion position may include at least one of the following positions: the position at which the first object is initialised; and the position at which a method in the first object starts and/or finishes executing.
Next, when the first object is to be executed, the processing engine 115 connected to the insertion module 114 can execute the second object in order to complete the logic that would be executed for the first object. For example, for a Java application, when the monitoring module 113 detects that the class loader is about to load the object A.class into memory, the insertion module 114 inserts the matching protective bytecode into the bytecode of A.class, generating A'.class. Then, when a request is received that would call A.class, the Java Virtual Machine needs to find and execute A'.class; the normal business logic of A.class is completed by A'.class, which returns the execution result. Here A.class is the first object and the generated A'.class is the second object.
It should be appreciated that when the processing engine 115 executes the generated second object, the protection segment is executed along with it. For example, when a method of the second object is executed, the method of the protection segment can be executed before or after the method logic of the first object.
The processing engine 115 executes the protection segment in the second object so as to judge, according to the key parameters used to complete the corresponding logic (such as input parameters and/or output parameters), whether a malicious event exploiting the vulnerability exists, and if so to intercept the malicious event and record event information. The event information may include user request details, program stack information and a vulnerability description. The interception action can be filtering or modifying the input parameters involved, skipping or modifying the execution of the method, and so on.
For example, the Struts framework remote code execution vulnerability occurs in Apache Struts versions 2.3.20 to 2.3.28, and attackers can usually exploit it to execute code remotely. Specifically, when Dynamic Method Invocation is enabled in Struts, this vulnerability allows a malicious program to be executed by means of an OGNL expression. The vulnerability information can therefore indicate the object that has the vulnerability as Apache Struts versions 2.3.20 to 2.3.28, and the first object at which the vulnerability is located as the class and method in the Struts code that actually execute the OGNL expression, namely the setMethod(String method) method of the class org.apache.struts2.dispatcher.mapper.ActionMapping. When the monitoring module 113 detects that the class and method where the vulnerability is located are called, the processing engine 115 can, by executing the inserted protection segment, use a regular expression to check whether the input parameter method is legal. If the input parameter method does not match the regular expression, it is determined to be a malicious method call, that is, a malicious event exploiting the vulnerability exists, so the malicious event is intercepted and event information is recorded. The pseudocode of the protection segment can be as follows:
After determining that a malicious event exists and recording the event information, the processing engine 115 can also send the event information to the security server 120 through the communication module 111 for storage; after receiving the event information, the security server 120 generates a report from it for user query.
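The patent's own pseudocode is not reproduced on this page; the following is an added illustration, not the patent's code, of the protection segment described above for ActionMapping.setMethod(String): a regular-expression check on the input parameter, with interception and event recording on mismatch. Struts is not on the classpath here, so `ActionMapping` is a constructed stand-in for the first object and `PatchedActionMapping` shows the generated second object as a subclass; the request details and the illegal method value are constructed sample data.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added illustration of the protection segment for the Struts 2.3.20-2.3.28 remote code
 * execution vulnerability. In the patent's scheme the insertion module places this logic at
 * the "method starts executing" position of ActionMapping.setMethod by bytecode instrumentation;
 * here the insertion is shown as a subclass so the example runs without Struts (constructed).
 */
public class ProtectionSegmentDemo {

    /** Event information recorded on interception: request details, stack, vulnerability description. */
    static final class EventInfo {
        final String requestDetails, stackTrace, vulnerabilityDescription;
        EventInfo(String requestDetails, String stackTrace, String vulnerabilityDescription) {
            this.requestDetails = requestDetails;
            this.stackTrace = stackTrace;
            this.vulnerabilityDescription = vulnerabilityDescription;
        }
    }

    /** Thrown to intercept the call before the original method logic can run. */
    static final class MaliciousEventException extends RuntimeException {
        MaliciousEventException(String message) { super(message); }
    }

    /** Stand-in for the event store; the patent's communication module would forward these to the security server. */
    static final List<EventInfo> RECORDED_EVENTS = new ArrayList<>();

    /** Key-parameter check: an action method name must be a plain Java identifier, never an expression. */
    static final Pattern LEGAL_METHOD = Pattern.compile("[A-Za-z_][A-Za-z0-9_]*");

    static boolean isLegalMethodName(String method) {
        return method == null || LEGAL_METHOD.matcher(method).matches(); // null means "default method"
    }

    /** The protection segment body: judge the key parameter; on mismatch, record event info and intercept. */
    static void protectSetMethod(String method, String requestDetails) {
        if (isLegalMethodName(method)) return;            // benign: fall through to the original logic
        StringBuilder stack = new StringBuilder();
        for (StackTraceElement e : Thread.currentThread().getStackTrace()) stack.append(e).append('\n');
        RECORDED_EVENTS.add(new EventInfo(requestDetails, stack.toString(),
            "Apache Struts 2.3.20-2.3.28 remote code execution: expression passed as action method name"));
        throw new MaliciousEventException("intercepted illegal action method name: " + method);
    }

    /** Constructed stand-in for the first object (A.class). */
    static class ActionMapping {
        private String method;
        public void setMethod(String method) { this.method = method; }
        public String getMethod() { return method; }
    }

    /** The second object (A'.class): the original logic, with the protection segment at method start. */
    static class PatchedActionMapping extends ActionMapping {
        private final String requestDetails;
        PatchedActionMapping(String requestDetails) { this.requestDetails = requestDetails; }
        @Override
        public void setMethod(String method) {
            protectSetMethod(method, requestDetails);     // inserted protection segment
            super.setMethod(method);                      // original business logic, unchanged
        }
    }

    public static void main(String[] args) {
        // Constructed request details: a Dynamic Method Invocation style URL from a documentation IP.
        PatchedActionMapping mapping = new PatchedActionMapping("GET /orders!save.action from 203.0.113.5");
        mapping.setMethod("save");                        // legal identifier: original logic runs
        System.out.println("accepted method: " + mapping.getMethod());
        try {
            mapping.setMethod("save(1)");                 // constructed illegal value: not an identifier
        } catch (MaliciousEventException e) {
            System.out.println(e.getMessage());
        }
        System.out.println("recorded events: " + RECORDED_EVENTS.size());
        System.out.println("description: " + RECORDED_EVENTS.get(0).vulnerabilityDescription);
        System.out.println("request: " + RECORDED_EVENTS.get(0).requestDetails);
    }
}
```

Run with `java ProtectionSegmentDemo.java` (Java 11 or later); the first call is accepted, the second is intercepted before `ActionMapping`'s own logic executes and leaves one event with request details, stack and vulnerability description in the store.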
In summary, by detecting whether an application depends on an object that has a vulnerability and automatically inserting a protection segment into the object that has the vulnerability, the vulnerability is repaired quickly, without a lengthy scan-and-repair process, and the user is spared the difficulty and risk of modifying or upgrading the objects the application depends on.
At the same time, the whole scheme is easy to deploy and manage: it only needs simple configuration, the application's code does not have to be modified, and developers are spared the trouble of adding code manually.
Fig. 3 shows a flow chart of a method 200 for repairing application vulnerabilities according to an exemplary embodiment. The method 200 is suitable for execution in an application server; the application server and the security server 120 are connected over a network, and the security server 120 stores at least one item of vulnerability information for at least one vulnerability, the vulnerability information indicating an object that has a vulnerability and the first object within that object at which the vulnerability is located, and including a corresponding protection segment. The vulnerabilities and their vulnerability information may include at least one of the following: the ClassLoader manipulation vulnerability of the Struts framework, which occurs in the web frameworks Struts1 and Struts2; the vulnerability of the HttpOnly flag not being set on the session cookie, which occurs in the web servers Tomcat 6.0.20 and WebSphere 8.0; the denial-of-service vulnerability caused by parseDouble in the Java SDK, which occurs in JRE 1.5.0_27 and earlier versions; the Java deserialization attack vulnerability, which occurs in the libraries Apache Commons Collections (3.x and 4.x), Spring Beans/Core (4.x) and Groovy (2.3.x); and the Struts framework remote code execution vulnerability, which occurs in versions 2.3.20 to 2.3.28.
As shown in Fig. 3, the method 200 starts at step S210, in which vulnerability information is obtained from the security server 120. Then in step S220 it is detected, according to the vulnerability information, whether the application depends on an object that has a vulnerability. The object that has a vulnerability may include at least one of the following: a web container, a third-party framework, an application server, a library or a class that has a vulnerability.
If it is detected that the application depends on an object that has a vulnerability, then in step S230 the first object at which the vulnerability is located is obtained from the vulnerability information of that vulnerability; the first object can be executed to accomplish corresponding logic. The first object may include at least one of the following: a class, an interface, and a method, parameter, return value or variable defined therein.
Then in step S240 the operation of loading the first object is detected. When it is detected that the first object is about to be loaded into memory, in step S250 the corresponding protection segment is obtained from the vulnerability information.
In step S260 the obtained protection segment is inserted into the first object to generate the second object. Specifically, the vulnerability information also indicates the insertion position of the protection segment within the first object, so step S260 may further comprise: inserting the protection segment at the corresponding insertion position to generate the second object. The insertion position may include at least one of the following positions: the position at which the first object is initialised, and the position at which a method in the first object starts and/or finishes executing.
After the second object has been generated, in step S270, when the first object is to be executed, the second object is executed so as to complete the logic that would be executed for the first object; for example, when a method of the second object is executed, the method of the protection segment can be executed before or after the method logic of the first object.
The protection segment in the second object is executed in order to judge, according to the key parameters used to complete the corresponding logic, whether a malicious event exploiting the vulnerability exists, and if so the malicious event is intercepted and event information is recorded. The event information includes user request details, program stack information and a vulnerability description.
Finally, according to an embodiment of the invention, the method 200 may further comprise the step of: sending the event information to the security server 120 for storage and for generating a report for user query.
The specific processing in each of the above steps has already been explained in detail in the description of the principle of the application vulnerability repair system 100 with reference to Fig. 1 to Fig. 2, and the repeated content is not described again here.
It should be appreciated that, in order to simplify the disclosure and to aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the present invention, individual features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. However, the disclosed method should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single embodiment disclosed above. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art should understand that the modules, units or components of the device in the examples disclosed herein may be arranged in the device as described in the embodiment, or alternatively may be located in one or more devices different from the device in the example. The modules in the foregoing examples may be combined into one module or further divided into multiple sub-modules.
Those skilled in the art will understand that the modules in the device of an embodiment may be changed adaptively and arranged in one or more devices different from that embodiment. The modules, units or components in an embodiment may be combined into one module, unit or component, and they may furthermore be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will appreciate that although some embodiments described herein include certain features that are included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
Furthermore, some of the embodiments are described herein as a method, or a combination of method elements, that can be implemented by a processor of a computer system or by other means for carrying out the function. Thus, a processor having the necessary instructions for implementing such a method or method element forms a means for implementing the method or method element. Furthermore, an element of an apparatus embodiment described herein is an example of a means for carrying out the function performed by the element for the purpose of carrying out the invention.
As used herein, unless specified otherwise, the use of the ordinal adjectives "first", "second", "third" etc. to describe a common object merely indicates that different instances of like objects are being referred to, and is not intended to imply that the objects so described must be in a given sequence, either temporally, spatially, in ranking, or in any other manner.
The invention also includes: A6, the device according to any one of A1-A5, wherein the event information includes user request details, program stack information and a vulnerability description. A7, the device according to A6, wherein the vulnerability includes at least one of the following: the ClassLoader manipulation vulnerability of the Struts framework, the vulnerability of HttpOnly not being set in the Session Cookie, the denial-of-service vulnerability caused by parseDouble in the Java SDK, the Java deserialization attack vulnerability and the Struts framework remote code execution vulnerability. A8, the device according to any one of A1-A7, wherein the communication module is further adapted to send the event information to the security server, so that it is stored and a report is generated for user query.
B14, the method according to B13, wherein the insertion position includes at least one of the following positions: the position where the first object is initialized, and the position where a method in the first object starts executing and/or finishes executing. B15, the method according to any one of B10-B14, wherein the event information includes user request details, program stack information and a vulnerability description. B16, the method according to B15, wherein the vulnerability includes at least one of the following: the ClassLoader manipulation vulnerability of the Struts framework, the vulnerability of HttpOnly not being set in the Session Cookie, the denial-of-service vulnerability caused by parseDouble in the Java SDK, the Java deserialization attack vulnerability and the Struts framework remote code execution vulnerability. B17, the method according to any one of B10-B16, further comprising the step of: sending the event information to the security server, so that it is stored and a report is generated for user query.
Although the invention has been described with reference to a limited number of embodiments, those skilled in the art, having the benefit of the above description, will appreciate that other embodiments can be envisaged within the scope of the invention thus described. Additionally, it should be noted that the language used in this specification has been principally selected for readability and instructional purposes, and not to define or limit the subject matter of the invention. Therefore, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. As to the scope of the invention, the disclosure made herein is illustrative and not restrictive, and the scope of the invention is intended to be defined by the appended claims.
Claims (17)
1. A device for repairing an application vulnerability, resident in an application server, wherein one or more applications are stored on the application server, the application server calls the corresponding application for processing upon receiving an access request from a user, the application server is connected with a security server through a network, the security server stores at least one piece of vulnerability information for at least one vulnerability, and the vulnerability information indicates the object having the vulnerability and the first object in that object where the vulnerability is located and includes a corresponding protection segment, the device comprising:
a communication module, adapted to obtain the vulnerability information from the security server;
a scan module, adapted to detect, according to the vulnerability information, whether the application depends on an object having a vulnerability;
a monitoring module, adapted to obtain, if the scan module detects that the application depends on an object having a vulnerability, the first object where the vulnerability is located from the vulnerability information of that vulnerability, and to detect the operation of loading the first object, the first object being executable to complete corresponding logic;
an inserting module, adapted to obtain, when the monitoring module detects that the first object is about to be loaded into memory, the corresponding protection segment from the vulnerability information, and further adapted to insert the obtained protection segment into the first object so as to generate a second object; and
a processing engine, adapted to execute, when the first object is to be executed, the second object so as to complete the corresponding logic of the first object, and further adapted to execute the protection segment in the second object so as to judge, according to the key parameters for completing the corresponding logic, whether there is a malicious event exploiting the vulnerability, and if so, to intercept the malicious event and record event information.
2. The device according to claim 1, wherein the object having the vulnerability includes at least one of the following: a web container, a third-party framework, an application server, a library and a class in which the vulnerability exists.
3. The device according to claim 1 or 2, wherein the first object includes at least one of the following: a class, an interface, and a method, parameter, return value and variable defined therein.
4. The device according to claim 1, wherein the vulnerability information further indicates the insertion position of the protection segment in the first object, and the inserting module is further adapted to insert the protection segment at the corresponding insertion position to generate the second object.
5. The device according to claim 4, wherein the insertion position includes at least one of the following positions: the position where the first object is initialized, and the position where a method in the first object starts executing and/or finishes executing.
6. The device according to claim 1, wherein the event information includes user request details, program stack information and a vulnerability description.
7. The device according to claim 6, wherein the vulnerability includes at least one of the following: the ClassLoader manipulation vulnerability of the Struts framework, the vulnerability of HttpOnly not being set in the Session Cookie, the denial-of-service vulnerability caused by parseDouble in the Java SDK, the Java deserialization attack vulnerability and the Struts framework remote code execution vulnerability.
8. The device according to claim 1, wherein the communication module is further adapted to send the event information to the security server, so that it is stored and a report is generated for user query.
9. An application vulnerability repair system, comprising:
the device according to any one of claims 1-8; and
a security server, adapted to store at least one piece of vulnerability information for at least one vulnerability, the vulnerability information indicating the object having the vulnerability and the first object in that object where the vulnerability is located and including a corresponding protection segment; the security server being further adapted to receive and store event information of malicious events, and to generate a report according to the event information for user query.
10. A method for repairing an application vulnerability, adapted to be executed in an application server, wherein one or more applications are stored on the application server, the application server calls the corresponding application for processing upon receiving an access request from a user, the application server is connected with a security server through a network, the security server stores at least one piece of vulnerability information for at least one vulnerability, and the vulnerability information indicates the object having the vulnerability and the first object in that object where the vulnerability is located and includes a corresponding protection segment, the method comprising:
obtaining the vulnerability information from the security server;
detecting, according to the vulnerability information, whether the application depends on an object having a vulnerability;
if it is detected that the application depends on an object having a vulnerability, obtaining the first object where the vulnerability is located from the vulnerability information of that vulnerability, and detecting the operation of loading the first object, the first object being executable to complete corresponding logic;
when it is detected that the first object is about to be loaded into memory, obtaining the corresponding protection segment from the vulnerability information;
inserting the obtained protection segment into the first object so as to generate a second object; and
when the first object is to be executed, executing the second object so as to complete the corresponding logic of the first object, wherein the protection segment in the second object is executed so as to judge, according to the key parameters for completing the corresponding logic, whether there is a malicious event exploiting the vulnerability, and if so, the malicious event is intercepted and event information is recorded.
11. The method according to claim 10, wherein the object having the vulnerability includes at least one of the following: a web container, a third-party framework, an application server, a library and a class in which the vulnerability exists.
12. The method according to claim 10 or 11, wherein the first object includes at least one of the following: a class, an interface, and a method, parameter, return value and variable defined therein.
13. The method according to claim 10, wherein the vulnerability information further indicates the insertion position of the protection segment in the first object, and the step of inserting the obtained protection segment into the first object comprises:
inserting the protection segment at the corresponding insertion position to generate the second object.
14. The method according to claim 13, wherein the insertion position includes at least one of the following positions: the position where the first object is initialized, and the position where a method in the first object starts executing and/or finishes executing.
15. The method according to claim 10, wherein the event information includes user request details, program stack information and a vulnerability description.
16. The method according to claim 15, wherein the vulnerability includes at least one of the following: the ClassLoader manipulation vulnerability of the Struts framework, the vulnerability of HttpOnly not being set in the Session Cookie, the denial-of-service vulnerability caused by parseDouble in the Java SDK, the Java deserialization attack vulnerability and the Struts framework remote code execution vulnerability.
17. The method according to claim 10, further comprising the step of:
sending the event information to the security server, so that it is stored and a report is generated for user query.
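The load-time insertion flow of claims 1, 4, 5 and 10, modelled as an added example in Python (it is not the patent's own implementation, which instruments Java classes): a registry of vulnerability information, a load hook that turns a vulnerable "first object" into a "second object" with the protection segment inserted at the method-start or method-end position, and interception plus event recording when the key parameters show a malicious event. The two vulnerability records, the two application functions, the `SAFE_CLASSES` allowlist and the serialized-stream format are constructed for illustration.

```python
import functools
import traceback
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


@dataclass
class VulnerabilityInfo:
    """Constructed stand-in for one record of vulnerability information from the security server."""
    vuln_id: str
    description: str          # vulnerability description, copied into the event information
    first_object: str         # name of the method the protection segment guards
    insert_position: str      # "method_start" or "method_end" (the claimed insertion positions)
    protection_segment: Callable[[Dict[str, Any]], bool]   # True when key parameters show an attack


class ProtectionEngine:
    """Scan module, inserting module and processing engine of the claims, collapsed into one class."""
    def __init__(self, vulnerability_infos: List[VulnerabilityInfo]):
        self.by_object = {v.first_object: v for v in vulnerability_infos}
        self.events: List[Dict[str, Any]] = []   # recorded event information (report for user query)

    def scan(self, dependencies: List[str]) -> List[str]:
        """Scan module: which of the application's dependencies are objects with a vulnerability."""
        return [d for d in dependencies if d in self.by_object]

    def load(self, func: Callable) -> Callable:
        """Hook for the moment a first object is loaded: returns the second object."""
        info = self.by_object.get(func.__name__)
        if info is None:
            return func                                   # not vulnerable: load unchanged

        @functools.wraps(func)
        def second_object(*args, **kwargs):
            key = {"args": args, "kwargs": kwargs}        # key parameters = user request details
            if info.insert_position == "method_start":    # judge the inputs before the logic runs
                self._judge(info, key)
                return func(*args, **kwargs)
            key["result"] = func(*args, **kwargs)         # "method_end": judge the produced result
            self._judge(info, key)
            return key["result"]
        return second_object

    def _judge(self, info: VulnerabilityInfo, key: Dict[str, Any]) -> None:
        """Run the protection segment; on a malicious event, record it and intercept."""
        if info.protection_segment(key):
            self.events.append({"vuln_id": info.vuln_id, "description": info.description,
                                "request": key, "stack": traceback.format_stack(limit=6)})
            raise PermissionError(f"intercepted malicious event: {info.vuln_id}")

# Constructed application code standing in for the vulnerable "first objects".
SAFE_CLASSES = {"SessionState"}
def restore_session(stream: Dict[str, Any]) -> Dict[str, Any]:
    """Rebuilds an object from a (constructed) serialized stream that names its class."""
    return {"class": stream["class"], **stream.get("fields", {})}
def build_cookie_header(session_id: str, http_only: bool) -> str:
    """Returns the Set-Cookie value for the session cookie."""
    return f"JSESSIONID={session_id}; Path=/" + ("; HttpOnly" if http_only else "")
VULN_INFOS = [   # constructed records: allowlist check at method start, header check at method end
    VulnerabilityInfo("deser-01", "Java deserialization attack vulnerability", "restore_session",
                      "method_start", lambda k: k["args"][0].get("class") not in SAFE_CLASSES),
    VulnerabilityInfo("cookie-01", "HttpOnly not set in Session Cookie", "build_cookie_header",
                      "method_end", lambda k: "HttpOnly" not in k["result"]),
]
engine = ProtectionEngine(VULN_INFOS)
restore_session = engine.load(restore_session)        # the second objects replace the first objects
build_cookie_header = engine.load(build_cookie_header)
```

A call that the protection segment judges malicious raises `PermissionError` and leaves an entry in `engine.events` carrying the request details, the stack and the vulnerability description, which is what the claims send on to the security server.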
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610803096.4A CN106446690B (en) | 2016-09-05 | 2016-09-05 | A kind of pair of device, method and the system repaired using loophole |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106446690A CN106446690A (en) | 2017-02-22 |
CN106446690B true CN106446690B (en) | 2019-08-02 |
Family
ID=58164268
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610803096.4A Active CN106446690B (en) | 2016-09-05 | 2016-09-05 | A kind of pair of device, method and the system repaired using loophole |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106446690B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108121899B (en) * | 2017-12-13 | 2021-07-30 | 中国科学院软件研究所 | Anti-repackaging method and system for application program |
CN111506904B (en) * | 2020-04-21 | 2024-01-12 | 北京同邦卓益科技有限公司 | Method and device for online bug repair |
CN113312631A (en) * | 2021-06-11 | 2021-08-27 | 杭州安恒信息安全技术有限公司 | Vulnerability detection method and related device |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102622299A (en) * | 2010-04-13 | 2012-08-01 | 常州云博软件工程技术有限公司 | Working method of software detection system |
CN103731429A (en) * | 2014-01-08 | 2014-04-16 | 深信服网络科技(深圳)有限公司 | Method and device for web application vulnerability detection |
CN103793653A (en) * | 2014-02-19 | 2014-05-14 | 中国科学院信息工程研究所 | Program dependence relationship analysis method and system based on tree optimization |
CN104021073A (en) * | 2014-05-06 | 2014-09-03 | 南京大学 | Software vulnerability detection method based on pointer analysis |
CN104079528A (en) * | 2013-03-26 | 2014-10-01 | 北大方正集团有限公司 | Method and system of safety protection of Web application |
CN104683179A (en) * | 2015-02-12 | 2015-06-03 | 北京蓝海讯通科技有限公司 | Method, device and system for monitoring execution performance of objects |
Also Published As
Publication number | Publication date |
---|---|
CN106446690A (en) | 2017-02-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11907378B2 (en) | Automated application vulnerability and risk assessment | |
US9015814B1 (en) | System and methods for detecting harmful files of different formats | |
CN105068932B (en) | A kind of detection method of Android application programs shell adding | |
CN105574411B (en) | A kind of dynamic hulling method, device and equipment | |
EP3647981A1 (en) | Security scanning method and apparatus for mini program, and electronic device | |
US11748487B2 (en) | Detecting a potential security leak by a microservice | |
CN106446690B (en) | A kind of pair of device, method and the system repaired using loophole | |
Zhang et al. | Ripple: Reflection analysis for android apps in incomplete information environments | |
CN108989355A (en) | A kind of leak detection method and device | |
CN104732145A (en) | Parasitic course detection method and device in virtual machine | |
CN112685745B (en) | Firmware detection method, device, equipment and storage medium | |
US20180032735A1 (en) | System and method for enhancing static analysis of software applications | |
US11397812B2 (en) | System and method for categorization of .NET applications | |
US8572729B1 (en) | System, method and computer program product for interception of user mode code execution and redirection to kernel mode | |
CN116324773A (en) | Method and apparatus for protecting smart contracts from attack | |
CN113312618A (en) | Program vulnerability detection method and device, electronic equipment and medium | |
EP3975021B1 (en) | Method and system for data flow monitoring to identify application security vulnerabilities and to detect and prevent attacks | |
Jensen et al. | Thaps: automated vulnerability scanning of php applications | |
CN106407802B (en) | The safe device being monitored of a kind of pair of application, method and system | |
Güler et al. | Atropos: Effective fuzzing of web applications for server-side vulnerabilities | |
Nirumand et al. | A model‐based framework for inter‐app Vulnerability analysis of Android applications | |
Hernandez et al. | Toward automated firmware analysis in the iot era | |
CN106101086A (en) | The cloud detection method of optic of program file and system, client, cloud server | |
Bu et al. | When program analysis meets mobile security: an industrial study of misusing android internet sockets | |
Takata et al. | The Uncontrolled Web: Measuring Security Governance on the Web |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | | Effective date of registration: 20220712; Address after: 100193 room 101-216, 2nd floor, building 4, East District, yard 10, northwest Wangdong Road, Haidian District, Beijing; Patentee after: Beijing Ruixiang Technology Co.,Ltd.; Address before: 100191 floors 3 and 4, building a-5, Dongsheng Science Park, Zhongguancun, No. 66, xixiaokou Road, Haidian District, Beijing; Patentee before: BEIJING ONEAPM Co.,Ltd. |