CN112182517A - CANARY security protection-based detection method, terminal and storage medium - Google Patents


Info

Publication number: CN112182517A
Application number: CN202011168472.XA
Authority: CN (China)
Prior art keywords: canary, program, elf, detection method, safety protection
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 余少高, 严智慧
Current assignee: Beijing Zhiyou Wang'an Technology Co ltd
Original assignee: Beijing Zhiyou Wang'an Technology Co ltd
Priority date: 2020-10-28
Filing date: 2020-10-28
Publication date: 2021-01-05

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/12 Protecting executable software
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Abstract

The invention discloses a detection method, a terminal and a storage medium based on CANARY security protection. The method comprises the following steps: acquiring the ELF file of a program, and inspecting the ELF symbol table information of the ELF file by analysing the ELF file with a first command; and judging whether a preset symbol exists in the ELF symbol table information, the presence of the symbol indicating that the program has CANARY security protection enabled. By judging whether a program has CANARY security protection enabled, the method and device can remind the user to enable it when it is not. When the program has CANARY security protection enabled, whether the stack CANARY has been overwritten is checked before every function return; if it has been, this indicates that the program is under attack and the program exits immediately, thereby preventing the program from being exploited by an attacker.

Description

CANARY security protection-based detection method, terminal and storage medium
Technical Field
The invention relates to the technical field of computer security, in particular to a detection method, a terminal and a storage medium based on CANARY security protection.
Background
A buffer overflow occurs when data longer than a small buffer is copied into it, so that the data runs past the end of the buffer and corrupts other data beyond it. A stack overflow is one kind of buffer overflow: the C family of languages has no built-in check that the data copied into a buffer is no larger than the buffer, so when the data is large enough it overruns the bounds of the buffer.
Stack overflow protection is a means of mitigating buffer overflow attacks. When a function contains a buffer overflow vulnerability, an attacker can overwrite the return address on the stack so that shellcode is executed. (Shellcode is a piece of code that is executed by exploiting a software vulnerability; it is hexadecimal machine code, and its name comes from the fact that the attacker usually uses it to obtain a shell. Shellcode is generally written in machine language: once the saved instruction pointer (EIP) has been overwritten by an overflow, a piece of machine code that the CPU (Central Processing Unit) can execute is injected into the function, so that the computer executes whatever instructions the attacker chooses.) With stack protection enabled, cookie information (data stored on the user's local terminal) is inserted into the stack when a function begins executing, and whether the cookie is still valid is verified when the function actually returns; if the cookie is invalid, the program is stopped. Because an attacker who overwrites the return address generally overwrites the cookie as well, the stack protection check fails and execution of the shellcode is prevented. In Linux this cookie information is referred to as the CANARY.
If the program does not have CANARY security protection enabled, there is no check before each function return of whether the stack CANARY has been overwritten, and an attack cannot be prevented.
Accordingly, the prior art is yet to be improved and developed.
Disclosure of Invention
The main object of the invention is to provide a detection method, a terminal and a storage medium based on CANARY security protection, in order to solve the problem in the prior art that an attack cannot be prevented when CANARY security protection is not enabled.
In order to achieve the above object, the present invention provides a detection method based on CANARY security protection, which comprises the following steps:
acquiring the ELF file of a program, and inspecting the ELF symbol table information of the ELF file by analysing the ELF file with a first command;
and judging whether a preset symbol exists in the ELF symbol table information; if so, the program has CANARY security protection enabled.
In the CANARY security protection-based detection method, the step of judging whether the preset symbol exists in the ELF symbol table information further comprises:
if the preset symbol is judged not to exist in the ELF symbol table information, the program does not have CANARY security protection enabled.
The CANARY security protection-based detection method further comprises:
if the program does not have CANARY security protection enabled, prompting the user to enable CANARY security protection.
In the CANARY security protection-based detection method, the first command is readelf -s.
In the CANARY security protection-based detection method, the preset symbol is the __stack_chk_fail symbol.
In addition, to achieve the above object, the present invention further provides a terminal, wherein the terminal comprises a memory, a processor and a CANARY security protection-based detection program stored in the memory and executable on the processor, the CANARY security protection-based detection program implementing the steps of the CANARY security protection-based detection method when executed by the processor.
In addition, to achieve the above object, the present invention further provides a storage medium, wherein the storage medium stores a CANARY security protection-based detection program, and the CANARY security protection-based detection program implements the steps of the CANARY security protection-based detection method described above when executed by a processor.
According to the method, the ELF file of a program is acquired, and the ELF symbol table information of the ELF file is inspected by analysing the ELF file with a first command; it is then judged whether a preset symbol exists in the ELF symbol table information, and if so, the program has CANARY security protection enabled. By judging whether a program has CANARY security protection enabled, the method and device can remind the user to enable it when it is not. When the program has CANARY security protection enabled, whether the stack CANARY has been overwritten is checked before every function return; if it has been, this indicates that the program is under attack and the program exits immediately, thereby preventing the program from being exploited by an attacker.
Drawings
FIG. 1 is a flow chart of the preferred embodiment of the CANARY security protection-based detection method of the present invention;
FIG. 2 is a schematic diagram of the operating environment of a terminal according to a preferred embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer and clearer, the present invention is further described in detail below with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
As shown in FIG. 1, the detection method based on CANARY security protection according to the preferred embodiment of the present invention comprises the following steps:
Step S10: acquiring the ELF file of the program, and inspecting the ELF symbol table information of the ELF file by analysing the ELF file with a first command.
In the invention, the cookie information is called CANARY in Linux. A Cookie is a simple text file stored on the client; the file is associated with a specific Web document and stores information from the client's visit to that document, which the document can use when the client visits it again. Because a Cookie has the useful property of being saved on the client, it can be used to record a user's personal information without a complex program such as CGI.
For example, a Web site may generate a unique ID for each visitor and store it as a Cookie file on each user's machine. If they are accessed via a browser, all the Cookies stored on the hard disk can be seen. Each file in the folder is a text file consisting of name/value pairs, and one file stores the information for one corresponding Web site. Each Cookie file is a simple plain text file. The file name shows which Web site placed the Cookie on the machine (although the site information is also stored inside the file).
An attacker can steal Cookies stored on a user's hard disk or in memory by means of malicious programs such as Trojans, or by cross-site scripting attacks and similar methods; by passively monitoring network communications on an insecure local area network; by taking control of routing infrastructure, for instance by attacking a network user's router or setting up a malicious wireless router, and redirecting network traffic to a host controlled by the attacker; or by launching a domain spoofing attack against the domain name server, for instance through DNS cache poisoning, DNS response spoofing or modification of the user's local domain name resolution file, so that the user's request for a legitimate website is redirected to a malicious one. With a captured authentication Cookie, an attacker often tries to guess the access token it contains and so obtain sensitive information such as a session ID, user name and password, user role or timestamp, or simply replays the Cookie to impersonate the victim and launch an attack.
In computer science, ELF (Executable and Linkable Format) is the file format used for executables, object code, shared libraries and core dumps.
Specifically, an ELF file consists of four parts: the ELF header (the file header), the program header table, the sections and the section header table. In practice a file need not contain all of these parts, and they need not be arranged in the order shown; only the position of the ELF header is fixed, and the positions, sizes and other details of the remaining parts are determined by the values in the ELF header.
After the ELF file of the program has been acquired, the ELF symbol table information of the ELF file is inspected by analysing the ELF file with a first command, the first command being readelf -s.
readelf displays information about ELF files; which information is displayed is controlled by its options, and the command is very useful when analysing the format of an ELF file.
Step S20: judging whether a preset symbol exists in the ELF symbol table information; if so, the program has CANARY security protection enabled.
The preset symbol is the __stack_chk_fail symbol. Once the program has CANARY security protection enabled, if the CANARY is found to have been modified, the program calls the __stack_chk_fail function, which prints the string pointed to by argv[0], normally the program name.
After the ELF symbol table information has been obtained, it is judged whether the __stack_chk_fail symbol exists in the ELF symbol table information; if the __stack_chk_fail symbol exists, the program has CANARY security protection enabled.
Further, if the preset symbol is judged not to exist in the ELF symbol table information, the program does not have CANARY security protection enabled. If the program does not have CANARY security protection enabled, the user is prompted to enable it, so that the program is protected against attack in advance.
That is, in the present invention, only when the program has CANARY security protection enabled is it checked, before every function return, whether the stack CANARY has been overwritten; if it has, the stack has been attacked and the program can exit immediately. CANARY security protection therefore greatly improves the security of the program.
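The detection of steps S10 and S20, as an added example that is not part of the patent: the script checks a `readelf -s` listing (the patent's first command) for the preset symbol and, for comparison, reads the ELF symbol tables directly so the check also works where readelf is unavailable. The readelf excerpt and the ELF images are constructed test data; `__stack_chk_fail_local`, the second symbol accepted, is the i386 PIC variant of the handler and goes beyond the patent's single preset symbol.

```python
"""Stack-canary (SSP) detection for ELF files via the __stack_chk_fail symbol.
Added example, not from the patent: it checks `readelf -s` text (the patent's
first command) and also reads the ELF symbol tables directly (little-endian
ELF64 only). The readelf excerpt and ELF images below are constructed data."""
import struct

SHT_STRTAB, SHT_SYMTAB, SHT_DYNSYM = 3, 2, 11
# __stack_chk_fail is the glibc handler the epilogue check calls on a mismatch;
# __stack_chk_fail_local is the i386 PIC variant some toolchains emit instead.
CANARY_SYMBOLS = {"__stack_chk_fail", "__stack_chk_fail_local"}


def symbols_from_readelf(text):
    """Symbol names from `readelf -s` output. Symbol rows look like
    '3: 0000000000000000 0 FUNC GLOBAL DEFAULT UND name@GLIBC_2.4 (2)'."""
    names = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 8 and f[0].endswith(":") and f[0][:-1].isdigit():
            names.add(f[7].split("@")[0])  # drop the @GLIBC version suffix
    return names


def symbols_from_elf(data):
    """Names from every .symtab / .dynsym section of an ELF64 LE image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_shoff, = struct.unpack_from("<Q", data, 0x28)       # section header table
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, addralign, entsize
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    names = set()
    for sh in shdrs:
        sh_type, sh_off, sh_size, sh_link, sh_entsize = sh[1], sh[4], sh[5], sh[6], sh[9]
        if sh_type not in (SHT_SYMTAB, SHT_DYNSYM) or sh_entsize == 0:
            continue
        str_off, str_size = shdrs[sh_link][4], shdrs[sh_link][5]  # linked string table
        for j in range(sh_size // sh_entsize):
            st_name, = struct.unpack_from("<I", data, sh_off + j * sh_entsize)
            start = str_off + st_name
            end = data.index(b"\x00", start, str_off + str_size)
            if end > start:  # skip the mandatory null symbol (empty name)
                names.add(data[start:end].decode("ascii", "replace"))
    return names


def canary_enabled(names):
    """The patent's rule: the preset symbol present means CANARY is enabled."""
    return bool(names & CANARY_SYMBOLS)


def build_sample_elf(imports):
    """Construct a minimal ELF64 whose .dynsym imports the given function names."""
    dynstr = b"\x00" + b"\x00".join(s.encode() for s in imports) + b"\x00"
    shstrtab = b"\x00.dynsym\x00.dynstr\x00.shstrtab\x00"
    dynsym, name_off = struct.pack("<IBBHQQ", 0, 0, 0, 0, 0, 0), 1  # null symbol first
    for s in imports:
        # st_info 0x12 = STB_GLOBAL | STT_FUNC, st_shndx 0 = SHN_UNDEF (imported)
        dynsym += struct.pack("<IBBHQQ", name_off, 0x12, 0, 0, 0, 0)
        name_off += len(s) + 1
    dynsym_off, dynstr_off = 64, 64 + len(dynsym)
    shstr_off = dynstr_off + len(dynstr)
    shoff = shstr_off + len(shstrtab)
    def shdr(name, typ, off, size, link, entsize):
        return struct.pack("<IIQQQQIIQQ", name, typ, 0, 0, off, size, link, 0, 1, entsize)
    shdrs = (shdr(0, 0, 0, 0, 0, 0) + shdr(1, SHT_DYNSYM, dynsym_off, len(dynsym), 2, 24)
             + shdr(9, SHT_STRTAB, dynstr_off, len(dynstr), 0, 0)
             + shdr(17, SHT_STRTAB, shstr_off, len(shstrtab), 0, 0))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELF64, LSB, version 1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, 62, 1, 0, 0, shoff,
                       0, 64, 0, 0, 64, 4, 3)  # ET_DYN, x86-64, 4 shdrs, shstrndx 3
    return ehdr + dynsym + dynstr + shstrtab + shdrs


READELF_SAMPLE = """Symbol table '.dynsym' contains 3 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND puts@GLIBC_2.2.5 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
"""

if __name__ == "__main__":
    for imports in (["puts", "__stack_chk_fail"], ["puts"]):
        ok = canary_enabled(symbols_from_elf(build_sample_elf(imports)))
        print(imports, "->", "CANARY enabled" if ok else "CANARY not enabled; rebuild with -fstack-protector-strong")
```

Only the presence of the symbol is tested; as with checksec, a hit shows that at least one function was compiled with a stack protector, not that every function was.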
Further, as shown in FIG. 2, based on the above detection method based on CANARY security protection, the present invention also provides a terminal, which comprises a processor 10, a memory 20 and a display 30. FIG. 2 shows only some of the components of the terminal; it is to be understood that not all of the components shown need to be implemented, and that more or fewer components may be implemented instead.
The memory 20 may in some embodiments be an internal storage unit of the terminal, such as a hard disk or the memory of the terminal. In other embodiments the memory 20 may be an external storage device of the terminal, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a Flash memory card (Flash Card) attached to the terminal. Further, the memory 20 may include both an internal storage unit and an external storage device of the terminal. The memory 20 is used for storing the application software installed on the terminal and various types of data, such as the program code installed on the terminal. The memory 20 may also be used to temporarily store data that has been output or is to be output. In one embodiment, the memory 20 stores a CANARY security protection-based detection program 40, and the CANARY security protection-based detection program 40 can be executed by the processor 10 so as to implement the CANARY security protection-based detection method of the present application.
The processor 10 may be a Central Processing Unit (CPU), microprocessor or other data Processing chip in some embodiments, and is used to run program codes stored in the memory 20 or process data, for example, execute the CANARY security protection-based detection method.
The display 30 may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED (Organic Light-Emitting Diode) touch panel, or the like in some embodiments. The display 30 is used for displaying information at the terminal and for displaying a visual user interface. The components 10-30 of the terminal communicate with each other via a system bus.
In one embodiment, the following steps are implemented when the processor 10 executes the CANARY security protection-based detection program 40 in the memory 20:
acquiring the ELF file of a program, and inspecting the ELF symbol table information of the ELF file by analysing the ELF file with a first command;
and judging whether a preset symbol exists in the ELF symbol table information; if so, the program has CANARY security protection enabled.
Wherein the judging whether the preset symbol exists in the ELF symbol table information further comprises:
if the preset symbol is judged not to exist in the ELF symbol table information, the program does not have CANARY security protection enabled.
The detection method based on CANARY security protection further comprises the following step:
if the program does not have CANARY security protection enabled, prompting the user to enable CANARY security protection.
Wherein the first command is readelf -s.
Wherein the preset symbol is the __stack_chk_fail symbol.
The invention also provides a storage medium, wherein the storage medium stores a detection program based on CANARY security protection, and the detection program based on CANARY security protection realizes the steps of the detection method based on CANARY security protection when being executed by a processor.
In summary, the present invention provides a detection method, a terminal and a storage medium based on CANARY security protection, wherein the method comprises: acquiring the ELF file of a program, and inspecting the ELF symbol table information of the ELF file by analysing the ELF file with a first command; and judging whether a preset symbol exists in the ELF symbol table information; if so, the program has CANARY security protection enabled. By judging whether a program has CANARY security protection enabled, the method and device can remind the user to enable it when it is not. When the program has CANARY security protection enabled, whether the stack CANARY has been overwritten is checked before every function return; if it has been, this indicates that the program is under attack and the program exits immediately, thereby preventing the program from being exploited by an attacker.
Of course, it will be understood by those skilled in the art that all or part of the processes of the methods of the above embodiments may be implemented by a computer program instructing relevant hardware (such as a processor, a controller, etc.), and the program may be stored in a computer readable storage medium, and when executed, the program may include the processes of the above method embodiments. The storage medium may be a memory, a magnetic disk, an optical disk, etc.
It is to be understood that the invention is not limited to the examples described above, but that modifications and variations may be effected thereto by those of ordinary skill in the art in light of the foregoing description, and that all such modifications and variations are intended to be within the scope of the invention as defined by the appended claims.

Claims (7)

1. A detection method based on CANARY security protection, characterized in that the detection method based on CANARY security protection comprises the following steps:
acquiring the ELF file of a program, and inspecting the ELF symbol table information of the ELF file by analysing the ELF file with a first command;
and judging whether a preset symbol exists in the ELF symbol table information; if so, the program has CANARY security protection enabled.
2. The CANARY security protection-based detection method of claim 1, wherein the judging whether the preset symbol exists in the ELF symbol table information further comprises:
if the preset symbol is judged not to exist in the ELF symbol table information, the program does not have CANARY security protection enabled.
3. The CANARY security protection-based detection method of claim 2, further comprising:
if the program does not have CANARY security protection enabled, prompting the user to enable CANARY security protection.
4. The CANARY security protection-based detection method of claim 1, wherein the first command is readelf -s.
5. The CANARY security protection-based detection method of claim 1 or 2, wherein the preset symbol is the __stack_chk_fail symbol.
6. A terminal, characterized in that the terminal comprises: a memory, a processor and a CANARY security protection-based detection program stored in the memory and executable on the processor, the CANARY security protection-based detection program, when executed by the processor, implementing the steps of the CANARY security protection-based detection method of any one of claims 1 to 5.
7. A storage medium storing a CANARY security protection-based detection program, the CANARY security protection-based detection program, when executed by a processor, implementing the steps of the CANARY security protection-based detection method of any one of claims 1 to 5.

Priority Applications (1)

Application number: CN202011168472.XA (publication CN112182517A, en)
Priority date: 2020-10-28
Filing date: 2020-10-28
Title: CANARY security protection-based detection method, terminal and storage medium

Publications (1)

Publication number: CN112182517A (en)
Publication date: 2021-01-05

Family

Family ID: 73922218

Country Status (1)

CN: CN112182517A (en)

Citations (3)

* Cited by examiner, † Cited by third party
CN108573143A * (priority 2017-03-10, published 2018-09-25), Nanjing University: Stack protection method based on program instrumentation and dynamic information verification
CN111046349A * (priority 2019-12-16, published 2020-04-21), Beijing Zhiyou Wang'an Technology Co ltd: Method for identifying the hardening of .so library files, intelligent terminal and storage medium
US20200184079A1 * (priority 2017-07-31, published 2020-06-11), Nec Corporation: Program verification system, method, and program

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Anonymous: "A look at checksec", retrieved from the Internet: https://blog.csdn.net/weixin_34112900/article/details/94313015 *
宜信技术学院: "The life of a program: the hard journey from source code to process", retrieved from the Internet: https://segmentfault.com/a/1190000022040651#item-5-10 *
紫色仰望合天智汇: "Format string vulnerabilities and their exploitation, for beginners", retrieved from the Internet: https://zhuanlan.zhihu.com/p/147542190?utm_id=0 *

Legal Events

Code: PB01, Publication
Code: SE01, Entry into force of request for substantive examination