CN106650462A - Method and device for detecting Flash vulnerability exploitation - Google Patents

Info

Publication number
CN106650462A
Authority
CN
China
Prior art keywords
flash
reading
specified object
writing data
read
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201611064559.6A
Other languages
Chinese (zh)
Inventor
杨康
汪璐
陈雪斌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Priority to CN201611064559.6A
Publication of CN106650462A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

The invention discloses a method and device for detecting Flash vulnerability exploitation. The method includes: while the Flash module of an application program is running, monitoring for events in which a read/write operation is performed on a specified object in the Flash module; when such an event is detected, acquiring the specified object and judging whether the value of a length element in the specified object is greater than a preset threshold; if so, determining that vulnerability exploitation exists in the Flash file run by the Flash module; otherwise, determining that no vulnerability exploitation exists in the Flash file run by the Flash module. Based on the principle of Flash vulnerability exploitation, the scheme proposes a corresponding general countermeasure that is convenient and efficient, guards against both currently known vulnerability exploitation attacks and potential threats that may appear, and is highly practicable.

Description

Method and device for detecting Flash vulnerability exploitation
Technical field
The present invention relates to the field of Internet technology, and in particular to a method and device for detecting Flash vulnerability exploitation.
Background
With the continuous development of Internet technology, people use the network ever more frequently; work, study, daily life, entertainment and many other matters can be carried out over the network, which has brought great convenience. However, many of the files people use on the Internet contain vulnerabilities, and these vulnerabilities give malicious developers an opportunity: they can exploit the vulnerabilities in these files to attack the application programs that open them.
A few years ago, Java vulnerabilities were the main medium through which many attackers infected operating systems; today Adobe Flash Player vulnerabilities (hereinafter Flash vulnerabilities) have become the new attack medium. A Flash file is a vector-based animation file containing rich video, sound and graphics, and is widely embedded in web pages. In the first quarter of 2015, malicious web pages targeting Flash Player accounted for 93.3% of all malicious web pages, and by the fourth quarter the figure had soared to 99.2%.
Following the Hacking Team attack some time ago, serious 0day vulnerabilities again appeared in Flash, and for a time the security of a great many Flash users was lost. A general way of detecting Flash vulnerability exploitation is urgently needed, one that not only guards against currently known vulnerability attacks but also prevents potential threats that may arise.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a method and device for detecting Flash vulnerability exploitation that overcome the above problems or at least partially solve them.
According to one aspect of the present invention, a method for detecting Flash vulnerability exploitation is provided, including:
while the Flash module of an application program is running, monitoring for events in which a read/write operation is performed on a specified object in the Flash module;
when an event in which a read/write operation is performed on the specified object is detected, acquiring the specified object and judging whether the value of the length element in the specified object is greater than a preset threshold;
if so, determining that vulnerability exploitation exists in the Flash file run by the Flash module;
otherwise, determining that no vulnerability exploitation exists in the Flash file run by the Flash module.
Optionally, the method further includes:
when it is determined that vulnerability exploitation exists in the Flash file run by the Flash module, prohibiting the read/write operation on the specified object from continuing;
when it is determined that no vulnerability exploitation exists in the Flash file run by the Flash module, allowing the read/write operation on the specified object to continue.
Optionally, the method further includes: before the Flash module of the application program runs, identifying the data read/write function in the Flash module that performs read/write operations on the specified object;
monitoring for events in which a read/write operation is performed on the specified object in the Flash module includes: monitoring for call events of the data read/write function;
acquiring the specified object when an event in which a read/write operation is performed on the specified object is detected includes: acquiring the specified object when an event in which the data read/write function is called is detected.
Optionally, monitoring for call events of the data read/write function includes:
mounting a hook function on the data read/write function;
intercepting, through the hook function, the message indicating that the data read/write function is called, and not allowing that message to continue to be passed on.
Optionally, prohibiting the read/write operation on the specified object from continuing, when it is determined that vulnerability exploitation exists in the Flash file run by the Flash module, includes:
when it is determined that vulnerability exploitation exists in the Flash file run by the Flash module, forcibly terminating, through the hook function, the further passing of the message indicating that the data read/write function is called.
Optionally, allowing the read/write operation on the specified object to continue, when it is determined that no vulnerability exploitation exists in the Flash file run by the Flash module, includes:
when it is determined that no vulnerability exploitation exists in the Flash file run by the Flash module, releasing, through the hook function, the message indicating that the data read/write function is called, so that the message continues to be passed on.
Optionally, identifying the data read/write function in the Flash module that performs read/write operations on the specified object includes:
performing static analysis on the Flash module and, from the static analysis results, identifying the data read/write function in the Flash module that performs read/write operations on the specified object.
Optionally, when it is determined that vulnerability exploitation exists in the Flash file run by the Flash module, the method further includes:
restoring the value of the length element in the specified object to its original value.
Optionally, the specified object includes: a Vector object and/or a ByteArray object;
the length element in the specified object includes: a length element and/or a capacity element.
Optionally, the application program includes one or more of the following:
a web browser, a word-processing application, a presentation application, a spreadsheet application, a graphics-processing application.
According to another aspect of the present invention, a device for detecting Flash vulnerability exploitation is provided, including:
a monitoring unit, adapted to monitor, while the Flash module of an application program is running, for events in which a read/write operation is performed on a specified object in the Flash module, and to notify a detection processing unit when such an event is detected;
the detection processing unit, adapted to acquire the specified object when the notification is received and judge whether the value of the length element in the specified object is greater than a preset threshold; if so, to determine that vulnerability exploitation exists in the Flash file run by the Flash module; otherwise, to determine that no vulnerability exploitation exists in the Flash file run by the Flash module.
Optionally, the detection processing unit is further adapted to prohibit the read/write operation on the specified object from continuing when it is determined that vulnerability exploitation exists in the Flash file run by the Flash module, and to allow the read/write operation on the specified object to continue when it is determined that no vulnerability exploitation exists in the Flash file run by the Flash module.
Optionally, the monitoring unit is further adapted to identify, before the Flash module of the application program runs, the data read/write function in the Flash module that performs read/write operations on the specified object; to monitor for call events of the data read/write function; and to notify the detection processing unit when an event in which the data read/write function is called is detected.
Optionally, monitoring for call events of the data read/write function includes:
the monitoring unit is adapted to mount a hook function on the data read/write function, to intercept through the hook function the message indicating that the data read/write function is called, and not to allow that message to continue to be passed on.
Optionally, the detection processing unit is adapted to forcibly terminate, through the hook function, the further passing of the message indicating that the data read/write function is called when it is determined that vulnerability exploitation exists in the Flash file run by the Flash module.
Optionally, the detection processing unit is adapted to release, through the hook function, the message indicating that the data read/write function is called when it is determined that no vulnerability exploitation exists in the Flash file run by the Flash module, so that the message continues to be passed on.
Optionally, the monitoring unit is adapted to perform static analysis on the Flash module and, from the static analysis results, identify the data read/write function in the Flash module that performs read/write operations on the specified object.
Optionally, the detection processing unit is further adapted to restore the value of the length element in the specified object to its original value when it is determined that vulnerability exploitation exists in the Flash file run by the Flash module.
Optionally, the specified object includes: a Vector object and/or a ByteArray object;
the length element in the specified object includes: a length element and/or a capacity element.
Optionally, the application program includes one or more of the following:
a web browser, a word-processing application, a presentation application, a spreadsheet application, a graphics-processing application.
As can be seen from the foregoing, while the Flash module of an application program is running a Flash file, the technical scheme provided by the present invention monitors for events in which a read/write operation is performed on a specified object in the Flash module, so that whenever the specified object is read or written it can judge whether the value of the object's length element has been maliciously changed to a larger number. When the value of the length element of the specified object is found to be too large, it is determined, according to the principle of the attack, that a malicious attacker has changed the length element of the specified object to a larger number in order to gain the ability to read and write arbitrary memory addresses, i.e. that vulnerability exploitation exists in the Flash file run by the application program's Flash module. Otherwise, it is determined that the Flash file run by the Flash module has no problem. Dynamic detection of Flash vulnerability exploitation is thereby achieved. Based on the principle of Flash vulnerability exploitation, the scheme proposes a corresponding general countermeasure that is convenient and efficient, guards against currently known vulnerability exploitation attacks, prevents potential threats that may arise, and is highly practicable.
The above is only an overview of the technical scheme of the present invention. So that the technical means of the invention can be understood more clearly and implemented according to the content of the specification, and so that the above and other objects, features and advantages of the invention are more apparent, specific embodiments of the invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the detailed description of the preferred embodiments below. The drawings serve only to illustrate the preferred embodiments and are not to be considered a limitation of the present invention. Throughout the drawings, the same reference numerals denote the same parts. In the drawings:
Fig. 1 shows a flow chart of a method for detecting Flash vulnerability exploitation according to an embodiment of the invention;
Fig. 2 shows a schematic diagram of the native machine code generated by the Flash module according to an embodiment of the invention;
Fig. 3 shows a schematic diagram of a device for detecting Flash vulnerability exploitation according to an embodiment of the invention.
Detailed description
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and its scope conveyed completely to those skilled in the art.
In order to explain the embodiments of this scheme more clearly, the principle of current Flash vulnerability exploitation is first described:
During Flash vulnerability exploitation, the attack vector must obtain the ability to read and write arbitrary memory addresses before the rest of the attack can be completed. For the Flash module in an application program, a normal specified object certainly cannot read or write memory at arbitrary addresses; each object is restricted to its own operable memory range. But if an attacker modifies this restriction in some way, they gain the ability to operate on arbitrary memory.
Taking the Vector structure as an example:
In a Vector, the value of the length field limits the size of the Vector data memory region that the Vector object can operate on. Suppose the length value of a Vector<int> object A is 1 and its data is stored at address B; then under normal circumstances the only address range that can be read and written through A is:
[B, B + 1 * sizeof(int)],
If some method makes it possible to change the length value to 10, the address range that A can read and write becomes:
[B, B + 10 * sizeof(int)],
As long as the attacker changes length to a sufficiently large value, memory in any range can be operated on. The attacker can then maliciously tamper with data at critical memory addresses and lay out their own code to influence the program's execution flow, completing the vulnerability exploitation.
Throughout the exploitation process, the attacker triggers the vulnerability with a carefully crafted Flash file and thereby modifies the length of a specified object in the Flash module that the application program uses to run Flash files. For this reason, the detection approach of this scheme is to monitor the length element of the specified object in the Flash module and thereby judge whether a vulnerability in the current process is being maliciously exploited.
Fig. 1 shows a flow chart of a method for detecting Flash vulnerability exploitation according to an embodiment of the invention. As shown in Fig. 1, the method includes:
Step S110: while the Flash module of an application program is running, monitor for events in which a read/write operation is performed on a specified object in the Flash module.
Step S120: when an event in which a read/write operation is performed on the specified object is detected, acquire the specified object and judge whether the value of the length element in the specified object is greater than a preset threshold.
Step S130: if so, determine that vulnerability exploitation exists in the Flash file run by the Flash module.
Step S140: otherwise, determine that no vulnerability exploitation exists in the Flash file run by the Flash module.
It can be seen that, while the Flash module of an application program is running a Flash file, the method shown in Fig. 1 monitors for events in which a read/write operation is performed on a specified object in the Flash module, so that whenever the specified object is read or written it can judge whether the value of the object's length element has been maliciously changed to a larger number. When the value of the length element of the specified object is found to be too large, it is determined, according to the principle of the attack, that a malicious attacker has changed the length element of the specified object to a larger number in order to gain the ability to read and write arbitrary memory addresses, i.e. that vulnerability exploitation exists in the Flash file run by the application program's Flash module. Otherwise, it is determined that the Flash file run by the Flash module has no problem. Dynamic detection of Flash vulnerability exploitation is thereby achieved. Based on the principle of Flash vulnerability exploitation, the scheme proposes a corresponding general countermeasure that is convenient and efficient, guards against currently known vulnerability exploitation attacks, prevents potential threats that may arise, and is highly practicable.
In one embodiment of the invention, the method shown in Fig. 1 further includes:
Step S150: when it is determined that vulnerability exploitation exists in the Flash file run by the Flash module, prohibit the read/write operation on the specified object from continuing.
Step S160: when it is determined that no vulnerability exploitation exists in the Flash file run by the Flash module, allow the read/write operation on the specified object to continue.
It is also known that the process of opening a Flash file in an application program is as follows: the application program first loads the Flash file; once loading is complete, the loaded Flash file is passed to the application program's Flash module, which renders and opens it, and the Flash module begins running the Flash file. In order to monitor for events in which a read/write operation is performed on a specified object in the Flash module, in one embodiment of the invention the method shown in Fig. 1 first needs to identify, before the Flash module of the application program runs, the data read/write function in the Flash module that performs read/write operations on the specified object. While the Flash module is running, a call to the data read/write function means that a read/write operation is being performed on the specified object. Therefore, in steps S110 to S120 above, monitoring for events in which a read/write operation is performed on the specified object in the Flash module, and acquiring the specified object when such an event is detected, includes: monitoring for call events of the data read/write function; and, when an event in which the data read/write function is called is detected, examining the specified object in the Flash module, i.e. acquiring the specified object and analyzing the value of its length element to judge whether the value of the length element in the specified object has been maliciously changed to a larger value. Identifying the data read/write function in the Flash module that performs read/write operations on the specified object includes: performing static analysis on the Flash module and, from the static analysis results, identifying the data read/write function in the Flash module that performs read/write operations on the specified object.
Specifically, monitoring for call events of the data read/write function can be implemented as follows: a hook function is mounted on the data read/write function in the Flash module that performs read/write operations on the specified object. When the Flash module needs to read or write the specified object while running, it must call that data read/write function, which it does by sending the function a message indicating that the data read/write function is called. This scheme intercepts that message through the hook function and does not allow it to continue to be passed on. When the hook function intercepts the message indicating that the data read/write function is called, this scheme examines the specified object in the Flash module, i.e. acquires the specified object and analyzes the value of its length element to judge whether the value of the length element in the specified object has been maliciously changed to a larger value. If so, it is determined that vulnerability exploitation exists in the Flash file run by the Flash module, and the read/write operation on the specified object is prohibited from continuing; this can be done by forcibly terminating, through the hook function, the further passing of the message indicating that the data read/write function is called. Otherwise, it is determined that no vulnerability exploitation exists in the Flash file run by the Flash module, and the read/write operation on the specified object is allowed to continue; this can be done by releasing, through the hook function, the message indicating that the data read/write function is called, so that the message continues to be passed on, the call to the data read/write function executes normally, and the read/write operation on the specified object is carried out normally.
Further, in one embodiment of the invention, when it is determined that vulnerability exploitation exists in the Flash file run by the Flash module, the method shown in Fig. 1 further includes: restoring the value of the length element in the specified object to its original value.
The implementation of this scheme is illustrated with a specific example. In the scripts written for Flash files, the structures that attackers commonly use to operate on arbitrary memory addresses are the Vector and ByteArray objects, so this example uses the ByteArray object and the Vector object in turn as the specified object mentioned in the method shown in Fig. 1:
When the ByteArray object is the specified object: after the application program has loaded the Flash file but before the application program's Flash module has started running, static analysis is performed on the Flash module, analyzing the code of its main functional modules to find the data read/write function that performs read/write operations on ByteArray objects. Before the Flash module starts running, a hook function is mounted on the data read/write function that was found, i.e. the function is hooked. When a call to the data read/write function occurs, the length element and the capacity element of the ByteArray object being read are checked, where the length element specifies the length of the ByteArray object and the capacity element specifies the maximum length of the ByteArray object. If the length element is greater than the capacity element, or length is greater than some preset threshold, it is judged that vulnerability exploitation has occurred and further protective handling is needed.
When the Vector object is the specified object: after the application program has loaded the Flash file but before the application program's Flash module has started running, static analysis is performed on the Flash module, analyzing the code of its main functional modules to find the data read/write function that performs read/write operations on Vector objects. In addition, when the Flash module generates native machine code (hereinafter JIT code) for an ActionScript script, the logic that executes is the generated native machine code rather than the Flash module's own original code. The data read/write function therefore cannot simply be located in the Flash module's own original code and hooked directly, as described above. Instead, when the Flash module generates JIT code for an ActionScript script, it must be determined whether the generated JIT code contains a call to the data read/write function that performs read/write operations on Vector objects in the Flash module. If so, a hook function is mounted on the mainline code of the corresponding processing logic, and the length element and the capacity element of the corresponding Vector object are checked; if the length element is greater than the capacity element, or the length element is greater than some threshold, it is judged that vulnerability exploitation has occurred.
For example, Fig. 2 shows the signal of the local primary code that Flash modules according to an embodiment of the invention are generated Figure, as shown in Fig. 2 in this section of jit code, the part for 1. indicating illustrates:It is right in Flash module runnings Vector objects in Flash modules are read, and specifically, read the data at the vernier 0x18 of Vector objects; The process that Vector objects are read out data manipulation is included performed by this section of code:2. it is Vector objects to indicate ecx Pointer, through 3. shown step, the value of the length elements of Vector objects is preserved in eax, by this reading data The value of the length elements of the vernier 0x18 and Vector objects to be accessed is compared, to judge that this reads the address of data Whether in the corresponding access rights of Vector objects, if vernier 0x18 is less than the value of the length elements of Vector objects, Illustrate in access rights, it is normal to perform, the code process logic for 4. indicating is entered, call and behaviour is read out to Vector objects The Data Read Function GetNativeIntProperty of work, to carry out digital independent, otherwise then can not normally perform.
In this section of jit code, the part for 5. indicating illustrates:In Flash module runnings, to Flash moulds Vector objects in block carry out write operation, specifically, write data at the vernier 0x0C of Vector objects;This section of code Performed includes to the process that Vector objects carry out writing data manipulation:6. pointers of the ecx for Vector objects, Jing are indicated 7. shown step is crossed, the value of the length elements of Vector objects is preserved in eax, by this reading data trip to be accessed Whether the value of length elements of mark 0x0C and Vector objects is compared, existed with judging that this writes the address of data In the corresponding access rights of Vector objects, if vernier 0x0C is illustrated less than the value of the length elements of Vector objects It is normal to perform in access rights, the code process logic for 8. indicating is entered, calling carries out the number of write operation to Vector objects According to write function SetNativeIntProperty, to carry out digital independent, otherwise then can not normally perform.
Based on the above execution logic, this solution only needs to add HOOK code in the main processing flow. That is, a HOOK is placed at the location shown at 4, where the data read function GetNativeIntProperty that performs the read operation on the Vector object is called; specifically, GetNativeIntProperty can serve as the mount point of the hook function. A HOOK is likewise placed at the location shown at 8, where the data write function SetNativeIntProperty that performs the write operation on the Vector object is called; specifically, SetNativeIntProperty can serve as the mount point of the hook function. When the data read function GetNativeIntProperty or the data write function SetNativeIntProperty is called, the Vector object is obtained and the value of its length element is compared and judged, to determine whether vulnerability exploitation exists in the Flash file being run by the current Flash module. The HOOK is installed at the moment the Flash module calls VirtualProtect to set the page containing the JIT code to the EXECUTE attribute.
In the above embodiments, the application program includes one or more of the following: a web browser, a word-processing application, a presentation application, a spreadsheet application, a graphics-processing application. When any of these applications loads a Flash file and renders it open, Flash vulnerability exploitation can be detected using the technical solution of this scheme; no limitation is imposed here.
Fig. 3 shows a schematic diagram of a device for detecting Flash vulnerability exploitation according to an embodiment of the invention. As shown in Fig. 3, the device 300 for detecting Flash vulnerability exploitation includes:
A monitoring unit 310, adapted to monitor, while the Flash module of the application program is running, events in which a specified object in the Flash module is read or written, and to notify the detection processing unit 320 when an event in which the specified object is read or written is detected.
A detection processing unit 320, adapted to obtain the specified object when the notification is received and to judge whether the value of the length element in the specified object is greater than a preset threshold; if so, to determine that vulnerability exploitation exists in the Flash file run by the Flash module; otherwise, to determine that no vulnerability exploitation exists in the Flash file run by the Flash module.
It can be seen that, while the Flash module of the application program runs a Flash file, the device shown in Fig. 3 monitors events in which the specified object in the Flash module is read or written, so that each time the specified object is read or written it judges whether the value of the length element of the specified object has been maliciously tampered with into a larger value. When the value of the length element of the specified object is found to be too large, it is determined, according to the principle of the vulnerability attack, that a malicious attacker has changed the length element of the specified object to a larger value in order to obtain the ability to read and write arbitrary memory addresses, that is, vulnerability exploitation exists in the Flash file run by the Flash module of the application program; conversely, it is determined that the Flash file run by the Flash module has no problem. Dynamic detection of Flash vulnerability exploitation is thereby achieved. This solution proposes a general countermeasure tailored to the principle of Flash vulnerability exploitation; it is convenient and efficient, can guard against not only currently known exploitation attacks but also potential threats that may arise, and is highly practicable.
In one embodiment of the invention, the detection processing unit 320 is further adapted to forbid the read or write operation on the specified object from continuing when it is determined that vulnerability exploitation exists in the Flash file run by the Flash module, and to allow the read or write operation on the specified object to continue when it is determined that no vulnerability exploitation exists in the Flash file run by the Flash module.
The monitoring unit 310 is further adapted to learn, before the Flash module of the application program runs, the data read/write function in the Flash module that reads and writes the specified object; to monitor call events of the data read/write function; and to notify the detection processing unit 320 when an event in which the data read/write function is called is detected.
Specifically, the monitoring unit 310 is adapted to mount a hook function on the data read/write function, and to intercept, through the hook function, the message indicating a call to the data read/write function, so that this message is not passed on.
Further, in one embodiment of the invention, the detection processing unit 320 is adapted to forcibly terminate, through the hook function, the further passing of the message indicating a call to the data read/write function when it is determined that vulnerability exploitation exists in the Flash file run by the Flash module.
In another embodiment of the invention, the detection processing unit 320 is adapted to release, through the hook function, the message indicating a call to the data read/write function when it is determined that no vulnerability exploitation exists in the Flash file run by the Flash module, so that the message continues to be passed on.
In one embodiment of the invention, the monitoring unit 310 is adapted to perform static analysis on the Flash module and, from the static analysis results, learn the data read/write function in the Flash module that reads and writes the specified object.
In one embodiment of the invention, the detection processing unit 320 is further adapted to restore the value of the length element in the specified object to its original value when it is determined that vulnerability exploitation exists in the Flash file run by the Flash module.
In one embodiment of the invention, the specified object includes a Vector object and/or a ByteArray object; the length element in the specified object includes a length element and/or a capacity element.
In one embodiment of the invention, the application program includes one or more of the following: a web browser, a word-processing application, a presentation application, a spreadsheet application, a graphics-processing application.
The embodiments of the device shown in Fig. 3 correspond to the embodiments shown in Fig. 1 and Fig. 2, which have been described in detail above and are not repeated here.
In summary, while the Flash module of the application program runs a Flash file, the technical solution provided by the invention monitors events in which the specified object in the Flash module is read or written, so that each time the specified object is read or written it judges whether the value of the length element of the specified object has been maliciously tampered with into a larger value. When the value of the length element of the specified object is found to be too large, it is determined, according to the principle of the vulnerability attack, that a malicious attacker has changed the length element of the specified object to a larger value in order to obtain the ability to read and write arbitrary memory addresses, that is, vulnerability exploitation exists in the Flash file run by the Flash module of the application program; conversely, it is determined that the Flash file run by the Flash module has no problem. Dynamic detection of Flash vulnerability exploitation is thereby achieved. This solution proposes a general countermeasure tailored to the principle of Flash vulnerability exploitation; it is convenient and efficient, can guard against not only currently known exploitation attacks but also potential threats that may arise, and is highly practicable.
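The hook-and-check flow described above (mount a hook on the read/write functions, compare the object's length element with a preset threshold, then terminate or release the call and restore the length) can be modelled in C. This is an added example, not code from the patent: the `vec_t` layout, the function-pointer mount points, the threshold value, and the assumption that the guard records each object's original length at creation are all illustrative.

```c
#include <stdint.h>
#include <stdio.h>

#define LENGTH_THRESHOLD 0x00100000u /* assumed; the page only says "preset threshold" */
#define CALL_OK       0
#define CALL_OOB     (-1)  /* index rejected by the function's own bounds check */
#define CALL_BLOCKED (-2)  /* call terminated by the hook */
#define MAX_TRACKED   8

/* Constructed stand-in for a Flash Vector object; the real layout is not on the page. */
typedef struct { uint32_t length; int32_t *data; } vec_t;

typedef int (*read_fn)(vec_t *, uint32_t, int32_t *);
typedef int (*write_fn)(vec_t *, uint32_t, int32_t);

/* Stand-ins for GetNativeIntProperty / SetNativeIntProperty. Like the JIT code
 * described above, they trust the object's own length field for the bounds check. */
static int native_get(vec_t *v, uint32_t i, int32_t *out) {
    if (i >= v->length) return CALL_OOB;
    *out = v->data[i];
    return CALL_OK;
}
static int native_set(vec_t *v, uint32_t i, int32_t val) {
    if (i >= v->length) return CALL_OOB;
    v->data[i] = val;
    return CALL_OK;
}

/* Callers go through these pointers; they model the hook mount points. */
static read_fn  g_get = native_get;
static write_fn g_set = native_set;
static read_fn  saved_get;
static write_fn saved_set;

/* Assumption: the guard records each object's length at creation, which gives
 * it an "original value" to restore after tampering is detected. */
static struct { vec_t *obj; uint32_t original; } tracked[MAX_TRACKED];
static int n_tracked, n_detections;

static int guard_track(vec_t *v) {
    if (n_tracked == MAX_TRACKED) return -1;
    tracked[n_tracked].obj = v;
    tracked[n_tracked].original = v->length;
    n_tracked++;
    return 0;
}

/* Returns 1 if the length element exceeds the threshold (exploitation detected);
 * in that case the recorded length is restored when the object is known. */
static int guard_check(vec_t *v) {
    if (v->length <= LENGTH_THRESHOLD) return 0;
    n_detections++;
    for (int k = 0; k < n_tracked; k++)
        if (tracked[k].obj == v) v->length = tracked[k].original;
    return 1;
}

static int hook_get(vec_t *v, uint32_t i, int32_t *out) {
    if (guard_check(v)) return CALL_BLOCKED;  /* terminate: never reaches native_get */
    return saved_get(v, i, out);              /* release the call unchanged */
}
static int hook_set(vec_t *v, uint32_t i, int32_t val) {
    if (guard_check(v)) return CALL_BLOCKED;
    return saved_set(v, i, val);
}

static void install_hooks(void) {
    if (g_get != hook_get) { saved_get = g_get; g_get = hook_get; }
    if (g_set != hook_set) { saved_set = g_set; g_set = hook_set; }
}

typedef struct {
    int clean_rc; int32_t clean_value;   /* read before tampering */
    int tampered_rc;                     /* write while length is tampered */
    uint32_t length_after;               /* length element after detection */
    int after_rc; int detections;
} demo_result;

static demo_result run_demo(void) {
    int32_t storage[4] = {10, 20, 30, 40};
    vec_t v = { 4, storage };
    demo_result r = {0};
    n_tracked = 0; n_detections = 0;
    install_hooks();
    guard_track(&v);

    r.clean_rc = g_get(&v, 2, &r.clean_value);  /* normal read is released */
    v.length = 0x40000000u;                     /* constructed tampering of the length element */
    r.tampered_rc = g_set(&v, 0x0C, 1234);      /* blocked before any memory is touched */
    r.length_after = v.length;                  /* restored to the recorded length */
    r.after_rc = g_set(&v, 0x0C, 1234);         /* bounds check is meaningful again */
    r.detections = n_detections;
    return r;
}

int main(void) {
    demo_result r = run_demo();
    printf("clean read rc=%d value=%d\n", r.clean_rc, r.clean_value);
    printf("tampered write rc=%d, length restored to %u\n", r.tampered_rc, r.length_after);
    printf("write after restore rc=%d, detections=%d\n", r.after_rc, r.detections);
    return 0;
}
```

The check runs before the hooked function, so a tampered length never reaches the function's own bounds comparison, which is the comparison the tampering is meant to defeat.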
It should be noted that:
The algorithms and displays provided herein are not inherently related to any particular computer, virtual device or other apparatus. Various general-purpose devices may also be used with the teachings herein. From the description above, the structure required to construct such devices is apparent. Moreover, the invention is not directed to any particular programming language. It should be understood that the content of the invention described herein may be implemented in a variety of programming languages, and that the above description of a specific language is given to disclose the best mode of the invention.
Numerous specific details are set forth in the specification provided herein. It should be understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the above description of exemplary embodiments of the invention. However, this method of disclosure should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single embodiment disclosed above. The claims following the detailed description are therefore expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and may furthermore be divided into multiple sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include certain features that are included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the device for detecting Flash vulnerability exploitation according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order; these words may be interpreted as names.
The invention discloses A1, a method for detecting Flash vulnerability exploitation, comprising:
While the Flash module of an application program is running, monitoring events in which a specified object in the Flash module is read or written;
When an event in which the specified object is read or written is detected, obtaining the specified object and judging whether the value of the length element in the specified object is greater than a preset threshold;
If so, determining that vulnerability exploitation exists in the Flash file run by the Flash module;
Otherwise, determining that no vulnerability exploitation exists in the Flash file run by the Flash module.
A2, the method according to A1, wherein the method further comprises:
When it is determined that vulnerability exploitation exists in the Flash file run by the Flash module, forbidding the read or write operation on the specified object from continuing;
When it is determined that no vulnerability exploitation exists in the Flash file run by the Flash module, allowing the read or write operation on the specified object to continue.
A3, the method according to A1 or A2, wherein the method further comprises: before the Flash module of the application program runs, learning the data read/write function in the Flash module that reads and writes the specified object;
The monitoring of events in which the specified object in the Flash module is read or written comprises: monitoring call events of the data read/write function;
The obtaining of the specified object when an event in which the specified object is read or written is detected comprises: obtaining the specified object when an event in which the data read/write function is called is detected.
A4, the method according to A3, wherein the monitoring of call events of the data read/write function comprises:
Mounting a hook function on the data read/write function;
Intercepting, through the hook function, the message indicating a call to the data read/write function, so that this message is not passed on.
A5, the method according to A4, wherein forbidding the read or write operation on the specified object from continuing when it is determined that vulnerability exploitation exists in the Flash file run by the Flash module comprises:
When it is determined that vulnerability exploitation exists in the Flash file run by the Flash module, forcibly terminating, through the hook function, the further passing of the message indicating a call to the data read/write function.
A6, the method according to A4, wherein allowing the read or write operation on the specified object to continue when it is determined that no vulnerability exploitation exists in the Flash file run by the Flash module comprises:
When it is determined that no vulnerability exploitation exists in the Flash file run by the Flash module, releasing, through the hook function, the message indicating a call to the data read/write function, so that this message continues to be passed on.
A7, the method according to A3, wherein learning the data read/write function in the Flash module that reads and writes the specified object comprises:
Performing static analysis on the Flash module and, from the static analysis results, learning the data read/write function in the Flash module that reads and writes the specified object.
A8, the method according to A2, wherein, when it is determined that vulnerability exploitation exists in the Flash file run by the Flash module, the method further comprises:
Restoring the value of the length element in the specified object to its original value.
A9, the method according to A1, wherein the specified object includes a Vector object and/or a ByteArray object;
The length element in the specified object includes a length element and/or a capacity element.
A10, the method according to A1, wherein the application program includes one or more of the following:
A web browser, a word-processing application, a presentation application, a spreadsheet application, a graphics-processing application.
The invention also discloses B11, a device for detecting Flash vulnerability exploitation, comprising:
A monitoring unit, adapted to monitor, while the Flash module of an application program is running, events in which a specified object in the Flash module is read or written, and to notify the detection processing unit when an event in which the specified object is read or written is detected;
The detection processing unit, adapted to obtain the specified object when the notification is received and to judge whether the value of the length element in the specified object is greater than a preset threshold; if so, to determine that vulnerability exploitation exists in the Flash file run by the Flash module; otherwise, to determine that no vulnerability exploitation exists in the Flash file run by the Flash module.
B12, the device according to B11, wherein
The detection processing unit is further adapted to forbid the read or write operation on the specified object from continuing when it is determined that vulnerability exploitation exists in the Flash file run by the Flash module, and to allow the read or write operation on the specified object to continue when it is determined that no vulnerability exploitation exists in the Flash file run by the Flash module.
B13, the device according to B11 or B12, wherein
The monitoring unit is further adapted to learn, before the Flash module of the application program runs, the data read/write function in the Flash module that reads and writes the specified object; to monitor call events of the data read/write function; and to notify the detection processing unit when an event in which the data read/write function is called is detected.
B14, the device according to B13, wherein
The monitoring unit is adapted to mount a hook function on the data read/write function, and to intercept, through the hook function, the message indicating a call to the data read/write function, so that this message is not passed on.
B15, the device according to B14, wherein
The detection processing unit is adapted to forcibly terminate, through the hook function, the further passing of the message indicating a call to the data read/write function when it is determined that vulnerability exploitation exists in the Flash file run by the Flash module.
B16, the device according to B14, wherein
The detection processing unit is adapted to release, through the hook function, the message indicating a call to the data read/write function when it is determined that no vulnerability exploitation exists in the Flash file run by the Flash module, so that this message continues to be passed on.
B17, the device according to B13, wherein
The monitoring unit is adapted to perform static analysis on the Flash module and, from the static analysis results, learn the data read/write function in the Flash module that reads and writes the specified object.
B18, the device according to B12, wherein
The detection processing unit is further adapted to restore the value of the length element in the specified object to its original value when it is determined that vulnerability exploitation exists in the Flash file run by the Flash module.
B19, the device according to B11, wherein the specified object includes a Vector object and/or a ByteArray object;
The length element in the specified object includes a length element and/or a capacity element.
B20, the device according to B11, wherein the application program includes one or more of the following:
A web browser, a word-processing application, a presentation application, a spreadsheet application, a graphics-processing application.

Claims (10)

1. A method for detecting Flash vulnerability exploitation, comprising:
While the Flash module of an application program is running, monitoring events in which a specified object in the Flash module is read or written;
When an event in which the specified object is read or written is detected, obtaining the specified object and judging whether the value of the length element in the specified object is greater than a preset threshold;
If so, determining that vulnerability exploitation exists in the Flash file run by the Flash module;
Otherwise, determining that no vulnerability exploitation exists in the Flash file run by the Flash module.
2. The method according to claim 1, wherein the method further comprises:
When it is determined that vulnerability exploitation exists in the Flash file run by the Flash module, forbidding the read or write operation on the specified object from continuing;
When it is determined that no vulnerability exploitation exists in the Flash file run by the Flash module, allowing the read or write operation on the specified object to continue.
3. The method according to claim 1 or 2, wherein the method further comprises: before the Flash module of the application program runs, learning the data read/write function in the Flash module that reads and writes the specified object;
The monitoring of events in which the specified object in the Flash module is read or written comprises: monitoring call events of the data read/write function;
The obtaining of the specified object when an event in which the specified object is read or written is detected comprises: obtaining the specified object when an event in which the data read/write function is called is detected.
4. The method according to claim 3, wherein the monitoring of call events of the data read/write function comprises:
Mounting a hook function on the data read/write function;
Intercepting, through the hook function, the message indicating a call to the data read/write function, so that this message is not passed on.
5. The method according to claim 4, wherein forbidding the read or write operation on the specified object from continuing when it is determined that vulnerability exploitation exists in the Flash file run by the Flash module comprises:
When it is determined that vulnerability exploitation exists in the Flash file run by the Flash module, forcibly terminating, through the hook function, the further passing of the message indicating a call to the data read/write function.
6. A device for detecting Flash vulnerability exploitation, comprising:
A monitoring unit, adapted to monitor, while the Flash module of an application program is running, events in which a specified object in the Flash module is read or written, and to notify the detection processing unit when an event in which the specified object is read or written is detected;
The detection processing unit, adapted to obtain the specified object when the notification is received and to judge whether the value of the length element in the specified object is greater than a preset threshold; if so, to determine that vulnerability exploitation exists in the Flash file run by the Flash module; otherwise, to determine that no vulnerability exploitation exists in the Flash file run by the Flash module.
7. The device according to claim 6, wherein
The detection processing unit is further adapted to forbid the read or write operation on the specified object from continuing when it is determined that vulnerability exploitation exists in the Flash file run by the Flash module, and to allow the read or write operation on the specified object to continue when it is determined that no vulnerability exploitation exists in the Flash file run by the Flash module.
8. The device according to claim 6 or 7, wherein
The monitoring unit is further adapted to learn, before the Flash module of the application program runs, the data read/write function in the Flash module that reads and writes the specified object; to monitor call events of the data read/write function; and to notify the detection processing unit when an event in which the data read/write function is called is detected.
9. The device according to claim 8, wherein
The monitoring unit is adapted to mount a hook function on the data read/write function, and to intercept, through the hook function, the message indicating a call to the data read/write function, so that this message is not passed on.
10. The device according to claim 9, wherein
The detection processing unit is adapted to forcibly terminate, through the hook function, the further passing of the message indicating a call to the data read/write function when it is determined that vulnerability exploitation exists in the Flash file run by the Flash module.
CN201611064559.6A 2016-11-28 2016-11-28 Method and device for detecting Flash vulnerability exploitation Pending CN106650462A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611064559.6A CN106650462A (en) 2016-11-28 2016-11-28 Method and device for detecting Flash vulnerability exploitation


Publications (1)

Publication Number Publication Date
CN106650462A true CN106650462A (en) 2017-05-10

Family

ID=58812544


Country Status (1)

Country Link
CN (1) CN106650462A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170510
