CN116484390A - Heap vulnerability attack detection method, device and medium based on metadata and dynamic instrumentation technology - Google Patents


Info

Publication number
CN116484390A
Authority
CN
China
Prior art keywords
chunk
vulnerability attack
metadata
heap
executable file
Legal status
Pending
Application number
CN202310590884.XA
Other languages
Chinese (zh)
Inventor
殷志越
郑强
刘寅
张智成
李宽合
齐敬
郭宇鹏
陈忱
许立强
宋富平
余安奇
唐亚东
Current Assignee
Nanjing Nari Network Security Technology Co ltd
Original Assignee
Nanjing Nari Network Security Technology Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a heap vulnerability attack detection method, device and medium based on metadata and a dynamic instrumentation technology. Intel's pintool framework is used to dynamically instrument the key standard library functions malloc and free in a binary ELF executable file for the x86 platform. The main vulnerability-detection program tracks, at the instrumentation hooks, global information on the chunk metadata area and the user data area produced by malloc, free and related functions. At the hooks it obtains a real-time map of the binary's memory regions during operation and makes a preliminary attack judgment; it then monitors changes to the chunk metadata area and the user data against a vulnerability attack judgment rule base to make an accurate judgment. The method and device avoid the high overhead and instrumentation blind spots of dynamic taint analysis when no source code is available, and can effectively and rapidly detect vulnerability attacks that are about to occur in heap space.

Description

Heap vulnerability attack detection method, device and medium based on metadata and dynamic instrumentation technology
Technical Field
The invention relates to a heap vulnerability attack detection method, device and medium based on metadata and a dynamic instrumentation technology, and belongs to the technical field of information security.
Background
Common vulnerability attack detection techniques cannot effectively detect vulnerability attacks in heap space. For example, conventional automatic detection of vulnerability attacks against ELF binary files is mainly oriented to stack space, format strings and the like, and is mainly used to find control-flow attacks caused by buffer overflows. Attack techniques based on heap space do not target the control flow directly; they target potential logic flaws at the user service level of the code, for example by crafting complex payloads that exploit the fixed execution flow inside glibc standard library functions such as malloc and free to obtain control of the underlying operating system.
In addition, dynamic taint analysis, a popular technique in recent years for detecting memory vulnerability attacks, has a detection blind spot when applied to heap memory. Dynamic taint analysis focuses on functions at the system call level and cannot effectively follow the operation flow of the glibc layer of heap space, which consists mainly of the standard library functions malloc and free; at the same time, it relies on a technique similar to memory mirroring, so the overhead imposed on the underlying system while the monitored program executes is high.
Therefore, existing detection techniques cannot effectively detect vulnerability attacks in heap space, and a detection technique dedicated to heap space is required to detect such attacks quickly and efficiently, so that heap space attacks on the operating system are stopped before they lead to arbitrary code execution.
Disclosure of Invention
Purpose: in order to overcome the defects of the prior art, the invention provides a heap vulnerability attack detection method, device and medium based on metadata and a dynamic instrumentation technology.
Technical scheme: in order to solve the above technical problems, the invention adopts the following technical scheme:
In a first aspect, a heap vulnerability attack detection method based on metadata and a dynamic instrumentation technique includes the following steps:
Step 1: using the pintool framework, dynamically instrument the heap space operation functions of the standard library in the binary ELF executable file, before and/or after their execution, inserting a custom hook function for vulnerability attack detection to form a new binary ELF executable file.
Step 2: obtain the heap space chunk head address in the new binary ELF executable file and, in the custom vulnerability-detection hook function, construct a global tracking table of chunk metadata and the user input data area according to the heap space chunk head address to which the user input data belongs and the basic data structure of a chunk.
Step 3: after the user inputs data, the Linux operating system executes the new binary ELF executable file. Whenever the custom vulnerability-detection hook function runs, it obtains the chunk metadata and the global tracking table of the user input data area before and after the heap space operation function runs, and compares the two to obtain the change content; if the change content exceeds the range of the heap space region, a heap space vulnerability attack is indicated, an alarm is raised, and the user input and the execution of the new binary ELF executable file are interrupted.
Further, the method further comprises: Step 4: after the user inputs data, the Linux operating system executes the new binary ELF executable file. Whenever the custom vulnerability-detection hook function runs, it obtains the chunk metadata and the global tracking table of the user input data area before and after the heap space operation function runs, and compares the two to obtain the change content; if the change content matches a rule in the vulnerability attack judgment rule base, a heap space vulnerability attack is indicated, an alarm is raised, and the user input and the execution of the new binary ELF executable file are interrupted.
Further, the step 1 includes:
Step 1.1, initialize Pintools with PIN_InitSymbols() and PIN_Init(argc, argv).
Step 1.2, load the image-level information of the binary ELF executable file with the IMG_AddInstrumentFunction function, and locate the malloc routine information mallocRtn and the free routine information freeRtn in that image information with RTN_FindByName(img, MALLOC) and RTN_FindByName(img, FREE).
Step 1.3, instrument with RTN_InsertCall before and/or after the execution of mallocRtn and/or freeRtn, inserting the custom vulnerability-detection hook function to form a new ELF executable file.
Further, the step 2 includes:
Step 2.1, obtain the head address of the user input data in the heap space of the new binary ELF executable file from the malloc return value delivered to the hook inserted by RTN_InsertCall.
Step 2.2, derive the heap space chunk head address of the user input data from the head address of the user input data and the fixed offset between the user data and its chunk head.
Step 2.3, in the custom vulnerability-detection hook function, construct the global tracking table of chunk metadata and the user input data area according to the basic data structure of a chunk in glibc and the heap space chunk head address to which the user input data belongs.
Further, each entry of the global tracking table of chunk metadata and the user input data area includes: prev_size, size, fd, bk, chunk_addr, user_addr.
Here prev_size is the size of the previous chunk as recorded in the chunk metadata, size is the total size of the present chunk, fd points to the head of the next chunk in the chunk list, bk points to the head of the previous chunk in the chunk list, chunk_addr is the head address of the present chunk, and user_addr is the head address of the user data area within the present chunk.
Further, the step 3 includes:
Step 3.1, after the user inputs data, the Linux operating system executes the new binary ELF executable file. Whenever the custom vulnerability-detection hook function runs, the values of the chunk metadata and user data area produced by the new binary ELF executable file before and after each malloc and/or free operation are recorded in the global tracking table of chunk metadata and the user input data area, and the change content is obtained from the values before and after the malloc and/or free operation.
Step 3.2, read the map information table from the proc directory under the root node according to the process number of the new binary ELF executable file.
Step 3.3, obtain the complete real-time permissions of the new binary ELF executable file and the corresponding region mapping information from the map information.
Step 3.4, in the custom vulnerability-detection hook function, judge from the region mapping information corresponding to the new binary ELF executable file whether chunk_addr and user_addr in the change content lie outside the heap region range in the map information table; if so, a heap space vulnerability attack is indicated, an alarm is raised, and the user input and the execution of the new binary ELF executable file are interrupted.
Further, the step 4 includes:
Step 4.1, after the user inputs data, the Linux operating system executes the new binary ELF executable file. Whenever the custom vulnerability-detection hook function runs, the values of the chunk metadata and user data area produced by the new binary ELF executable file before and after each malloc and/or free operation are recorded in the global tracking table of chunk metadata and the user input data area, and the change content is obtained from the values before and after the malloc and/or free operation.
Step 4.2, compare the change content against the vulnerability attack judgment rule base.
Step 4.3, if the change content matches a rule in the vulnerability attack judgment rule base, a heap space vulnerability attack is indicated, an alarm is raised, and the user input and the execution of the new binary ELF executable file are interrupted.
Further, the rules in the vulnerability attack judgment rule base comprise at least one of the following:
the user data range of the changed chunk covers the size field of an existing chunk;
the user data range of the changed chunk covers the prev_size field of an existing chunk;
the user data range of the changed chunk covers the fd field of an existing chunk;
the user data range of the changed chunk covers the bk field of an existing chunk.
In a second aspect, a computer readable storage medium stores a computer program which, when executed by a processor, implements the heap vulnerability attack detection method based on metadata and a dynamic instrumentation technique according to any one of the first aspect.
In a third aspect, a computer device comprises:
a memory for storing instructions; and
a processor configured to execute the instructions so that the computer device performs the heap vulnerability attack detection method based on metadata and a dynamic instrumentation technique according to any one of the first aspect.
Beneficial effects: the heap vulnerability attack detection method, device and medium based on metadata and dynamic instrumentation technology avoid the high overhead and instrumentation blind spots of dynamic taint analysis when no source code is available. The dynamic library functions are instrumented while the binary program executes to obtain the chunk metadata and user data; changes to the chunk metadata and user data are judged with a continuously refined vulnerability attack rule base; and as a result a vulnerability attack that is about to occur in heap space can be detected effectively and rapidly before a common heap space attack completes.
Drawings
FIG. 1 is a schematic flow chart of the method of the present invention.
FIG. 2 is a diagram of the instrumentation hooks on malloc and free and of the construction of the global tracking table of all chunk metadata and user data in steps one and two of the present invention.
FIG. 3 is a schematic diagram of the preliminary judgment using the real-time permission distribution map and of the accurate judgment using cross coverage between the chunk metadata area and the user data area in steps three and four of the present invention.
Detailed Description
The following description of the embodiments of the present invention is given clearly and completely with reference to the accompanying drawings, which show some but not all embodiments of the invention. All other embodiments that a person skilled in the art can derive without inventive effort fall within the scope of the present invention.
The invention will be further described with reference to specific examples.
As shown in fig. 1, a heap vulnerability attack detection method based on metadata and a dynamic instrumentation technique according to a first embodiment includes the following steps:
Step 1: using Intel's pintool framework, dynamically instrument the heap space operation functions of the standard library in the binary ELF executable file for the x86 platform, before and/or after their execution, inserting a custom hook function for vulnerability attack detection to form a new binary ELF executable file.
Step 2: obtain the heap space chunk head address in the new binary ELF executable file and, in the custom vulnerability-detection hook function, construct a global tracking table of chunk metadata and the user input data area according to the heap space chunk head address to which the user input data belongs and the basic data structure of a chunk.
Step 3: after the user inputs data, the Linux operating system executes the new binary ELF executable file. Whenever the custom vulnerability-detection hook function runs, it obtains the chunk metadata and the global tracking table of the user input data area before and after the heap space operation function runs, and compares the two to obtain the change content; if the change content exceeds the range of the heap space region, a heap space vulnerability attack is indicated, an alarm is raised, and the user input and the execution of the new binary ELF executable file are interrupted.
Step 4: after the user inputs data, the Linux operating system executes the new binary ELF executable file. Whenever the custom vulnerability-detection hook function runs, it obtains the chunk metadata and the global tracking table of the user input data area before and after the heap space operation function runs, and compares the two to obtain the change content; if the change content matches a rule in the vulnerability attack judgment rule base, a heap space vulnerability attack is indicated, an alarm is raised, and the user input and the execution of the new binary ELF executable file are interrupted.
A second embodiment is a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements a heap vulnerability attack detection method based on metadata and dynamic instrumentation techniques as in any one of the first embodiments.
A third embodiment is a computer device comprising:
a memory for storing instructions; and
a processor configured to execute the instructions so that the computer device performs the heap vulnerability attack detection method based on metadata and dynamic instrumentation technology according to any one of the first embodiment.
Examples
As shown in fig. 2, the specific treatment procedure of step 1 of the method of the present invention is as follows:
Step 1.1, the custom vulnerability-detection hook function of the present invention is implemented on Intel's pintool framework, so the function names, parameter names and usage below all follow the usage specification of Intel's pintool library. Pintools is first initialized with PIN_InitSymbols() and PIN_Init(argc, argv).
Step 1.2, heap space vulnerability attacks mainly target the heap space operation functions of the glibc standard library, such as malloc and free.
The IMG_AddInstrumentFunction function is used to load the image-level information of the binary ELF executable file for the x86 platform, and the malloc routine information mallocRtn and the free routine information freeRtn are located in that image information with RTN_FindByName(img, MALLOC) and RTN_FindByName(img, FREE).
Step 1.3, instrument with RTN_InsertCall before and/or after the execution of mallocRtn and/or freeRtn, inserting the custom vulnerability-detection hook function to form a new ELF executable file.
For example, to instrument before the identified malloc routine mallocRtn executes, the RTN_InsertCall function of pintools inserts the custom heap-vulnerability-detection hook function mallocbeforehook, and the remaining RTN_InsertCall arguments become the parameters of mallocbeforehook according to the pintools specification:
    RTN_Open(mallocRtn);                              // the routine must be open while calls are inserted
    RTN_InsertCall(mallocRtn, IPOINT_BEFORE, (AFUNPTR)mallocbeforehook,
                   IARG_ADDRINT, MALLOC,              // name of the instrumented function
                   IARG_FUNCARG_ENTRYPOINT_VALUE, 0,  // first argument of malloc: requested size
                   IARG_END);
    RTN_Close(mallocRtn);
Likewise, to instrument after the identified malloc routine mallocRtn executes, the RTN_InsertCall function of pintools inserts the custom heap-vulnerability-detection hook function mallocafterhook, and the remaining RTN_InsertCall arguments become the parameters of mallocafterhook according to the pintools specification:
    RTN_Open(mallocRtn);
    RTN_InsertCall(mallocRtn, IPOINT_AFTER, (AFUNPTR)mallocafterhook,
                   IARG_FUNCRET_EXITPOINT_VALUE,      // return value of malloc: head address of the user data
                   IARG_END);
    RTN_Close(mallocRtn);
Instrumentation of the free function may be chosen in the same way, setting the custom heap-vulnerability-detection hook functions freebeforehook and/or freeafterhook before and/or after free executes.
mallocbeforehook, mallocafterhook, freebeforehook and freeafterhook are the bodies of the custom heap-vulnerability-detection hook functions that implement steps two, three and four.
As shown in fig. 2, the specific treatment procedure of step 2 of the method of the present invention is as follows:
Step 2.1, under Intel's pintool framework, the malloc return value delivered to the hook inserted by RTN_InsertCall (IARG_FUNCRET_EXITPOINT_VALUE) is the head address of the user input data in the heap space allocated to the new binary ELF executable file by the operating system. The head address of the user input data is therefore obtained from that return value.
Step 2.2, derive the heap space chunk head address of the user input data from the head address of the user input data and the fixed offset between the user data and its chunk head.
Step 2.3, in the custom vulnerability-detection hook function, according to the basic data structure of a chunk in glibc and the acquired heap space chunk head address, read from memory the value of each member of the following data structure, thereby constructing the global tracking table of chunk metadata and the user input data area.
The meaning of the following chunk metadata and of the members of the user data global tracking table follows the definitions in the glibc library. The global tracking table of chunk metadata and the user input data area is a list of record items, each with the following structure:
    #include <stddef.h>
    typedef size_t INTERNAL_SIZE_T;   /* glibc's internal size type; declared here so the record compiles outside glibc */

    struct malloc_chunk {
        INTERNAL_SIZE_T prev_size;    /* size of the previous chunk (glibc header field) */
        INTERNAL_SIZE_T size;         /* total size of this chunk (glibc header field) */
        struct malloc_chunk* fd;      /* head of the next chunk in the chunk list (glibc header field) */
        struct malloc_chunk* bk;      /* head of the previous chunk in the chunk list (glibc header field) */
        long long chunk_addr;         /* tracking-table field: head address of this chunk */
        long long user_addr;          /* tracking-table field: head address of the user data area */
    };
Here prev_size is the size of the previous chunk as recorded in the chunk metadata, size is the total size of the present chunk, fd points to the head of the next chunk in the chunk list, bk points to the head of the previous chunk in the chunk list, chunk_addr is the head address of the present chunk, and user_addr is the head address of the user data area within the present chunk.
As shown in fig. 3, the specific treatment procedure of step 3 of the method of the present invention is as follows:
Step 3.1, under Intel's pintool framework, the custom vulnerability-detection hook function executes each time an instrumented function is triggered. On each execution, the values of the chunk metadata and user data area produced by the new binary ELF executable file before and after each malloc and/or free operation are recorded in the global tracking table of chunk metadata and the user input data area; the change values are computed from the values before and after the malloc and/or free operation, written to a log, and recorded in the global tracking table according to the data structure above. In addition, the global tracking table is combined with main_arena information to add the top chunk related information from the glibc library.
In one embodiment, to reduce the computational effort of the custom vulnerability-detection hook function, the hook function may be inserted either before or after the malloc or free operation.
When the new binary ELF executable file runs to the hook function, the chunk metadata corresponding to the malloc or free function and the values of the user input data area are recorded in the hook function's global tracking table, giving a first global tracking table.
The new binary ELF executable file continues to run, and when it next reaches the hook function the chunk metadata corresponding to the malloc or free function and the values of the user input data area are recorded again, giving a second global tracking table.
The first and second global tracking tables are compared to obtain the change content.
In one embodiment, to improve the detection accuracy of the custom vulnerability-detection hook function, the hook function may be inserted both before and after the malloc and free functions.
The new binary ELF executable file runs at the current moment; when the hook function executes before the malloc function runs, the chunk metadata corresponding to malloc and the values of the user input data area are recorded in the hook function's global tracking table, giving a third global tracking table. When the hook function executes after the malloc function has run, the same values are recorded again, giving a fourth global tracking table.
The third and fourth global tracking tables are compared to obtain the change content.
The change content corresponding to the free function is obtained in the same way.
Step 3.2, read the map information from the proc directory under the root node according to the process number of the new binary ELF executable file.
Step 3.3, obtain the complete real-time permissions of the new binary ELF executable file and the corresponding region mapping information from the map information.
Step 3.4, in the hook function, the change content of the global tracking table of chunk metadata and user data is judged preliminarily against the region mapping information corresponding to the new binary ELF executable file: it is checked whether chunk_addr and user_addr of the chunk that produced the change lie outside the heap region range in the map information table. If either start address lies outside the heap region range of normal operation, a heap space vulnerability attack is indicated; an alarm may be raised and the user input data and the binary's execution interrupted. Otherwise, step 4 is entered.
As shown in fig. 3, the specific treatment procedure of step 4 of the method of the present invention is as follows:
and 4.1, executing a custom hook function for detecting vulnerability attack according to the pintool architecture of intel every time the pile-inserting function is triggered. And each time the custom hook function for detecting the vulnerability attack is executed, the values of the hook metadata and the user data area, which are caused by the fact that the new binary if executable file is before and after each malloc and/or free operation, are recorded in a global tracking table of the hook metadata and the user input data area, the change values are obtained according to the values before and after the malloc and/or free operation, the change values of the hook metadata and the user data area are recorded in a log mode, and the change values are recorded in the global tracking table according to the data structure, and in addition, the global tracking table is combined with main-arena information to increase the top hook related information in the glibc library.
Step 4.2, summarizing and summarizing according to vulnerability attack characteristics occurring in a heap space: these rules are represented by relationships between the chunk metadata and the user data region, each relationship representing a characteristic rule of a potential vulnerability attack. And (3) sorting the characteristic rules and constructing a vulnerability attack judgment rule base. The rule base can be continuously perfected according to new characteristics of vulnerability attack occurring in heap space.
The rules for a common heap space vulnerability attack are as follows:
the user data range of the variant chunk covers the size of the existing chunk.
The user data range of the variant chunk covers the prevsize of the existing chunk.
The user data range of the changing chunk covers fd of the existing chunk.
The user data range of the variant chunk covers the bk of the existing chunk.
The rules can be summarized according to the future vulnerability attack method, so that the rule table is added with the rules.
Step 4.3, record the operation results of heap space operation functions such as malloc and/or free in the custom hook function for detecting heap vulnerability attack, where the operation results comprise the chunk metadata and user data change content produced by changing a certain chunk: for example chunk_addr, prev_size, fd, bk, user_addr, user_size.
Step 4.4, in the custom hook function for detecting heap vulnerability attack at the instrumentation position, compare the change content of the corresponding chunk metadata and user data area in the newly generated global tracking table entry against each rule of the vulnerability attack judgment rule base in real time.
Step 4.5, once a judgment rule is found to be satisfied, a potential risk of heap space vulnerability attack exists and the process is undergoing a heap space vulnerability attack; an alarm can therefore be raised and the user input and the binary execution process interrupted.
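As an added illustration, not code from the patent, the following C model shows the tracking-table rule check of steps 4.2 to 4.5 together with the /proc maps heap-range check of claim 6; it assumes the 64-bit glibc malloc_chunk field offsets, and the addresses, maps lines and function names are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One row of the global tracking table (claim 5) in the form step 4.3 records it:
 * chunk head address, user data head address and user data size. Metadata offsets
 * follow the 64-bit glibc malloc_chunk layout: prev_size +0, size +8, fd +16, bk +24. */
typedef struct { uintptr_t chunk_addr, user_addr; size_t user_size; } chunk_rec;
enum { RULE_PREVSIZE = 1, RULE_SIZE = 2, RULE_FD = 4, RULE_BK = 8 };

/* Does the half-open byte range [lo, hi) touch the 8-byte field at field_addr? */
static bool covers(uintptr_t lo, uintptr_t hi, uintptr_t field_addr) {
    return field_addr < hi && field_addr + sizeof(uintptr_t) > lo;
}

/* Step 4.4: compare the changed chunk's user data range with the metadata fields of
 * every other tracked chunk. Returns a bitmask of the rules that matched (0 = none). */
int match_rules(const chunk_rec *changed, const chunk_rec *table, size_t n) {
    uintptr_t lo = changed->user_addr, hi = changed->user_addr + changed->user_size;
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        const chunk_rec *c = &table[i];
        if (c->chunk_addr == changed->chunk_addr) continue; /* its own header is not an "existing chunk" */
        if (covers(lo, hi, c->chunk_addr))      hits |= RULE_PREVSIZE;
        if (covers(lo, hi, c->chunk_addr + 8))  hits |= RULE_SIZE;
        if (covers(lo, hi, c->chunk_addr + 16)) hits |= RULE_FD;
        if (covers(lo, hi, c->chunk_addr + 24)) hits |= RULE_BK;
    }
    return hits;
}

/* Steps 3.2-3.3 of claim 6: pull the [heap] region out of /proc/<pid>/maps text. */
bool heap_range_from_maps(const char *maps, uintptr_t *lo, uintptr_t *hi) {
    for (const char *p = maps; p && *p; ) {
        const char *eol = strchr(p, '\n'), *tag = strstr(p, "[heap]");
        unsigned long a, b;
        if (tag && (!eol || tag < eol) && sscanf(p, "%lx-%lx", &a, &b) == 2) {
            *lo = a; *hi = b;
            return true;
        }
        p = eol ? eol + 1 : NULL;
    }
    return false;
}

/* Step 3.4: 1 = chunk_addr and user_addr both inside [heap], 0 = outside, -1 = no [heap] line. */
int record_in_heap(const chunk_rec *c, const char *maps) {
    uintptr_t lo, hi;
    if (!heap_range_from_maps(maps, &lo, &hi)) return -1;
    return c->chunk_addr >= lo && c->chunk_addr < hi && c->user_addr >= lo && c->user_addr < hi;
}

/* Constructed sample data (not from the patent): two adjacent 32-byte chunks and a maps excerpt. */
const chunk_rec sample_table[2] = { { 0x555555559290UL, 0x5555555592a0UL, 16 },
                                    { 0x5555555592b0UL, 0x5555555592c0UL, 16 } };
const char sample_maps[] = "555555554000-555555555000 r--p 00000000 08:01 1234 /tmp/app\n"
                           "555555559000-55555557a000 rw-p 00000000 00:00 0 [heap]\n";

int main(void) {
    chunk_rec overflow = { 0x555555559290UL, 0x5555555592a0UL, 40 }; /* 40 bytes into a 16-byte area */
    printf("rules hit: %d, in heap: %d\n", match_rules(&overflow, sample_table, 2),
           record_in_heap(&overflow, sample_maps)); /* 7 (prev_size, size, fd of the next chunk), 1 */
    return 0;
}
```

With the rule as the page states it, a user_size taken from malloc_usable_size() would cover the following chunk's prev_size field even for a legitimate write, because glibc lets an in-use chunk use that field; the model therefore expects the requested size, as step 4.3 records it.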
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The foregoing is only a preferred embodiment of the invention, it being noted that: it will be apparent to those skilled in the art that various modifications and adaptations can be made without departing from the principles of the present invention, and such modifications and adaptations are intended to be comprehended within the scope of the invention.

Claims (10)

1. A heap vulnerability attack detection method based on metadata and dynamic instrumentation technology is characterized in that: the method comprises the following steps:
step 1: in advance, dynamically instrument before and/or after a heap space operation function of a standard library function in a binary elf executable file using the pintool architecture, and insert a custom hook function for vulnerability attack detection to form a new binary elf executable file;
step 2: obtain the heap space chunk head address of the new binary elf executable file, and construct a global tracking table of chunk metadata and user input data area in the custom hook function for vulnerability attack detection according to the heap space chunk head address to which the user input belongs and the basic data structure of a chunk;
step 3: after the user inputs data, the linux operating system executes the new binary elf executable file; when the custom hook function for detecting vulnerability attack executes, obtain in that hook function the global tracking table of chunk metadata and user input data area before and after the heap space operation function runs, and compare the two to obtain the change content; if the change content exceeds the range of the heap space area, a heap space vulnerability attack has occurred: raise an alarm and interrupt the user input data and the execution of the new binary elf executable file.
2. The heap vulnerability attack detection method based on metadata and dynamic instrumentation technology as claimed in claim 1, characterized in that it further comprises: step 4: after the user inputs data, the linux operating system executes the new binary elf executable file; when the custom hook function for detecting vulnerability attack executes, obtain in that hook function the global tracking table of chunk metadata and user input data area before and after the heap space operation function runs, and compare the two to obtain the change content; if the change content matches a rule in the vulnerability attack judgment rule base, a heap space vulnerability attack has occurred: raise an alarm and interrupt the user input data and the execution of the new binary elf executable file.
3. The heap vulnerability attack detection method based on metadata and dynamic instrumentation technology as claimed in claim 1 or 2, wherein the method comprises the following steps: the step 1 comprises the following steps:
step 1.1, initialize Pin using PIN_InitSymbols() and PIN_Init(argc, argv);
step 1.2, use IMG_AddInstrumentFunction to load the image-level information of the binary elf executable file, and use RTN_FindByName(img, "malloc") and RTN_FindByName(img, "free") to find the malloc routine information mallocRtn and the free routine information freeRtn in the image-level information;
step 1.3, instrument before and/or after the execution of mallocRtn and/or freeRtn using RTN_InsertCall, and insert the custom hook function for detecting vulnerability attack to form a new elf executable file.
4. The heap vulnerability attack detection method based on metadata and dynamic instrumentation technology as claimed in claim 1 or 2, wherein the method comprises the following steps: the step 2 includes:
step 2.1, obtain the user input data head address in the heap space of the new binary elf executable file according to the return value obtained through RTN_InsertCall;
step 2.2, derive the heap space chunk head address of the user input data from the user input data head address and the fixed offset between the user input data head address and its heap space chunk head address;
step 2.3, in the custom hook function for detecting vulnerability attack, construct the global tracking table of chunk metadata and user input data area according to the basic data structure of a chunk in glibc and the heap space chunk head address to which the user input data belongs.
5. The heap vulnerability attack detection method based on metadata and dynamic instrumentation technology as claimed in claim 4, characterized in that the structure of the global tracking table of chunk metadata and user input data area comprises: prev_size, size, fd, bk, chunk_addr, user_addr;
where prev_size represents the size of the previous chunk in the heap chunk metadata, size represents the total size of the present chunk, fd represents the head address of the next chunk in the chunk list, bk represents the head address of the previous chunk in the chunk list, chunk_addr represents the head address of the present chunk, and user_addr represents the head address of the user data area in the present chunk.
6. The heap vulnerability attack detection method based on metadata and dynamic instrumentation technology as claimed in claim 5, wherein the method is characterized in that: the step 3 includes:
step 3.1, after the user inputs data, the linux operating system executes the new binary elf executable file; when the custom hook function for detecting vulnerability attack executes, the values of the chunk metadata and user data area of the new binary elf executable file before and after each malloc and/or free operation are recorded in the global tracking table of chunk metadata and user data area, and the change content is obtained from the values before and after the malloc and/or free operation;
step 3.2, according to the process number of the new binary elf executable file, read its entry under the root /proc directory to obtain the memory map information table;
step 3.3, obtain from the map information the complete real-time permissions of the new binary elf executable file and the corresponding region mapping information;
step 3.4, in the custom hook function for detecting vulnerability attack, judge according to the region mapping information corresponding to the new binary elf executable file whether chunk_addr and user_addr in the change content exceed the heap space region range in the map information table; if so, a heap space vulnerability attack has occurred: raise an alarm and interrupt the user input data and the execution of the new binary elf executable file.
7. The heap vulnerability attack detection method based on metadata and dynamic instrumentation technology as claimed in claim 5, wherein the method is characterized in that: the step 4 includes:
step 4.1, after the user inputs data, the linux operating system executes the new binary elf executable file; when the custom hook function for detecting vulnerability attack executes, the values of the chunk metadata and user data area of the new binary elf executable file before and after each malloc and/or free operation are recorded in the global tracking table of chunk metadata and user data area, and the change content is obtained from the values before and after the malloc and/or free operation;
step 4.2, compare the change content against the vulnerability attack judgment rule base;
step 4.3, if the change content matches a rule in the vulnerability attack judgment rule base, a heap space vulnerability attack has occurred: raise an alarm and interrupt the user input data and the execution of the new binary elf executable file.
8. The heap vulnerability attack detection method based on metadata and dynamic instrumentation technology as claimed in claim 7, wherein the method is characterized in that: the rules in the vulnerability attack judging rule base at least comprise one of the following:
the user data range of the changed chunk covers the size of the existing chunk;
the user data range of the changed chunk covers the prevsize of the existing chunk;
the user data range of the changed chunk covers fd of the existing chunk;
the user data range of the changed chunk covers the bk of the existing chunk.
9. A computer-readable storage medium, characterized by: a computer program stored thereon, which when executed by a processor, implements a heap vulnerability attack detection method based on metadata and dynamic instrumentation techniques as claimed in any one of claims 1-8.
10. A computer device, characterized by: comprising the following steps:
a memory for storing instructions;
a processor configured to execute the instructions to cause the computer device to perform the operations of a heap vulnerability attack detection method based on metadata and dynamic instrumentation techniques according to any one of claims 1-8.
CN202310590884.XA 2023-05-24 2023-05-24 Heap vulnerability attack detection method, device and medium based on metadata and dynamic instrumentation technology Pending CN116484390A (en)
Publications (1)

Publication Number Publication Date
CN116484390A true CN116484390A (en) 2023-07-25

Family

ID=87223384
Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117435440A (en) * 2023-12-20 2024-01-23 麒麟软件有限公司 Dynamic analysis method and system for program heap space
CN117435440B (en) * 2023-12-20 2024-04-05 麒麟软件有限公司 Dynamic analysis method and system for program heap space
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination