CN106446690B - Device, method and system for repairing application vulnerabilities - Google Patents

Info

Publication number
CN106446690B
Authority
CN
China
Prior art keywords
vulnerability
application
vulnerability information
information
protection segment
Legal status
Active
Application number
CN201610803096.4A
Other languages
Chinese (zh)
Other versions
CN106446690A (en)
Inventor
刘再耀
王义明
王新泉
何晓阳
Current Assignee
Beijing Ruixiang Technology Co.,Ltd.
Original Assignee
Beijing Oneapm Communication Technology Co Ltd
Application filed by Beijing Oneapm Communication Technology Co Ltd
Priority to CN201610803096.4A
Publication of CN106446690A
Application granted
Publication of CN106446690B
Legal status: Active (current)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Abstract

The invention discloses a device for repairing application vulnerabilities. The device includes: a communication module adapted to obtain vulnerability information from a security server; a scanning module adapted to detect, according to the vulnerability information, whether the application depends on an object that has a vulnerability; a monitoring module adapted, if the application is detected to depend on an object that has a vulnerability, to obtain from the vulnerability information the first object in which the vulnerability is located and to detect the operation of loading the first object; an insertion module adapted, when it is detected that the first object is about to be loaded into memory, to obtain the corresponding protection segment, and further adapted to insert the protection segment into the first object to generate a second object; and a processing engine adapted to execute the second object when the first object is to be executed, and further adapted to execute the protection segment in the second object in order to judge whether there is a malicious event that exploits the vulnerability and, if so, to intercept the malicious event and record event information. The invention also discloses a corresponding method and system for repairing application vulnerabilities.

Description

Device, method and system for repairing application vulnerabilities
Technical field
The present invention relates to the field of Internet security technology, and in particular to a device, method and system for repairing application vulnerabilities.
Background art
With the increasing popularity of the Internet, more and more enterprises provide users with various products and services through all kinds of applications on network servers and application servers. Applications are ubiquitous, those running inside an enterprise can usually access sensitive data, and the applications run by large corporations are increasingly complex and diverse and contain many third-party software libraries. Statistics show that the vulnerabilities present in applications expose users to many risks, for example cross-site scripting attacks, SQL injection attacks, malware attacks and other attacks.
In the prior art, dynamic and static application security testing (DAST and SAST) are the more commonly used vulnerability-detection tools. These software tools analyse an application and attempt to discover vulnerabilities in it, but they have difficulty discovering vulnerabilities in the third-party frameworks and servers that the application depends on. Moreover, many applications only provide an interface and their code cannot be obtained, so even a vulnerability that has been discovered cannot be repaired. In addition, even if the third-party software vendor is willing to repair the vulnerability, this usually means waiting for a longer period, during which the application is still exposed to danger and still cannot be protected from attacks that exploit the vulnerability. Further, even after the vulnerability has been repaired by the third-party software vendor, upgrading the libraries and servers the application depends on also brings higher risk to the application (such as compatibility problems, or new vulnerabilities introduced after the upgrade).
There is therefore a need for a more convenient and more effective scheme for repairing application vulnerabilities.
Summary of the invention
To this end, the present invention provides an application security monitoring scheme that tries to solve, or at least alleviate, at least one of the problems above.
According to one aspect of the invention, a device for repairing application vulnerabilities is provided. The device resides in an application server, and the application server and a security server are connected by a network. The security server stores at least one piece of vulnerability information for at least one vulnerability; the vulnerability information indicates an object that has a vulnerability and the first object in that object in which the vulnerability is located, and includes a corresponding protection segment. The device includes: a communication module adapted to obtain vulnerability information from the security server; a scanning module adapted to detect, according to the vulnerability information, whether the application depends on an object that has a vulnerability; a monitoring module adapted, if the scanning module detects that the application depends on an object that has a vulnerability, to obtain from the vulnerability information of that vulnerability the first object in which the vulnerability is located and to detect the operation of loading the first object, the first object being executable to complete corresponding logic; an insertion module adapted, when the monitoring module detects that the first object is about to be loaded into memory, to obtain the corresponding protection segment from the vulnerability information, and further adapted to insert the obtained protection segment into the first object to generate a second object; and a processing engine adapted, when the first object is to be executed, to execute the second object so as to complete the corresponding logic that would be executed by the first object, and further adapted to execute the protection segment in the second object so as to judge, according to the key parameters of completing the corresponding logic, whether there is a malicious event that exploits the vulnerability and, if so, to intercept the malicious event and record event information.
Optionally, in the device according to the invention, the object that has a vulnerability includes at least one of the following: a web container, third-party framework, application server, library or class that has a vulnerability.
Optionally, in the device according to the invention, the first object includes at least one of the following: a class, an interface, and a method, parameter, return value or variable defined therein.
Optionally, in the device according to the invention, the vulnerability information also indicates the insertion position of the protection segment in the first object, and the insertion module is further adapted to insert the protection segment at the corresponding insertion position to generate the second object.
Optionally, in the device according to the invention, the insertion position includes at least one of the following: the position where the first object is initialised, and the position where a method in the first object starts and/or finishes executing.
Optionally, in the device according to the invention, the event information includes user request details, program stack information and a vulnerability description.
Optionally, in the device according to the invention, the vulnerability includes at least one of the following: the ClassLoader manipulation vulnerability of the Struts framework, the vulnerability of Session Cookies without HttpOnly set, the denial-of-service vulnerability caused by parseDouble in the Java SDK, the Java deserialization attack vulnerability, and the Struts framework remote code execution vulnerability.
Optionally, in the device according to the invention, the communication module is further adapted to send the event information to the security server for storage and for generating a report for the user to query.
According to another aspect of the invention, an application vulnerability repair system is provided, comprising: the application vulnerability repair device according to the invention; and a security server adapted to store at least one piece of vulnerability information for at least one vulnerability, the vulnerability information indicating an object that has a vulnerability and the first object in that object in which the vulnerability is located, and including a corresponding protection segment. The security server is further adapted to receive and store the event information of malicious events and to generate a report from the event information for the user to query.
According to another aspect of the invention, a method for repairing application vulnerabilities is provided, adapted to be executed in an application server, where the application server and a security server are connected by a network and the security server stores at least one piece of vulnerability information for at least one vulnerability, the vulnerability information indicating an object that has a vulnerability and the first object in that object in which the vulnerability is located, and including a corresponding protection segment. The method includes: obtaining vulnerability information from the security server; detecting, according to the vulnerability information, whether the application depends on an object that has a vulnerability; if the application is detected to depend on an object that has a vulnerability, obtaining from the vulnerability information of that vulnerability the first object in which the vulnerability is located, and detecting the operation of loading the first object, the first object being executable to complete corresponding logic; when it is detected that the first object is about to be loaded into memory, obtaining the corresponding protection segment from the vulnerability information; inserting the obtained protection segment into the first object to generate a second object; and, when the first object is to be executed, executing the second object so as to complete the corresponding logic that would be executed by the first object, wherein the protection segment in the second object is executed so as to judge, according to the key parameters of completing the corresponding logic, whether there is a malicious event that exploits the vulnerability and, if so, the malicious event is intercepted and event information is recorded.
Optionally, in the method according to the invention, the object that has a vulnerability includes at least one of the following: a web container, third-party framework, application server, library or class that has a vulnerability.
Optionally, in the method according to the invention, the first object includes at least one of the following: a class, an interface, and a method, parameter, return value or variable defined therein.
Optionally, in the method according to the invention, the vulnerability information also indicates the insertion position of the protection segment in the first object, and the step of inserting the obtained protection segment into the first object includes: inserting the protection segment at the corresponding insertion position to generate the second object.
Optionally, in the method according to the invention, the insertion position includes at least one of the following: the position where the first object is initialised, and the position where a method in the first object starts and/or finishes executing.
Optionally, in the method according to the invention, the event information includes user request details, program stack information and a vulnerability description.
Optionally, in the method according to the invention, the vulnerability includes at least one of the following: the ClassLoader manipulation vulnerability of the Struts framework, the vulnerability of Session Cookies without HttpOnly set, the denial-of-service vulnerability caused by parseDouble in the Java SDK, the Java deserialization attack vulnerability, and the Struts framework remote code execution vulnerability.
Optionally, the method according to the invention further includes the step of sending the event information to the security server for storage and for generating a report for the user to query.
The application vulnerability repair scheme of the invention detects whether an application depends on an object that has a vulnerability and automatically inserts a protection segment into that object, thereby repairing the vulnerability quickly, without a lengthy scan-and-repair process and without the difficulty and risk that users face when modifying or upgrading the objects the application depends on.
At the same time, the whole scheme is easy to deploy and manage: it needs only simple configuration and no modification of the application's code, sparing developers the trouble of adding code manually.
Brief description of the drawings
To achieve the foregoing and related ends, certain illustrative aspects are described herein in connection with the following description and drawings. These aspects indicate the various ways in which the principles disclosed herein can be practised, and all aspects and their equivalents are intended to fall within the scope of the claimed subject matter. The above and other objects, features and advantages of the disclosure will become apparent from the following detailed description read in conjunction with the drawings. Throughout the disclosure, the same reference numerals generally refer to the same components or elements.
Fig. 1 shows a structural block diagram of an application vulnerability repair system 100 according to an exemplary embodiment of the invention;
Fig. 2 shows a structural block diagram of a device 110 for repairing application vulnerabilities according to an exemplary embodiment of the invention; and
Fig. 3 shows a flow chart of a method 200 for repairing application vulnerabilities according to an exemplary embodiment of the invention.
Detailed description of the embodiments
Exemplary embodiments of the disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure can be realised in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the invention is understood more thoroughly and so that the scope of the disclosure is fully conveyed to those skilled in the art.
Fig. 1 shows a structural block diagram of an application vulnerability repair system 100 according to an exemplary embodiment of the invention. As shown in Fig. 1, the application vulnerability repair system 100 may include a device 110 for repairing application vulnerabilities and a security server 120. The security server 120 stores at least one piece of vulnerability information for at least one vulnerability; the vulnerability information indicates an object that has a vulnerability and the first object in that object in which the vulnerability is located, and includes a corresponding protection segment.
The objects that have vulnerabilities, and the first objects in which the vulnerabilities are located, can be collected from the network, and the corresponding protection segments can be obtained by analysing program source code (for open-source software) or interfaces (for commercial software). For example, the vulnerabilities and their vulnerability information may include at least one of the following: the ClassLoader manipulation vulnerability of the Struts framework, which occurs in the web frameworks Struts1 and Struts2; the vulnerability of Session Cookies without HttpOnly set, which occurs in the web servers tomcat6.0.20 and WebSphere8.0; the denial-of-service vulnerability caused by parseDouble in the Java SDK, which occurs in jre1.5.0_27 and earlier versions; the Java deserialization attack vulnerability, which occurs in the libraries Apache Commons Collections (3.x and 4.x), Spring Beans/Core (4.x) and Groovy (2.3.x); and the Struts framework remote code execution vulnerability, which occurs in versions 2.3.20 to 2.3.28.
The device 110 for repairing application vulnerabilities resides in the application server, and the application server can connect to the security server 120 over a network. One or more applications are stored on the application server, so that when the application server receives a user's access request it calls the corresponding application to handle it. A user can access the application server over the network through a web browser or an application client. To handle a received access request, the application server needs to call the application in the application server. The access request can be transferred to the application server 120 over the http(s) protocol.
When the application server calls the application to handle the user access request, the device 110 according to the invention, which is included in the application server, can work in the runtime environment, go deep inside the application, understand the application context, and detect whether the application depends on an object that has a vulnerability. If so, it repairs the vulnerability more precisely and more quickly by injecting a protection segment, while having only a small impact on the performance of the running application.
Fig. 2 shows a structural block diagram of the device 110 for repairing application vulnerabilities according to an exemplary embodiment of the invention. As shown in Fig. 2, the device 110 may include a communication module 111, a scanning module 112, a monitoring module 113, an insertion module 114 and a processing engine 115.
The communication module 111 obtains the stored vulnerability information from the security server 120. The vulnerability information indicates the objects that have vulnerabilities. The scanning module 112, connected to the communication module 111, can scan the application and detect, according to the obtained vulnerability information, whether the application depends on an object that has a vulnerability. The objects that have vulnerabilities here are usually web containers, third-party frameworks, third-party application servers, libraries and classes. Typically, for a Java application, the scanning module 112 can check the version of Java, the versions of third-party libraries and servers, and specific class names, to determine whether they are objects that have vulnerabilities.
If the scanning module 112 detects that the application depends on an object that has a vulnerability, the monitoring module 113, connected to the scanning module 112, obtains from the vulnerability information of that vulnerability the first object in which the vulnerability is located, that is, it determines the first object in the application that needs to be monitored. The first object can be executed to complete corresponding logic and may include at least one of the following: a class, an interface, and a method, parameter, return value or variable defined therein.
Then, when the application server calls the application to handle a user access request, the monitoring module 113 detects the operation of loading the first object in the application. In general, a Java application executes in the Java Virtual Machine (JVM): Java source code is converted into Java bytecode by the Java compiler, and the bytecode is loaded into the JVM by the class loader (classloader) for execution, which requires loading the Java bytecode into memory. The monitoring module 113 can detect whether the first object in this bytecode is about to be loaded into memory.
When the monitoring module 113 detects that the first object is about to be loaded into memory, the insertion module 114, connected to the monitoring module 113, can obtain the corresponding protection segment from the vulnerability information. The protection segment can be a piece of protection code that can be executed to complete the repair of the application vulnerability.
Then, the insertion module 114 inserts the obtained protection segment into the first object that is about to be loaded into memory, to generate the second object. For a Java application, the protection segment is a bytecode segment; after the Java source code has been converted into Java bytecode by the Java compiler, the insertion module 114 can use Java instrumentation technology to insert the corresponding protection bytecode segment into the application's Java bytecode.
Specifically, the vulnerability information also indicates the insertion position of the protection segment in the first object, so the insertion module 114 can insert the protection segment at the insertion position indicated by the vulnerability information to generate the second object. The insertion position may include at least one of the following: the position where the first object is initialised; and the position where a method in the first object starts and/or finishes executing.
Next, when the first object is to be executed, the processing engine 115, connected to the insertion module 114, can execute the second object to complete the corresponding logic that would be executed by the first object. For example, for a Java application, when the monitoring module 113 detects that the class loader is about to load the object A.class into memory, the insertion module 114 inserts the matching protection bytecode into the bytecode of A.class to generate A'.class. Then, when a request is received that would call A.class, the Java Virtual Machine needs to find and execute A'.class instead; A'.class completes the normal business logic of A.class and returns the execution result. Here A.class is the first object and A'.class is the generated second object.
It should be understood that when the processing engine 115 executes the generated second object, the protection segment is executed along with it. For example, when a method of the second object is executed, the method of the protection segment can be executed before or after the method logic of the first object.
The processing engine 115 executes the protection segment in the second object so as to judge, according to the key parameters of completing the corresponding logic (such as input parameters and/or output parameters), whether there is a malicious event that exploits the vulnerability and, if so, intercepts the malicious event and records event information. The event information may include user request details, program stack information and a vulnerability description. The interception action can be filtering or modifying the input parameters involved, or skipping or modifying the execution of the method, etc.
For example, the Struts framework remote code execution vulnerability occurs in Apache Struts versions 2.3.20 to 2.3.28 and is usually exploited to execute code remotely. Specifically, this vulnerability allows a malicious program to be executed by means of an OGNL expression when Dynamic Method Invocation is enabled in Struts.
Therefore, the vulnerability information can indicate the object that has the vulnerability as Apache Struts versions 2.3.20 to 2.3.28, and the first object in which the vulnerability is located as the class and method in the Struts code that actually execute the OGNL expression, namely the setMethod(String method) method of the org.apache.struts2.dispatcher.mapper.ActionMapping class. When the monitoring module 113 detects that the class and method in which the vulnerability is located are called, the processing engine 115 can execute the inserted protection segment, which uses a regular expression to check whether the input parameter method is legal. If it is determined that the input parameter method does not match the regular expression, the call is judged to be a malicious method call, i.e. a malicious event exploiting the vulnerability exists, and the malicious event is intercepted and the event information recorded. The pseudocode of the protection segment can be as follows:
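As an added example (not the patent's pseudocode, and not code from Struts or from the described device), the protection segment for the setMethod case written out in Java: the guard checks the method parameter against a regular expression and, on mismatch, skips the method and records event information with the three fields the description lists. The regular expression, the stand-in class names and the sample requests are assumptions; insertion at method start is simulated with a subclass so the example runs without a Java agent.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class ProtectionDemo {
    public static void main(String[] args) {
        // Constructed requests: one legal method name, one that is not an identifier.
        ProtectedActionMapping ok = new ProtectedActionMapping("GET /login.action?method=doLogin (constructed)");
        ok.setMethod("doLogin");
        System.out.println("legal call kept, method = " + ok.getMethod());

        ProtectedActionMapping bad = new ProtectedActionMapping("GET /login.action?method=bad%23name (constructed)");
        bad.setMethod("bad#name");
        System.out.println("intercepted, method = " + bad.getMethod()
                + ", recorded events = " + ProtectionSegment.EVENTS.size());
        for (MaliciousEvent e : ProtectionSegment.EVENTS) {
            System.out.println(e.requestDetails + " | " + e.vulnerabilityDescription);
        }
    }
}

/** Event information as the description lists it: user request details, program stack information, vulnerability description. */
final class MaliciousEvent {
    final String requestDetails;
    final String stackInfo;
    final String vulnerabilityDescription;

    MaliciousEvent(String requestDetails, String stackInfo, String vulnerabilityDescription) {
        this.requestDetails = requestDetails;
        this.stackInfo = stackInfo;
        this.vulnerabilityDescription = vulnerabilityDescription;
    }
}

/** The protection segment: the check the instrumented second object runs at the start of setMethod. */
final class ProtectionSegment {
    // Assumption: a legal Struts method name is a plain Java identifier. The patent only says "a regular expression".
    private static final Pattern LEGAL_METHOD_NAME = Pattern.compile("[A-Za-z_][A-Za-z0-9_]*");

    /** Stand-in for the event store that the communication module would forward to the security server. */
    static final List<MaliciousEvent> EVENTS = new ArrayList<>();

    static boolean isLegalMethodName(String method) {
        // matches() requires the whole string to match, so no anchors are needed
        return method != null && LEGAL_METHOD_NAME.matcher(method).matches();
    }

    /** Returns true when the call may proceed; otherwise records the event and signals interception. */
    static boolean guardSetMethod(String method, String requestDetails) {
        if (isLegalMethodName(method)) {
            return true;
        }
        StringBuilder stack = new StringBuilder();
        for (StackTraceElement frame : Thread.currentThread().getStackTrace()) {
            stack.append(frame).append('\n');
        }
        EVENTS.add(new MaliciousEvent(requestDetails, stack.toString(),
                "Struts 2.3.20-2.3.28 remote code execution via Dynamic Method Invocation: illegal method parameter"));
        return false;
    }
}

/** Stand-in for the first object (the vulnerable class); this is not Struts' own code. */
class ActionMapping {
    private String method;

    public void setMethod(String method) {
        this.method = method;
    }

    public String getMethod() {
        return method;
    }
}

/**
 * Stand-in for the second object A'.class: the same business logic with the protection
 * segment inserted at the start of setMethod. The patent does this by bytecode
 * instrumentation at class-load time; a subclass is used here only so the example runs alone.
 */
class ProtectedActionMapping extends ActionMapping {
    private final String requestDetails;

    ProtectedActionMapping(String requestDetails) {
        this.requestDetails = requestDetails;
    }

    @Override
    public void setMethod(String method) {
        if (!ProtectionSegment.guardSetMethod(method, requestDetails)) {
            return; // interception action chosen here: skip execution of the method
        }
        super.setMethod(method);
    }
}
```

Run with `java ProtectionDemo.java` (Java 11 or later); the second call leaves the method unset and produces one recorded event.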
After it has been determined that a malicious event exists and the event information has been recorded, the processing engine 115 can also send the event information to the security server 120 via the communication module 111 for storage; after receiving the event information, the security server 120 generates a report from it for the user to query.
In summary, by detecting whether an application depends on an object that has a vulnerability and automatically inserting a protection segment into that object, the vulnerability is repaired quickly, without a lengthy scan-and-repair process and without the difficulty and risk that users face when modifying or upgrading the objects the application depends on.
At the same time, the whole scheme is easy to deploy and manage: it needs only simple configuration and no modification of the application's code, sparing developers the trouble of adding code manually.
Fig. 3 shows a flow chart of a method 200 for repairing application vulnerabilities according to an exemplary embodiment of the invention. The method 200 is adapted to be executed in an application server; the application server and the security server 120 are connected by a network, and the security server 120 stores at least one piece of vulnerability information for at least one vulnerability, the vulnerability information indicating an object that has a vulnerability and the first object in that object in which the vulnerability is located, and including a corresponding protection segment. The vulnerabilities and their vulnerability information may include at least one of the following: the ClassLoader manipulation vulnerability of the Struts framework, which occurs in the web frameworks Struts1 and Struts2; the vulnerability of Session Cookies without HttpOnly set, which occurs in the web servers tomcat6.0.20 and WebSphere8.0; the denial-of-service vulnerability caused by parseDouble in the Java SDK, which occurs in jre1.5.0_27 and earlier versions; the Java deserialization attack vulnerability, which occurs in the libraries Apache Commons Collections (3.x and 4.x), Spring Beans/Core (4.x) and Groovy (2.3.x); and the Struts framework remote code execution vulnerability, which occurs in versions 2.3.20 to 2.3.28.
As shown in Fig. 3, the method 200 starts at step S210, in which vulnerability information is obtained from the security server 120. Then, in step S220, it is detected according to the vulnerability information whether the application depends on an object that has a vulnerability. The object that has a vulnerability may include at least one of the following: a web container, third-party framework, application server, library or class that has a vulnerability.
If the application is detected to depend on an object that has a vulnerability, then in step S230 the first object in which the vulnerability is located is obtained from the vulnerability information of that vulnerability. The first object can be executed to complete corresponding logic and may include at least one of the following: a class, an interface, and a method, parameter, return value or variable defined therein.
Then, in step S240, the operation of loading the first object is detected. When it is detected that the first object is about to be loaded into memory, in step S250 the corresponding protection segment is obtained from the vulnerability information.
In step S260, the obtained protection segment is inserted into the first object to generate the second object. Specifically, the vulnerability information also indicates the insertion position of the protection segment in the first object, so step S260 may also include inserting the protection segment at the corresponding insertion position to generate the second object. The insertion position may include at least one of the following: the position where the first object is initialised, and the position where a method in the first object starts and/or finishes executing.
After the second object has been generated, in step S270, when the first object is to be executed, the second object is executed to complete the corresponding logic that would be executed by the first object; for example, when a method of the second object is executed, the method of the protection segment can be executed before or after the method logic of the first object.
In doing so, the protection segment in the second object is executed so as to judge, according to the key parameters of completing the corresponding logic, whether there is a malicious event that exploits the vulnerability and, if so, to intercept the malicious event and record event information. The event information includes user request details, program stack information and a vulnerability description.
Finally, according to an embodiment of the invention, the method 200 may include the step of sending the event information to the security server 120 for storage and for generating a report for the user to query.
The specific processing in each of the steps above has been explained in detail in the description of the principle of the application vulnerability repair system 100 in connection with Figs. 1 and 2, and the repeated content is not described again here.
It should be appreciated that, in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the features of the invention are sometimes grouped together into a single embodiment, figure or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the inventive aspects lie in less than all features of a single disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into that detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules, units or components of the devices in the examples disclosed herein may be arranged in a device as described in the embodiments, or may alternatively be located in one or more devices different from the devices in the examples. The modules in the foregoing examples may be combined into one module or may furthermore be divided into a plurality of sub-modules.
Those skilled in the art will understand that the modules of the devices in the embodiments may be adaptively changed and arranged in one or more devices different from those of the embodiments. The modules, units or components in the embodiments may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will appreciate that although some embodiments described herein include certain features included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
Furthermore, some of the embodiments are described herein as a method or a combination of method elements that can be implemented by a processor of a computer system or by other means for carrying out the function. Thus, a processor having the necessary instructions for carrying out such a method or method element forms a means for carrying out the method or method element. Furthermore, an element of an apparatus embodiment described herein is an example of a means for carrying out the function performed by the element for the purpose of carrying out the invention.
As used herein, unless otherwise specified, the use of the ordinal adjectives "first", "second", "third", etc. to describe a common object merely indicates that different instances of like objects are being referred to, and is not intended to imply that the objects so described must be in a given sequence, whether temporally, spatially, in ranking or in any other manner.
The invention also includes: A6. The device of any one of A1 to A5, wherein the event information comprises user request details, program stack information and a vulnerability description. A7. The device of A6, wherein the vulnerability comprises at least one of: a ClassLoader manipulation vulnerability of the Struts framework, a session cookie without the HttpOnly flag set, a denial-of-service vulnerability caused by parseDouble in the Java SDK, a Java deserialization attack vulnerability, and a remote code execution vulnerability of the Struts framework. A8. The device of any one of A1 to A7, wherein the communication module is further adapted to send the event information to the security server for storage and for generating a report for the user to query.
B14. The method of B13, wherein the insertion position comprises at least one of: the position where the first object is initialized, and the position where a method in the first object starts and/or finishes executing. B15. The method of any one of B10 to B14, wherein the event information comprises user request details, program stack information and a vulnerability description. B16. The method of B15, wherein the vulnerability comprises at least one of: a ClassLoader manipulation vulnerability of the Struts framework, a session cookie without the HttpOnly flag set, a denial-of-service vulnerability caused by parseDouble in the Java SDK, a Java deserialization attack vulnerability, and a remote code execution vulnerability of the Struts framework. B17. The method of any one of B10 to B16, further comprising the step of sending the event information to the security server for storage and for generating a report for the user to query.
Although the invention has been described with respect to a limited number of embodiments, those skilled in the art, having the benefit of the above description, will appreciate that other embodiments can be devised within the scope of the invention thus described. In addition, it should be noted that the language used in this specification has been chosen principally for readability and instructional purposes, and not to delineate or circumscribe the inventive subject matter. Accordingly, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. With respect to the scope of the invention, the disclosure made herein is illustrative and not restrictive, and the scope of the invention is defined by the appended claims.

Claims (17)

1. A device for repairing an application vulnerability, the device being resident on an application server, the application server storing one or more applications and, on receiving an access request from a user, invoking the corresponding application to process it, the application server being connected to a security server over a network, the security server storing at least one item of vulnerability information for at least one vulnerability, the vulnerability information indicating an object having the vulnerability and a first object in that object where the vulnerability is located, and including a corresponding protection segment, the device comprising:
a communication module adapted to obtain vulnerability information from the security server;
a scanning module adapted to detect, according to the vulnerability information, whether the application depends on an object having the vulnerability;
a monitoring module adapted, if the scanning module detects that the application depends on an object having the vulnerability, to obtain from the vulnerability information of that vulnerability the first object where the vulnerability is located, and to detect the operation of loading the first object, the first object being executable to complete corresponding logic;
an inserting module adapted, when the monitoring module detects that the first object is about to be loaded into memory, to obtain the corresponding protection segment from the vulnerability information, and further adapted to insert the obtained protection segment into the first object to generate a second object; and
a processing engine adapted, when the first object is to be executed, to execute the second object so as to complete the corresponding logic of executing the first object, and further adapted to execute the protection segment in the second object so as to judge, from the key parameters with which the corresponding logic is completed, whether a malicious event exploiting the vulnerability is present and, if so, to intercept the malicious event and record event information.
2. The device of claim 1, wherein the object having the vulnerability comprises at least one of: a web container, a third-party framework, an application server, a library and a class having the vulnerability.
3. The device of claim 1 or 2, wherein the first object comprises at least one of: a class, an interface, and a method, parameter, return value or variable defined therein.
4. The device of claim 1, wherein the vulnerability information further indicates an insertion position of the protection segment in the first object, and the inserting module is further adapted to insert the protection segment at the corresponding insertion position to generate the second object.
5. The device of claim 4, wherein the insertion position comprises at least one of: the position where the first object is initialized, and the position where a method in the first object starts and/or finishes executing.
6. The device of claim 1, wherein the event information comprises user request details, program stack information and a vulnerability description.
7. The device of claim 6, wherein the vulnerability comprises at least one of: a ClassLoader manipulation vulnerability of the Struts framework, a session cookie without the HttpOnly flag set, a denial-of-service vulnerability caused by parseDouble in the Java SDK, a Java deserialization attack vulnerability, and a remote code execution vulnerability of the Struts framework.
8. The device of claim 1, wherein the communication module is further adapted to send the event information to the security server for storage and for generating a report for the user to query.
9. An application vulnerability repair system, comprising:
the device of any one of claims 1 to 8; and
a security server adapted to store at least one item of vulnerability information for at least one vulnerability, the vulnerability information indicating an object having the vulnerability and a first object in that object where the vulnerability is located, and including a corresponding protection segment; the security server being further adapted to receive and store event information of malicious events and to generate, according to the event information, a report for the user to query.
10. A method for repairing an application vulnerability, suitable for execution on an application server, the application server storing one or more applications and, on receiving an access request from a user, invoking the corresponding application to process it, the application server being connected to a security server over a network, the security server storing at least one item of vulnerability information for at least one vulnerability, the vulnerability information indicating an object having the vulnerability and a first object in that object where the vulnerability is located, and including a corresponding protection segment, the method comprising:
obtaining vulnerability information from the security server;
detecting, according to the vulnerability information, whether the application depends on an object having the vulnerability;
if it is detected that the application depends on an object having the vulnerability, obtaining from the vulnerability information of that vulnerability the first object where the vulnerability is located, and detecting the operation of loading the first object, the first object being executable to complete corresponding logic;
when it is detected that the first object is about to be loaded into memory, obtaining the corresponding protection segment from the vulnerability information;
inserting the obtained protection segment into the first object to generate a second object; and
when the first object is to be executed, executing the second object so as to complete the corresponding logic of executing the first object, wherein the protection segment in the second object is executed so as to judge, from the key parameters with which the corresponding logic is completed, whether a malicious event exploiting the vulnerability is present and, if so, the malicious event is intercepted and event information is recorded.
11. The method of claim 10, wherein the object having the vulnerability comprises at least one of: a web container, a third-party framework, an application server, a library and a class having the vulnerability.
12. The method of claim 10 or 11, wherein the first object comprises at least one of: a class, an interface, and a method, parameter, return value or variable defined therein.
13. The method of claim 10, wherein the vulnerability information further indicates an insertion position of the protection segment in the first object, and the step of inserting the obtained protection segment into the first object comprises:
inserting the protection segment at the corresponding insertion position to generate the second object.
14. The method of claim 13, wherein the insertion position comprises at least one of: the position where the first object is initialized, and the position where a method in the first object starts and/or finishes executing.
15. The method of claim 10, wherein the event information comprises user request details, program stack information and a vulnerability description.
16. The method of claim 15, wherein the vulnerability comprises at least one of: a ClassLoader manipulation vulnerability of the Struts framework, a session cookie without the HttpOnly flag set, a denial-of-service vulnerability caused by parseDouble in the Java SDK, a Java deserialization attack vulnerability, and a remote code execution vulnerability of the Struts framework.
17. The method of claim 10, further comprising the step of:
sending the event information to the security server for storage and for generating a report for the user to query.
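As an added example illustrating the monitoring and inserting steps of claims 1 and 10 and the insertion positions of claims 5 and 14 (example code, not the patent's own), the following java.lang.instrument agent uses the ASM library (org.objectweb.asm) to generate the second object at the moment the first object is loaded. The vulnerability information record, the com.example package and class names, the key-parameter slot and the guard method the record names are all assumptions; the guard class is assumed to exist on the agent's class path as a static method taking the key parameter.

```java
// Added example, not the patent's own code: the monitoring and inserting steps as a
// java.lang.instrument agent built on ASM (org.objectweb.asm). All names are assumptions.
package com.example.loophole;

import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.ProtectionDomain;

import org.objectweb.asm.ClassReader;
import org.objectweb.asm.ClassVisitor;
import org.objectweb.asm.ClassWriter;
import org.objectweb.asm.MethodVisitor;
import org.objectweb.asm.Opcodes;

public final class RepairAgent {

    enum InsertPosition { METHOD_START, METHOD_END }

    /** One item of vulnerability information as the security server would hand it down. */
    static final class VulnerabilityInfo {
        final String firstObjectClass;   // internal name of the class holding the vulnerable method
        final String firstObjectMethod;  // the first object: method name and descriptor
        final String firstObjectDesc;
        final int keyParameterSlot;      // local-variable slot of the key parameter
        final String guardOwner;         // the protection segment: static method owner/name/descriptor
        final String guardName;
        final String guardDesc;
        final InsertPosition position;

        VulnerabilityInfo(String cls, String method, String desc, int slot,
                          String guardOwner, String guardName, String guardDesc, InsertPosition position) {
            this.firstObjectClass = cls; this.firstObjectMethod = method; this.firstObjectDesc = desc;
            this.keyParameterSlot = slot; this.guardOwner = guardOwner; this.guardName = guardName;
            this.guardDesc = guardDesc; this.position = position;
        }
    }

    // Constructed sample record (hypothetical target and guard). Slot 1 is the first argument of an
    // instance method, slot 0 being `this`; for a static method the first argument is slot 0.
    static final VulnerabilityInfo SAMPLE = new VulnerabilityInfo(
            "com/example/app/ParameterBinder", "bind", "(Ljava/util/Map;)V", 1,
            "com/example/loophole/ProtectionSegment", "checkRequestParameters", "(Ljava/util/Map;)V",
            InsertPosition.METHOD_START);

    /** Monitoring module: every class load passes through the transformer before the class is defined. */
    public static void premain(String agentArgs, Instrumentation inst) {
        inst.addTransformer(new InsertingTransformer(SAMPLE));
    }

    /** Inserting module: rewrites only the first object and returns the bytes of the second object. */
    static final class InsertingTransformer implements ClassFileTransformer {
        private final VulnerabilityInfo info;

        InsertingTransformer(VulnerabilityInfo info) { this.info = info; }

        @Override
        public byte[] transform(ClassLoader loader, String className, Class<?> redefined,
                                ProtectionDomain pd, byte[] classfileBuffer) {
            if (!info.firstObjectClass.equals(className)) {
                return null;                      // not the first object: leave the bytes untouched
            }
            ClassReader cr = new ClassReader(classfileBuffer);
            // The inserted call is stack-neutral, so recomputing max stack suffices; COMPUTE_FRAMES
            // would make ASM resolve classes through the agent's loader, a common agent pitfall.
            ClassWriter cw = new ClassWriter(cr, ClassWriter.COMPUTE_MAXS);
            cr.accept(new ClassVisitor(Opcodes.ASM9, cw) {
                @Override
                public MethodVisitor visitMethod(int access, String name, String desc,
                                                 String signature, String[] exceptions) {
                    MethodVisitor mv = super.visitMethod(access, name, desc, signature, exceptions);
                    if (!info.firstObjectMethod.equals(name) || !info.firstObjectDesc.equals(desc)) {
                        return mv;
                    }
                    return new MethodVisitor(Opcodes.ASM9, mv) {
                        private void callGuard() {   // push the key parameter, invoke the protection segment
                            super.visitVarInsn(Opcodes.ALOAD, info.keyParameterSlot);
                            super.visitMethodInsn(Opcodes.INVOKESTATIC, info.guardOwner,
                                    info.guardName, info.guardDesc, false);
                        }

                        @Override
                        public void visitCode() {    // insertion position: method start
                            super.visitCode();
                            if (info.position == InsertPosition.METHOD_START) {
                                callGuard();
                            }
                        }

                        @Override
                        public void visitInsn(int opcode) {   // insertion position: method end (every return)
                            if (info.position == InsertPosition.METHOD_END
                                    && opcode >= Opcodes.IRETURN && opcode <= Opcodes.RETURN) {
                                callGuard();
                            }
                            super.visitInsn(opcode);
                        }
                    };
                }
            }, 0);
            return cw.toByteArray();                 // the second object
        }
    }
}
```

Build with the ASM jar on the class path, package with a manifest containing `Premain-Class: com.example.loophole.RepairAgent`, and start the application server with `-javaagent:repair-agent.jar`. A class the JVM defined before the record arrived is not seen by this transformer; it has to be re-transformed with `Instrumentation.retransformClasses`, which also requires `Can-Retransform-Classes: true` in the manifest. The guard class must be visible to the class loader that loads the first object, which holds when the agent jar is on the system class path and the web application's loader delegates to its parent.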
CN201610803096.4A 2016-09-05 2016-09-05 Device, method and system for repairing application vulnerabilities Active CN106446690B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610803096.4A CN106446690B (en) 2016-09-05 2016-09-05 Device, method and system for repairing application vulnerabilities

Publications (2)

Publication Number Publication Date
CN106446690A CN106446690A (en) 2017-02-22
CN106446690B true CN106446690B (en) 2019-08-02

Family

ID=58164268

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610803096.4A Active CN106446690B (en) 2016-09-05 2016-09-05 Device, method and system for repairing application vulnerabilities

Country Status (1)

Country Link
CN (1) CN106446690B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108121899B (en) * 2017-12-13 2021-07-30 中国科学院软件研究所 Anti-repackaging method and system for application program
CN111506904B (en) * 2020-04-21 2024-01-12 北京同邦卓益科技有限公司 Method and device for online bug repair
CN113312631A (en) * 2021-06-11 2021-08-27 杭州安恒信息安全技术有限公司 Vulnerability detection method and related device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102622299A (en) * 2010-04-13 2012-08-01 常州云博软件工程技术有限公司 Working method of software detection system
CN103731429A (en) * 2014-01-08 2014-04-16 深信服网络科技(深圳)有限公司 Method and device for web application vulnerability detection
CN103793653A (en) * 2014-02-19 2014-05-14 中国科学院信息工程研究所 Program dependence relationship analysis method and system based on tree optimization
CN104021073A (en) * 2014-05-06 2014-09-03 南京大学 Software vulnerability detection method based on pointer analysis
CN104079528A (en) * 2013-03-26 2014-10-01 北大方正集团有限公司 Method and system of safety protection of Web application
CN104683179A (en) * 2015-02-12 2015-06-03 北京蓝海讯通科技有限公司 Method, device and system for monitoring execution performance of objects

Also Published As

Publication number Publication date
CN106446690A (en) 2017-02-22

Similar Documents

Publication Publication Date Title
US11907378B2 (en) Automated application vulnerability and risk assessment
US9015814B1 (en) System and methods for detecting harmful files of different formats
CN105068932B (en) Method for detecting whether an Android application has been packed
CN105574411B (en) Dynamic unpacking method, device and equipment
EP3647981A1 (en) Security scanning method and apparatus for mini program, and electronic device
US11748487B2 (en) Detecting a potential security leak by a microservice
CN106446690B (en) Device, method and system for repairing application vulnerabilities
Zhang et al. Ripple: Reflection analysis for android apps in incomplete information environments
CN108989355A (en) Vulnerability detection method and device
CN104732145A (en) Method and device for detecting parasitic processes in a virtual machine
CN112685745B (en) Firmware detection method, device, equipment and storage medium
US20180032735A1 (en) System and method for enhancing static analysis of software applications
US11397812B2 (en) System and method for categorization of .NET applications
US8572729B1 (en) System, method and computer program product for interception of user mode code execution and redirection to kernel mode
CN116324773A (en) Method and apparatus for protecting smart contracts from attack
CN113312618A (en) Program vulnerability detection method and device, electronic equipment and medium
EP3975021B1 (en) Method and system for data flow monitoring to identify application security vulnerabilities and to detect and prevent attacks
Jensen et al. Thaps: automated vulnerability scanning of php applications
CN106407802B (en) Device, method and system for security monitoring of an application
Güler et al. Atropos: Effective fuzzing of web applications for server-side vulnerabilities
Nirumand et al. A model‐based framework for inter‐app Vulnerability analysis of Android applications
Hernandez et al. Toward automated firmware analysis in the iot era
CN106101086A (en) Cloud-based detection method and system for program files, client and cloud server
Bu et al. When program analysis meets mobile security: an industrial study of misusing android internet sockets
Takata et al. The Uncontrolled Web: Measuring Security Governance on the Web

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220712

Address after: 100193 room 101-216, 2nd floor, building 4, East District, yard 10, northwest Wangdong Road, Haidian District, Beijing

Patentee after: Beijing Ruixiang Technology Co.,Ltd.

Address before: 100191 floors 3 and 4, building a-5, Dongsheng Science Park, Zhongguancun, No. 66, xixiaokou Road, Haidian District, Beijing

Patentee before: BEIJING ONEAPM Co.,Ltd.
