CN116578991A - Vulnerability mining method, device, equipment and storage medium - Google Patents

Publication number: CN116578991A
Authority: CN (China)
Prior art keywords: vulnerability, address, determining, heap, program
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202310603985.6A
Other languages: Chinese (zh)
Inventor: 陈君
Current Assignee: Ecarx Hubei Tech Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Ecarx Hubei Tech Co Ltd
Application filed by Ecarx Hubei Tech Co Ltd
Priority to CN202310603985.6A
Publication of CN116578991A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a vulnerability mining method, device, equipment and storage medium. The method comprises: determining, based on symbolic execution, whether a vulnerability feature exists in a program to be tested and the initial address corresponding to the vulnerability feature, and if so, determining the vulnerability according to the vulnerability feature, wherein the initial address is the jump address of the calling function associated with the vulnerability feature; and outputting vulnerability information according to the vulnerability and the initial address. In the technical scheme provided by the embodiments of the invention, symbolic execution is used to determine the vulnerability features present in the program to be tested and to find the execution path (namely the initial address) on which the vulnerability exists. The method therefore has the advantage of high path coverage, greatly reduces the time spent on manual verification, and significantly improves both the efficiency and the effect of vulnerability mining.

Description

Vulnerability mining method, device, equipment and storage medium
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a method, an apparatus, a device, and a storage medium for mining vulnerabilities.
Background
As the software functions of in-vehicle operating systems become more powerful, the scale of the software code keeps growing and the number of security vulnerabilities in system software increases. These ever-increasing and increasingly complex vulnerabilities pose significant challenges to the security of operating systems.
Currently, conventional vulnerability discovery on Linux operating systems relies mainly on fuzz testing. This technique continuously feeds random data into the target under test to trigger errors in the target, thereby mining unknown vulnerabilities in the executable files of a Linux operating system. After fuzz testing finishes, the results cannot be used directly and must be processed in a result analysis stage. That stage works as follows: the test results are deduplicated, reproduced, analyzed and assessed for threat, and it is finally determined whether any valuable vulnerabilities were found.
However, this traditional vulnerability mining approach is highly random: because it relies on random input data, the yield of vulnerabilities is relatively low, path coverage is low, vulnerabilities on uncovered paths cannot be found, and a large amount of manpower and material resources must be invested in the subsequent analysis stage.
Disclosure of Invention
The invention provides a vulnerability mining method, device, equipment and storage medium, which are used for solving the problem of inaccurate vulnerability mining.
In a first aspect, the present invention provides a method for mining vulnerabilities, including:
determining, based on symbolic execution, whether a vulnerability feature exists in a program to be tested and the initial address corresponding to the vulnerability feature, and if so, determining the vulnerability according to the vulnerability feature, wherein the initial address is the jump address of the calling function associated with the vulnerability feature;
and outputting vulnerability information according to the vulnerability and the initial address.
In a second aspect, the present invention provides a device for mining vulnerabilities, including:
a vulnerability determining module, configured to determine, based on symbolic execution, whether a vulnerability feature exists in a program to be tested and the initial address corresponding to the vulnerability feature, and if so, to determine the vulnerability according to the vulnerability feature, wherein the initial address is the jump address of the calling function associated with the vulnerability feature;
and a vulnerability information output module, configured to output vulnerability information according to the vulnerability and the initial address.
In a third aspect, the present invention provides an electronic device comprising:
at least one processor;
and a memory communicatively coupled to the at least one processor;
wherein the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the method of mining vulnerabilities described above in the first aspect.
In a fourth aspect, the present invention provides a computer readable storage medium storing computer instructions for causing a processor to perform the method of mining vulnerabilities of the first aspect described above.
In the vulnerability mining scheme provided by the invention, whether a vulnerability feature exists in the program to be tested, and the initial address corresponding to the vulnerability feature, are determined based on symbolic execution; if a vulnerability feature exists, the vulnerability is determined according to it, wherein the initial address is the jump address of the calling function associated with the vulnerability feature; and vulnerability information is output according to the vulnerability and the initial address. With this technical scheme, symbolic execution traverses each path in the program to be tested, the input data is made symbolic, and the execution of the program to be tested is abstracted into a constraint function. All paths of the program to be tested are thus analyzed for vulnerability features, and the execution path (namely the initial address) on which a vulnerability exists is found, so that vulnerability information can be obtained and output.
It should be understood that the description in this section is not intended to identify key or critical features of the invention or to delineate the scope of the invention. Other features of the present invention will become apparent from the description that follows.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a method for mining vulnerabilities provided in accordance with a first embodiment of the present invention;
FIG. 2 is a flowchart of a method for mining vulnerabilities provided in accordance with a second embodiment of the present invention;
FIG. 3 is a flow chart of another method for mining vulnerabilities provided in accordance with a third embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a vulnerability mining device according to a fourth embodiment of the present invention;
FIG. 5 is a schematic structural diagram of an electronic device according to a fifth embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. In the description of the present invention, unless otherwise indicated, "a plurality" means two or more. "And/or" describes an association between associated objects and indicates that three relationships are possible; for example, "A and/or B" may indicate: A exists alone, A and B exist together, or B exists alone. The character "/" generally indicates that the objects before and after it are in an "or" relationship. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
Fig. 1 is a flowchart of a vulnerability mining method according to the first embodiment of the present invention. The method is applicable to mining vulnerabilities in a program and may be performed by a vulnerability mining device, which may be implemented in hardware and/or software and may be configured in an electronic device; the electronic device may consist of two or more physical entities or of a single physical entity. The method can be implemented with angr, a binary analysis framework developed in Python, and can be applied to Linux-based in-vehicle (head unit) operating systems and the like.
Symbolic execution carries information through execution by maintaining a symbolic state and path constraints. The symbolic state can be understood as follows: a symbolic state α is maintained during symbolic execution, and α maps variables to symbolic expressions. The symbolic path constraint can be understood as a quantifier-free first-order formula over symbolic expressions. When symbolic execution begins, α may be initialized to an empty map and the symbolic path constraint may be initialized to true; both α and the symbolic path constraint are updated during symbolic execution. For example, when a branch statement of the program to be tested is encountered during symbolic execution, each branch is explored and the branch condition is added to the corresponding symbolic path constraint. If the symbolic path constraint is solvable, the path is reachable; if it is not solvable, the path is unreachable. A solvable symbolic path constraint can then be solved and updated to obtain a new symbolic path constraint and a new symbolic state.
As shown in fig. 1, the method for mining vulnerabilities provided in the first embodiment of the present invention specifically includes the following steps:
S101: determine, based on symbolic execution, whether a vulnerability feature exists in the program to be tested and the initial address corresponding to the vulnerability feature, and if so, determine the vulnerability according to the vulnerability feature, wherein the initial address is the jump address of the calling function associated with the vulnerability feature.
In this embodiment, before vulnerabilities are mined, the format of the program to be tested may be checked, and its compile-time security options may be checked, for example to check whether the program to be tested is suitable for the current system (for example, the Python-based angr platform), so as to determine whether vulnerability mining can be performed on it. If so, the symbolic execution environment can be started, and the binary code of the program to be tested is statically analyzed and converted into the VEX intermediate language. The execution tree of the program to be tested is then traversed using symbolic execution to determine whether the program has a vulnerability feature and the initial address corresponding to that feature. If it does, the program to be tested is determined to have a vulnerability, and information such as the vulnerability type is determined from the specific vulnerability feature. The initial state manager of the angr platform may hold information related to the running program, such as register values, memory values, the file system, and symbolic variables; the variables used in symbolic execution are not concrete numerical values but symbolic variables.
S102: output vulnerability information according to the vulnerability and the initial address.
In this embodiment, the initial address and the name of the vulnerability may be determined as the vulnerability information. A temporary JSON (JavaScript Object Notation) file can be created and the vulnerability information stored in it temporarily. When vulnerability mining has been performed on all program paths of the program to be tested, or the mining time limit (such as 200 minutes) is exceeded, the temporary JSON file is read back to obtain the feedback output of the vulnerability mining, and whether to print that feedback output can be chosen. This is because, when mining times out or path explosion occurs, vulnerability information that has already been mined is easily lost, so the feedback output is designed around the idea of saving each finding as soon as it is mined. The initial addresses may be stored in an array to record the address information, and a description string is generated from the array to mark the position of each jump address in the assembly code. The description string may include the function address or function name of the calling function associated with the vulnerability feature and may be used to identify that calling function.
In the vulnerability mining method provided by this embodiment of the invention, whether a vulnerability feature exists in the program to be tested, and the initial address corresponding to the vulnerability feature, are determined based on symbolic execution; if a vulnerability feature exists, the vulnerability is determined according to it, wherein the initial address is the jump address of the calling function associated with the vulnerability feature; and vulnerability information is output according to the vulnerability and the initial address. With this technical scheme, symbolic execution traverses each path in the program to be tested, the input data is made symbolic, and the execution of the program to be tested is abstracted into a constraint function. All paths of the program are thus analyzed for vulnerability features, the execution path (namely the initial address) on which a vulnerability exists is found, and vulnerability information can be obtained and output accordingly. The method has the advantage of high path coverage, greatly reduces the time spent on manual verification, and significantly improves both the efficiency and the effect of vulnerability mining.
Example 2
Fig. 2 is a flowchart of a method for mining vulnerabilities provided in a second embodiment of the present invention, where the technical solution of the embodiment of the present invention is further optimized based on the foregoing alternative technical solutions, and a specific manner for mining vulnerabilities in a program is provided.
Optionally, the determining, based on symbolic execution, whether a vulnerability feature exists in the program to be tested includes: traversing the heap addresses in the program to be tested using symbolic execution, and determining whether a heap address exists in the heap release management list array and the heap allocation management list array at the same time, wherein the heap release management list array is used for storing a first heap address returned by a heap allocation function, and the heap allocation management list array is used for storing a second heap address which is emptied; if so, determining "the heap address exists in the heap release management list array and the heap allocation management list array at the same time" as a first vulnerability feature. The determining the vulnerability according to the vulnerability feature includes: if the vulnerability features include the first vulnerability feature, determining that the vulnerabilities of the program to be tested include a pointer multiple-release vulnerability. The advantage of this arrangement is that, by judging whether a heap address exists in the heap release storage array and the heap allocation storage array at the same time, it can be accurately identified whether a pointer multiple-release vulnerability exists in the program to be tested.
Optionally, the determining, based on symbolic execution, whether a vulnerability feature exists in the program to be tested includes: traversing the first heap addresses in the heap release management list array, and determining whether a read operation or a write operation is performed on a first heap address; if so, determining "a read or write operation is performed on the first heap address" as a second vulnerability feature. The determining the vulnerability according to the vulnerability feature includes: if the vulnerability features include the second vulnerability feature, determining that the vulnerabilities of the program to be tested include a use-after-free vulnerability. The advantage of this arrangement is that, by judging whether a heap address in the heap release storage array is read or written, it can be accurately identified whether a use-after-free vulnerability exists in the program to be tested.
Optionally, the determining, based on symbolic execution, whether a vulnerability feature exists in the program to be tested includes: traversing first target data in the program to be tested using symbolic execution, and converting the first target data into symbolic-type variables, wherein the first target data is data that needs to be input externally; judging whether second target data corresponding to a memory address is a symbolic-type variable, and if so, determining "the data stored at the memory address is a symbolic-type variable" as a third vulnerability feature, wherein the second target data is data to be output. The determining the vulnerability according to the vulnerability feature includes: if the vulnerability features include the third vulnerability feature, determining that the vulnerabilities of the program to be tested include a format string vulnerability. The advantage of this arrangement is that, by making externally supplied data symbolic and judging whether the data in memory is a symbolic variable, it can be accurately identified whether a data variable is controlled by external input, that is, whether a format string vulnerability exists.
As shown in fig. 2, a method for mining vulnerabilities provided in the second embodiment of the present invention specifically includes the following steps:
S201: traverse the heap addresses in the program to be tested using symbolic execution and determine whether a heap address exists in the heap release management list array and the heap allocation management list array at the same time; if yes, execute step S202, and if no, execute step S203.
The heap release management list array is used for storing a first heap address returned by the heap allocation function, and the heap allocation management list array is used for storing a second heap address which is emptied.
In particular, a first-in last-out stack structure may be used to store heap addresses; the heap allocation management list array may be used to store heap addresses that have been allocated and not emptied, and the heap release management list array may be used to store heap addresses that have been emptied. For example, by hooking the heap allocation function, the heap address it returns may be stored in the heap allocation management list array, so that the address of each requested heap block is recorded. Then, before the heap release function executes, the hooked heap release function first determines whether the heap address to be released is legal, that is, whether it exists in the heap release management list array; if so, the heap addresses in the program to be tested are traversed directly to detect whether a heap address exists in the heap release management list array and the heap allocation management list array at the same time. If the current heap address exists in the heap allocation management list array, it can be moved into the heap release management list array.
S202: determine "the heap address exists in the heap release management list array and the heap allocation management list array at the same time" as the first vulnerability feature, determine the initial address corresponding to the first vulnerability feature, and determine that the vulnerabilities of the program to be tested include a pointer multiple-release vulnerability.
Specifically, if a heap address exists in the heap release management list array and the heap allocation management list array at the same time, the program to be tested has a Double Free condition, so "the heap address exists in the heap release management list array and the heap allocation management list array at the same time" can be determined as the first vulnerability feature and the initial address corresponding to that feature is recorded. Multiple releases of a pointer may be referred to as Double Free.
S203: traverse the first heap addresses in the heap release management list array and determine whether a read operation or a write operation is performed on a first heap address; if so, execute step S204, and if not, execute step S205.
Specifically, it can first be judged whether the heap release management list array is empty. If it is, this check is skipped; if not, the contents of the array are traversed, one (first) heap address is taken from the array each time, and it is checked against the memory read and write operations on the current execution path.
S204: determine "a read or write operation is performed on the first heap address" as the second vulnerability feature, determine the initial address corresponding to the second vulnerability feature, and determine that the vulnerabilities of the program to be tested include a use-after-free vulnerability.
Specifically, if a read or write operation on the first heap address is found, a UAF (Use After Free) vulnerability exists; "a read or write operation is performed on the first heap address" may then be determined as the second vulnerability feature, and the initial address corresponding to that feature is recorded.
S205: traverse the first target data in the program to be tested using symbolic execution, convert the first target data into symbolic-type variables, and judge whether the second target data corresponding to a memory address is a symbolic-type variable; if so, execute step S206, and if not, end.
The first target data is data which needs to be input externally.
Specifically, all data requiring external input in the program to be tested can be converted into symbolic-type variables through symbolic execution. During symbolic execution, whether a data variable is controlled by external input can be judged by checking whether the data stored at the memory address is a symbolic-type variable. For example, before the printf output function is called, the first parameter to be output may be checked first, to determine whether the content it points to contains a symbolic-type variable.
S206: determine "the data stored at the memory address is a symbolic-type variable" as the third vulnerability feature, determine the initial address corresponding to the third vulnerability feature, and determine that the vulnerabilities of the program to be tested include a format string vulnerability.
Specifically, if so, a format string vulnerability is indicated; "the data stored at the memory address is a symbolic-type variable" may be determined as the third vulnerability feature, and the initial address corresponding to that feature is recorded.
S207: output vulnerability information according to the vulnerability and the initial address.
Specifically, when all paths in the program to be tested have been traversed, the corresponding vulnerability information can be output. Besides the name of the vulnerability and the vulnerability path (i.e. the initial address), the output vulnerability information can contain the vulnerability number, available solutions of the symbolic path constraints, and the like. The available solutions may be obtained with a Z3 solver or the like.
In the vulnerability mining method provided by this embodiment, first, judging whether a heap address exists in the heap release storage array and the heap allocation storage array at the same time accurately identifies whether a pointer multiple-release vulnerability exists in the program to be tested. Next, judging whether a heap address in the heap release storage array is read or written accurately identifies whether a use-after-free vulnerability exists in the program to be tested. Finally, making externally supplied data symbolic and judging whether the data in memory is a symbolic variable accurately identifies whether a data variable is controlled by external input, that is, whether a format string vulnerability exists. The time spent on manual verification is greatly shortened, and the efficiency and effect of vulnerability mining are significantly improved.
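The bookkeeping of steps S201 to S207, together with the per-finding temporary JSON file of the first embodiment, can be modelled without a symbolic execution engine. The following is an added example, not code from the patent: the event trace, the class and function names, and the JSON field names are constructed for illustration, and two points are assumptions (a double free is reported when a release targets an address already in the release list, and a re-allocated address is removed from the release list).

```python
import json
import os
import tempfile

# Constructed trace of hook events on one execution path:
# (operation, call-site address, heap address or None, argument is symbolic).
SAMPLE_TRACE = [
    ("malloc", 0x401136, 0x602010, False),
    ("malloc", 0x401144, 0x602030, False),
    ("write",  0x401150, 0x602010, False),
    ("free",   0x40115c, 0x602010, False),
    ("read",   0x401168, 0x602010, False),  # access after release
    ("free",   0x401174, 0x602010, False),  # second release of the same chunk
    ("free",   0x401180, 0x602030, False),
    ("malloc", 0x40118c, 0x602030, False),  # allocator hands the chunk out again
    ("write",  0x401198, 0x602030, False),  # legitimate: chunk is live again
    ("printf", 0x4011a4, None, True),       # format argument is symbolic
    ("printf", 0x4011b0, None, False),      # constant format string
]


class HeapTracker:
    """Two-list heap bookkeeping with a checkpoint written per finding."""

    def __init__(self, checkpoint_path):
        self.allocated = []  # heap allocation management list (live chunks)
        self.released = []   # heap release management list (freed chunks)
        self.findings = []
        self.checkpoint_path = checkpoint_path

    def _report(self, name, call_site, heap_addr=None):
        finding = {"vulnerability": name, "initial_address": hex(call_site)}
        if heap_addr is not None:
            finding["heap_address"] = hex(heap_addr)
        self.findings.append(finding)
        # Persist immediately so a timeout or path explosion loses nothing.
        tmp_path = self.checkpoint_path + ".tmp"
        with open(tmp_path, "w", encoding="utf-8") as fh:
            json.dump(self.findings, fh, indent=2)
        os.replace(tmp_path, self.checkpoint_path)

    def on_event(self, op, call_site, heap_addr, symbolic):
        if op == "malloc":
            # Assumption: a reused chunk is live again, so it leaves the
            # release list and later accesses to it are not flagged.
            if heap_addr in self.released:
                self.released.remove(heap_addr)
            self.allocated.append(heap_addr)
        elif op == "free":
            if heap_addr in self.released:
                self._report("double free", call_site, heap_addr)
            elif heap_addr in self.allocated:
                self.allocated.remove(heap_addr)
                self.released.append(heap_addr)
            # Addresses in neither list are outside what the page describes.
        elif op in ("read", "write"):
            if heap_addr in self.released:
                self._report("use after free", call_site, heap_addr)
        elif op == "printf" and symbolic:
            self._report("format string", call_site)


def analyze(trace, checkpoint_path):
    """Feed every event to the tracker and return the findings in order."""
    tracker = HeapTracker(checkpoint_path)
    for event in trace:
        tracker.on_event(*event)
    return tracker.findings


def load_checkpoint(path):
    """Read back the temporary JSON file, as done after mining ends."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def run_sample():
    """Analyze the constructed trace and reload its checkpoint file."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "findings.json")
        findings = analyze(SAMPLE_TRACE, path)
        return findings, load_checkpoint(path)


if __name__ == "__main__":
    for item in run_sample()[0]:
        print(item)
```

In a real run the events would come from hooks on the allocation, release and output functions and from memory access breakpoints in the symbolic execution engine, with the call-site address taken from the state at the time of the hook.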
Example 3
Fig. 3 is a flowchart of another method for mining vulnerabilities provided in the third embodiment of the present invention, where the technical solution of the embodiment of the present invention is further optimized based on the foregoing alternative technical solutions, and another specific way for mining vulnerabilities in a program is provided.
Optionally, the determining, based on symbolic execution, whether a vulnerability feature exists in the program to be tested includes: traversing the execution tree paths of the program to be tested using symbolic execution, and determining whether the target address of a memory read or memory write operation is a symbolic-type address; if so, determining "the target address is a symbolic-type address" as a fourth vulnerability feature. The determining the vulnerability according to the vulnerability feature includes: if the vulnerability features include the fourth vulnerability feature, determining that the vulnerabilities of the program to be tested include an arbitrary address read/write vulnerability. The advantage of this arrangement is that, by judging whether the address of a memory read or memory write operation is symbolic, it can be accurately identified whether the address is controlled by external input, so that arbitrary address read/write vulnerabilities of the program to be tested can be mined.
Optionally, the determining, based on symbolic execution, whether a vulnerability feature exists in the program to be tested includes: traversing the registers in the program to be tested using symbolic execution, and determining whether the value of a register is a symbolic-type variable; if so, determining "the value of the register is symbolic" as a fifth vulnerability feature. The determining the vulnerability according to the vulnerability feature includes: if the vulnerability features include the fifth vulnerability feature, determining that the vulnerabilities of the program to be tested include a register assignment error vulnerability. The advantage of this arrangement is that, by judging whether the value in a register is symbolic, it can be accurately determined whether the register value has been erroneously modified, so that register assignment error vulnerabilities of the program to be tested can be mined.
Optionally, the outputting vulnerability information according to the vulnerability and the initial address includes: screening, from the initial addresses, target jump addresses that do not duplicate a historical vulnerability path, wherein a historical vulnerability path is a vulnerability path already determined in the current vulnerability mining; determining the target jump address as a new vulnerability path, determining the vulnerability corresponding to the target jump address as a target vulnerability, and outputting vulnerability information according to the total vulnerabilities and the total vulnerability paths, wherein the total vulnerability paths include the new vulnerability path and the historical vulnerability paths, and the total vulnerabilities include the target vulnerability and the historical vulnerabilities corresponding to the historical vulnerability paths. The advantage of this arrangement is that, by deduplicating the newly obtained vulnerability execution paths, the deduplicated target vulnerabilities and the total vulnerability paths can be obtained, without investing a large amount of manpower and material resources in vulnerability mining and deduplication.
As shown in fig. 3, another method for mining vulnerabilities provided in the third embodiment of the present invention specifically includes the following steps:
S301, traversing the heap addresses in the program to be tested by using symbolic execution, and determining whether a heap address exists in the heap release management list array and the heap allocation management list array at the same time; if yes, executing step S302; if not, executing step S303.
S302, determining "the heap address exists in the heap release management list array and the heap allocation management list array at the same time" as a first vulnerability feature, determining the initial address corresponding to the first vulnerability feature, and determining that the vulnerabilities of the program to be tested include a vulnerability in which a pointer is released multiple times.
S303, traversing the first heap addresses in the heap release management list array, and determining whether a read operation or a write operation is performed on a first heap address; if yes, executing step S304; if not, executing step S305.
S304, determining "a read or write operation is performed on the first heap address" as a second vulnerability feature, determining the initial address corresponding to the second vulnerability feature, and determining that the vulnerabilities of the program to be tested include a use-after-free vulnerability.
S305, traversing the first target data in the program to be tested by using symbolic execution, converting the first target data into symbolic variables, and judging whether the second target data corresponding to a memory address is a symbolic variable; if yes, executing step S306; if not, executing step S307.
S306, determining "the data stored at the memory address is a symbolic variable" as a third vulnerability feature, determining the initial address corresponding to the third vulnerability feature, and determining that the vulnerabilities of the program to be tested include a format string vulnerability.
S307, traversing the execution tree paths of the program to be tested by using symbolic execution, and determining whether the target address of a memory read or memory write operation is a symbolic address; if yes, executing step S308; if not, executing step S309.
Specifically, during symbolic execution, memory read and write operations may be recorded, where the objects read and written include addresses in memory, registers, file streams, and the like. During symbolic execution, each execution tree path of the program to be tested can be traversed to detect whether the target address of a memory read or memory write operation is a symbolic address.
S308, determining "the target address is a symbolic address" as a fourth vulnerability feature, determining the initial address corresponding to the fourth vulnerability feature, and determining that the vulnerabilities of the program to be tested include an arbitrary address read/write vulnerability.
Specifically, if yes, this indicates that the target address may be controlled by external input, so an arbitrary address read/write vulnerability may exist. "The target address is a symbolic address" may therefore be determined as the fourth vulnerability feature, and the initial address corresponding to this vulnerability feature may be recorded.
S309, traversing the registers in the program to be tested by using symbolic execution, and determining whether the value of a register is a symbolic variable; if yes, executing step S310; if not, ending.
For example, when traversing rip (the program counter register) in the program to be tested by using symbolic execution, it may first be determined whether the value in the register is valid, that is, whether the address the pointer holds is within the address range of the code segment. If not, this indicates that the value may have been hard-coded as an illegal address; if so, it may then be determined whether the value in the register is a symbolic variable. The values in registers such as rsp (the stack-top register) and rbp (the stack-base register) can then be checked in turn to determine whether they are symbolic variables.
Optionally, after "the value of the register is symbolized" is determined as the fifth vulnerability feature, the method further includes: determining whether a target variable can be symbolized by using a preset constraint solving mode, and if so, determining "the in-stack variable can be symbolized" as a sixth vulnerability feature, wherein the target variable is an in-stack variable other than the variables of the registers in the stack; wherein determining the vulnerability according to the vulnerability features includes: if the vulnerability features include the sixth vulnerability feature, determining that the vulnerabilities of the program to be tested include a stack overflow vulnerability. The advantage of this arrangement is that, because the value of the register is modified when a stack overflow is first detected, if execution continued the register would report an error directly, so that the path would be terminated immediately and the other hidden paths beneath it could not be explored further.
Specifically, when a stack overflow occurs, the variables in the stack are necessarily changed, so whether an overflow has occurred can be judged by checking the variables in the stack. Therefore, after it is determined that all the registers hold symbolic variables, it can be determined whether the in-stack variables other than the variables of the registers in the stack can be symbolized, and if so, it can be determined that a stack overflow vulnerability exists. "The in-stack variable can be symbolized" may be determined as the sixth vulnerability feature. If it is determined that symbolic variables exist in only some registers, it can be determined which of the registers holding symbolic variables are registers in the stack, and then whether the target variable can be symbolized.
S310, determining "the value of the register is symbolized" as a fifth vulnerability feature, determining the initial address corresponding to the fifth vulnerability feature, and determining that the vulnerabilities of the program to be tested include a register assignment error vulnerability.
Specifically, if a register is controlled by external input to the program, this indicates that an arbitrary address execution vulnerability exists, that is, a register assignment error vulnerability exists. "The value of the register is symbolized" may be determined as the fifth vulnerability feature, and the initial address corresponding to this vulnerability feature is recorded. For the stack-top register, if the register is symbolic, this may have been caused by a pop or ret instruction operating on data in the stack; for the stack-base register, if the register is symbolic, this may have been caused by a leave instruction operating on data in the stack.
S311, a target jump address which is not repeated with the history vulnerability path is screened from the initial address.
The historical vulnerability path is a determined vulnerability path in the vulnerability mining.
Specifically, the target jump address that does not duplicate a historical vulnerability path can be screened out in a preset manner. For example, the similarity between each initial address and the historical vulnerability paths is calculated, initial addresses with high similarity are removed, and initial addresses with low similarity are determined as target jump addresses.
Optionally, screening, from the initial addresses, a target jump address that does not duplicate a historical vulnerability path includes: determining the similarity between the initial address and the historical vulnerability paths by using an edit distance algorithm, and determining an initial address whose similarity is lower than a preset threshold as a target jump address.
Specifically, each time a new vulnerability path (i.e., an initial address) is determined, it may be compared with each element array in a global array, where the global array is used to store the historical vulnerability paths, that is, each element array in the global array holds one historical vulnerability path. Because a path is an ordered address sequence, it is not enough to compare the contents of the arrays; the order of the elements must also be considered. The similarity between the initial address and a historical vulnerability path can therefore be calculated with an edit distance algorithm: the smaller the minimum number of edit operations, the greater the similarity between the two. Retaining the initial addresses whose similarity is lower than the preset threshold yields the target jump addresses, which are the deduplicated vulnerability paths. The advantage of this arrangement is that, by taking the order of the address sequence into account, the edit distance algorithm determines the similarity between the initial address and the historical vulnerability paths accurately.
S312, determining the target jump address as a new vulnerability path, determining the vulnerability corresponding to the target jump address as a target vulnerability, and outputting vulnerability information according to the total vulnerability and the total vulnerability path.
The total vulnerability path comprises the new vulnerability path and the historical vulnerability path, and the total vulnerability comprises a target vulnerability and the historical vulnerability corresponding to the historical vulnerability path.
Specifically, the target jump address, the name of the target vulnerability, the historical vulnerability path and the name of the vulnerability corresponding to the historical vulnerability path may be determined as vulnerability information.
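The path screening of S311 and S312, as an added example that is not part of the patent text: it keeps a global list of historical vulnerability paths and accepts a new path only when its edit-distance similarity to every stored path is below a threshold. The similarity formula (1 minus distance divided by the longer length), the 0.75 threshold, all function and class names, and the sample addresses are assumptions constructed for illustration.

```python
"""Order-aware de-duplication of vulnerability paths (illustrative sketch)."""
from typing import Dict, List, Sequence, Tuple

Path = Tuple[int, ...]


def edit_distance(a: Sequence[int], b: Sequence[int]) -> int:
    """Levenshtein distance between two ordered address sequences."""
    if len(a) < len(b):
        a, b = b, a                      # keep the rolling row short
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, start=1):
        cur = [i]
        for j, y in enumerate(b, start=1):
            cur.append(min(
                prev[j] + 1,             # delete x
                cur[j - 1] + 1,          # insert y
                prev[j - 1] + (x != y),  # substitute, or match at no cost
            ))
        prev = cur
    return prev[-1]


def similarity(a: Sequence[int], b: Sequence[int]) -> float:
    """Assumed normalisation: 1.0 for identical paths, 0.0 for disjoint ones."""
    longest = max(len(a), len(b))
    if longest == 0:
        return 1.0                       # two empty paths are the same path
    return 1.0 - edit_distance(a, b) / longest


def set_overlap(a: Sequence[int], b: Sequence[int]) -> float:
    """Order-blind Jaccard overlap, kept only to show what it misses."""
    sa, sb = set(a), set(b)
    union = sa | sb
    return len(sa & sb) / len(union) if union else 1.0


class PathDeduplicator:
    """Global array of historical vulnerability paths plus the screening rule."""

    def __init__(self, threshold: float = 0.75) -> None:
        self.threshold = threshold
        self.history: List[Tuple[Path, str]] = []

    def best_match(self, path: Sequence[int]) -> float:
        """Highest similarity between `path` and any historical path."""
        return max((similarity(path, old) for old, _ in self.history),
                   default=0.0)

    def submit(self, path: Sequence[int], vulnerability: str) -> bool:
        """Store the path as new if its similarity is below the threshold."""
        if self.best_match(path) >= self.threshold:
            return False                 # duplicates a historical path
        self.history.append((tuple(path), vulnerability))
        return True

    def report(self) -> List[Dict[str, object]]:
        """Total vulnerabilities and total vulnerability paths."""
        return [{"vulnerability": name, "path": [hex(a) for a in path]}
                for path, name in self.history]


# Constructed sample paths (addresses are made up for the demonstration).
PATH_A: Path = (0x401136, 0x401180, 0x4011C2, 0x401210, 0x401255)
PATH_NEAR: Path = PATH_A[:-1] + (0x401259,)      # last hop differs
PATH_REVERSED: Path = tuple(reversed(PATH_A))    # same addresses, other order
PATH_OTHER: Path = (0x402000, 0x402044, 0x402090)

FINDINGS = [
    (PATH_A, "use after free"),
    (PATH_A, "use after free"),        # exact repeat
    (PATH_NEAR, "use after free"),     # similarity 0.8, above the threshold
    (PATH_REVERSED, "stack overflow"), # similarity 0.2, a distinct path
    (PATH_OTHER, "format string"),
]


def run_demo(threshold: float = 0.75):
    """Screen FINDINGS in order; return the accept flags and the report."""
    dedup = PathDeduplicator(threshold)
    flags = [dedup.submit(path, name) for path, name in FINDINGS]
    return flags, dedup.report()


if __name__ == "__main__":
    accepted, total = run_demo()
    print(accepted)
    for entry in total:
        print(entry)
```

Because the screening compares paths only, a finding of a different vulnerability type on a near-identical path is discarded together with true repeats.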
According to the vulnerability mining method provided by this embodiment, judging whether the address of a memory read or memory write operation is symbolized makes it possible to accurately identify whether the address is controlled by external input, so that arbitrary address read/write vulnerabilities of the program to be tested can be mined; and judging whether the value of a register is symbolized makes it possible to accurately determine whether the value of the register has been erroneously modified, so that register assignment error vulnerabilities of the program to be tested can be mined.
Example IV
Fig. 4 is a schematic structural diagram of a vulnerability mining device according to a fourth embodiment of the present invention. As shown in fig. 4, the device includes: a vulnerability determination module 401 and a vulnerability information output module 402, wherein:
the vulnerability determination module is used for determining, based on symbolic execution, whether a vulnerability feature and an initial address corresponding to the vulnerability feature exist in a program to be tested, and if so, determining the vulnerability according to the vulnerability feature, wherein the initial address is a jump address of a calling function associated with the vulnerability feature;
and the vulnerability information output module is used for outputting vulnerability information according to the vulnerability and the initial address.
According to the vulnerability mining device provided by this embodiment of the invention, each path in the program to be tested is traversed by using symbolic execution, the input data is symbolized, and the execution process of the program to be tested is abstracted into a constraint function, so that all paths of the program to be tested are analyzed for vulnerability features and the execution paths (namely, the initial addresses) that contain vulnerabilities are found; the vulnerability information can thus be obtained and output.
Optionally, the vulnerability determination module includes:
the first judging unit is used for traversing the heap addresses in the program to be tested by using symbolic execution, and determining whether a heap address exists in a heap release management list array and a heap allocation management list array at the same time, wherein the heap release management list array is used for storing a first heap address returned by a heap allocation function, and the heap allocation management list array is used for storing a second heap address which is emptied;
the first vulnerability feature determining unit is used for determining "the heap address exists in the heap release management list array and the heap allocation management list array at the same time" as a first vulnerability feature if the first judging unit returns that it exists in both at the same time;
and the first vulnerability determining unit is used for determining that the vulnerabilities of the program to be tested include a vulnerability in which a pointer is released multiple times if the vulnerability features include the first vulnerability feature.
Optionally, the vulnerability determination module includes:
the second judging unit is used for traversing the first heap addresses in the heap release management list array and determining whether a read operation or a write operation is performed on a first heap address;
the second vulnerability feature determining unit is used for determining "a read or write operation is performed on the first heap address" as a second vulnerability feature if the second judging unit returns yes;
and the second vulnerability determining unit is used for determining that the vulnerabilities of the program to be tested include a use-after-free vulnerability if the vulnerability features include the second vulnerability feature.
Optionally, the vulnerability determination module includes:
the third judging unit is used for traversing the first target data in the program to be tested by using symbolic execution, and converting the first target data into symbolic variables, wherein the first target data is data that needs to be input externally;
the third vulnerability feature determining unit is used for judging whether the second target data corresponding to a memory address is a symbolic variable, and if yes, determining "the data stored at the memory address is a symbolic variable" as a third vulnerability feature, wherein the second target data is data that needs to be output;
and the third vulnerability determining unit is used for determining that the vulnerabilities of the program to be tested include a format string vulnerability if the vulnerability features include the third vulnerability feature.
Optionally, the vulnerability determination module includes:
a fourth judging unit, configured to traverse the execution tree paths of the program to be tested by using symbolic execution, and determine whether the target address of a memory read or memory write operation is a symbolic address;
a fourth vulnerability feature determining unit, configured to determine "the target address is a symbolic address" as a fourth vulnerability feature if the fourth judging unit returns yes;
and a fourth vulnerability determining unit, configured to determine that the vulnerabilities of the program to be tested include an arbitrary address read/write vulnerability if the vulnerability features include the fourth vulnerability feature.
Optionally, the vulnerability determination module includes:
a fifth judging unit, configured to traverse the registers in the program to be tested by using symbolic execution, and determine whether the value of a register is a symbolic variable;
a fifth vulnerability feature determining unit, configured to determine "the value of the register is symbolized" as a fifth vulnerability feature if the fifth judging unit returns yes;
and a fifth vulnerability determining unit, configured to determine that the vulnerabilities of the program to be tested include a register assignment error vulnerability if the vulnerability features include the fifth vulnerability feature.
Optionally, the vulnerability determination module further includes:
a sixth vulnerability feature determining unit, configured to determine, after "the value of the register is symbolized" is determined as the fifth vulnerability feature, whether a target variable can be symbolized by using a preset constraint solving mode, and if so, determine "the in-stack variable can be symbolized" as a sixth vulnerability feature, wherein the target variable is an in-stack variable other than the variables of the registers in the stack;
and a sixth vulnerability determining unit, configured to determine that the vulnerabilities of the program to be tested include a stack overflow vulnerability if the vulnerability features include the sixth vulnerability feature.
Optionally, the vulnerability information output module includes:
the target address determining unit is used for screening, from the initial addresses, a target jump address that does not duplicate a historical vulnerability path, wherein a historical vulnerability path is a vulnerability path already determined in the vulnerability mining;
the vulnerability information output unit is used for determining the target jump address as a new vulnerability path, determining the vulnerability corresponding to the target jump address as a target vulnerability, and outputting vulnerability information according to the total vulnerabilities and the total vulnerability paths, wherein the total vulnerability paths include the new vulnerability path and the historical vulnerability paths, and the total vulnerabilities include the target vulnerability and the historical vulnerabilities corresponding to the historical vulnerability paths.
Optionally, screening, from the initial addresses, a target jump address that does not duplicate a historical vulnerability path includes: determining the similarity between the initial address and the historical vulnerability paths by using an edit distance algorithm, and determining an initial address whose similarity is lower than a preset threshold as a target jump address.
The vulnerability mining device provided by this embodiment of the invention can execute the vulnerability mining method provided by any embodiment of the invention, and has the functional modules and beneficial effects corresponding to the method executed.
Example five
Fig. 5 shows a schematic diagram of an electronic device 50 that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. Electronic equipment may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 5, the electronic device 50 includes at least one processor 51, and a memory, such as a Read Only Memory (ROM) 52, a Random Access Memory (RAM) 53, etc., communicatively connected to the at least one processor 51, in which the memory stores a computer program executable by the at least one processor, and the processor 51 may perform various appropriate actions and processes according to the computer program stored in the Read Only Memory (ROM) 52 or the computer program loaded from the storage unit 58 into the Random Access Memory (RAM) 53. In the RAM 53, various programs and data required for the operation of the electronic device 50 can also be stored. The processor 51, the ROM 52 and the RAM 53 are connected to each other via a bus 54. An input/output (I/O) interface 55 is also connected to bus 54.
Various components in the electronic device 50 are connected to the I/O interface 55, including: an input unit 56 such as a keyboard, a mouse, etc.; an output unit 57 such as various types of displays, speakers, and the like; a storage unit 58 such as a magnetic disk, an optical disk, or the like; and a communication unit 59 such as a network card, modem, wireless communication transceiver, etc. The communication unit 59 allows the electronic device 50 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunications networks.
The processor 51 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 51 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, digital Signal Processors (DSPs), and any suitable processor, controller, microcontroller, etc. The processor 51 performs the various methods and processes described above, such as the method of mining vulnerabilities.
In some embodiments, the method of mining vulnerabilities may be implemented as a computer program that is tangibly embodied on a computer-readable storage medium, such as storage unit 58. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 50 via the ROM 52 and/or the communication unit 59. When the computer program is loaded into RAM 53 and executed by processor 51, one or more steps of the method of mining vulnerabilities described above may be performed. Alternatively, in other embodiments, processor 51 may be configured to perform the method of mining vulnerabilities in any other suitable manner (e.g., by means of firmware).
Various implementations of the systems and techniques described here above may be implemented in digital electronic circuitry, integrated circuit systems, field Programmable Gate Arrays (FPGAs), application Specific Integrated Circuits (ASICs), application Specific Standard Products (ASSPs), systems On Chip (SOCs), load programmable logic devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implemented in one or more computer programs, the one or more computer programs may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for carrying out methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be implemented. The computer program may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
The computer equipment provided by the embodiment can be used for executing the vulnerability mining method provided by any embodiment, and has corresponding functions and beneficial effects.
Example five
In the context of the present invention, a computer-readable storage medium may be a tangible medium that, when executed by a computer processor, is configured to perform a method of mining vulnerabilities, the method comprising:
determining, based on symbolic execution, whether a vulnerability feature and an initial address corresponding to the vulnerability feature exist in a program to be tested, and if so, determining the vulnerability according to the vulnerability feature, wherein the initial address is a jump address of a calling function associated with the vulnerability feature;
and outputting vulnerability information according to the vulnerability and the initial address.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer equipment provided by the embodiment can be used for executing the vulnerability mining method provided by any embodiment, and has corresponding functions and beneficial effects.
It should be noted that, in the embodiment of the vulnerability mining device, the units and modules included are divided only according to functional logic, and the division is not limited to the above so long as the corresponding functions can be implemented; in addition, the specific names of the functional units are only for distinguishing them from each other, and are not used to limit the protection scope of the present invention.
Note that the above is only a preferred embodiment of the present invention and the technical principle applied. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, while the invention has been described in connection with the above embodiments, the invention is not limited to the embodiments, but may be embodied in many other equivalent forms without departing from the spirit or scope of the invention, which is set forth in the following claims.

Claims (11)

1. A method for mining vulnerabilities, comprising:
determining, based on symbolic execution, whether a vulnerability feature and an initial address corresponding to the vulnerability feature exist in a program to be tested, and if so, determining the vulnerability according to the vulnerability feature, wherein the initial address is a jump address of a calling function associated with the vulnerability feature;
and outputting vulnerability information according to the vulnerability and the initial address.
2. The method of claim 1, wherein determining whether the vulnerability feature exists in the program to be tested based on symbolic execution comprises:
traversing the heap addresses in the program to be tested by using symbolic execution, and determining whether a heap address exists in a heap release management list array and a heap allocation management list array at the same time, wherein the heap release management list array is used for storing a first heap address returned by a heap allocation function, and the heap allocation management list array is used for storing a second heap address which is emptied;
if the heap address exists in both at the same time, determining "the heap address exists in the heap release management list array and the heap allocation management list array at the same time" as a first vulnerability feature;
wherein determining the vulnerability according to the vulnerability feature comprises: if the vulnerability features include the first vulnerability feature, determining that the vulnerabilities of the program to be tested include a vulnerability in which a pointer is released multiple times.
3. The method of claim 1, wherein determining whether the vulnerability feature exists in the program to be tested based on symbolic execution comprises:
traversing the first heap addresses in a heap release management list array, and determining whether a read operation or a write operation is performed on a first heap address;
if yes, determining "a read or write operation is performed on the first heap address" as a second vulnerability feature;
wherein determining the vulnerability according to the vulnerability feature comprises: if the vulnerability features include the second vulnerability feature, determining that the vulnerabilities of the program to be tested include a use-after-free vulnerability.
4. The method of claim 1, wherein determining whether the vulnerability feature exists in the program to be tested based on symbolic execution comprises:
traversing the first target data in the program to be tested by using symbolic execution, and converting the first target data into symbolic variables, wherein the first target data is data that needs to be input externally;
judging whether the second target data corresponding to a memory address is a symbolic variable, and if so, determining "the data stored at the memory address is a symbolic variable" as a third vulnerability feature, wherein the second target data is data to be output;
wherein determining the vulnerability according to the vulnerability feature comprises: if the vulnerability features include the third vulnerability feature, determining that the vulnerabilities of the program to be tested include a format string vulnerability.
5. The method of claim 1, wherein determining whether the vulnerability feature exists in the program to be tested based on symbolic execution comprises:
traversing the execution tree paths of the program to be tested by using symbolic execution, and determining whether the target address of a memory read or memory write operation is a symbolic address;
if yes, determining "the target address is a symbolic address" as a fourth vulnerability feature;
wherein determining the vulnerability according to the vulnerability feature comprises: if the vulnerability features include the fourth vulnerability feature, determining that the vulnerabilities of the program to be tested include an arbitrary address read/write vulnerability.
6. The method of claim 1, wherein determining whether the vulnerability characteristics exist in the program under test based on the symbolic execution comprises:
traversing the registers in the program to be tested by using symbolic execution, and determining whether the value of a register is a symbolic variable;
if yes, determining the symbolization of the register value as a fifth vulnerability characteristic;
wherein determining the vulnerability according to the vulnerability characteristics comprises: if the vulnerability characteristics comprise the fifth vulnerability characteristic, determining that the vulnerability of the program to be tested comprises a register assignment error vulnerability.
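The checks in claims 4 to 6 can be seen on a single execution path with the added example below, which is not code from the patent. The toy instruction set, register names and addresses are constructed, the program-counter register is assumed to be the register checked for the fifth characteristic, and branching and constraint solving are left out.

```python
from collections import namedtuple

Sym = namedtuple("Sym", "expr")   # a value derived from external input

def add(a, b):
    """Concrete operands fold to an int; a symbolic operand keeps the sum symbolic."""
    if isinstance(a, Sym) or isinstance(b, Sym):
        return Sym(f"({getattr(a, 'expr', a)} + {getattr(b, 'expr', b)})")
    return a + b

# Feature numbers follow the claims; values are the claimed vulnerability types.
CLASSES = {3: "format string", 4: "arbitrary address read/write",
           5: "register assignment error"}

def find_features(program):
    """Execute one path; return [(instruction address, feature, class), ...]."""
    regs, mem, found = {}, {}, []
    def flag(addr, value, feature):
        if isinstance(value, Sym):
            found.append((addr, feature, CLASSES[feature]))
        return isinstance(value, Sym)
    for addr, (op, *a) in program:
        if op == "input":                    # externally supplied data
            regs[a[0]] = Sym(f"in_{addr:#x}")
        elif op == "const":
            regs[a[0]] = a[1]
        elif op == "add":
            regs[a[0]] = add(regs[a[1]], regs[a[2]])
        elif op == "load":                   # a = [dst, address register]
            t = regs[a[1]]
            regs[a[0]] = Sym(f"mem[{t.expr}]") if flag(addr, t, 4) else mem.get(t, 0)
        elif op == "store":                  # a = [address register, src]
            if not flag(addr, regs[a[0]], 4):
                mem[regs[a[0]]] = regs[a[1]]
        elif op == "output":                 # data handed to an output call
            flag(addr, regs[a[0]], 3)
        elif op == "jump":                   # indirect jump: register -> pc
            regs["pc"] = regs[a[0]]
            flag(addr, regs["pc"], 5)
    return found

SAMPLE = [  # constructed program in the toy IR: (address, instruction)
    (0x1000, ("input", "r0")),
    (0x1004, ("const", "r1", 0x2000)),
    (0x1008, ("store", "r1", "r0")),      # concrete address: no finding
    (0x100c, ("add", "r2", "r1", "r0")),  # base + external input
    (0x1010, ("load", "r3", "r2")),       # symbolic address
    (0x1014, ("output", "r0")),           # symbolic data reaches output
    (0x1018, ("jump", "r3")),             # symbolic value reaches pc
]
```

Each finding carries the address of the instruction that triggered it, standing in for the initial address that the claims pair with every vulnerability characteristic.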
7. The method of claim 6, further comprising, after determining the symbolization of the register value as a fifth vulnerability characteristic:
determining, by using a preset constraint solving mode, whether a target variable can be symbolized, and if so, determining the symbolization of the variable in the stack as a sixth vulnerability characteristic, wherein the target variable is a variable in the stack other than the register variables in the stack;
wherein determining the vulnerability according to the vulnerability characteristics comprises: if the vulnerability characteristics comprise the sixth vulnerability characteristic, determining that the vulnerability of the program to be tested comprises a stack overflow vulnerability.
8. The method of claim 1, wherein outputting vulnerability information based on the vulnerability and the initial address comprises:
screening, from the initial addresses, a target jump address that does not repeat a historical vulnerability path, wherein the historical vulnerability path is a vulnerability path already determined in the vulnerability mining;
determining the target jump address as a new vulnerability path, determining the vulnerability corresponding to the target jump address as a target vulnerability, and outputting vulnerability information according to the total vulnerabilities and the total vulnerability paths, wherein the total vulnerability paths comprise the new vulnerability path and the historical vulnerability path, and the total vulnerabilities comprise the target vulnerability and the historical vulnerabilities corresponding to the historical vulnerability path;
wherein screening, from the initial addresses, the target jump address that does not repeat a historical vulnerability path comprises:
determining the similarity between the initial address and the historical vulnerability path by using an edit distance algorithm, and determining the initial address whose similarity is lower than a preset threshold value as a target jump address.
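The screening step of claim 8 can be sketched as follows. This is an added example, not code from the patent: it assumes each initial address is recorded as the sequence of jump addresses leading to the finding, that similarity is the edit distance normalised by the longer sequence, and that the threshold is 0.7; the addresses are constructed.

```python
def edit_distance(a, b):
    """Levenshtein distance between two sequences of jump addresses."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # delete x
                           cur[j - 1] + 1,           # insert y
                           prev[j - 1] + (x != y)))  # substitute x by y
        prev = cur
    return prev[-1]

def similarity(a, b):
    """1.0 for identical sequences, 0.0 for none in common (assumed normalisation)."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - edit_distance(a, b) / longest

def screen(candidates, history, threshold):
    """Return (new vulnerability paths, total paths = history + new)."""
    new_paths, total = [], list(history)
    for vuln, path in candidates:
        best = max((similarity(path, old) for _, old in total), default=0.0)
        if best < threshold:      # below the preset threshold: not a repeat
            new_paths.append((vuln, path))
            total.append((vuln, path))
    return new_paths, total

# Constructed sample data: (vulnerability, jump-address sequence).
HISTORY = [("stack overflow", (0x401000, 0x401120, 0x4013a0, 0x401500))]
CANDIDATES = [
    ("stack overflow", (0x401000, 0x401120, 0x4013a0, 0x401508)),  # near repeat
    ("use after free", (0x402000, 0x402040, 0x4013a0)),            # distinct path
]

if __name__ == "__main__":
    new, total = screen(CANDIDATES, HISTORY, threshold=0.7)
    for vuln, path in new:
        print(vuln, [hex(p) for p in path])
```

Comparing each candidate against the running total rather than only the original history also suppresses repeats that arrive within the same batch.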
9. An apparatus for mining vulnerabilities, comprising:
a vulnerability determining module, configured to determine, based on symbolic execution, whether vulnerability characteristics and initial addresses corresponding to the vulnerability characteristics exist in a program to be tested, and if the vulnerability characteristics exist, to determine the vulnerability according to the vulnerability characteristics, wherein the initial addresses are jump addresses of calling functions associated with the vulnerability characteristics;
and the vulnerability information output module is used for outputting vulnerability information according to the vulnerability and the initial address.
10. An electronic device, the electronic device comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the method of mining vulnerabilities of any of claims 1-8.
11. A computer readable storage medium storing computer instructions for causing a processor to perform the method of mining vulnerabilities of any of claims 1-8.
CN202310603985.6A 2023-05-26 2023-05-26 Vulnerability mining method, device, equipment and storage medium Pending CN116578991A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310603985.6A CN116578991A (en) 2023-05-26 2023-05-26 Vulnerability mining method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116578991A (en) 2023-08-11

Family

ID=87533838

Country Status (1)

Country Link
CN (1) CN116578991A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination