CN112181751A - Detection method based on PIE security protection, terminal and storage medium - Google Patents
Detection method based on PIE security protection, terminal and storage medium Download PDFInfo
- Publication number
- CN112181751A CN112181751A CN202011169020.3A CN202011169020A CN112181751A CN 112181751 A CN112181751 A CN 112181751A CN 202011169020 A CN202011169020 A CN 202011169020A CN 112181751 A CN112181751 A CN 112181751A
- Authority
- CN
- China
- Prior art keywords
- pie
- program
- security protection
- file
- detection method
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 31
- 238000000034 method Methods 0.000 claims abstract description 20
- 230000008569 process Effects 0.000 description 7
- 208000036758 Postinfectious cerebellitis Diseases 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 239000004973 liquid crystal related substance Substances 0.000 description 2
- 238000004590 computer program Methods 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 238000009434 installation Methods 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000000007 visual effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/22—Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing
- G06F11/2205—Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing using arrangements specific to the hardware being tested
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/22—Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing
- G06F11/2273—Test methods
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
Abstract
The invention discloses a detection method, a terminal and a storage medium based on PIE safety protection, wherein the method comprises the following steps: acquiring an ELF file of a program, and checking file header information of the ELF file by analyzing a first command of the ELF file; judging whether a Type option in the file header information is a DYN Type, if so, checking a dynamic segment of the ELF file by analyzing a second command of the ELF file; and judging whether the DEBUG option exists in the dynamic section, if so, indicating that the PIE protection is started by the program. According to the invention, whether the PIE safety protection is started by the program is judged, the user is reminded to start the PIE safety protection when the PIE safety protection is not started by the program, and if the PIE safety protection is started by the program, the loading address needs to be changed when the program is loaded every time, so that a hacker can not use a traditional fixed address method to attack the program by utilizing a vulnerability.
Description
Technical Field
The invention relates to the technical field of computer security, in particular to a detection method, a terminal and a storage medium based on PIE security protection.
Background
In the field of computers, a position-independent executable file (also called as an address-independent code, PIC) refers to a machine code that can correctly run at any position in a main memory without being affected by an absolute address of the machine code.
PIE is widely used for shared libraries to enable code in the same library to be loaded into the address space of different processes. PICs are also used in computer systems that lack a memory management unit, enabling the operating system to isolate different running programs in a single address space.
Usually, after discovering a software bug, a hacker will write a corresponding exploit program, and the exploit program will use a process-specific address space, which is fixed and unchangeable at any time on any machine, so that the exploit program can run on any computer with a bug.
Accordingly, the prior art is yet to be improved and developed.
Disclosure of Invention
The invention mainly aims to provide a detection method, a terminal and a storage medium based on PIE (personal information assistant) safety protection, and aims to solve the problem that when the PIE safety protection is not started, a program can be used for running on any computer with a leak in the prior art.
In order to achieve the above object, the present invention provides a detection method based on PIE security protection, which comprises the following steps:
acquiring an ELF file of a program, and checking file header information of the ELF file by analyzing a first command of the ELF file;
judging whether a Type option in the file header information is a DYN Type, if so, checking a dynamic segment of the ELF file by analyzing a second command of the ELF file;
and judging whether the DEBUG option exists in the dynamic section, if so, indicating that the PIE security protection is opened by the program.
The detection method based on PIE security protection, wherein the determining whether the Type option in the header information is a DYN Type, further includes:
and if the Type option in the file header information is judged not to be the DYN Type, indicating that the PIE safety protection is not opened by the program.
The detection method based on the PIE security protection, wherein the determining whether the dynamic segment has a DEBUG option, further includes:
and if the dynamic segment is judged to have no DEBUG option, indicating that the program does not start PIE security protection.
The detection method based on the PIE security protection further comprises the following steps:
and if the program does not start the PIE safety protection, prompting a user to start the PIE safety protection.
The detection method based on PIE security protection is characterized in that the ELF file comprises a file header, a program header table, sections and a section header table.
The detection method based on the PIE security protection is characterized in that the first command is readelf-h.
The detection method based on the PIE security protection is characterized in that the second command is readelf-d.
In addition, to achieve the above object, the present invention further provides a terminal, wherein the terminal includes: the detection program based on the PIE safety protection realizes the steps of the detection method based on the PIE safety protection when being executed by the processor.
In addition, in order to achieve the above object, the present invention further provides a storage medium, wherein the storage medium stores a detection program based on the PIE security protection, and the detection program based on the PIE security protection implements the steps of the detection method based on the PIE security protection when being executed by a processor.
The method comprises the steps of checking file header information of an ELF file by acquiring the ELF file of a program and analyzing a first command of the ELF file; judging whether a Type option in the file header information is a DYN Type, if so, checking a dynamic segment of the ELF file by analyzing a second command of the ELF file; and judging whether the DEBUG option exists in the dynamic section, if so, indicating that the PIE protection is started by the program. According to the invention, whether the PIE safety protection is started by the program is judged, the user is reminded to start the PIE safety protection when the PIE safety protection is not started by the program, and if the PIE safety protection is started by the program, the loading address needs to be changed when the program is loaded every time, so that a hacker can not use a traditional fixed address method to attack the program by utilizing a vulnerability.
Drawings
FIG. 1 is a flow chart of a preferred embodiment of the detection method based on PIE security protection of the present invention;
fig. 2 is a schematic operating environment of a terminal according to a preferred embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer and clearer, the present invention is further described in detail below with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
As shown in fig. 1, the detection method based on the PIE security protection according to the preferred embodiment of the present invention includes the following steps:
and step S10, acquiring an ELF file of the program, and checking the file header information of the ELF file by analyzing a first command of the ELF file.
In the invention, an address-independent executable file (PIE) refers to code which is independent of running and placing addresses, wherein the PIE is a relative meaning, because position-independent code is used for generating code more or less, the basic idea of the implementation is as follows: the part of the instruction to be modified is separated and put together with the data part, so that the instruction part can be kept unchanged, and the data part has a copy in each process. The address-independent executable file can be copied to any location in memory without modification. This is different from relocation code, which requires special processing by a linker or loader to determine the appropriate runtime memory address. Address independent code needs to follow a specific set of semantics at the source code level and requires compiler support. Those instructions that reference an absolute memory address (such as an absolute jump instruction) must be replaced with PC relative addressing instructions. These indirect processes may cause the PIC to operate less efficiently, but most processors support PIE very well, making this drop in efficiency substantially negligible.
In computer science, an ELF file is a file used for binary files, executable files, object code, shared libraries, and core dump formats.
Specifically, an ELF file is composed of 4 parts, which are an ELF header (i.e., a file header), a Program header table (Program header table), a Section (Section), and a Section header table (Section header table), respectively. In fact, a file does not necessarily contain all the contents, and their positions are not necessarily arranged as shown, only the position of the ELF header is fixed, and the information of the positions, sizes, and the like of the rest of the parts is determined by the values in the ELF header.
After an ELF file of a program is obtained, file header information of the ELF file is checked through a first command (the first command is readelf-h) of analyzing the ELF file.
The display of specific information can be controlled by parameter options, and the command is very useful in analyzing the format of the ELF file.
And step S20, judging whether the Type option in the file header information is a DYN Type, if so, checking the dynamic segment of the ELF file by analyzing a second command of the ELF file.
The file Header information may determine the type of the ELF file, for example, a file _ identification in an ELF Header indicates that the file type is a binary file of the ELF.
The file header information comprises a Type option, and after the file header information is acquired, whether the Type option in the file header information is a DYN (shared object file) Type is judged, and the DYN (shared object file) represents the file Type. And if the Type option in the file header information is judged to be a DYN Type, viewing the dynamic segment of the ELF file by analyzing a second command (the second command is readelf-d) of the ELF file.
Further, if the Type option in the header information is judged not to be the DYN Type, it indicates that the program does not start PIE security protection, and if the program does not start PIE security protection, the user is prompted to start PIE security protection.
And step S30, judging whether the DEBUG option exists in the dynamic segment, if so, indicating that the PIE security protection is opened by the program.
After the dynamic segment of the ELF file is checked through analyzing the second command of the ELF file, whether a DEBUG option exists in the dynamic segment is judged, and if yes, the program indicates that PIE security protection is started.
Further, if the fact that the DEBUG option does not exist in the dynamic segment is judged, the program indicates that PIE safety protection is not started, and if the program does not start PIE safety protection, a user is prompted to start PIE safety protection.
That is, in the present invention, only when the program starts the PIE security protection, the load address needs to be transformed each time the program is loaded, so that a hacker cannot use the conventional fixed address method to attack the program with a bug, for example, after the PIE security protection is started, the hacker cannot use the conventional fixed address method to exploit the bug, that is, the hacker cannot use Ret2libc (which is an attack method for resisting the linux system stack protection, most linux systems have a stack protection mechanism, in a simple way, since the instruction in the stack cannot be executed, the function in libc can be found to be executed, thus bypassing the problem that the data cannot be executed) to construct the ROPgadget (development tool) for exploitation.
The method and the device can check whether the executable file has the option of starting the PIE security, and if not, prompt the user to start the PIE security, so as to prevent the program from being attacked by hackers in advance.
Further, as shown in fig. 2, based on the above detection method based on the PIE security protection, the present invention also provides a terminal, which includes a processor 10, a memory 20, and a display 30. Fig. 2 shows only some of the components of the terminal, but it is to be understood that not all of the shown components are required to be implemented, and that more or fewer components may be implemented instead.
The memory 20 may in some embodiments be an internal storage unit of the terminal, such as a hard disk or a memory of the terminal. The memory 20 may also be an external storage device of the terminal in other embodiments, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like provided on the terminal. Further, the memory 20 may also include both an internal storage unit and an external storage device of the terminal. The memory 20 is used for storing application software installed in the terminal and various types of data, such as program codes of the installation terminal. The memory 20 may also be used to temporarily store data that has been output or is to be output. In an embodiment, the storage 20 stores a PIE security protection-based detection program 40, and the PIE security protection-based detection program 40 can be executed by the processor 10, so as to implement the PIE security protection-based detection method in the present application.
The processor 10 may be, in some embodiments, a Central Processing Unit (CPU), a microprocessor or other data Processing chip, and is configured to run program codes stored in the memory 20 or process data, such as executing the PIE security protection-based detection method.
The display 30 may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED (Organic Light-Emitting Diode) touch panel, or the like in some embodiments. The display 30 is used for displaying information at the terminal and for displaying a visual user interface. The components 10-30 of the terminal communicate with each other via a system bus.
In one embodiment, the following steps are implemented when the processor 10 executes the PIE security protection based detection program 40 in the memory 20:
acquiring an ELF file of a program, and checking file header information of the ELF file by analyzing a first command of the ELF file;
judging whether a Type option in the file header information is a DYN Type, if so, checking a dynamic segment of the ELF file by analyzing a second command of the ELF file;
and judging whether the DEBUG option exists in the dynamic section, if so, indicating that the PIE security protection is opened by the program.
Wherein, the judging whether the Type option in the file header information is a DYN Type further includes:
and if the Type option in the file header information is judged not to be the DYN Type, indicating that the PIE safety protection is not opened by the program.
Wherein, the judging whether the dynamic segment has a DEBUG option further comprises:
and if the dynamic segment is judged to have no DEBUG option, indicating that the program does not start PIE security protection.
The detection method based on the PIE safety protection further comprises the following steps:
and if the program does not start the PIE safety protection, prompting a user to start the PIE safety protection.
The ELF file comprises a file header, a program header table, sections and a section header table.
Wherein the first command is readelf-h.
Wherein the second command is readelf-d.
The invention also provides a storage medium, wherein the storage medium stores a detection program based on the PIE security protection, and the detection program based on the PIE security protection realizes the steps of the detection method based on the PIE security protection when being executed by a processor.
In summary, the present invention provides a detection method, a terminal and a storage medium based on PIE security protection, where the method includes: acquiring an ELF file of a program, and checking file header information of the ELF file by analyzing a first command of the ELF file; judging whether a Type option in the file header information is a DYN Type, if so, checking a dynamic segment of the ELF file by analyzing a second command of the ELF file; and judging whether the DEBUG option exists in the dynamic section, if so, indicating that the PIE protection is started by the program. According to the invention, whether the PIE safety protection is started by the program is judged, the user is reminded to start the PIE safety protection when the PIE safety protection is not started by the program, and if the PIE safety protection is started by the program, the loading address needs to be changed when the program is loaded every time, so that a hacker can not use a traditional fixed address method to attack the program by utilizing a vulnerability.
Of course, it will be understood by those skilled in the art that all or part of the processes of the methods of the above embodiments may be implemented by a computer program instructing relevant hardware (such as a processor, a controller, etc.), and the program may be stored in a computer readable storage medium, and when executed, the program may include the processes of the above method embodiments. The storage medium may be a memory, a magnetic disk, an optical disk, etc.
It is to be understood that the invention is not limited to the examples described above, but that modifications and variations may be effected thereto by those of ordinary skill in the art in light of the foregoing description, and that all such modifications and variations are intended to be within the scope of the invention as defined by the appended claims.
Claims (9)
1. A detection method based on PIE security protection is characterized in that the detection method based on PIE security protection comprises the following steps:
acquiring an ELF file of a program, and checking file header information of the ELF file by analyzing a first command of the ELF file;
judging whether a Type option in the file header information is a DYN Type, if so, checking a dynamic segment of the ELF file by analyzing a second command of the ELF file;
and judging whether the DEBUG option exists in the dynamic section, if so, indicating that the PIE security protection is opened by the program.
2. The method according to claim 1, wherein the determining whether the Type option in the header information is a DYN Type further comprises:
and if the Type option in the file header information is judged not to be the DYN Type, indicating that the PIE safety protection is not opened by the program.
3. The detection method based on PIE security protection according to claim 2, wherein said determining whether there is a DEBUG option in the dynamic segment further comprises:
and if the dynamic segment is judged to have no DEBUG option, indicating that the program does not start PIE security protection.
4. The PIE security protection-based detection method according to claim 3, further comprising:
and if the program does not start the PIE safety protection, prompting a user to start the PIE safety protection.
5. The PIE security protection-based detection method of claim 1, wherein the ELF file comprises a file header, a program header table, a section and a section header table.
6. The PIE security protection-based detection method of claim 1, wherein the first command is readelf-h.
7. The PIE security protection-based detection method of claim 1, wherein the second command is readelf-d.
8. A terminal, characterized in that the terminal comprises: a memory, a processor, and a PIE security protection-based detection program stored on the memory and executable on the processor, the PIE security protection-based detection program when executed by the processor implementing the steps of the PIE security protection-based detection method as claimed in any of claims 1-7.
9. A storage medium, characterized in that the storage medium stores a PIE security protection-based detection program, and the PIE security protection-based detection program implements the steps of the PIE security protection-based detection method according to any one of claims 1 to 7 when executed by a processor.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011169020.3A CN112181751A (en) | 2020-10-28 | 2020-10-28 | Detection method based on PIE security protection, terminal and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011169020.3A CN112181751A (en) | 2020-10-28 | 2020-10-28 | Detection method based on PIE security protection, terminal and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112181751A true CN112181751A (en) | 2021-01-05 |
Family
ID=73922918
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011169020.3A Pending CN112181751A (en) | 2020-10-28 | 2020-10-28 | Detection method based on PIE security protection, terminal and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112181751A (en) |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111046349A (en) * | 2019-12-16 | 2020-04-21 | 北京智游网安科技有限公司 | So library file reinforcement identification method, intelligent terminal and storage medium |
-
2020
- 2020-10-28 CN CN202011169020.3A patent/CN112181751A/en active Pending
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111046349A (en) * | 2019-12-16 | 2020-04-21 | 北京智游网安科技有限公司 | So library file reinforcement identification method, intelligent terminal and storage medium |
Non-Patent Citations (1)
Title |
---|
YARPEE: "看看checksec", pages 1 - 2, Retrieved from the Internet <URL:https://www.cnblogs.com/moonflow/archive/2012/12/29/2839307.html> * |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US6876996B2 (en) | Method and apparatus for using a shared library mechanism to facilitate sharing of metadata | |
AU2014348812B2 (en) | Improved control flow integrity system and method | |
US8627303B2 (en) | Memory optimization of virtual machine code by partitioning extraneous information | |
US6542167B1 (en) | System and method for flexible software linking | |
US9104504B2 (en) | Systems and methods for embedded shared libraries in an executable image | |
US20150301809A1 (en) | Wholesale Replacement of Specialized Classes | |
US20060064576A1 (en) | Boot systems and methods | |
CN109657488B (en) | Resource file encryption processing method, intelligent terminal and storage medium | |
US20080091874A1 (en) | System and method for loading programs from hdd independent of operating system | |
US7162626B2 (en) | Use of common language infrastructure for sharing drivers and executable content across execution environments | |
KR20150024842A (en) | Adaptive portable libraries | |
TW201541353A (en) | Method for loading driver and embedded device | |
US20060161898A1 (en) | Method and system for project library dependency management | |
CN104008340A (en) | Virus scanning and killing method and device | |
US20090235284A1 (en) | Cross-platform compatibility framework for computer applications | |
KR101059633B1 (en) | Heap configuration for multitasking virtual machines | |
WO2016176013A1 (en) | Method and system for generating a mapping between a function call from a legacy binary file to a function call from a virtualized namespace binary file | |
CN112631684B (en) | Executable program running method and device, electronic equipment and computer storage medium | |
KR101875225B1 (en) | Process, computer program, and device for security of intermediate code of programming for the execution thereof by a virtual machine | |
JP5225071B2 (en) | Method for verifying pseudo code loaded on embedded systems, especially smart cards | |
CN111046349A (en) | So library file reinforcement identification method, intelligent terminal and storage medium | |
CN112905962B (en) | Method for protecting program codes in MCU, intelligent terminal and storage medium | |
US9841982B2 (en) | Locating import class files at alternate locations than specified in classpath information | |
CN101236498B (en) | Method for embedding inner core drive program in Window operation system by PCI card start-up | |
CN112181751A (en) | Detection method based on PIE security protection, terminal and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination |