CN112287335A - Detection method based on FORTIFY security protection, terminal and storage medium - Google Patents


Info

Publication number
CN112287335A
Authority
CN
China
Prior art keywords
fortify
security protection
program
elf
detection method
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011170061.4A
Other languages
Chinese (zh)
Inventor
余少高
严智慧
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Zhiyou Wang'an Technology Co ltd
Original Assignee
Beijing Zhiyou Wang'an Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Zhiyou Wang'an Technology Co ltd
Priority to CN202011170061.4A
Publication of CN112287335A
Legal status: Pending

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/55 Detecting local intrusion or implementing counter-measures > G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements > G06F21/562 Static detection > G06F21/563 Static detection by source code analysis
    • G06F21/55 Detecting local intrusion or implementing counter-measures > G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements > G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities > G06F21/577 Assessing vulnerabilities and evaluating computer system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Computing Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a detection method, a terminal and a storage medium based on FORTIFY security protection. The method comprises the following steps: acquiring an ELF file of a program, and inspecting the ELF symbol table information of the ELF file by running a first command on it; and judging whether a symbol containing the string _chk@ exists in the ELF symbol table information, and if so, concluding that the program has FORTIFY security protection enabled. The method thus determines whether FORTIFY security protection is enabled and reminds the user to enable it when the program lacks it; when a program is built with FORTIFY security protection, its memory operation functions are replaced by variants that include a security check, giving higher security and reducing the program's exposure to attack.

Description

Detection method based on FORTIFY security protection, terminal and storage medium
Technical Field
The invention relates to the technical field of computer security, in particular to a detection method, a terminal and a storage medium based on FORTIFY security protection.
Background
Two different things go by the name FORTIFY. One is Micro Focus Fortify, a commercial product line that provides static and dynamic application security testing as well as runtime application monitoring and protection; its source code analyzer locates the path along which a vulnerability is reached and, according to the original text, scans about 10,000 lines per minute. The other, and the one whose traces this detection method looks for, is the _FORTIFY_SOURCE feature of GCC and glibc, a compile-time hardening option unrelated to the Micro Focus product.
_FORTIFY_SOURCE is a lightweight check against buffer overflows in the string and memory functions that programs use heavily: memcpy, memset, stpcpy, strcpy, strncpy, strcat, strncat, sprintf, snprintf, vsprintf, vsnprintf, gets and their wide-character variants. When it is enabled (-D_FORTIFY_SOURCE=1 or 2 together with optimisation, -O1 or higher), each call whose destination buffer size the compiler can determine is replaced by a __<name>_chk variant that receives that size and aborts the program at run time if the write would exceed it.
A buffer overflow occurs when data longer than a buffer is copied into it, so the excess overwrites whatever lies beyond the buffer. A stack overflow (a stack-based buffer overflow) is the case where that buffer lives on the stack. C and its relatives have no built-in check that data copied into a buffer fits, so sufficiently long input simply runs past the buffer's end.
If the program was not built with FORTIFY security protection, its memory operation functions carry no size check, an overflow in them goes undetected, and an attacker can exploit it.
Accordingly, the prior art is yet to be improved and developed.
Disclosure of Invention
The invention mainly aims to provide a detection method, a terminal and a storage medium based on FORTIFY security protection, to address the problem in the prior art that a program built without FORTIFY security protection is exposed to attack and nothing alerts the user to the missing protection.
In order to achieve the above object, the present invention provides a detection method based on FORTIFY security protection, which comprises the following steps:
acquiring an ELF file of a program, and inspecting the ELF symbol table information of the ELF file by running a first command on it;
and judging whether a symbol containing the string _chk@ exists in the ELF symbol table information; if so, the program has FORTIFY security protection enabled.
In the detection method based on FORTIFY security protection, judging whether a symbol containing the string _chk@ exists in the ELF symbol table information further includes:
if no symbol containing the string _chk@ exists in the ELF symbol table information, concluding that the program does not have FORTIFY security protection enabled.
The detection method based on FORTIFY security protection further includes:
if the program does not have FORTIFY security protection enabled, prompting the user to enable it.
In the detection method based on FORTIFY security protection, the first command is readelf -s.
In addition, to achieve the above object, the present invention further provides a terminal, which includes a memory, a processor and a FORTIFY security protection-based detection program stored on the memory and executable on the processor; when executed by the processor, the detection program realizes the steps of the detection method based on FORTIFY security protection.
In addition, in order to achieve the above object, the present invention further provides a storage medium, wherein the storage medium stores a FORTIFY security protection-based detection program, and the FORTIFY security protection-based detection program implements the steps of the FORTIFY security protection-based detection method when executed by a processor.
According to the method, an ELF file of a program is obtained and its ELF symbol table information is inspected by running a first command on it; whether a symbol containing the string _chk@ exists in that information is then judged, and if so the program has FORTIFY security protection enabled. The method thus determines whether FORTIFY security protection is enabled and reminds the user to enable it when it is not; when a program is built with FORTIFY security protection, its memory operation functions are replaced by variants that include a security check, giving higher security and reducing the program's exposure to attack.
Drawings
FIG. 1 is a flow chart of a preferred embodiment of the FORTIFY-based security protection detection method of the present invention;
fig. 2 is a schematic operating environment of a terminal according to a preferred embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer and clearer, the present invention is further described in detail below with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
As shown in fig. 1, the detection method based on FORTIFY security protection according to the preferred embodiment of the present invention includes the following steps:
and step S10, acquiring an ELF file of the program, and checking ELF symbol table information of the ELF file by analyzing a first command of the ELF file.
In this description, FORTIFY also refers to the application security testing (AST) product line of Micro Focus, which comprises: Fortify Static Code Analyzer (SCA), a static application security testing (SAST) tool; Fortify WebInspect, a dynamic application security testing (DAST) tool; Software Security Center (SSC), the management console; and Application Defender, a runtime application self-protection (RASP) product. None of these products produce the _chk symbols examined in step S20; those come from the GCC/glibc _FORTIFY_SOURCE feature, which shares only the name.
Micro Focus Fortify provides static and dynamic application security testing as well as runtime application monitoring and protection. Fortify SCA is a SAST product that lets development teams and security experts analyze source code, detect security vulnerabilities, identify problems more quickly and easily, and prioritize them for resolution. Fortify WebInspect is a dynamic application security testing tool that scans the current mainstream technical frameworks and web technologies with a dynamic scanner, provides broad DAST coverage, and detects new classes of vulnerability that black-box testing often misses.
ELF (Executable and Linkable Format) is the file format used on Linux and other Unix-like systems for executables, object code, shared libraries and core dumps.
An ELF file has four parts: the ELF header (the file header), the program header table, the sections, and the section header table. A given file need not contain all of them and they need not appear in that order; only the position of the ELF header (at offset 0) is fixed, and the offsets and sizes of the other parts are given by fields in the header.
The symbol table is an important part of every ELF file because it records the (global) variables and functions the program defines or uses. A symbol the program references but does not define itself is an undefined symbol (for example, printf in a typical program is defined in the C standard library); such references are resolved against other object modules or libraries at static link time, or at run time by the dynamic linker (ld-linux). The nm tool lists all symbols a program defines and uses.
The symbol table holds everything needed to look up program symbols, give them values, and relocate them. A symbol's job is to bind a name to a value: the symbol printf, for example, stands for the virtual address at which the machine code of the printf function resides. Symbols can also carry absolute values that the program interprets, such as numeric constants.
Once the ELF file of the program is obtained, its ELF symbol table information is inspected with the first command, readelf -s, which prints the entries of the .symtab and .dynsym sections. A stripped, dynamically linked binary loses .symtab but keeps .dynsym, so the imported functions, which are what the check relies on, remain visible.
Command-line options control which details readelf shows, which makes it a very useful tool for analyzing the layout of an ELF file.
Step S20, determining whether a symbol containing the string _chk@ exists in the ELF symbol table information; if so, the program has FORTIFY security protection enabled.
Fortify SCA (the Micro Focus product, unrelated to the _chk symbols examined in this step) is a powerful static code scanning and analysis tool with a strong ability to discover vulnerabilities and defects: it finds them by compiling the code and matching it against a large built-in rule base. The Fortify SCA team also exposes a custom-rule interface; with a licensed copy, users can define their own rules on top of the built-in ones, extending the tool's vulnerability recognition and reducing false positives, which improves the accuracy and efficiency of static analysis.
By default, Fortify SCA inspects source code with its installed secure-coding rule packs and reports a range of issues, such as security vulnerabilities and poor coding practices, that attackers could exploit.
The rules in the secure-coding rule packs model the functions in the core and extension APIs of each supported language and record the analysis results in Fortify SCA. Each reported issue includes a description of the problem and a recommended fix, to help address the vulnerabilities and bugs in the program.
Application-specific code (rules carrying additional information about source-code elements) can be analyzed more accurately by creating custom rule packs, validating specialized security rules, and refining the issues Fortify SCA reports.
Once the ELF symbol table information is obtained, it is searched for a symbol containing the string _chk@; if one is present (for example __strcpy_chk@GLIBC_2.3.4 among the imports in .dynsym), the program was built with FORTIFY security protection. Matching on _chk@ rather than on _chk alone matters: the stack-protector import __stack_chk_fail@GLIBC_2.4 contains _chk but not _chk@, so the stricter string does not confuse the two mitigations.
Further, if no symbol containing _chk@ exists in the ELF symbol table information, the program is taken not to have FORTIFY security protection enabled, and the user is prompted to enable it so that overflows in its memory operations are caught before an attacker can exploit them. Two caveats apply to a negative result. The @ requires a symbol version suffix, which only dynamically linked binaries carry; a statically linked binary defines __strcpy_chk and similar symbols without any @ suffix. And _FORTIFY_SOURCE only rewrites a call when the compiler can determine the destination buffer size, so a binary that uses none of the fortifiable functions, or uses them only with unknown sizes, shows no _chk symbols even when the option was set; absence of the symbols therefore means "no checked calls", not necessarily "option off".
That is, only when FORTIFY security protection is enabled at build time are the memory operation functions replaced by counterparts that include a security check. For example strcpy (the standard C library function that copies a NUL-terminated string, including its terminating '\0', to another buffer and returns a char * to the destination) is replaced by __strcpy_chk, which additionally receives the destination size and aborts instead of writing past it. __strcpy_chk is therefore safer than strcpy, and FORTIFY security protection substantially raises the security of the program.
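The check in step S20, as an added example that is not part of the patent: a small Python script that applies the page's rule to the output of readelf -s and returns a three-way result. It assumes GNU binutils readelf output and glibc's __<name>_chk naming; the three readelf excerpts embedded in it are constructed by hand, not captured from real binaries, and the list of fortifiable functions is the page's list plus a few other common ones. It deliberately strips the @GLIBC version suffix before matching, so it also classifies statically linked binaries, and it reports "inconclusive" rather than "disabled" when the binary uses none of the fortifiable functions at all, since in that case there was nothing for _FORTIFY_SOURCE to rewrite.

```python
"""Classify a binary's FORTIFY status from the output of readelf -s.

Added example for this page, not code from the patent. It assumes the
GNU binutils readelf output format and glibc's __<name>_chk naming; the
readelf excerpts below are constructed by hand, not captured from real
binaries.
"""
import re
import subprocess
from dataclasses import dataclass, field

# Functions glibc replaces with __<name>_chk when _FORTIFY_SOURCE is active
# and the compiler knows the destination size: the page's list plus a few
# other common ones (memmove, printf, fprintf, read).
FORTIFIABLE = {
    "memcpy", "memmove", "memset", "stpcpy", "strcpy", "strncpy", "strcat",
    "strncat", "sprintf", "snprintf", "vsprintf", "vsnprintf", "gets",
    "printf", "fprintf", "read",
}

# One symbol row of readelf -s, e.g.
# "  1: 0000000000000000  0 FUNC GLOBAL DEFAULT UND __strcpy_chk@GLIBC_2.3.4 (2)"
SYMBOL_ROW = re.compile(
    r"^\s*\d+:\s+[0-9A-Fa-f]+\s+\d+\s+(?P<type>\S+)\s+(?P<bind>\S+)\s+"
    r"(?P<vis>\S+)\s+(?P<ndx>\S+)\s+(?P<name>\S+)"
)
# __strcpy_chk -> strcpy; deliberately does not match __stack_chk_fail.
CHK_NAME = re.compile(r"^__(?P<base>\w+)_chk$")


def parse_readelf_symbols(text):
    """Return [{name, type, ndx}] for every symbol row, version suffix removed."""
    symbols = []
    for line in text.splitlines():
        m = SYMBOL_ROW.match(line)
        if not m:
            continue  # section headers, column titles, the nameless symbol 0
        # Strip "@GLIBC_2.3.4"; static binaries have no version suffix at all,
        # which is why matching on the literal "_chk@" would miss them.
        name = m.group("name").split("@", 1)[0]
        symbols.append({"name": name, "type": m.group("type"), "ndx": m.group("ndx")})
    return symbols


@dataclass
class FortifyReport:
    status: str                                    # "enabled", "disabled" or "inconclusive"
    fortified: set = field(default_factory=set)    # bases of __*_chk symbols seen
    unfortified: set = field(default_factory=set)  # plain fortifiable functions seen


def classify(symbols):
    """Apply the page's rule, with an 'inconclusive' outcome for binaries that
    use no fortifiable function at all (nothing for _FORTIFY_SOURCE to rewrite)."""
    report = FortifyReport("inconclusive")
    for sym in symbols:
        if sym["type"] not in ("FUNC", "IFUNC"):
            continue
        m = CHK_NAME.match(sym["name"])
        if m:
            report.fortified.add(m.group("base"))
        elif sym["name"] in FORTIFIABLE:
            report.unfortified.add(sym["name"])
    # Plain imports alongside _chk ones are normal: calls whose destination
    # size the compiler could not determine stay unchecked.
    if report.fortified:
        report.status = "enabled"
    elif report.unfortified:
        report.status = "disabled"
    return report


def check_binary(path):
    """Run GNU readelf (assumed installed) on a real file and classify it."""
    out = subprocess.run(["readelf", "-s", "--wide", path], check=True,
                         capture_output=True, text=True).stdout
    return classify(parse_readelf_symbols(out))


# Constructed readelf -s excerpts covering the three outcomes.
SAMPLE_FORTIFIED = """\
Symbol table '.dynsym' contains 6 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __strcpy_chk@GLIBC_2.3.4 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (4)
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __libc_start_main@GLIBC_2.34 (5)
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __printf_chk@GLIBC_2.3.4 (2)
"""
SAMPLE_UNFORTIFIED = """\
Symbol table '.dynsym' contains 4 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strcpy@GLIBC_2.2.5 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __libc_start_main@GLIBC_2.34 (3)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND puts@GLIBC_2.2.5 (2)
"""
SAMPLE_INCONCLUSIVE = """\
Symbol table '.dynsym' contains 3 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __libc_start_main@GLIBC_2.34 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND getenv@GLIBC_2.2.5 (3)
"""

if __name__ == "__main__":
    for label, sample in (("fortified", SAMPLE_FORTIFIED),
                          ("unfortified", SAMPLE_UNFORTIFIED),
                          ("no fortifiable calls", SAMPLE_INCONCLUSIVE)):
        print(label, classify(parse_readelf_symbols(sample)))
```

To run it against a real file, call check_binary("/path/to/binary") with binutils installed; the patent's rule corresponds to status "enabled", while "disabled" additionally tells you which unchecked string or memory functions the binary imports.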
Further, as shown in fig. 2, based on the detection method based on FORTIFY security protection, the present invention also provides a terminal, which includes a processor 10, a memory 20 and a display 30. Fig. 2 shows only some of the components of the terminal, but it is to be understood that not all of the shown components are required to be implemented, and that more or fewer components may be implemented instead.
The memory 20 may in some embodiments be an internal storage unit of the terminal, such as its hard disk or RAM. In other embodiments it may be an external storage device attached to the terminal, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash memory card, or a combination of an internal storage unit and an external storage device. The memory 20 stores the application software installed on the terminal and various kinds of data, such as the program code installed on the terminal, and may also temporarily hold data that has been or is to be output. In one embodiment the memory 20 stores a FORTIFY-based detection program 40, which the processor 10 can execute to carry out the FORTIFY-based detection method of the present application.
The processor 10 may in some embodiments be a central processing unit (CPU), a microprocessor or another data processing chip; it runs the program code stored in the memory 20 and processes data, for example by executing the FORTIFY security protection-based detection method.
The display 30 may in some embodiments be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display or an OLED (organic light-emitting diode) touch panel. It displays information on the terminal and presents a visual user interface. The components 10 to 30 of the terminal communicate with each other over a system bus.
In one embodiment, when the processor 10 executes the FORTIFY-based detection program 40 in the memory 20, the following steps are implemented:
acquiring an ELF file of a program, and inspecting the ELF symbol table information of the ELF file by running a first command on it;
and judging whether a symbol containing the string _chk@ exists in the ELF symbol table information; if so, the program has FORTIFY security protection enabled.
Judging whether a symbol containing the string _chk@ exists in the ELF symbol table information further includes:
if no symbol containing the string _chk@ exists in the ELF symbol table information, concluding that the program does not have FORTIFY security protection enabled.
The detection method based on FORTIFY security protection further comprises the following step:
if the program does not have FORTIFY security protection enabled, prompting the user to enable it.
The first command is readelf -s.
The invention also provides a storage medium, wherein the storage medium stores a detection program based on FORTIFY security protection, and the detection program based on FORTIFY security protection realizes the steps of the detection method based on FORTIFY security protection when being executed by a processor.
In summary, the present invention provides a detection method, a terminal and a storage medium based on FORTIFY security protection. The method includes: acquiring an ELF file of a program, and inspecting the ELF symbol table information of the ELF file by running a first command on it; and judging whether a symbol containing the string _chk@ exists in the ELF symbol table information, and if so, concluding that the program has FORTIFY security protection enabled. The method thus determines whether FORTIFY security protection is enabled and reminds the user to enable it when it is not; when a program is built with FORTIFY security protection, its memory operation functions are replaced by variants that include a security check, giving higher security and reducing the program's exposure to attack.
Of course, it will be understood by those skilled in the art that all or part of the processes of the methods of the above embodiments may be implemented by a computer program instructing relevant hardware (such as a processor, a controller, etc.), and the program may be stored in a computer readable storage medium, and when executed, the program may include the processes of the above method embodiments. The storage medium may be a memory, a magnetic disk, an optical disk, etc.
It is to be understood that the invention is not limited to the examples described above, but that modifications and variations may be effected thereto by those of ordinary skill in the art in light of the foregoing description, and that all such modifications and variations are intended to be within the scope of the invention as defined by the appended claims.

Claims (6)

1. A detection method based on FORTIFY security protection, characterized by comprising the following steps:
acquiring an ELF file of a program, and checking ELF symbol table information of the ELF file by analyzing a first command of the ELF file;
and judging whether a symbol with a _chk@ character string exists in the ELF symbol table information, if so, indicating that the program opens FORTIFY security protection.
2. The FORTIFY-based security protection detection method of claim 1, wherein the determining whether the ELF symbol table information includes a symbol with a _chk@ string further comprises:
and if the symbol with the _chk@ character string does not exist in the ELF symbol table information, indicating that the program does not start FORTIFY security protection.
3. The FORTIFY-based security protection detection method of claim 2, wherein the FORTIFY-based security protection detection method further comprises:
and if the program does not start FORTIFY security protection, prompting a user to start FORTIFY security protection.
4. The FORTIFY-based security protection detection method of claim 1, wherein the first command is readelf -s.
5. A terminal, characterized in that the terminal comprises: a memory, a processor and a FORTIFY security protection based detection program stored on the memory and executable on the processor, the FORTIFY security protection based detection program when executed by the processor implementing the steps of the FORTIFY security protection based detection method according to any one of claims 1-4.
6. A storage medium storing a FORTIFY security protection-based detection program, which when executed by a processor implements the steps of the FORTIFY security protection-based detection method according to any one of claims 1-4.
CN202011170061.4A 2020-10-28 2020-10-28 Detection method based on FORTIFY security protection, terminal and storage medium Pending CN112287335A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011170061.4A CN112287335A (en) 2020-10-28 2020-10-28 Detection method based on FORTIFY security protection, terminal and storage medium


Publications (1)

Publication Number Publication Date
CN112287335A true CN112287335A (en) 2021-01-29

Family

ID=74373506


Country Status (1)

Country Link
CN (1) CN112287335A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102779257A (en) * 2012-06-28 2012-11-14 奇智软件(北京)有限公司 Security detection method and system of Android application program
CN109558734A (en) * 2018-11-28 2019-04-02 北京梆梆安全科技有限公司 A kind of detection method and device, the mobile device of storehouse safety


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
FATSHI: "How to check which security protections an ELF file has enabled" (original title: 如何查看一个ELF文件开启了哪些安全保护), retrieved from the Internet <URL:https://blog.51cto.com/duallay/1876720> *


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination