CN115495758A - Application program certificate storage vulnerability detection method and device - Google Patents


Info

Publication number
CN115495758A
Authority
CN
China
Prior art keywords
difference data
matching
storage
certificate
result
Prior art date
Legal status
Pending
Application number
CN202211128622.3A
Other languages
Chinese (zh)
Inventor
孙勇
盛颖
王小丰
肖新光
Current Assignee
Beijing Antiy Network Technology Co Ltd
Original Assignee
Beijing Antiy Network Technology Co Ltd
Priority date
Filing date
Publication date

Classifications

    • G PHYSICS; G06 COMPUTING; CALCULATING OR COUNTING; G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/602 Providing cryptographic facilities or services
    • G06F 21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/10 File systems; File servers
    • G06F 16/11 File system administration, e.g. details of archiving or snapshots
    • G06F 16/128 Details of file system snapshots on the file-level, e.g. snapshot creation, administration, deletion
    • G06F 16/30 Information retrieval of unstructured textual data
    • G06F 16/33 Querying
    • G06F 16/3331 Query processing

Abstract

The invention provides a method and device for detecting weaknesses in how an application stores credentials (the translation renders "credential" as "certificate" or "voucher" throughout; the three terms mean the same thing). The method comprises: comparing memory snapshots taken before and after a login operation to determine the difference data of the post-login snapshot relative to the pre-login snapshot, where the login operation is logging in to the target application with a preset credential; processing the preset credential under a plurality of processing modes, each formed by combining known encrypted-storage mechanisms, to obtain a plurality of credential processing results in one-to-one correspondence with those modes; and matching the data segments of each credential processing result one by one against the data segments of the difference data, then outputting a storage vulnerability detection result for the target application according to the matching result, where each data segment corresponds to one storage location. With this scheme, weaknesses in application credential storage can be detected.

Description

Application program certificate storage vulnerability detection method and device
Technical Field
The embodiments relate to the field of security detection, and in particular to a method and device for detecting weaknesses in how an application stores credentials.
Background
Existing vulnerability checks on application credentials mainly examine the credential itself, such as its length and complexity. Even a strong credential is at risk if the mechanism that stores it is weak, and there has been no method for detecting weaknesses in how an application stores its credentials.
Disclosure of Invention
The embodiments provide a method and device that detect weaknesses in application credential storage.
In a first aspect, a method for detecting application credential storage vulnerability includes:
comparing memory snapshots taken before and after a login operation to determine the difference data of the post-login snapshot relative to the pre-login snapshot, where the login operation is logging in to the target application with a preset credential;
processing the preset credential under a plurality of processing modes, each formed by combining known encrypted-storage mechanisms, to obtain a plurality of credential processing results in one-to-one correspondence with those modes;
and matching the data segments of each credential processing result one by one against the data segments of the difference data, and outputting a storage vulnerability detection result for the target application according to the matching result, where each data segment corresponds to one storage location.
In one possible implementation, the known encrypted-storage mechanisms in each processing mode include at least one of: a compression method, an encoding method, and an encryption algorithm.
In one possible implementation, before matching the data segments of each credential processing result one by one against the data segments of the difference data, the method further includes:
if the difference data consists of a plurality of difference data segments, calculating the information entropy of each segment, selecting the segments whose entropy exceeds a preset threshold as the segments at the estimated storage location of the preset credential, and using only the selected segments as the data segments of the difference data in the matching step.
In one possible implementation, matching the data segments of each credential processing result one by one against the data segments of the difference data includes:
for each credential processing result: determining the credential data segments of that result and the difference data segments of the difference data; matching each credential data segment against each difference data segment one by one; and deciding from those matches whether the credential processing result is found in the difference data.
In one possible implementation, before outputting the storage vulnerability detection result of the target application, the method further includes:
restarting the target application and performing the memory snapshot comparison and data segment matching steps again;
and comparing the results obtained after the re-execution with those obtained before the restart, combining this comparison result with the matching result, and outputting the storage vulnerability detection result of the target application.
In one possible implementation, comparing the results obtained after the re-execution with those obtained before the restart includes:
comparing whether the newly obtained difference data is the same as the difference data obtained before the restart, to obtain a first comparison result;
and/or,
if both the matching result of the re-executed matching step and the matching result of the matching step before the restart found a matching credential processing result, comparing whether the two matched credential processing results correspond to the same storage address, to obtain a second comparison result.
In one possible implementation, whether the newly obtained difference data is the same as the difference data obtained before the restart covers whether the data content is the same and/or whether the memory address is the same.
In a second aspect, an apparatus for detecting application credential storage vulnerability includes:
a comparison determining unit, configured to compare memory snapshots taken before and after the login operation to determine the difference data of the post-login snapshot relative to the pre-login snapshot, where the login operation is logging in to the target application with a preset credential;
a processing unit, configured to process the preset credential under a plurality of processing modes, each formed by combining known encrypted-storage mechanisms, to obtain a plurality of credential processing results in one-to-one correspondence with those modes;
and a matching detection unit, configured to match the data segments of each credential processing result one by one against the data segments of the difference data, and to output a storage vulnerability detection result for the target application according to the matching result, where each data segment corresponds to one storage location.
In a third aspect, an electronic device includes a memory and a processor; the memory stores a computer program, and the processor, when executing it, implements the method of any embodiment of this specification.
In a fourth aspect, a computer-readable storage medium stores a computer program which, when executed on a computer, causes the computer to perform the method of any embodiment of this specification.
In summary, by comparing memory snapshots taken before and after the login operation, the difference data of the post-login snapshot relative to the pre-login snapshot is determined; this difference data contains the credential that the target application loaded into memory during credential verification. The preset credential used for login is processed under a plurality of processing modes built from known encrypted-storage mechanisms, and the data segments of each credential processing result are matched one by one against the data segments of the difference data, to test whether the storage location of the credential can be pinpointed and hence whether the target application's credential storage is weak.
Drawings
The drawings used in describing the embodiments are introduced briefly below. They show some embodiments of the invention; a person skilled in the art could derive other drawings from them without inventive effort.
FIG. 1 is a flowchart of a method for detecting application credential storage vulnerability according to an embodiment of the invention;
FIG. 2 is a hardware architecture diagram of an electronic device according to an embodiment of the invention;
FIG. 3 is a block diagram of an apparatus for detecting application credential storage vulnerability according to an embodiment of the invention;
FIG. 4 is a block diagram of another apparatus for detecting application credential storage vulnerability according to an embodiment of the invention.
Detailed Description
The technical solutions of the embodiments are described below with reference to the drawings. The described embodiments are some, not all, embodiments of the invention; other embodiments that a person of ordinary skill in the art can derive from them without inventive effort fall within its scope.
Application credentials are usually kept in a database. When a user logs in with a credential, the application loads the stored credential from the database, encrypts (or otherwise transforms) it, and holds the result in memory so that it can be compared with the credential entered at login. If that in-memory storage mechanism is weak, for example the credential lands at the same location every time, or the transformation is simple to recognise and reverse, an attacker who can read the process's memory can still recover the credential, so the credential is at risk.
The invention therefore provides a method for detecting application credential storage vulnerability, based on the following idea: a credential registered with the application is used to log in; snapshots of the application's memory taken before and after login are compared to obtain the difference data between them; and whether the credential can be found in the difference data decides whether the storage mechanism is weak.
Specific implementations of the above concepts are described below.
Referring to FIG. 1, an embodiment provides a method for detecting application credential storage vulnerability, including:
Step 100: comparing memory snapshots taken before and after the login operation to determine the difference data of the post-login snapshot relative to the pre-login snapshot, where the login operation is logging in to the target application with a preset credential;
Step 102: processing the preset credential under a plurality of processing modes, each formed by combining known encrypted-storage mechanisms, to obtain a plurality of credential processing results in one-to-one correspondence with those modes;
Step 104: matching the data segments of each credential processing result one by one against the data segments of the difference data, and outputting a storage vulnerability detection result for the target application according to the matching result, where each data segment corresponds to one storage location.
The difference data obtained in step 100 contains the credential that the target application loaded into memory during credential verification; steps 102 and 104 test whether any known transformation of the preset credential can be located in it, and hence whether the application's credential storage is weak.
The manner in which the various steps shown in fig. 1 are performed is described below.
First, in step 100, memory snapshots taken before and after the login operation are compared to determine the difference data of the post-login snapshot relative to the pre-login snapshot, where the login operation is logging in to the target application with a preset credential.
Different applications may use different credential storage mechanisms, so the detection method of this embodiment is run separately for each application to be tested.
To test a target application, an account is registered with it in advance, following its requirements for account names and passwords, and the resulting account name and password combination serves as the preset credential.
When this credential is entered and the login is performed, the target application has to verify it: it loads the credential, transforms it, and stores it in memory, so the memory contents after login differ from those before login. In other words, the post-login snapshot has difference data relative to the pre-login snapshot. The post-login snapshot must be taken while that verification data is still resident; an application that clears its comparison buffers as soon as verification finishes will show no credential in a snapshot taken too late.
The difference data may be one contiguous difference data segment or several non-contiguous ones; in either case each difference data segment corresponds to a storage location, such as its start address.
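As an added illustration of step 100 (this is example code written for this page, not code from the patent), the following Python function diffs two byte-for-byte snapshots of the same memory region into contiguous difference segments, each tagged with its start address. How the snapshots are captured is outside the example: on Linux one would read the region from /proc/<pid>/mem or through a debugger, on Windows through ReadProcessMemory. The two snapshots here are constructed inline, with a hypothetical base address, a base64-encoded credential written into one location and unrelated bytes into another.

```python
import base64
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class DiffSegment:
    address: int   # start address of the run of changed bytes (base address + offset)
    data: bytes    # contents of that run in the post-login snapshot


def diff_snapshots(before: bytes, after: bytes, base_address: int = 0) -> List[DiffSegment]:
    """Return every maximal run of bytes that differs between two snapshots.

    Both snapshots must cover the same address range, so they have equal length;
    each run of consecutive differing bytes becomes one segment whose address is
    base_address plus the offset of its first byte.
    """
    if len(before) != len(after):
        raise ValueError("snapshots must cover the same memory region")
    segments: List[DiffSegment] = []
    run_start = None
    for offset, (old, new) in enumerate(zip(before, after)):
        if old != new:
            if run_start is None:
                run_start = offset
        elif run_start is not None:
            segments.append(DiffSegment(base_address + run_start, after[run_start:offset]))
            run_start = None
    if run_start is not None:  # a run that extends to the end of the region
        segments.append(DiffSegment(base_address + run_start, after[run_start:]))
    return segments


# Constructed demo data (not captured from a real process): a 128-byte region
# before login, and the same region after login with two changed runs.
DEMO_CREDENTIAL = b"user1:P@ssw0rd!"   # hypothetical preset credential
DEMO_BASE = 0x7F0000                     # hypothetical base address of the region


def build_demo_snapshots() -> Tuple[bytes, bytes]:
    region = bytearray(64) + bytearray(b"filler-heap-chunk") + bytearray(47)
    before = bytes(region)
    after = bytearray(region)
    encoded = base64.b64encode(DEMO_CREDENTIAL)   # 20 bytes, no padding
    after[16:16 + len(encoded)] = encoded         # the app kept the credential base64-encoded
    after[100:108] = bytes(range(1, 9))           # unrelated state that also changed at login
    return before, bytes(after)


def demo_segments() -> List[DiffSegment]:
    before, after = build_demo_snapshots()
    return diff_snapshots(before, after, DEMO_BASE)


if __name__ == "__main__":
    for seg in demo_segments():
        print(f"{seg.address:#x} len={len(seg.data)} {seg.data!r}")
```

Each segment carries the address the later comparison steps need; a real capture would diff each readable mapping of the process separately, passing that mapping's start as `base_address`.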
Then, in step 102, the preset credential is processed under a plurality of processing modes, each formed by combining known encrypted-storage mechanisms, to obtain a plurality of credential processing results in one-to-one correspondence with those modes.
The known encrypted-storage mechanisms fall into three families: compression methods, encoding methods, and encryption algorithms. A processing mode is built by choosing at least one family and, within each chosen family, one known method; so each processing mode contains at least one of a compression method, an encoding method, and an encryption algorithm. For example, if the known compression methods are A1, A2 and A3, the known encoding methods B1, B2 and B3, and the known encryption algorithms C1, C2 and C3, then one processing mode may be compression A1 with encryption C2, and another compression A2, encoding B1 and encryption C1. Combining the known methods of the chosen families in this way yields the full set of processing modes.
The preset credential is then processed under each of these modes in turn. For example, the preset credential is encoded with B1, the result compressed with A2, and that result encrypted with C2, giving the credential processing result for that mode. A mode can only be reproduced if every step in it is reproducible by the detector: encodings, compressions and unkeyed hashes always are, whereas a keyed cipher can only be included together with a key the detector knows.
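As an added example of step 102 (illustrative code for this page, not the patent's own), the Python below enumerates processing modes as combinations of one-or-none mechanism from each family, applied in the order encode, compress, encrypt as in the B1/A2/C2 example, and computes one credential processing result per mode. The mechanism tables are assumptions standing in for A1..C3: zlib for compression, base64 and hex for encoding, and for the encryption family two unkeyed hashes plus a single-byte XOR under an assumed known key.

```python
import base64
import hashlib
import itertools
import zlib
from typing import Callable, Dict, List, Sequence, Tuple

Transform = Callable[[bytes], bytes]

# Known mechanisms, one table per family. Whatever a real detector is configured
# with stands in for the page's A1..A3 / B1..B3 / C1..C3; these are illustrative.
COMPRESSION: Dict[str, Transform] = {
    "zlib": zlib.compress,
}
ENCODING: Dict[str, Transform] = {
    "base64": base64.b64encode,
    "hex": lambda data: data.hex().encode("ascii"),
}
# Only transformations the detector can reproduce belong here: unkeyed hashes,
# and keyed ciphers whose key is assumed known. The XOR key is a demo assumption.
DEMO_XOR_KEY = 0x5A
ENCRYPTION: Dict[str, Transform] = {
    "md5": lambda data: hashlib.md5(data).digest(),
    "sha256": lambda data: hashlib.sha256(data).digest(),
    "xor-0x5a": lambda data: bytes(b ^ DEMO_XOR_KEY for b in data),
}
FAMILIES: Dict[str, Dict[str, Transform]] = {
    "compress": COMPRESSION,
    "encode": ENCODING,
    "encrypt": ENCRYPTION,
}

Mode = Tuple[Tuple[str, str], ...]   # ((family, mechanism), ...) applied left to right


def processing_modes(order: Sequence[str] = ("encode", "compress", "encrypt")) -> List[Mode]:
    """Enumerate every combination that applies at least one known mechanism.

    Each family contributes either one of its mechanisms or nothing, and the
    families are applied in `order`. With 2 + 1 + 3 mechanisms this yields
    3 * 2 * 4 - 1 = 23 modes (the all-empty combination is dropped).
    """
    choices = [[None] + list(FAMILIES[family]) for family in order]
    modes: List[Mode] = []
    for combo in itertools.product(*choices):
        mode = tuple((family, name) for family, name in zip(order, combo) if name is not None)
        if mode:
            modes.append(mode)
    return modes


def mode_label(mode: Mode) -> str:
    return "+".join(f"{family}:{name}" for family, name in mode)


def apply_mode(credential: bytes, mode: Mode) -> bytes:
    """Run the preset credential through the mode's mechanisms in sequence."""
    result = credential
    for family, name in mode:
        result = FAMILIES[family][name](result)
    return result


def credential_processing_results(credential: bytes) -> Dict[str, bytes]:
    """One credential processing result per mode, keyed by the mode label."""
    return {mode_label(mode): apply_mode(credential, mode) for mode in processing_modes()}


if __name__ == "__main__":
    for label, result in credential_processing_results(b"user1:P@ssw0rd!").items():
        print(f"{label:40s} {result[:24]!r}")
```

Order matters: encode-then-compress and compress-then-encode give different bytes, so a detector that is unsure of the target's order should enumerate both orders rather than assume one.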
Finally, in step 104, the data segments of each credential processing result are matched one by one against the data segments of the difference data, and a storage vulnerability detection result for the target application is output according to the matching result, where each data segment corresponds to one storage location.
To reduce the amount of difference data that has to be examined, the following may be done before this step: if the difference data consists of several difference data segments, the information entropy of each segment is calculated, the segments whose entropy exceeds a preset threshold are selected as the segments at the estimated storage location of the preset credential, and only the selected segments are matched against the data segments of each credential processing result.
For example, if the difference data consists of 10 difference data segments, all 10 would otherwise have to be matched. A stored credential, once encoded, compressed or encrypted, generally has a fairly even byte distribution, so a preset entropy threshold can be set: a segment whose information entropy exceeds it probably carries credential content and is kept, the rest are dropped, and the number of segments to match falls, which speeds up detection. The threshold must be chosen with care: a plaintext or merely encoded credential has lower entropy than an encrypted one, so a threshold set high enough to isolate ciphertext will also discard a credential stored in the clear, which is precisely the weakest case.
In one embodiment, matching the data segments of each credential processing result one by one against the data segments of the difference data includes:
for each credential processing result: determining the credential data segments of that result and the difference data segments of the difference data; matching each credential data segment against each difference data segment one by one; and deciding from those matches whether the credential processing result is found in the difference data.
If the credential processing result consists of several credential data segments and the difference data of several difference data segments, say credential data segments D1 and D2 and difference data segments E1 and E2, then D1 is matched against both E1 and E2, and D2 against both E1 and E2.
Concretely, a matching rule may be configured in advance and used to decide whether the credential processing result is found in the difference data. For example, if more than a set proportion (say 80%) of the content of a credential data segment is located within a difference data segment, that credential data segment is considered matched in that difference data segment; and if all of the result's credential data segments are matched, the credential processing result is considered matched in the difference data.
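As an added example covering both the entropy screening above and the matching rule just described (example code for this page, not the patent's), the Python below computes Shannon entropy per difference segment, keeps the segments above a threshold, and then applies the 80% rule. The patent does not say how the proportion is measured; the assumption here is that at least 80% of the credential segment's bytes must appear as one contiguous run inside the difference segment (longest common substring), which tolerates a truncated or slightly altered copy but not scattered coincidences. The difference segments, the threshold and the candidates are constructed inline.

```python
import math
from typing import List, Optional, Sequence


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant data, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for value in data:
        counts[value] += 1
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def screen_by_entropy(segments: Sequence[bytes], threshold: float) -> List[bytes]:
    """Keep only the difference segments whose entropy exceeds the preset threshold."""
    return [seg for seg in segments if shannon_entropy(seg) > threshold]


def longest_common_run(a: bytes, b: bytes) -> int:
    """Length of the longest byte string contiguous in both a and b (O(len(a)*len(b)) DP)."""
    best = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best:
                    best = cur[j]
        prev = cur
    return best


def segment_matches(credential_seg: bytes, diff_seg: bytes, ratio: float = 0.8) -> bool:
    """The page's matching rule, read as: at least `ratio` of the credential
    segment's bytes occur as one contiguous run inside the difference segment."""
    if not credential_seg:
        return False
    return longest_common_run(credential_seg, diff_seg) >= ratio * len(credential_seg)


def locate_credential(credential_segs: Sequence[bytes], diff_segs: Sequence[bytes],
                      ratio: float = 0.8) -> Optional[List[int]]:
    """Index of the difference segment holding each credential segment.

    A credential processing result counts as matched only if every one of its
    segments (a result split across locations has several) is found; else None.
    """
    located: List[int] = []
    for cseg in credential_segs:
        hit = next((i for i, dseg in enumerate(diff_segs) if segment_matches(cseg, dseg, ratio)), None)
        if hit is None:
            return None
        located.append(hit)
    return located


# Constructed difference segments (not from a real process): a low-entropy
# counter/pointer area, a segment carrying the base64 credential, and dense bytes.
DEMO_DIFF_SEGMENTS = [
    b"\x00\x00\x00\x08" * 8,
    b"token=dXNlcjE6UEBzc3cwcmQh;",
    bytes(range(32)),
]
ENTROPY_THRESHOLD = 3.0   # assumed preset entropy value; tune per target


def demo_match(credential_segs: Sequence[bytes]) -> Optional[List[int]]:
    """Screen the demo segments, then locate the given credential processing result."""
    screened = screen_by_entropy(DEMO_DIFF_SEGMENTS, ENTROPY_THRESHOLD)
    return locate_credential(credential_segs, screened)


if __name__ == "__main__":
    print(demo_match([b"dXNlcjE6UEBzc3cwcmQh"]))        # one base64 segment: found
    print(demo_match([b"dXNlcjE6UE", b"Bzc3cwcmQh"]))   # result split in two pieces: found
    print(demo_match([b"\x00" * 32]))                   # unrelated candidate: None
```

The returned indices refer to the screened list, so a real tool should carry the original segment objects (with their addresses) through the screen rather than bare bytes; the address of the matched segment is what the restart comparison later needs.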
In one implementation of outputting the storage vulnerability detection result, the matching result itself is output as the detection result. In addition, if any credential processing result is found to match, the processing mode corresponding to that result may be output together with a warning that the storage is weak.
Note that when a credential processing result consists of several credential data segments, the credential is expected to have been split during encoding and stored in separate pieces.
Further, to improve the accuracy of the output, the following may be done before outputting the storage vulnerability detection result of the target application:
restarting the target application and running the memory snapshot comparison and data segment matching steps (steps 100 to 104) again;
and comparing the results obtained after the re-execution with those obtained before the restart, combining this comparison result with the matching result, and outputting the storage vulnerability detection result of the target application.
The comparison may use at least the following three modes.
Mode one: compare whether the newly obtained difference data is the same as the difference data obtained before the restart, to obtain a first comparison result.
Mode two: if both the matching result of the re-executed matching step and the matching result of the matching step before the restart found a matching credential processing result, compare whether the two matched credential processing results correspond to the same storage address, to obtain a second comparison result.
Mode three: apply both mode one and mode two, obtaining both a first and a second comparison result.
These modes are described below.
In mode one, whether the newly obtained difference data is the same as that obtained before the restart may cover whether the data content is the same and/or whether the storage address is the same.
If the data content is the same, or the storage address is the same, the encrypted-storage mechanism is probably identical on every run, which may be a security problem.
If the data content differs, or the storage address differs, the encrypted-storage mechanism changes from run to run, which is somewhat more secure, but the storage vulnerability still has to be confirmed. A changed address by itself is weak evidence: address space layout randomisation or allocator behaviour can move the same data between runs without any change to how it is transformed, so the content comparison carries more weight than the address comparison.
Therefore, in mode one, the first comparison result together with the pre-restart matching result may be output as the storage vulnerability detection result. If the first comparison result is "same" and the pre-restart matching result is "matched", the output may additionally include the processing mode of the matched credential processing result and a warning that the encrypted-storage mechanism is the same on every run and the storage is weak.
In mode two, the second matching result may or may not be the same as the pre-restart matching result. If both are "matched" and the matched credential processing results are the same, the output may additionally include the processing mode of that result and a warning that the encrypted-storage mechanism is the same on every run and the storage is weak.
In mode three, both the first and the second comparison result may be output as the storage vulnerability detection result.
The target application may be restarted and steps 100 to 104 re-executed once or several times; outputting the detection result from the pre-restart matching result combined with the comparison results of several repetitions further improves accuracy.
In any of the above modes, if the matching result is "not matched", the encrypted-storage mechanism used by the target application is not among the known ones, and the output may additionally state that the storage location of the credential could not be detected and the storage is comparatively secure. This is only a statement about the configured processing modes: it does not rule out an unknown or keyed transformation, or a snapshot taken after the application had already cleared the credential from memory.
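As an added example of the restart comparison and of how the first and second comparison results combine with the matching result into a verdict (illustrative code for this page, not the patent's), the Python below takes one record per run, holding that run's difference segments as (address, content) pairs and, if a credential processing result matched, the (mode label, storage address) of the match, and derives the comparison results and a detection verdict. The run records and their addresses are constructed inline; the verdict strings are this example's wording.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class RunRecord:
    """What steps 100 to 104 produced in one run (before or after a restart)."""
    diff: List[Tuple[int, bytes]]                 # (start address, content) per difference segment
    matched: Optional[Tuple[str, int]] = None     # (processing mode label, storage address) if matched


def first_comparison(a: RunRecord, b: RunRecord) -> Dict[str, bool]:
    """Mode one: is the difference data the same after the restart, by content and by address?"""
    return {
        "same_content": sorted(c for _, c in a.diff) == sorted(c for _, c in b.diff),
        "same_address": sorted(addr for addr, _ in a.diff) == sorted(addr for addr, _ in b.diff),
    }


def second_comparison(a: RunRecord, b: RunRecord) -> Optional[bool]:
    """Mode two: when both runs matched a credential processing result, did the
    same mode match at the same storage address? None if either run had no match."""
    if a.matched is None or b.matched is None:
        return None
    return a.matched == b.matched


def verdict(runs: List[RunRecord]) -> str:
    """Combine the matching result with the cross-restart comparisons (mode three).

    runs[0] is the pre-restart run; every later entry is one restart. A negative
    result only says that none of the configured modes reproduced the credential;
    it does not prove the storage is secure.
    """
    if len(runs) < 2:
        raise ValueError("need the pre-restart run and at least one restart")
    base, restarts = runs[0], runs[1:]
    matched_runs = [r for r in runs if r.matched is not None]
    if not matched_runs:
        return "not matched: no known processing mode reproduced the credential; storage location not located"
    if len(matched_runs) < len(runs):
        return f"inconsistent: matched in {len(matched_runs)} of {len(runs)} runs; repeat or extend the processing modes"
    firsts = [first_comparison(base, r) for r in restarts]
    seconds = [second_comparison(base, r) for r in restarts]
    mode, addr = base.matched
    if all(seconds):
        return f"fragile: mode {mode} matched at {addr:#x} in every run; mechanism and storage location are fixed"
    if all(r.matched[0] == mode for r in restarts):
        note = "content unchanged" if all(f["same_content"] for f in firsts) else "content changed"
        return (f"weak: mode {mode} matched in every run but at different addresses ({note}); "
                "an address change alone may come from ASLR or allocator layout, not a changed mechanism")
    return "weak: a known mode matched in every run, but not the same mode each time; transformation varies per run"


# Constructed run records (not from a real target).
B64 = b"dXNlcjE6UEBzc3cwcmQh"
RUN_FIXED = RunRecord(diff=[(0x7F0010, B64), (0x7F0064, bytes(range(1, 9)))], matched=("encode:base64", 0x7F0010))
RUN_MOVED = RunRecord(diff=[(0x7F2010, B64), (0x7F2064, bytes(range(1, 9)))], matched=("encode:base64", 0x7F2010))
RUN_NONE = RunRecord(diff=[(0x7F0010, bytes(32))])


if __name__ == "__main__":
    print(verdict([RUN_FIXED, RUN_FIXED]))   # same mode, same address: fragile
    print(verdict([RUN_FIXED, RUN_MOVED]))   # same mode, moved: weak, address caveat
    print(verdict([RUN_NONE, RUN_NONE]))     # nothing matched
```

Passing more than one restart record exercises the "several repetitions" variant: every restart is compared against the pre-restart run, and the verdict only reports "fragile" when all of them agree.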
The embodiment achieves the following:
1. Good generality: the method works on operating systems such as Windows and Linux, and on different kinds of applications (web applications, Windows executables and Linux ELF binaries);
2. Good extensibility: the detection rules are configurable, so a user can quickly customise the matching rules for a given application;
3. Good compatibility: the storage security of an application's credentials can be tested without modifying the application or its configuration;
4. Broad coverage: the method applies to security testing of various credentials, such as an application's own login credentials, remote login credentials and encryption credentials, and can also be used to check for other sensitive information of the application.
As shown in fig. 2 and fig. 3, an embodiment of the present invention provides an apparatus for detecting vulnerability of application credential storage. The device embodiments may be implemented by software, or by hardware, or by a combination of hardware and software. From a hardware aspect, as shown in fig. 2, for a hardware architecture diagram of an electronic device in which an application credential storage vulnerability detection apparatus according to an embodiment of the present invention is located, in addition to the processor, the memory, the network interface, and the nonvolatile memory shown in fig. 2, the electronic device in which the apparatus is located in the embodiment may generally include other hardware, such as a forwarding chip responsible for processing a packet, and the like. Taking a software implementation as an example, as shown in fig. 3, as a logical device, a CPU of the electronic device reads a corresponding computer program in the non-volatile memory into the memory for running. The embodiment provides an application program credential storage vulnerability detection apparatus, which includes:
a comparison determining unit 301, configured to compare the memory snapshots before and after the login operation is performed, so as to determine difference data of the memory snapshot after login relative to the memory snapshot before login, where the login operation is to log in the target application program by using a preset credential;
a processing unit 302, configured to process the preset credentials according to multiple processing modes formed by combining known encryption storage mechanisms, respectively, to obtain multiple credential processing results corresponding to the multiple processing modes one to one;
and the matching detection unit 303 is configured to match the data segments corresponding to the credential processing results with the data segments corresponding to the difference data one by one, and output a storage vulnerability detection result of the target application program according to the matching result, where each data segment corresponds to one storage location.
In one embodiment of the present invention, the known encryption storage mechanism included in each of the processing modes includes: at least one of a compression method, an encoding method, and an encryption algorithm.
In an embodiment of the present invention, the matching detection unit is further configured to: if the difference data corresponds to a plurality of difference data segments, calculate the information entropy of each difference data segment, select the difference data segments whose entropy exceeds a preset entropy value as the difference data segments at the estimated storage location of the preset credential, and match the selected difference data segments, as the data segments corresponding to the difference data, with the data segments corresponding to each credential processing result.
In an embodiment of the present invention, the matching detection unit is specifically configured to: for each credential processing result, determine the credential data segment corresponding to the credential processing result and the difference data segments corresponding to the difference data; and match the credential data segment with each difference data segment one by one, and determine, according to the matching result, whether the credential processing result is matched in the difference data.
In an embodiment of the present invention, referring to fig. 4, the apparatus for detecting vulnerability of application credential storage may further include:
a restarting unit 304, configured to restart the target application program, and trigger the comparison determining unit and the processing unit to perform the memory snapshot comparison and data segment matching again;
a comparing unit 305, configured to compare a result obtained after the re-execution with a result obtained before the restart, combine the comparison result with the matching result, and output a storage vulnerability detection result of the target application program.
In an embodiment of the present invention, when performing the comparison between the result obtained after the re-execution and the result obtained before the restart, the comparing unit is specifically configured to:
comparing whether the difference data obtained again is the same as the difference data obtained before restarting to obtain a first comparison result;
and/or,
if both the matching result obtained in the data segment matching step executed again and the matching result obtained in the data segment matching step executed before the restart match a credential processing result, comparing whether the credential processing results matched in the two matching results correspond to the same storage address, to obtain a second comparison result.
In an embodiment of the present invention, when comparing whether the difference data obtained again is the same as the difference data obtained before the restart, the comparing unit is specifically configured to compare whether the data content is the same and/or whether the storage address is the same.
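An added illustration in Python of the comparison determining, processing and matching detection units described above, together with the entropy screening and the restart comparison; this is example code written for this page, not the patent's own implementation. The segment size, the entropy threshold, the set of storage mechanisms and the two memory snapshots are constructed assumptions.

```python
import base64
import hashlib
import math
import zlib
from collections import Counter
from itertools import product

SEG = 16           # hypothetical granularity: one segment = one storage location
ENTROPY_MIN = 1.5  # hypothetical preset entropy value, in bits per byte

def shannon_entropy(data: bytes) -> float:
    """Information entropy of a byte string, in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def diff_segments(before: bytes, after: bytes) -> dict:
    """Difference data of the post-login snapshot: changed segments keyed by address."""
    return {a: after[a:a + SEG] for a in range(0, len(after), SEG)
            if before[a:a + SEG] != after[a:a + SEG]}

def screen_by_entropy(segments: dict, threshold: float = ENTROPY_MIN) -> dict:
    """Keep segments above the preset entropy value: the estimated credential locations."""
    return {a: s for a, s in segments.items() if shannon_entropy(s) > threshold}

# Known storage mechanisms; every combination below is one processing mode.
DIGEST = {"plain": lambda b: b, "sha256": lambda b: hashlib.sha256(b).digest()}
COMPRESS = {"raw": lambda b: b, "zlib": zlib.compress}
ENCODE = {"bin": lambda b: b, "base64": base64.b64encode, "hex": lambda b: b.hex().encode()}

def credential_processing_results(credential: bytes) -> dict:
    """The preset credential under every mode, applied digest -> compress -> encode."""
    return {f"{d}+{c}+{e}": ENCODE[e](COMPRESS[c](DIGEST[d](credential)))
            for d, c, e in product(DIGEST, COMPRESS, ENCODE)}

def match_results(results: dict, screened: dict, snapshot: bytes) -> list:
    """(mode, storage address) for each result whose bytes start inside a screened segment."""
    found = []
    for mode, blob in results.items():
        idx = snapshot.find(blob)
        if idx >= 0 and idx - idx % SEG in screened:
            found.append((mode, idx))
    return found

def detect(before: bytes, after: bytes, credential: bytes) -> list:
    """Whole check: diff -> entropy screen -> match; an empty list means no known mode matched."""
    screened = screen_by_entropy(diff_segments(before, after))
    return match_results(credential_processing_results(credential), screened, after)

def compare_runs(first: list, second: list) -> dict:
    """Restart check: were the same modes matched, and at the same storage addresses?"""
    return {"same_match": {m for m, _ in first} == {m for m, _ in second},
            "same_address": set(first) == set(second)}

# Constructed snapshots (not real process memory): zeros before login; after login
# the app wrote base64(credential) at 0x20 and a low-entropy flag word at 0x60.
CREDENTIAL = b"hunter2-Passw0rd!"
BEFORE = bytes(128)
AFTER = bytearray(BEFORE)
AFTER[0x20:0x20 + 24] = base64.b64encode(CREDENTIAL)
AFTER[0x60:0x70] = b"\x01\x00" * 8
```

Running `detect(BEFORE, AFTER, CREDENTIAL)` reports the base64-stored credential at address 0x20, while the changed but low-entropy segment at 0x60 is screened out before matching.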
It is to be understood that the illustrated structure of the embodiment of the present invention does not constitute a specific limitation to an application credential storage vulnerability detection apparatus. In other embodiments of the invention, an application credential storage vulnerability detection apparatus may include more or fewer components than shown, or combine certain components, or split certain components, or a different arrangement of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
Because the content of information interaction, execution process, and the like among the modules in the device is based on the same concept as the method embodiment of the present invention, specific content can be referred to the description in the method embodiment of the present invention, and is not described herein again.
The embodiment of the invention also provides electronic equipment which comprises a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to realize the method for detecting the vulnerability of the application program certificate storage in any embodiment of the invention.
An embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the computer program causes the processor to execute an application credential storage vulnerability detection method in any embodiment of the present invention.
Specifically, a system or an apparatus equipped with a storage medium on which software program codes that realize the functions of any of the embodiments described above are stored may be provided, and a computer (or a CPU or MPU) of the system or the apparatus is caused to read out and execute the program codes stored in the storage medium.
In this case, the program code itself read from the storage medium can realize the functions of any of the above-described embodiments, and thus the program code and the storage medium storing the program code constitute a part of the present invention.
Examples of the storage medium for supplying the program code include a flexible disk, hard disk, magneto-optical disk, optical disk (e.g., CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD + RW), magnetic tape, nonvolatile memory card, and ROM. Alternatively, the program code may be downloaded from a server computer via a communications network.
Further, it should be clear that the functions of any one of the above-described embodiments may be implemented not only by executing the program code read out by the computer, but also by causing an operating system or the like operating on the computer to perform a part or all of the actual operations based on instructions of the program code.
Further, it is to be understood that the program code read out from the storage medium is written to a memory provided in an expansion board inserted into the computer or to a memory provided in an expansion module connected to the computer, and then causes a CPU or the like mounted on the expansion board or the expansion module to perform part or all of the actual operations based on instructions of the program code, thereby realizing the functions of any of the above-described embodiments.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. An application program credential storage vulnerability detection method, comprising:
comparing the memory snapshots before and after the login operation is executed to determine difference data of the memory snapshot after the login relative to the memory snapshot before the login, wherein the login operation refers to logging in to a target application program by using a preset credential;
respectively processing the preset credential according to a plurality of processing modes formed by combining known encryption storage mechanisms to obtain a plurality of credential processing results corresponding to the plurality of processing modes one by one;
and matching the data segments corresponding to the credential processing results with the data segments corresponding to the difference data one by one, and outputting a storage vulnerability detection result of the target application program according to the matching result, wherein each data segment corresponds to one storage location.
2. The method of claim 1, wherein the known encryption storage mechanism included in each of the processing modes comprises: at least one of a compression method, an encoding method, and an encryption algorithm.
3. The method according to claim 1, wherein before matching the data segments corresponding to the credential processing results one by one with the data segments corresponding to the discrepancy data, the method further comprises:
if the difference data corresponds to a plurality of difference data segments, respectively calculating the information entropy of each difference data segment, selecting the difference data segments whose entropy exceeds a preset entropy value as the difference data segments at the estimated storage location of the preset credential, and matching the selected difference data segments, as the data segments corresponding to the difference data, with the data segments corresponding to the credential processing results.
4. The method according to claim 3, wherein the matching the data segments corresponding to the credential processing results with the data segments corresponding to the difference data one by one comprises:
for each credential processing result, performing: determining a credential data segment corresponding to the credential processing result, and determining the difference data segments corresponding to the difference data; and matching the credential data segment with each difference data segment one by one, and determining, according to the matching result, whether the credential processing result is matched in the difference data.
5. The method of claim 1, further comprising, before outputting the target application's stored vulnerability detection result according to the matching result:
restarting the target application program, and executing the memory snapshot comparison and data segment matching steps again;
and comparing the result obtained after the re-execution with the result obtained before the restart, combining the comparison result with the matching result, and outputting the storage vulnerability detection result of the target application program.
6. The method of claim 5, wherein comparing the result obtained after the re-execution with the result obtained before the restart comprises:
comparing whether the difference data obtained again is the same as the difference data obtained before restarting to obtain a first comparison result;
and/or,
if both the matching result obtained in the data segment matching step executed again and the matching result obtained in the data segment matching step executed before the restart match a credential processing result, comparing whether the credential processing results matched in the two matching results correspond to the same storage address, to obtain a second comparison result.
7. The method of claim 6, wherein comparing whether the difference data obtained again is the same as the difference data obtained before the restart comprises: comparing whether the data content is the same and/or whether the storage address is the same.
8. An apparatus for detecting vulnerability of application credential storage, comprising:
a comparison determining unit, configured to compare the memory snapshots before and after the login operation is executed so as to determine difference data of the memory snapshot after the login relative to the memory snapshot before the login, wherein the login operation refers to logging in to a target application program by using a preset credential;
a processing unit, configured to respectively process the preset credential according to a plurality of processing modes formed by combining known encryption storage mechanisms to obtain a plurality of credential processing results corresponding to the plurality of processing modes one by one;
and a matching detection unit, configured to match the data segments corresponding to the credential processing results with the data segments corresponding to the difference data one by one, and output a storage vulnerability detection result of the target application program according to the matching result, wherein each data segment corresponds to one storage location.
9. An electronic device comprising a memory having stored therein a computer program and a processor that, when executing the computer program, implements the method of any of claims 1-7.
10. A computer-readable storage medium, on which a computer program is stored which, when executed in a computer, causes the computer to carry out the method of any one of claims 1-7.
CN202211128622.3A 2022-09-16 2022-09-16 Application program certificate storage vulnerability detection method and device Pending CN115495758A (en)


Publications (1)

Publication Number Publication Date
CN115495758A true CN115495758A (en) 2022-12-20

Family

ID=84467759



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination