CN116484378A - Vulnerability analysis method and device and electronic equipment - Google Patents


Info

Publication number
CN116484378A
Authority
CN
China
Prior art keywords
vulnerability
software
interface
analysis report
information
Legal status
Pending
Application number
CN202310125553.9A
Other languages
Chinese (zh)
Inventor
刘显扬
Current Assignee
XFusion Digital Technologies Co Ltd
Original Assignee
XFusion Digital Technologies Co Ltd
Application filed by XFusion Digital Technologies Co Ltd
Priority to CN202310125553.9A
Publication of CN116484378A
Legal status: Pending


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

The embodiment of the application provides a vulnerability analysis method comprising the following steps: obtaining vulnerability information for each piece of open source software in the target software; determining, based on a trained model, the function in the vulnerability information that can trigger the vulnerability; judging whether the target software carries the interface, based on the interface where the function capable of triggering the vulnerability is located in the source code of the corresponding open source software and on the compiled file of the target software, wherein the plurality of interfaces included in the open source software are recorded in the compiled file; and outputting a vulnerability analysis report of the target software, which indicates whether a function capable of triggering the vulnerability is carried in the target software. The method provided by the embodiment of the application can improve the efficiency of vulnerability analysis.

Description

Vulnerability analysis method and device and electronic equipment
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a vulnerability analysis method, a vulnerability analysis device, and an electronic device.
Background
Embedded software is the operating system and development tool software embedded in hardware, and it typically comprises many pieces of software, a large share of which are open source. When embedded software is formally released as commercial software, the impact of vulnerabilities in that commercial software needs to be analyzed. When an analyst examines the released software, the analysis time grows because of the large number of vulnerabilities, the complexity of the scenarios in which they are triggered, or the analyst's unfamiliarity with the code of the open source software it contains. How to improve the efficiency of vulnerability analysis is therefore a technical problem to be solved.
Disclosure of Invention
To solve the problems in the prior art, embodiments of the present application provide a vulnerability analysis method, device, electronic apparatus, computer storage medium, and product containing a computer program, which can improve vulnerability analysis efficiency.
In a first aspect, the present application provides a vulnerability analysis method, including: obtaining vulnerability information for each piece of open source software in the target software; determining, based on a trained model, the function in the vulnerability information that can trigger the vulnerability; judging whether the target software carries the interface, based on the interface where the function capable of triggering the vulnerability is located in the source code of the corresponding open source software and on the compiled file of the target software; and outputting a vulnerability analysis report of the target software, which indicates whether a function capable of triggering the vulnerability is carried in the target software.
In this way, the function that can trigger the vulnerability is extracted from the vulnerability information of the open source software referenced by the target software, the interface in which that function is located in the open source software is then obtained, and whether that interface appears in the compiled file of the target software is judged, which determines whether the function capable of triggering the vulnerability is referenced in the target software. The vulnerability can thus be analyzed by a program, and the efficiency of vulnerability analysis is improved.
In some possible implementations, outputting the vulnerability analysis report of the target software specifically includes: querying, based on the identifier of the interface, the mapping between the identifier of the interface and the identifier of the functional module to which the interface belongs, to obtain the identifier of that functional module; judging, for each functional module, whether its identifier is located in the compiled file; and recording the first judgment result obtained in the vulnerability analysis report and outputting the report.
In some possible implementations, the method further includes: when the first judgment result for a first functional module is that it is in the compiled file, judging whether the identifier of the first interface associated with the first functional module is in the compiled file, where the first functional module is any one of the functional modules; and recording the second judgment result obtained in the vulnerability analysis report.
In this way, when the target software references the functional module corresponding to the interface where the function that can trigger the vulnerability is located, that functional module can be recorded in the vulnerability analysis report to prompt the analyst.
In some possible implementations, the method further includes: when the identifier of the first interface associated with the first functional module is located in the compiled file, recording the service associated with the first interface in the vulnerability analysis report.
In this way, when the interface where the function that may trigger the vulnerability is located is determined to be referenced by the target software, the service that uses that interface in the target software can be recorded in the vulnerability analysis report, to show the analyst how far the vulnerability reaches.
In some possible implementations, outputting the vulnerability analysis report of the target software specifically includes: judging, for each interface, whether its identifier is located in the compiled file; and recording the third judgment result obtained in the vulnerability analysis report and outputting the report.
Thus, even though the target software references the functional module corresponding to the interface where the function that can trigger the bug is located, the function has no effect on the target software if that interface is not used in the normal operation of the target software. This can make the vulnerability analysis more accurate.
In some possible implementations, the method further includes: when the identifier of a second interface is located in the compiled file, recording the service associated with the second interface in the vulnerability analysis report, where the second interface is any one of the interfaces.
In some possible implementations, the target software is embedded software.
In some possible implementations, the method includes: processing the vulnerability information to obtain the target vulnerabilities contained in it, where the target vulnerabilities include information-leakage vulnerabilities and/or disputed vulnerabilities, a disputed vulnerability being one that has occurred at least once but cannot be reproduced; and recording the target vulnerabilities in the vulnerability analysis report.
Thus, more comprehensive vulnerability information is put into the vulnerability analysis report, making the report more complete.
In some possible implementations, the method further includes: processing the vulnerability information to obtain the vulnerability data contained in it, where the vulnerability data includes at least one of the scenario that triggers the vulnerability, the software versions affected by it, and its patch information; and recording the vulnerability data in the vulnerability analysis report.
In a second aspect, the application provides a vulnerability analysis device including an acquisition module and a processing module. The acquisition module is used to obtain vulnerability information for each piece of open source software in the target software. The processing module is used to determine, based on the trained model, the function in the vulnerability information that can trigger the vulnerability; to judge whether the target software carries that function, based on the interface where the function is located in the source code of the corresponding open source software and on the compiled file of the target software; and to output a vulnerability analysis report of the target software indicating whether a function capable of triggering the vulnerability is carried in the target software.
In some possible implementations, the processing module is further configured to query, based on the identifier of the interface, the mapping between the identifier of the interface and the identifier of the functional module to which the interface belongs, to obtain the identifier of that functional module; to judge, for each functional module, whether its identifier is located in the compiled file; and to record the first judgment result obtained in the vulnerability analysis report and output the report.
In some possible implementations, the processing module is further configured to judge, when the first judgment result for a first functional module is that it is in the compiled file, whether the identifier of the first interface associated with the first functional module is in the compiled file, where the first functional module is any one of the functional modules; and to record the second judgment result obtained in the vulnerability analysis report.
In some possible implementations, the processing module is further configured to record, when the identifier of the first interface associated with the first functional module is located in the compiled file, the service associated with the first interface in the vulnerability analysis report.
In some possible implementations, the processing module is further configured to judge, for each interface, whether its identifier is located in the compiled file; and to record the third judgment result obtained in the vulnerability analysis report and output the report.
In some possible implementations, the processing module is further configured to record, when the identifier of a second interface is located in the compiled file, the service associated with the second interface in the vulnerability analysis report, where the second interface is any one of the interfaces.
In some possible implementations, the target software is embedded software.
In some possible implementations, the processing module is further configured to process the vulnerability information to obtain the target vulnerabilities contained in it, where the target vulnerabilities include information-leakage vulnerabilities and/or disputed vulnerabilities, a disputed vulnerability being one that has occurred at least once but cannot be reproduced; and to record the target vulnerabilities in the vulnerability analysis report.
In some possible implementations, the processing module is further configured to process the vulnerability information to obtain the vulnerability data contained in it, where the vulnerability data includes at least one of the scenario that triggers the vulnerability, the software versions affected by it, and its patch information; and to record the vulnerability data in the vulnerability analysis report.
In a third aspect, the present application provides a computer readable storage medium comprising computer readable instructions which, when read and executed by a computer, cause the computer to perform the method of any of the first aspects.
In a fourth aspect, the present application provides an electronic device comprising a processor and a memory, wherein the memory has stored therein computer program instructions which, when executed by the processor, perform the method of any of the first aspects.
In a fifth aspect, the present application provides a product comprising a computer program which, when run on a processor, causes the processor to perform the method according to any of the first aspects.
It will be appreciated that the advantages of the second to fifth aspects may be found in the relevant description of the first aspect, and are not described here again.
Drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. The drawings described below show only some embodiments of the present invention; a person skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a schematic diagram of embedded software according to an embodiment of the present application;
FIG. 2 is a schematic diagram of a vulnerability analysis method according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a process for obtaining a vulnerability analysis report according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a vulnerability analysis apparatus provided in an embodiment of the present application;
FIG. 5 is a schematic diagram of a computing device provided in an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments are described clearly and completely below with reference to the accompanying drawings. The described embodiments are some, but not all, of the embodiments of the present invention. All other embodiments that a person skilled in the art can derive from them without inventive effort fall within the scope of the invention.
The term "and/or" herein describes an association between the associated objects and covers three relationships; for example, "A and/or B" may mean: A alone, A and B together, or B alone. The symbol "/" herein indicates an "or" relationship between the associated objects; for example, A/B indicates A or B.
The terms "first", "second" and the like in the description and in the claims are used to distinguish different objects, not to describe a particular order of objects. For example, a first response message and a second response message are used to distinguish different response messages, not to describe a particular order of response messages.
In the embodiments of the present application, words such as "exemplary" or "for example" mean serving as an example, illustration, or description. Any embodiment or design described herein as "exemplary" or "for example" should not be construed as preferred or advantageous over other embodiments or designs. Rather, such words are intended to present related concepts in a concrete fashion.
In the description of the embodiments of the present application, unless otherwise specified, "a plurality of" means two or more; for example, a plurality of processing units means two or more processing units, and a plurality of elements means two or more elements.
For the purpose of facilitating an understanding of the embodiments of the present application, reference will now be made to the following description of specific embodiments, taken in conjunction with the accompanying drawings, which are not intended to limit the embodiments of the invention.
First, technical terms related to the present application will be described:
1. Embedded software refers to the system software and application software embedded in a special-purpose computer system that performs dedicated functions. Embedded software generally references multiple pieces of open source software.
2. Vulnerabilities are flaws in the specific implementation of hardware, software, protocols, or system security policies that may enable an attacker to access or damage the system without authorization.
3. Natural language processing (NLP) is an important direction in computer science and artificial intelligence. It studies theories and methods that enable effective communication between a person and a computer in natural language. NLP can be used for text classification, text semantic comparison, and the like.
Next, the technical solution provided in the embodiments of the present application will be described.
By way of example, FIG. 1 shows a schematic diagram of embedded software. As shown in FIG. 1 (A), the embedded software may include system software, several pieces of self-developed software, and several pieces of referenced open source software. Each piece of open source software may include several modules, each implementing a different function. For example, as shown in FIG. 1 (B), open source software A may include two modules, a and b: module a implements the registration function and module b implements the login function. When the embedded software references open source software, it may reference all of it or only part of it. For example, as shown in FIG. 1 (C), when the embedded software references open source software A in full, it can implement both the registration function of module a and the login function of module b. As another example, as shown in FIG. 1 (D), when the embedded software needs only the registration function and not the login function, it may reference only module a of open source software A and not module b. Note that this embodiment is described with module a and module b each implementing one function; in actual use each module may implement several functions, and a module may be understood as a collection of functions.
After a piece of open source software is released, its vulnerabilities are progressively exposed as users exercise it more deeply. These discovered vulnerabilities are in turn fixed by patches released by the open source software's maintainers or corrected in later versions. But while a new version corrects the vulnerabilities of the old one, it also introduces new vulnerabilities and errors. Over time, old vulnerabilities keep disappearing and new ones keep appearing, so vulnerability issues persist for long periods. Consequently, when embedded software references open source software that has a vulnerability, that vulnerability may be introduced into the embedded software.
Existing vulnerability publishing websites generally describe vulnerabilities of open source software. But when embedded software references open source software, it may not reference the module of the open source software that has the vulnerability. For example, referring again to FIG. 1, open source software A shown in FIG. 1 (B) has two modules, where module a has no vulnerability and module b has one; when the embedded software shown in FIG. 1 (D) references open source software A, only module a is referenced, so the vulnerability of open source software A does not affect the embedded software. Therefore, when embedded software is released, all referenced code that has vulnerabilities needs to be analyzed. When analysts do this one vulnerability at a time, the time cost rises sharply because of the large number of vulnerabilities and the complexity of their scenarios.
In view of this, the embodiment of the present application provides a vulnerability analysis method that first processes the vulnerability information of the open source software referenced by the target software to obtain the function, indicated in each item of vulnerability information, that may trigger the vulnerability; it then judges whether the interface and functional module of the open source software that contain that function are used in the target software. When the target software uses them, its security is affected. The judgment results are recorded in a vulnerability analysis report so that a developer can maintain the target software according to it. The target software may be, for example, embedded software. By way of illustration, FIG. 2 shows the vulnerability analysis method. The method may be performed by any apparatus, device, platform, or cluster of devices having computing and processing capabilities. As shown in FIG. 2, the vulnerability analysis method may include the following steps:
s201: and obtaining vulnerability information of each open source software in the target software.
In this embodiment, the vulnerability information of the open source software may be obtained on the official network of each open source software, or may be obtained on the vulnerability information publishing website. For example, the open source software referenced in the target software is OpenSSL software, and there is a news column in the public network of OpenSSL, under which there is vulnerability information issued by OpenSSL. Therefore, the vulnerability information of the open source software can be obtained in the official network of OpenSSL.
S202: based on the training model, a function capable of triggering the loopholes in the loophole information is determined.
In this embodiment, after obtaining the vulnerability information, each vulnerability information may be processed through a pre-trained data processing model, so as to obtain a function capable of triggering the vulnerability indicated in each vulnerability information. The data processing model can select a neural network model or a natural language processing model.
For example, after obtaining the vulnerability information of the vulnerability, the vulnerability information of the vulnerability can be processed by using a pre-trained natural language processing model to obtain a function indicated in the high vulnerability information, which can trigger the vulnerability, and the function is a bn_mod_sqrt () function.
In some embodiments, the data processing model is a natural language processing model. When training the natural language processing model, a large amount of vulnerability information can be acquired on a vulnerability publishing website, and the vulnerability information is used as a corpus text. Then, the keywords in each vulnerability information are labeled so that the natural language processing model can learn these contents from the labels. And training a natural language processing model by using the labeled corpus text. After the natural language processing model is sufficiently trained, a trained processing model can be obtained, and the processing model can process the vulnerability information to obtain codes which are indicated in the vulnerability information and can trigger the vulnerability. Illustratively, the natural language processing model may be a Word vector model Word2Vec.
S203: based on the interface where the function capable of triggering the loophole is located in the corresponding source code of the open source software and the compiling file of the target software, outputting a loophole analysis report of the target software, wherein the loophole analysis report indicates whether the target software carries the function capable of triggering the loophole. The compiled file is a building script (e.g., makefile), in which a plurality of interfaces required for implementing the software and functional modules included in the software are stored, and one functional module corresponds to at least one interface, which interface is used for implementing the functional module.
In some embodiments, performing vulnerability analysis on the target software based on an interface where a function capable of triggering vulnerability is located in a source code of the corresponding open source software and a compiled file of the target software to obtain a vulnerability analysis report of the target software, which specifically includes:
and respectively judging whether the identifiers of the interfaces are positioned in the compiled file, and recording the obtained third judging results in a vulnerability analysis report. The third determination result is used for indicating whether the interface capable of triggering the vulnerability is in the compiled file.
In this embodiment, after a function that may trigger a bug is obtained, the function that may trigger a bug may be used as a search condition to search a source code of open source software where the function is located, so as to obtain an interface where the function is located in the source code. For example, the source code of the open source software may be searched in a content matching manner, may be searched in a regular expression manner, or may be searched by using existing software. Then, the interface identifier of the interface can be used as a matching condition to be matched with the content of the compiled file of the target software. And recording the matching result in a vulnerability analysis report of the target software, wherein the matching result is the third judgment result. The result of the matching may include both success and unsuccessful. A successful match indicates that an interface is used in the target software that contains a function that may trigger a vulnerability that may have an impact on the target software. An unsuccessful match indicates that no interface is used in the target software that contains a function that may trigger the vulnerability, i.e., no function that may trigger the vulnerability is used, and that function will not affect the target software. Both of these cases are recorded in the vulnerability analysis report.
For example, when a vulnerability of OpenSSL software is obtained, which may be triggered by the bn_mod_sqrt () function, "bn_mod_sqrt" may be used as a search condition to search for OpenSSL source code using the Doxygen tool. After searching, the interface where the bn_mod_sqrt () function is located is bn_mod_sqrt () (the function name is identical to the interface meaning that the function is an interface function). Next, using "bn_mod_sqrt" as a matching condition, matching is performed with the content described in the compiled file of the target software. When the matching is successful, it indicates that the bn_mod_sqrt () function is used in the target software, so that the vulnerability may be triggered, and the security of the target software is affected. When the match is unsuccessful, indicating that the bn_mod_sqrt () function is not used in the target software, the vulnerability will not have an effect on the target software. Both of these cases are recorded in the vulnerability analysis report.
In some embodiments, when the identifier of the second interface is located in the compiled file, the service associated with the second interface is recorded in the vulnerability analysis report, and the second interface is any one of the interfaces.
In this embodiment, when the interface identifier is successfully matched in the compiled file of the target software, it indicates that the target software references the interface that may trigger the vulnerability, so that the service associated with the interface is affected. And acquiring the service of the interface identifier according to the interface identifier, and recording the service associated with the interface in a vulnerability analysis report.
In some embodiments, when the module of the open source software referred by the target software may not include the interface where the function triggering the bug is located, the module where the function triggering the bug is located may be further obtained, and based on the identifier of the module and the compiled file of the target software, the bug analysis is performed on the target software, so as to obtain a bug analysis report of the target software.
By way of example, FIG. 3 illustrates a process for obtaining a vulnerability analysis report. As shown in fig. 3, performing vulnerability analysis on the target software based on the interface where each function is located in the source code of the corresponding open source software and the compiled file of the target software to obtain a vulnerability analysis report of the target software may specifically include:
s301: and inquiring the mapping relation between the identification of the interface and the identification of the functional module to which the interface belongs based on the identification of each interface to obtain the identification of the functional module to which each interface belongs.
In this embodiment, the function module and the interface included in the function module are stored in the compiled file of the open source software, so that after the interface identifier of the interface is obtained, the interface identifier is used as a search condition to search the content in the compiled file of the open source software, so as to obtain the identifier of the function module. The identification may be a name, for example.
For example, the function module BN and the interface bn_mod_sqrt included in the function module BN are stored in the compiled file of the open source software OpenSSL. After acquiring the function bn_mod_sqrt () which may trigger the loophole, acquiring the interface bn_mod_sqrt where the function is located according to the function. At this time, the identifier (name) of the interface may be used as a search condition to search the content in the compiled file of OpenSSL, thereby obtaining the name "BN" of the functional module.
S302: and respectively judging whether the identification of each functional module is positioned in the compiling file of the target software.
In this embodiment, after the identifier of the functional module is obtained, the identifier of the functional module may be used as a matching condition to match with the content in the compiled file of the target software. And when the matching is successful, determining that the identification of the functional module is positioned in the compiled file of the target software. When the matching is unsuccessful, the identification of the functional module is determined not to be located in the compiled file of the target software.
S303: and recording the obtained first judgment results in a vulnerability analysis report.
In this embodiment, when the matching is successful, it is determined that the identifier of the functional module is located in the compiled file of the target software, which indicates that a function that may trigger a bug is referenced in the target software. The target software at this time may have a potential safety hazard that creates a vulnerability. When the matching is unsuccessful, determining that the identification of the functional module is not located in the compiled file of the target software, and indicating that no function which can trigger loopholes is referenced in the target software. At this time, the open source software has a vulnerability, but the vulnerability does not affect the target software. All the judging results are recorded in a vulnerability analysis report. The first judging result is used for indicating whether the first functional module is located in the compiling file or not. At this time, it may be recorded in the vulnerability analysis report that the target software uses a function module corresponding to the interface where the function that may trigger the vulnerability is located, where the function that may trigger the vulnerability may affect the target software.
In some embodiments, when the first determination result corresponding to the first functional module is in the compiled file, determining whether the identifier of the first interface associated with the first functional module is in the compiled file, where the first functional module is any one of the functional modules; and recording the obtained second judgment result in a vulnerability analysis report. The second judging result is used for indicating whether the first interface is located in the compiled file or not under the condition that the first functional module is located in the compiled file. At this time, it may be recorded in the vulnerability analysis report that the target software uses the function module corresponding to the interface where the function that may trigger the vulnerability is located, but the function that may trigger the vulnerability will not affect the target software.
In this embodiment, a functional module may consist of multiple interfaces, and although the target software references a functional module that may trigger the vulnerability, the interface where the function that may trigger the vulnerability is located may not be used. Therefore, when the identifier of the functional module is determined to be located in the compiled file of the target software (the match succeeds, that is, the first judgment result corresponding to the functional module is that it is located in the compiled file), the interface identifier of the interface where the function that triggers the vulnerability is located may be used as a matching condition to match against the content of the compiled file of the target software. The matching result is recorded in the vulnerability analysis report.
In some embodiments, when the identification of the first interface associated with the first functional module is located in the compiled file of the target software, the business associated with the first interface is recorded in the vulnerability analysis report.
In this embodiment, when the interface identifier is successfully matched in the compiled file of the target software, the target software references the interface that may trigger the vulnerability, so the service associated with that interface is affected. The service is then looked up by the interface identifier, and the service associated with the interface is recorded in the vulnerability analysis report.
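The module-level and interface-level judgments of steps S301 to S303, together with the interface and service checks that follow them, worked as an added example in Python (this is not code from the patent or from its assignee). The function-to-interface and interface-to-module tables, the service names, the placeholder vulnerability ids and the symbol list standing in for the target software's compiled file are all constructed; `analyze`, `ReportEntry` and `report_by_id` are hypothetical names.

```python
"""Added example: the two-level matching of steps S301-S303 and the service
lookup that follows, run over constructed data. Every table, symbol and name
below is constructed for illustration and is not taken from the patent."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed stand-ins for what the patent derives from the Doxygen search and
# from the open source software's compiled file. Real OpenSSL has far more entries.
FUNCTION_TO_INTERFACE: Dict[str, str] = {
    "bn_mod_sqrt": "bn_mod_sqrt",             # same name: the function is itself an interface
    "x509_verify_chain": "X509_verify_cert",  # constructed internal helper behind an interface
    "evp_decrypt_block": "EVP_DecryptUpdate", # constructed
}
INTERFACE_TO_MODULE: Dict[str, str] = {
    "bn_mod_sqrt": "BN", "BN_add": "BN", "BN_mul": "BN",
    "X509_verify_cert": "X509", "X509_get_subject_name": "X509",
    "EVP_DecryptUpdate": "EVP", "EVP_EncryptUpdate": "EVP",
}
# Constructed: which service (business) of the target software calls each interface.
INTERFACE_TO_SERVICE: Dict[str, str] = {
    "bn_mod_sqrt": "TLS handshake",
    "X509_verify_cert": "certificate validation",
    "EVP_DecryptUpdate": "firmware image decryption",
}
# Constructed output of the "training model" step: vulnerability id -> trigger function.
# CVE-2022-0778 is the bn_mod_sqrt example used on the page; the other ids are placeholders.
CONSTRUCTED_VULNS: Dict[str, str] = {
    "CVE-2022-0778": "bn_mod_sqrt",
    "CVE-0000-0001": "x509_verify_chain",
    "CVE-0000-0002": "evp_decrypt_block",
}
# Constructed identifier set extracted from the target software's compiled file
# (the kind of list a linker map or `nm` would give).
CONSTRUCTED_TARGET_SYMBOLS: Set[str] = {
    "main", "BN_add", "BN_mul", "EVP_EncryptUpdate", "EVP_DecryptUpdate",
}


@dataclass
class ReportEntry:
    vuln_id: str
    function: str
    interface: str
    module: str
    module_referenced: bool               # first judgment result (S302/S303)
    interface_referenced: Optional[bool]  # second judgment result; None when module absent
    affected_service: Optional[str]
    conclusion: str


def module_interfaces(module: str) -> Set[str]:
    """S301 in reverse: all interfaces belonging to one functional module."""
    return {iface for iface, mod in INTERFACE_TO_MODULE.items() if mod == module}


def analyze(vulns: Dict[str, str], target_symbols: Set[str]) -> List[ReportEntry]:
    """Build the vulnerability analysis report entries, one per trigger function."""
    report: List[ReportEntry] = []
    for vuln_id, func in vulns.items():
        interface = FUNCTION_TO_INTERFACE.get(func, func)  # unknown => function is the interface
        module = INTERFACE_TO_MODULE[interface]             # S301 mapping lookup
        # S302: the module counts as "located in the compiled file" when at least one of
        # its interfaces appears among the target software's symbols (an assumption here).
        module_ref = bool(module_interfaces(module) & target_symbols)
        if not module_ref:
            report.append(ReportEntry(vuln_id, func, interface, module, False, None, None,
                "module not referenced: vulnerability does not affect the target software"))
            continue
        # Second judgment: the module is used, but is the vulnerable interface itself used?
        iface_ref = interface in target_symbols
        if not iface_ref:
            report.append(ReportEntry(vuln_id, func, interface, module, True, False, None,
                "module referenced but vulnerable interface not used: no impact"))
            continue
        service = INTERFACE_TO_SERVICE.get(interface)
        report.append(ReportEntry(vuln_id, func, interface, module, True, True, service,
            f"vulnerable interface referenced: service '{service}' affected"))
    return report


def report_by_id(vulns: Dict[str, str] = CONSTRUCTED_VULNS,
                 symbols: Set[str] = CONSTRUCTED_TARGET_SYMBOLS) -> Dict[str, ReportEntry]:
    """Convenience view of the report keyed by vulnerability id."""
    return {entry.vuln_id: entry for entry in analyze(vulns, symbols)}


if __name__ == "__main__":
    for entry in analyze(CONSTRUCTED_VULNS, CONSTRUCTED_TARGET_SYMBOLS):
        print(f"{entry.vuln_id} [{entry.module}/{entry.interface}]: {entry.conclusion}")
```

With the constructed symbol list, the three entries exercise the three outcomes the text describes: module absent, module present but interface absent, and interface present with its service recorded.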
In some embodiments, when the foregoing step S202 is performed and the vulnerability information of the open source software is processed, it may be found that the vulnerability information does not include the code that triggers the vulnerability but does describe the situation in which the vulnerability is triggered. For example, the vulnerability information of CVE-2021-20322 does not include the code that triggers the vulnerability, but describes it as follows: "a defect was found in the way the Linux kernel functions handle received internet control message protocol (ICMP) errors (ICMP fragments and ICMP redirects are required), allowing open user datagram protocol (UDP) ports to be scanned quickly. This vulnerability allows an off-path remote user to effectively bypass source port UDP randomization." That is, the specific code triggering the vulnerability is not indicated in the vulnerability information, but it is indicated that UDP port information may be obtained through ICMP error messages. In other words, this vulnerability may cause certain information to leak, so its type may be called an information leakage type vulnerability. In this case, the manner in which the information leaks may be recorded in the vulnerability analysis report.
In some embodiments, when the foregoing step S202 is performed and the vulnerability information of the open source software is processed, information on which versions of the sub-software (the referenced open source software) are affected by the vulnerability may also be obtained from the vulnerability information. For example, the vulnerability information of CVE-2022-0778 in the OpenSSL software is described as "vulnerability affected versions 1.0.2, 1.1.1, 3.0", that is, the affected versions of OpenSSL are OpenSSL 1.0.2, OpenSSL 1.1.1 and OpenSSL 3.0. The information on which versions of the sub-software this vulnerability affects is recorded in the vulnerability analysis report.
In some embodiments, when the foregoing step S202 is performed and the vulnerability information of the open source software is processed, patch-related information included in the vulnerability information may also be obtained. For example, the vulnerability information of CVE-2022-1473 in the OpenSSL software states: "CVE-2022-1473 OpenSSL denial of service vulnerability: OpenSSL 3.0 users should upgrade to 3.0.3". That is, an official software version containing a patch in which the vulnerability has been resolved has been released. The patch-related information in the vulnerability information may be recorded in the vulnerability analysis report.
In some embodiments, when the foregoing step S202 is performed and the vulnerability information of the open source software is processed, the scenario in which the vulnerability included in the vulnerability information is triggered may also be obtained. For example, the vulnerability information of CVE-2022-1473 in the OpenSSL software describes it as follows: this functionality is used when decoding certificates or keys; if a long-running process periodically decodes certificates or keys, its memory usage will grow without bound and the process may be terminated by the operating system, resulting in a denial of service. This indicates that the vulnerability is triggered in a scenario where a process that periodically decodes certificates or keys is terminated by the operating system. The scenario in which this vulnerability may be triggered is recorded in the vulnerability analysis report.
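Extracting the affected versions, patch version and trigger scenario from vulnerability descriptions like the ones quoted in the preceding paragraphs, and then checking whether the OpenSSL version the target software references falls in the affected range, as an added example in Python (not code from the patent). The description strings are constructed paraphrases of the page's quotes, and `VulnData`, `extract_vuln_data`, `is_version_affected` and the regular expressions are hypothetical; the version comparison assumes OpenSSL's `major.minor.patch[letter]` scheme.

```python
"""Added example: pull the vulnerability data the report records (affected
versions, patch version, trigger scenario) out of free-text descriptions and
decide whether a referenced OpenSSL version is affected. All inputs are
constructed paraphrases of the page's quotes; names are hypothetical."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

AFFECTED_RE = re.compile(r"affected versions?\s+(\d[\d., ]*\d)", re.I)
BRANCH_UPGRADE_RE = re.compile(r"openssl\s*(\d+(?:\.\d+)*)\s+users?\s+should upgrade", re.I)
PATCH_RE = re.compile(r"upgrade to\s+(\d+(?:\.\d+)+[a-z]?)", re.I)
SCENARIO_RE = re.compile(r"(if a long[- ]running process[^.]*\.)", re.I)

# Constructed paraphrases of the descriptions quoted on the page.
CONSTRUCTED_DESCRIPTIONS = {
    "CVE-2022-0778": "OpenSSL infinite loop in bn_mod_sqrt. "
                     "Vulnerability affected versions 1.0.2, 1.1.1, 3.0",
    "CVE-2022-1473": "CVE-2022-1473 OpenSSL denial of service vulnerability: OpenSSL 3.0 "
                     "users should upgrade to 3.0.3. This functionality is used when decoding "
                     "certificates or keys; if a long-running process periodically decodes "
                     "certificates or keys, its memory usage will grow without bound and the "
                     "process may be terminated by the operating system, resulting in a "
                     "denial of service.",
}


@dataclass
class VulnData:
    affected_versions: List[str]      # version branches, e.g. "1.1.1" or "3.0"
    patch_version: Optional[str]      # first fixed release, if the description names one
    trigger_scenario: Optional[str]   # sentence describing when the vulnerability triggers


def parse_version(v: str) -> Tuple[Tuple[int, ...], str]:
    """'1.1.1k' -> ((1, 1, 1), 'k'); the tuples order like OpenSSL releases."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.group(1).split(".")), m.group(2)


def extract_vuln_data(description: str) -> VulnData:
    """Vulnerability data to record in the report, parsed from a description."""
    affected: List[str] = []
    m = AFFECTED_RE.search(description)
    if m:
        affected = [v.strip() for v in m.group(1).split(",") if v.strip()]
    m = BRANCH_UPGRADE_RE.search(description)   # "OpenSSL 3.0 users should upgrade"
    if m and m.group(1) not in affected:
        affected.append(m.group(1))
    patch = PATCH_RE.search(description)
    scenario = SCENARIO_RE.search(description)
    return VulnData(
        affected_versions=affected,
        patch_version=patch.group(1) if patch else None,
        trigger_scenario=scenario.group(1).strip() if scenario else None,
    )


def is_version_affected(version: str, data: VulnData) -> bool:
    """True when `version` lies on an affected branch and predates the patch."""
    nums, letter = parse_version(version)
    on_branch = False
    for branch in data.affected_versions:
        branch_nums, _ = parse_version(branch)
        if nums[:len(branch_nums)] == branch_nums:
            on_branch = True
            break
    if not on_branch:
        return False
    if data.patch_version is None:
        return True                     # no fix named: every release on the branch counts
    return (nums, letter) < parse_version(data.patch_version)


if __name__ == "__main__":
    for cve, text in CONSTRUCTED_DESCRIPTIONS.items():
        data = extract_vuln_data(text)
        print(cve, data, "1.1.1k affected:", is_version_affected("1.1.1k", data))
```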
In some embodiments, when the foregoing step S202 is performed and the vulnerability information of the open source software is processed, it may be found that the vulnerability is a disputed vulnerability. A disputed vulnerability is one that has occurred but cannot be reproduced by reconstructing the scenario, so that different people hold different views of it. A disputed vulnerability has no solution for the time being. Such a vulnerability may also be recorded in the vulnerability analysis report.
According to the foregoing embodiments, the vulnerability information corresponding to the open source software referenced by the target software is processed to obtain the function indicated in each piece of vulnerability information that can trigger the vulnerability; it is then judged whether the interface and functional module of the open source software that contain that function are used in the target software. When the target software uses the interface and functional module of the open source software that contain the function, the security of the target software is affected. The judgment result is recorded in a vulnerability analysis report so that developers can maintain the target software according to it. The work required from analysts during vulnerability analysis is therefore greatly reduced, and vulnerability analysis efficiency is improved.
It should be understood that the sequence numbers of the steps in the foregoing embodiments do not imply an order of execution; the execution order of the processes should be determined by their functions and internal logic, and should not be construed as limiting the implementation process of the embodiments of this application. In addition, in some possible implementations, each step in the foregoing embodiments may be selectively performed according to practical situations, either partially or entirely, which is not limited herein. All or part of any features of any of the embodiments of the present application may be freely and arbitrarily combined without conflict. The combined technical solution also falls within the scope of the application.
Based on the method in the above embodiment, the embodiment of the present application further provides a vulnerability analysis device.
Illustratively, FIG. 4 shows a vulnerability analysis apparatus. As shown in fig. 4, the vulnerability analysis apparatus 400 may include an acquisition module 410 and a processing module 420.
The obtaining module 410 is configured to obtain vulnerability information of each open source software in the target software. The processing module 420 is configured to determine, based on the training model, a function capable of triggering a vulnerability in the vulnerability information. The processing module 420 may also be configured to determine, based on the interface where the function capable of triggering the vulnerability is located in the source code of the corresponding open source software and on the compiled file of the target software, whether the target software carries the function capable of triggering the vulnerability. The processing module 420 may also be configured to output a vulnerability analysis report of the target software, where the vulnerability analysis report indicates whether the target software carries the function capable of triggering the vulnerability.
In some embodiments, the processing module 420 may be further configured to query, based on the identifier of the interface, the mapping relationship between the identifier of the interface and the identifier of the functional module to which the interface belongs, to obtain the identifier of the functional module to which the interface belongs; respectively judge whether the identifier of the functional module is located in the compiled file; and record the obtained first judgment result in the vulnerability analysis report and output the vulnerability analysis report.
In some embodiments, the processing module 420 may be further configured to determine whether the identifier of the first interface associated with the first functional module is located in the compiled file when the first determination result corresponding to the first functional module is located in the compiled file, where the first functional module is any one of the functional modules; and recording the obtained second judgment result in a vulnerability analysis report.
In some embodiments, the processing module 420 may be further configured to record the business associated with the first interface in the vulnerability analysis report when the identification of the first interface associated with the first functional module is located in the compiled file.
In some embodiments, the processing module 420 may be further configured to determine whether the identifier of the interface is located in the compiled file; recording the obtained third judgment result in a vulnerability analysis report, and outputting the vulnerability analysis report.
In some embodiments, the processing module 420 may be further configured to record, when the identifier of the second interface is located in the compiled file, a service associated with the second interface in the vulnerability analysis report, where the second interface is any one of the interfaces.
In some embodiments, the target software is embedded software.
In some embodiments, the processing module 420 may be further configured to process the vulnerability information to obtain a target vulnerability contained in the vulnerability information, where the target vulnerability includes information leakage type vulnerabilities and/or disputed type vulnerabilities, a disputed type vulnerability being a vulnerability that has occurred at least once and cannot be reproduced; the target vulnerability is recorded in the vulnerability analysis report.
In some embodiments, the processing module 420 may be further configured to process the vulnerability information to obtain vulnerability data contained in the vulnerability information, where the vulnerability data includes: at least one of a vulnerability triggering scene, a version of software affected by the vulnerability and patch information of the vulnerability; vulnerability data is recorded in a vulnerability analysis report.
It should be understood that, the foregoing apparatus is used to perform the method in the foregoing embodiment, and corresponding program modules in the apparatus implement principles and technical effects similar to those described in the foregoing method, and reference may be made to corresponding processes in the foregoing method for the working process of the apparatus, which are not repeated herein.
The present application also provides a computing device 500. As shown in fig. 5, the computing device 500 includes a bus 502, a processor 504, a memory 506, and a communication interface 508. The processor 504, memory 506, and communication interface 508 communicate with one another via the bus 502. Computing device 500 may be a server or a terminal device. It should be understood that the present application does not limit the number of processors or memories in computing device 500.
Bus 502 may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus, among others. Buses may be divided into address buses, data buses, control buses, and so on. For ease of illustration, only one line is shown in fig. 5, but this does not mean there is only one bus or only one type of bus. Bus 502 may include a path for transferring information between the various components of computing device 500 (e.g., memory 506, processor 504, communication interface 508).
The processor 504 may include any one or more of a central processing unit (central processing unit, CPU), a graphics processor (graphics processing unit, GPU), a Microprocessor (MP), or a digital signal processor (digital signal processor, DSP).
The memory 506 may include volatile memory, such as random access memory (RAM). The memory 506 may also include non-volatile memory, such as read-only memory (ROM), flash memory, a mechanical hard disk drive (HDD), or a solid state drive (SSD).
The memory 506 has stored therein executable program code that the processor 504 executes to implement the functions of the aforementioned acquisition module 410 and processing module 420, respectively, to implement all or part of the steps of the methods in the aforementioned embodiments. That is, the memory 506 has instructions stored thereon for performing all or part of the steps of the methods of the embodiments described above.
Alternatively, the memory 506 may store executable code, and the processor 504 executes the executable code to implement the functions of the vulnerability analysis apparatus 400, thereby implementing all or part of the steps of the methods in the foregoing embodiments. That is, the memory 506 has instructions stored thereon for performing all or part of the steps of the methods of the embodiments described above.
The communication interface 508 enables communication between the computing device 500 and other devices or communication networks using a transceiver module such as, but not limited to, a network interface card or a transceiver.
Based on the method in the above embodiment, the present application provides a computer-readable storage medium storing a computer program, which when executed on a processor, causes the processor to perform the method in the above embodiment.
Based on the methods in the above embodiments, the present application provides a computer program product, which when run on a processor causes the processor to perform the methods in the above embodiments.
It is to be appreciated that the processor in embodiments of the present application may be a central processing unit (central processing unit, CPU), but may also be other general purpose processors, digital signal processors (digital signal processor, DSP), application specific integrated circuits (application specific integrated circuit, ASIC), field programmable gate arrays (field programmable gate array, FPGA) or other programmable logic devices, transistor logic devices, hardware components, or any combination thereof. The general purpose processor may be a microprocessor, but in the alternative, it may be any conventional processor.
The method steps in the embodiments of the present application may be implemented by hardware, or by a processor executing software instructions. The software instructions may consist of corresponding software modules, which may be stored in random access memory (RAM), flash memory, read-only memory (ROM), programmable ROM (PROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. Alternatively, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the flows or functions according to the embodiments of the present application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in, or transmitted across, a computer-readable storage medium. The computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired means (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless means (e.g., infrared, radio, microwave). The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a DVD), a semiconductor medium (e.g., a solid state drive (SSD)), or the like.
It will be appreciated that the various numerical numbers referred to in the embodiments of the present application are merely for ease of description and are not intended to limit the scope of the embodiments of the present application.

Claims (10)

1. A vulnerability analysis method, the method comprising:
obtaining vulnerability information of each open source software in target software;
determining, based on a training model, a function capable of triggering a vulnerability in the vulnerability information;
judging, based on the interface where the function capable of triggering the vulnerability is located in the source code of the corresponding open source software and on the compiled file of the target software, whether the target software carries the interface; wherein the compiled file stores a plurality of interfaces included in the open source software;
and outputting a vulnerability analysis report of the target software, wherein the vulnerability analysis report indicates whether the target software carries the function capable of triggering the vulnerability.
2. The method according to claim 1, wherein the outputting the vulnerability analysis report of the target software specifically comprises:
querying, based on the identifier of the interface, the mapping relationship between the identifier of the interface and the identifier of the functional module to which the interface belongs, to obtain the identifier of the functional module to which the interface belongs;
respectively judging whether the identifier of the functional module is located in the compiled file;
recording the obtained first judgment result in the vulnerability analysis report, and outputting the vulnerability analysis report.
3. The method according to claim 2, wherein the method further comprises:
when a first judgment result corresponding to a first functional module is that it is located in the compiled file, judging whether an identifier of a first interface associated with the first functional module is located in the compiled file, wherein the first functional module is any one of the functional modules;
and recording the obtained second judgment result in the vulnerability analysis report.
4. A method according to claim 3, characterized in that the method further comprises:
and when the identifier of the first interface associated with the first functional module is located in the compiled file, recording the business associated with the first interface in the vulnerability analysis report.
5. The method according to claim 1, wherein the outputting the vulnerability analysis report of the target software specifically comprises:
respectively judging whether the identifier of the interface is located in the compiled file;
recording the obtained third judgment result in the vulnerability analysis report, and outputting the vulnerability analysis report.
6. The method of claim 5, wherein the method further comprises:
and when the identifier of the second interface is located in the compiled file, recording the service associated with the second interface in the vulnerability analysis report, wherein the second interface is any one of the interfaces.
7. The method of any of claims 1-6, wherein the target software is embedded software.
8. The method according to any one of claims 1-7, characterized in that the method comprises:
processing the vulnerability information to obtain a target vulnerability contained in the vulnerability information, wherein the target vulnerability comprises: information leakage type vulnerabilities and/or disputed type vulnerabilities, wherein a disputed type vulnerability is a vulnerability that has occurred at least once and cannot be reproduced;
and recording the target vulnerability in the vulnerability analysis report.
9. The method according to any one of claims 1-8, further comprising:
processing the vulnerability information to obtain vulnerability data contained in the vulnerability information, wherein the vulnerability data comprises: at least one of a vulnerability triggering scene, a version of software affected by the vulnerability and patch information of the vulnerability;
and recording the vulnerability data in the vulnerability analysis report.
10. A computing device comprising a processor and a memory, wherein the memory has stored therein computer program instructions that, when executed by the processor, perform the method of any of claims 1-9.
CN202310125553.9A 2023-02-16 2023-02-16 Vulnerability analysis method and device and electronic equipment Pending CN116484378A (en)

Publications (1)

Publication Number Publication Date
CN116484378A true CN116484378A (en) 2023-07-25

Family

ID=87223893

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117478440A (en) * 2023-12-28 2024-01-30 中国人民解放军国防科技大学 POC batch verification method, device, equipment and medium
CN117478440B (en) * 2023-12-28 2024-03-01 中国人民解放军国防科技大学 POC batch verification method, device, equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination