CN111753302A - Method and device for detecting code bugs, computer readable medium and electronic equipment - Google Patents

Method and device for detecting code bugs, computer readable medium and electronic equipment Download PDF

Info

Publication number
CN111753302A
CN111753302A CN202010680830.9A CN202010680830A CN111753302A CN 111753302 A CN111753302 A CN 111753302A CN 202010680830 A CN202010680830 A CN 202010680830A CN 111753302 A CN111753302 A CN 111753302A
Authority
CN
China
Prior art keywords
function
code
parameter
parameters
detection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010680830.9A
Other languages
Chinese (zh)
Inventor
陈培思
欧霄
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd filed Critical Tencent Technology Shenzhen Co Ltd
Priority to CN202010680830.9A priority Critical patent/CN111753302A/en
Publication of CN111753302A publication Critical patent/CN111753302A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security

Abstract

The embodiment of the application provides a method and a device for detecting code bugs, a computer readable medium and electronic equipment. The method for detecting the code vulnerability comprises the following steps: the method comprises the steps of obtaining a code and a detection parameter for detecting the code, performing covering initialization processing on the code to obtain the code with a stain mark and a detection function, inputting the detection parameter into the initialized code, performing parameter transmission in the running process of the code, detecting whether the parameter is a parameter with a security threat or not to mark the parameter with the security threat, and identifying the function as a bug of the code when the stain detection function detects that the parameter of the function carries the stain mark. The corresponding detection parameters are obtained based on the codes, so that the authenticity of code detection is improved, and the functions with security holes are detected based on the transfer of the taint marks in the functions, so that the comprehensiveness and the reliability of the code detection are improved.

Description

Method and device for detecting code bugs, computer readable medium and electronic equipment
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method and an apparatus for detecting a code vulnerability, a computer-readable medium, and an electronic device.
Background
When a bug exists in a code file, the bug is easy to attack, and the normal operation of the file is influenced. In the related art, attack prevention and detection are performed on files, for example, a code file is subjected to code analysis in a static analysis mode, and a place where hidden dangers may exist is detected, but the mode cannot comprehensively detect bugs in the code file, and further the problem that the detection effect is not accurate enough is caused.
Disclosure of Invention
Embodiments of the present application provide a method and an apparatus for detecting a code vulnerability, a computer-readable medium, and an electronic device, so that the authenticity, comprehensiveness, and reliability of code detection can be improved at least to a certain extent.
Other features and advantages of the present application will be apparent from the following detailed description, or may be learned by practice of the application.
According to an aspect of an embodiment of the present application, a method for detecting a code vulnerability is provided, including: acquiring a code to be detected and detection parameters for detecting the code; covering and initializing the code to obtain a code with a stain marking function and a stain detecting function; inputting the detection parameters into the code, and performing taint marking on the parameters when the parameters in the code are detected to have safety threats through the taint marking function in the function parameter transmission process of the code to obtain marking parameters; and when the stain detection function detects that the parameters of the function carry stain marks, identifying the function as the vulnerability of the code.
According to an aspect of the embodiments of the present application, there is provided an apparatus for detecting a code bug, including: the device comprises an acquisition unit, a detection unit and a control unit, wherein the acquisition unit is used for acquiring a code to be detected and detection parameters for detecting the code; the initialization unit is used for performing covering initialization on the codes to obtain the codes with the taint marking function and the taint detection function; the marking unit is used for inputting the detection parameters into the code, and performing stain marking on the parameters when the parameters in the code are detected to have safety threats through the stain marking function in the function parameter transmission process of the code to obtain marking parameters; and the detection unit is used for identifying the function as the vulnerability of the code when the stain detection function detects that the parameter of the function carries a stain mark. In some embodiments of the present application, based on the foregoing scheme, the initialization unit includes: the function detection unit is used for identifying a function to be processed which needs to be subjected to coverage initialization in the code based on the attribute of the function in the code; and the function adding unit is used for adding a taint marking function and a taint detection function in the function to be processed to obtain codes with the taint marking function and the taint detection function.
In some embodiments of the present application, based on the foregoing solution, the function detecting unit includes: the first detection unit is used for identifying a function with the number of the character strings exceeding the preset number as a character string related function; and the second detection unit is used for identifying the character string correlation function and the function processor in the code as the function to be processed.
In some embodiments of the present application, based on the foregoing scheme, the marking unit includes: a detection parameter introduction unit for inputting the detection parameter into the code to indicate the code to start running; the parameter attribute detection unit is used for detecting the attribute of the parameter when the parameter obtained based on the detection parameter is transmitted into the function of the code; and the parameter marking unit is used for marking the parameter parameters through the stain marking function to obtain the marked parameters if the parameters in the code are detected to have the security threat based on the attributes of the parameters.
In some embodiments of the present application, based on the foregoing solution, the parameter attribute detecting unit is configured to detect whether an input parameter of the function carries the dirty mark in a function parameter transmission process of the code; the parameter marking unit is used for judging that the input parameters have security threats if the input parameters of the function carry the taint marks; and performing taint marking on the output parameters corresponding to the input parameters through the taint marking function to obtain the marked parameters.
In some embodiments of the present application, based on the foregoing scheme, the marking unit includes: a first determining unit, configured to determine, based on a function in the code, a variable corresponding to the parameter in the code, and generate an identification bit in the variable; the setting unit is used for acquiring a stain mark and setting the value of the identification bit as the stain mark; and the second marking unit is used for generating the marking parameter based on the parameter and the stain mark corresponding to the identification bit.
In some embodiments of the present application, based on the foregoing solution, the detection unit includes: the second detection unit is used for detecting whether a function with potential safety hazard exists in the code or not based on a preset function type with potential safety hazard; the third detection unit is used for detecting whether a function with potential safety hazard exists in the code or not based on the taint detection function, and whether a taint mark is included in the parameter of the function or not is detected; and the third detection unit is used for identifying the function as the vulnerability of the code if the taint mark is contained in the parameter of the function.
In some embodiments of the present application, based on the foregoing scheme, the parameters comprise incoming parameters; the third detection unit includes: the fourth detection unit is used for detecting whether the incoming parameters of the function have identification bits or not; and the fifth detection unit is used for judging that the incoming parameters contain the taint mark if the incoming parameters have the identification bits and the values on the identification bits are the same as the taint mark.
In some embodiments of the present application, based on the foregoing scheme, the function type with security risk includes one or at least two of the following functions: the system comprises a command execution function, a callback function, a code execution function, a file reading function, a file containing function, a file writing function, a data showing function and a database injection function.
In some embodiments of the present application, based on the foregoing solution, the obtaining unit includes: the code acquisition unit is used for acquiring a code to be detected; the scene simulation unit is used for simulating the running scene of the code and determining a target interface for inputting initial parameters into the code; and the parameter generating unit is used for acquiring the detection parameters corresponding to the running scene based on the configuration information of the target interface.
In some embodiments of the present application, based on the foregoing solution, the apparatus for detecting a code vulnerability further includes: the target detection unit is used for identifying a function corresponding to the parameter carrying the stain mark as a target function; a name acquisition unit configured to acquire a function name of the target function; and the alarm unit is used for generating safety alarm information based on the function name.
In some embodiments of the present application, based on the foregoing solution, the apparatus for detecting a code vulnerability further includes: a position determining unit, configured to determine a target position of the target function in the code based on a function name of the target function; the code marking unit is used for marking the target position to generate a marking code; and the detection result unit is used for generating the vulnerability detection result based on the mark code.
According to an aspect of the embodiments of the present application, there is provided a computer readable medium on which a computer program is stored, the computer program, when executed by a processor, implementing the method for detecting code bugs as described in the above embodiments.
According to an aspect of an embodiment of the present application, there is provided an electronic device including: one or more processors; storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method of detecting code vulnerabilities as described in the above embodiments.
According to an aspect of embodiments herein, there is provided a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to perform the method for detecting a code vulnerability provided in the above-mentioned various alternative implementations.
In the technical scheme provided by some embodiments of the application, after a code and a detection parameter used for detecting the code are obtained by covering initialization processing on the code, the code with a stain mark and a detection function is obtained, the detection parameter is input into the code after initialization, parameter transmission is performed in the running process of the code, whether the parameter is a parameter with a security threat or not is detected, the parameter with the security threat is marked, and when the stain detection function detects that the parameter of the function carries the stain mark, the function is identified as a bug of the code. The corresponding detection parameters are obtained based on the codes, so that the authenticity of code detection is improved, and the functions with security holes are detected based on the transfer of the taint marks in the functions, so that the comprehensiveness and the reliability of the code detection are improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application. It is obvious that the drawings in the following description are only some embodiments of the application, and that for a person skilled in the art, other drawings can be derived from them without inventive effort. In the drawings:
FIG. 1 shows a schematic diagram of an exemplary system architecture to which aspects of embodiments of the present application may be applied;
FIG. 2 schematically illustrates a flow diagram of a method of detecting code vulnerabilities according to one embodiment of the present application;
FIG. 3 schematically illustrates a flow diagram of a taint mark being passed in a function of code according to one embodiment of the present application;
FIG. 4 schematically illustrates a schematic view of a spot marking of a detection parameter according to an embodiment of the present application;
FIG. 5 schematically illustrates a schematic diagram of transferring a spot mark according to an embodiment of the present application;
FIG. 6 schematically illustrates a diagram of detecting code vulnerabilities according to one embodiment of the present application;
FIG. 7 schematically illustrates a flow diagram of identifying a function as a vulnerability of code according to one embodiment of the present application;
FIG. 8 schematically shows a flow diagram for detecting code vulnerabilities according to one embodiment of the present application;
FIG. 9 schematically illustrates a block diagram of an apparatus for detecting code vulnerabilities according to one embodiment of the present application;
FIG. 10 is a block diagram of a computer system suitable for use in implementing the electronic device of an embodiment of the present application.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the application. One skilled in the relevant art will recognize, however, that the subject matter of the present application can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and so forth. In other instances, well-known methods, devices, implementations, or operations have not been shown or described in detail to avoid obscuring aspects of the application.
The block diagrams shown in the figures are functional entities only and do not necessarily correspond to physically separate entities. I.e. these functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor means and/or microcontroller means.
The flow charts shown in the drawings are merely illustrative and do not necessarily include all of the contents and operations/steps, nor do they necessarily have to be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the actual execution sequence may be changed according to the actual situation.
Fig. 1 shows a schematic diagram of an exemplary system architecture to which the technical solution of the embodiments of the present application can be applied.
As shown in fig. 1, the system architecture may include a terminal device (e.g., one or more of a smartphone 101, a tablet computer 102, and a portable computer 103 shown in fig. 1, but may also be a desktop computer, etc.), a network 104, and a server 105. The network 104 serves as a medium for providing communication links between terminal devices and the server 105. Network 104 may include various connection types, such as wired communication links, wireless communication links, and so forth.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation. For example, server 105 may be a server cluster comprised of multiple servers, or the like.
A user may use a terminal device to interact with the server 105 over the network 104 to receive or send messages or the like. The server 105 may be a server that provides various services. For example, a user uploads a code to be detected to the server 105 by using the terminal device 103 (or the terminal device 101 or 102), the server 105 obtains the code to be detected and a detection parameter for detecting the code, and then performs overlay initialization on the code to obtain a code having a stain marking function and a stain detection function; inputting the detection parameters into the code, and performing taint marking on the parameters to obtain marked parameters when the parameters in the code are detected to have safety threats through the taint marking function in the function parameter transmission process of the code; when the dirty mark is carried by the parameter of the function detected by the dirty detection function, the function is identified as a bug of the code. The method comprises the steps of obtaining a code and a detection parameter for detecting the code, performing covering initialization processing on the code to obtain the code with a stain mark and a detection function, inputting the detection parameter into the initialized code, performing parameter transmission in the running process of the code, detecting whether the parameter is a parameter with a security threat or not to mark the parameter with the security threat, and identifying the function as a leak of the code when the stain detection function detects that the parameter of the function carries the stain mark. The corresponding detection parameters are obtained based on the codes, so that the authenticity of code detection is improved, and the functions with security holes are detected based on the transfer of the taint marks in the functions, so that the comprehensiveness and the reliability of the code detection are improved.
It should be noted that the method for detecting a code bug provided in the embodiment of the present application is generally executed by the server 105, and accordingly, the apparatus for detecting a code bug is generally disposed in the server 105. However, in other embodiments of the present application, the terminal device may also have a similar function as the server, so as to execute the scheme for detecting the code vulnerability provided in the embodiments of the present application. For example, a computer directly detects a bug of a code to obtain the bug of the code, and generates a detection result.
The implementation details of the technical solution of the embodiment of the present application are set forth in detail below:
FIG. 2 illustrates a flow diagram of a method of detecting a code vulnerability that may be performed by a server, which may be the server shown in FIG. 1, according to one embodiment of the present application. Referring to fig. 2, the method for detecting code bugs at least includes steps S210 to S240, which are described in detail as follows:
in step S210, a code to be detected and a detection parameter for detecting the code are acquired.
With the development of computer systems, more and more system software appears like bamboo shoots after the rain, and due to the development of front-end technologies, more and more systems start to be web-oriented and online, and people can acquire more and more services online through browsers. Along with the richness of functions of online websites, the network security is complicated, and hackers can search for the possibility of vulnerabilities existing in each system without losing proficiency. In the embodiment, the codes in the network and the system are obtained to perform vulnerability detection on the codes.
In an embodiment of the present application, the mode of acquiring the code to be detected may be acquired through a background of the system, or may be acquired from a folder of the system code, and the like.
The code in this embodiment is used to represent a source file written by a programmer in a language supported by a development tool, and is a set of explicit rules for representing information in discrete form by characters, symbols, or signal symbols. The code types in this embodiment may include: hypertext Markup Language (HTML), Cascading Style Sheets (CSS), Java, C, and C + +, and so on.
In one embodiment of the application, when the code is detected, the detection is performed by simulating an actual running scene of the code. Therefore, the input parameters can be generated based on the actual operation scene, in the embodiment, the operation scene of the code is simulated to obtain the detection parameters corresponding to the operation scene, so as to detect the code based on the detection parameters.
In an embodiment of the present application, the process of acquiring the code to be detected and the detection parameter for detecting the code in step S210 includes the following steps: acquiring a code to be detected; simulating the running scene of the code, and determining a target interface for inputting initial parameters in the code; and acquiring detection parameters corresponding to the operation scene based on the configuration information of the target interface.
In practical applications, each code requires an initial input data at runtime to initiate the execution of the code. In this embodiment, an operation scenario of a code is simulated, and a target interface of the code, into which initial data needs to be input, is determined. And generating detection parameters corresponding to the operation scene based on the configuration information of the target interface, so that the detection parameters are used as input parameters of the code. In an embodiment of the present application, the configuration information of the target interface may include an interface type of the target interface, a parameter type of an input parameter corresponding to the interface type, and the like, so as to determine data corresponding to the interface type or the parameter type as the detection parameter.
For example, in an application scenario of a web page backdoor webshell, in this embodiment, an entry for receiving external parameters for the webshell is adopted in a form of simulating dynamic incoming parameters, and custom parameters are incoming to simulate a real scenario running on a line. Specifically, in this embodiment, a value place, i.e., an input interface, in a code is determined, and a user-defined character string parameter is transmitted to a common parameter input interface with a potential safety hazard, such as a GET, a POST, a COOKIE, and the like, in combination with analysis of a security intrusion case. Assuming that a security threat content is introduced by an external malicious attacker of the webshell as a detection parameter, the value of the detection parameter may be set to 'attach' to facilitate the transmission of the parameter.
In step S220, overlay initialization is performed on the code, and a code having a stain marking function and a stain detection function is obtained.
In one embodiment of the present application, the code may be initialized before being detected. The initialization operation in this embodiment may include overwriting the code, deleting redundant data in the code, for example, deleting comments in the code, and the like, and may further add a stain marking function and a stain detection function to the code to be detected.
In one embodiment of the present application, as shown in fig. 3, the process of performing overlay initialization on the code in step S220 to obtain a code having a stain marking function and a stain detection function includes steps S2201 to S2202, which are described in detail as follows:
in step S2201, a function to be processed in the code, which needs to be coverage initialized, is identified based on the attribute of the function in the code.
In one embodiment of the present application, the functions to be processed may include various types of functions, functions with more specific operation modes, or functions with more corresponding characters in the code. The coverage initialization in this embodiment is used to indicate that a function obtained by coverage initialization has both an original function and a new function by covering the new function on the basis of the original function of the function.
In an embodiment of the present application, the process of identifying a function to be processed in the code, which needs to perform coverage initialization, based on an attribute of the function in the code in step S2201 includes the following steps:
identifying a function with the number of the character strings exceeding a preset number as a character string related function;
identifying a function processor in the character string related function and the code as a function to be processed;
in one embodiment of the present application, a function that the number of character strings in the code exceeds a preset number is detected as a character string correlation function. And the function processor in the character string related function and the code is used as the function to be processed, so that a layer of agent is added on the upper layer of the function to be processed on the basis of not changing the original functions of the functions to be processed.
In step S2202, a taint marking function and a taint detection function are added to the function to be processed, and a code having the taint marking function and the taint detection function is obtained.
In an embodiment of the application, after the functions to be processed are determined, on the basis of not changing the original functions of the functions to be processed, a layer of agent is added on the upper layer of the functions to be processed, and on the basis of entrusting the original function processor to execute the original functions, functions of stain marking and stain detection are added, so that codes with functions of stain marking and stain detection are obtained.
Illustratively, in the webpage backdoor webshell code written based on the PHP language, the code is overwritten when the drive entry function MODULE _ INIT is run. The MODULE _ INIT is an entry function of the Linux driver, and when the MODULE _ INIT is run, an initialization process of the code can be executed. In the process, the code is overwritten, namely, a function processor of a large number of character string related functions and operation codes native to the PHP kernel is overwritten. To add the functionality of smudge marking and smudge detection before the functions of the code take effect.
In step S230, the detection parameters are input into the code, and in the process of function parameter transmission of the code, when the parameter in the code is detected to have a security threat through the taint marking function, the parameter is taint marked to obtain marked parameters.
In an embodiment of the present application, in the embodiment, the detection parameters are input into the code, and the targeted stain marking is performed on the detection parameters with the security threat through a stain marking function, so as to obtain marking parameters. So that the marking parameters identify functions or other code elements, etc. in the code, which are related to the marking parameters, through the taint mark during the transfer process.
In an embodiment of the present application, the step S230 inputs the detection parameter into the code, and in the process of function parameter transmission of the code, when the parameter in the code is detected to have a security threat through the taint marking function, the process of taint marking the parameter to obtain a marked parameter includes steps S2301 to S2303, which are described in detail as follows:
in step S2301, the detection parameter is input into the code to instruct the code to start running.
In one embodiment of the present application, after the code is initialized, detection parameters are entered into the code to indicate or trigger the code to begin execution. In the running process of the code, the processing such as operation is carried out based on the marking parameters, and the processing result obtained by each operation is generated. Meanwhile, the code generates new parameters based on the detection parameters in the running process, and the new parameters are transmitted among the functions, namely, parameters are transmitted, so that the function of the whole code is completed.
In step S2302, when a parameter derived based on the detected parameter is introduced into a function of the code, an attribute of the parameter is detected.
In one embodiment of the application, whether the detection parameter is a parameter with a security threat is judged based on the parameter information of the detection parameter. For an externally-transmitted parameter with a security threat, namely taint content, a means for tracing the transmission of the taint content in the code is needed. It is first marked so that it can be identified by the mark at any time. Since our goal is not to detect all externally incoming parameters, but only to track and detect parameters that have a threat potential.
In one embodiment of the present application, detecting the attribute of the parameter, when the parameter obtained based on the detected parameter is transmitted into the function of the code, comprises: and detecting whether the input parameters of the function carry the taint mark or not in the function parameter transmission process of the code.
In one embodiment of the present application, the attribute of the parameter may be determined by detecting the input party of the parameter. For example, when an actual running scene of a code is simulated, in this embodiment, an input of a detection parameter may be simulated as an attacker of the code, and then the input detection parameter is attack data, and by judging identity information of the input of the detection parameter, a conclusion is obtained whether the detection parameter is a parameter with a security threat.
In step S2303, based on the attribute of the parameter, if it is detected that the parameter in the code has a security threat, the parameter is marked by the taint marking function, so as to obtain the marked parameter.
In one embodiment of the application, if it is detected that the input parameters of the function carry the taint mark, it is determined that the input parameters have a security threat; and performing taint marking on the output parameters corresponding to the input parameters through the taint marking function to obtain the marked parameters. If the input parameters of the function are detected not to carry the taint marks, the input parameters are judged not to have the security threat, and the output parameter memorability marks of the function are not needed. In the above way, the taint mark is transferred in the function of the code so as to detect the function with the security hole in the code.
In this embodiment, when the detection parameter is a parameter with a security threat, the detection parameter is marked to obtain a marked parameter. Optionally, in this embodiment, the parameter information of the detected parameter may be a type of the detected parameter, a numerical value of the detected parameter, or an analog input person for inputting the detected parameter.
In an embodiment of the present application, the step S230 of performing the dirty mark on the parameter to obtain a marked parameter includes the following steps:
determining a variable corresponding to the parameter in the code based on a function in the code, and generating an identification bit in the variable;
acquiring a stain mark, and setting the value of the identification bit as the stain mark;
and generating marking parameters based on the detection parameters and the stain marks corresponding to the identification bits.
Fig. 4 is a schematic diagram of a stain marking on a detection parameter according to an embodiment of the present application.
As shown in fig. 4, in an embodiment of the present application, in the running process of a code, a function and a variable thereof in the code are assigned to implement operation of the function, thereby completing a function of the code. In this embodiment, a variable 410 corresponding to a detection parameter in a code is determined, so as to mark a dirty point for the variable, and further perform function operation and parameter transfer based on the variable carrying the dirty point mark. Specifically, in this embodiment, the flag bit 420 is first generated in the variable, the value of the flag bit 420 is set as the taint mark 440, and the value of the variable 430 is set as the detection parameter 450; finally, the stain mark and the detection parameter are combined to assign a value to the variable, and the mark parameter 460 carrying the stain mark is obtained.
Exemplary, there are many ways to mark the detection parameters for stains. Taking the PHP language of the hypertext preprocessor as an example, a flag reserved for a PHP variable in the PHP7 version is used, and the flag is set to a certain value, that is, the variable is considered to be marked with a stain. In addition, for other development languages, the taint mark may be performed using the characteristics of other languages.
In one embodiment of the present application, a dirty mark in the marking parameters is passed in the code during the code's execution. The specific transfer mode is that the functions of the code are sequentially transferred, and the transfer sequence of the functions is consistent with the operation logic or reference relation among the functions in the code.
For example, during the operation of the webshell program, the parameter may be passed and calculated many times. For example, passing as a parameter of some function inside the webshell. For example $ a ═ b. $ c, or $ a ═ base64($ c). In these processes, although we initially flag the variable $ c, in the process of calculating or transferring parameters of the function, its value is passed to other variables. In the embodiment, the variable calculation and function transfer process is modified, whether the parameter has the stain mark or not is judged on the basis of the original function, if so, the returned result of the function is marked with the stain mark, and then the stain transmission can be completed.
In one embodiment of the present application, the process of transferring a taint mark in a function of a code comprises the steps of: when the dirty mark is transmitted in the function of the code, whether the input parameter of the function carries the dirty mark or not is detected; and if the input parameters of the function carry the dirty mark, carrying out the dirty mark on the output parameters of the function so as to transfer the output parameters carrying the dirty mark in other functions.
Fig. 5 is a schematic diagram of a transmission stain mark provided by an embodiment of the present application.
As shown in fig. 5, in one embodiment of the present application, there are at least two functions in the code, such as functions 510, 560, 570, and 580 in the figure. When the dirty mark is transferred in the function, each variable in the related function is marked with the dirty mark. Specifically, whether the input parameter 520 of the function 510 carries the dirty mark 530 is detected, and if the input parameter 510 of the function carries the dirty mark 530, the output parameter 510 of the function is also marked with the dirty mark 550, so that the output parameter carrying the dirty mark in the function is used as the input parameter of the next function 570, and the transfer of the dirty mark is realized.
In addition, for the function 560 in fig. 5, if no dirty flag exists in the input parameters, no dirty flag is performed on the output parameters. And when at least two input parameters of a function exist, and the input parameters have the dirty mark and the input parameters do not have the dirty mark, the dirty mark is carried out on the output parameters of the function, so that the phenomenon of label missing is prevented.
In step S240, when it is detected by the taint detection function that the parameter of the function carries a taint mark, the function is identified as a vulnerability of the code.
In one embodiment of the present application, during the transfer of the dirty mark, the corresponding parameters of the function are introduced, and the input parameters and the output parameters of the respective functions may be shared. Therefore, during the running process of a code, the dirty mark may be transferred to all functions or to part of the functions, particularly the running logic between the functions. In the embodiment, a function carrying a stain mark is judged by detecting a parameter of the function and is used as a code bug.
In addition, when the taint detection function detects that the parameters of the function do not carry the taint mark, the function is not affected by the taint mark, namely the function is not identified as the vulnerability of the code, and the other functions are continuously detected.
Fig. 6 is a schematic diagram of detecting a code vulnerability provided in an embodiment of the present application.
As shown in fig. 6, in the web system 610, the Webshell code 620 based on the PHP programming language is input into the Webshell intrusion detection tool 630; firstly, performing coverage initialization 640 on the code to enable the code to have the functions of marking and detecting a vulnerability; and then simulating a dynamic incoming parameter 650, and simultaneously performing stain marking and detection 660 based on the incoming parameter to obtain a detection result 670 with potential safety hazard.
In an embodiment of the present application, as shown in fig. 7, when it is detected by the stain detection function that the parameter of the function carries a stain mark in step S240, a process of identifying the function as a vulnerability of the code includes steps S2401 to S2402, which are described in detail as follows:
in step S2401, whether a function with a potential safety hazard exists in the code is detected based on a preset function type with a potential safety hazard.
In one embodiment of the application, function types with potential safety hazards are preset, and functions with potential safety hazards in codes are determined based on the preset function types. And performing important potential safety hazard detection based on the functions with potential safety hazards.
In one embodiment of the present application, the function types with security risks include one or at least two of the following functions: the system comprises a command execution function, a callback function, a code execution function, a file reading function, a file containing function, a file writing function, a data showing function and a database injection function.
Specifically, in an embodiment of the present application, the command execution function may include: system functions, exec program start functions, etc.; the callback function may include: call _ user _ func user call function, forward _ static _ call keyword call function, and the like; the code execution function includes: a preg _ place canonical replacement function, an assert run function, etc.; the file read function may include: file function, file _ get _ contents file directory function, etc.; the file containing function may include: the include comprises a function, a require loading and running function and the like; the file writing function may include: file _ put _ contents directory write function, fwrite file handling function, etc.; the data presentation may include: a printf output function, a print _ r print variable function, etc.; sql injection correlation includes: mysqli extended library functions, sqlitedatabase database control functions, and the like; in the return value obtaining function eval, there are external parameters in the content of code execution, such as:
eval (gzilrate (base64_ decode ('U0 lfusvqixd 3DYk2jLUGAA ═'))); indicating that the corresponding return value was obtained.
In step S2402, if a function with a potential safety hazard exists in the code, whether a taint mark is included in parameters of the function is detected based on the taint detection function.
In one embodiment of the present application, since there may be multiple functions in one code, it takes much time and effort to detect each function. In the embodiment, whether the stain mark exists or not is detected in a targeted manner through the stain detection function based on the function with the potential safety hazard by detecting the function with the potential safety hazard, so that the stain detection efficiency is improved.
In one embodiment of the present application, the parameters include incoming parameters; detecting whether the parameters of the function contain the stain marks or not comprises the following steps: detecting whether an incoming parameter of a function has an identification bit; and if the incoming parameters have identification bits, and the values on the identification bits are the same as the stain marks, judging that the incoming parameters contain the stain marks.
In an embodiment of the present application, corresponding to the manner of adding the dirty mark to the variable, when detecting whether the dirty mark exists in a parameter of a function, first, whether an identification bit exists in a transmission parameter of the function is detected, and if the identification bit exists in the transmission parameter, whether a value on the identification bit is the same as the dirty mark is detected; and if the value on the identification bit is the same as the stain mark, judging that the transmitted parameters contain the stain mark. In addition, if the identification bit does not exist in the transmitted parameters, judging that the transmitted parameters of the function do not contain the stain marks; or, if the incoming parameter has the identification bit, but the value of the identification bit is different from the dirty mark, determining that the incoming parameter does not include the dirty mark.
It should be noted that the way of detecting the blur of the incoming parameter in the present embodiment can be applied to detect the blur of other parameters in the function, and this is merely an example.
In step S2403, if the parameters of the function include the dirty flag, the function is identified as a bug of the code.
In an embodiment of the present application, if the parameters of the function include the dirty mark, it indicates that the detection parameters and the dirty mark have a large influence on the function, and will directly affect the output of the function.
Illustratively, for the following code written by webshell:
<?php
$ a ═ $ GET [ 'call' ]; // first row
$ b ═ $ GET [ 'cmd' ]; // second row
$ c ═ base64_ decode ($ a); // third row
system ($ b); // fourth row
eval ($ c); // fifth element
?>
Assuming that the code is subjected to the overlay initialization processing, the processing procedure of each subsequent line of code is as follows:
first row: judging that the GET is an entrance with potential safety hazard, assigning 'ATTACK' to $ a, and marking by using a reserved zone bit of php 7;
a second row: judging that GET is an entrance with potential safety hazard, assigning 'ATTACK' to $ b, and marking by using a reserved zone bit of php 7;
third row: the primitive function is that $ a is decrypted by base64 and then assigned to $ c, and after coverage initialization, taint propagation is carried out, and $ c is also taint marked;
fourth row: when a high-risk function (system) is encountered, judging whether parameters of the system have a taint mark or not, and alarming because $ b has the taint mark;
the fifth element: encountering a high risk function (eval), judging whether the parameter has a dirty mark, and alarming because $ c has a dirty mark (propagated by $ a);
and after the detection is finished, judging the webshell code file as a file with potential safety hazard due to the alarm.
Fig. 8 is a flowchart of detecting a code vulnerability according to an embodiment of the present application.
As shown in fig. 8, in step S810, the actual running environment of the model code dynamically transmits parameters; in step S820, it is determined whether the parameter-valued variable is a sensitive variable, that is, a variable with security threat; if not, returning to step 810; if yes, in step S830, the reserved mark for simulating the entry parameter is set and marked with a stain; in step S840, based on a preset function type with a security vulnerability, detecting whether a variable is a sensitive function in a transfer process; if not, in step S850, the taint mark is propagated down functionally and technically; if yes, in step S860, determining whether the parameter has a stain mark; if yes, in step S870, a memorability alarm is given, and the function is determined to be a function with potential safety hazard.
In an embodiment of the present application, in the step S240, in the taint mark transferring process, after the step of identifying the function as the vulnerability of the code when the taint detection function detects that the parameter of the function carries the taint mark, the method further includes: identifying a function corresponding to the parameter carrying the stain mark as a target function; acquiring a function name of a target function; and generating safety alarm information based on the function name.
Specifically, in this embodiment, after a parameter carrying a stain mark is detected, a function corresponding to the parameter is identified as an objective function, so as to generate safety alarm information based on a function name of the objective function. And informing the management equipment that potential safety hazards exist in the function so as to maintain the function by packaging and the like, and improving the safety and reliability of the target function.
In an embodiment of the present application, after the process of obtaining the function name of the objective function, the method further includes: determining a target position of the target function in the code based on the function name of the target function; marking the target position to generate a marking code; and generating a vulnerability detection result based on the mark codes.
Specifically, in an embodiment of the present application, after all the functions in one code are detected, at least one objective function is obtained. In this embodiment, the target position of the target function in the code is determined by searching in the code based on the function name of the target function. To mark in the code based on the target position, generating a marked code after marking. And finally, generating a vulnerability detection result based on the mark code.
In one embodiment of the present application, the method for marking the target function may be marking by different colors, marking by adding annotations, and the like.
The following describes an embodiment of an apparatus of the present application, which may be used to execute the method for detecting a code vulnerability in the above embodiment of the present application. It will be appreciated that the apparatus may be a computer program (comprising program code) running on a computer device, for example an application software; the apparatus may be used to perform the corresponding steps in the methods provided by the embodiments of the present application. For details that are not disclosed in the embodiments of the apparatus of the present application, please refer to the embodiments of the method for detecting a code bug described above.
FIG. 9 shows a block diagram of an apparatus to detect code vulnerabilities according to one embodiment of the present application.
Referring to fig. 9, an apparatus 900 for detecting a code vulnerability according to an embodiment of the present application includes: an obtaining unit 910, configured to obtain a code to be detected and a detection parameter for detecting the code; an initialization unit 920, configured to perform overlay initialization on the code to obtain a code having a taint marking function and a taint detection function; a marking unit 930, configured to input the detection parameter into the code, and perform a dirty mark on the parameter when detecting that the parameter in the code has a security threat through the dirty mark function in a function parameter transmission process of the code, to obtain a mark parameter; a detecting unit 940, configured to identify the function as a vulnerability of the code when it is detected by the taint detection function that the parameter of the function carries a taint mark.
In some embodiments of the present application, based on the foregoing scheme, the initialization unit 920 includes: the function detection unit is used for identifying a function to be processed which needs to be subjected to coverage initialization in the code based on the attribute of the function in the code; and the function adding unit is used for adding a taint marking function and a taint detection function in the function to be processed to obtain codes with the taint marking function and the taint detection function.
In some embodiments of the present application, based on the foregoing solution, the function detecting unit includes: the first detection unit is used for identifying a function with the number of the character strings exceeding the preset number as a character string related function; and the second detection unit is used for identifying the character string correlation function and the function processor in the code as the function to be processed.
In some embodiments of the present application, based on the foregoing scheme, the marking unit 930 includes: a detection parameter introduction unit for inputting the detection parameter into the code to indicate the code to start running; the parameter attribute detection unit is used for detecting the attribute of the parameter when the parameter obtained based on the detection parameter is transmitted into the function of the code; and the parameter marking unit is used for marking the parameter parameters through the stain marking function to obtain the marked parameters if the parameters in the code are detected to have the security threat based on the attributes of the parameters.
In some embodiments of the present application, based on the foregoing solution, the parameter attribute detecting unit is configured to detect whether an input parameter of the function carries the dirty mark in a function parameter transmission process of the code; the parameter marking unit is used for judging that the input parameters have security threats if the input parameters of the function carry the taint marks; and performing taint marking on the output parameters corresponding to the input parameters through the taint marking function to obtain the marked parameters.
In some embodiments of the present application, based on the foregoing scheme, the marking unit 930 includes: a first determining unit, configured to determine, based on a function in the code, a variable corresponding to the parameter in the code, and generate an identification bit in the variable; the setting unit is used for acquiring a stain mark and setting the value of the identification bit as the stain mark; and the second marking unit is used for generating the marking parameter based on the parameter and the stain mark corresponding to the identification bit.
In some embodiments of the present application, based on the foregoing solution, the detecting unit 910 includes: the second detection unit is used for detecting whether a function with potential safety hazard exists in the code or not based on a preset function type with potential safety hazard; the third detection unit is used for detecting whether a function with potential safety hazard exists in the code or not based on the taint detection function, and whether a taint mark is included in the parameter of the function or not is detected; and the third detection unit is used for identifying the function as the vulnerability of the code if the taint mark is contained in the parameter of the function.
In some embodiments of the present application, based on the foregoing scheme, the parameters comprise incoming parameters; the third detection unit includes: the fourth detection unit is used for detecting whether the incoming parameters of the function have identification bits or not; and the fifth detection unit is used for judging that the incoming parameters contain the taint mark if the incoming parameters have the identification bits and the values on the identification bits are the same as the taint mark.
In some embodiments of the present application, based on the foregoing scheme, the function type with security risk includes one or at least two of the following functions: the system comprises a command execution function, a callback function, a code execution function, a file reading function, a file containing function, a file writing function, a data showing function and a database injection function.
In some embodiments of the present application, based on the foregoing solution, the obtaining unit 910 includes: the code acquisition unit is used for acquiring a code to be detected; the scene simulation unit is used for simulating the running scene of the code and determining a target interface for inputting initial parameters into the code; and the parameter generating unit is used for acquiring the detection parameters corresponding to the running scene based on the configuration information of the target interface.
In some embodiments of the present application, based on the foregoing solution, the apparatus 900 for detecting a code vulnerability further includes: the target detection unit is used for identifying a function corresponding to the parameter carrying the stain mark as a target function; a name acquisition unit configured to acquire a function name of the target function; and the alarm unit is used for generating safety alarm information based on the function name.
In some embodiments of the present application, based on the foregoing solution, the apparatus 900 for detecting a code vulnerability further includes: a position determining unit, configured to determine a target position of the target function in the code based on a function name of the target function; the code marking unit is used for marking the target position to generate a marking code; and the detection result unit is used for generating the vulnerability detection result based on the mark code.
FIG. 10 illustrates a schematic structural diagram of a computer system suitable for use in implementing the electronic device of an embodiment of the present application.
It should be noted that the computer system 1000 of the electronic device shown in fig. 10 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present application.
As shown in fig. 10, the computer system 1000 includes a Central Processing Unit (CPU)1001 that can perform various appropriate actions and processes, such as performing the methods described in the above embodiments, according to a program stored in a Read-Only Memory (ROM) 1002 or a program loaded from a storage portion 1008 into a Random Access Memory (RAM) 1003. In the RAM 1003, various programs and data necessary for system operation are also stored. The CPU 1001, ROM 1002, and RAM 1003 are connected to each other via a bus 1004. An Input/Output (I/O) interface 1005 is also connected to the bus 1004.
The following components are connected to the I/O interface 1005: an input section 1006 including a keyboard, a mouse, and the like; an output section 1007 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage portion 1008 including a hard disk and the like; and a communication section 1009 including a network interface card such as a LAN (Local area network) card, a modem, or the like. The communication section 1009 performs communication processing via a network such as the internet. The driver 1010 is also connected to the I/O interface 1005 as necessary. A removable medium 1011 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 1010 as necessary, so that a computer program read out therefrom is mounted into the storage section 1008 as necessary.
In particular, according to embodiments of the application, the processes described above with reference to the flow diagrams may be implemented as computer software programs. For example, embodiments of the present application include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising a computer program for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication part 1009 and/or installed from the removable medium 1011. When the computer program is executed by a Central Processing Unit (CPU)1001, various functions defined in the system of the present application are executed.
It should be noted that the computer readable medium shown in the embodiments of the present application may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a Read-Only Memory (ROM), an Erasable Programmable Read-Only Memory (EPROM), a flash Memory, an optical fiber, a portable Compact Disc Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In this application, however, a computer readable signal medium may include a propagated data signal with a computer program embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. The computer program embodied on the computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. Each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present application may be implemented by software, or may be implemented by hardware, and the described units may also be disposed in a processor. Wherein the names of the elements do not in some way constitute a limitation on the elements themselves.
According to an aspect of the application, a computer program product or computer program is provided, comprising computer instructions, the computer instructions being stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to perform the method provided in the various alternative implementations described above.
As another aspect, the present application also provides a computer-readable medium, which may be contained in the electronic device described in the above embodiments; or may exist separately without being assembled into the electronic device. The computer readable medium carries one or more programs which, when executed by an electronic device, cause the electronic device to implement the method described in the above embodiments.
It should be noted that although in the above detailed description several modules or units of the device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit, according to embodiments of the application. Conversely, the features and functions of one module or unit described above may be further divided into embodiments by a plurality of modules or units.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present application can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which can be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which can be a personal computer, a server, a touch terminal, or a network device, etc.) to execute the method according to the embodiments of the present application.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the embodiments disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains.
It will be understood that the present application is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (15)

1. A method for detecting code bugs, comprising:
acquiring a code to be detected and detection parameters for detecting the code;
covering and initializing the code to obtain a code with a stain marking function and a stain detecting function;
inputting the detection parameters into the code, and performing taint marking on the parameters when the parameters in the code are detected to have safety threats through the taint marking function in the function parameter transmission process of the code to obtain marking parameters;
and when the stain detection function detects that the parameters of the function carry stain marks, identifying the function as the vulnerability of the code.
2. The method of claim 1, wherein performing overlay initialization on the code to obtain a code with a taint marking function and a taint detection function comprises:
identifying a function to be processed which needs to be subjected to coverage initialization in the code based on the attribute of the function in the code;
and adding a taint marking function and a taint detection function in the function to be processed to obtain a code with the taint marking function and the taint detection function.
3. The method of claim 2, wherein identifying the function to be processed in the code for which overlay initialization is required based on the property of the function in the code comprises:
identifying a function with the number of the character strings exceeding a preset number as a character string related function;
and identifying the character string related function and a function processor in the code as the function to be processed.
4. The method of claim 1, wherein inputting the detection parameters into the code, and performing a taint marking on the parameters in the code when detecting that the parameters have a security threat through the taint marking function in a function parameter process of the code to obtain marking parameters comprises:
inputting the detection parameters into the code to indicate that the code starts to run;
detecting the attribute of the parameter when the parameter obtained based on the detection parameter is transmitted into the function of the code;
and based on the attribute of the parameter, if the parameter in the code is detected to have a security threat, marking the parameter through the taint marking function to obtain the marked parameter.
5. The method of claim 4, wherein detecting the attribute of the parameter in the code during the function parameter process of the code comprises:
in the function parameter transmission process of the code, detecting whether the input parameters of the function carry the taint mark;
based on the attribute of the parameter, if the parameter in the code is detected to have the security threat, marking the parameter through the stain marking function to obtain the marking parameter, wherein the marking parameter comprises:
if the input parameters of the function carry the taint mark, judging that the input parameters have security threat;
and performing taint marking on the output parameters corresponding to the input parameters through the taint marking function to obtain the marked parameters.
6. The method of claim 1, wherein spot marking the parameter to obtain a marked parameter comprises:
determining a variable corresponding to the parameter in the code based on a function in the code, and generating an identification bit in the variable;
acquiring a stain mark, and setting the value of the identification bit as the stain mark;
and generating the marking parameters based on the parameters and the stain marks corresponding to the identification bits.
7. The method of claim 1, wherein identifying the function as a vulnerability of the code when a parameter of the function carrying a dirty flag is detected by the dirty detection function comprises:
detecting whether a function with potential safety hazard exists in the code or not based on a preset function type with potential safety hazard;
if a function with potential safety hazards exists in the code, detecting whether parameters of the function contain a taint mark or not based on the taint detection function;
and if the parameters of the function comprise the taint marks, identifying the function as the vulnerability of the code.
8. The method of claim 7, wherein the parameters comprise incoming parameters;
detecting whether the parameters of the function contain the stain mark or not, comprising the following steps:
detecting whether identification bits exist in the incoming parameters of the function;
and if the incoming parameters have the identification bits and the values on the identification bits are the same as the taint marks, judging that the incoming parameters contain the taint marks.
9. The method of claim 7, wherein the type of function with security risk comprises one or at least two of the following functions: the system comprises a command execution function, a callback function, a code execution function, a file reading function, a file containing function, a file writing function, a data showing function and a database injection function.
10. The method of claim 1, wherein obtaining a code to be detected and detection parameters for detecting the code comprises:
acquiring a code to be detected;
simulating the running scene of the code, and determining a target interface for inputting initial parameters in the code;
and acquiring detection parameters corresponding to the operation scene based on the configuration information of the target interface.
11. The method of claim 1, wherein after identifying the function as a vulnerability of the code when detecting by the taint detection function that a parameter of the function carries a taint mark, further comprising:
identifying a function corresponding to the parameter carrying the stain mark as a target function;
acquiring a function name of the target function;
and generating safety alarm information based on the function name.
12. The method of claim 11, wherein after obtaining the function name of the objective function, further comprising:
determining a target position of the target function in the code based on the function name of the target function;
marking the target position to generate a marking code;
and generating the vulnerability detection result based on the mark code.
13. An apparatus for detecting code vulnerabilities, comprising:
the device comprises an acquisition unit, a detection unit and a control unit, wherein the acquisition unit is used for acquiring a code to be detected and detection parameters for detecting the code;
the initialization unit is used for performing covering initialization on the codes to obtain the codes with the taint marking function and the taint detection function;
the marking unit is used for inputting the detection parameters into the code, and performing stain marking on the parameters when the parameters in the code are detected to have safety threats through the stain marking function in the function parameter transmission process of the code to obtain marking parameters;
and the detection unit is used for identifying the function as the vulnerability of the code when the stain detection function detects that the parameter of the function carries a stain mark.
14. A computer-readable medium, on which a computer program is stored, which, when being executed by a processor, carries out a method of detecting a code vulnerability according to any one of claims 1 to 12.
15. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method of detecting code vulnerabilities as claimed in any one of claims 1 to 12.
CN202010680830.9A 2020-07-15 2020-07-15 Method and device for detecting code bugs, computer readable medium and electronic equipment Pending CN111753302A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010680830.9A CN111753302A (en) 2020-07-15 2020-07-15 Method and device for detecting code bugs, computer readable medium and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010680830.9A CN111753302A (en) 2020-07-15 2020-07-15 Method and device for detecting code bugs, computer readable medium and electronic equipment

Publications (1)

Publication Number Publication Date
CN111753302A true CN111753302A (en) 2020-10-09

Family

ID=72711840

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010680830.9A Pending CN111753302A (en) 2020-07-15 2020-07-15 Method and device for detecting code bugs, computer readable medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN111753302A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112966274A (en) * 2021-03-11 2021-06-15 北京长亭未来科技有限公司 Web security vulnerability detection method, scanner, storage medium and electronic device
CN114969765A (en) * 2022-07-27 2022-08-30 杭州海康威视数字技术股份有限公司 Internet of things equipment non-inductive security vulnerability repairing method, device and equipment
CN116049823A (en) * 2023-03-31 2023-05-02 北京微步在线科技有限公司 Memory horse detection method and device, computer equipment and storage medium

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112966274A (en) * 2021-03-11 2021-06-15 北京长亭未来科技有限公司 Web security vulnerability detection method, scanner, storage medium and electronic device
CN112966274B (en) * 2021-03-11 2024-03-19 北京长亭未来科技有限公司 Web security hole detection method, scanner, storage medium and electronic device
CN114969765A (en) * 2022-07-27 2022-08-30 杭州海康威视数字技术股份有限公司 Internet of things equipment non-inductive security vulnerability repairing method, device and equipment
CN116049823A (en) * 2023-03-31 2023-05-02 北京微步在线科技有限公司 Memory horse detection method and device, computer equipment and storage medium

Similar Documents

Publication Publication Date Title
US10282550B1 (en) Auto-remediation workflow for computer security testing
US9892263B2 (en) System, method and apparatus to visually configure an analysis of a program
WO2019075390A1 (en) Blackbox matching engine
Lin et al. Automated forensic analysis of mobile applications on Android devices
CN111753302A (en) Method and device for detecting code bugs, computer readable medium and electronic equipment
CN107659570A (en) Webshell detection methods and system based on machine learning and static and dynamic analysis
US20150244737A1 (en) Detecting malicious advertisements using source code analysis
CN111737692B (en) Application program risk detection method and device, equipment and storage medium
US9443077B1 (en) Flagging binaries that drop malicious browser extensions and web applications
Li et al. Large-scale third-party library detection in android markets
US11868465B2 (en) Binary image stack cookie protection
CN113971284B (en) JavaScript-based malicious webpage detection method, equipment and computer readable storage medium
CN114398673A (en) Application compliance detection method and device, storage medium and electronic equipment
CN114626061A (en) Webpage Trojan horse detection method and device, electronic equipment and medium
WO2016032516A1 (en) Static program analysis in an object-relational mapping framework
CN116361793A (en) Code detection method, device, electronic equipment and storage medium
CN115688108A (en) Webshell static detection method and system
CN115168861A (en) Data security verification method, device, equipment and storage medium
CN114637988A (en) Binary-oriented function level software randomization method
CN110674491B (en) Method and device for real-time evidence obtaining of android application and electronic equipment
CN113935847A (en) Online process risk processing method, device, server and medium
Shah Malicious javascript detection using statistical language model
US20240045955A1 (en) Identifying security events in programming code for logging
Zhao Toward the flow-centric detection of browser fingerprinting
CN115455474A (en) Privacy protection method and system for preventing misbehaving small program based on deep learning

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
REG Reference to a national code

Ref country code: HK

Ref legal event code: DE

Ref document number: 40031298

Country of ref document: HK

SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination