CN106933642B - Application program processing method and processing device - Google Patents
Application program processing method and processing device Download PDFInfo
- Publication number
- CN106933642B CN106933642B CN201511004777.6A CN201511004777A CN106933642B CN 106933642 B CN106933642 B CN 106933642B CN 201511004777 A CN201511004777 A CN 201511004777A CN 106933642 B CN106933642 B CN 106933642B
- Authority
- CN
- China
- Prior art keywords
- program
- block
- control flow
- blocks
- execution
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/40—Transformation of program code
- G06F8/41—Compilation
- G06F8/43—Checking; Contextual analysis
- G06F8/433—Dependency analysis; Data or control flow analysis
Abstract
The application discloses a processing method and a processing device of an application program. The processing method comprises the following steps: acquiring a control flow diagram of a target application program, wherein the control flow diagram comprises a plurality of program blocks formed by decomposing functions in the target application program, each program block comprises a current program block ID and a subsequent program block ID, and the subsequent program block ID is used for pointing to a jumped program block; executing a plurality of program blocks according to an execution path formed by a current program block ID and a subsequent program block ID in a control flow graph to obtain state information corresponding to each program block, wherein the state information is used for indicating a data state used when each program block is executed; and generating a control flow and a data flow of the target application program based on the state information and the control flow graph. The method and the device solve the technical problem that the accuracy of the control flow and the data flow of the application program obtained in the prior art is low.
Description
Technical Field
The present application relates to the field of computers, and in particular, to a processing method and a processing apparatus for an application program.
Background
Data flow and control flow of application programs are widely used in many fields of computer industry, such as software testing field, vulnerability mining field, and virus behavior analysis field. The Data Flow (Data Flow) refers to a group of byte sets with sequence, starting point and ending point, and the application program can use the Data Flow to complete the Data acquisition from the input device, the Data writing into the file, or the Data reading and writing operation on the network connection. Control Flow (Control Flow) refers to the Control relationship between program logic rows.
At present, a dynamic method or a static method is generally adopted to acquire data flow and control flow of an application program, however, for the dynamic method, the dynamic method is generally limited by the operating environment and the operating state of the application program, so that all behaviors of the application program cannot be discovered, and the data flow and the control flow of the application program cannot be accurately acquired; for the static method, due to the lack of some environment variables (such as inheritance relationship in high-level language, remote server interaction, etc.) in the running process of the application program, the data flow and the control flow of the application program cannot be accurately acquired.
In view of the above problems, no effective solution has been proposed.
Content of application
The embodiment of the application provides a processing method and a processing device for an application program, so as to at least solve the technical problem that the accuracy of control flow and data flow of the application program obtained in the prior art is low.
According to an aspect of an embodiment of the present application, there is provided an application processing method, including: acquiring a control flow diagram of a target application program, wherein the control flow diagram comprises a plurality of program blocks decomposed by functions in the target application program, each program block comprises a current program block ID and a subsequent program block ID, and the subsequent program block ID is used for pointing to a jumped program block; executing the plurality of program blocks according to an execution path formed by the current program block ID and the subsequent program block ID in the control flow graph to obtain state information corresponding to each program block, wherein the state information is used for indicating a data state used when each program block is executed; and generating the control flow and the data flow of the target application program based on the state information and the control flow graph.
According to another aspect of the embodiments of the present application, there is also provided an apparatus for processing an application program, including: an obtaining unit, configured to obtain a control flow graph of a target application, where the control flow graph includes a plurality of program blocks decomposed by a function in the target application, each program block includes a current program block ID and a subsequent program block ID, and the subsequent program block ID is used to point to a skipped program block; an execution unit, configured to execute the multiple program blocks according to an execution path formed by the current program block ID and the subsequent program block ID in the control flow graph, and obtain state information corresponding to each program block, where the state information is used to indicate a data state used when each program block is executed; a generating unit configured to generate the control flow and the data flow of the target application based on the state information and the control flow graph.
Optionally, the identification information of the function includes one or more of the following: the function name, class name, return value of the function, and the name of the member variable of the class.
Optionally, the execution unit includes: a determining module, configured to determine an entry chunk of the multiple chunks from the control flow graph, where the entry chunk of the multiple chunks refers to a starting point for executing the multiple chunks; and the execution module is used for executing the program blocks according to the entrance program block and the execution path.
Optionally, the determining module includes: the judgment submodule is used for judging whether the in-degree of each program block is a first identifier in the plurality of program blocks; the screening submodule is used for screening out predefined entrance program blocks from the program blocks with the entrance degrees being the first identifications; a determination submodule for determining the predefined portal block as a portal block of the plurality of blocks.
Optionally, the execution module is configured to execute the plurality of program blocks according to the entry program block and the execution path by performing the following steps: starting from the entry program block, calling a preset defect execution list along the execution path, and executing defect execution on the plurality of program blocks, wherein the defect execution list is used for indicating the state information required to be acquired in the process of executing the plurality of program blocks, and the state information comprises preset attributes of preset variables.
Optionally, the generating unit includes: the updating module is used for updating the control flow graph according to the state information; and the generating module is used for generating the control flow according to the updated control flow graph and generating the data flow according to the state information.
Optionally, the status information includes one or more of the following: call stacks, function execution return values, instances of classes, registers, instruction sets, and inheritance relationships of classes.
In the embodiment of the application, a control flow diagram of a target application program is obtained, wherein the control flow diagram comprises a plurality of program blocks formed by decomposing functions in the target application program, each program block comprises a current program block ID and a subsequent program block ID, and the subsequent program block ID is used for pointing to a jumped program block; executing a plurality of program blocks according to an execution path formed by a current program block ID and a subsequent program block ID in a control flow graph to obtain state information corresponding to each program block, wherein the state information is used for indicating a data state used when each program block is executed; the method for generating the control flow and the data flow of the target application program based on the state information and the control flow graph achieves the purpose of generating the control flow and the data flow of the target application program based on the state information and the control flow graph by acquiring the control flow graph of the target application program and executing a plurality of program blocks according to the execution path in the control flow graph to obtain the state information corresponding to each program block and adopting a method of combining dynamic and static execution, thereby realizing the technical effects of effectively monitoring the data flow of the target application program, avoiding missing program behaviors and improving the accuracy of the control flow and the data flow and further solving the technical problem of low accuracy of the control flow and the data flow of the application program acquired in the prior art.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a block diagram of a hardware structure of a computer terminal running a file detection method according to an embodiment of the present application;
FIG. 2 is a flow chart illustrating an alternative method of processing an application according to an embodiment of the present application;
FIG. 3 is a flow chart diagram illustrating an alternative method of processing an application according to an embodiment of the application;
FIG. 4 is a flow chart illustrating an alternative method for processing an application according to an embodiment of the present application;
FIG. 5(a) is a schematic structural diagram of a processing method of another alternative application according to an embodiment of the present application;
FIG. 6 is a schematic diagram of an alternative processing device for an application according to an embodiment of the present application;
FIG. 7 is a schematic diagram of an alternative processing device for an application according to an embodiment of the present application;
FIG. 8 is a schematic diagram of a processing device for yet another alternative application according to an embodiment of the present application;
FIG. 9 is a schematic diagram of a processing device for yet another alternative application according to an embodiment of the present application;
FIG. 10 is a schematic diagram of a processing device for yet another alternative application according to an embodiment of the present application;
fig. 11 is a block diagram of a computer terminal according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The terms referred to in the embodiments of the present application are first explained as follows:
control Flow Graph (CFG for short): also known as a control flow diagram, is an abstract representation of a process or program, usually in the form of a data chain. A control flow graph is an abstract data structure used in a compiler that is maintained internally by the compiler.
And a program block: are one level of separate, identifiable program instructions that may be processed by an assembler, compiler, loader, or translator as a whole. Generally, blocks can be loaded into executable code and data sets that are run in memory.
An assembler: the translation program is a machine-oriented language designed for a specific computer or computer column and consists of assembly execution instructions and assembly pseudo instructions.
Compiling a program: the translation program is a translation program which translates a source program written by a high-level programming language or a computer assembly language into an equivalent target program in a machine language format, and belongs to the translation program realized by adopting a generative realization way.
Loading a program: the code fields generated by compilers, assemblers or linker programs are not fully used or executable, but their main memory accesses can be in any location in memory and associated with an indeterminate starting location. Such code is said to be relocatable and the loader can handle all relocatable addresses associated with a specified base or start address
And (3) translating the program: software that translates a program written in one programming language into an equivalent program represented in another programming language.
Example 1
There is also provided, in accordance with an embodiment of the present application, a method embodiment of a processing method for an application, it should be noted that the steps illustrated in the flowchart of the accompanying drawings may be performed in a computer system such as a set of computer-executable instructions, and that while a logical order is illustrated in the flowchart, in some cases the steps illustrated or described may be performed in an order different than here.
The method provided by the first embodiment of the present application may be executed in a mobile terminal, a computer terminal, or a similar computing device. Taking an example of the application program running on a computer terminal, fig. 1 is a hardware structure block diagram of the computer terminal of a processing method of the application program according to an embodiment of the present application. As shown in fig. 1, the computer terminal 10 may include one or more (only one shown) processors 102 (the processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA), a memory 104 for storing data, and a transmission device 106 for communication functions. It will be understood by those skilled in the art that the structure shown in fig. 1 is only an illustration and is not intended to limit the structure of the electronic device. For example, the computer terminal 10 may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The memory 104 may be configured to store software programs and modules of application software, such as program instructions/modules corresponding to the processing method of the application program in the embodiment of the present application, and the processor 102 executes various functional applications and data processing by running the software programs and modules stored in the memory 104, so as to implement the vulnerability detection method of the application program. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the computer terminal 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used for receiving or transmitting data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal 10. In one example, the transmission device 106 includes a Network adapter (NIC) that can be connected to other Network devices through a base station to communicate with the internet. In one example, the transmission device 106 can be a Radio Frequency (RF) module for communicating with the internet in a wireless manner.
Under the above operating environment, the present application provides a processing method of an application program as shown in fig. 2. Fig. 2 is a flowchart of a processing method of an application according to a first embodiment of the present application.
As shown in fig. 2, the processing method of the application program may include the following implementation steps:
step S202, a control flow graph of the target application program is obtained.
In step S202, the control flow graph includes a plurality of blocks decomposed by a function in the target application, each block includes a current block ID and a subsequent block ID, and the subsequent block ID is used to point to the skipped block. A Control Flow Graph (CFG) is also called a Control Flow Graph, and is an abstract representation of a process or program, and is usually represented in the form of a data chain. A control flow graph is an abstract data structure used in a compiler that is maintained internally by the compiler.
It should be noted that the following situations may be included to acquire the control flow and the data flow of the target application:
case one, software testing of the target application is required. The software test may be a test performed by a tester in a development environment, or may be a test performed by a tester in a simulated actual operation environment, such as an alpha test.
And in the second case, vulnerability mining needs to be carried out on the target application program.
And in case three, virus behavior analysis needs to be carried out on the target application program.
It should be noted that the above three cases are only exemplary descriptions, and are not used to limit other cases where the control flow and the data flow of the target application need to be acquired.
Alternatively, a block is a level of independent, recognizable program instructions that can be processed by an assembler, compiler, loader, or translator as a whole. Generally, blocks can be loaded into executable code and data sets that are run in memory. The block ID is the identification of the block, i.e. each block has a separate current block ID to uniquely represent the block and its position in the smali (bytecode of the target application) code. The current block ID may be composed of the following components:
class name/method parameter and return value/offset of the current chunk first instruction in the function.
Optionally, each block contains a successor block ID in addition to the current block ID. Each block is terminated by a function call instruction or a jump instruction, and the successor block of the current block is the jump address of the jump instruction, so that the successor block ID is the ID of the block to which the current block is going to jump or has jumped to.
In this embodiment, the target application program may be, but is not limited to, a C language program, an iOS system-based program, or an Android system-based program (hereinafter referred to as an Android program). If the target application is an Android program, the format of the target application is an APK (Android Package) format, which is usually a zip (computer file compression algorithm) format compressed Package that includes a classes. In addition, if the target application program is an Android program, the bytecode of the target application program is smali.
Step S204, according to an execution path formed by the current program block ID and the subsequent program block ID in the control flow graph, executing a plurality of program blocks to obtain the state information corresponding to each program block, wherein the state information is used for indicating the data state used when each program block is executed.
In the above step S204, the status information may include one or more of the following: call stacks, function execution return values, instances of classes, registers, instruction sets, and inheritance relationships of classes, among others. The successor block ID is essentially the jump information of the current block, and is used to indicate that the current block jumps to the successor block according to the execution path indicated by the successor block ID.
For example, a control flow diagram includes a block a, a block B, a block C, a block D, and a block E, which total 5 blocks, where if the block a includes an ID of the block a and an ID of the block B, it can be determined that the block B is a subsequent block of the block a, the ID of the block B is used to point to the skipped block B, and the ID of the block a and the ID of the block B form an execution path "a → B" (arrow "→" indicates a direction of the execution path) from the block a to the block B; if the block B includes the ID of the block B and the ID of the block D, the ID of the block B and the ID of the block D form an execution path "B → D" from the block B to the block D.
For another example, if two different execution paths are connected to the same block and the block serves as the start point of one of the execution paths and the end point of the other execution path at the same time, the two different execution paths may constitute the same execution path, such as the execution paths "a → B" and "B → D" described above, which may constitute the execution path "a → B → D".
For another example, there may be multiple execution paths from one block to another block, for example, the execution path from block a to block E may be "a → B → C → D → E", or "a → B → D → E", or "a → C → E", or even "a → E".
Step S206, generating the control flow and the data flow of the target application program based on the state information and the control flow graph.
In step S206 of the present application, the control flow is the final control flow graph itself, and for the data flow, the control flow is composed of state information, so that the problem of missing report in the dynamic method in the prior art can be avoided, and the problem of unclear interpretation in some function calls in the target application program due to the fact that the static method in the prior art cannot obtain codes in the external program library called by the target application program can also be avoided.
As can be seen from the above, in the scheme provided in the first embodiment of the present application, by obtaining the control flow graph of the target application program and executing the plurality of program blocks according to the execution path in the control flow graph to obtain the state information corresponding to each program block, the purpose of generating the control flow and the data flow of the target application program based on the state information and the control flow graph is achieved, so that the technical effects of effectively monitoring the data flow of the target application program and avoiding missing any program behavior are achieved, and the technical problem that the accuracy of the control flow and the data flow of the application program obtained in the prior art is low is further solved.
In an alternative solution provided by the foregoing embodiment of the present application, fig. 3 is a schematic flowchart of a processing method of another optional application program according to the embodiment of the present application, and as shown in fig. 3, the step S202 of acquiring a control flow graph of a target application program may include:
step S302, the target application program is converted into a code file, and the code file includes a function and identification information of the function.
In step S302 of the present application, the code file may be a source code, a low-level assembly code or a byte code restored by decompilation or disassembly, or an intermediate code converted from the code. It should be noted that, converting the target application into the code file needs to ensure that the data information or the control information of the target application is not lost.
Taking an example that a target application program is an Android program, the application program on the Android is in an APK format, the APK is a zip-format compressed package, a class. Files of dex type can be converted into smali files by Backsmali (an APK compilation/decompilation tool).
Optionally, text analysis is performed on the above-mentioned smali code, and information such as a function method instruction, a class name member variable, and an inheritance relationship included in the section of the smali code can be determined.
Step S304, traversing the function in the code file, and decomposing the function into a plurality of program blocks.
In the above step S304, each function may be decomposed into a plurality of program blocks by traversing each function of each class in the smali code, where a program block is the largest instruction set that can be executed sequentially. Therefore, function call, jump instruction, etc. will end the current block and bring up a new block.
And step S306, generating a control flow graph with the execution direction of the target application program according to the program blocks.
In step S306, each program block includes the current program block ID and the successor program block ID, and for each program block, the successor program block indicated by the program block ID is searched only by the successor program block ID, and the successor program block is added to the control flow graph where the current program block is located, so that each program block is connected to the successor program block with edges, and thus the control flow graph having the execution direction of the target application program can be generated. It should be noted that each edge has a direction, and the direction of each edge points to a successor program block from a current program block connected to the edge, and the finally generated control flow graph is a directed cyclic graph as a whole.
Optionally, the identification information of the function includes one or more of the following: function name of function, class name, return value, and name of member variable of class. Specifically, taking the target application as an Android program as an example, after a dex type file is converted into a smali file through Backsmali (an APK compiling/decompiling tool), the smali file contains a smali code in a text format and a function name, a class name, a return value and the like of the smali code, and also contains names of all member variables of the class.
In an alternative solution provided by the foregoing embodiment of the present application, in step S204, according to an execution path formed by the current block ID and the subsequent block ID in the control flow graph, executing a plurality of blocks may include:
in step S10, an entry block of the plurality of blocks, which is a starting point for executing the plurality of blocks, is determined from the control flow graph.
In step S10, since the control flow graph is a directed cyclic graph, a starting point, i.e. the above-mentioned entry block, needs to be found when executing the control flow graph. How to determine the entry program blocks of the plurality of program blocks from the control flow graph will be described in detail in the following embodiments, which is not described herein again.
In step S12, a plurality of blocks are executed according to the entry block and the execution path.
In step S12, after the entry block is determined, each block is executed according to the execution path described above, with the entry block as a starting point. The edge in the control flow graph is the execution path.
In an alternative provided by the foregoing embodiment of the present application, the step S10 of determining an entry block of the plurality of blocks from the control flow graph may include:
in step S20, it is determined whether the degree of entry of each block is the first flag.
In the above step S20 of the present application, the introspection usually refers to the sum of the number of times a certain block is used as the end point of the execution path in the control flow graph. If the first flag is 0, it may be determined that a block in the control flow graph does not serve as an end point of any execution path, that is, the block may serve as a start point of all execution paths connecting the blocks. Specifically, it may be determined whether the in-degree of each block is 0 among a plurality of blocks.
In step S22, a predefined entry chunk is screened out from the chunks with the first identifier.
In the above step S22, if the entry degree of the block is 0, the method for screening the predefined entry block may be: and acquiring name information in the current program block ID of the program block with the degree of entry of 0, determining whether the program block is a predefined entry program block or not according to the name information, and screening out the predefined entry program block.
In addition, the method for filtering the predefined entry block may also be to call an entry block list, where name information of all blocks that can be entry blocks is recorded in the entry block list, and the name information may be a class name or a method name, and further, the predefined entry block may be determined and filtered according to the name information in the entry block list.
In step S24, a predefined portal block is determined as a portal block of the plurality of blocks.
In the above step S24, the number of the portal block may be plural, and the plural portal blocks may be displayed in a list manner, so as to indicate functions that can be used as program portals to other non-portal blocks. The above steps are necessary, and the manner of determining the portal block provided in step S10 in the first embodiment of the present application is different from the manner of determining the portal block by the C language program or the Android program. Specifically, the portal block of the C language program may be a main function, and the portal block of the Android program may be an oncredit function, an onStart function, or an onPause function encapsulated in the Activity component.
Optionally, executing the plurality of blocks according to the entry block and the execution path includes: starting from the entry program block, calling a preset defect execution list along an execution path, and executing defect execution on the program blocks, wherein the defect execution list is used for indicating state information which needs to be acquired in the process of executing the program blocks, and the state information comprises preset attributes of preset variables.
Alternatively, a plurality of blocks may be executed by an Execution Engine (Execution Engine) according to the entry block and the Execution path. Specifically, when the execution engine executes the defect execution according to the execution path in the control flow graph, the execution engine simultaneously maintains information such as the instance of the class and the inheritance relationship of the class, and the execution engine can also feed back some execution flows which can only be acquired by a dynamic method to the control flow graph, so that the control flow graph is improved more and more. It should be noted that the defect execution is a simulation of the dynamic operation of the target application provided in the first embodiment of the present application. Compared with actual dynamic operation, the defect execution has at least the following characteristics:
feature one, the defect execution only concerns partial attributes of partial variables, that is, for all variables in the running process of the target application program, the defect execution only guarantees that the changes of some specific attributes of partial key variables are accurate.
And secondly, defect execution performs defect interpretation on the instruction, only concerns certain attributes of certain variables based on the defect execution, and therefore when the instruction is interpreted, the defect execution only concerns the operation and influence of the instruction on the specific attributes. Wherein a defect interpretation may be understood as a local specification of local features of the target object.
And in the third characteristic, the defect execution does not need to explain the whole instruction set, namely when some instructions have the no-operation attribute, the defect execution does not need to explain the instruction.
And fourthly, the jump instruction is not interpreted in the defect execution, and the execution engine is executed according to the control flow graph, and the control flow graph already contains all jump information of the program, so that the execution is only carried out along the edge (execution path) in the control flow graph.
Feature five, each jump instruction in the defect execution can cover all its branches. For example, a jump instruction with two branches may result in a node and two branches in a control flow graph. The execution engine will execute each branch in turn, ensuring that all the behavior of the program can be restored. Wherein the jump instruction with two branches may be a conditional jump instruction.
Feature six, the operating environment variables required for the target application to execute the bug, all marked as "unknown" unless displayed to specify a particular value. This allows unknown variables to be introduced during the execution of the defect, and this part of the variables can ensure the normal operation of the defect execution without causing the abnormality or breakdown of the defect execution due to the absence or uncertainty of some variables.
And the seventh characteristic, the defect execution can simulate all characteristics or mechanisms when other application programs run, such as instantiation of a class of a high-level language, inheritance of an object and some system-related behaviors and the like.
Optionally, the defect execution further includes a plurality of execution instructions in addition to the above features, specifically as follows:
and the execution engine does not interpret the jump instruction, and executes the jump instruction in sequence according to an execution path acquired from the control flow diagram, so that each branch can be executed.
Instruction two, data operation instruction. The execution engine performs defect interpretation on the data operation instruction, namely only the influence of the instruction on certain attributes of the target data is concerned. Taking the "move" instruction in the Android system as an example, if a certain instruction is "move v1, v 2", the execution engine executes the instruction to cause the instruction in the register v2 to be copied into the register v 1. Before the execution engine executes the instruction, v1 is 0 and v2 is 1, and after the execution engine executes the instruction, v1 is 0 and v2 is 0. Assuming that the tester needs to get the data stream through defect execution for the taint analysis, the tester only needs to pay attention to the taint attribute of the data, that is, for the instruction, the operation required for defect execution is to copy the taint attribute of the data in v2 to the data in v1 register without determining its specific value.
And instruction III, high-level language characteristic related instructions. For some features related to high-level languages, such as inherited polymorphism of classes, the defect execution is consistent with the behavior of the actual dynamic runtime. Feeding back this part of the information may refine the control flow graph. Taking class inheritance as an example, class A contains function a, class B inherits from A, and function a is not overloaded. When an instance ib of class B is created and an a method of ib is called, the a method of ib cannot be found based on a purely static control flow graph, so that the control flow graph is incomplete. However, by means of the execution engine, it can be determined that ib a method inherits from class a, and further, when a defect is executed, the execution engine can automatically jump to class a method for continuing execution, and the part of information in the control flow graph can also be completed.
It should be noted that, since the execution engine performs bug execution for analysis of the target Application, but a system API (Application Programming Interface) called by the target Application may affect data flow inside the target Application, the first embodiment of the present Application provides a description-based unknown call modeling to eliminate the above effect. Specifically, if only certain specific attributes of the data are concerned, only the influence of the unknown calling processes on the specific attributes (which may be unknown attributes) is described. For example, it is assumed that there is a string concatenation function a (a1, a2) belonging to an unknown call, whose function is to concatenate the values of a1 and a2 together and return, that is, if there is a1 ═ 123 "and a2 ═ abc", then the return value of call a (a1, a2) is "123 abc". For another example, in a taint analysis scenario, if there is a tainted parameter condition in either parameter a1 or a2, to determine if the return value is likewise tainted, the return value may be tainted if the parameter is tainted, as long as the execution engine is told to the class unknown call by a simple pass. Following the above method, much of the trouble of rewriting the code of the function a can be eliminated.
In an alternative solution provided by the foregoing embodiment of the present application, fig. 4 is a schematic flowchart of a processing method of another optional application according to the embodiment of the present application, and as shown in fig. 4, the method may include the following steps:
in step S402, the execution engine starts execution.
In step S404, the instruction in the current block is acquired.
The current program block may include at least one instruction, for example, the instruction may be a multi-language instruction such as a "move" instruction, an "add" instruction, and a "push" instruction.
In step S406, instruction interpretation is performed.
The instruction interpretation may be to perform defect interpretation on a certain instruction, and the object of the defect interpretation may be all instructions in the current program block or part of instructions in the current program block. For example, the execution engine may perform a bug interpretation for the "move" instruction, while performing a normal interpretation for the "invoke" instruction and the "return" instruction.
Step S408, determine whether the instruction is the last instruction of the current block.
For example, if a certain instruction in the current block is an "end" instruction, it may be determined whether the certain instruction is the last instruction of the current block by determining whether the certain instruction is an unconditional end instruction.
If the execution of step S408 is completed and the result is yes, step S410 is executed; if the execution completes step S408 and the execution result is no, the process returns to execute step S404.
Step S410, determine whether the current block has a subsequent block.
Specifically, whether the current block has a successor block may be determined by determining whether the current block includes a successor block ID.
If the execution of step S410 is completed and the result is yes, step S412 is executed; if the execution completes step S410 and the execution result is no, step S414 is executed.
In step S412, each subsequent block is interpreted.
Specifically, interpreting each successor block may be a defect interpretation of the instructions in each successor block.
In step S414, the execution engine ends execution.
In step S414 of the present application, the execution engine ends the defect execution and the process ends.
In an alternative solution provided by the foregoing embodiment of the present application, fig. 5(a) is a schematic structural diagram of a processing method of another optional application according to an embodiment of the present application, and as shown in fig. 5(a), the execution engine includes an instruction interpretation component 502 and a state information obtaining component 504, where the instruction interpretation component 502 may be used to interpret each instruction in a program block, for example, the instruction interpretation component 502 may perform defect interpretation on a "move" instruction, an "invoke" instruction, a "return" instruction, and the like in the program block. The state information acquisition component 504 can acquire state information for each instruction, which can include call stacks, function execution return values, instances of classes, registers, instruction sets, inheritance relationships of classes, and the like. Further, the instruction interpretation component 502 interprets the instructions contained in the blocks based on the control flow graph and the portal block, thereby obtaining state information of each instruction. It should be noted that the execution engine in fig. 5(a) can be used to execute the above steps S402 to S414 in the first embodiment of the present application.
In an alternative solution provided by the foregoing embodiment of the present application, in step S206, generating a control flow and a data flow of the target application based on the state information and the control flow graph includes:
and step S30, updating the control flow graph according to the state information.
Step S32, a control flow is generated according to the updated control flow graph, and a data flow is generated according to the state information.
In the above steps S30 to S32, the generation of the control flow and the data flow depends on the state information, and since the method for acquiring the state information avoids the respective disadvantages of the dynamic method and the static method when the execution engine executes the defect, the acquired state information is more comprehensive and accurate, thereby ensuring the accuracy of the control flow and the data flow generated based on the state information.
Optionally, the status information includes one or more of the following: call stacks, function execution return values, instances of classes, registers, instruction sets, and inheritance relationships of classes.
The Call Stack (Call Stack) is used for recording function calls in the running process of the target application program. Function execution return values, i.e., function name variables, are typically used to bring back the processing result data of the function to the calling function. An example of a class is a real object created from the class. The Register is an internal component of the CPU, and is a high-speed storage unit with limited storage capacity, and may be used to temporarily store instructions, data, and addresses, specifically, the Register in the CPU control unit may be an Instruction Register (IR) or a Program Counter (PC), and the Register in the CPU arithmetic and logic unit may be an Accumulator (ACC). The Instruction Set (Instruction Set) is a program stored in the CPU, and is used to guide and optimize the CPU operation so that the CPU can operate more efficiently. In the inheritance relationship of the classes, inheritance means the capability of one class (called a child class or a child interface) to inherit the function of another class (called a parent class or a parent interface) and add new functions of the class. In UML (Unified Modeling Language) class diagram design, inheritance is represented by a solid line with open triangle arrows, and is pointed to a parent class by a child or to a parent interface by a child interface.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present application is not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present application.
Example 2
According to an embodiment of the present application, there is also provided an application processing apparatus for implementing the application processing method, as shown in fig. 6, the apparatus may include: an acquisition unit 602, an execution unit 604, and a generation unit 606.
The acquiring unit 602 is configured to acquire a control flow graph of a target application program, where the control flow graph includes a plurality of program blocks decomposed by a function in the target application program, each program block includes a current program block ID and a subsequent program block ID, and the subsequent program block ID is used to point to a skipped program block; an executing unit 604, configured to execute a plurality of program blocks according to an execution path formed by a current program block ID and a subsequent program block ID in a control flow graph, to obtain state information corresponding to each program block, where the state information is used to indicate a data state used when each program block is executed; a generating unit 606 for generating a control flow and a data flow of the target application based on the state information and the control flow graph.
It should be noted here that the acquiring unit 602, the executing unit 604, and the generating unit 606 correspond to steps S202 to S206 in the first embodiment, and the three units are the same as the corresponding steps in the implementation example and the application scenario, but are not limited to the disclosure in the first embodiment. It should be noted that the above units as a part of the apparatus may operate in the computer terminal 10 provided in the first embodiment.
As can be seen from the above, in the scheme provided in the second embodiment of the present application, by obtaining the control flow graph of the target application program and executing the plurality of program blocks according to the execution path in the control flow graph to obtain the state information corresponding to each program block, the purpose of generating the control flow and the data flow of the target application program based on the state information and the control flow graph is achieved, so that the technical effects of effectively monitoring the data flow of the target application program and avoiding missing any program behavior are achieved, and the technical problem that the accuracy of the control flow and the data flow of the application program obtained in the prior art is low is further solved.
Alternatively, as shown in fig. 7, the obtaining unit 602 may include: a conversion module 702, a decomposition module 704, and a generation module 706.
The conversion module 702 is configured to convert the target application into a code file, where the code file includes a function and identification information of the function; a decomposition module 704, configured to traverse the function in the code file, and decompose the function into a plurality of program blocks; a generating module 706, configured to generate a control flow graph having an execution direction of the target application according to the plurality of program blocks.
It should be noted here that the above conversion module 702, the decomposition module 704, and the generation module 706 correspond to steps S302 to S306 in the first embodiment, and the three modules are the same as the corresponding steps in the implementation example and application scenarios, but are not limited to the disclosure in the first embodiment. It should be noted that the modules described above as part of the apparatus may be run in the computer terminal 10 provided in the first embodiment.
Optionally, the identification information of the function in the second embodiment includes one or more of the following: function name of function, class name, return value, and name of member variable of class.
Optionally, as shown in fig. 8, the execution unit 604 includes: a determination module 802 and an execution module 804.
The determining module 802 is configured to determine an entry chunk of multiple chunks from the control flow graph, where the entry chunk of multiple chunks is a starting point for executing multiple chunks; an executing module 804, configured to execute the plurality of program blocks according to the entry program block and the execution path.
It should be noted that the determining module 802 and the executing module 804 correspond to the steps S10 to S12 in the first embodiment, and the two modules are the same as the corresponding steps in the implementation example and the application scenario, but are not limited to the disclosure in the first embodiment. It should be noted that the modules described above as part of the apparatus may be run in the computer terminal 10 provided in the first embodiment.
Optionally, as shown in fig. 9, the determining module 802 includes: decision block 902, filter block 904, and determine block 906.
The determining submodule 902 is configured to determine, in a plurality of program blocks, whether the in-degree of each program block is a first identifier; a screening submodule 904, configured to screen out a predefined entry program block from the program blocks with the first identifier; a determination submodule 906 for determining the predefined portal block as a portal block of the plurality of blocks.
It should be noted here that the above-mentioned determining sub-module 902, the screening sub-module 904, and the determining sub-module 906 correspond to steps S20 to S24 in the first embodiment, and the three sub-modules are the same as the corresponding steps in the implementation example and application scenario, but are not limited to the disclosure in the first embodiment. It should be noted that the sub-modules described above may be implemented in the computer terminal 10 provided in the first embodiment as a part of the apparatus.
Optionally, the executing module 804 in the second embodiment is configured to execute the following steps to execute the multiple program blocks according to the entry program block and the execution path: starting from the entry program block, calling a preset defect execution list along an execution path, and executing defect execution on the program blocks, wherein the defect execution list is used for indicating state information which needs to be acquired in the process of executing the program blocks, and the state information comprises preset attributes of preset variables.
Optionally, as shown in fig. 10, the generating unit 706 includes: an update module 1002 and a generation module 1004.
The updating module 1002 is configured to update the control flow graph according to the state information; a generating module 1004, configured to generate a control flow according to the updated control flow graph, and generate a data flow according to the state information.
It should be noted that the updating module 1002 and the generating module 1004 correspond to the steps S30 to S32 in the first embodiment, and the two modules are the same as the corresponding steps in the example and application scenarios, but are not limited to the disclosure in the first embodiment. It should be noted that the modules described above as part of the apparatus may be run in the computer terminal 10 provided in the first embodiment.
Optionally, the status information in the second embodiment includes one or more of the following: call stacks, function execution return values, instances of classes, registers, instruction sets, and inheritance relationships of classes.
Example 3
The embodiment of the application can provide a computer terminal, and the computer terminal can be any one computer terminal device in a computer terminal group. Optionally, in this embodiment, the computer terminal may also be replaced with a terminal device such as a mobile terminal.
Optionally, in this embodiment, the computer terminal may be located in at least one network device of a plurality of network devices of a computer network.
In this embodiment, the computer terminal may execute the program code of the following steps in the vulnerability detection method of the application program: acquiring a control flow diagram of a target application program, wherein the control flow diagram comprises a plurality of program blocks formed by decomposing functions in the target application program, each program block comprises a current program block ID and a subsequent program block ID, and the subsequent program block ID is used for pointing to a jumped program block; executing a plurality of program blocks according to an execution path formed by a current program block ID and a subsequent program block ID in a control flow graph to obtain state information corresponding to each program block, wherein the state information is used for indicating a data state used when each program block is executed; and generating a control flow and a data flow of the target application program based on the state information and the control flow graph.
Optionally, fig. 11 is a block diagram of a computer terminal according to an embodiment of the present application. As shown in fig. 11, the computer terminal a may include: one or more processors 1102 (only one of which is shown), a memory 1104, and a transmitting device 1106.
The memory 1104 may be used to store software programs and modules, such as program instructions/modules corresponding to the security vulnerability detection method and apparatus in the embodiment of the present application, and the processor 1102 executes various functional applications and data processing by running the software programs and modules stored in the memory 1104, that is, the method for detecting a system vulnerability attack described above is implemented. The memory 1104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, memory 1104 may further include memory located remotely from the processor, which may be connected to terminal a via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 1106 is used for receiving or transmitting data via a network. Examples of the network may include a wired network and a wireless network. In one example, the transmission device 1106 includes a Network adapter (NIC) that can be connected to a router via a Network cable to communicate with the internet or a local area Network. In one example, the transmission device 1106 is a Radio Frequency (RF) module, which is used for communicating with the internet in a wireless manner.
The memory 1104 is used for storing preset action conditions, information of preset authorized users and application programs.
The processor 1102 may invoke the information stored in the memory and the application program via the transmission device to perform the following steps: acquiring a control flow diagram of a target application program, wherein the control flow diagram comprises a plurality of program blocks formed by decomposing functions in the target application program, each program block comprises a current program block ID and a subsequent program block ID, and the subsequent program block ID is used for pointing to a jumped program block; executing a plurality of program blocks according to an execution path formed by a current program block ID and a subsequent program block ID in a control flow graph to obtain state information corresponding to each program block, wherein the state information is used for indicating a data state used when each program block is executed; and generating a control flow and a data flow of the target application program based on the state information and the control flow graph.
As can be seen from the above, in the scheme provided in the third embodiment of the present application, by obtaining the control flow graph of the target application program and executing the plurality of program blocks according to the execution path in the control flow graph to obtain the state information corresponding to each program block, the purpose of generating the control flow and the data flow of the target application program based on the state information and the control flow graph is achieved, so that the technical effects of effectively monitoring the data flow of the target application program and avoiding missing any program behavior are achieved, and the technical problem that the accuracy of the control flow and the data flow of the application program obtained in the prior art is low is further solved.
Optionally, the processor 1102 may further execute program code for: converting the target application program into a code file, wherein the code file comprises a function and identification information of the function; traversing functions in the code file, and decomposing the functions into a plurality of program blocks; and generating a control flow graph with the execution direction of the target application program according to the program blocks.
Optionally, the processor 1102 may further execute program code for: determining an entry block of a plurality of blocks from the control flow graph, wherein the entry block of the plurality of blocks refers to a starting point for executing the plurality of blocks; and executing a plurality of program blocks according to the inlet program block and the execution path.
Optionally, the processor 1102 may further execute program code for: judging whether the in-degree of each program block is a first identifier or not in a plurality of program blocks; screening out predefined entrance program blocks from the program blocks with the first identification of the degree of income; a predefined portal block is determined as a portal block of the plurality of blocks.
Optionally, the processor 1102 may further execute program code for: starting from the entry program block, calling a preset defect execution list along an execution path, and executing defect execution on the program blocks, wherein the defect execution list is used for indicating state information which needs to be acquired in the process of executing the program blocks, and the state information comprises preset attributes of preset variables.
Optionally, the processor 1102 may further execute program code for: updating the control flow graph according to the state information; and generating a control flow according to the updated control flow graph, and generating a data flow according to the state information.
It can be understood by those skilled in the art that the structure shown in fig. 11 is only an illustration, and the computer terminal may also be a terminal device such as a smart phone (e.g., an Android phone, an iOS phone, etc.), a tablet computer, a palmtop computer, a Mobile Internet Device (MID), a PAD, and the like. Fig. 11 is a diagram illustrating a structure of the electronic device. For example, the computer terminal a may also include more or fewer components (e.g., network interfaces, display devices, etc.) than shown in fig. 11, or have a different configuration than shown in fig. 11.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disks, Read-Only memories (ROMs), Random Access Memories (RAMs), magnetic or optical disks, and the like.
Example 4
Embodiments of the present application also provide a storage medium. Optionally, in this embodiment, the storage medium may be configured to store a program code executed by the processing method of the application program provided in the first embodiment.
Optionally, in this embodiment, the storage medium may be located in any one of computer terminals in a computer terminal group in a computer network, or in any one of mobile terminals in a mobile terminal group.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: acquiring a control flow diagram of a target application program, wherein the control flow diagram comprises a plurality of program blocks formed by decomposing functions in the target application program, each program block comprises a current program block ID and a subsequent program block ID, and the subsequent program block ID is used for pointing to a jumped program block; executing a plurality of program blocks according to an execution path formed by a current program block ID and a subsequent program block ID in a control flow graph to obtain state information corresponding to each program block, wherein the state information is used for indicating a data state used when each program block is executed; and generating a control flow and a data flow of the target application program based on the state information and the control flow graph.
It should be noted here that any one of the computer terminal groups may establish a communication relationship with the web server and the scanner, and the scanner may scan the value commands of the web application executed by the php on the computer terminal.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present application, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed technology can be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or module blocks, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be substantially implemented or contributed to by the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
The foregoing is only a preferred embodiment of the present application and it should be noted that those skilled in the art can make several improvements and modifications without departing from the principle of the present application, and these improvements and modifications should also be considered as the protection scope of the present application.
Claims (9)
1. A processing method of an application program is characterized by comprising the following steps:
acquiring a control flow diagram of a target application program, wherein the control flow diagram comprises a plurality of program blocks decomposed by functions in the target application program, each program block comprises a current program block ID and a subsequent program block ID, and the subsequent program block ID is used for pointing to a jumped program block;
executing the plurality of program blocks according to an execution path formed by the current program block ID and the subsequent program block ID in the control flow graph to obtain state information corresponding to each program block, wherein the state information is used for indicating a data state used when each program block is executed;
updating the control flow graph according to the state information;
and generating a control flow of the target application program according to the updated control flow graph, and generating a data flow of the target application program according to the state information.
2. The method of claim 1, wherein obtaining the control flow graph of the target application comprises:
converting the target application program into a code file, wherein the code file comprises a function and identification information of the function;
traversing the function in the code file, decomposing the function into the plurality of program blocks;
and generating the control flow graph with the execution direction of the target application program according to the program blocks.
3. The method of claim 2, wherein the identification information of the function comprises one or more of the following: the function name, class name, return value of the function, and the name of the member variable of the class.
4. The method of claim 1, wherein executing the plurality of blocks according to the execution path formed by the current block ID and the successor block ID in the control flow graph comprises:
determining an entry block of the plurality of blocks from the control flow graph, wherein the entry block of the plurality of blocks refers to a starting point for executing the plurality of blocks;
and executing the program blocks according to the entrance program block and the execution path.
5. The method of claim 4, wherein said determining an entry block of said plurality of blocks from said control flow graph comprises:
judging whether the in-degree of each program block is a first identifier or not in the plurality of program blocks;
screening out predefined entrance program blocks from the program blocks with the entrance degrees as the first identifications;
determining the predefined portal block as a portal block of the plurality of blocks.
6. The method of claim 4, wherein executing the plurality of blocks according to the entry block and the execution path comprises:
starting from the entry program block, calling a preset defect execution list along the execution path, and executing defect execution on the plurality of program blocks, wherein the defect execution list is used for indicating the state information required to be acquired in the process of executing the plurality of program blocks, and the state information comprises preset attributes of preset variables.
7. The method according to any one of claims 1 to 6, wherein the status information comprises one or more of: call stacks, function execution return values, instances of classes, registers, instruction sets, and inheritance relationships of classes.
8. An apparatus for processing an application program, comprising:
the method comprises the steps of obtaining a control flow graph of a target application program, wherein the control flow graph comprises a plurality of program blocks formed by decomposing functions in the target application program, each program block comprises a current program block ID and a subsequent program block ID, and the subsequent program block ID is used for pointing to a jumped program block;
an execution unit, configured to execute the multiple program blocks according to an execution path formed by the current program block ID and the subsequent program block ID in the control flow graph, to obtain state information corresponding to each program block, where the state information is used to indicate a data state used when each program block is executed;
a generating unit configured to generate a control flow and a data flow of the target application based on the state information and the control flow graph; wherein the generating unit includes: the updating module is used for updating the control flow graph according to the state information; and the generating module is used for generating the control flow according to the updated control flow graph and generating the data flow according to the state information.
9. The apparatus of claim 8, wherein the obtaining unit comprises:
the conversion module is used for converting the target application program into a code file, and the code file comprises a function and identification information of the function;
a decomposition module for traversing the function in the code file, decomposing the function into the plurality of program blocks;
and the generating module is used for generating the control flow graph with the execution direction of the target application program according to the program blocks.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201511004777.6A CN106933642B (en) | 2015-12-29 | 2015-12-29 | Application program processing method and processing device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201511004777.6A CN106933642B (en) | 2015-12-29 | 2015-12-29 | Application program processing method and processing device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN106933642A CN106933642A (en) | 2017-07-07 |
| CN106933642B true CN106933642B (en) | 2021-04-27 |
Family
ID=59459098
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201511004777.6A Active CN106933642B (en) | 2015-12-29 | 2015-12-29 | Application program processing method and processing device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN106933642B (en) |
Families Citing this family (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110018890B (en) * | 2018-01-10 | 2021-07-30 | 武汉斗鱼网络科技有限公司 | Interaction method between threads, electronic equipment and readable storage medium |
| CN109543408B (en) * | 2018-10-29 | 2021-10-12 | 卓望数码技术(深圳)有限公司 | Malicious software identification method and system |
| CN111596926B (en) * | 2020-04-14 | 2023-02-07 | 中国人民解放军战略支援部队信息工程大学 | Data evidence obtaining analysis method and device and electronic equipment |
| CN111858380A (en) * | 2020-07-31 | 2020-10-30 | 北京字节跳动网络技术有限公司 | Model construction method and device |
Family Cites Families (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7454457B1 (en) * | 2000-02-07 | 2008-11-18 | Parallel Networks, Llc | Method and apparatus for dynamic data flow control using prioritization of data requests |
| JP4849606B2 (en) * | 2006-04-28 | 2012-01-11 | 株式会社日立製作所 | Control flow error detection method, data processing apparatus, and compiler |
| DE602006014415D1 (en) * | 2006-10-11 | 2010-07-01 | Rhf Gbr Robelly | Synchronization and parallel execution of control flow and data flow on task level |
| CN102165428B (en) * | 2008-08-13 | 2015-05-20 | 高通股份有限公司 | Software application performance enhancement |
| CN101739339B (en) * | 2009-12-29 | 2013-03-27 | 北京航空航天大学 | Program dynamic dependency relation-based software fault positioning method |
| CN101937396B (en) * | 2010-09-30 | 2012-07-11 | 中国科学院软件研究所 | Detecting method of unsafe variable use in software program |
| CN101968766B (en) * | 2010-10-21 | 2012-09-05 | 上海交通大学 | System for detecting software bug triggered during practical running of computer program |
| CN102298552A (en) * | 2011-09-19 | 2011-12-28 | 南京大学 | Method for performing source code instrumentation on the basis of code inquiry |
| CN103377341A (en) * | 2012-04-28 | 2013-10-30 | 北京网秦天下科技有限公司 | Method and system for security detection |
| CN103279421B (en) * | 2013-06-14 | 2015-09-16 | 武汉大学 | A kind of program exception propagation model building method based on data origin technology |
| CN104615535B (en) * | 2015-01-29 | 2017-08-11 | 北方工业大学 | Method and device for generating test case based on extended data flow model |
| CN104573503B (en) * | 2015-02-11 | 2018-04-27 | 中国农业银行股份有限公司 | The detection method and device that a kind of internal storage access overflows |
| CN104698935B (en) * | 2015-03-02 | 2017-08-29 | 国电南瑞科技股份有限公司 | A kind of method for optimizing protection supervisory equipment exploitation |
-
2015
- 2015-12-29 CN CN201511004777.6A patent/CN106933642B/en active Active
Also Published As
| Publication number | Publication date |
|---|---|
| CN106933642A (en) | 2017-07-07 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| KR101246623B1 (en) | Apparatus and method for detecting malicious applications | |
| US8407800B2 (en) | Method for software vulnerability flow analysis, generation of vulnerability-covering code, and multi-generation of functionally-equivalent code | |
| US9747190B2 (en) | Analysis system, analysis method, and computer program product | |
| CN108536451B (en) | Method and device for embedding embedded point of application program | |
| CN106933642B (en) | Application program processing method and processing device | |
| US8875111B2 (en) | Intermediate language representation and modification | |
| Li et al. | Program tailoring: Slicing by sequential criteria | |
| CN111090433A (en) | Data processing method, device and storage medium | |
| CN110825386A (en) | Code compiling method and device and storage medium | |
| CN106776266B (en) | Configuration method of test tool and terminal equipment | |
| JP2014021982A (en) | Iterative generation of symbolic test drivers for object-oriented languages | |
| CN110333872B (en) | Application processing method, device, equipment and medium | |
| CN114328168A (en) | Anomaly detection method and device, computer equipment and storage medium | |
| US20130111432A1 (en) | Validation of a system model including an activity diagram | |
| CN110647457B (en) | Data mining method, data processing method and system | |
| CN108304230B (en) | Implementation method and device for adjusting application attribute and readable storage medium | |
| CN112953721B (en) | IPA file analysis method, IPA file analysis device, IPA file analysis equipment and storage medium | |
| CN115098158A (en) | SDK packaging method and device, computer equipment and storage medium | |
| US20110321009A1 (en) | Implementing encryption via aspect oriented programming | |
| Foroughipour et al. | Androclonium: Bytecode-level code clone detection for obfuscated android apps | |
| Bazhenov et al. | Methodology of software code decomposition analysis | |
| CN116774988B (en) | Method and device for releasing frame package mode symbol dependence | |
| CN116775040B (en) | Pile inserting method for realizing code vaccine and application testing method based on code vaccine | |
| Sistany | AndroClonium: Bytecode-Level Code Clone Detection for Obfuscated Android Apps | |
| Quante | Online construction of dynamic object process graphs |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |