CN112287353A - Vulnerability detection method, terminal and storage medium - Google Patents
- Publication number
- CN112287353A
- Authority
- CN
- China
- Prior art keywords
- memory
- vulnerability
- memory block
- detection method
- uaf
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Techniques For Improving Reliability Of Storages (AREA)
- Debugging And Monitoring (AREA)
Abstract
The invention discloses a vulnerability detection method, a terminal and a storage medium. The method comprises the following steps: when a call to the free function is detected, saving the released memory block; when a memory access is detected, determining whether the currently accessed memory block is one of the saved memory blocks; and if the currently accessed memory block belongs to the released memory, reporting a UAF vulnerability. The invention detects Use After Free vulnerabilities in a binary file before an attacker exploits them, and if a vulnerability is detected it is repaired in time, thereby preventing intrusion by hackers.
Description
Technical Field
The invention relates to the technical field of computer security, in particular to a vulnerability detection method, a terminal and a storage medium.
Background
In the computer field, Use After Free (UAF: a block of memory is released and then used again) refers to a program attempting to access a memory region that has previously been released.
A UAF vulnerability occurs when all three of the following steps take place:
(1) A block of memory is allocated and a pointer points to it.
(2) The memory region is released, but the pointer remains available.
(3) The pointer is used and accesses the previously freed memory.
Most of the time, UAF vulnerabilities can cause information leakage. More specifically, however, a UAF can lead to code execution, resulting in intrusion by hackers.
For example, this can be accomplished in several steps:
(1) The program allocates and then releases memory block A.
(2) The attacker allocates memory block B, which reuses the memory previously allocated to memory block A.
(3) The attacker writes data to block B.
(4) The program uses the freed block A and accesses the data that the attacker left there.
However, the prior art offers no method for effectively detecting whether the vulnerability exists in software before an attacker exploits it.
Accordingly, the prior art is yet to be improved and developed.
Disclosure of Invention
The invention mainly aims to provide a vulnerability detection method, a terminal and a storage medium, and aims to solve the problem that in the prior art, no method for effectively detecting whether a vulnerability exists in software before an attacker utilizes the vulnerability is available.
In order to achieve the above object, the present invention provides a vulnerability detection method, which includes the following steps:
when a call to the free function is detected, saving the released memory block;
when a memory access is detected, determining whether the currently accessed memory block is one of the saved memory blocks;
and if the currently accessed memory block belongs to the released memory, reporting a UAF vulnerability.
In the vulnerability detection method, after reporting the UAF vulnerability if the currently accessed memory block belongs to the released memory, the method further includes:
if a UAF vulnerability is detected, repairing the UAF vulnerability.
In the vulnerability detection method, repairing the UAF vulnerability specifically includes:
checking the code and placing the operation that releases the memory after its use, to ensure that the memory is released after use is finished.
In the vulnerability detection method, after determining whether the currently accessed memory block belongs to the saved memory blocks, the method further includes:
if the currently accessed memory block does not belong to the released memory, no UAF vulnerability exists.
In the vulnerability detection method, saving the released memory block when a call to the free function is detected further includes:
overloading the checkPreCall interface of the Checker class.
In the vulnerability detection method, before determining, when a memory access is detected, whether the currently accessed memory block belongs to the saved memory blocks, the method further includes:
overloading the checkLocation interface of the Checker class.
In addition, to achieve the above object, the present invention further provides a terminal, wherein the terminal includes a memory, a processor and a vulnerability detection program that is stored in the memory and can run on the processor; when the vulnerability detection program is executed by the processor, the steps of the vulnerability detection method are implemented.
In addition, in order to achieve the above object, the present invention further provides a storage medium, wherein the storage medium stores a vulnerability detection program, and the vulnerability detection program implements the steps of the vulnerability detection method when executed by a processor.
In the invention, when a call to the free function is detected, the released memory block is saved; when a memory access is detected, it is determined whether the currently accessed memory block is one of the saved memory blocks; and if the currently accessed memory block belongs to the released memory, a UAF vulnerability is reported. The invention detects Use After Free vulnerabilities in a binary file before an attacker exploits them, and if a vulnerability is detected it is repaired in time, thereby preventing intrusion by hackers.
Drawings
FIG. 1 is a flow chart of a vulnerability detection method according to a preferred embodiment of the present invention;
FIG. 2 is a schematic diagram of the operating environment of a terminal according to a preferred embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention is further described in detail below with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
As shown in fig. 1, the vulnerability detection method according to the preferred embodiment of the present invention includes the following steps:
Step S10: when a call to the free function is detected, the released memory block is saved.
Here, the free function is free(), the C-language function that releases a memory space. It is generally used together with malloc(), which requests a memory space, and can release memory requested by functions such as malloc(), calloc() and realloc().
Broadly, Clang is the name of a project. More narrowly, Clang is, like GCC, a lightweight compiler for C, C++ and Objective-C that is part of the Clang project. Compared with GCC, Clang compiles faster and uses less memory. Clang's error and warning messages are also more accurate and clearer than GCC's. Furthermore, Clang's library-based modular design makes IDE integration easier, and Clang follows the LLVM BSD license.
The Clang Static Analyzer is a source code analysis tool that can find bugs in C, C++ and Objective-C (the C language family) programs.
Currently, the Clang Static Analyzer can be used as a standalone tool and can also be run within the Xcode development environment (macOS). As a standalone tool, the Clang Static Analyzer can be started from a command line (e.g., an Ubuntu terminal) and run while a code base is being built.
The Clang Static Analyzer, as part of the Clang project, is 100% open-source software. Just like the Clang compiler, the Clang Static Analyzer can be integrated into other applications as a C++ library.
The invention is a Use After Free vulnerability detection technique based on the Clang Static Analyzer. The Clang Static Analyzer performs symbolic execution of source code and provides a modular Checker interface; by overloading and registering the Checker interface, the user-defined interface can be called during symbolic execution.
The checkPreCall interface of the Checker class is overloaded, with the following implementation logic: when the free function is called, the address of the released memory block is saved.
Step S20: when a memory access is detected, it is determined whether the currently accessed memory block is one of the saved memory blocks.
The memory is a main component in the computer system, and is used for storing programs and data during process running, which is also called an executable memory. In a computer, memory space generally refers to main memory space (physical address space) or memory space allocated by a system for a user program. Methods for expanding memory space typically include increasing memory size and virtual memory.
The checkLocation interface of the Checker class is overloaded, with the following implementation logic: when a memory access is received, it is determined whether the accessed memory block is one of the memory blocks saved in step S10.
Step S30: if the currently accessed memory block belongs to the released memory, a UAF vulnerability is reported.
That is, if the memory block belongs to the released memory, a Use After Free vulnerability is reported. After the vulnerability is reported, the method further includes: if a UAF vulnerability is detected, repairing the UAF vulnerability. The repair method is: check the code and place the operation that releases the memory after its use, to ensure that the memory is released after use is finished.
Further, if the currently accessed memory block does not belong to the released memory, no UAF vulnerability exists.
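Steps S10 to S30, replayed over constructed event traces as an added example; this is not code from the patent and it does not use the Clang Static Analyzer API. The hypothetical `on_free` and `on_access` functions stand in for the checkPreCall and checkLocation hooks, and the region ids, addresses and line numbers are assumptions: each allocation is given its own region id, as a symbolic analyzer would assign, so a stale pointer is still flagged after the allocator reuses its address.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model. A "region" is one allocation as a symbolic analyzer
   tracks it: every malloc() result gets a fresh region id, even when the
   allocator hands back a recycled address. */
enum ev_kind { EV_ALLOC, EV_FREE, EV_ACCESS };

/* region = allocation the pointer refers to; addr is shown for context only. */
struct event { enum ev_kind kind; int region; unsigned long addr; int line; };
struct report { int region; int free_line; int use_line; };
#define MAX_REGIONS 32
#define LEN(a) (sizeof(a) / sizeof((a)[0]))

struct detector {
    int freed_line[MAX_REGIONS];   /* 0 = not released, else line of free() */
    struct report reports[MAX_REGIONS];
    size_t nreports;
};
static int valid(int region) { return region >= 0 && region < MAX_REGIONS; }

/* Step S10 (checkPreCall role): before free() runs, save the released block. */
static void on_free(struct detector *d, const struct event *e)
{
    if (valid(e->region) && d->freed_line[e->region] == 0)
        d->freed_line[e->region] = e->line;
}

/* Steps S20 and S30 (checkLocation role): on each load or store, test the
   accessed block against the saved set; return 1 and record a report on a hit. */
static int on_access(struct detector *d, const struct event *e)
{
    if (!valid(e->region) || d->freed_line[e->region] == 0)
        return 0;                            /* not released: no UAF */
    if (d->nreports < MAX_REGIONS)
        d->reports[d->nreports++] =
            (struct report){ e->region, d->freed_line[e->region], e->line };
    return 1;
}

/* Replays a trace through both hooks; returns the number of UAF reports. */
static size_t run_trace(struct detector *d, const struct event *t, size_t n)
{
    *d = (struct detector){0};
    for (size_t i = 0; i < n; i++) {
        if (t[i].kind == EV_FREE) on_free(d, &t[i]);
        else if (t[i].kind == EV_ACCESS) on_access(d, &t[i]);
    }   /* EV_ALLOC needs no action: a new region starts out not released */
    return d->nreports;
}

/* Constructed trace: block A is freed, block B reuses A's address, then the
   program reads through the stale pointer to A. */
static const struct event TRACE_STALE[] = {
    { EV_ALLOC,  0, 0x1000, 10 },   /* A = malloc(...) */
    { EV_FREE,   0, 0x1000, 12 },   /* free(A) */
    { EV_ALLOC,  1, 0x1000, 20 },   /* B = malloc(...), same address */
    { EV_ACCESS, 1, 0x1000, 21 },   /* write via B: legitimate */
    { EV_ACCESS, 0, 0x1000, 30 },   /* read via A: use after free */
};

/* Constructed trace after the repair: free() moved behind the last use. */
static const struct event TRACE_FIXED[] = {
    { EV_ALLOC,  0, 0x1000, 10 },
    { EV_ACCESS, 0, 0x1000, 11 },
    { EV_FREE,   0, 0x1000, 12 },
};

int main(void)
{
    struct detector d;
    size_t n = run_trace(&d, TRACE_STALE, LEN(TRACE_STALE));
    for (size_t i = 0; i < n; i++)
        printf("UAF: region %d freed at line %d, used at line %d\n",
               d.reports[i].region, d.reports[i].free_line, d.reports[i].use_line);
    printf("reports after repair: %zu\n", run_trace(&d, TRACE_FIXED, LEN(TRACE_FIXED)));
    return 0;
}
```

Keying the saved set on the allocation rather than on the raw address is what keeps the legitimate write through B from being reported while the read through A is.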
According to the method, Use After Free vulnerabilities are detected in the binary file, detection is performed before an attacker exploits the vulnerability, and if a vulnerability is detected, it is repaired.
Here, a binary file is a file containing data or program instructions written in ASCII and extended ASCII characters. Computer files are basically divided into two types: binary files and ASCII files (also called plain text files). Graphics files and computer programs such as word processors are binary files. These files contain special formats and computer code. An ASCII file is a simple text file that can be read with any word processing program.
Further, as shown in fig. 2, based on the above vulnerability detection method, the present invention also provides a terminal, which includes a processor 10, a memory 20 and a display 30. Fig. 2 shows only some of the components of the terminal, but it is to be understood that not all of the shown components are required to be implemented, and that more or fewer components may be implemented instead.
The memory 20 may in some embodiments be an internal storage unit of the terminal, such as a hard disk or a memory of the terminal. The memory 20 may also be an external storage device of the terminal in other embodiments, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like provided on the terminal. Further, the memory 20 may also include both an internal storage unit and an external storage device of the terminal. The memory 20 is used for storing application software installed in the terminal and various types of data, such as program codes of the installation terminal. The memory 20 may also be used to temporarily store data that has been output or is to be output. In one embodiment, the memory 20 stores a bug detection program 40, and the bug detection program 40 can be executed by the processor 10 to implement the bug detection method of the present application.
The processor 10 may be a Central Processing Unit (CPU), a microprocessor or other data Processing chip in some embodiments, and is used for running the program codes stored in the memory 20 or Processing data, such as executing the bug detection method.
The display 30 may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED (Organic Light-Emitting Diode) touch panel, or the like in some embodiments. The display 30 is used for displaying information at the terminal and for displaying a visual user interface. The components 10-30 of the terminal communicate with each other via a system bus.
In one embodiment, when the processor 10 executes the bug detection program 40 in the memory 20, the following steps are implemented:
when a call to the free function is detected, saving the released memory block;
when a memory access is detected, determining whether the currently accessed memory block is one of the saved memory blocks;
and if the currently accessed memory block belongs to the released memory, reporting a UAF vulnerability.
After reporting the UAF vulnerability if the currently accessed memory block belongs to the released memory, the method further includes:
if a UAF vulnerability is detected, repairing the UAF vulnerability.
Repairing the UAF vulnerability specifically includes:
checking the code and placing the operation that releases the memory after its use, to ensure that the memory is released after use is finished.
Determining whether the currently accessed memory block belongs to the saved memory blocks further includes:
if the currently accessed memory block does not belong to the released memory, no UAF vulnerability exists.
Saving the released memory block when a call to the free function is detected further includes:
overloading the checkPreCall interface of the Checker class.
Determining, when a memory access is detected, whether the currently accessed memory block belongs to the saved memory blocks further includes:
overloading the checkLocation interface of the Checker class.
The present invention also provides a storage medium, wherein the storage medium stores a vulnerability detection program, and the vulnerability detection program implements the steps of the vulnerability detection method when executed by a processor.
In summary, the present invention provides a vulnerability detection method, a terminal and a storage medium, wherein the method includes: when a call to the free function is detected, saving the released memory block; when a memory access is detected, determining whether the currently accessed memory block is one of the saved memory blocks; and if the currently accessed memory block belongs to the released memory, reporting a UAF vulnerability. The invention detects Use After Free vulnerabilities in a binary file before an attacker exploits them, and if a vulnerability is detected it is repaired in time, thereby preventing intrusion by hackers.
Of course, it will be understood by those skilled in the art that all or part of the processes of the methods of the above embodiments may be implemented by a computer program instructing relevant hardware (such as a processor, a controller, etc.), and the program may be stored in a computer readable storage medium, and when executed, the program may include the processes of the above method embodiments. The storage medium may be a memory, a magnetic disk, an optical disk, etc.
It is to be understood that the invention is not limited to the examples described above, but that modifications and variations may be effected thereto by those of ordinary skill in the art in light of the foregoing description, and that all such modifications and variations are intended to be within the scope of the invention as defined by the appended claims.
Claims (8)
1. A vulnerability detection method, characterized by comprising the following steps:
when a call to the free function is detected, saving the released memory block;
when a memory access is detected, determining whether the currently accessed memory block is one of the saved memory blocks;
and if the currently accessed memory block belongs to the released memory, reporting a UAF vulnerability.
2. The vulnerability detection method according to claim 1, wherein after reporting the UAF vulnerability if the currently accessed memory block belongs to the released memory, the method further comprises:
if a UAF vulnerability is detected, repairing the UAF vulnerability.
3. The vulnerability detection method according to claim 2, wherein the repairing the UAF vulnerability specifically comprises:
checking the code and placing the operation that releases the memory after its use, to ensure that the memory is released after use is finished.
4. The vulnerability detection method according to claim 1, wherein the determining whether the currently accessed memory block belongs to the saved memory blocks further comprises:
if the currently accessed memory block does not belong to the released memory, no UAF vulnerability exists.
5. The vulnerability detection method according to claim 1, wherein the saving the released memory block when a call to the free function is detected further comprises:
overloading the checkPreCall interface of the Checker class.
6. The vulnerability detection method according to claim 1, wherein the determining, when a memory access is detected, whether the currently accessed memory block belongs to the saved memory blocks further comprises:
overloading the checkLocation interface of the Checker class.
7. A terminal, characterized in that the terminal comprises: memory, a processor and a vulnerability detection program stored on the memory and executable on the processor, the vulnerability detection program when executed by the processor implementing the steps of the vulnerability detection method according to any of claims 1-6.
8. A storage medium storing a vulnerability detection program which, when executed by a processor, implements the steps of the vulnerability detection method of any of claims 1-6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011170948.3A CN112287353B (en) | 2020-10-28 | 2020-10-28 | Vulnerability detection method, terminal and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011170948.3A CN112287353B (en) | 2020-10-28 | 2020-10-28 | Vulnerability detection method, terminal and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112287353A (en) | 2021-01-29 |
CN112287353B (en) | 2024-07-16 |
Family
ID=74374164
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011170948.3A Active CN112287353B (en) | 2020-10-28 | 2020-10-28 | Vulnerability detection method, terminal and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112287353B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114579431A (en) * | 2022-01-27 | 2022-06-03 | 南京航空航天大学 | Zero-removing error detection method based on hybrid analysis |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109426723A (en) * | 2017-09-01 | 2019-03-05 | 深圳市源伞新科技有限公司 | Use the detection method, system, equipment and storage medium of memory after release |
CN110363004A (en) * | 2018-04-10 | 2019-10-22 | 腾讯科技(深圳)有限公司 | A kind of code vulnerabilities detection method, device, medium and equipment |
CN111625833A (en) * | 2020-04-13 | 2020-09-04 | 中国科学院软件研究所 | Efficient method and device for judging reuse vulnerability after software program release |
Non-Patent Citations (1)
Title |
---|
WEIXIN_3423649: "Detecting Use-After-Free vulnerabilities in binary code through static analysis", pages 1 - 7, Retrieved from the Internet <URL:https://blog.csdn.net/weixin_34236497/article/details/90395173> * |
Also Published As
Publication number | Publication date |
---|---|
CN112287353B (en) | 2024-07-16 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109583200B (en) | Program abnormity analysis method based on dynamic taint propagation | |
US9535613B2 (en) | Hardware and software methodologies for detecting illegal memory address of a memory access operation | |
US7386690B2 (en) | Method and apparatus for hardware awareness of data types | |
CN105723348A (en) | Detection of unauthorized memory modification and access using transactional memory | |
US20110173505A1 (en) | Method for detecting memory error | |
CN102081719B (en) | Software security testing system and method based on dynamic taint propagation | |
US20060277371A1 (en) | System and method to instrument references to shared memory | |
Zou et al. | Syzscope: Revealing high-risk security impacts of fuzzer-exposed bugs in linux kernel | |
US20110314338A1 (en) | Data collisions in concurrent programs | |
CN110321674B (en) | Anti-debugging method based on script program, intelligent terminal and storage medium | |
CN112287353B (en) | Vulnerability detection method, terminal and storage medium | |
CN109582542B (en) | Method for dumping core of embedded system | |
CN118152298A (en) | Memory access detection method and device, electronic equipment and computer storage medium | |
CN110781075A (en) | Method, device and system for detecting memory leakage and storage medium | |
CN111931191A (en) | Dynamic detection method and system for binary software stack overflow leakage hole of Linux platform | |
CN115795489B (en) | Software vulnerability static analysis method and device based on hardware-level process tracking | |
CN102831334A (en) | Positioning method and positioning system for target address | |
CN112199642A (en) | Detection method for anti-debugging of android system, mobile terminal and storage medium | |
CN115994348A (en) | Control method for program pipeline, processing device and storage medium | |
EP3692456A1 (en) | Binary image stack cookie protection | |
US11055202B1 (en) | Compilation scheme for tagged global variables | |
CN111143851B (en) | Detection method and system suitable for kernel object address leakage of operating system | |
CN116340081A (en) | RISCV memory access violation detection method and device based on hardware virtualization | |
CN114443418A (en) | RISCV memory overflow vulnerability detection method and device based on hardware virtualization | |
CN112182516A (en) | Detection method based on RELRO security protection, terminal and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||