CN111523115B - Information determining method, function calling method and electronic equipment - Google Patents

Information determining method, function calling method and electronic equipment

Info

Publication number: CN111523115B
Authority: CN (China)
Prior art keywords: function, calling, meeting, path, condition
Legal status: Active (the legal status shown is an assumption and not a legal conclusion; Google has not performed a legal analysis)
Application number: CN201910106289.8A
Other languages: Chinese (zh)
Other versions: CN111523115A
Inventors: 李丹, 裘绍翔, 熊海潇
Current assignee: Banma Zhixing Network Hongkong Co Ltd (listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Banma Zhixing Network Hongkong Co Ltd

Events:
Application filed by Banma Zhixing Network Hongkong Co Ltd
Priority to CN201910106289.8A
Publication of CN111523115A
Application granted
Publication of CN111523115B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F 2221/033 Test or assess software

Abstract

The embodiments of the present application provide an information determining method, a function calling method and an electronic device. The information determining method comprises: acquiring the call path of a first function when a call event for the first function is detected; detecting whether the call path contains a second function that meets a preset requirement; and determining, based on the detection result, whether the call event for the first function is legal. In the technical solution provided by the embodiments, whether the currently initiated call to the first function is legal is determined by detecting whether the call path contains a function meeting the preset requirement, rather than by validating the whole path. This reduces the complexity of path detection, raises the difficulty of attack, lowers the detection cost and gives the solution high practicability.

Description

Information determining method, function calling method and electronic equipment
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to an information determining method, a function calling method, and an electronic device.
Background
Each process in the Linux operating system has different access rights to system resources. As Linux has developed, the management of system rights has moved from the initial discretionary access control (DAC) to the later mandatory access control (MAC) of SELinux, and the operating system now provides finer-grained management of process access rights and stronger security guarantees.
All of these guarantees rest on a structure named 'cred' in the kernel, and protecting the cred structure from malicious modification by an attacker is one of the important problems in kernel security research.
Disclosure of Invention
In view of the foregoing, it is proposed that the present application provide an information determining method, a function calling method, and an electronic device that solve or at least partially solve the foregoing problems.
Thus, in one embodiment of the present application, an information determining method is provided. The method comprises the following steps:
acquiring a calling path of a first function under the condition that a first function calling event is monitored;
detecting whether a second function meeting preset requirements is contained in the calling path;
and determining the validity of the calling first function event based on the detection result.
In another embodiment of the present application, a function call method is provided. The method comprises the following steps:
acquiring a calling path of a first function under the condition that a first function calling event is monitored;
backtracking a second function meeting preset requirements based on the calling path;
and intercepting the call to the first function under the condition that the backtracking result is null.
In yet another embodiment of the present application, a function call method is provided. The method comprises the following steps:
Acquiring a calling path of a first function under the condition that a first function calling event is monitored;
and calling the first function and executing the first function when a second function meeting the preset requirement can be traced back based on the calling path.
In yet another embodiment of the present application, an electronic device is provided. The electronic device includes: a memory and a processor; wherein,
the memory is used for storing programs;
the processor, coupled to the memory, is configured to execute the program stored in the memory for:
acquiring a calling path of a first function under the condition that a first function calling event is monitored;
detecting whether a second function meeting preset requirements is contained in the calling path;
and determining the validity of the calling first function event based on the detection result.
In yet another embodiment of the present application, an electronic device is provided. The electronic device includes: a memory and a processor; wherein,
the memory is used for storing programs;
the processor, coupled to the memory, is configured to execute the program stored in the memory for:
Acquiring a calling path of a first function under the condition that a first function calling event is monitored;
backtracking a second function meeting preset requirements based on the calling path;
and intercepting the call to the first function under the condition that the backtracking result is null.
In yet another embodiment of the present application, an electronic device is provided. The electronic device includes: a memory and a processor; wherein,
the memory is used for storing programs;
the processor, coupled to the memory, is configured to execute the program stored in the memory for:
acquiring a calling path of a first function under the condition that a first function calling event is monitored;
and calling the first function and executing the first function when a second function meeting the preset requirement can be traced back based on the calling path.
In the technical solution provided by the embodiments of the present application, whether the currently initiated call to the first function is legal is determined by detecting whether the call path contains a function meeting the preset requirement, rather than by validating the whole path. This reduces the complexity of path detection, raises the difficulty of attack, lowers the detection cost and gives the solution high practicability.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, a brief description will be given below of the drawings that are needed in the embodiments or the prior art descriptions, and it is obvious that the drawings in the following description are some embodiments of the present application, and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flow chart of an information determining method according to an embodiment of the present application;
FIG. 2 is a schematic diagram of a kernel-mode process obtaining its own cred address through a kernel stack;
fig. 3 is a flow chart of an information determining method according to another embodiment of the present application;
FIG. 4 is a flow chart of a function calling method according to an embodiment of the present application;
FIG. 5 is a flowchart illustrating a function calling method according to another embodiment of the present application;
FIG. 6 is a block diagram of an information determining apparatus according to an embodiment of the present application;
FIG. 7 is a block diagram of a function calling device according to an embodiment of the present application;
FIG. 8 is a block diagram of a function calling device according to another embodiment of the present application;
fig. 9 is a schematic structural diagram of an electronic device according to an embodiment of the present application;
Fig. 10 is a schematic structural diagram of an electronic device according to another embodiment of the present application;
fig. 11 is a schematic structural diagram of an electronic device according to another embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application. It will be apparent that the described embodiments are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
Fig. 1 is a flow chart illustrating an information determining method according to an embodiment of the present application. The execution body of the method provided in this embodiment may be an information determining device, which may be hardware integrated in the terminal and carrying an embedded program, application software installed in the terminal, or tool software embedded in the operating system of the terminal; the embodiments of the present application do not limit this. The terminal may be any terminal device, including a computer, a mobile phone, a tablet computer, a PDA (Personal Digital Assistant), a POS (Point of Sales) terminal, an in-car computer, and the like. Specifically, as shown in fig. 1, the method includes:
101. And acquiring a calling path of the first function under the condition that a first function calling event is monitored.
102. And detecting whether the calling path contains a second function meeting preset requirements.
103. And determining the validity of the calling first function event based on the detection result.
In 101, the call path of the first function can be understood as the set of all functions obtained by backtracing the stack of the first function. For example, if function A calls function B and function B calls function C, the call path of function C is the set consisting of function B and function A.
In 102, the second function meeting the preset requirement may be a function whose effective input does not contain a designated pointer and which performs a permission check on designated content. In one embodiment, the designated pointer is a pointer to the cred structure and the designated content is the content of the cred. The cred content includes, but is not limited to: xid (e.g. uid and/or gid), cap_xxx (the capability sets), security, and context.
The effective input of a function is explained below with two specific examples.
Example 1: function A(struct cred *new). Its parameter list includes a pointer to the cred structure, so the effective input of function A contains a pointer to the cred structure.
Example 2: function B(struct c). Its parameter c is not a pointer to the cred structure, but suppose that inside function B a pointer to the cred structure is obtained (for instance derived from c); this is equivalent to the cred pointer being passed into function B as a parameter, so the effective input of function B also contains a pointer to the cred structure.
As the two examples show, "effective input" in this embodiment means everything a function actually takes as input, not only its declared parameters.
In the step 103, when the detection result is that the calling path contains the second function meeting the preset requirement, determining that the event of calling the first function is legal; and when the detection result is that the second function meeting the preset requirement is not contained in the calling path, determining that the event of calling the first function is illegal.
The second function meeting the preset requirement may also be called a secure source function. A secure source function is a function on the call path of the first function whose presence indicates that the source of the call is safe, from which it can be determined that the call to the first function is legal.
Existing call-path detection requires determining all legal call paths of the protected function at compile time and then checking at run time, when the function is called, whether its actual call path is one of them. The difficulty of this prior-art method lies in determining all legal call paths at compile time: the number of call paths of a function grows, in theory, exponentially with the call depth, and once dynamic calls, recursive calls, system migration and similar run-time factors are taken into account, the set of legal call paths cannot be determined accurately and completely. Existing call-path detection therefore still leaves room for bypass. The solution provided by this embodiment does not check whether the whole call path is correct; it only checks whether the call path contains a secure source function and judges the legality of the call from that result, which reduces the complexity of path detection. Moreover, since in theory a secure source function must be present on every call path that starts from a system call, the solution raises the attack difficulty, lowers the detection cost and is highly usable.
Further, the detection in step 102 of whether the call path contains a second function meeting the preset requirement may be implemented as follows:
1021. Backtrack, based on the call path, to the upper-layer function that called the first function.
1022. Determine whether the upper-layer function meets the preset requirement.
1023. If it does, the upper-layer function is the second function, and stack backtracking stops.
Backtracking means tracing upward through the call stack. For example, at run time function A calls function B and function B calls function C; backtracking from function C reaches function B, the upper-layer function that called function C.
In 1022, the preset requirement may be: the effective input does not contain the designated pointer, and the function performs a permission check on the designated content. In a specific embodiment, the first function is a cred interface function, the designated pointer is a pointer to the cred structure, and the designated content is the cred content.
It should be noted that the solution is applicable not only to calls of the kernel's cred interface functions but also to calls of other key kernel functions; the embodiments of the present application do not limit this.
In one implementation, step 1022, determining whether the upper-layer function meets the preset requirement, may include the following steps:
S1. Check whether the effective input of the upper-layer function contains the designated pointer.
S2. Check whether the upper-layer function performs a permission check on the designated content.
S3. If the effective input of the upper-layer function does not contain the designated pointer and the function does perform a permission check on the designated content, the upper-layer function meets the preset requirement.
In fact, all secure source functions can be identified during code compilation according to the rule for cred secure source functions, and a secure source function can ultimately be determined even for dynamic and recursive calls. To improve processing efficiency, a whitelist may therefore be built in advance containing the functions that meet the preset requirement (that is, the secure source function rule). During path backtracking it is then only necessary to query whether the function under examination is in the whitelist. Accordingly, in another implementation, step 1022 may include the following steps:
S1'. Acquire the whitelist.
S2'. If the upper-layer function is in the whitelist, it meets the preset requirement.
In 1023, the upper-layer function meeting the preset requirement means that it is a secure source function. Backtracking can stop at this point, because reaching a secure source function already establishes that the call is legal, which saves the time cost of call-path detection.
Further, step 102 also includes the following step:
1024. If the upper-layer function does not meet the preset requirement, continue backtracking until a second function meeting the preset requirement is found or until the starting-point function of the call path is reached.
If the starting-point function of the call path is reached without finding a second function meeting the preset requirement, the call path does not contain such a function.
It should be noted that a secure source function must exist on every call path on which the kernel cannot otherwise guarantee the safety of the cred operation. In theory the kernel guarantees that a secure source function is found before backtracking reaches the system call entry. If the system call entry is reached without locating a secure source function, then a path exists by which user space can modify the cred directly through a system call, and this is regarded as a system bug that must be fixed. That is, the method of this embodiment may further include the following step:
104. If no second function meeting the preset requirement exists on the path starting from the system call, determine that a system bug to be fixed exists.
The method of this embodiment can be used for call-path detection of any key kernel function for which a secure source function can be determined. The following embodiment is described with reference to calling a cred interface function of the kernel.
The cred is a data structure that every process has. Every process also has a kernel stack, and a process in kernel mode normally obtains the address of its own cred through the kernel stack, as shown in fig. 2.
Root privilege in the kernel can be obtained through the commit_creds function. Kernel privilege escalation is an attack in which a process exploits a kernel vulnerability to obtain privileges higher than those assigned to it by the system. For an attacker, kernel privilege escalation in a Linux system comes down to only two methods:
Method one, from the code perspective
Modify the functions that operate on the cred, including but not limited to the check functions for xid (e.g. uid and/or gid), cap_xxx, security and context, so as to bypass the security checks.
Method two, from the data perspective
Modify the cred content, including but not limited to directly modifying xid (e.g. uid and/or gid), cap_xxx, security and context. The cred can be modified in two ways: (1) by directly reading and writing the cred structure; (2) by calling a modification function of the cred structure (commit_creds and the like).
The solution of this embodiment addresses the attack mode in which the attacker modifies the cred by calling a modification function of the cred structure. Because the parameter of a cred interface function such as commit_creds is a pointer to the cred structure, an attacker can pass an arbitrary pointer into the interface function as the cred structure and, under certain conditions, modify the cred through its standard interface. Call-path detection is therefore used to determine whether the currently initiated modification of the cred through the cred interface function is safe.
For example, fig. 3 shows a flowchart of an information determining method according to an embodiment of the present application. As shown in fig. 3, the method includes:
201. Acquire the call path of the cred interface function when a call event for the cred interface function is detected.
For example, the cred interface function is commit_creds. One possible call path, call path 1, is: commit_creds(struct cred *new) <- function C.
Another possible call path, call path 2, is: commit_creds(struct cred *new) <- function D <- function E <- function F <- function G.
202. Detect whether the call path contains a secure source function.
Taking call path 2 as an example, function G is known to be a secure source function, while functions D, E and F are not. Specifically, step 202 includes the following steps:
2021. Backtrack, based on the call path, to function D, the upper-layer function that called commit_creds.
2022. Function D is not a secure source function; continue backtracking to function E, the upper-layer function that called function D.
2023. Function E is not a secure source function; continue backtracking to function F, the upper-layer function that called function E.
2024. Function F is not a secure source function; continue backtracking to function G, the upper-layer function that called function F.
2025. Function G is a secure source function; stop backtracking.
203. Determine, based on the detection result, whether the call to the cred interface function is legal.
Taking call path 2 as an example, the call path contains a secure source function (function G), so the call to the cred interface function is determined to be legal.
There is of course also the case in which no secure source function exists on the call path; the call to the cred interface function is then determined to be illegal.
One implementation determines, at compile time, all the modification interfaces of the cred, which may also be called cred interface functions. The cred interface functions include, but are not limited to, commit_creds, revert_creds and override_creds. Also at compile time, all secure source functions are identified according to the preset requirement (the secure source function rule), and a secure source function can ultimately be determined even for dynamic and recursive calls. Once all secure source functions have been identified, a whitelist is built. When step 202 is executed, a function then only needs to be looked up in the whitelist to determine whether it is a secure source function, which improves detection efficiency. That is, before steps 201 to 203 are executed, the following preparations are made:
Preparation 1: Build the secure source function whitelist.
In cred call-path detection, a secure source function must satisfy two conditions:
Condition 1: the effective input of the function does not contain a pointer to the cred structure.
Condition 2: the function performs a permission check on the cred content, and that check can guarantee the safety of the cred.
Taking commit_creds as an example, consider the call path commit_creds(struct cred *new) <- function H. The effective input of commit_creds contains a cred pointer, so commit_creds is not a secure source function. Suppose the effective input of function H does not contain a cred pointer, but function H internally performs a security check on the cred content. Function H satisfies both conditions, so function H is the secure source function on this cred call path.
All secure source functions identified with the two conditions are listed in the whitelist. When step 202 is executed, a function found in the whitelist is a secure source function, and a function not found in the whitelist is not.
Preparation 2: Add call-path detection code to the cred interface function. When it runs, the detection code carries out steps 201 to 203 above. Whenever the cred interface function is called, the call-path detection code runs first; the cred interface function continues only if the detection code returns legal; otherwise the call to the cred interface function is intercepted, which prevents an attacker from illegally modifying the cred structure by calling the cred interface function.
This embodiment is mainly used to defend against an attacker illegally modifying the cred structure by calling a kernel cred interface function (such as commit_creds). Currently known attacks on the cred are initiated from user mode and reach kernel mode through a system call. System calls are the only way the kernel provides services to user processes: an application calls functional modules (functions) provided by the operating system, and the user program switches from user mode to kernel mode through the system call so that the corresponding resource can be accessed. A secure source function must exist on every call path on which the kernel cannot otherwise guarantee the safety of the cred operation, so the kernel can ensure that a secure source function exists on every call path starting from a system call; if the backtrace from the protected function reaches the system call without finding a secure source function, the call is regarded as illegal. With the solution of this embodiment, detection of kernel cred call paths therefore becomes practical: it raises the attack difficulty, lowers the detection cost and has high practicability.
Fig. 4 is a schematic flow chart of a function calling method according to an embodiment of the present application. The execution body of the method provided in this embodiment may be a function calling device, which may be hardware integrated in the terminal and carrying an embedded program, application software installed in the terminal, or tool software embedded in the operating system of the terminal; the embodiments of the present application do not limit this. The terminal may be any terminal device, including a computer, a mobile phone, a tablet computer, a PDA (Personal Digital Assistant), a POS (Point of Sales) terminal, an in-car computer, and the like. As shown, the method includes:
301. and acquiring a calling path of the first function under the condition that a first function calling event is monitored.
302. And backtracking a second function meeting preset requirements based on the calling path.
303. And intercepting the call to the first function under the condition that the backtracking result is null.
Reference to 301 is made to the corresponding content in the above embodiments, and will not be repeated here.
In 302, the second function meets the following preset requirement:
its effective input parameters do not contain the designated pointer, and it performs a permission check on the designated content.
In 303, a null backtracking result can simply be understood as follows: no second function meeting the preset requirement can be traced back based on the call path.
Further, the method of this embodiment may also include the following steps:
304. Acquire a whitelist.
305. Backtrack, based on the call path, to the upper-layer function that called the first function.
306. If the upper-layer function is not in the whitelist, continue backtracking.
307. If no whitelisted function has been found when the starting-point function of the call path is reached, determine that no second function meeting the preset requirement can be traced back based on the call path.
In 304, the whitelist may be preset: for example, all secure source functions are identified at compile time according to the preset requirement (the secure source function rule of the embodiment above), and the whitelist is built from the identified secure source functions.
Further, the first function is a cred interface function, the designated pointer is a pointer to the cred structure, and the designated content is the cred content.
In the solution of this embodiment, whether the call to the first function is intercepted is decided by detecting whether a second function meeting the preset requirement can be traced back along the call path. This reduces the complexity of path detection, raises the attack difficulty, lowers the detection cost and gives the method high practicability.
Fig. 5 is a schematic flow chart of a function calling method according to another embodiment of the present application. The execution body of the method provided in this embodiment may be a function calling device, which may be hardware integrated in the terminal and carrying an embedded program, application software installed in the terminal, or tool software embedded in the operating system of the terminal; the embodiments of the present application do not limit this. The terminal may be any terminal device, including a computer, a mobile phone, a tablet computer, a PDA (Personal Digital Assistant), a POS (Point of Sales) terminal, an in-car computer, and the like. As shown, the method includes:
401. When a first function call event is monitored, acquire the call path of the first function.
402. When a second function meeting the preset requirement can be traced back along the call path, call the first function and execute it.
For 401, see the corresponding content in the above embodiments; it is not repeated here.
In 402, the second function meets the following preset requirement:
its valid input parameters do not include the setting pointer, and it contains an operation that checks the authority of the set content.
Further, the method of this embodiment also includes the following steps:
403. Acquire a white list.
404. Trace back, along the call path, to the upper function that called the first function.
405. If the upper function is in the white list, determine that a second function meeting the preset requirement can be traced back along the call path.
In 403, the white list contains functions that meet the preset requirement, so an upper function appearing in the white list is one that meets the preset requirement. The white list can be produced by finding all functions meeting the preset requirement through analysis at compile time and listing them.
In the scheme of this embodiment, whether the call of the first function is released and the first function is run is decided by detecting whether a second function meeting the preset requirement can be traced back along the call path. This reduces the complexity of path detection, raises the difficulty for an attacker, lowers the detection cost, and is highly practical.
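The backtrace check of steps 304 to 306 (intercept) and 404 to 405 (release), as an added userland simulation in C that is not code from the patent: the call path is modelled as an array of frame names from the first function up to the starting point, the white list is derived once from a constructed function table by the preset requirement (no cred pointer among the valid inputs, a permission check on the cred content), and the walk stops at the first white-listed frame. All function names, their recorded properties and the sample paths are constructed assumptions; the kernel-style names are labels only.

```c
#include <stdio.h>
#include <string.h>

/* Facts a compile-time analysis would record per function. Every entry below
 * is a constructed assumption for this example; kernel-style names are labels. */
struct func_info {
    const char *name;
    int takes_cred_ptr;     /* a struct cred * is among its valid inputs */
    int checks_permission;  /* it performs a permission check on cred content */
};

static const struct func_info FUNC_TABLE[] = {
    { "commit_creds",        1, 0 },  /* cred interface function (first function) */
    { "override_creds",      1, 0 },
    { "prepare_kernel_cred", 0, 0 },
    { "__sys_setuid",        0, 1 },  /* assumed: capability check, uid_t input */
    { "vuln_driver_ioctl",   0, 0 },  /* assumed: buggy driver, no check */
    { "entry_SYSCALL_64",    0, 0 },  /* assumed start point of every path */
};
#define N_FUNCS ((int)(sizeof FUNC_TABLE / sizeof FUNC_TABLE[0]))

/* Preset requirement: no cred pointer input and a permission check present.
 * Frames not in the table never qualify. */
int meets_preset_requirement(const char *name) {
    int i;
    for (i = 0; i < N_FUNCS; i++)
        if (strcmp(FUNC_TABLE[i].name, name) == 0)
            return !FUNC_TABLE[i].takes_cred_ptr && FUNC_TABLE[i].checks_permission;
    return 0;
}

/* White list built once from the rule, standing in for the compile-time step. */
int build_whitelist(const char **out, int cap) {
    int i, n = 0;
    for (i = 0; i < N_FUNCS && n < cap; i++)
        if (meets_preset_requirement(FUNC_TABLE[i].name))
            out[n++] = FUNC_TABLE[i].name;
    return n;
}

static int in_whitelist(const char *name, const char **wl, int wl_len) {
    int i;
    for (i = 0; i < wl_len; i++)
        if (strcmp(wl[i], name) == 0)
            return 1;
    return 0;
}

/* Steps 304-306 / 404-405: path[0] is the first function, path[depth-1] the
 * starting point. Walk upward, stop at the first white-listed frame and
 * return its index; return -1 if the start point is reached without one. */
int backtrace_second_function(const char *const *path, int depth,
                              const char **wl, int wl_len) {
    int i;
    for (i = 1; i < depth; i++)
        if (in_whitelist(path[i], wl, wl_len))
            return i;
    return -1;
}

/* 1: release the call (step 402); 0: intercept it. */
int cred_call_allowed(const char *const *path, int depth) {
    const char *wl[N_FUNCS];
    int wl_len = build_whitelist(wl, N_FUNCS);
    return backtrace_second_function(path, depth, wl, wl_len) >= 0;
}

/* Constructed sample call paths, innermost frame first. */
const char *const LEGIT_PATH[]   = { "commit_creds", "__sys_setuid", "entry_SYSCALL_64" };
const char *const EXPLOIT_PATH[] = { "commit_creds", "vuln_driver_ioctl", "entry_SYSCALL_64" };
/* A call reached through hijacked control flow may leave no resolvable caller frame. */
const char *const ORPHAN_PATH[]  = { "commit_creds", "<unresolved frame>" };

int main(void) {
    printf("legit:   %s\n", cred_call_allowed(LEGIT_PATH, 3) ? "release" : "intercept");
    printf("exploit: %s\n", cred_call_allowed(EXPLOIT_PATH, 3) ? "release" : "intercept");
    printf("orphan:  %s\n", cred_call_allowed(ORPHAN_PATH, 2) ? "release" : "intercept");
    return 0;
}
```

An unknown or unresolved frame is never treated as meeting the requirement, so a path with no recognisable caller is intercepted rather than released. The decision rests on the frames visible on the stack at the moment of the call; an attacker who can already write the kernel stack could forge such frames, which is why the text describes the scheme as raising the attacker's difficulty rather than as a replacement for fixing the underlying bug.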
It should be noted that the steps of the method in the above embodiments may be executed by the same device or by different devices. For example, steps 101 to 103 may all be executed by device A; or steps 101 and 102 may be executed by device A and step 103 by device B; and so on.
Fig. 6 shows a schematic structural diagram of an information determining apparatus provided in an embodiment of the present application. As shown in the drawing, the information determining apparatus includes an acquisition module 11, a detection module 12 and a determination module 13. The acquisition module 11 is configured to acquire the call path of a first function when a first function call event is monitored; the detection module 12 is configured to detect whether the call path contains a second function meeting a preset requirement; and the determination module 13 is configured to determine, based on the detection result, whether the first function call event is legitimate.
In the scheme of this embodiment, whether the current call of the first function is legitimate is decided by detecting whether the call path contains a function meeting the preset requirement. This reduces the complexity of path detection, raises the difficulty for an attacker, lowers the detection cost, and is highly practical.
Further, the detection module 12 is also configured to: trace back, along the call path, to the upper function that called the first function; determine whether the upper function meets the preset requirement; and, if it does, stop the stack backtrace, the upper function being the second function.
Still further, the detection module 12 is also configured to: if the upper function does not meet the preset requirement, continue tracing back until a second function meeting the preset requirement is found or the starting point function of the call path is reached.
Further, the detection module 12 is also configured to determine whether the valid input of the upper function contains the setting pointer and whether the upper function contains an operation that checks the authority of the set content; the upper function meets the preset requirement if its valid input does not contain the setting pointer and it does contain such a permission-checking operation.
Further, the detection module 12 is also configured to: acquire a white list; and, if the upper function is in the white list, treat the upper function as meeting the preset requirement.
Further, the determination module 13 is also configured to: determine that the first function call event is legitimate when the detection result is that the call path contains a second function meeting the preset requirement; and determine that the first function call event is illegitimate when the detection result is that the call path does not contain such a second function.
In one embodiment, the first function may specifically be a cred interface function. Cred interface functions include, but are not limited to, commit_creds, revert_creds, override_creds and the like.
Further, the determination module 13 is also configured to: if no second function meeting the preset requirement exists on a path starting from a system call, determine that a system vulnerability to be repaired exists.
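The compile-time analysis mentioned for 303 and the diagnostic in the preceding paragraph (a path from a system call on which no second function appears indicates a vulnerability to fix), as an added C example that is not code from the patent: a depth-first walk over a constructed call graph enumerates every simple path from a system call entry to a cred interface function and counts those on which no security source function appears, and the on-path marking keeps recursive call cycles from looping. Node names, their recorded properties and the edges are assumptions made up for the example; the kernel-style names are labels only.

```c
#include <stdio.h>
#include <string.h>

struct node {
    const char *name;
    int takes_cred_ptr;     /* a struct cred * is among its valid inputs */
    int checks_permission;  /* it performs a permission check on cred content */
};

/* Constructed call-graph nodes; the array index is the node id. */
static const struct node NODES[] = {
    { "entry_SYSCALL_64",  0, 0 },  /* 0: assumed start point of every path */
    { "__sys_setuid",      0, 1 },  /* 1: assumed security source function */
    { "ksys_ioctl",        0, 0 },  /* 2 */
    { "vuln_driver_ioctl", 0, 0 },  /* 3: assumed driver with no check */
    { "safe_driver_ioctl", 0, 1 },  /* 4: assumed driver that does check */
    { "commit_creds",      1, 0 },  /* 5: cred interface function (sink) */
};
#define N_NODES ((int)(sizeof NODES / sizeof NODES[0]))

/* Constructed caller -> callee edges. The 3 -> 2 edge forms a cycle on purpose. */
static const int EDGES[][2] = {
    {0, 1}, {1, 5},
    {0, 2}, {2, 3}, {3, 5}, {3, 2},
    {2, 4}, {4, 5},
};
#define N_EDGES ((int)(sizeof EDGES / sizeof EDGES[0]))

/* Preset requirement from the text. */
static int is_security_source(int id) {
    return !NODES[id].takes_cred_ptr && NODES[id].checks_permission;
}

static int node_id(const char *name) {
    int i;
    for (i = 0; i < N_NODES; i++)
        if (strcmp(NODES[i].name, name) == 0)
            return i;
    return -1;
}

struct walk {
    int sink;
    int on_path[N_NODES];   /* nodes on the current path: breaks cycles */
    int trail[N_NODES];     /* current path, for reporting */
    int depth;
    int total;              /* simple paths that reach the sink */
    int unguarded;          /* those with no security source function */
    int report;             /* print each unguarded path */
};

static void dfs(struct walk *w, int cur, int guarded) {
    int i;
    w->trail[w->depth++] = cur;
    if (cur == w->sink) {
        w->total++;
        if (!guarded) {
            w->unguarded++;
            if (w->report) {
                printf("unguarded:");
                for (i = 0; i < w->depth; i++)
                    printf(" %s", NODES[w->trail[i]].name);
                printf("\n");
            }
        }
        w->depth--;
        return;
    }
    w->on_path[cur] = 1;
    for (i = 0; i < N_EDGES; i++) {
        int next = EDGES[i][1];
        if (EDGES[i][0] != cur || w->on_path[next])
            continue;
        dfs(w, next, guarded || is_security_source(next));
    }
    w->on_path[cur] = 0;
    w->depth--;
}

/* Returns the number of simple paths from entry to sink and writes how many
 * of them carry no security source function; -1 if a name is unknown. */
static int walk_paths(const char *entry, const char *sink, int report, int *unguarded) {
    struct walk w;
    int e = node_id(entry), s = node_id(sink);
    if (e < 0 || s < 0)
        return -1;
    memset(&w, 0, sizeof w);
    w.sink = s;
    w.report = report;
    dfs(&w, e, is_security_source(e));
    *unguarded = w.unguarded;
    return w.total;
}

int count_all_paths(const char *entry, const char *sink) {
    int u;
    return walk_paths(entry, sink, 0, &u);
}

/* Each unguarded path is one instance of the "vulnerability to be repaired". */
int count_unguarded_paths(const char *entry, const char *sink) {
    int u;
    if (walk_paths(entry, sink, 0, &u) < 0)
        return -1;
    return u;
}

int main(void) {
    int u;
    int total = walk_paths("entry_SYSCALL_64", "commit_creds", 1, &u);
    printf("%d paths, %d unguarded\n", total, u);
    return 0;
}
```

On the constructed graph the walk reports the path through vuln_driver_ioctl and accepts the two paths that pass through a permission-checking caller. The entry node itself counts if it meets the requirement, since it is an upper function of the sink on that path.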
It should be noted that the information determining apparatus of the above embodiments can implement the technical solutions described in the method embodiments; for the implementation principles of the modules or units, see the corresponding content of the method embodiments, which is not repeated here.
Fig. 7 is a block diagram of a function calling device according to an embodiment of the present application. As shown, the function calling device includes an acquisition module 21 and an execution module 22. The acquisition module 21 is configured to acquire the call path of a first function when a first function call event is monitored; the execution module 22 is configured to trace back, along the call path, a second function meeting a preset requirement, and to intercept the call of the first function when the backtrace result is empty.
In the scheme of this embodiment, whether the call of the first function is intercepted is decided by detecting whether a second function meeting the preset requirement can be traced back along the call path. This reduces the complexity of path detection, raises the difficulty for an attacker, lowers the detection cost, and is highly practical.
Further, the second function meets the following preset requirement: its valid input parameters do not include the setting pointer, and it contains an operation that checks the authority of the set content.
Further, the first function is a cred interface function; the setting pointer is a pointer to a cred structure; and the set content is the cred content.
Further, the function calling device of this embodiment also includes a backtracking module and a determining module. The acquisition module is also configured to acquire a white list; the backtracking module is configured to trace back, along the call path, to the upper function that called the first function, and to continue tracing back if the upper function is not in the white list; and the determining module is configured to determine that no second function meeting the preset requirement can be traced back along the call path if no white-listed function has been found when the trace reaches the starting point function of the call path.
It should be noted that the function calling device of the above embodiments can implement the technical solutions described in the method embodiments; for the implementation principles of the modules or units, see the corresponding content of the method embodiments, which is not repeated here.
Fig. 8 is a block diagram of a function calling device according to another embodiment of the present application. As shown, the function calling device includes an acquisition module 31 and an execution module 32. The acquisition module 31 is configured to acquire the call path of a first function when a first function call event is monitored; the execution module 32 is configured to call and execute the first function when a second function meeting a preset requirement can be traced back along the call path.
In the scheme of this embodiment, whether the call of the first function is released and the first function is run is decided by detecting whether a second function meeting the preset requirement can be traced back along the call path. This reduces the complexity of path detection, raises the difficulty for an attacker, lowers the detection cost, and is highly practical.
Further, the second function meets the following preset requirement:
its valid input parameters do not include the setting pointer, and it contains an operation that checks the authority of the set content.
Further, the first function is a cred interface function; the setting pointer is a pointer to a cred structure; and the set content is the cred content.
Further, the function calling device of this embodiment also includes a backtracking module and a determining module. The acquisition module is also configured to acquire a white list; the backtracking module is configured to trace back, along the call path, to the upper function that called the first function; and the determining module is configured to determine that a second function meeting the preset requirement can be traced back along the call path if the upper function is in the white list.
It should be noted that the function calling device of the above embodiments can implement the technical solutions described in the method embodiments; for the implementation principles of the modules or units, see the corresponding content of the method embodiments, which is not repeated here.
Fig. 9 shows a schematic structural diagram of an electronic device according to an embodiment of the present application. The electronic device comprises a memory 41 and a processor 42. The memory 41 may be configured to store various other data to support operations on the electronic device. Examples of such data include instructions for any application or method operating on an electronic device. The memory 41 may be implemented by any type of volatile or non-volatile memory device or combination thereof, such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disk.
The processor 42 is coupled to the memory 41 and executes the program stored in the memory 41 so as to:
acquire the call path of a first function when a first function call event is monitored;
detect whether the call path contains a second function meeting a preset requirement; and
determine, based on the detection result, whether the first function call event is legitimate.
In the scheme of this embodiment, whether the current call of the first function is legitimate is decided by detecting whether the call path contains a function meeting the preset requirement. This reduces the complexity of path detection, raises the difficulty for an attacker, lowers the detection cost, and is highly practical.
Besides the above functions, the processor 42 may implement other functions when executing the program in the memory 41; see the description of the foregoing embodiments for details.
Further, as shown in fig. 9, the electronic device further includes: a display 44, a communication component 43, a power supply component 45, an audio component 46, and other components. Only some of the components are schematically shown in fig. 9, which does not mean that the electronic device only comprises the components shown in fig. 9.
Accordingly, an embodiment of the present application also provides a computer-readable storage medium storing a computer program which, when executed by a computer, can implement the steps or functions of the information determining method of the above embodiments.
Fig. 10 shows a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in fig. 10, the electronic device includes: a memory 51 and a processor 52. Wherein the memory 51 may be configured to store various other data to support operations on the electronic device. Examples of such data include instructions for any application or method operating on an electronic device. The memory 51 may be implemented by any type of volatile or non-volatile memory device or combination thereof, such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disk.
The processor 52 is coupled to the memory 51 and executes the program stored in the memory 51 so as to:
acquire the call path of a first function when a first function call event is monitored;
trace back, along the call path, a second function meeting a preset requirement; and
intercept the call of the first function when the backtrace result is empty.
In the scheme of this embodiment, whether the call of the first function is intercepted is decided by detecting whether a second function meeting the preset requirement can be traced back along the call path. This reduces the complexity of path detection, raises the difficulty for an attacker, lowers the detection cost, and is highly practical.
Besides the above functions, the processor 52 may implement other functions when executing the program in the memory 51; see the description of the foregoing embodiments for details.
Further, as shown in fig. 10, the electronic device further includes: a display 54, a communication component 53, a power supply component 55, an audio component 56, and other components. Only some of the components are schematically shown in fig. 10, which does not mean that the electronic device only comprises the components shown in fig. 10.
Accordingly, the present application also provides a computer-readable storage medium storing a computer program which, when executed by a computer, can implement the steps or functions of the function calling method of each of the above embodiments.
Fig. 11 shows a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in fig. 11, the electronic device includes a memory 61 and a processor 62. The memory 61 may be configured to store various other data to support operations on the electronic device. Examples of such data include instructions for any application or method operating on the electronic device. The memory 61 may be implemented by any type of volatile or non-volatile memory device or combination thereof, such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disk.
The processor 62 is coupled to the memory 61 and executes the program stored in the memory 61 so as to:
acquire the call path of a first function when a first function call event is monitored; and
call and execute the first function when a second function meeting a preset requirement can be traced back along the call path.
In the scheme of this embodiment, whether the call of the first function is released and the first function is run is decided by detecting whether a second function meeting the preset requirement can be traced back along the call path. This reduces the complexity of path detection, raises the difficulty for an attacker, lowers the detection cost, and is highly practical.
Besides the above functions, the processor 62 may implement other functions when executing the program in the memory 61; see the description of the foregoing embodiments for details.
Further, as shown in fig. 11, the electronic device further includes: a display 64, a communication component 63, a power supply component 65, an audio component 66, and other components. Only some of the components are schematically shown in fig. 11, which does not mean that the electronic device only comprises the components shown in fig. 11.
Accordingly, the present application also provides a computer-readable storage medium storing a computer program which, when executed by a computer, can implement the steps or functions of the function calling method of each of the above embodiments.
The apparatus embodiments described above are merely illustrative. Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement this without undue effort.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by software plus the necessary general-purpose hardware platform, or of course by hardware. On this understanding, the foregoing technical solution, in essence or in the part contributing to the prior art, may be embodied in the form of a software product stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disk, containing instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to execute the method described in the respective embodiments or in parts of them.
Some of the flows described in the specification, claims and drawings above contain a plurality of operations occurring in a particular order, but those operations may be performed out of that order or concurrently. Sequence numbers such as 101 and 102 merely distinguish the operations and do not by themselves denote any order of execution. The flows may also contain more or fewer operations, and the operations may be performed sequentially or in parallel. It should be noted that "first" and "second" herein are used to distinguish different messages, devices, modules and the like; they do not denote a sequence, and the "first" and "second" items are not restricted to being of different types.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and are not limiting thereof; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the corresponding technical solutions.

Claims (17)

1. An information determining method, comprising:
acquiring the call path of a first function when a first function call event is monitored;
detecting whether the call path contains a second function meeting a preset requirement; and
determining, based on the detection result, whether the first function call event is legitimate;
wherein detecting whether the call path contains a second function meeting the preset requirement comprises:
tracing back, along the call path, to the upper function that called the first function;
determining whether the upper function meets the preset requirement;
if the preset requirement is met, stopping the stack backtrace, the upper function being the second function; and
if the upper function does not meet the preset requirement, continuing to trace back until a second function meeting the preset requirement is found or the starting point function of the call path is reached.
2. The method of claim 1, wherein determining whether the upper function meets the preset requirement comprises:
determining whether the valid input of the upper function contains a setting pointer;
determining whether the upper function contains an operation that checks the authority of the set content; and
determining that the upper function meets the preset requirement if its valid input does not contain the setting pointer and it contains the operation that checks the authority of the set content.
3. The method of claim 1, wherein determining whether the upper function meets the preset requirement comprises:
acquiring a white list; and
determining that the upper function meets the preset requirement if the upper function is in the white list.
4. The method of claim 1, wherein determining, based on the detection result, whether the first function call event is legitimate comprises:
determining that the first function call event is legitimate if the detection result is that the call path contains the second function meeting the preset requirement; and
determining that the first function call event is illegitimate if the detection result is that the call path does not contain the second function meeting the preset requirement.
5. The method of claim 1, wherein the first function is a cred interface function.
6. The method of claim 1, wherein, when the call path includes a path starting from a system call, the method further comprises:
determining that a system vulnerability to be repaired exists if no second function meeting the preset requirement exists on the path starting from the system call.
7. A function calling method, comprising:
acquiring the call path of a first function when a first function call event is monitored;
tracing back, along the call path, a second function meeting a preset requirement, wherein the second function meeting the preset requirement is an upper function of the first function that meets the preset requirement, and, if an upper function does not meet the preset requirement, the trace continues until a second function meeting the preset requirement is found or the starting point function of the call path is reached; and
intercepting the call of the first function if the backtrace result is empty.
8. The method of claim 7, wherein the second function meets the following preset requirement:
its valid input parameters do not include a setting pointer, and it contains an operation that checks the authority of the set content.
9. The method of claim 8, wherein the first function is a cred interface function; the setting pointer is a pointer to a cred structure; and the set content is the cred content.
10. The method according to any one of claims 7 to 9, further comprising:
acquiring a white list;
tracing back, along the call path, to the upper function that called the first function;
continuing to trace back if the upper function is not in the white list; and
determining that no second function meeting the preset requirement can be traced back along the call path if no white-listed function has been found when the trace reaches the starting point function of the call path.
11. A function calling method, comprising:
acquiring the call path of a first function when a first function call event is monitored; and
calling and executing the first function when a second function meeting a preset requirement can be traced back along the call path;
wherein the second function meeting the preset requirement is an upper function of the first function that meets the preset requirement, and, if an upper function does not meet the preset requirement, the trace continues until a second function meeting the preset requirement is found or the starting point function of the call path is reached.
12. The method of claim 11, wherein the second function meets the following preset requirement:
its valid input parameters do not include a setting pointer, and it contains an operation that checks the authority of the set content.
13. The method of claim 12, wherein the first function is a cred interface function; the setting pointer is a pointer to a cred structure; and the set content is the cred content.
14. The method according to any one of claims 11 to 13, further comprising:
acquiring a white list;
tracing back, along the call path, to the upper function that called the first function; and
determining that a second function meeting the preset requirement can be traced back along the call path if the upper function is in the white list.
15. An electronic device, comprising a memory and a processor, wherein:
the memory is configured to store a program; and
the processor, coupled to the memory, is configured to execute the program stored in the memory so as to:
acquire the call path of a first function when a first function call event is monitored;
detect whether the call path contains a second function meeting a preset requirement; and
determine, based on the detection result, whether the first function call event is legitimate;
wherein detecting whether the call path contains a second function meeting the preset requirement comprises:
tracing back, along the call path, to the upper function that called the first function;
determining whether the upper function meets the preset requirement;
if the preset requirement is met, stopping the stack backtrace, the upper function being the second function; and
if the upper function does not meet the preset requirement, continuing to trace back until a second function meeting the preset requirement is found or the starting point function of the call path is reached.
16. An electronic device, comprising a memory and a processor, wherein:
the memory is configured to store a program; and
the processor, coupled to the memory, is configured to execute the program stored in the memory so as to:
acquire the call path of a first function when a first function call event is monitored;
trace back, along the call path, a second function meeting a preset requirement, wherein the second function meeting the preset requirement is an upper function of the first function that meets the preset requirement, and, if an upper function does not meet the preset requirement, the trace continues until a second function meeting the preset requirement is found or the starting point function of the call path is reached; and
intercept the call of the first function if the backtrace result is empty.
17. An electronic device, comprising a memory and a processor, wherein:
the memory is configured to store a program; and
the processor, coupled to the memory, is configured to execute the program stored in the memory so as to:
acquire the call path of a first function when a first function call event is monitored; and
call and execute the first function when a second function meeting a preset requirement can be traced back along the call path;
wherein the second function meeting the preset requirement is an upper function of the first function that meets the preset requirement, and, if an upper function does not meet the preset requirement, the trace continues until a second function meeting the preset requirement is found or the starting point function of the call path is reached.
CN201910106289.8A 2019-02-02 2019-02-02 Information determining method, function calling method and electronic equipment Active CN111523115B (en)


Publications (2)

Publication Number Publication Date
CN111523115A (en) 2020-08-11
CN111523115B (en) 2023-05-26

Family

ID=71900123

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910106289.8A Active CN111523115B (en) 2019-02-02 2019-02-02 Information determining method, function calling method and electronic equipment

Country Status (1)

Country Link
CN (1) CN111523115B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101539883A (en) * 2009-05-05 2009-09-23 北京和利时系统工程有限公司 Error tracking method of embedded system and device thereof
JP4927231B1 (en) * 2011-12-22 2012-05-09 株式会社フォティーンフォティ技術研究所 Program, information device, and unauthorized access detection method
CN103761175A (en) * 2013-11-25 2014-04-30 中国科学院计算技术研究所 System and method for monitoring program execution paths under Linux system
CN106295346A (en) * 2015-05-20 2017-01-04 深圳市腾讯计算机系统有限公司 A kind of application leak detection method, device and the equipment of calculating
US9542300B1 (en) * 2013-03-15 2017-01-10 Twitter, Inc. System and method for tracking callback functions for error identification
CN108256335A (en) * 2018-02-08 2018-07-06 北京百度网讯科技有限公司 For detecting the method and apparatus of loophole

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9426177B2 (en) * 2013-07-15 2016-08-23 Tencent Technology (Shenzhen) Company Limited Method and apparatus for detecting security vulnerability for animation source file

Also Published As

Publication number Publication date
CN111523115A (en) 2020-08-11

Similar Documents

Publication Publication Date Title
US10310992B1 (en) Mitigation of cyber attacks by pointer obfuscation
US8893225B2 (en) Method and apparatus for secure web widget runtime system
EP3270319B1 (en) Method and apparatus for generating dynamic security module
CN100492300C (en) System and method for executing a process on a microprocessor-enabled device
CN105468980A (en) Security control method, device and system
CN108763951B (en) Data protection method and device
US9871800B2 (en) System and method for providing application security in a cloud computing environment
US11425127B2 (en) Securing application behavior in serverless computing
CN104217139A (en) Processing system
CN111400723A (en) TEE extension-based operating system kernel mandatory access control method and system
Hammad et al. Determination and enforcement of least-privilege architecture in android
US20130042297A1 (en) Method and apparatus for providing secure software execution environment based on domain separation
US20110154364A1 (en) Security system to protect system services based on user defined policies
Rahat et al. Cerberus: Query-driven scalable vulnerability detection in oauth service provider implementations
CN111523115B (en) Information determining method, function calling method and electronic equipment
US10268823B2 (en) Device, system, and method for securing executable operations
CN115048630A (en) Integrity verification method and device of application program, storage medium and electronic equipment
GB2539199A (en) Apparatus and methods for transitioning between a secure area and a less-secure area
CN115455414A (en) Safety detection method and device
CN111062061B (en) Safety protection method and system for ios system
CN113836529A (en) Process detection method, device, storage medium and computer equipment
Lee et al. Is your android app insecure? patching security functions with dynamic policy based on a java reflection technique
KR101862382B1 (en) Method and device for managing application data in Android
CN111177726A (en) System vulnerability detection method, device, equipment and medium
Lee et al. AppWrapper: Patching security functions with dynamic policy on your insecure Android apps

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20201224

Address after: Room 603, 6 / F, Roche Plaza, 788 Cheung Sha Wan Road, Kowloon, China

Applicant after: Zebra smart travel network (Hong Kong) Ltd.

Address before: P.O. Box 847, 4th Floor, Capital Building, Grand Cayman, Cayman Islands

Applicant before: Alibaba Group Holding Ltd.

GR01 Patent grant