CN112199685B - Intelligent terminal equipment derived vulnerability mining method based on architecture similarity - Google Patents


Info

Publication number
CN112199685B
Authority
CN
China
Legal status
Active
Application number
CN202011023973.9A
Other languages
Chinese (zh)
Other versions
CN112199685A (en)
Inventor
常瑞
姜博文
巴钟杰
任奎
董延珊
曾韵
Current Assignee
Institute Of Computer Innovation Technology Zhejiang University
Original Assignee
Institute Of Computer Innovation Technology Zhejiang University

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security


Abstract

The invention discloses a method for mining derived vulnerabilities in intelligent terminal devices based on architecture similarity. Taking a device under test and a known intelligent terminal device as the two intelligent terminal devices, the architecture similarity between them is judged; if architecture similarity exists between the two devices, derived-vulnerability mining based on that similarity is carried out against the device under test. The method can effectively improve the vulnerability mining efficiency for intelligent terminal devices, is universally applicable, and lends itself to fully automated execution by machines.

Description

Intelligent terminal equipment derived vulnerability mining method based on architecture similarity
Technical Field
The invention belongs to the technical field of vulnerability mining for computer equipment, and particularly relates to a method for mining derived vulnerabilities in intelligent terminal devices based on architecture similarity.
Background
An intelligent terminal device is a small computing system with information-processing, storage and networking capability. Its product forms vary widely with the application scenario and include, but are not limited to, network routers, network firewalls, network printers, network copiers, network projectors, electronic screens, scanners, car navigation devices, home gateways, television set-top boxes, televisions, network cameras, home sensors and the like. Driven by advances in processing capacity, storage capacity and network performance, intelligent terminal devices have expanded from traditional communication into information production, interaction and consumption, and have become important nodes in the cyberspace of the internetworking age.
On the one hand, intelligent terminal devices often contain a large number of vulnerabilities, for reasons such as insufficient security awareness and skill among developers, large numbers of low-quality open-source modules, uncontrolled development tool chains and the difficulty of evaluating the security risks of the underlying development platform, and therefore carry extremely high potential safety hazards in use; on the other hand, such devices often give little consideration to security protection mechanisms in their architectural design and lack a human-computer interface, so users cannot perceive security issues.
Only if the vulnerabilities in intelligent terminal devices are effectively detected can the safety of users of the devices be guaranteed, including protecting the device from illegal access, preventing disclosure of private information, preventing the device from being used as a gateway for intrusion into information systems, and preventing the device from being used by hackers as a zombie node.
Because the probability that the same processor and electronic devices are adopted, the same constituent circuits are referenced and the same open-source software modules are referenced during the design of intelligent terminal devices is very high, the probability that vulnerabilities with the same behaviour and harm appear in different intelligent terminal devices is also very high. This holds not only between two intelligent terminal devices with similar purposes (for example, a vulnerability T exposed in a network printer produced by company A may often also exist in other types of network printer produced by company A, and may also exist in a network printer produced by company B), but also between two intelligent terminal devices with quite different purposes (for example, a vulnerability T exposed in a network printer may also exist in a network camera or a network television).
Disclosure of Invention
To solve the problems described in the background, the invention aims to provide a method for mining derived vulnerabilities in intelligent terminal devices based on architecture similarity, so that the vulnerability mining efficiency for such devices is effectively improved and support is provided for evaluating their security.
To achieve this, the invention adopts the following technical scheme:
Taking a device under test and a known intelligent terminal device as the two intelligent terminal devices, judge their architecture similarity; if architecture similarity exists between the two devices, carry out derived-vulnerability mining based on that similarity against the device under test.
Architecture similarity of intelligent terminal devices is defined as follows:
Two intelligent terminal devices A and B are architecturally similar if one of the following conditions is satisfied:
(1) The processors of the two devices are of the same type, or execute the same instruction set, or contain at least two circuit modules with the same function;
a circuit module is also called an IP core, i.e. a logic block or data block used in an application-specific integrated circuit (ASIC) or programmable logic device (FPGA), such as a USB interface, a network interface, a PCI interface, a memory interface, power-supply monitoring, etc.
(2) The two devices contain circuit modules with the same function, or their circuits are isomorphic as a whole or locally; the smallest unit of local isomorphism is a single device, and combinations of several devices are also included.
Circuit isomorphism means that a circuit with the same function in each intelligent terminal device uses the same group of devices, and the connection relations between those devices are consistent. The smallest structural unit in a circuit is a device; several devices forming a complete functional module constitute a group of devices.
Circuits with the same function are determined from their circuit adjacency graph description: the vertices of the circuit adjacency graph are devices, and the edges between vertices represent the connections between devices.
(3) The execution code of the two devices contains several code fragments with the same execution behaviour, such as a bootloader, an operating system, a network driver, a networking protocol, an identity-authentication protocol, application execution code, etc.
Derived vulnerabilities in the invention are determined as follows: if vulnerability T exists in intelligent terminal device A and vulnerability T also exists in intelligent terminal device B, then T is a derived vulnerability.
Derived-vulnerability mining in the invention is the process of mining vulnerability T in intelligent terminal device B starting from the known vulnerability T in intelligent terminal device A.
Specifically, it is known that intelligent terminal device A contains vulnerability T, and the detailed location of T (a device, a circuit, execution code, etc.) is determined; if intelligent terminal device B, as the device under test, is similar to device A as a whole, or merely contains the part in which T is located, that is, the two devices are architecturally similar, then device B is judged to necessarily contain vulnerability T.
Step S4 specifically comprises the following working steps:
1) Collect and sort the various disclosed exploitation methods for intelligent terminal device vulnerabilities, and construct from them an intelligent terminal device vulnerability test operation sequence library;
2) Collect and sort all kinds of public intelligent terminal device vulnerabilities, and construct an intelligent terminal device vulnerability library;
3) For the device under test, use each item in the vulnerability test operation sequence library to run a test against it, and output the vulnerability corresponding to each test operation sequence whose test result is true, together with its vulnerability description entry, in the form <vulnerability number, vulnerability type, vulnerability hazard level, attack test sequence>;
a test operation sequence has a true test result when the vulnerability it tests is detected in the device under test; every item in the library is run in turn.
4) Extract and identify the processor model of the device under test (it can be read manually, or photographed and then extracted with image-processing software), and check whether the intelligent terminal device vulnerability library contains that processor model:
if it does, extract and output from the library all vulnerabilities corresponding to that processor model and their description entries, in the form <vulnerability number, vulnerability type, vulnerability hazard level, vulnerability detailed location description>;
5) Extract the names of all devices and circuit modules in the device under test, and search the vulnerability library for each device or circuit module name;
if a name is present, extract and output from the library all vulnerabilities corresponding to that device or circuit module name and their description entries, in the form <vulnerability number, vulnerability type, vulnerability hazard level, vulnerability-associated device or circuit module name>;
6) Extract the connections between all devices and circuit modules in the device under test, construct its circuit adjacency graph, compare it with the circuit adjacency graph associated with each vulnerability in the library, and output the vulnerabilities corresponding to the circuit adjacency graphs whose comparison result is true, together with their description entries, in the form <vulnerability number, vulnerability type, vulnerability hazard level, vulnerability-associated circuit adjacency graph>;
a circuit adjacency graph in the library has a true comparison result when its calculated similarity to the circuit adjacency graph of the device under test exceeds a preset threshold.
For example, construct the circuit adjacency graph G of the device under test; compare each vulnerability-associated circuit adjacency graph G_T in the library with G, judge whether G_T is a subgraph of G, and output the vulnerabilities corresponding to all circuit adjacency graphs whose comparison result is true.
7) Extract the execution code of the device under test and its processor model, processor type or instruction set type;
match the code fragment associated with each execution-code class vulnerability entry in the library against the execution code of the device under test, and output the vulnerabilities corresponding to all code fragments whose comparison result is true;
a code fragment in the library has a true comparison result when its calculated similarity to the execution code of the device under test exceeds a preset threshold.
8) Output the detection results and the total number of vulnerabilities found.
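The circuit adjacency-graph comparison of step 6), as an added example in Python that is not part of the patent: a small labelled graph type, a backtracking check of whether a vulnerability-associated graph G_T embeds in the device graph G, and a sweep over a library. The part names, vertex ids and library entries are constructed sample data, not values from any real device.

```python
"""Step 6 as an added illustration (not the patent's own code).

Vertices are devices labelled with their device or circuit module name; edges
are connections.  G_T matches the device graph G when there is a
label-preserving injective mapping of G_T's vertices into G under which every
connection of G_T is also a connection of G (G_T is a subgraph of G).
"""


class CircuitGraph:
    """Undirected labelled graph: vertices are devices, edges are connections."""

    def __init__(self):
        self.label = {}   # vertex id -> device / circuit module name
        self.adj = {}     # vertex id -> set of connected vertex ids

    def add_device(self, vid, name):
        self.label[vid] = name
        self.adj.setdefault(vid, set())

    def connect(self, a, b):
        self.adj[a].add(b)
        self.adj[b].add(a)


def find_embedding(gt, g):
    """Return a mapping of G_T's vertices onto G's vertices under which labels
    agree and every edge of G_T is an edge of G, or None if none exists.
    Backtracking search; library template graphs are small, so this is fast."""
    # Place the most-connected template devices first to prune early.
    order = sorted(gt.adj, key=lambda v: -len(gt.adj[v]))

    def consistent(tv, gv, mapping):
        if gt.label[tv] != g.label[gv] or len(gt.adj[tv]) > len(g.adj[gv]):
            return False
        # Every template neighbour already placed must be wired to gv in G.
        return all(mapping[n] in g.adj[gv] for n in gt.adj[tv] if n in mapping)

    def search(i, mapping, used):
        if i == len(order):
            return dict(mapping)
        tv = order[i]
        for gv in g.adj:
            if gv in used or not consistent(tv, gv, mapping):
                continue
            mapping[tv] = gv
            used.add(gv)
            found = search(i + 1, mapping, used)
            if found is not None:
                return found
            del mapping[tv]
            used.discard(gv)
        return None

    return search(0, {}, set())


def match_circuit_graphs(device_graph, vuln_library):
    """Compare every G_T in the library with G and return the description
    entries <number, type, level, embedding of G_T> whose comparison is true."""
    hits = []
    for entry in vuln_library:
        mapping = find_embedding(entry["graph"], device_graph)
        if mapping is not None:
            hits.append((entry["number"], entry["type"], entry["level"], mapping))
    return hits


def build_graph(devices, connections):
    g = CircuitGraph()
    for vid, name in devices.items():
        g.add_device(vid, name)
    for a, b in connections:
        g.connect(a, b)
    return g


# Constructed device under test: a SoC wired to flash, an Ethernet PHY, a
# UART transceiver and a power-management IC (all part names are made up).
DEVICE_G = build_graph(
    {"d0": "SOC-X1", "d1": "SPI-FLASH-Y", "d2": "ETH-PHY-Z",
     "d3": "UART-XCVR", "d4": "PMIC-W"},
    [("d0", "d1"), ("d0", "d2"), ("d0", "d3"), ("d0", "d4")])

# Constructed library: the first G_T (SoC + flash + PHY) is present in G;
# the second needs a USB hub the device does not have.
VULN_LIBRARY = [
    {"number": "EXAMPLE-0001", "type": "example", "level": "high",
     "graph": build_graph({"t0": "SOC-X1", "t1": "SPI-FLASH-Y", "t2": "ETH-PHY-Z"},
                          [("t0", "t1"), ("t0", "t2")])},
    {"number": "EXAMPLE-0002", "type": "example", "level": "medium",
     "graph": build_graph({"t0": "SOC-X1", "t1": "USB-HUB-Q"}, [("t0", "t1")])},
]

if __name__ == "__main__":
    for number, vtype, level, mapping in match_circuit_graphs(DEVICE_G, VULN_LIBRARY):
        print(f"<{number}, {vtype}, {level}, {mapping}>")
```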
The intelligent terminal device vulnerability test operation sequence library consists of vulnerability entries, each containing at least the following information: vulnerability number, vulnerability type, vulnerability hazard level and vulnerability test operation sequence.
The intelligent terminal device vulnerability library contains the various vulnerabilities and their description entries; each description entry contains at least the following information:
vulnerability number, vulnerability type and vulnerability hazard level;
device name, device manufacturer and device production time of the intelligent terminal device;
the instruction set type of the device's execution code, the minimum instruction length, the code executor and the code executor version;
the detailed location classification description of the vulnerability, the vulnerability exploitation mode and the vulnerability source.
The detailed location classification description is divided into the following categories according to vulnerability type:
processor class: the associated processor model and vulnerability location, the location including structural part, instruction combination, IP core, etc.;
device circuit class: the vulnerability-associated device or circuit module name and circuit adjacency graph;
device execution code class: instruction set type, vulnerability-associated execution code fragment and code fragment name.
As shown in FIG. 4, the step of matching the code fragment a associated with each execution-code class vulnerability entry in the vulnerability library against the execution code B of the device under test is as follows:
1) Take the code fragment a as the code sliding-window template and traverse the execution code B with a sliding window that advances by a fixed code step; at each window position, compare the section b of B that has the same length as the template against the template:
if the match succeeds, the code fragment a is a subsequence of the execution code B, and the vulnerability description entry of the vulnerability corresponding to a is output, expressed as <vulnerability number, vulnerability type, vulnerability hazard level, vulnerability-associated code fragment>;
if the match fails, the same digest algorithm is applied to the code fragment a and the code section b:
if the digests are the same, the vulnerability description entry of the vulnerability corresponding to a is output, expressed as <highly suspected vulnerability: vulnerability number, vulnerability type, vulnerability hazard level, vulnerability-associated code fragment>;
otherwise, the sliding window is advanced by the fixed code step and the next window is processed;
the fixed code step is one minimum-instruction-length unit of the instruction set of the device under test.
2) Disassemble the code fragment a with its corresponding instruction set to obtain the template assembly instruction sequence L_a, and disassemble the execution code B with its corresponding instruction set to obtain the assembly instruction sequence L_B to be tested;
take L_a as the sequence sliding-window template and traverse L_B with a sliding window that advances by a fixed sequence step; at each window position, compare the section L_b of L_B that has the same length as the template against the template:
if the match succeeds, L_a is a subsequence of L_B, and the vulnerability description entry of the vulnerability corresponding to L_a is output, expressed as <vulnerability number, vulnerability type, vulnerability hazard level, vulnerability-associated code fragment>;
if the match fails, the same digest algorithm is applied to L_a and L_b:
if the digests are the same, the vulnerability description entry of the vulnerability corresponding to L_a is output, expressed as <highly suspected vulnerability: vulnerability number, vulnerability type, vulnerability hazard level, vulnerability-associated code fragment>;
otherwise, the sliding window is advanced by the fixed sequence step and the next window is processed;
the fixed sequence step is the length of one assembly instruction of the device under test.
3) Extract the control flow graph of L_a as the template control flow graph G_a, and extract the semantic tree T_a of G_a;
extract the control flow graph of the execution code B as the control flow graph G_B to be tested and its semantic tree T_B, and judge whether G_a is a subgraph of G_B or whether T_a is a subtree of T_B:
if either condition holds, the vulnerability description entry of the vulnerability corresponding to L_a is output, expressed as <highly suspected vulnerability: vulnerability number, vulnerability type, vulnerability hazard level, vulnerability-associated code fragment>.
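Steps 1) and 2) of the matching above, as an added example in Python that is not part of the patent. The 4-byte fixed-length instruction encoding, the mnemonic table and the library entry are constructed for the example, and the mnemonic-only digest used in step 2 is an assumption of this example rather than something the patent specifies.

```python
"""FIG. 4, steps 1 and 2, as an added illustration (not the patent's own code).

Step 1 slides the vulnerability-associated byte fragment a over the device
code B in steps of one minimum instruction length.  Step 2 disassembles both
sides and slides the instruction sequence L_a over L_B one instruction at a
time, so a fragment whose operands were relinked for another device is still
recognised.  The instruction encoding (one opcode byte, three operand bytes)
is a constructed toy ISA, not a real one.
"""
import hashlib

MIN_INSN_LEN = 4                                   # minimum instruction length
TOY_MNEMONICS = {0x10: "ldr", 0x11: "str", 0x20: "add", 0x21: "cmp",
                 0x30: "beq", 0x31: "bl", 0x40: "ret"}


def insn(opcode, operand):
    """Encode one toy instruction."""
    return bytes([opcode]) + operand.to_bytes(3, "big")


def disassemble(code):
    """Toy disassembler: one 'mnemonic operand' string per instruction."""
    if len(code) % MIN_INSN_LEN:
        raise ValueError("code is not a whole number of instructions")
    insns = []
    for i in range(0, len(code), MIN_INSN_LEN):
        mnemonic = TOY_MNEMONICS.get(code[i], "unk")
        operand = int.from_bytes(code[i + 1:i + MIN_INSN_LEN], "big")
        insns.append(f"{mnemonic} {operand:#08x}")
    return tuple(insns)


def raw_digest(data):
    """Step 1 digest over the raw window bytes, as the method describes.
    Equal-length windows give equal digests only when the bytes already
    agree, so this fallback cannot find more than the direct comparison."""
    return hashlib.sha256(data).hexdigest()


def mnemonic_digest(insns):
    """Step 2 digest, taken over the mnemonics only (an assumption of this
    example) so that a relinked copy of the fragment, identical apart from
    addresses and immediates, still produces the same digest."""
    h = hashlib.sha256()
    for text in insns:
        h.update(text.split()[0].encode() + b"\0")
    return h.hexdigest()


def slide(template, target, step, digest):
    """Sliding-window comparison shared by steps 1 and 2.  Returns "match" on
    a direct window match, "suspected" if only the digests agree, else None."""
    n = len(template)
    template_digest = digest(template)
    verdict = None
    for off in range(0, len(target) - n + 1, step):
        window = target[off:off + n]
        if window == template:
            return "match"
        if verdict is None and digest(window) == template_digest:
            verdict = "suspected"
    return verdict


def match_code_entry(entry, code_b):
    """Apply step 1 and, if it finds nothing, step 2 to one execution-code
    class vulnerability entry.  Returns the description entry as
    (verdict, number, type, level, fragment hex), or None."""
    fragment = entry["fragment"]
    verdict = slide(fragment, code_b, MIN_INSN_LEN, raw_digest)
    if verdict is None:
        verdict = slide(disassemble(fragment), disassemble(code_b), 1, mnemonic_digest)
    if verdict is None:
        return None
    return (verdict, entry["number"], entry["type"], entry["level"], fragment.hex())


# Constructed library entry: ldr / cmp / beq / bl with fixed operands.
SAMPLE_ENTRY = {
    "number": "EXAMPLE-0003", "type": "example", "level": "high",
    "fragment": insn(0x10, 0x100) + insn(0x21, 0) + insn(0x30, 8) + insn(0x31, 0x4000),
}
# Constructed device code: B_EXACT embeds the fragment byte for byte,
# B_RELINKED has the same instructions with the bl target moved, B_NONE
# shares nothing with the fragment.
B_EXACT = insn(0x20, 1) + SAMPLE_ENTRY["fragment"] + insn(0x40, 0)
B_RELINKED = (insn(0x20, 1) + insn(0x10, 0x100) + insn(0x21, 0)
              + insn(0x30, 8) + insn(0x31, 0x5000) + insn(0x40, 0))
B_NONE = insn(0x20, 1) + insn(0x11, 0x200) + insn(0x40, 0)

if __name__ == "__main__":
    for name, code in (("B_EXACT", B_EXACT), ("B_RELINKED", B_RELINKED), ("B_NONE", B_NONE)):
        print(name, match_code_entry(SAMPLE_ENTRY, code))
```

Run stand-alone, the block reports "match" for the byte-identical copy, "suspected" for the relinked copy that step 1 cannot see, and None for unrelated code.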
In specific implementations, intelligent terminal devices include, but are not limited to: smartphones, smart tablets, routers, switches, firewalls, home gateways, set-top boxes, smart televisions, printers, copiers, projectors and other electronic devices with computing and communication functions.
The method can effectively improve the vulnerability mining efficiency for intelligent terminal devices, is universally applicable, and lends itself to fully automated execution by machines.
Compared with the prior art, the invention has the following advantages:
1. Compared with discovering vulnerability T by directly analysing the complete circuit composition and all execution code of each intelligent terminal device, derived-vulnerability discovery based on architecture similarity greatly improves vulnerability mining efficiency.
2. Derived-vulnerability discovery based on architecture similarity is not only universally applicable but also lends itself to fully automated execution by machines.
3. The method can detect architecture-similarity-derived vulnerabilities of intelligent devices at several detailed locations, such as the processor, the device circuit and the device execution code, so the detection means are richer.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings needed for the prior art and the embodiments are briefly described below; evidently, the drawings in the following description show only some embodiments of the invention, and a person skilled in the art could obtain other drawings from them without inventive effort.
FIG. 1 is a flow chart of derived-vulnerability discovery for intelligent terminal devices based on architecture similarity;
FIG. 2 is a diagram of the relationships between entries of the intelligent terminal device vulnerability library constructed in the invention;
FIG. 3 is a schematic diagram of a circuit adjacency graph of an intelligent terminal device as defined by the invention;
FIG. 4 is a flow chart of instruction-class vulnerability detection for intelligent terminal devices.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All embodiments obtained by a person of ordinary skill in the art without creative efforts based on the embodiments of the present invention are within the protection scope of the present invention.
As shown in fig. 1 and fig. 4, the implementation procedure and the case of the embodiment implemented according to the complete method of the present invention are as follows:
1. And collecting and sorting all kinds of disclosed intelligent terminal equipment vulnerabilities, and constructing an intelligent equipment vulnerability library as shown in fig. 2.
The description entry of the vulnerability in the vulnerability database at least contains the following information:
Vulnerability numbering, vulnerability type and vulnerability hazard degree;
the name of the equipment, the manufacturer of the equipment and the production time of the equipment;
the type of the execution code instruction set, the minimum instruction length, the execution code execution body and the execution code execution body version;
the detailed position classification description information of the vulnerability is divided into:
processor class: the processor model, the vulnerability position includes structural part, instruction combination, IP core, etc.;
Device circuitry class: vulnerability association device or circuit module name, vulnerability association circuit adjacency graph;
the device executes the code class: instruction set type, vulnerability-associated code fragment, code fragment name;
Device software and hardware association class: vulnerability association circuit adjacency graphs, vulnerability association code fragments, vulnerability exploitation modes, vulnerability sources and the like.
2. Collecting and sorting various disclosed vulnerability exploitation methods of intelligent terminal equipment, and constructing an intelligent terminal equipment vulnerability test operation sequence library based on the vulnerability exploitation method, wherein each item of the library at least comprises the following information:
vulnerability numbering, vulnerability type and vulnerability hazard degree; a vulnerability testing operation sequence.
3. Aiming at a device to be detected, each item in a vulnerability test operation sequence library of intelligent terminal equipment is used for implementing a test on the device, if the test of the test sequence is successful, a corresponding vulnerability description tested by the test is output, and the representation form is as follows:
< vulnerability number, vulnerability type, vulnerability hazard level, attack test sequence >;
This operation is repeated until all of the verification test sequences have been completed.
4. Extracting and identifying the processor model of the device to be detected, manually reading the processor model identification or extracting the device after photographing the device by image processing software, and searching whether the vulnerability library contains the processor model, if yes: outputting all vulnerability entries corresponding to the processor model, wherein the vulnerability entries are expressed as follows:
< vulnerability number, vulnerability type, vulnerability hazard level, vulnerability detail location description >.
5. The method for extracting names of all devices and circuit modules of the equipment to be detected is the same as 4, whether the names of the devices or the circuit modules are contained in the vulnerability database is searched, if yes, all corresponding vulnerability description items are output, and the representation forms are as follows:
< vulnerability number, vulnerability type, vulnerability hazard level, vulnerability association device or circuit module name >.
6. Extracting all devices and circuit modules of the equipment to be detected and connection relations thereof, wherein the connection relations can be obtained through manual measurement or three-dimensional scanning of a circuit board and then image recognition, and a circuit adjacency relation graph G is formed as shown in fig. 3; comparing each vulnerability association circuit device adjacency graph G T in the vulnerability library with the equipment circuit adjacency graph G, and judging whether G T is a subgraph of G; if yes, outputting the corresponding vulnerability item, wherein the representation form is as follows:
< vulnerability number, vulnerability type, vulnerability hazard level, vulnerability association circuit adjacency figure >.
And repeating the operation until all the vulnerability association circuit adjacency graphs in the vulnerability library are compared.
7. Extracting the type of an execution code B, a processor or an instruction set of the device to be detected, and attempting to match the vulnerability association code segment a of each execution code class vulnerability entry in the vulnerability library with the vulnerability association code segment a.
① Taking a as a standard sliding window template, matching a section of equal-length code B in B with the standard sliding window template, if the matching is successful, representing a as a subsequence of B, outputting a corresponding vulnerability description item, wherein the representation form is as follows:
< vulnerability number, vulnerability type, vulnerability hazard level, vulnerability-associated code fragment >;
If the matching is unsuccessful, the same abstract algorithm is used for carrying out abstract operation on the a and the b, if the abstract results are the same, the corresponding vulnerability description items are output, and the representation forms are as follows:
< highly suspected vulnerability: vulnerability number, vulnerability type, vulnerability hazard level, vulnerability association code fragment >;
otherwise: the sliding window is displaced by a minimum instruction length unit corresponding to the instruction set of the equipment to be detected, and the two operations are repeated until a slides over B.
② Disassemble a using the instruction set corresponding to a, obtaining the assembly instruction sequence L_a as the result;
disassemble B using the instruction set corresponding to B, obtaining the assembly instruction sequence L_B as the result;
Taking L_a as the standard sliding window template, take a section of equal-length code L_b in L_B and match L_a against L_b. If the match succeeds, L_a is a subsequence of L_B; output the corresponding vulnerability description item, represented as:
< vulnerability number, vulnerability type, vulnerability hazard level, vulnerability-associated code fragment >;
If the match fails, apply the same digest algorithm to L_a and L_b; if the digest results are the same, output the corresponding vulnerability description item, represented as:
< highly suspected vulnerability: vulnerability number, vulnerability type, vulnerability hazard level, vulnerability-associated code fragment >;
Otherwise: shift the sliding window by one assembly instruction of the device to be detected, and repeat the two operations above until L_a has slid over all of L_B.
③ Extract the control flow graph G_a of L_a and its semantic tree T_a; extract the control flow graph G_B of B and its semantic tree T_B; judge whether G_a is a subgraph of G_B or whether T_a is a subtree of T_B, and if either holds, output:
< highly suspected vulnerability: vulnerability number, vulnerability type, vulnerability hazard level, vulnerability-associated code fragment >;
8. After all operations have been executed, count the number X of output items and output: "A cumulative total of X vulnerabilities was found on the retrieval target device."
9. The operation ends.
It should be noted that in this specification the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (6)

1. An intelligent terminal equipment derived vulnerability mining method based on architecture similarity, characterized by comprising the following steps:
For a device to be detected and a known intelligent terminal device, as two intelligent terminal devices, judge the architecture similarity of the two devices; if architecture similarity exists between them, carry out derived vulnerability mining on the device to be detected based on that architecture similarity;
The method specifically comprises the following working steps:
1) Construct an intelligent terminal equipment vulnerability test operation sequence library based on vulnerability exploitation methods;
2) Construct an intelligent terminal equipment vulnerability library;
3) For the device to be detected, apply each item of the intelligent terminal equipment vulnerability test operation sequence library as a test on the device to be detected, and output the vulnerabilities, together with their vulnerability description entries, whose vulnerability test operation sequence gives a true test result;
4) Extract and identify the processor model of the device to be detected, and check whether the processor model is contained in the intelligent terminal equipment vulnerability library:
If the model is contained, extract and output from the intelligent terminal equipment vulnerability library all vulnerabilities corresponding to that processor model, together with their vulnerability description entries;
5) Extract the names of all devices and circuit modules in the device to be detected, and search whether the intelligent terminal equipment vulnerability library contains those device or circuit module names;
If a device or circuit module name is contained, extract and output from the intelligent terminal equipment vulnerability library all vulnerabilities corresponding to that device or circuit module name, together with their vulnerability description entries;
6) Extract the connection relations between all devices and circuit modules in the device to be detected, construct a circuit adjacency graph of the device to be detected, compare it with the circuit adjacency graph associated with each vulnerability in the intelligent terminal equipment vulnerability library, and output the vulnerabilities, together with their vulnerability description entries, whose circuit adjacency graph gives a true comparison result;
7) Extract the execution code, the processor model, the processor type or the instruction set type of the device to be detected,
match the code segment associated with each execution-code-class vulnerability entry in the intelligent terminal equipment vulnerability library against the execution code of the device to be detected, and output the vulnerabilities corresponding to all code segments whose comparison result is true;
8) Output the detection results and the number of all vulnerabilities;
the step of matching the code segment a associated with each execution-code-class vulnerability entry in the vulnerability library against the execution code B of the device to be detected is:
1) Take the code segment a as the code sliding window template, traverse the execution code B with a sliding window advancing by a fixed code step length, and in each sliding window match the section of code b in the execution code B that has the same length as the code sliding window template against the template:
If the match succeeds, the code segment a is a subsequence of the execution code B, and the vulnerability description entry of the vulnerability corresponding to the code segment a is output, expressed as: < vulnerability number, vulnerability type, vulnerability hazard level, vulnerability-associated code fragment >;
If the match fails, the same digest algorithm is applied to the code segment a and the code segment b:
If the digest results are the same, the vulnerability description entry of the vulnerability corresponding to the code segment a is output, expressed as: < highly suspected vulnerability: vulnerability number, vulnerability type, vulnerability hazard level, vulnerability-associated code fragment >;
Otherwise, the sliding window is shifted by the fixed code step length and the next sliding window is processed;
2) Disassemble the code segment a using the instruction set corresponding to the code segment a, obtaining the template assembly instruction sequence L_a as the result, and disassemble the execution code B using the instruction set corresponding to the execution code B, obtaining the assembly instruction sequence under test L_B as the result;
Take the obtained template assembly instruction sequence L_a as the sequence sliding window template, traverse the assembly instruction sequence under test L_B with a sliding window advancing by a fixed sequence step length, and in each sliding window match the section of code L_b in L_B that has the same length as the sequence sliding window template against the template:
If the match succeeds, the template assembly instruction sequence L_a is a subsequence of the assembly instruction sequence under test L_B, and the vulnerability description entry of the vulnerability corresponding to L_a is output, expressed as: < vulnerability number, vulnerability type, vulnerability hazard level, vulnerability-associated code fragment >;
If the match fails, the same digest algorithm is applied to the template assembly instruction sequence L_a and the code L_b:
If the digest results are the same, the vulnerability description entry of the vulnerability corresponding to the template assembly instruction sequence L_a is output, expressed as: < highly suspected vulnerability: vulnerability number, vulnerability type, vulnerability hazard level, vulnerability-associated code fragment >;
Otherwise, the sliding window is shifted by the fixed sequence step length and the next sliding window is processed;
3) Extract the control flow graph of the template assembly instruction sequence L_a as the template control flow graph G_a, and extract the semantic tree T_a of the template control flow graph G_a;
Extract the control flow graph of the execution code B as the control flow graph under test G_B, extract the semantic tree T_B of G_B, and judge whether the template control flow graph G_a is a subgraph of the control flow graph under test G_B, or whether the semantic tree T_a of G_a is a subtree of the semantic tree T_B of G_B:
If either judging condition holds, output the vulnerability description item of the vulnerability corresponding to the template assembly instruction sequence L_a, expressed as: < highly suspected vulnerability: vulnerability number, vulnerability type, vulnerability hazard level, vulnerability-associated code fragment >.
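The sliding-window matching of substeps ① and ② in the description and of sub-steps 1) and 2) of claim 1, as an added illustration that is not the patent's own implementation. It slides a library code segment over the device's code by a fixed step, reports an exact window match as a vulnerability and a match of digests as a highly suspected vulnerability. Because the page does not define its digest algorithm, the normalization used here (masking register numbers and immediates before hashing with SHA-256) is an assumption, and all sample bytes, instructions and the library entry are constructed.

```python
import hashlib
import re
from typing import Callable, List, Sequence, Tuple

# Library entry: (vulnerability number, type, hazard level, associated fragment).
VulnEntry = Tuple[str, str, str, str]
_REG = re.compile(r"\b[rx]\d+\b")                  # r0..r15 / x0..x31
_IMM = re.compile(r"#-?(?:0x[0-9a-f]+|\d+)")       # #4, #0x10, #-8

def normalize_asm(insn: str) -> str:
    """Assumed abstraction (the page does not define its digest algorithm): keep the
    mnemonic and operand shape, mask register numbers and immediate values."""
    insn = _REG.sub("REG", insn.strip().lower())
    return _IMM.sub("#IMM", insn)

def digest(elements: Sequence[str]) -> str:
    """SHA-256 over the canonical join of one window's (normalized) elements."""
    return hashlib.sha256("\n".join(elements).encode()).hexdigest()

def slide_match(template: Sequence, target: Sequence, step: int,
                normalize: Callable[[object], str]) -> List[Tuple[int, str]]:
    """Slide `template` over `target`, advancing `step` elements per window (one
    minimum instruction length for raw code, one instruction for assembly).
    Verdict is 'vulnerability' for an exact window match, 'highly suspected
    vulnerability' when only the normalized digests agree."""
    n = len(template)
    template_digest = digest([normalize(x) for x in template])
    hits: List[Tuple[int, str]] = []
    for off in range(0, len(target) - n + 1, step):
        window = target[off:off + n]
        if list(window) == list(template):
            hits.append((off, "vulnerability"))
        elif digest([normalize(x) for x in window]) == template_digest:
            hits.append((off, "highly suspected vulnerability"))
    return hits

def describe(entry: VulnEntry, verdict: str) -> str:
    """Render a vulnerability description item in the page's angle-bracket form."""
    body = ", ".join(entry)
    if verdict == "vulnerability":
        return f"<{body}>"
    return f"<highly suspected vulnerability: {body}>"

def mine_entry(entry: VulnEntry, template: Sequence, target: Sequence,
               step: int, normalize: Callable[[object], str]) -> List[str]:
    """Output items for one library entry against one device's code (step 7)."""
    return [describe(entry, v) for _, v in slide_match(template, target, step, normalize)]

# Constructed sample data. Substep 1: raw code, minimum instruction length 4 bytes.
ENTRY: VulnEntry = ("V-0001", "out-of-bounds write", "high", "ldr/add/str sequence")
CODE_A = bytes.fromhex("04109fe5 100080e2 080081e5")                 # template a
CODE_B = bytes.fromhex("10402de9 00002fe1") + CODE_A + bytes.fromhex("1080bde8")
# Substep 2: the same fragment disassembled, plus a copy using other registers.
ASM_LA = ["ldr r0, [r1, #4]", "add r0, r0, #16", "str r0, [r1, #8]"]
ASM_LB = ["push {r4, lr}"] + ASM_LA + ["mov r2, #0", "ldr r3, [r5, #12]",
          "add r3, r3, #32", "str r3, [r5, #16]", "pop {r4, pc}"]

if __name__ == "__main__":
    items = mine_entry(ENTRY, CODE_A, CODE_B, 4, lambda b: f"{b:02x}")
    items += mine_entry(ENTRY, ASM_LA, ASM_LB, 1, normalize_asm)
    for item in items:
        print(item)
    print(f"A cumulative total of {len(items)} vulnerabilities was found.")  # step 8
```

With the identity hex normalizer used for raw bytes, the digest branch can never add a hit beyond the exact match; the abstraction only pays off at the assembly level, which is why the constructed ASM_LB carries a copy of the template that uses different registers and offsets.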
2. The intelligent terminal equipment derived vulnerability mining method based on architecture similarity according to claim 1, characterized in that the architecture similarity of intelligent terminal equipment is defined as follows:
two intelligent terminal devices, intelligent terminal device A and intelligent terminal device B, have architecture similarity if one of the following conditions is satisfied:
(1) The processor types of the two intelligent terminal devices are the same, or the instruction sets executed by their processors are the same, or the processors contain at least two circuit modules with the same functions;
(2) The two intelligent terminal devices contain circuit modules with the same function, or their circuits are wholly isomorphic or locally isomorphic, where the minimum unit of local isomorphism is a single device and a combination of several devices is also included;
(3) The execution codes of the two intelligent terminal devices contain code fragments with the same execution behavior.
3. The intelligent terminal equipment derived vulnerability mining method based on architecture similarity according to claim 1, characterized in that:
if a known intelligent terminal device A contains a vulnerability T and the detailed position at which the vulnerability T resides has been determined, and the intelligent terminal device B serving as the device to be detected is similar to the intelligent terminal device A as a whole or exactly contains the local part in which the vulnerability T resides, that is, intelligent terminal device architecture similarity exists, then the intelligent terminal device B serving as the device to be detected also contains the vulnerability T.
4. The intelligent terminal equipment derived vulnerability mining method based on architecture similarity according to claim 1, characterized in that:
the intelligent terminal equipment vulnerability test operation sequence library comprises vulnerability entries, and each vulnerability entry at least comprises the following information: vulnerability number, vulnerability type, vulnerability hazard level and vulnerability test operation sequence.
5. The intelligent terminal equipment derived vulnerability mining method based on architecture similarity according to claim 1, characterized in that:
the intelligent terminal equipment vulnerability library comprises various vulnerabilities and their vulnerability description entries, and the vulnerability description entry of each vulnerability at least comprises the following information:
vulnerability number, vulnerability type and vulnerability hazard level information;
the device name, device manufacturer and device production time of the intelligent terminal equipment;
the instruction set type, minimum instruction length, code execution body and code execution body version of the execution code of the intelligent terminal equipment;
and classified description information of the detailed position where the vulnerability is located.
6. The intelligent terminal equipment derived vulnerability mining method based on architecture similarity according to claim 1, characterized in that:
the classified description information of the detailed position of a vulnerability falls into the following categories according to the vulnerability type:
Processor class: including the model of the processor associated with the vulnerability and the vulnerability position;
Device circuit class: including the device or circuit module names associated with the vulnerability and the circuit adjacency graph;
Device execution code class: including the instruction set type and the execution code fragment associated with the vulnerability.
CN202011023973.9A 2020-09-25 2020-09-25 Intelligent terminal equipment derived vulnerability mining method based on architecture similarity Active CN112199685B (en)

Publications (2)

Publication Number Publication Date
CN112199685A (en) 2021-01-08
CN112199685B (en) 2024-04-19

Family

ID=74008338

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105678169A (en) * 2015-12-30 2016-06-15 西安胡门网络技术有限公司 Binary program vulnerability discovery method and system
CN106295335A (en) * 2015-06-11 2017-01-04 中国科学院信息工程研究所 The firmware leak detection method of a kind of Embedded equipment and system
CN109933980A (en) * 2019-02-28 2019-06-25 北京长亭科技有限公司 A kind of vulnerability scanning method, apparatus and electronic equipment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10536482B2 (en) * 2017-03-26 2020-01-14 Microsoft Technology Licensing, Llc Computer security attack detection using distribution departure

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant