CN116167058A - Runtime vulnerability analysis method and device based on code vaccine - Google Patents


Info

Publication number
CN116167058A
Authority
CN
China
Legal status (an assumption by Google, not a legal conclusion): Granted
Application number: CN202310440050.0A
Other languages: Chinese (zh)
Other versions: CN116167058B (en)
Inventor
张涛
李�浩
宁戈
董毅
周辜名
Current Assignee (the listed assignees may be inaccurate): Beijing Anpro Information Technology Co ltd
Original Assignee: Beijing Anpro Information Technology Co ltd
Priority: CN202310440050.0A
Publication: CN116167058A; granted as CN116167058B
Legal status: Active

Classifications

    • G06F21/577 Assessing vulnerabilities and evaluating computer system security (under G06F21/00, security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
    • G06F2221/033 Test or assess software (indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms)
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management


Abstract

The application provides a code-vaccine-based runtime vulnerability analysis method and device. The method comprises: parsing the request information and applying a taint source mark and a taint propagation mark to the request parameters; monitoring an operation function and judging whether it constitutes a taint source event, and if so creating a taint source event structure and removing the taint source mark from the return value of the operation function; monitoring a propagation function and judging whether it constitutes a taint propagation event, and if so creating a taint propagation event structure and applying the taint propagation mark to the return value of the propagation function; monitoring a risk function and judging whether it constitutes a taint convergence (sink) event, and if so creating a taint convergence event structure; and constructing a taint propagation link from the taint source event structure, the taint propagation event structure and the taint convergence event structure. By tracing the taint propagation link, the method locates the code that must be repaired for a vulnerability and traces the cause of the vulnerability.

Description

Runtime vulnerability analysis method and device based on code vaccine
Technical Field
The application relates to the field of code security, in particular to a runtime vulnerability analysis method and device based on a code vaccine.
Background
Existing vulnerability discovery techniques fall largely into two categories. The first is black-box testing: the whole software system is treated as a black box, the user supplies input at one end, an output is produced at the other, and the presence of a vulnerability is inferred by observing whether the system behaves abnormally or crashes. Because the internal structure of the program is unknown, not all code execution paths can be covered. In addition, testing generates a large amount of dirty data and dirty operations, and where packets are encrypted or signed the test packets cannot be constructed at all, so black-box testing cannot be used. The second is white-box testing, which searches for vulnerabilities by auditing the software's source code. This requires deep analysis of the application's source code, is expensive in time and cost, and has a high false-positive rate because it reasons about simulated rather than actual runtime data. Moreover, most software under win32 is closed-source, which limits the use of white-box testing.
In the related art, one code security solution adds a taint flag bit to the received connection request according to grammar rules, transfers the taint flag bit through taint-maintaining functions, and judges through a taint risk function whether the processing result contains tainted data, thereby detecting vulnerabilities dynamically. However, this scheme only yields an alarm that a vulnerability was detected: it cannot locate the vulnerable source code precisely, cannot trace the propagation path back to a definite taint source, and is therefore inconvenient for post-alarm handling such as repairing the vulnerable code and analysing the cause of the vulnerability.
Code vaccine technology injects code security capability into the application server, much as a vaccine is injected, so that the analysed traffic is seen in the clear inside the application server and the context of the running application is perceived. It can diagnose the location of vulnerabilities and the cause of defects while the application is running and, on that basis, detect and respond autonomously, actively defending against external threats.
Disclosure of Invention
In view of this, the embodiments of the present application aim to provide a code-vaccine-based runtime vulnerability analysis method and apparatus that give precise source code locations for vulnerability alarms and effectively trace the propagation path back to a definite taint source, so as to facilitate repairing the vulnerable code and analysing the cause of the vulnerability after an alarm.
A first aspect of the embodiments of the present application provides a code-vaccine-based runtime vulnerability analysis method, comprising:
parsing request information, the request information comprising request parameters, the URL and the request method;
applying a taint source mark and a taint propagation mark to the request parameters;
monitoring the operation function corresponding to an opcode and judging whether it constitutes a taint source event; if so, creating a taint source event structure and removing the taint source mark from the return value of the operation function;
monitoring a propagation function and judging whether it constitutes a taint propagation event; if so, creating a taint propagation event structure and applying the taint propagation mark to the return value of the propagation function;
monitoring the risk function corresponding to an opcode and judging whether it constitutes a taint convergence event; if so, creating a taint convergence event structure;
and constructing a taint propagation link from the taint source event structure, the taint propagation event structure and the taint convergence event structure.
In this implementation, the method parses the request information and applies the taint source mark and the taint propagation mark to the request parameters; at runtime it monitors the operation function corresponding to the opcode, judges the taint source event, creates the taint source event structure and removes the taint source mark from the operation function's return value; it monitors the propagation function, judges the taint propagation event, creates the taint propagation event structure and applies the taint propagation mark to the propagation function's return value; it monitors the risk function corresponding to the opcode, judges the taint convergence event and creates the taint convergence event structure; and finally it constructs a taint propagation link from the taint source, taint propagation and taint convergence event structures. The method therefore performs not only conventional taint propagation marking but also taint source marking, which distinguishes different taint sources and makes backtracking convenient: because the origins at the start of taint propagation differ, the origin of a given taint is determined from the recorded taint source information and by tracing back the parameters that carry the taint source mark. Compared with existing vulnerability detection schemes, this both confirms the vulnerability and quickly locates the vulnerable source code. In addition, the whole propagation process is traced back through the taint propagation link built from the three event structures, which facilitates analysing the cause of the vulnerability.
Optionally, before parsing the request information, the method comprises: in the module initialisation stage of the php extension, pre-instrumenting a first probe on the opcodes of the zend engine and a second probe on php internal functions.
Optionally, parsing the request information comprises: storing the request information in the predefined variable array of a first zval structure, and, in the request initialisation stage of the php extension, parsing through the first probe the request information held in the php global variable array to obtain the request parameters, the URL and the request method.
Optionally, applying the taint source mark and the taint propagation mark to the request parameters comprises: applying the taint source mark and the taint propagation mark to the string-type values in the predefined variable array.
In this implementation, request parameters in php development are generally obtained through the predefined variable arrays, and operations on array and object types do not affect the taint mark bits of a string. Therefore all string types in the arrays receive both the taint source mark and the taint propagation mark, and subsequent taint propagation analysis need only consider string types, which keeps taint propagation effective and improves the efficiency of tracing the propagation path.
Optionally, after applying the taint source mark and the taint propagation mark to the request parameters, the method comprises: storing the address of the first zval structure of each request parameter together with the information of that request parameter in a taint propagation table, the information comprising the type of the request parameter and the name of the request parameter;
after creating the taint source event structure: storing the address of the second zval structure of the operation function's return value together with the corresponding taint source event structure in the taint propagation table;
after creating the taint propagation event structure: storing the address of the third zval structure of the propagation function's return value together with the corresponding taint propagation event structure in the taint propagation table;
after creating the taint convergence event structure: storing the address of the fourth zval structure of the risk function's parameter together with the corresponding taint convergence event structure in the taint propagation table.
Optionally, monitoring the operation function corresponding to the opcode and judging whether it constitutes a taint source event comprises: monitoring, through the first probe, the operation function corresponding to the opcode to obtain the parameters and the return value of the operation function, and judging whether the return value is of string type and carries a taint source mark.
Optionally, monitoring the propagation function and judging whether it constitutes a taint propagation event comprises: monitoring the propagation function through the first probe or the second probe to obtain its parameters and return value, and judging whether a parameter of the propagation function is of string type and carries a taint propagation mark.
Optionally, monitoring the propagation function through the first probe or the second probe comprises: monitoring, through the first probe, the operation function corresponding to the opcode, the operation function comprising a first propagation function for string concatenation; or monitoring, through the second probe, a php internal function comprising a second propagation function for string operations.
Optionally, monitoring the risk function corresponding to the opcode and judging whether it constitutes a taint convergence event comprises: monitoring, through the first probe, the risk function corresponding to the opcode to obtain its parameters, and judging whether a parameter of the risk function is of string type and carries a taint propagation mark.
Optionally, the taint source event structure comprises: taint source parameter information, taint event type, call stack information, operation function name, operation function parameters, operation function return value and stack tracking information. The taint source parameter information is obtained by looking up the corresponding request parameter in the taint propagation table using the parameters of the operation function, taking the type of that request parameter as the taint source parameter type and its name as the taint source parameter name.
Optionally, the taint propagation event structure comprises: taint event type, call stack information, propagation function name, propagation function parameters, propagation function return value, stack tracking information and propagation parent event information. The propagation parent event information is obtained by looking up, in the taint propagation table, the return value of the corresponding operation function using the parameters of the propagation function, and obtaining through that return value the corresponding second zval structure address and taint source event structure.
Optionally, the taint convergence event structure comprises: taint event type, call stack information, risk function name, risk function parameters, risk function return value, stack tracking information and convergence parent event information. The convergence parent event information is obtained by looking up, in the taint propagation table, the return value of the corresponding propagation function using the parameters of the risk function, and obtaining through that return value the corresponding third zval structure address and taint propagation event structure.
Optionally, constructing the taint propagation link from the taint source event structure, the taint propagation event structure and the taint convergence event structure comprises: looking up in the taint propagation table the taint convergence event structure corresponding to the parameters of the risk function; looking up in the taint propagation table the corresponding taint propagation event structure through the convergence parent event information of that taint convergence event structure; looking up in the taint propagation table the corresponding taint source event structure through the propagation parent event information of that taint propagation event structure; and then connecting in sequence the taint source parameter information, call stack information, operation function name, operation function parameters, operation function return value and stack tracking information of the taint source event structure, the call stack information, propagation function name, propagation function parameters, propagation function return value and stack tracking information of the taint propagation event structure, and the call stack information, risk function name, risk function parameters, risk function return value and stack tracking information of the taint convergence event structure, to generate the taint propagation link.
Optionally, the stack tracking information comprises the first line of the current call stack.
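As an added illustration, not code from the patent or from the assignee's product, the following C program models the taint propagation table, the three event structures and the link construction described above: a request parameter carrying both marks passes through a ZEND_FETCH_DIM_R-style operation function, a ZEND_CONCAT-style propagation function and a ZEND_ECHO-style risk function, and the link is rebuilt by walking the parent pointers back from the sink entry. Plain pointers stand in for zval addresses, and the type, field and function names are assumptions of the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mark bits on a string value: stand-in for the taint flag bits the probe keeps on a zval. */
#define MARK_SOURCE 0x1u   /* taint source mark: the value is a raw request parameter */
#define MARK_PROP   0x2u   /* taint propagation mark: the value derives from a tainted value */
typedef struct { char buf[128]; unsigned marks; } tval;   /* a string value plus its marks */
typedef enum { EV_REQUEST, EV_SOURCE, EV_PROP, EV_SINK } ev_type;
/* One event structure: the fields shared by the taint source, propagation and convergence events. */
typedef struct event {
    ev_type type;
    const char *func;                 /* operation / propagation / risk function name */
    char param[128], ret[128];        /* function parameter and return value */
    const char *line;                 /* stack tracking information: first line of the call stack */
    const char *src_type, *src_name;  /* taint source parameter type and name (source events) */
    struct event *parent;             /* propagation parent / convergence parent event */
} event;
/* Taint propagation table: value address (stand-in for the zval address) -> event. Lookups return
 * the latest entry, because a sink parameter has both a propagation and a convergence entry. */
typedef struct { const tval *addr; event *ev; } tp_entry;
static tp_entry tp_table[64];
static int tp_count;
static void tp_put(const tval *addr, event *ev) { if (tp_count < 64) tp_table[tp_count++] = (tp_entry){ addr, ev }; }
static event *tp_find(const tval *addr) {
    for (int i = tp_count - 1; i >= 0; i--) if (tp_table[i].addr == addr) return tp_table[i].ev;
    return NULL;
}
static event *new_event(ev_type type, const char *func, const char *param, const char *ret, const char *line, event *parent) {
    event *ev = calloc(1, sizeof *ev);
    ev->type = type; ev->func = func; ev->line = line; ev->parent = parent;
    snprintf(ev->param, sizeof ev->param, "%s", param); snprintf(ev->ret, sizeof ev->ret, "%s", ret);
    return ev;
}

/* RINIT: every string in the predefined variable array gets both marks and a table entry. */
static void mark_request_param(tval *v, const char *type, const char *name) {
    v->marks = MARK_SOURCE | MARK_PROP;
    event *ev = new_event(EV_REQUEST, "", v->buf, v->buf, "", NULL);
    ev->src_type = type; ev->src_name = name; tp_put(v, ev);
}
/* Operation function (ZEND_FETCH_DIM_R stand-in, $x = $_POST['user']): a string return value carrying
 * the source mark is a taint source event, and the source mark is removed from that return value. */
static tval *op_fetch_dim_r(const tval *elem, const char *line) {
    tval *ret = calloc(1, sizeof *ret); *ret = *elem;
    event *req = tp_find(elem);   /* request parameter entry: type and name of the taint source */
    if ((ret->marks & MARK_SOURCE) && req) {
        event *ev = new_event(EV_SOURCE, "ZEND_FETCH_DIM_R", elem->buf, ret->buf, line, NULL);
        ev->src_type = req->src_type; ev->src_name = req->src_name;
        ret->marks &= ~MARK_SOURCE; tp_put(ret, ev);
    }
    return ret;
}
/* Propagation function (ZEND_CONCAT stand-in): a tainted string parameter taints the return value,
 * and the propagation parent is the event that produced that parameter. */
static tval *prop_concat(const tval *a, const tval *b, const char *line) {
    tval *ret = calloc(1, sizeof *ret);
    snprintf(ret->buf, sizeof ret->buf, "%s%s", a->buf, b->buf);
    const tval *src = (a->marks & MARK_PROP) ? a : (b->marks & MARK_PROP) ? b : NULL;
    if (src) {
        tp_put(ret, new_event(EV_PROP, "ZEND_CONCAT", src->buf, ret->buf, line, tp_find(src)));
        ret->marks |= MARK_PROP;
    }
    return ret;
}
/* Risk function (ZEND_ECHO stand-in): a string parameter carrying the propagation mark is a taint
 * convergence event, and the convergence parent is the event that produced the parameter. */
static event *risk_echo(const tval *arg, const char *line) {
    if (!(arg->marks & MARK_PROP)) return NULL;
    event *ev = new_event(EV_SINK, "ZEND_ECHO", arg->buf, "", line, tp_find(arg));
    tp_put(arg, ev); return ev;
}

/* Construct the taint propagation link: from the convergence entry of the risk function parameter,
 * follow the parent pointers back to the source event and render the link source -> sink.
 * Returns the number of events in the link, or 0 when the parameter never reached a sink. */
static int build_link(const tval *risk_param, char *out, size_t cap) {
    event *chain[32], *e = tp_find(risk_param);
    int n = 0; size_t used = 0; out[0] = '\0';
    if (!e || e->type != EV_SINK) return 0;
    for (; e && e->type != EV_REQUEST && n < 32; e = e->parent) chain[n++] = e;
    for (int i = n - 1; i >= 0 && used < cap; i--) {
        char src[64] = "";
        e = chain[i];
        if (e->type == EV_SOURCE) snprintf(src, sizeof src, "source %s[%s] ", e->src_type, e->src_name);
        used += snprintf(out + used, cap - used, "%s%s(%s)->%s @%s%s",
                         src, e->func, e->param, e->ret, e->line, i ? " | " : "");
    }
    return n;
}

/* Constructed scenario: $_POST['user'] = "admin"; $s = "Hello, " . $_POST['user']; echo $s; */
static int demo(char *out, size_t cap) {
    static tval post_user; tp_count = 0;
    snprintf(post_user.buf, sizeof post_user.buf, "admin");
    mark_request_param(&post_user, "POST", "user");
    tval *user = op_fetch_dim_r(&post_user, "index.php:3");
    tval hello = { "Hello, ", 0 };
    tval *s = prop_concat(&hello, user, "index.php:4");
    risk_echo(s, "index.php:5");
    return build_link(s, out, cap);
}
```

Heap-allocated values and events are deliberately never freed: in the real extension the table lives for one request and is torn down in RSHUTDOWN.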
A second aspect of the embodiments of the present application provides a code-vaccine-based runtime vulnerability analysis apparatus, comprising:
a parsing module for parsing the request information, the request information comprising request parameters, the URL and the request method;
a marking module for applying the taint source mark and the taint propagation mark to the request parameters, removing the taint source mark from the return value of the operation function once a taint source event has been judged, and applying the taint propagation mark to the return value of the propagation function once a taint propagation event has been judged;
a first monitoring module for monitoring the operation function corresponding to the opcode and judging whether it constitutes a taint source event, and if so creating a taint source event structure;
a second monitoring module for monitoring the propagation function and judging whether it constitutes a taint propagation event, and if so creating a taint propagation event structure;
a third monitoring module for monitoring the risk function corresponding to the opcode and judging whether it constitutes a taint convergence event, and if so creating a taint convergence event structure;
and a construction module for constructing a taint propagation link from the taint source event structure, the taint propagation event structure and the taint convergence event structure.
A third aspect of the embodiments of the present application provides an electronic device, where the electronic device includes a memory and a processor, where the memory stores a computer program, and where the processor executes steps of any implementation manner of the first aspect of the embodiments of the present application when the computer program is executed.
A fourth aspect of the embodiments of the present application provides a readable storage medium having stored therein a computer program which, when run on a processor, performs the steps of any implementation of the first aspect of the embodiments of the present application.
A fifth aspect of the embodiments of the present application provides a computer program product for performing the steps of any implementation manner of the first aspect when the computer program product is run on a computer.
Compared with the prior art, the technical scheme of the embodiments of the application has the following advantages. By parsing the request information and applying the taint source mark and the taint propagation mark to the request parameters, information about the taint source is recorded in addition to the taint propagation trajectory. The operation function corresponding to the opcode is monitored, the taint source event structure is created and the taint source mark is removed from the operation function's return value; the propagation function is monitored, the taint propagation event structure is created and the propagation function's return value receives the taint propagation mark; the risk function corresponding to the opcode is monitored and the taint convergence event structure is created; and a taint propagation link is constructed from the taint source, taint propagation and taint convergence event structures. Precise source code locations can therefore be provided for vulnerability alarms, the propagation path can be traced back to a definite taint source, and constructing the taint propagation link answers both how the vulnerability is to be repaired and how it propagated.
It should be understood that what is described in this summary is not intended to limit the critical or essential features of the embodiments of the disclosure nor to limit the scope of the disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered limiting the scope, and that other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic flow chart of a code-vaccine-based runtime vulnerability analysis method according to an embodiment of the present application;
Fig. 2 is a schematic diagram of variable propagation and tracing in a code-vaccine-based runtime vulnerability analysis method according to an embodiment of the present application;
Fig. 3 is another schematic diagram of variable propagation and tracing in a code-vaccine-based runtime vulnerability analysis method according to an embodiment of the present application;
Fig. 4 is a schematic diagram of linear taint propagation in a code-vaccine-based runtime vulnerability analysis method according to an embodiment of the present application;
Fig. 5 is a schematic diagram of nonlinear taint propagation in a code-vaccine-based runtime vulnerability analysis method according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of a code-vaccine-based runtime vulnerability analysis device according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application. In the description of the present application, the terms "first," "second," and the like are used merely to distinguish between descriptions and are not to be construed as indicating or implying relative importance. It will be apparent that the embodiments described below are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments of the present application without making any inventive effort, are intended to be within the scope of the embodiments of the present application.
Embodiment one:
Referring to Fig. 1, which is a flow chart of a code-vaccine-based runtime vulnerability analysis method according to an embodiment of the present application, the method comprises the following steps:
S100: before the request information is parsed by the probes pre-instrumented (hooked) on key functions, a first probe is pre-instrumented on the opcodes of the zend engine and a second probe on php internal functions during the module initialisation stage of the php extension. Taint propagation analysis requires monitoring the invocation of each sensitive function, which is done by hooking opcodes (via the first probe) and hooking internal functions (via the second probe).
It should be noted that a running instance of a php extension goes through the following four phases:
Module initialisation (MINIT): the MINIT method of each relevant module (Redis, MySQL, etc.) is called exactly once, before any request arrives, for example when the Apache server starts and the php interpreter starts with it. Request initialisation (RINIT): triggered on the arrival of each request; the SAPI layer passes control to the php layer, which initialises the environment variables, function lists and so on required to execute the script for this request and calls the RINIT function of every module. Request shutdown (RSHUTDOWN): at the end of each request php cleans up automatically, calling the RSHUTDOWN method of each module in turn and clearing the symbol table built while the program ran. Module shutdown (MSHUTDOWN): after all requests have been processed and the SAPI is closed (that is, the server shuts down), php calls the MSHUTDOWN method of each module to release memory.
The pre-instrumented probes of this application are themselves a php extension, in which these four phases are registered. In the MINIT phase the instrumentation (hook), logging, heartbeat communication and other modules are started, and after the heartbeat process has connected to the server various configuration commands are issued, such as whether to enable a probe.
Note that php is an interpreted language: code is translated into intermediate bytecode, which the zend engine parses and executes. php calls this intermediate bytecode opcodes, and each opcode corresponds to a handler function at the bottom of the zend engine that is ultimately executed. The first probe pre-instrumented on opcodes must hook several opcode types, after which the sensitive functions to be instrumented can be added as needed.
Tracing taint propagation in php requires pre-instrumenting a probe on the opcodes because, when a request is received and a request parameter such as user is used, an operation function opcode (ZEND_FETCH_DIM_R) is actually used to read the variable from the array $_POST, that is, the string value admin of the element user is obtained from $_POST. By instrumenting that opcode, the propagation of the taint source mark can be tracked and it becomes known how the taint source propagates further.
In addition, because some propagation functions involve opcodes (for example, ZEND_CONCAT represents string concatenation), a probe is pre-instrumented on those opcodes to track the propagation of the taint propagation mark.
Likewise, some risk (convergence point) functions are themselves opcodes, for example ZEND_ECHO (exploitable for XSS) and ZEND_INCLUDE_OR_EVAL (file inclusion and command execution), and these are monitored directly by the opcode pre-instrumented probe.
Other risk (convergence point) functions are also pre-instrumented through opcodes, but in a different manner, as follows:
when a tainted variable is passed as a parameter to a risk function, the call of the risk function in php is made by one of three zend opcodes (ZEND_INCLUDE_OR_EVAL / ZEND_DO_FCALL / ZEND_DO_FCALL_BY_NAME), depending on how the function is called, for example directly or by function name. These three opcodes are pre-instrumented through the zend engine's built-in function zend_set_user_opcode_handler, so that risk function calls are monitored and the called risk function and its parameters can be obtained. This is aimed mainly at convergence point (sink) functions, such as the command execution function exec and the SQL-injection-related mysqli query functions.
The first probe is pre-instrumented in the module initialisation (MINIT) phase, in which the probe is preloaded.
In the module initialisation stage of the php extension, the first probe on the zend engine's opcodes specifically replaces the function pointer of a zend engine built-in function (such as an opcode handler) with a custom function, for example by replacing the function pointer object in the built-in function table. Once the pointer is replaced, when the zend engine executes the opcode it looks up the table, finds the replaced built-in function pointer and executes it, which completes the instrumentation. Instrumenting the opcode changes the execution structure of the code so that custom functions run. After the built-in function has been replaced, the operations before and after the function call can be customised, such as parameter acquisition and attack blocking.
In the php kernel, when a function is called through the three opcodes above, the zend engine looks the function up in the function table and returns a zend_function pointer. After the probe has been pre-instrumented, the zend engine still finds the function in the function table and returns a zend_function pointer, then determines the type in the zend_function structure; because the handler has been replaced by the custom function through the instrumentation method, the modified handler is called, and the zend_op_array contained in the custom function is executed via zend_execute.
The first probe on the zend engine's opcodes is thus realised in the module initialisation stage of the php extension. In this application the operation function and part of the propagation functions are monitored through the pre-instrumented first probe to track taint source events and taint propagation events, and the three opcodes are monitored by the pre-instrumented first probe when a risk function runs to track taint convergence events.
The second probe is pre-instrumented on php internal functions, which include the remaining propagation functions. Specifically, the function pointer of the php internal function in the global function table is replaced with a custom function; for example, a handler wrapping the php internal function adds a custom pre-function before the internal function and a custom post-function after it, so that custom function = custom pre-function + original internal function + custom post-function.
The functions the handler points to are written in C or C++ and can be executed directly, so php internal functions are pre-instrumented by modifying the handler of the zend_internal_function: the function pointer in the php internal function structure is modified to replace the function pointer of the specific propagation function in the function table of the global variable structure. Once the probe function has finished its work, the original handler is called, which completes the pre-instrumented probe.
The taint propagation tracing analysis uses the second probe pre-instrumented into php internal functions (part of the propagation functions);
these propagation functions mainly concern string operations (the taint source mark and the taint propagation mark are placed on the string structure) and include string conversion functions, string search functions, string encoding functions, string encryption functions, string comparison functions and the like.
S101: parsing request information, where the request information comprises the request parameters, url and request method.
In this embodiment, the request information is stored in a predefined variable array of the first zval structure; in the request initialization stage of the php extension, the request information stored in the predefined variable array is parsed through the first probe to obtain the request parameters, url and request method.
In php, when a request is received and a request parameter such as user is used, an operation function opcode (ZEND_FETCH_DIM_R) actually reads the variable from a predefined variable array such as $_POST, i.e. the string value admin of the element user is fetched from $_POST; the request information is therefore parsed in the first probe pre-instrumented on this opcode.
S102: performing taint source marking and taint propagation marking on the request parameters;
in this embodiment, the taint source mark and the taint propagation mark are set on the string-type values in the predefined variable array.
In this embodiment, the taint source mark and the taint propagation mark are set separately on the string-type values in the predefined variable array: the taint source mark is set through the first unused byte bit of the u.v.flags field in the zval structure of the string, and the taint propagation mark is set through the second unused byte bit of the same field.
Request initialization (RINIT) is triggered when each request arrives, and the following processing is performed through the pre-instrumented first probe:
1. The request information is processed to obtain the parameters, url, request method and the like; this information is needed when a vulnerability is taint-marked and reported.
2. The request parameters are taint-marked, which includes the taint source mark and the taint propagation mark.
In php, global variables are all stored in the symbol table symbol_table of the HashTable type, including the predefined variables $GLOBALS, $_COOKIE, $_GET, $_POST, etc.
The request parameters are obtained from the HashTable, specifically by storing the request information comprising the request parameters in a predefined variable array.
For example, for the url parameter index.php?data=1a2b3c, the parameter can be obtained with $parameter = $_GET["data"]; the resulting $parameter is 1a2b3c.
$_REQUEST is used in the same way; by default $_REQUEST contains the contents of the $_GET, $_POST and $_COOKIE arrays.
In the request initialization (RINIT) phase, the values in the arrays of the predefined variables $_SERVER, $_GET, $_POST, $_REQUEST, $_COOKIE, $_SESSION, $_FILES, $_ENV, $GLOBALS, etc. (string types only) are first marked with the taint source mark and the taint propagation mark.
In php, the use of request parameters typically involves retrieval operations (such as copy and assign) between the array and object types obtained through predefined variables, which do not affect the taint flag bits of the string. Therefore all strings in the predefined variable arrays are taint-marked with the taint source mark and the taint propagation mark, and taint propagation analysis is then carried out on the string type.
Specifically, all variables inside the php implementation are held in the same data structure (the variable structure zval), which represents all of php's data types at once; it contains not only the value of the variable but also its type. php has 8 variable types in three categories: scalar types (boolean, integer, float (double), string), compound types (array, object) and special types (resource, NULL).
Two mark bits are used here: one for the taint source mark (for distinguishing and locating the taint source, which facilitates backtracking of the taint propagation) and one for the taint propagation mark. Specifically, the first unused byte bit of the u.v.flags field in the zval structure of every string in the predefined variable arrays is set as the taint source mark, e.g. the bit is changed from 0 to 1, and the second unused byte bit is set as the taint propagation mark, e.g. the bit is changed from 0 to 1.
The taint source mark is used to distinguish different taint sources and to record the source information of a taint; since taints have different initial sources, the source is determined by tracing the parameter, e.g. determining the taint source parameter type POST/GET/COOKIE, the taint source parameter name user/name/pwd, the url, the request method and the like.
As an alternative implementation, the first zval structure address of the request parameter and the information of the request parameter are stored in a taint propagation table, where the information of the request parameter comprises the type and the name of the request parameter;
the zval structure address of the request parameter (i.e. the taint source parameter) and the parameter information (the marked parameter source such as POST or GET, e.g. get_user, the url and the request method), after the taint source mark and the taint propagation mark have been set, are saved in a taint propagation table (e.g. a map structure); this information is needed when the taint source event structure is created, as follows:
std::map<long, std::string> p_param; // key: parameter pointer, value: parameter information
S103: monitoring the operation function corresponding to the opcode and judging whether it constitutes a taint source event; if it is judged to be a taint source event, creating a taint source event structure;
in this embodiment, the operation function corresponding to an opcode is monitored by the first probe, the parameters and return value of the operation function are obtained, and it is determined whether the return value is of string type and whether it carries a taint source mark. If the return value of the operation function is a string and carries a taint source mark, the operation function is judged to be a taint source event and a taint source event structure is created.
Specifically, the custom opcode handler (the handler is the actual operation function corresponding to the opcode) installed in the first probe by instrumentation works the same way for every opcode of the Zend engine: the handler function pointer points to the address of an operation function containing the code that executes the opcode, and it receives the parameters the opcode needs, such as operands, the symbol table and the operand stack; after execution it returns a result (return value) and sometimes an additional piece of information, extended_value. In the handler of the first probe, the operation instruction of the operation function monitored by the opcode and the parameter string can be obtained: the opline field (of type zend_op, the currently executed intermediate code) is obtained from the zend_execute_data structure, and the parameters and the return value result of the operation function opline are obtained from it.
Taint source analysis is then performed by determining whether the return value result is of string type and is a taint source (i.e. whether it carries the taint source mark); there are currently two taint mark bits, the taint source mark and the taint propagation mark.
As an alternative embodiment, the taint source event structure comprises taint source parameter information, the taint event type, call stack information, the operation function name, the parameters of the operation function, the return value of the operation function and stack trace information. The taint source parameter information is obtained by querying the corresponding request parameter in the taint propagation table through the parameters of the operation function, taking the type of the corresponding request parameter as the taint source parameter type and the name of the corresponding request parameter as the taint source parameter name.
In this embodiment, the corresponding request parameter is queried in the taint propagation table through the parameters of the operation function by comparing the hash of the operation function's parameter with the hash of the request parameter in the taint propagation table.
If it is a taint source, a taint source event structure is created and saved. The taint source event structure comprises the following fields:
the taint source parameter information, i.e. the type and the name of the taint source parameter; when the taint source event structure is created, the corresponding request parameter is queried in the taint propagation table through the parameters of the operation function, and the type and the name of that request parameter are taken as the taint source parameter type and the taint source parameter name;
the taint event type, e.g. the type of the current taint event structure is "taint source event";
the call stack information, such as the first line of the call stack, obtained from the php function entry information structure;
the operation function name, which is known in advance because it is known which operation functions are pre-instrumented, so the name is written by hand in advance;
the parameters of the operation function, obtained by the first probe;
the return value of the operation function, obtained by the first probe;
the stack trace information, obtained by calling the Zend engine function.
Since obtaining the stack trace information costs some performance, as an alternative implementation only the first line of the current call stack is obtained, to avoid that cost.
As an alternative embodiment, after the taint source event structure has been created, the second zval structure address of the return value of the operation function and the corresponding taint source event structure are saved in the taint propagation table, as follows:
std::map<long, point_event> point_events; // key: memory pointer of the operation function's return value
As an alternative embodiment, if a taint source event is determined, the taint source mark on the return value of the operation function is removed.
When the taint source event structure is created, the taint source mark of the taint source needs to be removed (the current taint source carries two marks, the taint source mark and the taint propagation mark). The reason is that subsequent propagation events or convergence events should not be regarded as taint sources, so the taint source mark is removed. Specifically, the taint source mark in the u.v.flags field of the second zval structure of the current operation function's return value is cleared, e.g. the first byte bit holding the taint source mark is changed from 1 to 0.
In practice, taint events fall into 3 kinds: taint source events, taint propagation events and taint trigger (convergence) events. The corresponding taint event structures are the taint source event structure, the taint propagation event structure and the taint convergence event structure. The whole taint propagation process can be traced back through these taint event structures.
S104: monitoring the propagation function and judging whether it constitutes a taint propagation event; if yes, creating a taint propagation event structure and setting the taint propagation mark on the return value of the propagation function;
in this embodiment, the first probe or the second probe monitors the propagation function, obtains its parameters and return value, and determines whether a parameter of the propagation function is of string type and whether it carries a taint propagation mark. If a parameter of the propagation function is a string and carries a taint propagation mark, the call is judged to be a taint propagation event and a taint propagation event structure is created.
As an alternative implementation, the operation function corresponding to an opcode is monitored through the first probe, and the operation functions include a first propagation function for string concatenation, such as ZEND_CONCAT.
As an alternative embodiment, the php internal functions are monitored by the second probe, and the php internal functions include second propagation functions for string operations;
in this embodiment, the following is performed for the propagation functions of the pre-instrumented probes (opcodes instrumented through the first probe and internal functions instrumented through the second probe): it is determined whether a parameter of the propagation function is of string type and is taint-marked (carries the taint propagation mark). If both conditions are met, the return value result of the propagation function is given the taint propagation mark, which completes the taint propagation. Setting the taint propagation mark on the return value result of the propagation function specifically means setting the unused byte bit of the u.v.flags field in the third zval structure of the current propagation function's return value, e.g. changing the bit from 0 to 1.
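As an added illustration (not code from the patent), the following C++ sketch models steps S102 to S104 on a constructed request: a stand-in zval with the two mark bits, marking of the predefined variable array at RINIT, the source event at ZEND_FETCH_DIM_R with the source mark cleared from the return value, propagation of the propagation mark through ZEND_CONCAT, and the check at a risk function such as exec. The Zval, ParamInfo and PointEvent types and the function names are assumptions of this example; they stand in for the engine structures and tables the text describes.

```cpp
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// Constructed stand-in for a PHP string zval. The scheme keeps its two marks in
// unused bits of the zval flags field; here they are two bits of one byte.
enum : uint8_t { TAINT_SOURCE = 0x01, TAINT_PROP = 0x02 };
struct Zval { std::string value; uint8_t flags = 0; };

// Request-parameter information recorded at RINIT, keyed by zval address
// (the role of the p_param table in the text).
struct ParamInfo { std::string type, name, url, method; };
static std::map<long, ParamInfo> p_param;

// Taint events in creation order (a simplified point_events table).
struct PointEvent { std::string kind, func, source_type, source_name; long addr; };
static std::vector<PointEvent> point_events;

// RINIT: mark every string of a predefined variable array ($_GET here) with
// both the source mark and the propagation mark and remember where it came from.
void mark_request_array(const std::string& type, std::map<std::string, Zval>& arr,
                        const std::string& url, const std::string& method) {
    for (auto& kv : arr) {
        kv.second.flags |= TAINT_SOURCE | TAINT_PROP;
        p_param[(long)&kv.second] = {type, kv.first, url, method};
    }
}

// First probe around the operation function of ZEND_FETCH_DIM_R ($v = $arr[key]).
// The read copies the element, flags included. A return value that still carries
// the source mark is a taint source event: it is recorded together with the
// request-parameter info, then the source mark is cleared so that later
// propagation and sink events are not mistaken for sources (only the
// propagation mark stays).
void fetch_dim_r(std::map<std::string, Zval>& arr, const std::string& key, Zval* ret) {
    Zval& elem = arr.at(key);
    *ret = elem;
    if (ret->flags & TAINT_SOURCE) {
        const ParamInfo& p = p_param.at((long)&elem);   // lookup by parameter pointer
        point_events.push_back({"source", "ZEND_FETCH_DIM_R", p.type, p.name, (long)ret});
        ret->flags = static_cast<uint8_t>(ret->flags & ~TAINT_SOURCE);
    }
}

// Propagation function ZEND_CONCAT ($a . $b): if either operand carries the
// propagation mark, the result inherits it and a propagation event is recorded.
void concat(const Zval& a, const Zval& b, Zval* ret) {
    ret->value = a.value + b.value;
    ret->flags = 0;
    if ((a.flags | b.flags) & TAINT_PROP) {
        ret->flags = TAINT_PROP;
        point_events.push_back({"propagation", "ZEND_CONCAT", "", "", (long)ret});
    }
}

// Risk (sink) function reached through ZEND_DO_FCALL, e.g. exec(): a string
// parameter carrying the propagation mark is a taint convergence event.
bool check_sink(const std::string& func, const Zval& arg) {
    if (!(arg.flags & TAINT_PROP)) return false;
    point_events.push_back({"convergence", func, "", "", (long)&arg});
    return true;
}

// Constructed request index.php?data=1a2b3c executing
//   $cmd = "ls " . $_GET["data"]; exec($cmd);
// With from_request=false the same value comes from a string literal instead,
// so no marks are set. Returns the recorded events as "kind:func[:type:name]"
// joined by "|" (empty when nothing was tainted).
std::string run_demo(bool from_request) {
    p_param.clear();
    point_events.clear();
    std::map<std::string, Zval> get_arr = {{"data", {"1a2b3c", 0}}};
    mark_request_array("GET", get_arr, "/index.php", "GET");
    Zval parameter, prefix{"ls ", 0}, cmd;
    if (from_request) fetch_dim_r(get_arr, "data", &parameter);
    else parameter = Zval{"1a2b3c", 0};
    concat(prefix, parameter, &cmd);
    check_sink("exec", cmd);
    std::string out;
    for (const PointEvent& e : point_events) {
        if (!out.empty()) out += "|";
        out += e.kind + ":" + e.func;
        if (!e.source_type.empty()) out += ":" + e.source_type + ":" + e.source_name;
    }
    return out;
}
```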
As an alternative embodiment, the taint propagation event structure comprises: the taint event type, call stack information, the propagation function name, the parameters of the propagation function, the return value of the propagation function, stack trace information and propagation parent event information;
a taint propagation event structure is created and saved as follows. The taint propagation event structure comprises the following fields:
the event structure type, e.g. the type of the current taint event structure is "taint propagation event";
the call stack information, such as the first line of the call stack, obtained from the Zend engine function structure;
the propagation function name, which is known in advance because it is known which propagation functions are pre-instrumented, so the name is written by hand in advance;
the parameters of the propagation function, obtained by the first probe or the second probe;
the return value of the propagation function, obtained by the first probe or the second probe;
the stack trace information, obtained by calling the Zend engine function.
Since obtaining the stack trace information costs some performance, as an alternative implementation only the first line of the current call stack is obtained, to avoid that cost.
The taint propagation event structure also comprises the propagation parent event information; the parent event may be a taint source event or a taint propagation event.
As an optional implementation, referring to fig. 3, which is a schematic diagram of variable propagation and tracing in the code vaccine-based runtime vulnerability analysis method of this application, the propagation parent event information is obtained by querying the return value of the corresponding operation function in the taint propagation table through the parameters of the propagation function, and then obtaining the corresponding second zval structure address and the corresponding taint source event structure through that return value of the operation function.
In this embodiment, the return value of the corresponding operation function is queried in the taint propagation table through the parameters of the propagation function, specifically by comparing the hash of the propagation function's parameter with the hash of the operation function's return value in the taint propagation table.
As an optional implementation, referring to fig. 2, which is a schematic diagram of variable propagation and tracing in the code vaccine-based runtime vulnerability analysis method of this application, the propagation parent event information is obtained by querying the return value of the corresponding propagation function in the taint propagation table through the parameters of the propagation function, and then obtaining the corresponding third zval structure address and the corresponding taint propagation event structure through that return value of the propagation function.
In this embodiment, the return value of the corresponding propagation function is queried in the taint propagation table through the parameters of the propagation function, specifically by comparing the hash of the propagation function's parameter with the hash of the propagation function's return value in the taint propagation table.
In this embodiment, referring to fig. 4 and 5, a taint propagation event structure may hold several items of propagation parent event information, i.e. the parent events of one taint propagation event structure may be several taint source events or several taint propagation events. Several taint source event structures, several taint propagation event structures, or a combination of taint source event structures and taint propagation event structures are obtained through the several propagation parent event entries in the taint propagation event structure.
Since the actual taint propagation process is a nonlinear, complex propagation path, a taint propagation event may originate from several taint source events or several taint propagation events. As shown in fig. 5, taint propagation event e1 derives from taint source event c1 and taint source event d1, and taint propagation event d1 derives from taint propagation event c1 and taint propagation event e1. In order to distinguish and trace back the taint sources, the method sets the taint source mark in addition to the conventional taint propagation mark; it distinguishes different taint sources and facilitates taint backtracking. By recording the taint source information, the source is determined by backtracking the parameter through the taint source mark, since the sources differ at the beginning of the propagation process. The dual marking additionally allows the source code location of the vulnerability to be located quickly. Combined with the taint propagation link built from the taint source event structures, taint propagation event structures and taint convergence event structures, the whole taint propagation process is traced back and the propagation path of a complex taint propagation process is presented, which helps to analyse the cause of the vulnerability.
As an alternative embodiment, after the taint propagation event structure has been created, the third zval structure address of the parameter of the propagation function and the corresponding taint propagation event structure are saved in the taint propagation table, as follows:
std::map<long, point_event> point_events; // key: memory pointer of the propagation function's return value
S105: monitoring the risk function corresponding to the opcode and judging whether it constitutes a taint convergence event; if yes, creating a taint convergence event structure;
in this embodiment, the risk function corresponding to an opcode is monitored by the first probe, the parameters of the risk function are obtained, and it is judged whether a parameter of the risk function is of string type and whether it carries a taint propagation mark. If the return value of the risk function is a string and carries a taint propagation mark, the taint is judged to have converged and a taint convergence event structure is created.
As an alternative embodiment, the taint convergence event structure comprises: the taint event type, call stack information, the risk function name, the parameters of the risk function, the return value of the risk function, stack trace information and convergence parent event information;
a taint convergence event structure is created and saved. The taint convergence event structure comprises the following fields:
the taint event structure type, e.g. the type of the current taint event structure is "taint convergence event";
the call stack information, such as the first line of the call stack, obtained from the php function entry information structure;
the risk function name, which is known in advance because it is known which risk functions are pre-instrumented, so the name is written by hand in advance;
the parameters of the risk function, obtained by the first probe or the second probe;
the return value of the risk function, obtained by the first probe or the second probe;
the stack trace information, obtained by calling the Zend engine function.
Since obtaining the stack trace information costs some performance, as an alternative implementation only the first line of the current call stack is obtained, to avoid that cost.
The taint convergence event structure also comprises the convergence parent event information; the parent event comprises a taint propagation event.
As an alternative embodiment, obtaining the convergence parent event information comprises: querying the return value of the corresponding propagation function in the taint propagation table through the parameters of the risk function, and obtaining the corresponding third zval structure address and the corresponding taint propagation event structure through that return value of the propagation function.
In this embodiment, the return value of the corresponding propagation function is queried in the taint propagation table through the parameters of the risk function by comparing the hash of the risk function's parameter with the hash of the propagation function's return value in the taint propagation table.
As an alternative embodiment, the fourth zval structure address of the parameter of the risk function and the corresponding taint convergence event structure are saved in the taint propagation table.
In this embodiment, referring to fig. 4 and 5, a taint convergence event structure may hold several items of convergence parent event information, i.e. the parent events of a taint convergence event structure may be several taint propagation events. Several taint propagation event structures are obtained through the several convergence parent event entries in the taint convergence event structure.
Since the actual taint propagation process is a nonlinear, complex propagation path, one taint convergence event may originate from several taint propagation events; as shown in fig. 5, taint convergence event a1 originates from taint propagation event b1 and taint propagation event d1. One taint propagation event may also originate from several taint source events; as shown in fig. 5, taint propagation event e1 originates from taint source event c1 and taint source event d1. In this method and device, the information of the different taint sources is recorded through the taint source information in the taint source event structure, so that the taint sources can be determined by backtracking. Through the established taint propagation table, the propagation parent events in the taint propagation event structures and the convergence parent events in the taint convergence event structures, the preceding information of each event is traced back in turn, a complete mesh-shaped taint propagation link is constructed and the whole taint propagation process is traced back, which facilitates analysis of the cause of the vulnerability.
As an optional implementation, when a taint convergence event is judged to exist, a vulnerability is judged to exist and the vulnerability information is sent to the server.
S106: constructing a taint propagation link from the taint source event structure, the taint propagation event structure and the taint convergence event structure.
In this embodiment, the taint convergence event structure corresponding to the parameters of the risk function is queried and obtained in the taint propagation table; the corresponding taint propagation event structure is queried and obtained in the taint propagation table through the convergence parent event information in the obtained taint convergence event structure; and the corresponding taint source event structure is queried and obtained in the taint propagation table through the propagation parent event information in the obtained taint propagation event structure;
the taint source parameter information, call stack information, operation function name, parameters of the operation function, return value of the operation function and stack trace information in the taint source event structure, then the call stack information, propagation function name, parameters of the propagation function, return value of the propagation function and stack trace information in the taint propagation event structure, and then the call stack information, risk function name, parameters of the risk function, return value of the risk function and stack trace information in the taint convergence event structure are queried and obtained in turn and connected in sequence to generate the taint propagation link.
As an alternative implementation, referring to fig. 2 to 5, a taint propagation link is constructed and the whole taint propagation process is traced back: the related taint event structures are obtained from the taint event structures in the taint propagation table, together with the function name, parameters, return value, call stack, stack trace and the like of each step from the taint source event structure through the taint propagation event structure to the taint convergence event structure, and the taint source parameter information. During vulnerability repair, the exact function, call stack code position and stack trace information of each step can be located and the taint source information traced back. The method thus provides an accurate location of the vulnerability source code when the vulnerability is reported, which makes vulnerability repair more accurate and improves repair efficiency.
As an alternative embodiment, multiple taint propagation links are aggregated: links traced individually can be combined according to the taint event structures they share to generate an aggregated taint propagation link (tracing is itself a process of aggregation; for example, when a taint propagation event originates from two taint source events, tracing it is essentially aggregating the taint propagation events). The aggregated taint propagation link of the vulnerability is sent to the server, which facilitates analysis of the cause of the vulnerability.
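As an added example, not the patent's own code, the following C++ builds the taint propagation link of S106 by backtracking from a convergence event through the parent event information held in a constructed taint propagation table; an event reached from several children is emitted once, which is the aggregation of individual links described above. The TaintEvent type, the table contents and the keys named after a1..e1 are constructed for this example.

```cpp
#include <map>
#include <set>
#include <string>
#include <vector>

// Constructed taint event record: one entry of the taint propagation table,
// keyed by the address of the zval it describes. The parent keys are the
// propagation-parent / convergence-parent information of the event.
struct TaintEvent {
    std::string kind;                      // "source", "propagation" or "convergence"
    std::string func;                      // operation / propagation / risk function name
    std::string params, ret;               // parameters and return value of that function
    std::string call_stack;                // first line of the call stack
    std::string source_type, source_name;  // taint source parameter info (sources only)
    std::vector<long> parents;             // zval addresses of the parent events
};
using TaintTable = std::map<long, TaintEvent>;

// Backtrack from an event through its parents and append the link lines so that
// every event follows all of its parents and appears only once, even when it is
// reached from several children. A parent missing from the table ends that branch.
static void visit(const TaintTable& t, long key, std::set<long>& seen,
                  std::vector<std::string>& link) {
    if (!seen.insert(key).second) return;
    auto it = t.find(key);
    if (it == t.end()) return;
    for (long p : it->second.parents) visit(t, p, seen, link);
    const TaintEvent& e = it->second;
    std::string line = e.kind + " " + e.func + "(" + e.params + ") -> " + e.ret +
                       " @ " + e.call_stack;
    if (e.kind == "source") line += " [" + e.source_type + ":" + e.source_name + "]";
    link.push_back(line);
}

// Build the taint propagation link for the convergence event stored under sink_key.
std::vector<std::string> build_link(const TaintTable& t, long sink_key) {
    std::set<long> seen;
    std::vector<std::string> link;
    visit(t, sink_key, seen, link);
    return link;
}

// Constructed table for a request in which two GET parameters reach exec() along
// two paths. Keys reuse the a1..e1 labels, with a constructed parent structure:
//   c1, e1 sources; b1 propagates from c1; d1 propagates from c1 and e1;
//   a1 converges from b1 and d1.
TaintTable sample_table() {
    TaintTable t;
    t[0xc1] = TaintEvent{"source", "ZEND_FETCH_DIM_R", "$_GET,\"user\"", "admin",
                         "index.php:3", "GET", "user", {}};
    t[0xe1] = TaintEvent{"source", "ZEND_FETCH_DIM_R", "$_GET,\"cmd\"", "ls",
                         "index.php:4", "GET", "cmd", {}};
    t[0xb1] = TaintEvent{"propagation", "ZEND_CONCAT", "\"id \",$u", "id admin",
                         "index.php:5", "", "", {0xc1}};
    t[0xd1] = TaintEvent{"propagation", "ZEND_CONCAT", "$c,$u", "ls admin",
                         "index.php:6", "", "", {0xc1, 0xe1}};
    t[0xa1] = TaintEvent{"convergence", "exec", "$b . \";\" . $d", "",
                         "index.php:7", "", "", {0xb1, 0xd1}};
    return t;
}
```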
Embodiment two:
Referring to fig. 6, which is a schematic structural diagram of a code vaccine-based runtime vulnerability analysis apparatus according to an embodiment of the present application, the apparatus 400 comprises:
a parsing module 401, configured to parse request information, where the request information comprises the request parameters, url and request method;
a marking module 402, configured to set the taint source mark and the taint propagation mark on the request parameters, to remove the taint source mark from the return value of the operation function after a taint source event has been judged, and to set the taint propagation mark on the return value of the propagation function after a taint propagation event has been judged;
a first monitoring module 403, configured to monitor the operation function corresponding to the opcode and determine whether it constitutes a taint source event; if yes, to create a taint source event structure;
a second monitoring module 404, configured to monitor the propagation function and determine whether it constitutes a taint propagation event; if yes, to create a taint propagation event structure;
a third monitoring module 405, configured to monitor the risk function corresponding to the opcode and determine whether it constitutes a taint convergence event; if yes, to create a taint convergence event structure;
a construction module 406, configured to construct a taint propagation link from the taint source event structure, the taint propagation event structure and the taint convergence event structure.
For a detailed description of the code vaccine-based runtime vulnerability analysis apparatus, refer to the description of the corresponding method steps in the embodiment above.
Embodiment III:
referring to fig. 7, fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application, where the electronic device 500 includes: the memory 510 and the processor 520 are connected through the bus 530, the memory 510 stores a computer program, and the processor 520 reads and runs the computer program, so that the electronic device 500 can execute all or part of the flow of the method in the embodiment to realize the code vaccine based runtime vulnerability analysis.
It should be understood that the electronic device may be a personal computer (Personal Computer, PC), tablet computer, smart phone, etc. with logic computing capabilities.
The embodiment of the application also provides a readable storage medium, wherein the readable storage medium stores a computer program, and the computer program executes steps in a code vaccine-based runtime vulnerability analysis method when running on a processor.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other manners as well. The apparatus embodiments described above are merely illustrative, for example, flow diagrams and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, the functional modules in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, in essence or in the part contributing to the prior art, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
The foregoing is merely exemplary embodiments of the present application and is not intended to limit the scope of the present application, and various modifications and variations may be suggested to one skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present application should be included in the protection scope of the present application. It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that relational terms such as first and second, and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.

Claims (17)

1. A method of runtime vulnerability analysis based on a code vaccine, the method comprising:
parsing request information, the request information including: request parameters, url, and request method;
performing taint source marking and taint propagation marking on the request parameters;
monitoring an operation function corresponding to the opcode, and judging whether the operation function is a taint source event;
if yes, creating a taint source event structure, and removing the taint source mark from the return value of the operation function;
monitoring a propagation function, and judging whether the propagation function is a taint propagation event;
if yes, creating a taint propagation event structure, and performing taint propagation marking on the return value of the propagation function;
monitoring a risk function corresponding to the opcode, and judging whether the risk function is a taint convergence event;
if yes, creating a taint convergence event structure;
and constructing a taint propagation link according to the taint source event structure, the taint propagation event structure and the taint convergence event structure.
2. The method of claim 1, wherein, before parsing the request information, the method comprises:
in the module initialization stage of the PHP extension, pre-instrumenting a first probe on the opcodes of the Zend engine and a second probe on the PHP internal functions.
3. The method of claim 2, wherein parsing the request information comprises:
storing the request information into a predefined variable array of a first zval structure;
and in the request initialization stage of the PHP extension, parsing the request information stored in the predefined variable array through the first probe to obtain the request parameters, url and request method.
4. The method according to claim 3, wherein performing taint source marking and taint propagation marking on the request parameters comprises:
performing taint source marking and taint propagation marking on the string-type entries in the predefined variable array.
5. The method of claim 1, wherein, after performing taint source marking and taint propagation marking on the request parameters, the method comprises:
storing the first zval structure address of the request parameter and information of the request parameter into a taint propagation table, wherein the information of the request parameter comprises the type of the request parameter and the name of the request parameter;
after creating the taint source event structure, the method comprises: saving the second zval structure address of the return value of the operation function and the corresponding taint source event structure into the taint propagation table;
after creating the taint propagation event structure, the method comprises: saving the third zval structure address of the return value of the propagation function and the corresponding taint propagation event structure into the taint propagation table;
after creating the taint convergence event structure, the method comprises: saving the fourth zval structure address of the parameter of the risk function and the corresponding taint convergence event structure into the taint propagation table.
6. The method of claim 2, wherein monitoring the operation function corresponding to the opcode and judging whether it is a taint source event comprises:
monitoring, through the first probe, the operation function corresponding to the opcode, acquiring the parameters and return value of the operation function, and judging whether the return value of the operation function is of string type and whether it carries a taint source mark.
7. The method of claim 2, wherein monitoring the propagation function and judging whether it is a taint propagation event comprises:
monitoring the propagation function through the first probe or the second probe, acquiring the parameters and return value of the propagation function, and judging whether the parameters of the propagation function are of string type and whether they carry a taint propagation mark.
8. The method of claim 7, wherein monitoring the propagation function through the first probe or the second probe comprises:
monitoring, through the first probe, an operation function corresponding to the opcode, wherein the operation function comprises a first propagation function for string concatenation;
or,
monitoring a PHP internal function through the second probe, wherein the PHP internal function comprises a second propagation function for string operations.
9. The method according to claim 2, wherein monitoring the risk function corresponding to the opcode and judging whether it is a taint convergence event comprises:
monitoring, through the first probe, the risk function corresponding to the opcode, acquiring the parameters of the risk function, and judging whether the parameters of the risk function are of string type and whether they carry a taint propagation mark.
10. The method of claim 5, wherein the taint source event structure comprises:
taint source parameter information, taint event type, call stack information, operation function name, parameters of the operation function, return value of the operation function, and stack trace information;
and obtaining the taint source parameter information comprises:
looking up the corresponding request parameter in the taint propagation table by the parameters of the operation function, taking the type of the corresponding request parameter as the type of the taint source parameter, and taking the name of the corresponding request parameter as the name of the taint source parameter.
11. The method of claim 10, wherein the taint propagation event structure comprises:
taint event type, call stack information, propagation function name, parameters of the propagation function, return value of the propagation function, stack trace information, and propagation parent event information;
and acquiring the propagation parent event information comprises:
looking up the return value of the corresponding operation function in the taint propagation table by the parameters of the propagation function, and acquiring the corresponding second zval structure address and the corresponding taint source event structure through the return value of the operation function.
12. The method of claim 11, wherein the taint convergence event structure comprises:
taint event type, call stack information, risk function name, parameters of the risk function, return value of the risk function, stack trace information, and convergence parent event information;
and acquiring the convergence parent event information comprises:
looking up the return value of the corresponding propagation function in the taint propagation table by the parameters of the risk function, and acquiring the corresponding third zval structure address and the corresponding taint propagation event structure through the return value of the propagation function.
13. The method of claim 12, wherein constructing the taint propagation link from the taint source event structure, the taint propagation event structure and the taint convergence event structure comprises:
looking up in the taint propagation table and acquiring the taint convergence event structure corresponding to the parameters of the risk function; looking up in the taint propagation table and acquiring the corresponding taint propagation event structure through the convergence parent event information in the acquired taint convergence event structure; looking up in the taint propagation table and acquiring the corresponding taint source event structure through the propagation parent event information in the acquired taint propagation event structure;
and sequentially querying and acquiring the taint source parameter information, call stack information, operation function name, parameters of the operation function, return value of the operation function and stack trace information in the taint source event structure, then the call stack information, propagation function name, parameters of the propagation function, return value of the propagation function and stack trace information in the taint propagation event structure, and then the call stack information, risk function name, parameters of the risk function, return value of the risk function and stack trace information in the taint convergence event structure, and connecting them in sequence to generate the taint propagation link.
14. The method of any of claims 10-13, wherein the stack trace information comprises: the first line of the current call stack.
15. A code vaccine based runtime vulnerability analysis apparatus, comprising:
a parsing module, configured to parse request information, the request information including: request parameters, url, and request method;
a marking module, configured to perform taint source marking and taint propagation marking on the request parameters, to remove the taint source mark from the return value of the operation function after a taint source event has been judged, and to perform taint propagation marking on the return value of the propagation function after a taint propagation event has been judged;
a first monitoring module, configured to monitor an operation function corresponding to the opcode and judge whether the operation function is a taint source event; if yes, create a taint source event structure;
a second monitoring module, configured to monitor the propagation function and judge whether the propagation function is a taint propagation event; if yes, create a taint propagation event structure;
a third monitoring module, configured to monitor a risk function corresponding to the opcode and judge whether the risk function is a taint convergence event; if yes, create a taint convergence event structure;
and a construction module, configured to construct a taint propagation link according to the taint source event structure, the taint propagation event structure and the taint convergence event structure.
16. An electronic device comprising a memory storing a computer program and a processor executing the method of any of claims 1 to 13 when the computer program is run.
17. A readable storage medium, characterized in that it has stored therein a computer program which, when run on a processor, performs the method of any of claims 1 to 13.
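The marking, probe and link-construction steps of claims 1, 5 and 10-13 (and the trace-back described in the embodiment above), as an added example that is not the patent's code: a C model in which the Zend probes become direct calls to on_function(), zval addresses become the addresses of ordinary slots, and the opcode and function names (ZEND_FETCH_DIM_R, ZEND_CONCAT, mysqli_query), file positions and request values are constructed labels chosen here.

```c
/* Added example, not the patent's code: a model of the taint propagation table
 * and the three event structures. Zend probes become direct calls to
 * on_function(); zval addresses become addresses of ordinary slots. */
#include <stdio.h>
#include <string.h>

enum kind { T_PARAM, T_SOURCE, T_PROP, T_SINK };

struct taint_event {                    /* claims 10-12 */
    enum kind type;
    char func[32], param[64], ret[64];  /* function name, parameter, return value */
    char stack[64];                     /* first line of the call stack (claim 14) */
    char src_name[16], src_type[16];    /* taint source parameter info (source only) */
    int parent;                         /* parent event index, -1 for a source event */
};
/* Taint propagation table (claim 5): zval address -> request parameter info,
 * or the event whose return value is stored at that address. */
struct table_entry { const void *zval; enum kind kind; int event; char name[16], ptype[16]; };

static struct taint_event events[16];
static struct table_entry table[32];
static int n_events, n_entries;
static char zv[8];                      /* stand-in "zval" slots; only addresses are used */
static char link_buf[512];

static int lookup(const void *zval) {
    for (int i = 0; i < n_entries; i++) if (table[i].zval == zval) return i;
    return -1;
}
static void bind(const void *zval, enum kind k, int ev, const char *name, const char *ptype) {
    struct table_entry *e = &table[n_entries++];
    memset(e, 0, sizeof *e);
    e->zval = zval; e->kind = k; e->event = ev;
    if (name) strncpy(e->name, name, 15);
    if (ptype) strncpy(e->ptype, ptype, 15);
}
/* Taint source marking of a string request parameter (claims 4-5). */
void mark_request_param(const void *zval, const char *name, const char *ptype) {
    bind(zval, T_PARAM, -1, name, ptype);
}
/* Probe callback for an operation (T_SOURCE), propagation (T_PROP) or risk
 * (T_SINK) function. A source event needs a marked request parameter (claims
 * 6, 10); propagation and convergence events need a parameter that carries an
 * earlier event's mark (claims 7, 9, 11, 12). Returns the event index or -1. */
int on_function(enum kind k, const char *func, const void *param_zval,
                const char *param, const void *ret_zval, const char *ret,
                const char *stack) {
    int i = lookup(param_zval);
    if (i < 0 || n_events >= 16 || n_entries >= 32) return -1;
    if (k == T_SOURCE ? (table[i].kind != T_PARAM) : (table[i].kind == T_PARAM)) return -1;
    struct taint_event *ev = &events[n_events];
    memset(ev, 0, sizeof *ev);
    ev->type = k; ev->parent = table[i].event;    /* -1 for a source event */
    strncpy(ev->func, func, 31); strncpy(ev->param, param, 63);
    strncpy(ev->ret, ret ? ret : "", 63); strncpy(ev->stack, stack, 63);
    if (k == T_SOURCE) {                          /* claim 10: source parameter info */
        strncpy(ev->src_name, table[i].name, 15);
        strncpy(ev->src_type, table[i].ptype, 15);
    }
    if (k != T_SINK) bind(ret_zval, k, n_events, NULL, NULL); /* mark the return value */
    return n_events++;
}
/* Claim 13: trace back sink -> propagation -> source through the parent links
 * and write the taint propagation link in source-to-sink order. Returns the
 * number of events in the link, or 0 when sink is not a convergence event. */
int build_link(int sink, char *out, size_t cap) {
    int chain[16], n = 0;
    if (sink < 0 || sink >= n_events || events[sink].type != T_SINK) return 0;
    for (int e = sink; e >= 0 && n < 16; e = events[e].parent) chain[n++] = e;
    struct taint_event *src = &events[chain[n - 1]];
    int len = snprintf(out, cap, "%s %s", src->src_type, src->src_name);
    for (int j = n - 1; j >= 0 && len < (int)cap; j--) {
        struct taint_event *ev = &events[chain[j]];
        len += snprintf(out + len, cap - len, " -> %s(%s)%s%s [%s]", ev->func,
                        ev->param, ev->ret[0] ? "=" : "", ev->ret, ev->stack);
    }
    return n;
}
int main(void) {   /* constructed request GET /item.php?id=42 reaching a query */
    mark_request_param(&zv[0], "id", "GET");
    on_function(T_SOURCE, "ZEND_FETCH_DIM_R", &zv[0], "$_GET['id']", &zv[1], "42", "item.php:3");
    on_function(T_PROP, "ZEND_CONCAT", &zv[1], "42", &zv[2], "SELECT name FROM item WHERE id=42", "item.php:4");
    int k = on_function(T_SINK, "mysqli_query", &zv[2], "SELECT name FROM item WHERE id=42", NULL, NULL, "item.php:5");
    printf("%d events: %s\n", build_link(k, link_buf, sizeof link_buf), link_buf);
    return 0;
}
```

A value whose zval address is not in the table, or a request parameter fed straight to a propagation function without passing through an operation function, produces no event, which is what keeps the link anchored to a real source event.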
CN202310440050.0A 2023-04-23 2023-04-23 Runtime vulnerability analysis method and device based on code vaccine Active CN116167058B (en)
Publications (2)

Publication Number Publication Date
CN116167058A true CN116167058A (en) 2023-05-26
CN116167058B CN116167058B (en) 2023-06-30
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant