CN114417353A - Byte array detection method and device and computer readable storage medium - Google Patents


Info

Publication number
CN114417353A
Authority
CN
China
Prior art keywords
byte array
byte
similarity
array
data
Legal status
Pending
Application number
CN202111602841.6A
Other languages
Chinese (zh)
Inventor
刘海涛
万振华
王颉
李华
郑明�
Current Assignee
Seczone Technology Co Ltd
Original Assignee
Seczone Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

According to the byte array detection method, the byte array detection device and the computer-readable storage medium, detection logic is inserted into an application program to be detected using an instrumentation technique; after it is detected that a first byte array containing effective taint data has passed through a change function to yield a second byte array, a first similarity between the first byte array and the second byte array is acquired; if the first similarity value is zero, a status bit of the second byte array is marked; and when a sensitive function is executed on the second byte array, the propagation result state of the effective taint data in the second byte array is determined according to whether the second byte array carries the status bit mark. By implementing this method, the similarity of a byte array that has passed through a change function is checked, a byte array whose similarity is zero receives a status bit mark, the propagation result state of the effective taint data in the byte array is determined from that mark, and the accuracy of vulnerability identification based on data flow tracking is improved.

Description

Byte array detection method and device and computer readable storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for detecting a byte array, and a computer-readable storage medium.
Background
Data flow vulnerability tracking refers to tracking the input stage, the propagation stage and the execution stage of taint data in a request. If the taint data goes through the complete three-stage process without passing through any security method, a vulnerability is considered to exist. The technique is generally used to detect SQL injection, command line injection and the like.
At present, a common data flow tracking method can only identify taint data by its memory address and cannot recognise modifications made to the taint data itself. When the taint data changes, an ordinary data flow tracking method cannot track it properly, and a series of false alarms results.
Disclosure of Invention
The embodiment of the application provides a byte array detection method, a byte array detection device and a computer readable storage medium, which can at least solve the problem that when taint data changes, a normal data stream tracking method cannot track normally, and a series of false alarms occur in the related art.
A first aspect of the embodiments of the present application provides a byte array detection method, including:
inserting detection logic into the application under test according to the instrumentation technology;
after a first byte array comprising effective taint data is detected to obtain a second byte array through a change function, acquiring a first similarity of the first byte array and the second byte array;
if the first similarity value is zero, marking a state bit of the second byte array;
when the second byte array executes a sensitive function, determining the propagation result state of the effective taint data in the second byte array according to whether the second byte array has the state bit mark; wherein the propagation result state comprises a present state and a lost state, and the propagation result state is the lost state when the second byte array has the state bit flag.
A second aspect of the embodiments of the present application provides a byte array detection apparatus, including:
the insertion module is used for inserting the detection logic into the application program to be detected according to the instrumentation technology;
the device comprises an acquisition module, a judgment module and a processing module, wherein the acquisition module is used for acquiring a first similarity of a first byte array and a second byte array after detecting that the first byte array containing effective taint data passes through a change function to obtain the second byte array;
a marking module, configured to mark a status bit of the second byte array if the first similarity value is zero;
a determining module, configured to determine, when the second byte array executes a sensitive function, a propagation result state of the valid taint data in the second byte array according to whether the second byte array has the status bit flag; wherein the propagation result state comprises a present state and a lost state, and the propagation result state is the lost state when the second byte array has the state bit flag.
A third aspect of embodiments of the present application provides an electronic apparatus, including: the system comprises a memory, a processor and a bus, wherein the bus is used for realizing the connection and communication between the memory and the processor; the processor is configured to execute a computer program stored in the memory, and the processor executes the computer program, where the processor performs each step in the byte array detection method provided in the first aspect of the embodiment of the present application.
A fourth aspect of the embodiments of the present application provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps in the byte array detection method provided in the first aspect of the embodiments of the present application.
As can be seen from the above, according to the byte array detection method, apparatus and computer-readable storage medium provided in the present application, the detection logic is inserted into the application under test according to the instrumentation technique; after a first byte array comprising effective taint data is detected to obtain a second byte array through a change function, acquiring a first similarity of the first byte array and the second byte array; if the first similarity value is zero, marking a state bit of the second byte array; when the second byte array executes a sensitive function, determining the propagation result state of the effective taint data in the second byte array according to whether the second byte array has the state bit mark; wherein the propagation result state comprises a present state and a lost state, and the propagation result state is the lost state when the second byte array has the state bit flag. Through the implementation of the method, the similarity of the second byte array obtained after the first byte array passes through the change function is verified, the state bit mark is carried out on the second byte array with the similarity of zero, when the second byte array passes through the sensitive function in the execution stage, the propagation result state of the effective taint data in the second byte array is determined according to whether the second byte array has the state bit mark, and the accuracy of vulnerability identification based on a data flow tracking method can be further improved.
Drawings
Fig. 1 is a schematic basic flowchart of a byte array detection method according to a first embodiment of the present application;
Fig. 2 is a schematic flowchart illustrating a refinement of a byte array detection method according to a second embodiment of the present application;
Fig. 3 is a block diagram of a program module of a byte array detecting device according to a third embodiment of the present application;
Fig. 4 is a schematic structural diagram of an electronic device according to a fourth embodiment of the present application.
Detailed description of the preferred embodiments
In order to make the objects, features and advantages of the present invention more apparent and understandable, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In order to solve the problem that when the taint data itself changes in the related art, a normal data stream tracking method cannot perform normal tracking, and a series of false alarms occur at this time, the first embodiment of the present application provides a byte array detection method.
Program code in which taint data passes through the input, propagation and execution stages is as follows:
① String taintedData = request.getParameter("taintedData"); // world
② taintedData = "hello" + taintedData; // helloworld
③ char[] chars = taintedData.toCharArray();
④ chars[5] = 'g'; // hellogorld
⑤ chars[6] = 'a'; // hellogarld
⑥ chars[7] = 'm'; // hellogamld
⑦ chars[8] = 'e'; // hellogamed
⑧ String value = String.valueOf(chars);
⑨ Runtime.getRuntime().exec(value);
Here ① represents the input stage of the taint data, ② to ⑧ represent the propagation stage of the taint data, and ⑨ represents the execution stage of the taint data.
As shown in fig. 1, which is a basic flowchart of the byte array detection method provided in this embodiment, the byte array detection method includes the following steps:
step 101, inserting detection logic into an application program to be detected according to the instrumentation technology.
Specifically, instrumentation here means that a component carrying the detection logic is inserted into the application under test using Java virtual machine technology. The component is an agent process running in the same container as the application under test, so it can obtain the context of each request the application executes. Existing data flow tracking methods only track the taint data that is generated and do not detect whether the taint data changes during propagation. In this embodiment, after the application under test is started, the instrumentation tool inserts detection logic into the input stage, the propagation stage and the execution stage of the application under test, so as to detect taint data in the different stages.
Step 102, after detecting that a first byte array including valid taint data passes through a change function to obtain a second byte array, acquiring a first similarity of the first byte array and the second byte array.
Specifically, it should be noted that the byte array in this embodiment refers to the storage data type char[] in Java. The byte array is a native Java type, and directly modifying the character at a given position in it does not trigger propagation-stage tracking, which causes false alarms in the data flow vulnerability tracking stage (that is, the original byte array may have been completely replaced, so that it no longer holds data input by the user and cannot be exploited, in which case no vulnerability exists). After the detection logic detects that the taint data of the input stage has changed into the first byte array (the taint data here is the original effective taint data in the first byte array, and is referred to throughout as effective taint data below), a byte array similarity matching module determines whether the first byte array containing the effective taint data changes in the propagation stage, and the second byte array is obtained after the change occurs. As the code above shows, the contents of the char array have changed between ③ and ⑧, and of the taint data "world" that came from the request input only "d" remains. The byte array similarity matching module takes the lengths of the first byte array and the second byte array and the length of the longest equal byte string in the two arrays as algorithm input parameters, and determines whether a first similarity exists between the first byte array and the second byte array.
In an implementation manner of this embodiment, before the step of obtaining the first similarity between the first byte array and the second byte array, the method further includes: detecting whether effective taint data exist in the data stream in an input stage in real time according to detection logic; when valid taint data is present, it is detected whether the valid taint data has changed to a first byte array.
Specifically, in this embodiment, after the detection logic is inserted into the application under test, the detection logic may detect in real time whether valid taint data exists in the data input by the user. When valid taint data exists, the detection logic tracks it through the input stage and determines whether it changes into the first byte array; when no valid taint data exists, the data is determined to be safe data and does not take part in the subsequent detection process.
In an optional implementation manner of this embodiment, after the step of detecting whether the valid taint data changes into the first byte array, the method further includes: after determining that the effective taint data is changed into a first byte array, determining whether bytes on a byte coordinate position are changed according to the byte coordinate position of the first byte array; when determining that the bytes on the byte coordinate positions change, detecting a first byte array containing valid taint data and obtaining a second byte array through a change function.
Specifically, in practical applications, the first byte array containing the valid taint data may not change during propagation, and comparing every byte array encountered during propagation would seriously affect the operating efficiency of the detection logic. In this embodiment, before obtaining the first similarity and after determining that the effective taint data has changed into the first byte array, the detection logic checks the byte at each byte coordinate position in the first byte array; once it detects that the first byte array has changed, it obtains the second byte array that results from the change and then performs the step of obtaining the first similarity.
In an optional implementation manner of this embodiment, the step of obtaining the first similarity between the first byte array and the second byte array includes: carrying out byte comparison on the target coordinate position of the first byte array and the corresponding coordinate position of the second byte array; and determining the first similarity of the first byte array and the second byte array according to the length of the compared consistent bytes.
Specifically, the target coordinate position of this embodiment is the coordinate position at which the effective taint data is located in the first byte array. After the detection logic determines that the first byte array has changed into the second byte array, the bytes at the coordinate position of the effective taint data in the first byte array are compared with the bytes at the corresponding coordinate position of the second byte array, and the comparison yields the length over which the effective taint data is the same in the two byte arrays. It should be understood that the effective taint data in the second byte array is the effective taint data that still exists after the effective taint data in the first byte array has passed through the change function. The first similarity between the first byte array and the second byte array is then determined from the length of the identical bytes; for example, at the third and the twelfth codes the length of the byte array is 10, the effective taint byte data in the byte array is at (5,9), and the equal length of the effective taint data in the two byte arrays is 1.
In an optional implementation manner consistent with this embodiment, after the step of obtaining the first similarity between the first byte array and the second byte array, the method further includes: if the first similarity value is not zero, verifying the accuracy of the first similarity; if the verification fails, marking the status bit of the second byte array, and then determining the propagation result status of the effective taint data in the second byte array according to whether the second byte array has the status bit mark or not when the sensitive function is executed in the second byte array; and if the verification is passed, executing a step of determining the propagation result state of the effective taint data in the second byte array according to whether the second byte array has the state bit mark or not when the sensitive function is executed in the second byte array.
Specifically, in this embodiment, when the value of the first similarity between the first byte array and the second byte array is not zero, a similarity verification module verifies the first similarity to determine whether it is accurate. When the verification passes, the first similarity is determined to be accurate, the first byte array and the second byte array are determined to be correlated, valid taint data may exist in the second byte array, and the data flow vulnerability detection logic continues to execute. When the verification fails, an error has occurred in the similarity matching module; the status bit of the second byte array is marked to indicate that the second byte array is safe, which effectively improves the accuracy of deciding whether effective taint data exists in the second byte array.
It should be noted that, in an optional implementation manner of this embodiment, before the step of performing accuracy verification on the first similarity, the method further includes: carrying out byte comparison on the non-target coordinate position of the first byte array and the corresponding coordinate position of the second byte array; and when the third similarity value of the non-target coordinate position of the first byte array and the corresponding coordinate position of the second byte array is not zero, executing a step of verifying the accuracy of the first similarity.
Specifically, in practical applications, for example, the hard-coded data in code steps ④ to ⑦ may be consistent with part of the data of the original byte array, and an error may occur in such a case.
In an optional implementation manner of this embodiment, the step of verifying the accuracy of the first similarity includes: generating a random byte array with the same length as the first byte array; obtaining a second similarity of the random byte array and a third byte array obtained by the random byte array through a variation function; and verifying the accuracy of the first similarity based on the second similarity.
Specifically, in this embodiment, after the similarity verification module receives the data that the similarity matching module used for matching, it generates a byte array of the same length with random content and calls again the function that changed the first byte array into the second byte array. The random byte array is then matched for similarity against the third byte array obtained from that change to produce a second similarity, and the accuracy of the first similarity is verified according to the second similarity.
Step 103, if the first similarity value is zero, marking the state bit of the second byte array.
Specifically, in this embodiment, if the first similarity value is zero, which indicates that there is no valid dirty data included in the first byte array in the second byte array, the status bit of the second byte array is marked, and it is determined that the second byte array is safe.
Step 104, when the second byte array executes the sensitive function, determining the propagation result state of the effective taint data in the second byte array according to whether the second byte array has the state bit mark.
Specifically, the propagation result state in this embodiment includes an existing state and a lost state, in the execution stage, when the second byte array passes through the sensitive function, such as command line execution, SQL operation, and the like, the detection logic may further determine the propagation result state of the valid taint data in the second byte array according to whether the second byte array has a state bit flag, where the state bit flag indicates that the valid taint data has been lost in the propagation process, that is, the valid taint data cannot be operated by a malicious user, and at this time, the vulnerability is not reported, so as to improve the accuracy.
Based on the scheme of the embodiment of the application, inserting the detection logic into the application program to be detected according to the instrumentation technology; after a first byte array comprising effective taint data is detected to obtain a second byte array through a change function, acquiring first similarity of the first byte array and the second byte array; if the first similarity value is zero, marking the state bit of the second byte array; and when the second byte array executes the sensitive function, determining the propagation result state of the effective taint data in the second byte array according to whether the second byte array has the state bit mark. Through the implementation of the method, the similarity of the byte array subjected to the change function is verified, the state bit mark is carried out on the byte array with the zero similarity, the propagation result state of the effective taint data in the byte array is determined according to the state bit mark, and the accuracy of vulnerability identification based on a data flow tracking method can be improved.
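The flow of steps 102 to 104 on the "helloworld" array, as an added example that is not code from the patent or from the applicant. The class and method names, the identity-keyed side table that holds the status bit mark, and the verification rule (the first similarity is accepted only if the second similarity over the taint range is also non-zero) are assumptions made for illustration; the third-similarity check on non-target positions is not modelled.

```java
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.Random;
import java.util.Set;
import java.util.function.UnaryOperator;

public class ByteArrayTaintDemo {
    // Status bit marks, keyed by array identity (assumption: the agent keeps them in a side table).
    static final Set<char[]> LOST_MARK = Collections.newSetFromMap(new IdentityHashMap<>());
    static final Random RND = new Random();

    /** Number of equal positions inside the taint range [from, to], inclusive as in the page's (5,9). */
    static int similarity(char[] a, char[] b, int from, int to) {
        int end = Math.min(to, Math.min(a.length, b.length) - 1);
        int same = 0;
        for (int i = Math.max(from, 0); i <= end; i++) {
            if (a[i] == b[i]) {
                same++;
            }
        }
        return same;
    }

    /**
     * Verification with a random array of the same length. Assumed rule: if random input
     * does not survive the change function anywhere in the taint range, a non-zero first
     * similarity can only come from hard-coded values that happen to equal the input.
     */
    static boolean verify(UnaryOperator<char[]> change, int length, int from, int to) {
        char[] random = new char[length];
        for (int i = 0; i < length; i++) {
            // Non-ASCII and below the surrogate range, so it cannot equal the ASCII literals used here.
            random[i] = (char) (0x100 + RND.nextInt(0xD000));
        }
        char[] third = change.apply(random.clone());
        int secondSimilarity = similarity(random, third, from, to);
        return secondSimilarity > 0;
    }

    /** Propagation-stage hook: applies the change function and marks the result if the taint is gone. */
    static char[] propagate(char[] first, UnaryOperator<char[]> change, int from, int to) {
        char[] second = change.apply(first.clone());
        int firstSimilarity = similarity(first, second, from, to);
        if (firstSimilarity == 0 || !verify(change, first.length, from, to)) {
            LOST_MARK.add(second); // status bit mark: effective taint data lost
        }
        return second;
    }

    /** Execution-stage hook at the sensitive function: a marked array is not reported. */
    static String atSink(char[] value) {
        return LOST_MARK.contains(value) ? "LOST" : "PRESENT";
    }

    /** Change function that overwrites positions starting at offset with hard-coded text. */
    static UnaryOperator<char[]> overwrite(int offset, String text) {
        return chars -> {
            for (int i = 0; i < text.length() && offset + i < chars.length; i++) {
                chars[offset + i] = text.charAt(i);
            }
            return chars;
        };
    }

    public static void main(String[] args) {
        // Constructed input: "hello" followed by the tainted request value "world" at (5,9).
        char[] first = "helloworld".toCharArray();
        String[] replacements = {"game", "games", "gamed"};
        for (String r : replacements) {
            char[] second = propagate(first, overwrite(5, r), 5, 9);
            System.out.println(String.valueOf(second) + " -> " + atSink(second));
        }
    }
}
```

The three replacements cover the page's own case (one tainted character survives), a full overwrite (first similarity zero), and a full overwrite whose hard-coded last character happens to equal the input, which is the coincidence the random-array verification is meant to catch.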
The method in fig. 2 is a refined byte array detection method provided in a second embodiment of the present application, and the byte array detection method includes:
step 201, inserting detection logic into the application under test according to the instrumentation technology.
Step 202, after determining that the valid taint data is changed into the first byte array, determining whether the byte on the byte coordinate position is changed according to the byte coordinate position of the first byte array.
Step 203, when determining that the byte on the byte coordinate position changes, obtaining a second byte array obtained by the first byte array through a change function.
Specifically, in this embodiment, before the first similarity is obtained and after it is determined that the valid taint data has changed into the first byte array, the detection logic checks the byte at each byte coordinate position of the first byte array; once a change to the first byte array is detected, the second byte array that results from the change is obtained.
Step 204, obtain a first similarity between the first byte array and the second byte array.
Step 205, if the first similarity value is zero, marking the status bit of the second byte array.
Step 206, when the sensitive function is executed on the second byte array, detecting whether the status bit flag exists in the second byte array.
Step 207, when the status bit flag of the second byte array is detected, determining that the valid taint data is in a lost status in the second byte array.
Step 208, when it is detected that the status bit flag does not exist in the second byte array, determining that valid taint data exists in the second byte array.
Specifically, in this embodiment, when the first similarity value is zero, it is determined that all bytes in the second byte array corresponding to the coordinate position of the valid taint data in the first byte array have changed and that no valid taint data exists in the second byte array. When the second byte array passes through the sensitive function in the execution stage, if the detection logic detects that the second byte array has the status bit flag, the valid taint data of the second byte array is determined to be in the lost state; if the detection logic detects that the second byte array does not have the status bit flag, the valid taint data of the second byte array is determined to be in the existing state.
It should be understood that, the size of the serial number of each step in this embodiment does not mean the execution sequence of the step, and the execution sequence of each step should be determined by its function and inherent logic, and should not be limited uniquely to the implementation process of the embodiment of the present application.
According to the byte array detection method provided by the scheme of the application, detection logic is inserted into an application program to be detected according to an instrumentation technology; after determining that the effective taint data is changed into a first byte array, determining whether bytes on a byte coordinate position are changed according to the byte coordinate position of the first byte array; when determining that the bytes on the byte coordinate positions change, acquiring a second byte array obtained by the first byte array through a change function; acquiring a first similarity of a first byte array and a second byte array; if the first similarity value is zero, marking the state bit of the second byte array; detecting whether a status bit mark exists in the second byte array; when the second byte array is detected to have the status bit mark, determining that the effective taint data is in a lost state in the second byte array; when it is detected that the status bit flag is not present in the second byte array, it is determined that valid taint data is present in the second byte array. Through the implementation of the method, the similarity of the second byte array subjected to the change function is verified, the state bit mark is carried out on the second byte array with the first similarity being zero, the propagation result state of the effective taint data in the second byte array is determined according to the state bit mark, and the accuracy of vulnerability identification based on a data flow tracking method can be improved.
Fig. 3 is a block diagram of a byte array detection apparatus according to a third embodiment of the present application. The byte array detection device can be used for realizing the byte array detection method in the embodiment. As shown in fig. 3, the byte array detection apparatus mainly includes:
an insertion module 301, configured to insert detection logic into an application under test according to instrumentation techniques;
an obtaining module 302, configured to obtain a first similarity between a first byte array and a second byte array after detecting that the first byte array containing valid taint data obtains the second byte array through a change function;
a marking module 303, configured to mark a status bit of the second byte array if the first similarity value is zero;
a determining module 304, configured to determine a propagation result state of the valid taint data in the second byte array according to whether the second byte array has a status bit flag when the second byte array executes the sensitive function; wherein, when the second byte array has the status bit flag, the propagation result state is the lost state.
In an optional implementation manner of this embodiment, the byte array detection apparatus further includes a detection module. The detection module is used for: detecting whether effective taint data exist in the data stream in an input stage in real time according to detection logic; when valid taint data is present, detecting whether the valid taint data has changed to a first byte array.
Further, in an optional implementation manner of this embodiment, the determining module is further configured to: after determining that the valid taint data has changed to the first byte array, determining whether a byte at the byte coordinate position has changed based on the byte coordinate position of the first byte array. The detection module is further configured to: when determining that the bytes on the byte coordinate positions change, detecting a first byte array containing valid taint data and obtaining a second byte array through a change function.
In an optional implementation manner of this embodiment, the obtaining module is specifically configured to: carrying out byte comparison on the target coordinate position of the first byte array and the corresponding coordinate position of the second byte array; the target coordinate position is the coordinate position of the effective taint data in the first byte array; and determining the first similarity of the first byte array and the second byte array according to the length of the compared consistent bytes.
In an optional implementation manner of this embodiment, the byte array detection apparatus further includes a verification module. The verification module is configured to: if the first similarity value is not zero, verifying the accuracy of the first similarity; if the verification fails, marking the status bit of the second byte array, and then determining the propagation result status of the effective taint data in the second byte array according to whether the second byte array has the status bit mark or not when the sensitive function is executed in the second byte array; and if the verification is passed, executing a step of determining the propagation result state of the effective taint data in the second byte array according to whether the second byte array has the state bit mark or not when the sensitive function is executed in the second byte array.
Further, in an optional implementation manner of this embodiment, the verification module is specifically configured to: generating a random byte array with the same length as the first byte array; obtaining a second similarity of the random byte array and a third byte array obtained by the random byte array through a variation function; and verifying the accuracy of the first similarity based on the second similarity.
Further, in an optional implementation manner of this embodiment, the byte array detection apparatus further includes: and a comparison module. The comparison module is used for carrying out byte comparison on the non-target coordinate position of the first byte array and the corresponding coordinate position of the second byte array; and when the third similarity value of the non-target coordinate position of the first byte array and the corresponding coordinate position of the second byte array is not zero, executing a step of verifying the accuracy of the first similarity.
It should be noted that, the byte array detection methods in the first and second embodiments can be implemented based on the byte array detection device provided in this embodiment, and it can be clearly understood by those skilled in the art that, for convenience and simplicity of description, the specific working process of the byte array detection device described in this embodiment may refer to the corresponding process in the foregoing method embodiment, and details are not described here.
According to the byte array detection device provided by the scheme of the application, detection logic is inserted into an application program to be detected according to an instrumentation technology; after a first byte array comprising effective taint data is detected to obtain a second byte array through a change function, acquiring first similarity of the first byte array and the second byte array; if the first similarity value is zero, marking the state bit of the second byte array; and when the second byte array executes the sensitive function, determining the propagation result state of the effective taint data in the second byte array according to whether the second byte array has the state bit mark. Through the implementation of the method, the similarity of the byte array subjected to the change function is verified, the state bit mark is carried out on the byte array with the zero similarity, the propagation result state of the effective taint data in the byte array is determined according to the state bit mark, and the accuracy of vulnerability identification based on a data flow tracking method can be improved.
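The flow summarized above (first similarity over the taint positions, status bit, random-array verification, decision at the sensitive function), as an added Python example that is not code from the patent or its applicant. All function names, the sample input, the three change functions and the verification rule (pass only if every random probe keeps at least one byte in place) are assumptions; the non-target-position comparison is left out.

```python
import base64
import os

PRESENT, LOST = "present", "lost"


def similarity(src: bytes, dst: bytes, positions) -> int:
    """Number of the given coordinate positions where dst still holds src's byte."""
    return sum(1 for i in positions if i < len(dst) and src[i] == dst[i])


def verify_first_similarity(first: bytes, change_fn, rng=os.urandom, rounds=3) -> bool:
    """Probe change_fn with random arrays of the same length as `first`.

    Assumed rule (the page only says the check is based on the second
    similarity): fail as soon as one probe shares no byte with its output.
    """
    for _ in range(rounds):
        probe = rng(len(first))
        third = change_fn(probe)
        if similarity(probe, third, range(len(probe))) == 0:
            return False
    return True


def propagate(first: bytes, taint_positions, change_fn, rng=os.urandom):
    """Return (second array, status bit); the bit is set when taint is judged lost."""
    second = change_fn(first)
    if similarity(first, second, taint_positions) == 0:
        return second, True
    # Non-zero similarity may be a coincidence, so it is verified first.
    return second, not verify_first_similarity(first, change_fn, rng)


def state_at_sink(status_bit: bool) -> str:
    """Propagation result state when the second array reaches a sensitive function."""
    return LOST if status_bit else PRESENT


def canned_reply(_data: bytes) -> bytes:
    """Constructed change function that ignores its input."""
    return b"q=anonymous"


# Constructed sample: the value after "q=" (positions 2..9) is the taint.
FIRST = b"q=admin'--"
TAINT = range(2, 10)

if __name__ == "__main__":
    for fn in (bytes.upper, base64.b64encode, canned_reply):
        second, bit = propagate(FIRST, TAINT, fn)
        print(fn.__name__, second, state_at_sink(bit))
```

Because the comparison is position-wise, a change function that shifts the tainted bytes (for example by inserting a character ahead of them) can also produce zero similarity and set the status bit.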
Fig. 4 shows an electronic device according to a fourth embodiment of the present disclosure. The electronic device can be used to implement the byte array detection method in the foregoing embodiments. As shown in Fig. 4, the electronic device mainly includes:
a memory 401, a processor 402, a bus 403, and a computer program stored in the memory 401 and executable on the processor 402, the memory 401 and the processor 402 being connected via the bus 403. The processor 402, when executing the computer program, implements the byte array detection method in the foregoing embodiments. The number of processors may be one or more.
The memory 401 may be a high-speed Random Access Memory (RAM) or a non-volatile memory, such as a disk memory. The memory 401 is used for storing executable program code, and the processor 402 is coupled to the memory 401.
Further, an embodiment of the present application also provides a computer-readable storage medium, where the computer-readable storage medium may be provided in an electronic device in the foregoing embodiments, and the computer-readable storage medium may be the memory in the foregoing embodiment shown in fig. 4.
The computer-readable storage medium has stored thereon a computer program which, when executed by a processor, implements the byte array detection method in the foregoing embodiments. Further, the computer-readable storage medium may be any of various media that can store program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a RAM, a magnetic disk, or an optical disk.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, a division of modules is merely a division of logical functions, and an actual implementation may have another division, for example, a plurality of modules or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or modules, and may be in an electrical, mechanical or other form.
Modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
In addition, functional modules in the embodiments of the present application may be integrated into one processing module, or each of the modules may exist alone physically, or two or more modules are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode.
The integrated module, if implemented in the form of a software functional module and sold or used as a separate product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product that is stored in a readable storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the methods of the embodiments of the present application. The aforementioned readable storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk.
It should be noted that, for the sake of simplicity, the above-mentioned method embodiments are described as a series of acts or combinations, but those skilled in the art should understand that the present application is not limited by the described order of acts, as some steps may be performed in other orders or simultaneously according to the present application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In view of the above description of the byte array detection method, apparatus and computer-readable storage medium provided by the present application, those skilled in the art will recognize that there may be variations in the embodiments and applications of the byte array detection method, apparatus and computer-readable storage medium according to the teachings of the present application.

Claims (10)

1. A method for detecting a byte array, comprising:
inserting detection logic into the application under test according to the instrumentation technology;
after it is detected that a first byte array containing effective taint data obtains a second byte array through a change function, acquiring a first similarity of the first byte array and the second byte array;
if the first similarity value is zero, marking a state bit of the second byte array;
when the second byte array executes a sensitive function, determining the propagation result state of the effective taint data in the second byte array according to whether the second byte array has the state bit mark; wherein the propagation result state comprises a present state and a lost state, and the propagation result state is the lost state when the second byte array has the state bit flag.
2. The byte array detection method of claim 1, wherein the step of obtaining the first similarity between the first byte array and the second byte array further comprises:
detecting whether the effective taint data exist in the data stream in an input stage in real time according to the detection logic;
when the effective taint data exists, detecting whether the effective taint data changes to the first byte array.
3. The byte array detection method of claim 1, wherein the step of obtaining the first similarity between the first byte array and the second byte array comprises:
performing byte comparison on the target coordinate position of the first byte array and the corresponding coordinate position of the second byte array; wherein the target coordinate position is a coordinate position where the effective taint data is located in the first byte array;
and determining the first similarity of the first byte array and the second byte array according to the length of the compared consistent bytes.
4. The byte array detection method of claim 1, wherein after the step of obtaining the first similarity between the first byte array and the second byte array, the method further comprises:
if the value of the first similarity is not zero, verifying the accuracy of the first similarity;
if the verification is not passed, marking the status bit of the second byte array, and then executing the step of determining the propagation result status of the effective taint data in the second byte array according to whether the status bit mark exists in the second byte array or not when the sensitive function is executed in the second byte array;
and if the verification is passed, executing the step of determining the propagation result state of the effective taint data in the second byte array according to whether the second byte array has the state bit mark or not when the sensitive function is executed in the second byte array.
5. The byte array detection method of claim 4, wherein the step of verifying the accuracy of the first similarity comprises:
generating a random byte array with the same length as the first byte array;
obtaining a second similarity of the random byte array and a third byte array obtained by the random byte array through the change function;
and verifying the accuracy of the first similarity based on the second similarity.
6. The byte array detection method of claim 4, wherein before the step of verifying the accuracy of the first similarity, the method further comprises:
carrying out byte comparison on the non-target coordinate position of the first byte array and the corresponding coordinate position of the second byte array;
and when the third similarity value between the non-target coordinate position of the first byte array and the corresponding coordinate position of the second byte array is not zero, executing the step of verifying the accuracy of the first similarity.
7. The byte array detection method of claim 2, wherein the step of detecting whether the effective taint data has changed to the first byte array is further followed by:
after determining that the effective taint data is changed into the first byte array, determining whether bytes on the byte coordinate position are changed according to the byte coordinate position of the first byte array;
and when determining that the bytes on the byte coordinate positions change, detecting that the first byte array containing the effective taint data obtains a second byte array through a change function.
8. A byte array detection apparatus, comprising:
the insertion module is used for inserting the detection logic into the application program to be detected according to the instrumentation technology;
an acquisition module, configured to acquire a first similarity of a first byte array and a second byte array after it is detected that the first byte array containing effective taint data obtains the second byte array through a change function;
a marking module, configured to mark a status bit of the second byte array if the first similarity value is zero;
a determining module, configured to determine, when the second byte array executes a sensitive function, a propagation result state of the effective taint data in the second byte array according to whether the second byte array has the status bit flag; wherein the propagation result state comprises a present state and a lost state, and the propagation result state is the lost state when the second byte array has the state bit flag.
9. An electronic device, comprising: the system comprises a memory, a processor and a bus, and is characterized in that the bus is used for realizing the connection and communication between the memory and the processor; the processor is configured to execute a computer program stored on the memory, and when the processor executes the computer program, the processor implements the steps of the method of any one of claims 1 to 7.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 7.
CN202111602841.6A 2021-12-24 2021-12-24 Byte array detection method and device and computer readable storage medium Pending CN114417353A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111602841.6A CN114417353A (en) 2021-12-24 2021-12-24 Byte array detection method and device and computer readable storage medium

Publications (1)

Publication Number Publication Date
CN114417353A true CN114417353A (en) 2022-04-29

Family

ID=81269489

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111602841.6A Pending CN114417353A (en) 2021-12-24 2021-12-24 Byte array detection method and device and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN114417353A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116760650A (en) * 2023-08-23 2023-09-15 深圳开源互联网安全技术有限公司 Method for confirming HTTP parameter pollution propagation chain in micro-service call based on IAST technology
CN116760650B (en) * 2023-08-23 2023-11-21 深圳开源互联网安全技术有限公司 Method for confirming HTTP parameter pollution propagation chain in micro-service call based on IAST technology

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination