CN115688119A - Vulnerability repairing method and device, electronic equipment and storage medium - Google Patents

Vulnerability repairing method and device, electronic equipment and storage medium Download PDF

Info

Publication number
CN115688119A
CN115688119A CN202211381711.9A CN202211381711A CN115688119A CN 115688119 A CN115688119 A CN 115688119A CN 202211381711 A CN202211381711 A CN 202211381711A CN 115688119 A CN115688119 A CN 115688119A
Authority
CN
China
Prior art keywords
function
system kernel
vulnerability
jump
replacement
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211381711.9A
Other languages
Chinese (zh)
Inventor
张宇
崔士伟
王传国
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Suzhou Inspur Intelligent Technology Co Ltd
Original Assignee
Suzhou Inspur Intelligent Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Suzhou Inspur Intelligent Technology Co Ltd filed Critical Suzhou Inspur Intelligent Technology Co Ltd
Priority to CN202211381711.9A priority Critical patent/CN115688119A/en
Publication of CN115688119A publication Critical patent/CN115688119A/en
Pending legal-status Critical Current

Links

Images

Abstract

The application discloses a vulnerability repairing method and device, electronic equipment and a storage medium, and belongs to the technical field of computers. The method is used for repairing at least one vulnerability function in a system kernel, wherein the system kernel comprises a patch file, the patch file comprises at least one data segment, and one data segment corresponds to data in a preset range of the vulnerability in one vulnerability function, and the method comprises the following steps: generating a replacement function based on the data segment, wherein the replacement function is used for replacing the vulnerability function corresponding to the data segment when the system kernel runs; generating a hot patch according to at least one replacement function; implanting a hot patch into a system kernel, the system kernel configured to: and when the vulnerability function is run, jumping to the replacement function and running the replacement function. By replacing the vulnerability function with the replacement function when the system kernel runs, the interruption of upper-layer services caused by system restart is avoided, and the influence of vulnerability repair on the upper-layer services of the system is effectively reduced.

Description

Vulnerability repairing method and device, electronic equipment and storage medium
Technical Field
The application belongs to the technical field of computers, and particularly relates to a vulnerability fixing method and device, electronic equipment and a storage medium.
Background
The kernel of the operating system is the core of the system, which determines the performance and stability of the system, and the CVE (Common Vulnerabilities & exposition) is an open vulnerability of the system or software, and if the CVE is present in the system, it is easy to have a great influence on the system
Currently, for the repair of the CVE, after a kernel in which a patch is implanted is installed, a restart operation is performed on an operating system, so that the kernel is replaced.
The prior art has at least the following problems: the operating system needs to be restarted, which causes interruption of the upper-layer service of the system and further affects the work of the system service.
Disclosure of Invention
The embodiment of the application aims to provide a vulnerability repairing method, a vulnerability repairing device, electronic equipment and a storage medium, and can solve the problem that in the prior art, when a CVE for repairing a kernel needs to restart a system, an upper-layer service terminal is caused to have a large influence on services.
In a first aspect, an embodiment of the present application provides a vulnerability repairing method, configured to repair at least one vulnerability function in a system kernel, where the system kernel includes a patch file, the patch file includes at least one data segment, and one data segment corresponds to data in a preset range in which a vulnerability exists in the vulnerability function, and the method includes: generating a replacement function based on the data segment, wherein the replacement function is used for replacing the vulnerability function corresponding to the data segment when the system kernel runs; generating a hot patch according to at least one replacement function; implanting the hot patch into the system kernel, the system kernel configured to: and when the vulnerability function is operated, jumping to the replacement function and operating the replacement function.
Optionally, the generating a hot patch according to at least one of the replacement functions includes: configuring a jump function according to at least one replacement function, wherein the jump function comprises at least one jump instruction, one jump instruction corresponds to one replacement function, and one jump instruction corresponds to one vulnerability function; generating a hot patch based on at least one of the replacement function and the jump function.
Optionally, the configuring a jump function according to at least one of the replacement functions includes: generating at least one corresponding jump instruction according to at least one replacement function; configuring a preset algorithm, wherein the system kernel determines a jump instruction corresponding to the vulnerability function by running the preset algorithm; and generating a jump function based on at least one jump instruction and the preset algorithm.
Optionally, the system kernel includes at least one call instruction, where one call instruction corresponds to one function, and the system kernel jumps to the function through the call instruction and runs the function; the calling instruction comprises a jump sub instruction, and the system kernel determines a jump function based on a configuration value of the jump sub instruction; after the implanting the hot patch into the system kernel, the method further comprises: and modifying the configuration value of the jump sub-instruction corresponding to the vulnerability function into a first preset value, and jumping to the corresponding replacement function by the system kernel according to the first preset value.
Optionally, the data segment is provided with a repair instruction; generating, based on the data segment, a replacement function, including: acquiring a vulnerability function corresponding to the data segment based on the data segment; and repairing the acquired vulnerability function based on the repairing instruction to obtain a replacement function.
Optionally, before the generating a replacement function based on the data segment, the method further includes: and under the condition that the data matched with the data segment does not exist in the system kernel, generating an error log, wherein the error log is used for reflecting that the patch file is not matched with the version of the system kernel.
Optionally, after the implanting the hot patch into the system kernel, the method further includes: in the case of the system kernel running abnormally, removing the hot patch from the system kernel; and generating a prompt log, wherein the prompt log is used for reflecting the success of the hot patch removal and the removal time.
In a second aspect, an embodiment of the present application provides a vulnerability fixing apparatus, configured to fix at least one vulnerability function in a system kernel, where the system kernel includes a patch file, where the patch file includes at least one data segment, and one of the data segments corresponds to one of the data in a preset range in which a vulnerability exists in the vulnerability function, and the apparatus includes: a function generating module, configured to generate a replacement function based on the data segment, where the replacement function is used to replace the vulnerability function corresponding to the data segment when the system kernel runs; the patch generating module is used for generating a hot patch according to at least one replacement function; a patch implantation module to implant the hot patch into the system kernel, the system kernel configured to: and when the vulnerability function is operated, jumping to the replacement function and operating the replacement function.
In a third aspect, embodiments of the present application provide an electronic device, which includes a processor and a memory, where the memory stores a program or instructions executable on the processor, and the program or instructions, when executed by the processor, implement the steps of the method according to the first aspect.
In a fourth aspect, embodiments of the present application provide a readable storage medium, on which a program or instructions are stored, which when executed by a processor implement the steps of the method according to the first aspect.
In a fifth aspect, an embodiment of the present application provides a chip, where the chip includes a processor and a communication interface, where the communication interface is coupled to the processor, and the processor is configured to execute a program or instructions to implement the method according to the first aspect.
In a sixth aspect, embodiments of the present application provide a computer program product, which is stored in a storage medium and executed by at least one processor to implement the method according to the first aspect.
In the embodiment of the application, a corresponding replacement function is generated through a data segment of a patch file in a system kernel, a hot patch is generated based on the replacement function, and the hot patch is implanted into the system kernel. Therefore, when the system kernel runs and runs to the vulnerability function, the system kernel can jump to the replacement function and run the replacement function, so that the problem of running of the system kernel caused by the running of the vulnerability function is avoided, the vulnerability function is replaced in the running process of the system kernel, the operation of restarting the system is avoided, the interruption of upper-layer services of the system is further avoided, and the influence of vulnerability repair on the upper-layer services of the system is effectively reduced.
Drawings
Fig. 1 is a flowchart illustrating steps of a vulnerability fixing method according to an embodiment of the present application;
FIG. 2 is a flowchart illustrating steps of a vulnerability fixing method according to an embodiment of the present application;
FIG. 3 is a block diagram of an implementation of an embodiment of the present application;
fig. 4 is a schematic view of a bug fix flow according to an embodiment of the present application;
FIG. 5 is a block diagram of a bug fixing device according to an embodiment of the present application;
fig. 6 is a schematic hardware structure diagram of an electronic device according to an embodiment of the present application;
fig. 7 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present application.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention can be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
Fig. 1 is a flowchart of steps of a vulnerability fixing method according to an embodiment of the present application, where the method is used to fix at least one vulnerability function in a system kernel, where the system kernel includes a patch file, the patch file includes at least one data segment, and one of the data segments corresponds to data in a preset range in which a vulnerability exists in the vulnerability function, and the method may include the following steps:
step 101: and generating a replacement function based on the data segment, wherein the replacement function is used for replacing the vulnerability function corresponding to the data segment when the system kernel runs.
In the embodiment of the application, the source code of the system kernel comprises a plurality of functions, and aiming at the functions with the vulnerabilities, the method for setting the hot patch realizes the replacement of the vulnerability functions in the running process of the system kernel so as to achieve the effect of repairing the vulnerabilities.
For example, a plurality of vulnerability functions may exist in source code of a system kernel, one hot patch according to the embodiment of the present application repairs only a limited number of vulnerability functions, and all vulnerability functions in the source code of the system kernel can be repaired by setting a plurality of hot patches.
The system kernel may generate a patch file for the existing bug, and specifically, write a code of a location where the bug exists in the source code of the system kernel and a context preset range of the location in the source code as a data segment into the patch file. When the hot patch is generated, firstly, according to the data segment in the patch file, a new function, namely a replacement function, which corresponds to a vulnerability function in the system kernel, can be compiled and generated, and the replacement function is a feasible function, namely if the system kernel runs the replacement function, normal running can be ensured without abnormal problems.
Step 102: and generating a hot patch according to at least one replacement function.
Illustratively, after obtaining the at least one replacement function, a hot patch is constructed based on the obtained at least one replacement function, so that after the hot patch is implanted into the system kernel, the system can jump to the replacement function to avoid calling the vulnerability function.
Step 103: implanting the hot patch into the system kernel, the system kernel configured to: and when the vulnerability function is operated, jumping to the replacement function and operating the replacement function.
Illustratively, after the hot patch is built, the hot patch is implanted into the system kernel. In the operation process of the system kernel, when the loophole function is called, the corresponding replacement function can be jumped to, namely the loophole function is not called any more, and the corresponding replacement function is called instead, so that the normal operation of the system kernel is ensured.
Therefore, in the embodiment of the application, according to the data segment of the patch file in the system kernel, a replacement function for replacing a vulnerability function corresponding to the data segment is compiled and generated, then, according to at least one obtained replacement function, a hot patch is constructed and generated, the hot patch is implanted into the system kernel, when the system kernel runs to the vulnerability function in the running process, if the hot patch does not exist, the vulnerability function is called, further the running of the system kernel is abnormal, after the hot patch is implanted, the system kernel can jump to the replacement function when calling the vulnerability function, and the abnormity of the system kernel caused by the running of the vulnerability function is avoided.
Fig. 2 is a flowchart of steps of a vulnerability fixing method according to an embodiment of the present application, where the method is used to fix at least one vulnerability function in a system kernel, where the system kernel includes a patch file, the patch file includes at least one data segment, and one of the data segments corresponds to data in a preset range in which a vulnerability exists in the vulnerability function, and the method may include the following steps:
step 201: and generating a replacement function based on the data segment, wherein the replacement function is used for replacing the vulnerability function corresponding to the data segment when the system kernel runs.
For this step, reference may be made to step 101, which is not described herein again.
Step 202: and generating a hot patch according to at least one replacement function.
This step may specifically refer to step 102, which is not described herein again.
Step 203: implanting the hot patch into the system kernel, the system kernel configured to: and when the vulnerability function is operated, jumping to the replacement function and operating the replacement function.
This step may specifically refer to step 103, which is not described herein again.
Optionally, in this embodiment of the present application, step 202 may include the following steps:
step 2021: and configuring a jump function according to at least one replacement function, wherein the jump function comprises at least one jump instruction, one jump instruction corresponds to one replacement function, and one jump instruction corresponds to one vulnerability function.
In the embodiment of the application, a jump function is set, and at least one jump instruction is set in the jump function, and the jump instruction corresponds to the replacement function and the bug function with the corresponding relationship respectively, so that when the system kernel calls the at least one bug function, the jump function can be unified, and then the corresponding jump instruction is run, so that the jump function can be unified and the corresponding replacement function can be run. In the embodiment of the application, the process of switching the vulnerability function to the replacement function is effectively managed by setting the function with unified jump, and the stability of the system kernel when the hot patch is operated is improved.
Optionally, in this embodiment of the present application, a jump function may not be set, and the system kernel may directly jump to a corresponding replacement function to implement a replacement process without passing through the jump function when the vulnerability function is dropped.
Step 2022: generating a hot patch based on at least one of the replacement function and the jump function.
Illustratively, after the configuration of the jump function is completed, a hot patch can be constructed based on the jump function and at least one replacement function corresponding to the jump function, the hot patch is a hot patch which is finally required to be implanted into a system kernel, the system kernel can jump to the jump function by calling the vulnerability function, and run a corresponding jump instruction therein, and then jump to a corresponding replacement function, so that the replacement function replaces the vulnerability function in the running process of the system kernel, the system kernel is prevented from running the vulnerability function, the effect of vulnerability repair is achieved, and the influence of vulnerability repair on upper-layer services is effectively reduced.
Optionally, in this embodiment of the present application, step 2021 may include the following steps:
step 20211: and generating at least one corresponding jump instruction according to at least one replacement function.
Illustratively, after obtaining the replacement function, compiling may be performed to generate a jump instruction, the jump instruction is executed, and the jump may be performed to the replacement function, that is, the execution of the jump instruction implements a call to the replacement function.
Step 20212: and configuring a preset algorithm, wherein the system kernel determines a jump instruction corresponding to the loophole function by running the preset algorithm.
Exemplarily, after the system kernel jumps to the jump function from the vulnerability function, in order to accurately call the corresponding jump instruction, a preset algorithm needs to be configured in the jump function, and the preset algorithm is run, so that the jump instruction to be called can be determined according to the vulnerability function of the jump source, and then the jump instruction is jumped to.
Optionally, the preset algorithm may adopt a hash algorithm, a hash table is established according to the vulnerability function and the corresponding jump instruction, and the system kernel may determine the jump instruction corresponding to the vulnerability function by calling the hash table, and then jump to the jump function, thereby implementing the correspondence between the vulnerability function and the jump instruction.
Step 20213: and generating a jump function based on at least one jump instruction and the preset algorithm.
Illustratively, after the configuration of the preset algorithm is completed, the jump function can be generated based on the jump instruction and the preset algorithm, so that after the system kernel jumps to the jump function, the corresponding jump instruction can be accurately called by running the preset algorithm, the accurate jump to the corresponding replacement function is further ensured, and the running stability of the system kernel is ensured.
Optionally, the system kernel includes at least one call instruction, one call instruction corresponds to one function, and the system kernel jumps to the function through the call instruction and runs the function; the call instruction comprises a jump sub-instruction, and the system kernel determines a function to jump based on a configuration value of the jump sub-instruction.
For example, in the source code of the system kernel, for the neatness and observability of code compilation and the like, a main function is generally compiled separately from a function which needs to be used, and a call to the function is completed through a call instruction in the main function; each calling instruction is provided with a jump sub-instruction at the bottom layer of the system, the jump sub-instruction is generally set as nop, the system kernel calls the instruction, and when the jump sub-instruction is further operated, additional processing is not carried out, and the jump is normally carried out to the function operation corresponding to the calling instruction; in the embodiment of the application, in order to enable the system kernel to jump from the call instruction to the replacement function, the configuration value of the jump sub-instruction needs to be modified, so that the system kernel can jump to the replacement function when running the jump sub-instruction, and further, the vulnerability function is prevented from running.
After step 203, the vulnerability repairing method of the embodiment of the application may further include the following steps:
step 204: and modifying the configuration value of the jump sub-instruction corresponding to the vulnerability function into a first preset value, and jumping to the corresponding replacement function by the system kernel according to the first preset value.
Exemplarily, after the hot patch is implanted into the system kernel, a call instruction of a vulnerability function corresponding to a replacement function related to the hot patch is further required to be found, and a configuration value of a jump sub-instruction in the call instruction is modified to a first preset value, so that when the system kernel runs the call instruction, the system kernel can jump to the corresponding replacement function in the hot patch through the configuration value of the jump sub-instruction, thereby realizing the replacement of the function and realizing the effect of vulnerability repair.
Optionally, for the vulnerability functions related to the same hot patch, the configuration values of the jump sub-instructions are uniform, that is, the configuration values are the same value, the system kernel uniformly jumps to the jump functions in the hot patch based on the configuration values of the jump rotor instructions, then the corresponding jump instructions are determined through a preset algorithm, and then the jump instructions are run to call the replacement functions, so that the situation that the system kernel runs the vulnerability functions and runs the corresponding replacement functions is avoided.
Illustratively, a kernel symbol table is arranged in the system kernel, the kernel symbol table includes function names of all functions of the system kernel source code, and the function can be skipped to a call instruction corresponding to the function from the kernel symbol table according to the function names of the functions, so as to call and run the function.
Alternatively, when a new function needs to be added for a vulnerability of the system kernel, the new function may be registered in the kernel symbol table after the hot patch is implanted into the system kernel.
Optionally, the data segment is provided with a repair instruction.
In the data segment, for example, a location where the vulnerability exists is marked, and it is determined whether the location needs to add content, delete content, or modify content. For the data segment needing to add the content, system maintenance personnel can determine the content needing to be added for eliminating the vulnerability according to the specific situation of the vulnerability, and then compile and add corresponding content on the basis of the original code of the vulnerability function, and further generate a replacement function; similarly, for the data segment of which the content needs to be deleted or modified, the system maintenance personnel delete or modify the corresponding content; in practical application, according to the complexity of the vulnerability, the processing of the vulnerability function may involve adding content, deleting content and modifying content at the same time, and system maintenance personnel can determine and compile a replacement function which can finally replace the vulnerability function and eliminate the vulnerability according to specific conditions.
Step 201 may include the steps of:
step 2011: and acquiring a vulnerability function corresponding to the data segment based on the data segment.
By way of example, by comparing a data segment with a source code of a system kernel, a vulnerability function corresponding to the data segment may be determined, and system maintenance personnel may perform compilation work of a replacement function.
Step 2012: and repairing the acquired vulnerability function based on the repairing instruction to obtain a replacement function.
For example, after the corresponding vulnerability function is determined, a system maintainer may analyze a solution according to a repair instruction in the data segment, in combination with specific situations of the vulnerability function and the vulnerability, and then perform compilation operations such as addition, deletion or modification on the basis of the original code of the vulnerability function, so as to obtain a replacement function, and the system kernel runs the replacement function, so as to avoid the vulnerability related to the vulnerability function.
Optionally, before step 201, the vulnerability repairing method according to the embodiment of the present application may further include the following steps:
step 205: and under the condition that the data matched with the data segment does not exist in the system kernel, generating an error log, wherein the error log is used for reflecting that the patch file is not matched with the version of the system kernel.
Exemplarily, a system kernel performs corresponding version update according to a service requirement in a working process, after the version update, a source code of the system kernel has a larger difference compared with a previous source code, and a patch file corresponding to the version is not generated in time within a certain time period after the version update, and at this time, an obtained patch file corresponds to a previous version and cannot be applied to the bug fixing operation of the current version.
For example, the judgment on whether the version of the patch file is matched with the version of the system kernel can be performed through matching the data segment in the patch file with the source code of the system kernel, and when a code segment completely consistent with each data segment in the patch file can be found in the source code of the system kernel, it is indicated that the version of the patch file is matched with the version of the system kernel; when the data section exists and no consistent code section is found in the source code of the system kernel, the version of the patch file is not matched with that of the system kernel, the patch file cannot be used for bug fixing of the system kernel of the current version, an error log can be generated, and the version of the patch file is prompted to be not matched with that of the system kernel.
Optionally, after step 203, the bug fixing method according to the embodiment of the present application may further include the following steps:
step 206: and in the case of the abnormal operation of the system kernel, removing the hot patch from the system kernel.
For example, in the embodiment of the present application, after the hot patch is implanted into the system kernel, it may be determined in real time whether the system kernel is operating normally, and when there is an abnormality, it may be a new problem caused by the hot patch, and at this time, the hot patch may be removed from the system kernel, that is, the hot patch is unloaded, so as to avoid that the above-mentioned problem affects the system kernel, and further affects the operation of upper layer services.
Step 207: and generating a prompt log, wherein the prompt log is used for reflecting the success of the hot patch removal and the removal time.
Illustratively, after completion of the hot patch uninstall, a prompt log may be generated to prompt that the hot patch removal was successful and to record the time of the hot patch removal for later review.
Fig. 3 is a schematic diagram of a module implementation according to an embodiment of the present application.
For example, the bug fixing method in the embodiment of the present application may be implemented by a patch compiling generation module, a patch injection module, and a patch unloading module, where the three modules all work around a hot patch for implementing system kernel bug fixing.
The patch compiling and generating module is used for generating a hot patch, and in actual operation, the patch compiling and generating module can firstly determine which functions in source codes of a system kernel need to be replaced according to patch file analysis, then determines whether versions are matched or not through comparison of the patch file and the source codes of the system kernel, and searches a function name corresponding to a vulnerability function in a kernel symbol table under the condition that the versions are matched, so that a specific position of a calling instruction of the vulnerability function in the source codes of the system kernel can be indexed, and then an original code of the vulnerability function can be found, then system maintenance personnel can determine the content of the replacement function according to the patch file and the vulnerability function, and then inject logic, namely, the generation of the replacement function and the configuration of a jump function are carried out, so that after the hot patch is implanted into the system kernel, the system kernel can realize vulnerability repair through jumping; and finally, constructing a hot patch according to the replacing function and the jumping function.
And the patch injection module is used for implanting the hot patch into the system kernel after the patch compiling generation module generates the hot patch. Optionally, the judgment on whether the versions are matched may be performed again to ensure that the hot patch can complete the bug fixing work of the system kernel. After the hot patch is implanted, whether the hot patch is included in a system kernel can be detected, if the hot patch is included, the hot patch is successfully implanted, a log can be further generated to prompt that the implantation operation is completed, and a corresponding implantation time node is recorded, and if the hot patch is not included, a log prompting that the implantation fails can be output.
And the patch unloading module, namely a patch rollback module, is used for unloading and removing the hot patch from the system kernel when detecting that other problems occur in the system kernel after the hot patch is implanted, and outputting a log prompting successful unloading after the unloading is finished.
Fig. 4 is a schematic view of a bug fix process according to an embodiment of the present application.
For example, after the hot patch is implanted into the system kernel, the system kernel may load the hot patch first, then look up all symbols, i.e., function names, related to the hot patch through a function symbol table, i.e., a kernel symbol table, and find the position of a call instruction corresponding to the vulnerability function through the kernel symbol table, and then jump to the jump function through a configuration value of a jump sub-instruction of the call instruction, then determine a corresponding jump instruction according to a hash table in the jump function, and then jump to the operation of a replacement function according to a relationship between the jump instruction and the replacement function, i.e., replace the old function with a new function, thereby preventing the system kernel from operating a leaky function, and achieving the effect of vulnerability repair.
Illustratively, a reg- > ip register is arranged in the system kernel, and can point to the address of the corresponding function; in practical application, in the running process of a system kernel, the situation that although the kernel jumps to the replacement function, the kernel jumps back to the hole-leaking function through the register may occur, and in order to avoid the situation, after the hot patch is implanted, the register is modified to point to the address of the replacement function corresponding to the hole-leaking function, so that the jump back to the hole-leaking function in the running process of the system kernel is avoided, and the normal completion of the hole-leaking repairing work is ensured.
In summary, in the embodiment of the present application, when there is a bug in the system kernel disclosure, a bug fixing operation on the system kernel may be performed. Firstly, a patch file in a system kernel can be obtained, then a data segment in the patch file is matched with a source code of the system kernel, and when a data segment which is not matched exists, an error log can be generated to prompt that the patch file is not matched with the version of the system kernel; when the data segments are all matched, the patch file is matched with the version of the system kernel; further, the original code of the corresponding vulnerability function can be obtained according to the data segment, and then the original code of the vulnerability function is correspondingly edited according to the repair instruction in the data segment, so that a replacement function is obtained; then compiling a jump function according to the obtained replacement function, setting a jump instruction corresponding to the replacement function in the jump function, further setting a preset algorithm in the jump function, establishing a corresponding relation between the loophole function and the jump instruction, and then generating a hot patch based on the replacement function and the jump function; further, the generated hot patch is implanted into the system kernel. After the hot patch is implanted into the system kernel, when the system kernel runs to a calling instruction corresponding to the vulnerability function in the running process, the system kernel can jump to a jump function of the hot patch by running a jump sub-instruction therein based on a first preset value configured for the hot patch, the jump instruction which needs to be called can be determined by running a preset algorithm when entering the system kernel, and the jump instruction is called to jump to a corresponding replacement function and the replacement function is run, so that the replacement function replaces the vulnerability function; when other exceptions occur during the operation of the system kernel, it is described that the implantation of the hot patch brings other problems to the system kernel, and at this time, the hot patch needs to be removed from the system kernel as soon as possible, so as to avoid great influence on the system kernel. By setting the skip logic in the process, the kernel of the system can skip the vulnerability function in the operation process and then operate the replacement function, so that the problem that the kernel of the system is abnormal due to the operation of the vulnerability function is avoided.
According to the bug fixing method provided by the embodiment of the application, the execution main body can be a bug fixing device. The embodiment of the present application takes an example of a vulnerability fixing device executing a vulnerability fixing method, and illustrates a vulnerability fixing device provided in the embodiment of the present application.
Fig. 5 is a block diagram of a bug fixing device according to an embodiment of the present application. The apparatus is used for repairing at least one vulnerability function in a system kernel, where the system kernel includes a patch file, the patch file includes at least one data segment, and one data segment corresponds to data in a preset range in which a vulnerability exists in one vulnerability function, and the apparatus may include:
a function generating module 301, configured to generate a replacement function based on the data segment, where the replacement function is used to replace the vulnerability function corresponding to the data segment when the system kernel runs.
A patch generating module 302, configured to generate a hot patch according to at least one of the replacement functions.
A patch implanting module 303 to implant the hot patch into the system kernel, the system kernel configured to: and when the vulnerability function is operated, jumping to the replacement function and operating the replacement function.
Optionally, the patch generating module 302 includes:
the function configuration submodule 3021 is configured to configure a jump function according to at least one of the replacement functions, where the jump function includes at least one jump instruction, one of the jump instructions corresponds to one of the replacement functions, and one of the jump instructions corresponds to one of the vulnerability functions.
A patch generating sub-module 3022 configured to generate a hot patch based on the at least one replacement function and the skip function.
Optionally, the function configuration submodule 3021 includes:
an instruction generating unit 30211, configured to generate at least one corresponding jump instruction according to at least one of the replacement functions.
An algorithm configuration unit 30212, configured to configure a preset algorithm, where the system kernel determines, by running the preset algorithm, a jump instruction corresponding to the vulnerability function.
A function configuration unit 30213, configured to generate a jump function based on at least one of the jump instructions and the preset algorithm.
Optionally, the system kernel includes at least one call instruction, one call instruction corresponds to one function, and the system kernel jumps to the function through the call instruction and runs the function; the call instruction comprises a jump sub-instruction, and the system kernel determines a function to jump based on a configuration value of the jump sub-instruction. The bug fixing device of the embodiment of the application may further include: :
and the instruction configuration module 304 is configured to modify a configuration value of a jump sub-instruction corresponding to the vulnerability function to a first preset value after the hot patch is implanted into the system kernel, and the system kernel jumps to the corresponding replacement function according to the first preset value.
Optionally, the data segment is provided with a repair instruction; the function generation module 301 includes:
and the function obtaining submodule 3011 is configured to obtain, based on the data segment, a vulnerability function corresponding to the data segment.
And the function generation submodule 3012 is configured to repair the obtained vulnerability function based on the repair instruction to obtain a replacement function.
Optionally, the vulnerability repairing apparatus according to the embodiment of the present application may further include:
a log generating module 305, configured to generate an error log in a case that there is no data matching the data segment in the system kernel before generating the replacement function based on the data segment, where the error log is used to reflect that the patch file does not match the version of the system kernel.
Optionally, the vulnerability repairing apparatus according to the embodiment of the present application may further include:
a patch removing module 306, configured to remove the hot patch from the system kernel in case of an abnormal operation of the system kernel after the hot patch is implanted into the system kernel.
The log generation module 305 is further configured to generate a prompt log, where the prompt log is used to reflect the success of the hot patch removal and the removal time.
In summary, in the embodiment of the present application, when there is a bug in the system kernel disclosure, a bug fixing operation on the system kernel may be performed. Firstly, a patch file in a system kernel can be obtained, then a data segment in the patch file is matched with a source code of the system kernel, and when a data segment which is not matched exists, an error log can be generated to prompt that the patch file is not matched with the version of the system kernel; when the data segments are all matched, the patch file is matched with the version of the system kernel; further, the original code of the corresponding vulnerability function can be obtained according to the data segment, and then the original code of the vulnerability function is correspondingly edited according to the repair instruction in the data segment, so that a replacement function is obtained; then compiling a jump function according to the obtained replacement function, setting a jump instruction corresponding to the replacement function in the jump function, further setting a preset algorithm in the jump function, establishing a corresponding relation between a vulnerability function and the jump instruction, and then generating a hot patch based on the replacement function and the jump function; further, the generated hot patch is implanted into the system kernel. After the hot patch is implanted into the system kernel, when the system kernel runs to a calling instruction corresponding to the vulnerability function in the running process, the system kernel can jump to a jump function of the hot patch by running a jump sub-instruction therein based on a first preset value configured for the hot patch, the jump instruction which needs to be called can be determined by running a preset algorithm when entering the system kernel, and the jump instruction is called to jump to a corresponding replacement function and the replacement function is run, so that the replacement function replaces the vulnerability function; when other abnormalities occur in the operation of the system kernel, it is indicated that the implantation of the hot patch brings other problems to the system kernel, and at this time, the hot patch needs to be removed from the system kernel as soon as possible, so that a large influence on the system kernel is avoided. By setting the skip logic in the process, the kernel of the system can skip the vulnerability function in the operation process and then operate the replacement function, so that the problem that the kernel of the system is abnormal due to the operation of the vulnerability function is avoided.
The bug fixing device in the embodiment of the present application may be an electronic device, or may be a component in an electronic device, such as an integrated circuit or a chip. The electronic device may be a terminal, or may be a device other than a terminal. The electronic Device may be, for example, a Mobile phone, a tablet computer, a notebook computer, a palm top computer, a vehicle-mounted electronic Device, a Mobile Internet Device (MID), an Augmented Reality (AR)/Virtual Reality (VR) Device, a robot, a wearable Device, an ultra-Mobile personal computer (UMPC), a netbook or a Personal Digital Assistant (PDA), and the like, and may also be a server, a Network Attached Storage (Network Attached Storage, NAS), a personal computer (NAS), a Television (TV), a teller machine, a self-service machine, and the like, and the embodiments of the present application are not limited in particular.
The bug fixing device in the embodiment of the application may be a device with an operating system. The operating system may be an Android (Android) operating system, an ios operating system, or other possible operating systems, and embodiments of the present application are not limited specifically.
The bug fixing device provided by the embodiment of the application can realize each process realized by the method embodiments of fig. 1 to fig. 4, achieve the same technical effect, and is not repeated here to avoid repetition.
Optionally, as shown in fig. 6, an electronic device 400 is further provided in an embodiment of the present application, and includes a processor 401 and a memory 402, where the memory 402 stores a program or an instruction that can be executed on the processor 401, and when the program or the instruction is executed by the processor 401, the steps of the bug fixing method embodiment are implemented, and the same technical effects can be achieved, and are not described again here to avoid repetition.
It should be noted that the electronic device in the embodiment of the present application includes the mobile electronic device and the non-mobile electronic device described above.
Fig. 7 is a schematic diagram of a hardware structure of an electronic device implementing an embodiment of the present application.
The electronic device 5000 includes, but is not limited to: a radio frequency unit 5001, a network module 5002, an audio output unit 5003, an input unit 5004, a sensor 5005, a display unit 5006, a user input unit 5007, an interface unit 5008, a memory 5009, and a processor 5010.
Those skilled in the art will appreciate that the electronic device 5000 may also include a power supply (e.g., a battery) for powering the various components, which may be logically coupled to the processor 5010 via a power management system to perform the functions of managing charging, discharging, and power consumption via the power management system. The electronic device structure shown in fig. 7 does not constitute a limitation of the electronic device, and the electronic device may include more or less components than those shown, or combine some components, or arrange different components, and thus, the description is omitted here.
It is to be understood that in the embodiment of the present application, the input Unit 5004 may include a Graphics Processing Unit (GPU) 50041 and a microphone 50042, and the Graphics Processing Unit 50041 processes image data of still pictures or videos obtained by an image capturing device (such as a camera) in a video capturing mode or an image capturing mode. The display unit 5006 may include a display panel 50061, and the display panel 50061 may be configured in the form of a liquid crystal display, an organic light emitting diode, or the like. User input unit 5007 includes touch panel 50071 and at least one of other input devices 50072. Touch panel 50071 is also referred to as a touch screen. Touch panel 50071 can include two portions, a touch detection device and a touch controller. Other input devices 50072 may include, but are not limited to, a physical keyboard, function keys (e.g., volume control keys, switch keys, etc.), a trackball, a mouse, and a joystick, which are not described herein.
The memory 5009 may be used to store software programs as well as various data. The memory 5009 may mainly include a first storage area storing programs or instructions and a second storage area storing data, wherein the first storage area may store an operating system, application programs or instructions required for at least one function (such as a sound playing function, an image playing function, and the like), and the like. Further, the memory 5009 may include volatile memory or nonvolatile memory, or the memory 5009 may include both volatile and nonvolatile memory. The non-volatile Memory may be a Read-Only Memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an Electrically Erasable PROM (EEPROM), or a flash Memory. The volatile Memory may be a Random Access Memory (RAM), a Static Random Access Memory (Static RAM, SRAM), a Dynamic Random Access Memory (Dynamic RAM, DRAM), a Synchronous Dynamic Random Access Memory (Synchronous DRAM, SDRAM), a Double Data Rate Synchronous Dynamic Random Access Memory (Double Data Rate SDRAM, ddr SDRAM), an Enhanced Synchronous SDRAM (ESDRAM), a Synchronous Link DRAM (SLDRAM), and a Direct Memory bus RAM (DRRAM). The memory 5009 in the present embodiments includes, but is not limited to, these and any other suitable types of memory.
The processor 5010 may include one or more processing units; optionally, processor 5010 integrates an application processor, which primarily handles operations related to the operating system, user interface, and applications, and a modem processor, which primarily handles wireless communication signals, such as a baseband processor. It is to be appreciated that the modem processor described above may not be integrated into processor 5010.
The embodiment of the present application further provides a readable storage medium, where a program or an instruction is stored on the readable storage medium, and when the program or the instruction is executed by a processor, the program or the instruction implements each process of the vulnerability repair method embodiment, and can achieve the same technical effect, and in order to avoid repetition, details are not repeated here.
The processor is the processor in the electronic device described in the above embodiment. The readable storage medium includes a computer readable storage medium, such as a computer read only memory ROM, a random access memory RAM, a magnetic or optical disk, and the like.
The embodiment of the present application further provides a chip, the chip includes a processor and a communication interface, the communication interface is coupled to the processor, the processor is configured to run a program or an instruction, implement each process of the foregoing bug fixing method embodiment, and can achieve the same technical effect, and for avoiding repetition, the details are not repeated here.
It should be understood that the chips mentioned in the embodiments of the present application may also be referred to as a system-on-chip, or a system-on-chip.
The embodiments of the present application provide a computer program product, where the program product is stored in a storage medium, and the program product is executed by at least one processor to implement the processes of the foregoing bug fixing method embodiments, and can achieve the same technical effects, and in order to avoid repetition, details are not described here again.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of another identical element in a process, method, article, or apparatus that comprises the element. Further, it should be noted that the scope of the methods and apparatus of the embodiments of the present application is not limited to performing the functions in the order illustrated or discussed, but may include performing the functions in a substantially simultaneous manner or in a reverse order based on the functions involved, e.g., the methods described may be performed in an order different than that described, and various steps may be added, omitted, or combined. In addition, features described with reference to certain examples may be combined in other examples.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present application may be embodied in the form of a computer software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal (such as a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present application.
While the present embodiments have been described with reference to the accompanying drawings, it is to be understood that the invention is not limited to the precise embodiments described above, which are meant to be illustrative and not restrictive, and that various changes may be made therein by those skilled in the art without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (10)

1. The vulnerability fixing method is used for fixing at least one vulnerability function in a system kernel, wherein the system kernel comprises a patch file, the patch file comprises at least one data section, one data section corresponds to data in a preset range with a vulnerability in the vulnerability function, and the method comprises the following steps:
generating a replacement function based on the data segment, wherein the replacement function is used for replacing the vulnerability function corresponding to the data segment when the system kernel runs;
generating a hot patch according to at least one replacement function;
implanting the hot patch into the system kernel, the system kernel configured to: and when the vulnerability function is operated, jumping to the replacement function and operating the replacement function.
2. The method of claim 1, wherein generating a hot patch according to at least one of the replacement functions comprises:
configuring a jump function according to at least one replacement function, wherein the jump function comprises at least one jump instruction, one jump instruction corresponds to one replacement function, and one jump instruction corresponds to one vulnerability function;
generating a hot patch based on at least one of the replacement function and the jump function.
3. The method of claim 2, wherein configuring a jump function based on at least one of the replacement functions comprises:
generating at least one corresponding jump instruction according to at least one replacement function;
configuring a preset algorithm, wherein the system kernel determines a jump instruction corresponding to the vulnerability function by running the preset algorithm;
and generating a jump function based on at least one jump instruction and the preset algorithm.
4. The method of claim 1, wherein the system kernel comprises at least one call instruction, wherein one call instruction corresponds to one function, and wherein the system kernel jumps to the function and runs the function through the call instruction;
the calling instruction comprises a jump sub instruction, and the system kernel determines a jump function based on a configuration value of the jump sub instruction;
after said implanting said hot patch into said system kernel, further comprising: :
and modifying the configuration value of the jump sub-instruction corresponding to the vulnerability function into a first preset value, and jumping to the corresponding replacement function by the system kernel according to the first preset value.
5. The method of claim 1, wherein the data segment is provided with a repair instruction;
generating, based on the data segment, a replacement function, comprising:
acquiring a vulnerability function corresponding to the data segment based on the data segment; (ii) a
And repairing the acquired vulnerability function based on the repairing instruction to obtain a replacement function.
6. The method of claim 1, further comprising, prior to said generating a replacement function based on said data segment:
and under the condition that the data matched with the data segment does not exist in the system kernel, generating an error log, wherein the error log is used for reflecting that the patch file is not matched with the version of the system kernel.
7. The method of any of claims 1-6, further comprising, after said implanting the hot patch into the system kernel:
in the case of the system kernel running abnormally, removing the hot patch from the system kernel;
and generating a prompt log, wherein the prompt log is used for reflecting the success of the hot patch removal and the removal time.
8. An apparatus for bug fixing, configured to fix at least one bug function in a system kernel, where the system kernel includes a patch file, where the patch file includes at least one data segment, and one of the data segments corresponds to a preset range of data in the bug function, where the bug exists, the apparatus includes:
a function generating module, configured to generate a replacement function based on the data segment, where the replacement function is used to replace the vulnerability function corresponding to the data segment when the system kernel runs;
the patch generating module is used for generating a hot patch according to at least one replacement function;
a patch implanting module to implant the hot patch into the system kernel, the system kernel configured to: and when the vulnerability function is operated, jumping to the replacement function and operating the replacement function.
9. An electronic device comprising a processor and a memory, the memory storing a program or instructions executable on the processor, the program or instructions when executed by the processor implementing the steps of the vulnerability remediation method of any of claims 1-7.
10. A readable storage medium, on which a program or instructions are stored, which when executed by a processor, implement the steps of the vulnerability fix method of any of claims 1-7.
CN202211381711.9A 2022-11-03 2022-11-03 Vulnerability repairing method and device, electronic equipment and storage medium Pending CN115688119A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211381711.9A CN115688119A (en) 2022-11-03 2022-11-03 Vulnerability repairing method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211381711.9A CN115688119A (en) 2022-11-03 2022-11-03 Vulnerability repairing method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115688119A true CN115688119A (en) 2023-02-03

Family

ID=85049076

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211381711.9A Pending CN115688119A (en) 2022-11-03 2022-11-03 Vulnerability repairing method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115688119A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116257853A (en) * 2023-05-15 2023-06-13 北京赛博昆仑科技有限公司 Method and device for defending system vulnerabilities by using runtime memory patches

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116257853A (en) * 2023-05-15 2023-06-13 北京赛博昆仑科技有限公司 Method and device for defending system vulnerabilities by using runtime memory patches

Similar Documents

Publication Publication Date Title
US10642596B2 (en) Embedded device and program updating method
CN102736978B (en) A kind of method and device detecting the installment state of application program
CN107451474B (en) Software bug fixing method and device for terminal
US20070180441A1 (en) Method and system for avoidance of software conflict
CN107783776B (en) Processing method and device of firmware upgrade package and electronic equipment
CN105468529A (en) Accurate traversal method and apparatus for UI controls of android application
CN115688119A (en) Vulnerability repairing method and device, electronic equipment and storage medium
CN107704730B (en) Self-encryption method for embedded software of electronic equipment
CN113760339A (en) Vulnerability repair method and device
CN110414218B (en) Kernel detection method and device, electronic equipment and storage medium
Pashakhanloo et al. Pacjam: Securing dependencies continuously via package-oriented debloating
CN109271181A (en) Using compatible restorative procedure, terminal device and computer readable storage medium
CN110688198B (en) System calling method and device and electronic equipment
CN113282435B (en) Application exception processing method and electronic equipment
CN112379973B (en) Heavy load method and device
CN111949301B (en) Application program hot update method, device and computer readable storage medium
CN115080984A (en) Third-party library file vulnerability detection method and device, electronic equipment and storage medium
CN104516752A (en) Information processing method and electronic equipment
US20150309885A1 (en) Method and device for processing data and electronic apparatus
CN111309358A (en) CPLD (Complex programmable logic device) firmware upgrading method, device, equipment and readable storage medium
CN113010199B (en) Application updating method and device, computer equipment and storage medium
CN105160240A (en) Terminal password protection method and apparatus
KR100321999B1 (en) Method for program patch using script
CN112732363A (en) H5 page opening method and device and electronic equipment
CN117407202A (en) Desktop icon layout repairing method and device, storage medium and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination