CN111967044A - Method and system for tracking leaked private data suitable for cloud environment - Google Patents


Info

Publication number: CN111967044A
Authority: CN (China)
Prior art keywords: api, data, tracking, leaked, instrumentation
Legal status: Granted
Application number: CN202010814229.4A
Other languages: Chinese (zh)
Other versions: CN111967044B (en)
Inventors: 叶宇, 李伟明
Current assignee: Huazhong University of Science and Technology
Original assignee: Huazhong University of Science and Technology

Application filed by Huazhong University of Science and Technology
Priority to CN202010814229.4A
Publication of CN111967044A
Application granted
Publication of CN111967044B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F 21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/44 Program or device authentication


Abstract

The invention discloses a method and a system for tracking leaked private data, suitable for a cloud environment. Instrumentation programs, each corresponding to one of a plurality of API call types, are embedded in a host machine of the cloud environment and are used to track the leaked private data. The API calls of the host machine are monitored in real time; when a suspected malicious program is observed to make an API call, the API call data is obtained, the corresponding call type is determined, and the instrumentation program corresponding to that API call type is invoked to track the leaked private data. In this way, user private data that is widely present in the system and discretely distributed is located accurately by an automated method.

Description

Method and system for tracking leaked private data suitable for cloud environment
Technical Field
The invention belongs to the field of information security, and particularly relates to a method and a system for tracking leaked private data suitable for a cloud environment.
Background
Cloud platforms provide computing capacity, virtual machine services, storage capacity and the like on demand through a big-data environment. The advent of such platforms often brings various security challenges.
Malicious code lets a malicious user break into private data through a series of operations such as unauthorized outbound connections and privilege escalation, using malicious behaviours such as opening a back door or hooking the main function, and ultimately achieve the goal of stealing the user's private data.
Existing techniques for tracking and analysing private data are essentially built on static taint analysis and dynamic taint analysis, for example tools such as TaintCheck, DroidChecker, Dytan and PANDA. The information they monitor is mostly limited, the amount of private data they locate is large, and both their accuracy and their granularity are low.
Disclosure of Invention
In view of at least one defect of, or improvement required by, the prior art, the present invention provides a method and system for tracking leaked private data suitable for a cloud environment, aiming to solve the problem of how to accurately locate, by an automated method, user private data that is widely present in the system and discretely distributed.
To achieve the above object, according to one aspect of the present invention, a method for tracking leaked private data suitable for a cloud environment is provided, comprising the steps of:
embedding, in a host machine of the cloud environment, instrumentation programs that correspond one-to-one to a plurality of API call types, the instrumentation programs being used to track the leaked private data; and
monitoring the API calls of the host machine of the cloud environment in real time; when a suspected malicious program is observed to make an API call, obtaining the API call data, determining the corresponding call type, and invoking the instrumentation program corresponding to that API call type to track the leaked private data.
As a further improvement of the present invention, obtaining the API call data and determining the corresponding call type includes:
determining whether the API being called is an API of the Windows system, wherein,
when the called API is a Windows API, further determining whether the call is an external input operation or a memory leakage operation; and
when the called API is not a Windows API, further determining whether the called API is a function written in C.
As a further improvement of the invention, when the API being called is a Windows API and the external input operation being performed is a file call, the following instrumentation steps are performed:
determining, through the instrumentation function, whether the file accessed by the file call is a sensitive file, and if so, finding the leaked private data through the file buffer pointer in the instrumentation function information and marking it as private data.
As a further improvement of the invention, when the API being called is a Windows API and the external input operation being performed is keystroke logging, the following instrumentation steps are performed:
obtaining the call log of the instrumentation function and, according to the parameter information in the call log, determining and marking the leaked private data through the file buffer pointer, send buffer pointer and keyboard buffer pointer referenced by the parameters.
As a further improvement of the invention, when the API being called is a Windows API and the external input operation being performed is a clipboard operation, the following instrumentation steps are performed:
obtaining the data of the clipboard buffer through the instrumentation function and marking the clipboard buffer data as leaked private data.
As a further improvement of the present invention, when the API being called is a Windows API and the external input operation being performed is other than a file call, keystroke logging or a clipboard operation, the following instrumentation steps are performed:
obtaining, through the instrumentation function, the pointer to the buffer about to be sent, and when the data in that send buffer does not belong to the already marked leaked private data, marking the intercepted data in the send buffer as leaked private data.
As a further improvement of the invention, when the API being called is a Windows API and the call being performed is a memory leakage operation, the following instrumentation steps are performed:
extracting and marking the characteristic string of a database table; matching the data read by the call against the marked characteristic string and recording the address at which the match succeeds, that address being the address of the database table in memory; parsing the attributes of the data table in turn according to the structure of the table; determining the offset of each data item in the table from the address of the table, each attribute of the table and the number of bytes occupied by the data; and finally parsing out the data, which is the leaked private data.
As a further improvement of the invention, when the API being called is a non-Windows API and is a function written in C, the following instrumentation steps are performed:
obtaining the base address of the loaded module from the module list loaded by the process, parsing the loaded module to obtain the corresponding function and its offset, and finding the entry address of the corresponding function in order to perform the instrumentation.
As a further improvement of the invention, when the API being called is a non-Windows API and is a function written in a language other than C, the following instrumentation steps are performed:
extracting the underlying C-language implementation function of the called API function and instrumenting that function.
To achieve the above object, according to another aspect of the present invention, a system for tracking leaked private data suitable for a cloud environment is provided, the system including:
an instrumentation program embedding module, used to embed, in the host machine of the cloud environment, instrumentation programs that correspond one-to-one to a plurality of API call types, the instrumentation programs being used to track the leaked private data;
a real-time monitoring module, used to monitor the API calls of the host machine of the cloud environment in real time and, when a suspected malicious program is observed to make an API call, to obtain the API call data and determine the corresponding call type; and
a tracking module, used to invoke the instrumentation program corresponding to the API call type so as to track the leaked private data.
In general, compared with the prior art, the above technical solution contemplated by the present invention achieves the following beneficial effects:
The invention provides a method and system for tracking leaked private data suitable for a cloud environment. Using dynamic taint tracking, the data accessed by a program while it runs (keyboard input, files, the clipboard and the like) and the data generated by the program (browser history, cookie records and the like) are intercepted as user private data, marked as taint sources, and their propagation through the system is recorded in logs according to the taint propagation rules. For externally input data, the API calls of a malicious program running in the host emulated through VMI (virtual machine introspection) technology are continuously monitored, and the private data and the operations performed on it are determined by instrumenting the relevant functions. For internally generated data, the location of an important database in memory is found and the private data is determined by parsing the data table; the memory-reading behaviour of the malicious program is continuously detected and any theft of memory contents is recorded. In this way the user's private data is automatically located as a taint source, privacy leakage is detected with full-system dynamic taint tracking, and the real-time monitoring results are compiled into logs for correlation analysis.
Drawings
Fig. 1 is a schematic diagram of a method for tracking leaked private data suitable for a cloud environment according to an embodiment of the present invention;
Fig. 2 is a diagram of the instrumentation steps when the API being called is a non-Windows function, according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of the instrumentation method corresponding to a sensitive memory privacy leakage operation, according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. In addition, the technical features involved in the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
The method and the working principle of the present invention will be described in detail with reference to the following embodiments and the accompanying drawings.
The terms to which the present invention relates are explained as follows:
an API (Application Programming Interface) is a predefined function or a convention for linking different components of a software system. It is used to provide a set of routines that applications and developers can access based on certain software or hardware without having to access source code or understand the details of the internal working mechanisms.
A SOCKET is an abstraction of an endpoint for two-way communication between application processes on different hosts in a network. A socket is the endpoint of a process's communication over the network and provides the mechanism by which application-layer processes exchange data using a network protocol. In terms of position, the socket sits between the application process above it and the network protocol stack below it: it is the interface through which an application program communicates over a network protocol, and the interface through which the application interacts with the protocol stack.
Fig. 1 is a schematic diagram of a method for tracking leaked private data suitable for a cloud environment according to an embodiment of the present invention. As shown in Fig. 1, the method includes the following steps:
embedding, in a host machine of the cloud environment, instrumentation programs that correspond one-to-one to a plurality of API call types, the instrumentation programs being used to track the leaked private data; in general, leaked private data refers to data that has been manipulated or processed by malicious code; and
monitoring the API calls of the host machine of the cloud environment in real time; when a suspected malicious program is observed to make an API call, obtaining the API call data, determining the corresponding call type, and invoking the instrumentation program corresponding to that API call type to track the leaked private data. The API call type may vary: for example, when the API being called is a Windows API, the leaked private data may be private data related to a file call, private data leaked through keystroke logging, sensitive data in the clipboard buffer, or private data leaked by a malicious program communicating with the outside through a SOCKET; the API being called may of course also be a non-Windows API.
Because malicious samples or code are deceptive and concealed, a user cannot intuitively tell which program is malicious code. By monitoring process behaviour, the private data can be tracked and located so as to obtain evidence of the malicious code, or the tracked private data can be protected, recovered and so on by subsequent means.
Optionally, obtaining the API call data and determining the corresponding call type includes:
determining whether the API being called is an API of the Windows system, wherein,
when the called API is a Windows API, further determining whether the call is an external input operation or a memory leakage operation; and
when the called API is not a Windows API, further determining whether the called API is a function written in C.
Optionally, it is determined whether the API being called is a Windows API of the file call type, and if so, the following instrumentation step is performed:
determining, through hook functions represented by ReadFile, WriteFile, DeleteFile and the like, whether the file accessed by the file call is a sensitive file, and if so, finding the leaked private data through the file buffer pointer in the information of the instrumented (stub) function. Sensitive files include files designated by the user and files carrying taint labels; user-designated files, data files, backup files and the like can be marked as leaked private data, and the malicious operations performed on them by the malicious program can be recorded. A typical such behaviour is WannaCry encrypting the contents of the user's files and writing the encrypted contents into new files.
Optionally, when the API being called is a Windows API, the API call types further include keystroke logging. During keyboard input, a typical keystroke-logging malware is Trojan-Spy.MSIL.KeyLogger.browse, which can tamper with, read, store and send keystroke records; in this case the data in the keyboard buffer is marked as private data and the malicious behaviour of the program is recorded. Whether the called API is a Windows API of the keystroke logging type is determined, and the instrumentation program corresponding to keystroke logging performs the following steps:
obtaining the call logs of the instrumented functions, represented by GlobalLock, GetAsyncKeyState and the like, and determining the private data, according to the parameter information in the function call logs, through the file buffer pointer, send buffer pointer and keyboard buffer pointer referenced by the parameters. Specifically, when a malicious program reads data, the module name of the current program and the name of the called function are determined through VMI technology and the function call stack. Then functions such as WriteFile, send and GetAsyncKeyState of the current process are obtained through function instrumentation, and the private data is determined from the parameter information in the function call stack through the file buffer pointer, send buffer pointer and keyboard buffer pointer referenced by the parameters.
Optionally, when the API being called is a Windows API, the API call types further include clipboard operations. Clipboard operations include simulated copy, paste and similar operations on the data in the clipboard buffer; when copy and paste are used, if the data in the clipboard buffer is accessed, tampered with or sent over the network by a malicious program, that data is treated as private data and the related malicious behaviour is recorded. Whether the called API is a Windows API of the clipboard operation type is determined, and the instrumentation program corresponding to clipboard operations performs the following steps:
through instrumented functions such as GlobalLock, SetClipboardData and GetClipboardData, if malicious behaviour such as reading or tampering is present, the data in the clipboard buffer is taint data and the malicious behaviour of the program is recorded in the log.
Besides the three privacy leakage types above, when the called API is a Windows API the API call types further include other external communication operations, that is, the malicious program leaking private data through SOCKET-related APIs and communication with the outside. The instrumentation program corresponding to other external communication operations performs the following steps:
through instrumented functions such as send, sendto and recv, the data in the send buffer, reached through the obtained pointer to the buffer about to be sent, is compared with the marked leaked private data. If it is marked leaked private data, this indicates that the malicious program is leaking private information obtained through one of the three leakage paths above; otherwise the private information was not stolen through those three paths, and the intercepted data in the send buffer serves as a supplement to the private information.
When the called API is a Windows API, the API call types also include privacy leakage operations of the sensitive memory type: sensitive data in memory is located as private data by matching marked strings, and the malicious program's operations on that data, including reading, tampering and leaking over the network, can be monitored and recorded. A typical vulnerability that steals sensitive memory is Heartbleed. The instrumentation program corresponding to a sensitive memory privacy leakage operation performs the following steps:
extracting a characteristic string of the database table, where the attributes are invariant and the ASCII encoding of the extracted attributes is suitable as the characteristic string; when the malicious program reads memory, matching the data read against the marked characteristic string until a match succeeds; recording the address of the successful match, which is the address of the database table in memory; parsing the attributes of the data table in turn according to the structure of the table, where the attribute directly determines the number of bytes occupied by the corresponding data; and determining the offset of each data item in the table from the address of the table, each attribute and the number of bytes occupied by the data, the data finally parsed out being the internal private data.
Optionally, when the called API is a non-Windows API, the instrumentation program corresponding to the called API performs the following steps:
for API functions written in a language other than C, extracting the underlying C-language implementation functions of those functions for instrumentation, and determining the module containing the functions through tools such as the Visual Studio developer command prompt;
for a non-Windows function written in C, obtaining the base address of the loaded module from the module list loaded by the process, parsing the module to obtain the functions it contains and their offsets, and finding the entry address of the function, which is the precondition for instrumentation. The precondition for instrumentation is that the underlying C-language implementation function and the module containing it must be known. Taking a program written in PHP as an example, the program under test hashes with MD5, such as md5($password); md5 is a PHP built-in function and cannot be instrumented directly, but its underlying C-language implementation consists of PHP_MD5Init(), PHP_MD5Update() and PHP_MD5Final(), where the parameters of PHP_MD5Update give the size of the buffer being hashed and the data itself. A further precondition is that the entry address of the function to be instrumented must be known, so for each process the modules it loads and the functions contained in each module must be obtained. Once the module and function names have been obtained through the map and the address of the function to be instrumented has been located, instrumentation can be performed and the relevant parameters obtained.
Fig. 2 is a diagram of the instrumentation steps when the API being called is a non-Windows function, according to an embodiment of the present invention. Take Discuz!, written in PHP, as an example: when a user logs in to the forum, the login password is hashed with MD5, such as md5($password), using PHP's built-in function. The md5 function itself cannot be instrumented directly, but PHP is implemented in C, so the function finally called is a C function and instrumentation can be completed by extracting the underlying C-language implementation. The functions to be instrumented are PHP_MD5Init(), PHP_MD5Update() and PHP_MD5Final(); the parameters of PHP_MD5Update give the size of the buffer being hashed and the data itself, so that function is instrumented to obtain the original data before MD5 hashing.
(1) Obtain the underlying C-language implementation function of the function currently to be instrumented, and the module that implements it.
(2) Obtain the module load information and base addresses of the currently active process. Since the FS register points to the currently active thread, the TEB (thread environment block) is obtained from the value of the FS register; the PEB (process environment block) is found through the TEB; and the PEB_LDR_DATA structure is found through the PEB. Its InLoadOrderModuleList is the list of modules in load order, recording the name and base address of each loaded module.
(3) Obtain the functions and their entry addresses in each module. For each module, read the NT optional header of the module's PE file; each entry of its data directory array corresponds to a particular data structure, for example the first entry records the export table, which lists the names of the functions contained in the module and their offsets within it. Combining the module base address obtained in step (2) with the function's offset within the module gives the entry address of the function to be instrumented; the entries are stored as map<module_name, map<function_name, function_offset>>.
(4) From the function name and module name supplied by the function to be instrumented, the entry address of the function is looked up in the map and a hook record is generated.
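Added example for steps (2)-(4), not code from the patent: a Python parser that walks a PE image from the DOS header through the NT optional header and its data directory to the export table, builds the map<module_name, map<function_name, function_offset>> of step (3), and adds a module base address to obtain an entry address as in step (4). The image it parses is a constructed minimal PE32+ with no sections, so RVA equals file offset (section-table translation is still implemented for real files); the module name sample.dll, the function RVAs and the base address are assumptions, while the PHP_MD5* names are the ones from the description. Obtaining the live module list through FS -> TEB -> PEB -> PEB_LDR_DATA (step (2)) needs a view inside the monitored guest and is not reproduced here.

```python
import struct

# Real PE layout constants (not page-specific values).
DOS_E_LFANEW = 0x3C                    # offset of e_lfanew in the DOS header
PE_SIGNATURE = b"PE\0\0"
OPT_MAGIC_PE32PLUS = 0x20B
DATADIR_OFFSET = {0x10B: 96, OPT_MAGIC_PE32PLUS: 112}   # DataDirectory start inside the optional header


def build_sample_image():
    """Constructed minimal PE32+ image (no sections, RVA == file offset) used only for the demo."""
    img = bytearray(0x300)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, DOS_E_LFANEW, 0x80)                       # e_lfanew
    img[0x80:0x84] = PE_SIGNATURE
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, 0x84, 0x8664, 0, 0, 0, 0, 240, 0x2022)
    struct.pack_into("<H", img, 0x98, OPT_MAGIC_PE32PLUS)                  # optional header magic
    struct.pack_into("<II", img, 0x98 + 112, 0x200, 0x100)                 # DataDirectory[0]: export table
    # IMAGE_EXPORT_DIRECTORY at 0x200: Characteristics, TimeDateStamp, MajorVersion, MinorVersion,
    # Name, Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
    struct.pack_into("<IIHHIIIIIII", img, 0x200, 0, 0, 0, 0, 0x230, 1, 3, 3, 0x240, 0x250, 0x260)
    img[0x230:0x23B] = b"sample.dll\0"                                      # assumed module name
    func_rvas = [0x1000, 0x1100, 0x1200]                                   # assumed RVAs: Init, Update, Final
    names = ["PHP_MD5Final", "PHP_MD5Init", "PHP_MD5Update"]               # name table is sorted by the linker
    ordinals = [2, 0, 1]                                                   # name index -> AddressOfFunctions index
    struct.pack_into("<3I", img, 0x240, *func_rvas)
    cursor, name_rvas = 0x270, []
    for name in names:
        raw = name.encode("ascii") + b"\0"
        img[cursor:cursor + len(raw)] = raw
        name_rvas.append(cursor)
        cursor += len(raw)
    struct.pack_into("<3I", img, 0x250, *name_rvas)
    struct.pack_into("<3H", img, 0x260, *ordinals)
    return bytes(img)


def _rva_to_offset(image, rva, sections):
    """Translate an RVA to a file offset through the section table; identity for an already mapped image."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    return rva


def _cstring(image, offset):
    return image[offset:image.index(b"\0", offset)].decode("ascii")


def parse_exports(image):
    """Return {module_name: {function_name: function_rva}} from the export table (step (3))."""
    e_lfanew = struct.unpack_from("<I", image, DOS_E_LFANEW)[0]
    if image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    exp_rva, exp_size = struct.unpack_from("<II", image, opt + DATADIR_OFFSET[magic])
    if exp_rva == 0:
        return {}                                   # the module exports nothing
    sections = []                                   # section headers follow the optional header, 40 bytes each
    for i in range(n_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, opt + opt_size + i * 40 + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    exp = _rva_to_offset(image, exp_rva, sections)
    name_rva, _base, n_funcs, n_names, funcs_rva, names_rva, ords_rva = struct.unpack_from("<7I", image, exp + 12)
    funcs = struct.unpack_from("<%dI" % n_funcs, image, _rva_to_offset(image, funcs_rva, sections))
    name_ptrs = struct.unpack_from("<%dI" % n_names, image, _rva_to_offset(image, names_rva, sections))
    ordinals = struct.unpack_from("<%dH" % n_names, image, _rva_to_offset(image, ords_rva, sections))
    table = {}
    for ptr, ordinal in zip(name_ptrs, ordinals):
        rva = funcs[ordinal]
        if exp_rva <= rva < exp_rva + exp_size:
            continue                                # forwarded export: the code lives in another module
        table[_cstring(image, _rva_to_offset(image, ptr, sections))] = rva
    return {_cstring(image, _rva_to_offset(image, name_rva, sections)): table}


def entry_address(exports, module_base, module, function):
    """Step (4): module base (from the loader's module list) + function offset from the map."""
    return module_base + exports[module][function]


if __name__ == "__main__":
    exports = parse_exports(build_sample_image())
    print(exports)
    print(hex(entry_address(exports, 0x7FF600000000, "sample.dll", "PHP_MD5Update")))
```

The forwarder check matters in practice: an export whose RVA falls inside the export directory is a forwarding string, not code, so hooking that address would corrupt data rather than intercept a call.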
Fig. 3 is a schematic diagram of the instrumentation method corresponding to a sensitive memory privacy leakage operation according to an embodiment of the present invention. As shown in Fig. 3, for internally generated private data, such as the cookies identifying a user that are generated when a browser is used, an attacker can use that information to cause damage; XSS vulnerabilities are typically used to steal cookies. There are five mainstream browsers today: Internet Explorer, Firefox, Safari, Chrome and Opera. The records generated when browsing are saved in a local SQLite database, and a method for locating the database data is given below.
(1) Extract the database file using a special string as a marker, and locate the relevant database by matching that special string. Because the attributes of the records in a relational database are fixed when the database is created, the position of a database table in memory can be located accurately by using some of those attributes as the special string to match. Once the special string has been specified, when a malicious program steals data from the database by reading memory, the content read is matched against the special string; the string matching algorithm used in the method comes from the stringsearch plugin of PANDA. If the match succeeds, the virtual address recorded at the time of the memory read is the position of the target database; otherwise the positioning fails. In the invention, taking the browser-related database as an example, the extracted characteristic strings are enumerated as follows:
[Table: characteristic strings extracted from the browser-related database (image in the original, not reproduced)]
(2) After the database is located, the contents of the database are parsed, and an unsigned array is used to store the attributes. Each attribute is one byte in size, and one attribute is parsed per byte moving forward or backward from the address at which the special string matched.
(3) The value of the attribute directly determines the number of bytes occupied by the value; when parsing a value, its byte count is determined from the attribute, and the attribute and the byte count of the value correspond as follows:
[Table: correspondence between the attribute value and the number of bytes occupied by the data (image in the original, not reproduced)]
The unsigned arrays num_buff and variance_len in the variance structure record, respectively, the key type of each attribute of the data table entry, the number of bytes of the corresponding data, and the length of the data corresponding to the key.
The data corresponding to the attributes is then extracted: the position of the attribute extracted as the characteristic string was determined in (1), and the number of bytes occupied by each data item was determined in (3); from these two pieces of information the offset of each value relative to the attributes can be determined, and the values can then be read out of the database easily.
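Added example for steps (1)-(3) above, not code from the patent: Python that runs the locate-then-parse procedure against SQLite's actual record encoding, which is what the browser databases mentioned here use. In that format the "attributes" are serial types stored as varints in the record header, and each serial type fixes the byte count of its value; the mapping below is SQLite's real table and stands in for the one shown as an image in the original. The sample table (cookie-like rows of host, name, value, expiry), the byte buffer standing in for the memory a program read, and the regular expression used as the characteristic string are all constructed for the demo; the page's num_buff/variance_len structure is not used. The example goes slightly beyond the text in that it decodes multi-byte varints and all serial types, not only one-byte attributes.

```python
import re
import struct


def read_varint(buf, off):
    """Decode a SQLite varint: big-endian, 7 bits per byte with a continuation bit;
    a 9th byte, if reached, contributes all 8 bits. Returns (value, next_offset)."""
    value = 0
    for i in range(8):
        b = buf[off + i]
        value = (value << 7) | (b & 0x7F)
        if b < 0x80:
            return value, off + i + 1
    return (value << 8) | buf[off + 8], off + 9


def serial_type_size(st):
    """Payload bytes occupied by a value of serial type st (the 'attribute' of step (3))."""
    if st in (0, 8, 9):                 # NULL, integer 0, integer 1: encoded in the header alone
        return 0
    if 1 <= st <= 4:                    # 1-, 2-, 3-, 4-byte signed big-endian integers
        return st
    if st in (5, 6, 7):                 # 6-byte int, 8-byte int, 8-byte IEEE 754 double
        return {5: 6, 6: 8, 7: 8}[st]
    if st >= 12:                        # even: BLOB, odd: TEXT; the length is encoded in the type
        return (st - 12) // 2
    raise ValueError("reserved serial type %d" % st)


def decode_value(st, raw):
    if st == 0:
        return None
    if st in (8, 9):
        return st - 8
    if 1 <= st <= 6:
        return int.from_bytes(raw, "big", signed=True)
    if st == 7:
        return struct.unpack(">d", raw)[0]
    return bytes(raw) if st % 2 == 0 else raw.decode("utf-8")


def parse_record(buf, off):
    """Steps (2)-(3): read the header (one serial type per column) at off, then walk the payload
    using each type's byte count, which yields every value's offset. Returns (values, end_offset)."""
    header_len, pos = read_varint(buf, off)
    header_end = off + header_len
    serial_types = []
    while pos < header_end:
        st, pos = read_varint(buf, pos)
        serial_types.append(st)
    values, pos = [], header_end
    for st in serial_types:
        size = serial_type_size(st)
        values.append(decode_value(st, buf[pos:pos + size]))
        pos += size
    return values, pos


# Step (1): the characteristic string. For the constructed table (host TEXT, name TEXT, value TEXT,
# expires INTEGER) every row header is 5 bytes: length 5, three TEXT types (>= 13), one 4-byte int (4).
TABLE_SIGNATURE = re.compile(rb"\x05[\x0d-\x7f]{3}\x04")


def extract_rows(memory, signature=TABLE_SIGNATURE):
    """Match the signature over a memory buffer and parse a record at each hit; a hit that does not
    parse is a false match, i.e. the positioning failed there and the hit is skipped."""
    rows = []
    for m in signature.finditer(memory):
        try:
            values, _ = parse_record(memory, m.start())
        except (ValueError, UnicodeDecodeError, IndexError):
            continue
        rows.append(values)
    return rows


def encode_record(values):
    """Constructed helper that builds sample records in SQLite's format (str -> TEXT, int -> 4-byte int)."""
    types, payload = [], b""
    for v in values:
        if isinstance(v, str):
            raw = v.encode("utf-8")
            types.append(13 + 2 * len(raw))
        else:
            raw = v.to_bytes(4, "big", signed=True)
            types.append(4)
        payload += raw
    return bytes([len(types) + 1] + types) + payload      # every header varint fits in one byte here


def build_sample_memory():
    """Constructed buffer standing in for memory read by a program: two rows between unrelated bytes."""
    row1 = encode_record(["example.com", "sid", "abc123", 1700000000])
    row2 = encode_record(["example.org", "token", "zz", 1800000000])
    return b"\x00" * 17 + row1 + b"\xff" * 9 + row2 + b"\x00" * 5


if __name__ == "__main__":
    for row in extract_rows(build_sample_memory()):
        print(row)
```

A header-only signature such as the one above is short and will produce false hits on real memory; the parse step acts as the second filter, exactly as the text's "otherwise the positioning fails", and a production matcher would also check that the decoded column types agree with the table schema.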
A system for tracking leaked private data suitable for a cloud environment, the system comprising:
an instrumentation program embedding module, used to embed, in the host machine of the cloud environment, instrumentation programs that correspond one-to-one to a plurality of API call types, the instrumentation programs being used to track the leaked private data;
a real-time monitoring module, used to monitor the API calls of the host machine of the cloud environment in real time and, when a suspected malicious program is observed to make an API call, to obtain the API call data and determine the corresponding call type; and
a tracking module, used to invoke the instrumentation program corresponding to the API call type so as to track the leaked private data. The implementation principle and technical effect of the system are similar to those of the method and are not described again here.
It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and that any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (10)

1. A method for tracking leaked private data suitable for a cloud environment, characterized by comprising the following steps:
embedding, in a host machine of the cloud environment, instrumentation programs corresponding one to one with a plurality of API call types, the instrumentation programs being used to track the leaked private data;
and monitoring the API calls of the host machine of the cloud environment in real time; when monitoring detects that a suspected malicious program causes an API call, obtaining the API call data, determining the corresponding call type, and calling the corresponding instrumentation program according to the API call type to track the leaked private data.
2. The method for tracking leaked private data suitable for a cloud environment according to claim 1, characterized in that obtaining the API call data and determining the corresponding call type comprises:
determining whether the API executing the call is an API of the Windows system, wherein,
when the called API is an API of the Windows system, further determining whether the called API performs an external input operation or a memory leakage operation;
and when the called API is not an API of the Windows system, further determining whether the called API is a function written in the C language.
3. The method for tracking leaked private data suitable for a cloud environment according to claim 1 or 2, characterized in that when the API executing the call is an API of the Windows system and the external input operation executed by the call is a file call, the following instrumentation steps are executed:
determining through the instrumentation function whether the file being called is a sensitive file; if so, finding the leaked private data through the file buffer pointer in the instrumentation function information and marking that private data.
4. The method for tracking leaked private data suitable for a cloud environment according to claim 1 or 2, characterized in that when the API executing the call is an API of the Windows system and the external input operation executed by the call is keystroke recording, the following instrumentation steps are executed:
obtaining the call log of the instrumentation function and, according to the parameter information in the call log, determining and marking the leaked private data through the file buffer pointer, the send buffer pointer and the keyboard buffer pointer pointed to by the parameters.
5. The method for tracking leaked private data suitable for a cloud environment according to claim 1 or 2, characterized in that when the API executing the call is an API of the Windows system and the external input operation executed by the call is a clipboard operation, the following instrumentation steps are executed:
acquiring the data of the clipboard buffer through the instrumentation function and marking the data of the clipboard buffer as the leaked private data.
6. The method for tracking leaked private data suitable for a cloud environment according to claim 1 or 2, characterized in that when the called API is an API of the Windows system and the call executes an external input operation other than file calling, keystroke recording and clipboard operations, the following instrumentation steps are executed:
acquiring through the instrumentation function a pointer to the buffer to be sent, and, when the data in the buffer to be sent does not belong to the already marked leaked private data, marking the intercepted data in the buffer to be sent as leaked private data.
7. The method for tracking leaked private data suitable for a cloud environment according to claim 1 or 2, characterized in that when the API executing the call is an API of the Windows system and the call executes a memory leakage operation, the following instrumentation steps are executed:
extracting and marking the characteristic character string of the database table, matching the data read by the call against the marked characteristic character string, and recording the address at which the match succeeds, that address being the address of the database table in memory; parsing the attributes of the data table in order according to the structure of the data table, determining the offset of the data in the table from the address of the table, each attribute of the table and the number of bytes occupied by the data, and finally parsing out the data, which is the leaked private data.
8. The method for tracking leaked private data suitable for a cloud environment according to claim 1 or 2, characterized in that when the API executing the call is an API of a non-Windows system and is a function written in the C language, the following instrumentation steps are executed:
obtaining the base address of the loaded module through the module list loaded by the process, parsing the loaded module to obtain the corresponding function and its offset, and finding the entry address of the corresponding function to perform the instrumentation operation.
9. The method for tracking leaked private data suitable for a cloud environment according to claim 1 or 2, characterized in that when the API executing the call is an API of a non-Windows system and is a function written in a language other than C, the following instrumentation steps are executed:
extracting the underlying C language implementation function of the called API function and performing the instrumentation operation on it.
10. A tracking system for leaked private data suitable for use in a cloud environment, the system comprising:
an instrumentation program embedding module, used to embed in the host machine of the cloud environment instrumentation programs corresponding one to one with a plurality of API call types, the instrumentation programs being used to track the leaked private data;
a real-time monitoring module, used to monitor the API calls of the host machine in the cloud environment in real time, and, when a suspected malicious program is observed to cause an API call, to obtain the API call data and determine the corresponding call type;
and a tracking module, used to call the corresponding instrumentation program according to the API call type so as to track the leaked private data.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010814229.4A CN111967044B (en) 2020-08-13 2020-08-13 Tracking method and system of leaked privacy data suitable for cloud environment
Publications (2)

Publication Number Publication Date
CN111967044A true CN111967044A (en) 2020-11-20
CN111967044B CN111967044B (en) 2024-04-19

Family

ID=73365881
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant