CN114756872A - Injection type taint data tracking method and device based on GO language and electronic device - Google Patents


Info

Publication number
CN114756872A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210460933.3A
Other languages
Chinese (zh)
Inventor
范丙华
徐锋
熊奎
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Xiaodao Technology Co ltd
Original Assignee
Hangzhou Xiaodao Technology Co ltd
Application filed by Hangzhou Xiaodao Technology Co ltd filed Critical Hangzhou Xiaodao Technology Co ltd
Priority to CN202210460933.3A priority Critical patent/CN114756872A/en
Publication of CN114756872A publication Critical patent/CN114756872A/en
Pending legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/362 Software debugging
    • G06F11/3636 Software debugging by tracing the execution of the program
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/362 Software debugging
    • G06F11/3644 Software debugging by instrumenting at runtime


Abstract

The application relates to a GO-language-based injection type taint data tracking method and device, an electronic device and a storage medium. The method comprises the following steps: acquiring an ELF table of a detected application, acquiring construction information of the detected application by querying the ELF table, and acquiring address information of a method function for constructing the detected application from the construction information; according to the address information of the method function, acquiring input data and output data when the method function processes taint data through a preset function structure which is injected into the detected application in advance; and marking the acquired input data and output data of the method function. The method and the device solve the problem in the prior art that compile-type taint tracking requires complicated and troublesome preparation before use and degrades the user experience, and provide a novel GO-language-based injection type taint data tracking method.

Description

Injection type taint data tracking method and device based on GO language and electronic device
Technical Field
The application relates to the technical field of computers, and in particular to an injection type taint data tracking method and device based on the GO language, an electronic device and a storage medium.
Background
The existing GO-language-based taint tracking technology on the market mainly merges and compiles the taint tracking code together with the user code, and then runs the compiled program for monitoring. This approach has the following defects.
a) First, the user's source code is required for compilation; if the user has only the executable file and no source code, vulnerability detection cannot be carried out.
b) Recompilation means that every online machine of the user must be recompiled and redeployed, which is very inconvenient and time-consuming, especially for customers with huge machine clusters.
c) Compile-time injection requires modifying a certain amount of user code, which means that the user must delete the added parts from the modified source code when they are no longer needed, which affects the user experience.
Therefore, the preparation work required before using the current compile-type taint tracking technology is complicated and troublesome, and it affects the user experience.
No effective solution has yet been proposed for the problem in the related art that compile-type taint tracking requires complicated and troublesome preparation before use and affects the user experience.
Disclosure of Invention
The embodiment provides an injection type taint data tracking method, device, electronic device and storage medium based on the GO language, so as to solve the problem in the related art that compile-type taint tracking requires complicated and troublesome preparation before use and affects the user experience.
In a first aspect, in this embodiment, a GO language-based injection type taint data tracking method is provided, the method comprising:
acquiring an ELF table of a detected application, acquiring construction information of the detected application by inquiring the ELF table, and acquiring information of a method function for constructing the detected application from the construction information;
according to the information of the method function, acquiring input data and output data when the method function processes taint data through a preset function structure injected into the detected application in advance;
marking the acquired input data and output data of the method function;
wherein the input data and the output data of each marked method function are used for forming a vulnerability link.
In some embodiments, the obtaining the ELF table of the detected application, and the obtaining the construction information of the detected application by querying the ELF table includes:
converting the process file of the detected application into a character type to generate an ELF file, wherein the ELF file comprises the ELF table, and the ELF table comprises construction information of the detected application;
acquiring a virtual address and an address offset of the process file of the detected application in a memory;
and acquiring a specific address space of the construction information in a memory according to the virtual address, and acquiring the construction information of the detected application by combining the address offset.
In some embodiments, the obtaining the virtual address and the address offset of the process file of the detected application in the memory includes:
acquiring a path of the detected application according to the process name of the process file;
and acquiring the virtual address and the address offset of the process file in the memory through a file mapping relation based on the path of the detected application.
In some embodiments, the marking the acquired input data and output data of the method function further comprises:
classifying the method function; wherein the type of method function comprises: a first type, a second type, and a third type; the first type of method function is used for receiving externally input taint data, the second type of method function is used for spreading the taint data, and the third type of method function is used for triggering a vulnerability.
In some embodiments, the preset function structure includes a data marking function and a data acquiring function, and the information of the method function includes an address of the method function in the memory;
the step of acquiring input data and output data when the taint data is processed by the method function according to the information of the method function and through a preset function structure injected into the detected application in advance comprises the following steps:
according to the address of the method function in the memory, performing register address replacement operation through a data acquisition function so as to enable input data and output data of the method function to enter the preset function structure;
and marking and storing the output data and the input data through the data marking function.
In some of these embodiments, the method further comprises:
acquiring an interface list of an interface called by the detected application according to the ELF table;
wherein, the interface list comprises the method function.
In some embodiments, the obtaining input data and output data when the method function processes taint data through a preset function structure pre-injected into the detected application includes:
determining a method function to be monitored in the detected application by comparing the method function in the interface list with a method function in a preset function list; the preset function list comprises preset method functions needing to be monitored;
and acquiring input data and output data when the taint data is processed by the method function to be monitored in the detected application through the preset function structure.
In a second aspect, there is provided in this embodiment an apparatus for GO language based injection taint data tracking, the apparatus comprising: the device comprises a first acquisition module, a second acquisition module and a data marking module;
the first acquisition module is used for acquiring an ELF table of the detected application, acquiring construction information of the detected application by inquiring the ELF table, and acquiring information of a method function for constructing the detected application from the construction information;
the second acquisition module is used for acquiring input data and output data when the taint data is processed by the method function through a preset function structure which is pre-injected into the detected application according to the information of the method function;
the data marking module is used for marking the acquired input data and output data of the method function;
wherein the input data and the output data of each marked method function are used for forming a vulnerability link.
In a third aspect, in this embodiment, an electronic device is provided, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and when the processor executes the computer program, the processor implements the GO language-based injection type taint data tracking method according to the first aspect.
In a fourth aspect, in the present embodiment, there is provided a storage medium having a computer program stored thereon, which when executed by a processor, implements the GO language-based injection type taint data tracking method of the first aspect.
Compared with the prior art, the taint tracking technology here starts from the perspective of the operating system: the construction information of the detected application, which includes the method function information, is obtained through the ELF file; on that basis, the input data and output data of the corresponding method functions are obtained through a hook technique, and taint tracking analysis is finally achieved. Because the method function information is obtained from the perspective of the operating system, the preset function structure injected into the application does not need to be compiled together with the source code of the application; instead, the input and output data of the method function are obtained directly through a register address replacement operation and marked, so that the propagation link of the taint data is determined. The taint data tracking method can therefore be applied directly to the process file: through dynamic injection of the preset function structure during the startup stage of the application program, it can acquire the propagation link of taint data and report the corresponding vulnerability information without recompiling or restarting. This solves the problem in the prior art that compile-type taint tracking requires complicated and troublesome preparation before use and affects the user experience.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
Fig. 1 is a block diagram of a hardware structure of a terminal of the GO language-based injection type taint data tracking method according to the present embodiment.
Fig. 2 is a flowchart of an injection type taint data tracking method based on GO language according to the present embodiment.
Fig. 3 is a flow chart of a GO language based injection type taint data tracking method according to the preferred embodiment.
Fig. 4 is a block diagram of an injection type taint data tracking device based on GO language according to the present embodiment.
Detailed Description
For a clearer understanding of the objects, aspects and advantages of the present application, reference is made to the following description and accompanying drawings.
Unless defined otherwise, technical or scientific terms used herein shall have the same general meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The use of the terms "a" and "an" and "the" and similar referents in the context of this application does not denote a limitation of quantity, and may refer to the singular or the plural. The terms "comprises," "comprising," "has," "having," and any variations thereof, as referred to in this application, are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or modules, but may include other steps or modules (elements) not listed or inherent to such process, method, article, or apparatus. Reference throughout this application to "connected," "coupled," and the like is not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. Reference to "a plurality" in this application means two or more. "And/or" describes an association relationship of associated objects, meaning that three relationships may exist; for example, "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone. In general, the character "/" indicates that the objects before and after it are in an "or" relationship. The terms "first," "second," "third," and the like in this application are used for distinguishing between similar items and not necessarily for describing a particular sequential or chronological order.
The method embodiments provided in the present embodiment may be executed in a terminal, a computer, or a similar computing device. For example, when the method is executed on a terminal, Fig. 1 is a block diagram of a hardware structure of the terminal for the GO language-based injection type taint data tracking method of the present embodiment. As shown in Fig. 1, the terminal may include one or more processors 102 (only one shown in Fig. 1) and a memory 104 for storing data, wherein the processor 102 may include, but is not limited to, a processing device such as a microprocessor (MCU) or a programmable logic device (FPGA). The terminal may also include a transmission device 106 for communication functions and an input-output device 108. It will be understood by those of ordinary skill in the art that the structure shown in Fig. 1 is merely an illustration and is not intended to limit the structure of the terminal described above. For example, the terminal may also include more or fewer components than shown in Fig. 1, or have a different configuration than shown in Fig. 1.
The memory 104 can be used for storing computer programs, for example, software programs and modules of application software, such as a computer program corresponding to the GO language-based injection type taint data tracking method in the present embodiment, and the processor 102 executes various functional applications and data processing by running the computer program stored in the memory 104, so as to implement the above-mentioned method. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used to receive or transmit data via a network. The network described above includes a wireless network provided by a communication provider of the terminal. In one example, the transmission device 106 includes a network adapter (NIC) that can be connected to other network devices via a base station to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is used to communicate with the internet in a wireless manner.
In this embodiment, a GO language-based injection type taint data tracking method is provided. Fig. 2 is a flowchart of the GO language-based injection type taint data tracking method of this embodiment. As shown in Fig. 2, the flow includes the following steps:
Step S210, obtaining an ELF table of the detected application, obtaining construction information of the detected application by querying the ELF table, and obtaining information of a method function for constructing the detected application from the construction information.
In this specific step, the detection terminal first obtains the construction information of the detected application through the ELF table of the detected application, and since the construction information of the application includes the information of the method function for constructing the application, the detection terminal then obtains the method function for constructing the detected application and the information of the method function from the construction information.
Acquiring the ELF table of the detected application, and acquiring the construction information of the detected application by querying the ELF table, comprises the following steps: converting the process file of the detected application into a character type to generate an ELF file, wherein the ELF file comprises an ELF table, and the ELF table comprises the construction information of the detected application. ELF is a standard file format in computer science for binary files, executable files, object code, shared libraries and core dumps. Then the virtual address and the address offset of the process file of the detected application in the memory are acquired; the specific address space of the construction information in the memory is acquired according to the virtual address, and the construction information of the detected application is acquired by combining the address offset. More specifically, the file of the process is read into the memory and converted into a character type, and it is judged whether the file is of the ELF file type; if so, the file is loaded. The construction information of an application is generally stored in the ELF file; the specific address space where the construction information is located is then found through the virtual address of the process file in the memory, and finally the construction version and the specific detailed construction information are obtained through the address offset.
Illustratively, the step of obtaining the virtual address and the address offset of the process file of the detected application in the memory is: acquiring a path of the detected application according to the process name of the process file; and acquiring the virtual address and the address offset of the process file in the memory through the file mapping relation based on the path of the detected application. Specifically, the PID (process unique identifier) of the process is acquired through the process name, and the complete path where the detected application is located is acquired through the PID. Then /proc/{PID}/maps is read according to the complete path; this file shows the memory areas mapped by the process and their access permissions. The start and end addresses of the virtual addresses of the process file in the memory, the read/write permissions, the offset, the node number to which the mapping belongs and the like are then acquired from the file, and these data are stored in the memory.
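The /proc/{PID}/maps lookup described above, as an added Go example that is not code from the patent: it parses a maps listing and translates a file offset into the virtual address where that byte is mapped. The sample listing, the path /opt/demo/server and the type and function names are assumptions made for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Mapping is one line of /proc/<pid>/maps.
type Mapping struct {
	Start, End uint64 // virtual address range [Start, End)
	Perms      string // access permissions, e.g. "r-xp"
	Offset     uint64 // file offset the range was mapped from
	Inode      uint64 // node number of the backing file, 0 if anonymous
	Path       string // backing file, empty if anonymous
}

// sampleMaps is constructed for this example (made-up path and addresses).
const sampleMaps = `00400000-00401000 r--p 00000000 08:01 393301 /opt/demo/server
00401000-00489000 r-xp 00001000 08:01 393301 /opt/demo/server
00489000-00520000 r--p 00089000 08:01 393301 /opt/demo/server
00520000-00526000 rw-p 00120000 08:01 393301 /opt/demo/server
c000000000-c000400000 rw-p 00000000 00:00 0
7ffd1c5e2000-7ffd1c603000 rw-p 00000000 00:00 0 [stack]
`

// ParseMaps parses the text of a maps file into Mapping records.
func ParseMaps(text string) ([]Mapping, error) {
	hex := func(s string) (uint64, error) { return strconv.ParseUint(s, 16, 64) }
	var out []Mapping
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		f := strings.Fields(sc.Text())
		if len(f) == 0 {
			continue // blank line
		}
		if len(f) < 5 {
			return nil, fmt.Errorf("line %d: expected at least 5 fields, got %d", n, len(f))
		}
		lo, hi, ok := strings.Cut(f[0], "-")
		// The pathname is optional and may contain spaces.
		m := Mapping{Perms: f[1], Path: strings.Join(f[5:], " ")}
		var e1, e2, e3, e4 error
		m.Start, e1 = hex(lo)
		m.End, e2 = hex(hi)
		m.Offset, e3 = hex(f[2])
		m.Inode, e4 = strconv.ParseUint(f[4], 10, 64)
		if !ok || e1 != nil || e2 != nil || e3 != nil || e4 != nil || m.End <= m.Start {
			return nil, fmt.Errorf("line %d: malformed maps entry %q", n, sc.Text())
		}
		out = append(out, m)
	}
	return out, sc.Err()
}

// FileOffsetToAddr translates an offset inside the file at path into the
// virtual address at which that byte is mapped in the process.
func FileOffsetToAddr(maps []Mapping, path string, off uint64) (uint64, bool) {
	for _, m := range maps {
		if m.Path == path && off >= m.Offset && off-m.Offset < m.End-m.Start {
			return m.Start + (off - m.Offset), true
		}
	}
	return 0, false
}

// MappingAt returns the mapping that contains addr, so a caller can check
// that a function address really lies in an executable region of the file.
func MappingAt(maps []Mapping, addr uint64) (Mapping, bool) {
	for _, m := range maps {
		if addr >= m.Start && addr < m.End {
			return m, true
		}
	}
	return Mapping{}, false
}

func main() {
	maps, err := ParseMaps(sampleMaps)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	addr, ok := FileOffsetToAddr(maps, "/opt/demo/server", 0x1234)
	m, _ := MappingAt(maps, addr)
	fmt.Printf("offset 0x1234 -> %#x (found=%v, perms=%s)\n", addr, ok, m.Perms)
}
```
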
Step S220, acquiring input data and output data when the taint data is processed by the method function through a preset function structure which is injected into the detected application in advance according to the information of the method function.
In this specific step, the detection terminal injects a function structure into the detected application in advance, and this function structure then obtains the input data and the output data of the method function by using the information of the method function. In a specific example, when a user starts a code project, a request is triggered to start vulnerability detection, and the preset function structure acquires the input data and output data of the method functions through which the taint data passes.
Step S230, marking the input data and the output data of the acquired method function; wherein the input data and the output data of the marked respective method functions are used to form the vulnerability link.
In this specific step, the detection terminal marks the input data and output data of the method function, and if the taint data reaches a vulnerability trigger function, the data are sorted in the thread to form a complete vulnerability link for reporting. That is, the marking information determines the taint data originally input from outside and all the method functions the taint data passed through along the way.
More specifically, the preset function structure includes a data marking function and a data acquiring function, and the information of the method function includes the address of the method function in the memory. First, the detection terminal performs a register address replacement operation through the data acquisition function, according to the address of the method function in the memory, so that the input data and output data of the method function enter the preset function structure; the output data and the input data are then marked and stored by the data marking function. Illustratively, the data obtaining function may be a section of inline assembly code arranged in the function structure, whose main function is to obtain, through register address operations, the corresponding input data and output data when a certain method function executes, and then send the input data and output data to the preset function structure; the data marking function may be a handle function for marking and storing the input data. Illustratively, in the present embodiment, a hook technique is used to obtain the input and output data of the method function. Specifically, this may be done through a register address replacement operation, which refers to modifying the index address of a function in a register. For example, if the address of the method function to be monitored in the memory is 0x11, and the address of the preset function structure in the memory is 0x22, then the index address of the method function to be monitored in the register is 0x11; the index address of the method function in the register is then changed to 0x22, so that the data information related to the method function enters the preset function structure through the index address, and the input and output data of the monitored method function can be obtained.
Preferably, before the step of marking the input data and the output data of the obtained method function, the method further comprises: classifying the method functions; wherein the types of method functions include: a first type, a second type, and a third type; the method function of the first type is used for receiving externally input taint data, the method function of the second type is used for spreading the taint data, and the method function of the third type is used for triggering a vulnerability. Specifically, the initial externally input taint data enters the detected application program through a first-type method function and is then propagated through second-type method functions; when the taint data is propagated to a third-type method function, this indicates that a vulnerability exists in the detected application, and the method functions through which the taint data passed need to be sorted to finally form a vulnerability link.
It should be particularly noted that the method is applied in the GO language environment. Taint tracking technology in the current GO language environment mainly merges and compiles the taint tracking code with the user code and then runs the compiled program for monitoring, which has the corresponding usage defects. The taint tracking technology in this embodiment is used for taint tracking analysis of a golang application program, and thus overcomes the inconvenience in the prior art caused by having to merge and compile the taint tracking code with the user code in a golang language environment.
In this embodiment, through the above steps, a new GO language-based injection type taint data tracking method is provided. It first obtains the construction information of the detected application through the ELF table, then obtains from the construction information the method functions for constructing the detected application and the addresses of the method functions in the memory, and finally, using a preset function structure injected into the detected application in advance, obtains through a register address replacement operation the input data and output data when the taint data is processed by the method functions, and marks the corresponding data. These marked data facilitate subsequent determination of a vulnerability link. Compared with the prior art, the taint tracking technology in this embodiment starts from the perspective of the operating system: the construction information of the detected application, which includes the method function information, is obtained through the ELF file; on that basis, a hook technique is adopted to obtain the input data and output data of the corresponding method functions, and taint tracking analysis is finally achieved. Because the method function information is obtained from the perspective of the operating system, the preset function structure injected into the application does not need to be compiled together with the source code of the application; instead, the input and output data of the method function are obtained directly through the register address replacement operation and marked, and the propagation link of the taint data is thereby determined.
The taint data tracking method can therefore be applied directly to the process file: through dynamic injection of the preset function structure during the startup stage of the application program, it can acquire the propagation link of taint data and report the corresponding vulnerability information without recompiling or restarting. This solves the problem in the prior art that compile-type taint tracking requires complicated and troublesome preparation before use and affects the user experience.
In some of these embodiments, the GO language-based injected taint data tracking method further comprises: acquiring an interface list of an interface called by the detected application according to the ELF table; the interface list comprises method functions.
Acquiring input data and output data of the method function through a preset function structure, and marking the input data and the output data further comprises: determining a method function to be monitored in the detected application by comparing the method function in the interface list with the method function in the preset function list; the preset function list comprises preset method functions to be monitored; and acquiring input data and output data of a method function to be monitored in the detected application through a preset function structure.
Specifically, in this embodiment, the construction information of the detected application further includes an interface list; the interface list is obtained through the information in the ELF file and includes the method functions. The method functions to be monitored in the detected application are determined by comparing the interface list with a preset function list, where a method function to be monitored is one whose input and output data need to be captured. Through this step, the preset function structure can obtain the input and output data of the method functions to be monitored in a targeted manner, which reduces unnecessary consumption.
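The three-type classification and the comparison against a preset function list described above, as an added Go example that is not code from the patent: captured calls are replayed, data is marked, and a vulnerability link is returned when marked data reaches a third-type function. Assumptions: data is identified by value, the roles given to the standard-library functions are illustrative, and the interface list and call trace are constructed.

```go
package main

import "fmt"

// Kind is the role of a monitored method function (the three types above).
type Kind int

const (
	Source     Kind = iota + 1 // first type: receives externally input taint data
	Propagator                 // second type: spreads taint data
	Sink                       // third type: triggers a vulnerability
)

// Call is one captured invocation: the function plus its input and output data.
type Call struct {
	Func    string
	In, Out []string
}

// preset is a hypothetical preset function list; the roles are assigned for illustration.
var preset = map[string]Kind{
	"net/http.(*Request).FormValue": Source,
	"fmt.Sprintf":                   Propagator,
	"database/sql.(*DB).Query":      Sink,
	"os/exec.Command":               Sink, // in the preset list, absent from the application
}

// interfaceList stands in for the functions recovered from the ELF table (constructed).
var interfaceList = []string{
	"main.main", "main.handleUser", "net/http.(*Request).FormValue",
	"fmt.Sprintf", "database/sql.(*DB).Query",
}

// SelectMonitored keeps only the functions that appear in both lists.
func SelectMonitored(ifaces []string, preset map[string]Kind) map[string]Kind {
	out := make(map[string]Kind)
	for _, name := range ifaces {
		if k, ok := preset[name]; ok {
			out[name] = k
		}
	}
	return out
}

// Tracker marks data (simplified here: by value) with the functions it passed through.
type Tracker struct {
	monitored map[string]Kind
	marks     map[string][]string
}

// Observe processes one call and returns the vulnerability link if taint reached a sink.
func (t *Tracker) Observe(c Call) []string {
	kind, ok := t.monitored[c.Func]
	if !ok {
		return nil // not a function to be monitored
	}
	var link []string
	for _, in := range c.In {
		if l, ok := t.marks[in]; ok {
			link = append(append([]string{}, l...), c.Func) // copy, then extend
			break
		}
	}
	switch {
	case kind == Source:
		link = []string{c.Func} // a new link starts here
	case link == nil:
		return nil // no marked input: nothing to propagate or report
	case kind == Sink:
		return link
	}
	for _, o := range c.Out {
		t.marks[o] = link
	}
	return nil
}

// sampleTrace is a constructed sequence of captured calls.
var sampleTrace = []Call{
	{Func: "net/http.(*Request).FormValue", In: []string{"id"}, Out: []string{"u-1001"}},
	{Func: "main.handleUser", In: []string{"u-1001"}},
	{Func: "fmt.Sprintf", In: []string{"SELECT name FROM users WHERE id = %s", "u-1001"}, Out: []string{"SELECT name FROM users WHERE id = u-1001"}},
	{Func: "database/sql.(*DB).Query", In: []string{"SELECT 1"}},
	{Func: "database/sql.(*DB).Query", In: []string{"SELECT name FROM users WHERE id = u-1001"}},
}

// Links replays a trace and collects every vulnerability link found.
func Links(trace []Call) [][]string {
	t := &Tracker{SelectMonitored(interfaceList, preset), map[string][]string{}}
	var links [][]string
	for _, c := range trace {
		if l := t.Observe(c); l != nil {
			links = append(links, l)
		}
	}
	return links
}

func main() { fmt.Println(Links(sampleTrace)) }
```
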
The present embodiment is described and illustrated below by means of preferred embodiments.
Fig. 3 is a flow chart of a GO language based injection type taint data tracking method of the preferred embodiment. As shown in Fig. 3, the GO language-based injection type taint data tracking method includes the following steps:
Step S310, a path where the detected application is located is obtained through the process name, and a virtual address space and an address offset occupied by the process in the memory are obtained through a file mapping relation based on the path where the detected application is located.
In this specific step, the detection terminal obtains the PID (unique process identifier) of the process through the process name, then obtains the complete path of the detected application through the PID, and then reads /proc/{PID}/maps according to the path; this file shows the memory areas mapped by the process and their access permissions. It then obtains the start and end addresses of the virtual addresses, the read/write permissions, the offset, the node number to which the mapping belongs and the like, and stores these data in the memory.
Step S320, reading the process file of the detected application into the memory, converting the process file into a character type, determining whether the converted file is an ELF file, and if so, loading the ELF file.
In this step, the detection terminal loads the ELF file in different ways depending on the number of bits of the storage unit, that is, 32 bits or 64 bits, and generates an ELF header at the same time; during loading, the sections and the segments in the ELF file are loaded separately.
Step S330, the construction information of the detected application is obtained through the virtual address and the address offset of the process in the memory.
In this step, the detection terminal first acquires brief information about the construction information, which is generally stored in a section of the ELF file and is found by traversal; it then looks up the virtual address of the process in memory to obtain the specific address space where the construction information is located; finally, it obtains the construction version and the detailed construction information through the address offset. The construction information includes the method functions that make up the detected application.
Step S340, obtain the interface list of the interface called by the detected application, and obtain the virtual address of each method function in the memory.
In this step, the detection terminal acquires the information it needs in the ELF file from the interface list and, based on the ELF list information, searches the global data for the keyword GO_INTERFACE_TABLE to obtain the required data. An interface is a set of method functions, so the interface list is equivalent to a method function list, and the virtual address of each method function in memory is obtained from the interface list.
Step S350: the method functions are classified and marked, and the input data and output data of each method function are recorded when it processes taint data.
In this step, the method functions are divided into three stages: taint source, propagation path and trigger. A method function in the taint source stage receives externally input taint data, a method function in the propagation stage propagates the taint data, and when the taint data reaches a method function in the trigger stage, this indicates that a vulnerability exists in the detected application.
Step S360: the input data and output data of the method function are acquired through the preset function structure, and the input data and the output data are marked and stored.
In this step, the detection terminal uses the preset function structure to obtain the input data and output data produced when the method function processes taint data, together with the stage of the method function. Each preset function structure contains a section of inline assembly code whose main purpose is to read, through a register address operation, the input and output data of a method function when that function runs, and to pass the data it reads into the self-defined preset function structure. The preset function structure also contains a handle function, which marks and stores the input data in preparation for forming the vulnerability link later. In this embodiment, the input and output data of the method function are obtained by the Hook technique, specifically by a register address operation. The register address operation means modifying the index address of a function in a register. For example, if the address of the method function to be monitored is 0x11 and the address of the preset function structure is 0x22, the index address of the monitored method function is 0x11; that index address is changed to 0x22, so that the data related to the method function enters the preset function structure through the index address. The input and output data of the monitored method function can then be obtained, and the data are marked and processed by the handle function.
In this embodiment, preferably, the method further includes traversing the self-defined preset function list according to the information in the interface list; if a method function in the interface list is the same as a method function in the self-defined preset function list, the corresponding method function needs to be hooked, that is, its input data and output data need to be acquired. The self-defined preset function list contains the preset method functions that need to be hooked. These steps reduce unnecessary resource consumption and acquire the input and output data of the method functions in a targeted manner.
The above steps form a new GO language-based injection type taint data tracking method. First, the construction information of the detected application is obtained through the virtual address and address offset of the process in memory; then the method functions that make up the detected application are obtained from the construction information; finally, the preset function structure injected into the detected application in advance uses the Hook technique to obtain the input data and output data produced when the method functions process taint data, and the corresponding data are marked. The marked data make it easier to determine the vulnerability link afterwards. Compared with the prior art, the method functions that make up the application are obtained from the construction information, so the preset function structure injected into the application does not need to be compiled together with the application's source code, and the propagation link of the taint data can be determined by obtaining and marking the input data and output data of the method functions. The taint data tracking method can therefore be applied directly to the process file: at the start-up stage of the application, dynamic injection of the preset function structure lets it obtain the propagation link of the taint data and report the corresponding vulnerability information without recompiling or restarting. This solves the problem in prior-art compile-time taint tracking that the preparation work before use is complicated and troublesome and degrades the user experience.
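Steps S310 to S330, as an added Go example that is not code from the patent: it parses /proc/{PID}/maps rows for the detected application's path, checks the ELF magic and 32/64-bit class, and translates a file offset into the process's virtual address. The sample maps text, the path /opt/app/server and all type and function names are constructed for illustration.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Mapping is one file-backed row of /proc/<pid>/maps.
type Mapping struct {
	Start, End, Offset, Inode uint64
	Perms, Path               string
}

// Constructed sample of /proc/<pid>/maps; /opt/app/server is a hypothetical path.
const sampleMaps = `00400000-00401000 r--p 00000000 08:01 131 /opt/app/server
00401000-00680000 r-xp 00001000 08:01 131 /opt/app/server
00680000-00900000 r--p 00280000 08:01 131 /opt/app/server
c000000000-c000400000 rw-p 00000000 00:00 0
7ffd1c000000-7ffd1c021000 rw-p 00000000 00:00 0 [stack]
`

// ParseMaps returns the mappings backed by path (step S310).
func ParseMaps(text, path string) ([]Mapping, error) {
	var out []Mapping
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		// Anonymous mappings have no path field; skip them and other files.
		if len(f) < 6 || strings.Join(f[5:], " ") != path {
			continue
		}
		r := strings.SplitN(f[0], "-", 2)
		if len(r) != 2 {
			return nil, fmt.Errorf("bad address range %q", f[0])
		}
		m := Mapping{Perms: f[1], Path: path}
		var err error
		if m.Start, err = strconv.ParseUint(r[0], 16, 64); err != nil {
			return nil, err
		}
		if m.End, err = strconv.ParseUint(r[1], 16, 64); err != nil {
			return nil, err
		}
		if m.Offset, err = strconv.ParseUint(f[2], 16, 64); err != nil {
			return nil, err
		}
		if m.Inode, err = strconv.ParseUint(f[4], 10, 64); err != nil {
			return nil, err
		}
		out = append(out, m)
	}
	return out, sc.Err()
}

// ELFClass checks the ELF magic and returns 32 or 64 (step S320).
func ELFClass(ident []byte) (int, error) {
	if len(ident) < 5 || string(ident[:4]) != "\x7fELF" {
		return 0, errors.New("not an ELF file")
	}
	switch ident[4] { // EI_CLASS byte
	case 1:
		return 32, nil
	case 2:
		return 64, nil
	}
	return 0, fmt.Errorf("unknown EI_CLASS %d", ident[4])
}

// RuntimeAddr translates a file offset into the process's virtual address
// using the mapping that covers it (virtual address plus offset, step S330).
func RuntimeAddr(maps []Mapping, fileOff uint64) (uint64, error) {
	for _, m := range maps {
		if fileOff >= m.Offset && fileOff-m.Offset < m.End-m.Start {
			return m.Start + (fileOff - m.Offset), nil
		}
	}
	return 0, errors.New("file offset not mapped")
}

func main() {
	maps, err := ParseMaps(sampleMaps, "/opt/app/server")
	if err != nil {
		panic(err)
	}
	class, _ := ELFClass([]byte("\x7fELF\x02\x01\x01"))
	addr, _ := RuntimeAddr(maps, 0x1234)
	fmt.Printf("%d mappings, ELF%d, file offset 0x1234 -> %#x\n", len(maps), class, addr)
}
```

A path that appears in maps with a " (deleted)" suffix will not match and must be handled separately.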
The preferred embodiment further provides a taint data tracking test method, which is used for testing the GO-language-based injection taint data tracking method in the preferred embodiment. The method comprises the following steps:
Step A: instrument the method function that sends HTTP requests to the outside in the detected application; when the detected application sends an HTTP request to the outside through that method function, the instrumentation program obtains the data of the outgoing HTTP request.
Step B: determine whether the outgoing HTTP request data obtained in step A contains tainted data; if so, extract the coordinates of that data, generate tainted-data coordinate information, and add it under a fixed key to the header of the outgoing HTTP request.
Step C: after another application receives the HTTP request sent in step A, determine whether the fixed key exists in the header of the HTTP request; if so, extract its value to obtain the tainted-data coordinate information.
Step D: put the tainted-data coordinate information obtained in step C into a cache and track it; in the subsequent program execution flow, if data is extracted from the HTTP request and the coordinates of that data match coordinate information stored in the cache, set the data as a taint source.
There are various ways for the detected application to receive the HTTP request; in this embodiment, Postman is used to simulate sending the request.
The GO language-based injection type taint data tracking method in this embodiment is tested through the above steps. The parameters and addresses of net/http.(*Request).Cookies can be obtained by using the Hook technique, and the data in the cookies are all marked as taint sources. The propagation process is marked at the fmt function, the trigger point is marked at the os/exec command, and the vulnerability is reported. This shows that the GO language-based injection type taint data tracking method in the application is feasible and effective.
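The classification of steps S350 and S360 and the source, propagation and trigger marking exercised in this test, as an added Go example that is not the patent's implementation: recorded hook events are checked against a preset function list and joined into a vulnerability link. Matching data by string value, the Event record layout and the sample events are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Stage is the class assigned to a monitored method function.
type Stage int

const (
	Source     Stage = iota + 1 // receives externally supplied data
	Propagator                  // passes tainted data on
	Sink                        // trigger point
)

// presetList plays the role of the preset function list: only these
// functions are hooked. The entries follow the test described above.
var presetList = map[string]Stage{
	"net/http.(*Request).Cookies": Source,
	"fmt.Sprintf":                 Propagator,
	"os/exec.Command":             Sink,
}

// Event is what a hook records for one call (hypothetical record layout).
type Event struct {
	Func    string
	In, Out []string
}

// Constructed events, in call order.
var sampleEvents = []Event{
	{Func: "net/http.(*Request).Cookies", Out: []string{"host-7f3a"}},
	{Func: "fmt.Sprintf", In: []string{"nslookup %s", "host-7f3a"}, Out: []string{"nslookup host-7f3a"}},
	{Func: "os/exec.Command", In: []string{"sh", "-c", "nslookup host-7f3a"}},
	{Func: "os/exec.Command", In: []string{"uptime"}}, // constant input: no link
	{Func: "strings.ToUpper", In: []string{"host-7f3a"}, Out: []string{"HOST-7F3A"}},
	{Func: "os/exec.Command", In: []string{"echo", "HOST-7F3A"}}, // taint lost: ToUpper is not hooked
}

// Trace marks values as they pass through hooked functions and returns one
// vulnerability link (ordered function names) per sink reached by marked data.
func Trace(events []Event) [][]string {
	marked := map[string][]string{} // value -> functions it has passed through
	chainFor := func(in []string) []string {
		for _, v := range in {
			if c, ok := marked[v]; ok {
				return c
			}
		}
		return nil
	}
	var links [][]string
	for _, e := range events {
		stage, monitored := presetList[e.Func]
		if !monitored {
			continue // not in the preset list: inputs and outputs are not captured
		}
		chain := chainFor(e.In)
		if stage == Source {
			chain = []string{} // a source starts a new chain
		} else if chain == nil {
			continue // no marked input: nothing to propagate or report
		}
		next := append(append([]string{}, chain...), e.Func)
		if stage == Sink {
			links = append(links, next)
			continue
		}
		for _, v := range e.Out {
			if v != "" {
				marked[v] = next
			}
		}
	}
	return links
}

func main() {
	for _, l := range Trace(sampleEvents) {
		fmt.Println("vulnerability link:", strings.Join(l, " -> "))
	}
}
```

The last two sample events show the cost of a narrow preset list: data transformed by a function that is not hooked reaches the sink unmarked and produces no report.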
In this embodiment, a GO language-based injection type taint data tracking device is also provided. The device is used to implement the foregoing embodiments and preferred embodiments; what has already been described is not repeated. The terms "module," "unit," "subunit," and the like as used below may be a combination of software and/or hardware that implements a predetermined function. Although the devices described in the embodiments below are preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 4 is a block diagram of the GO language-based injection type taint data tracking device according to the present embodiment. As shown in Fig. 4, the device includes: a first acquisition module 410, a second acquisition module 420, and a data marking module 430. The first acquisition module 410 is configured to obtain an ELF table of the detected application, obtain construction information of the detected application by querying the ELF table, and obtain information of a method function for constructing the detected application from the construction information. The second acquisition module 420 is configured to obtain, according to the information of the method function, input data and output data when the method function processes the taint data through a preset function structure pre-injected into the detected application. The data marking module 430 is configured to mark the input data and output data of the obtained method function. The input data and the output data of the marked method functions are used for forming the vulnerability link.
It should be noted that the above modules may be functional modules or program modules, and may be implemented by software or hardware. For a module implemented by hardware, the modules may be located in the same processor; or the modules can be respectively positioned in different processors in any combination.
There is also provided in this embodiment an electronic device comprising a memory having a computer program stored therein and a processor arranged to run the computer program to perform the steps of any of the above method embodiments.
Optionally, the electronic apparatus may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
Step S210, acquiring the ELF table of the detected application, acquiring the construction information of the detected application by inquiring the ELF table, and acquiring the address information of the method function for constructing the detected application from the construction information.
Step S220, according to the address information of the method function, input data and output data when the method function processes the taint data are obtained through a preset function structure which is injected into the detected application in advance.
Step S230, the obtained input data and output data of the method functions are marked, where the marked input data and output data of each method function are used to form a vulnerability link.
It should be noted that, for specific examples in this embodiment, reference may be made to the examples described in the foregoing embodiments and optional implementations, and details are not described again in this embodiment.
In addition, in combination with the GO language-based injection type taint data tracking method provided in the above embodiments, a storage medium may also be provided to implement the method in this embodiment. The storage medium has a computer program stored thereon; the computer program, when executed by a processor, implements any of the GO language-based injection type taint data tracking methods of the above embodiments.
It should be understood that the specific embodiments described herein are merely illustrative of this application and are not intended to be limiting. All other embodiments, which can be derived by a person skilled in the art from the examples provided herein without any inventive step, shall fall within the scope of protection of the present application.
It is obvious that the drawings are only examples or embodiments of the present application, and it is obvious to those skilled in the art that the present application can be applied to other similar cases according to the drawings without creative efforts. Moreover, it should be appreciated that such a development effort might be complex and lengthy, but would nevertheless be a routine undertaking of design, fabrication, and manufacture for those of ordinary skill having the benefit of this disclosure, and is not intended to limit the present disclosure to the particular forms disclosed herein.
The term "embodiment" is used herein to mean that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the present application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is to be expressly or implicitly understood by one of ordinary skill in the art that the embodiments described in this application may be combined with other embodiments without conflict.
The above examples only express several embodiments of the present application, and the description thereof is more specific and detailed, but not to be construed as limiting the scope of the patent protection. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present application should be subject to the appended claims.

Claims (10)

1. An injection type taint data tracking method based on GO language, which is characterized by comprising the following steps:
acquiring an ELF table of a detected application, acquiring construction information of the detected application by inquiring the ELF table, and acquiring information of a method function for constructing the detected application from the construction information;
according to the information of the method function, acquiring input data and output data when the method function processes taint data through a preset function structure injected into the detected application in advance;
marking the acquired input data and output data of the method function;
wherein the input data and the output data of each marked method function are used for forming a vulnerability link.
2. The GO language-based injected taint data tracking method of claim 1, wherein the obtaining an ELF table of a detected application, and the obtaining construction information of the detected application by querying the ELF table comprises:
converting the process file of the detected application into a character type to generate an ELF file, wherein the ELF file comprises the ELF table, and the ELF table comprises construction information of the detected application;
acquiring a virtual address and an address offset of the process file of the detected application in a memory;
and acquiring a specific address space of the construction information in a memory according to the virtual address, and acquiring the construction information of the detected application by combining the address offset.
3. The GO language-based injected taint data tracking method according to claim 2, wherein the obtaining of the virtual address and the address offset of the process file of the detected application in the memory comprises:
acquiring a path of the detected application according to the process name of the process file;
and acquiring the virtual address and the address offset of the process file in the memory through a file mapping relation based on the path of the detected application.
4. The GO language-based injected taint data tracking method according to claim 1, characterized in that the step of marking the acquired input data and output data of the method function further comprises:
classifying the method function; wherein the type of method function comprises: a first type, a second type, and a third type; the first type of method function is used for receiving externally input taint data, the second type of method function is used for spreading the taint data, and the third type of method function is used for triggering a vulnerability.
5. The GO language-based injection type taint data tracking method of claim 1, wherein the preset function structure comprises a data marking function and a data acquiring function, and the information of the method function comprises an address of the method function in a memory;
the step of acquiring input data and output data when the taint data is processed by the method function according to the information of the method function and through a preset function structure injected into the detected application in advance comprises the following steps:
according to the address of the method function in the memory, performing register address replacement operation through a data acquisition function so as to enable input data and output data of the method function to enter the preset function structure;
and marking and storing the output data and the input data through the data marking function.
6. The GO language-based injected taint data tracking method of claim 1, further comprising:
acquiring an interface list of an interface called by the detected application according to the ELF table;
wherein, the interface list comprises the method function.
7. The GO language-based injected taint data tracking method according to claim 6, characterized in that the obtaining of input data and output data when the method function processes the taint data through a preset function structure injected into the detected application in advance comprises:
determining a method function to be monitored in the detected application by comparing the method function in the interface list with a method function in a preset function list; the preset function list comprises preset method functions needing to be monitored;
and acquiring input data and output data when the taint data is processed by the method function to be monitored in the detected application through the preset function structure.
8. An injection-type taint data tracking device based on GO language, the device comprising: the device comprises a first acquisition module, a second acquisition module and a data marking module;
the first acquisition module is used for acquiring an ELF table of the detected application, acquiring construction information of the detected application by inquiring the ELF table, and acquiring information of a method function for constructing the detected application from the construction information;
the second acquisition module is used for acquiring input data and output data when the taint data is processed by the method function through a preset function structure which is pre-injected into the detected application according to the information of the method function;
the data marking module is used for marking the acquired input data and output data of the method function;
wherein the input data and the output data of each marked method function are used for forming a vulnerability link.
9. An electronic device comprising a memory and a processor, wherein the memory has stored therein a computer program, and the processor is configured to execute the computer program to perform the GO language-based injected taint data tracking method of any of claims 1 to 7.
10. A computer readable storage medium having stored thereon a computer program, wherein the computer program when executed by a processor implements the steps of the GO language-based injected taint data tracking method of any of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210460933.3A CN114756872A (en) 2022-04-28 2022-04-28 Injection type taint data tracking method and device based on GO language and electronic device

Publications (1)

Publication Number Publication Date
CN114756872A true CN114756872A (en) 2022-07-15

Family

ID=82332476

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210460933.3A Pending CN114756872A (en) 2022-04-28 2022-04-28 Injection type taint data tracking method and device based on GO language and electronic device

Country Status (1)

Country Link
CN (1) CN114756872A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115828224A (en) * 2022-11-15 2023-03-21 中国科学院信息工程研究所 Automatic Go language password misuse detection method and device
CN115828224B (en) * 2022-11-15 2023-08-29 中国科学院信息工程研究所 Automatic Go language password misuse detection method and device
CN116541855A (en) * 2023-07-06 2023-08-04 北京大学 Cross-coroutine runtime vulnerability analysis method and device, electronic equipment and storage medium
CN116541855B (en) * 2023-07-06 2023-09-08 北京大学 Cross-coroutine runtime vulnerability analysis method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination