CN116628694B - Deserialization 0day security risk defense method, device and equipment - Google Patents


Info

Publication number: CN116628694B
Application number: CN202310918994.4A
Authority: CN (China)
Original language: Chinese (zh)
Other versions: CN116628694A
Inventors: 陈群华, 王滨, 万里
Assignee: Hangzhou Hikvision Digital Technology Co Ltd
Legal status: Active (granted)

Classifications

    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F11/302 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system
    • G06F11/3051 Monitoring arrangements for monitoring the configuration of the computing system or of the computing system component, e.g. monitoring the presence of processing resources, peripherals, I/O links, software programs
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/563 Static detection by source code analysis
    • G06F8/53 Decompilation; Disassembly
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1475 Passive attacks, e.g. eavesdropping or listening without modification of the traffic monitored
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management


Abstract

The application provides a deserialization 0day security risk defense method, device and equipment. The method comprises the following steps: during the running of a service system implemented in Java, monitoring the running state of the service system with a Java probe; performing deserialization attack judgment according to the information monitored by the Java probe and the judgment rule corresponding to a specified deserialization attack mode, where the judgment rule corresponding to the specified deserialization attack mode is set according to the attack characteristics of that mode; and performing deserialization attack defense processing when a deserialization attack is determined to exist. The method can efficiently implement deserialization zero-day (0day) security risk defense.

Description

Deserialization 0day security risk defense method, device and equipment
Technical Field
The present application relates to the field of software technology, and in particular to a method, an apparatus and a device for deserialization 0day security risk defense.
Background
Currently, Java (an object-oriented programming language) projects are widely used and reuse more and more open source software. While this brings convenience, it also introduces many security risks, among which arbitrary command execution through deserialization can be said to be the most deadly. Most current cases are defended by a restricted object list or a trusted object list set by the software provider, but in fact such an approach does not prevent similar 0day security risks from appearing again.
Therefore, how to effectively defend against such 0day security risks is a technical problem to be solved.
Disclosure of Invention
In view of the above, the present application provides a method, an apparatus and a device for deserialization 0day security risk defense.
Specifically, the application is realized by the following technical scheme:
According to a first aspect of the embodiments of the present application, there is provided a deserialization 0day security risk defense method, including:
during the running of a service system implemented in Java, monitoring the running state of the service system with a Java probe, where the Java probe is set in the Java function library for the Java functions associated with a specified deserialization attack mode;
performing deserialization attack judgment according to the information monitored by the Java probe and the judgment rule corresponding to the specified deserialization attack mode, where the judgment rule corresponding to the specified deserialization attack mode is set according to the attack characteristics of that mode;
and performing deserialization attack defense processing when a deserialization attack is determined to exist.
According to a second aspect of the embodiments of the present application, there is provided a deserialization zero-day (0day) security risk defense device, including:
a monitoring unit, configured to monitor the running state of a service system implemented in Java with a Java probe during the running of the service system, where the Java probe is set in the Java function library for the Java functions associated with a specified deserialization attack mode;
a judging unit, configured to perform deserialization attack judgment according to the information monitored by the Java probe and the judgment rule corresponding to the specified deserialization attack mode, where the judgment rule corresponding to the specified deserialization attack mode is set according to the attack characteristics of that mode;
and a defending unit, configured to perform deserialization attack defense processing when a deserialization attack is determined to exist.
According to a third aspect of the embodiments of the present application, there is provided an electronic device comprising a processor and a memory, wherein
the memory is configured to store a computer program;
and the processor is configured to implement the method provided in the first aspect when executing the program stored in the memory.
According to the deserialization 0day security risk defense method of the present application, a Java probe is set in the Java function library for the Java function associated with a specified deserialization attack mode, and a judgment rule corresponding to that mode is set according to its attack characteristics. During the running of a service system implemented in Java, the Java probe monitors the running state of the service system, deserialization attack judgment is performed according to the information monitored by the probe and the judgment rule, and deserialization attack defense processing is performed when a deserialization attack is determined to exist. This realizes automatic identification of deserialization attacks at the bottom layer (by monitoring the Java functions in the Java function library), so the upper layer need not care which specific component is involved; moreover, attack behaviour is analyzed from the earliest stage at which it can appear, rather than waiting until the real attack has happened and analyzing it afterwards, so deserialization zero-day (0day) security risk defense is effectively realized.
Drawings
FIG. 1 is a flow chart of a deserialization zero-day (0day) security risk defense method according to an exemplary embodiment of the present application;
FIG. 2 is a diagram illustrating a deserialization attack detection scheme in the invoke scenario according to an exemplary embodiment of the present application;
FIG. 3 is a diagram illustrating a deserialization attack detection scheme in the readObject scenario according to an exemplary embodiment of the present application;
FIG. 4 is a diagram illustrating a deserialization attack detection scheme in the forName scenario according to an exemplary embodiment of the present application;
FIG. 5 is a diagram illustrating a deserialization attack detection scheme in the URLClassLoader scenario according to an exemplary embodiment of the present application;
FIG. 6 is a schematic diagram of a deserialization zero-day (0day) security risk defense apparatus according to an exemplary embodiment of the present application;
FIG. 7 is a schematic diagram of the hardware structure of an electronic device according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the application. Rather, they are merely examples of apparatus and methods consistent with aspects of the application as detailed in the accompanying claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
In order to enable those skilled in the art to better understand the technical solutions provided by the embodiments of the present application, some technical terms related to the embodiments of the present application are explained below.
1. Java serialization: the process of converting the attributes or methods of a Java object into a byte sequence. In the broad sense, the byte sequence also includes json (JavaScript Object Notation), xml (eXtensible Markup Language) and the like; the serialized data is typically stored in a file or a database.
2. Java deserialization (deserialization for short): the process of recovering a Java object from a Java byte sequence. The recovered Java object may be called by other logic, which triggers the execution of functions in the Java object; therefore, if the Java byte sequence comes from the outside, a malicious user may use it to attack the system.
3. Java probe: a Java probe uses hook technology to dynamically modify the corresponding function or attribute when the class bytecode is loaded into the JVM (Java virtual machine) through the class loader. Typically, a function call is added at the first line of the function to monitor its input parameters (arguments), or a function call is added at the last line of the function to monitor its return information.
4. 0day security risk: a security risk that is exploited immediately after it is discovered. Colloquially, the related malicious program appears within the same day that the flaw (and its security patch) becomes public. Such attacks tend to be very sudden and damaging.
5. Java wrapper stream: a stream that re-processes an original byte stream or character stream in order to improve read/write efficiency is called a wrapper stream (processing stream); unwrapping is the process of reversely obtaining the values from the original stream object by means of the reflection mechanism.
In order to make the above objects, features and advantages of the embodiments of the present application more comprehensible, the following describes the technical solution of the embodiments of the present application in detail with reference to the accompanying drawings.
It should be noted that the sequence numbers of the steps in the embodiments of the present application do not imply their execution order; the execution order of each process should be determined by its function and internal logic, and the numbering should not limit the implementation of the embodiments of the present application.
Referring to FIG. 1, a flow chart of a deserialization zero-day (0day) security risk defense method provided by an embodiment of the present application, the method may include the following steps:
Step S100: during the running of a service system implemented in Java, monitoring the running state of the service system with a Java probe; the Java probe is set in the Java function library for the Java functions associated with a specified deserialization attack mode.
In the embodiments of the present application, in order to realize deserialization 0day security risk defense at the bottom layer, a Java probe can be set in the Java function library, according to a specified deserialization attack mode, for the Java function associated with that mode, so that deserialization 0day security risks are detected from the bottom layer.
During the running of a service system implemented in Java (hereinafter simply the service system), the Java probe so set can be used to monitor the running state of the service system.
By way of example, the specified deserialization attack mode may include, but is not limited to, one or more of an invoke mode, a readObject mode, a forName mode and a URLClassLoader mode.
In one example, the specified deserialization attack mode may include at least two of the invoke mode, the readObject mode, the forName mode, the URLClassLoader mode and the like, so that deserialization 0day security risks can be detected in several different scenarios and the running security of the service system is better improved.
For example, the specified deserialization attack mode may include the invoke mode, the readObject mode, the forName mode and the URLClassLoader mode, i.e. deserialization 0day security risks are detected from 4 different scenarios.
Step S110: performing deserialization attack judgment according to the information monitored by the Java probe and the judgment rule corresponding to the specified deserialization attack mode; the judgment rule corresponding to the specified deserialization attack mode is set according to the attack characteristics of that mode.
In the embodiments of the present application, in order to realize automatic identification of deserialization attacks, the judgment rule corresponding to the specified deserialization attack mode can be set according to the attack characteristics of that mode, so that deserialization attack judgment can be performed according to the rule so set.
Accordingly, during the running of the service system implemented in Java, deserialization attack judgment can be performed according to the information monitored by the Java probe and the judgment rule corresponding to the specified deserialization attack mode, so as to determine whether the specified deserialization attack behaviour (that is, deserialization attack behaviour of the specified deserialization attack mode) exists.
Step S120: performing deserialization attack defense processing when a deserialization attack exists.
In the embodiments of the present application, when the existence of a deserialization attack is determined in the above manner, that is, the specified deserialization attack behaviour exists, deserialization attack defense processing can be performed.
Illustratively, deserialization attack defense processing may include, but is not limited to, raising an alarm and/or intercepting the specified deserialization attack.
It can be seen that in the method flow shown in FIG. 1, a Java probe is set in the Java function library for the Java function associated with a specified deserialization attack mode, and a judgment rule corresponding to that mode is set according to its attack characteristics; during the running of a service system implemented in Java, the Java probe monitors the running state of the service system, deserialization attack judgment is performed according to the information monitored by the probe and the judgment rule, and deserialization attack defense processing is performed when a deserialization attack is determined to exist. This realizes automatic identification of deserialization attacks at the bottom layer (by monitoring the Java functions in the Java function library), so the upper layer need not care which specific component is involved; moreover, attack behaviour is analyzed from the earliest stage at which it can appear, rather than waiting until the real attack has happened and analyzing it afterwards, so deserialization zero-day (0day) security risk defense is effectively realized.
In some embodiments, the function associated with the invoke mode includes the invoke function, and the Java probe set for the invoke function is used to monitor the caller and the actual method name when the invoke function runs.
Illustratively, invoke is a function of the reflection class java.lang.reflect.Method with two parameters: the first is the actual object (the caller), the second is the actual argument list. Thus the Java probe for this scenario needs to be placed in the invoke function to monitor the name of the caller and the specific method.
The invoke function is a method of that class; its first parameter is obj (the object, which in actual use is the class, a class being a set of objects), and its second parameter is args (the arguments). The method invoked through invoke is a method of the class, so the invoke function can be understood as invoke(class, method), which amounts to passing parameters to a method of the class.
Here, the reflection class java.lang.reflect.Method is a class in the Java programming language used to describe a method of a class or interface. The information of a method defined in a class or interface can be obtained and manipulated through a Method object.
In Java, the reflection mechanism can dynamically obtain class or interface information at runtime and invoke their methods without knowing the class name in advance. The Method class plays an important role in this process and mainly provides the following functions:
1) obtaining information such as the name, return type and parameter types of the method;
2) invoking the method reflectively and passing the method arguments;
3) obtaining the modifiers of the method, and so on.
In some embodiments, the functions associated with the readObject mode include the readObject function and the getInputStream function; the Java probe set for the readObject function is used to monitor the actual stream type when the readObject function runs, and the Java probe set for the getInputStream function is used to monitor the returned stream object.
Illustratively, readObject is a function of java.io.ObjectInputStream that mainly deserializes the incoming stream object. This scenario requires a hook in the readObject function (i.e. setting a Java probe) to monitor the actual stream type at runtime, and a hook in the getInputStream function of javax.servlet.ServletRequestWrapper to record the returned stream object.
Here, the java.io.ObjectInputStream.readObject() method reads an object from the ObjectInputStream: the class of the object, the signature of the class, and the values of the non-transient and non-static fields of the class and all its supertypes are read. The default deserialization of a class may be overridden with the writeObject and readObject methods. Objects referenced by this object are read transitively, so readObject reconstructs the complete equivalent object graph.
ObjectInputStream is a subclass of the InputStream class in Java that is used to deserialize a byte stream into objects. When a serialized object needs to be read from a byte stream, an ObjectInputStream object can be used to do so.
InputStream is the abstract parent of all input streams in Java; it defines some basic methods, such as read(), skip() and available(), for reading data from an input stream.
getInputStream() is a method of the URLConnection class in Java that obtains the input stream of the resource opened by this URL connection. The method returns an InputStream object that can be used to read the resource associated with the URL.
URLConnection is a connection object in Java representing an opened connection to a URL; it can be used to obtain resources such as the input stream and output stream of the URL, and some connection parameters can be configured on it.
In some embodiments, the function associated with the forName mode includes the forName function, and the Java probe set for the forName function is used to monitor the class name in the input parameter when forName runs.
Illustratively, forName is a function of java.lang.Class that obtains the corresponding Class object (the class itself is also an object) from a class name; in this scenario, the forName function is hooked to determine the class name of the incoming argument.
The Java Class class is an important class in the Java language. It represents an instance of a class or an interface and can be used to obtain related information such as the class information, its attributes and its methods. Every class has a corresponding Class instance through which all information of the class can be obtained and reflected upon.
In some embodiments, the function associated with the URLClassLoader mode includes the URLClassLoader function, and the Java probe set for the URLClassLoader function is used to monitor the input parameter of the URLClassLoader function when it runs.
Illustratively, java.net.URLClassLoader loads remote objects mainly through a URL (Uniform Resource Locator) parameter, which may be local or external; the deserialization attack in this scenario essentially loads external resources through URLClassLoader. Thus this scenario requires a hook on the URLClassLoader function to monitor its input parameter when it runs.
Here, URLClassLoader is a class loader in Java that can be used to load classes or resources from specified URLs. When a class under a specified directory needs to be loaded dynamically, this can be done with a URLClassLoader. This class loader is typically used to load classes from external resources, such as Jar packages and class files downloaded over a network.
In some embodiments, the specified deserialization attack mode includes the invoke mode;
the judgment rule corresponding to the invoke mode includes: the caller when the invoke function runs is java.lang.ProcessBuilder and the actual method name is start; or, the caller when the invoke function runs is java.
Illustratively, since start and exec are functions that execute system commands, and such functions are not normally initiated by reflection, it may be determined that a deserialization attack exists in the case where the caller of the invoke function is java.
Here, ProcessBuilder is a class in Java used to create a process. It provides a way to create and manipulate processes and interact with them, and can be used to perform tasks such as executing local or remote commands and running Shell scripts.
Runtime is a class in the Java standard library that provides some means to execute system commands, obtain system information, and so on.
In some embodiments, the specified deserialization attack mode includes the readObject mode;
the judgment rule corresponding to the readObject mode includes: a deserialization attack is determined to exist when the hashcode of any one of the objects obtained by unwrapping the current entity at the time the readObject function runs also exists in the hash pool (hashpools) of the memory pool; the hashcodes in the hash pool include the hashcode of the stream object returned by the getInputStream function.
In this scenario, on the one hand, the current entity when the readObject function runs, that is, the ObjectInputStream (which is a wrapper class), can be monitored by a Java probe; that current entity can be unwrapped to obtain three objects, namely a BlockDataInputStream, a PeekInputStream and a BufferedInputStream, and the hashcode (hash code) of each of the three objects can be determined. On the other hand, the stream object returned by the getInputStream function can be monitored by a probe, its hashcode determined, and the determined hashcode stored in the hash pool (hashpools) of the memory pool.
If the hashcode of any one of the objects obtained by unwrapping the current entity when the readObject function runs is also present in the hash pool of the memory pool, it may be determined that a deserialization attack exists.
BlockDataInputStream is a utility class in the Java IO standard library for reading data blocks; it can read data blocks efficiently and also supports cross-platform serialization and deserialization.
PeekInputStream is an extension class in the Java IO standard library that allows a program to look at the next byte in the stream without consuming it.
BufferedInputStream is a buffered input stream class in the Java IO standard library that improves the efficiency with which a program reads data from an input stream.
In some embodiments, the specified deserialization attack manner includes a forName manner;
the decision rule corresponding to the forName mode includes: in the case that the class name of the input parameter when the forName function runs is java.
For example, since the reflection mode is not generally used for the use of the class of "java.lang.processbuilder" or "java.lang.runtime" in this scenario, in the case that the entry in the for name function is "java.lang.processbuilder" or "java.lang.runtime", it belongs to dangerous behavior, and it can be determined that there is a deserialization attack.
In some embodiments, the specified deserialization attack mode includes a URLClassLoader mode;
the determination rule corresponding to the URLClassLoader mode includes: determining that a deserialization attack exists in the case that the input parameter of the URLClassLoader function at run time is an external untrusted address.
For this scenario, by way of example, since it is not normally necessary to load a class from a remote location into the local environment, if the input parameter of the URLClassLoader function at run time is an external untrusted address, it is with high probability an attack behavior, and it can be determined that a deserialization attack exists.
In some embodiments, performing the deserialization attack defense processing in the case where it is determined that a deserialization attack exists may include:
in the case that the running duration of the service system does not exceed a preset duration, performing alarm processing;
and in the case that the running duration of the service system exceeds the preset duration, intercepting the deserialization attack behavior.
For example, considering that while the service system has been running only a short time a deserialization attack may be falsely reported for some special reason, the determined deserialization attack behavior can be alarmed on but not intercepted during that early period, so as to improve the running stability of the service system.
Correspondingly, when it is determined that a deserialization attack exists, the current running duration of the service system can be compared with the preset duration.
In the case that the running duration of the service system does not exceed the preset duration, alarm processing is performed; in the case that the running duration of the service system exceeds the preset duration, the deserialization attack behavior is intercepted.
The preset duration may be set according to the requirements of the actual scenario, for example according to the access volume of the service system. For a service system with a larger access volume, the preset duration can be set shorter, such as 3 days or 5 days; for a service system with a smaller access volume, it may be set longer, for example 1 month.
In an example, when the deserialization attack is a deserialization attack in the URLClassLoader mode and the running duration of the service system does not exceed the preset duration, the method may further include:
outputting alarm information, where the alarm information includes the input parameter when the URLClassLoader function runs;
according to a detected trusted object list setting instruction for the input parameter, adding the input parameter to the trusted object list; where the trusted object list setting instruction is input by a user who has determined that the input parameter is a trusted address.
Illustratively, for deserialization in the URLClassLoader mode, classes may legitimately be loaded from external trusted addresses into the local environment, so external trusted addresses can be identified by maintaining a trusted object list.
In order to avoid false alarms caused by an incomplete trusted object list, when the deserialization attack is one in the URLClassLoader mode and the running duration of the service system does not exceed the preset duration, an alarm can be raised and alarm information output.
By way of example, the alarm information may include the input parameter at the time the URLClassLoader function runs, i.e. the url being loaded, so that the relevant person can determine whether that url is trusted.
The relevant person may add the input parameter to the list of trusted objects in case it is determined that the input parameter is a trusted address.
Accordingly, in the case where a trusted object list setting instruction for the input parameter is detected, the input parameter may be added to the trusted object list in accordance with the detected trusted object list setting instruction for the input parameter.
In order to enable those skilled in the art to better understand the technical solution provided by the embodiments of the present application, the technical solution provided by the embodiments of the present application is described below in conjunction with a specific scenario.
In this embodiment, the java-probe-based deserialization zero-day (0day) security risk defense scheme may mainly include three parts: placing the probes, setting the rules and correcting false alarms.
The implementation of the three parts will be described below, respectively.
1. Placing the probes
As can be seen from analysis of historical deserialization security risks, deserialization attacks mainly proceed in four modes, and the probes are placed mainly according to these four modes (corresponding to four scenarios).
1.1, invoke mode: invoke is a function of the reflection class java.lang.reflect.Method with two parameters, the first being the actual object caller and the second being the actual parameter list. Thus, the java probe for this type of scenario needs to be placed in the invoke function to monitor the name of the caller and of the specific method;
1.2, readObject mode: readObject is a function of java.io.ObjectInputStream that mainly deserializes the incoming stream object. This scenario requires a hook in the readObject function to monitor the actual stream type at run time, and a hook in the getInputStream function of javax.servlet.ServletRequestWrapper to record the returned stream object;
1.3, forName mode: forName is a function of java.lang.Class whose purpose is to obtain the corresponding class object from a class name; in this scenario the forName function is hooked so as to determine the class name of the input parameter;
1.4, URLClassLoader mode: java.net.URLClassLoader loads remote objects mainly through a url parameter, and the url may be local or on an external network; a deserialization attack in this scenario essentially loads external resources through URLClassLoader. Thus, this scenario requires a hook on the URLClassLoader function to monitor its input parameter as it runs.
2. Setting the rules
2.1, invoke mode: since start and exec are functions that execute system commands, and such functions are normally not invoked through reflection, a deserialization attack can be determined to exist in the case where the caller of the invoke function is java.lang.ProcessBuilder and the actual name of the method is start, or the caller is java.lang.Runtime and the actual name of the method is exec.
Accordingly, for the invoke scenario, the actual names of the caller and the method may be monitored by hooking the method. If the caller of the invoke function is java.lang.ProcessBuilder and the actual method name is start, or the caller of the invoke function is java.lang.Runtime and the actual method name is exec, it may be determined that a deserialization attack exists; a schematic implementation flow chart is shown in fig. 2.
2.2, readObject mode: on the one hand, the current entity of the readObject function at run time, namely the ObjectInputStream, can be monitored through a java probe, and that entity is unwrapped to obtain three objects, namely BlockDataInputStream, PeekInputStream and BufferedInputStream, so that the hashcode of each of the three objects can be determined; on the other hand, the stream object returned by the getInputStream function can be monitored through a probe, its hashcode determined, and the determined hashcode stored in the hash pool (hashPools) of the memory pool.
Accordingly, for the readObject scenario, on the one hand, a hook may be placed on the readObject function of java.io.ObjectInputStream to monitor the current entity this (i.e. the object to which the this reference belongs); the current entity this is unwrapped through the reflection mechanism to obtain, in turn, the three objects BlockDataInputStream, PeekInputStream and BufferedInputStream, and their hashcodes (assumed to be hashcode1, hashcode2 and hashcode3 respectively) are calculated.
In Java, the keyword this is a reference to the current object. Inside an instance method, the this keyword may be used to reference the object to which the method belongs.
On the other hand, the getInputStream function of javax.servlet.ServletRequestWrapper is hooked to monitor the returned stream object, and the hashcode of the stream object actually returned each time is stored in the hash pool (hashPools) of the memory pool.
Further, if any one of hashcode1, hashcode2 and hashcode3 can be found in the hash pool (hashPools) of the memory pool, it is determined that a deserialization attack exists; a schematic implementation flow chart is shown in fig. 3.
2.3, forName mode: since reflection is not normally used to obtain classes such as 'java.lang.ProcessBuilder' or 'java.lang.Runtime', a deserialization attack can be determined to exist when the input parameter of the forName function at run time is 'java.lang.ProcessBuilder' or 'java.lang.Runtime'.
Correspondingly, for the forName scenario, Class.forName(name) can be hooked and the input parameter name of the forName function monitored at run time; if the input parameter is "java.lang.ProcessBuilder" or "java.lang.Runtime", it may be determined that a deserialization attack exists; a schematic implementation flow chart is shown in fig. 4.
2.4, URLClassLoader mode: since it is normally not necessary to load a class from a remote location into the local environment, if the input parameter of the URLClassLoader function at run time is an external untrusted address, it is with high probability attack behavior, and it can be determined that a deserialization attack exists.
Correspondingly, for the URLClassLoader scenario, the constructor URLClassLoader(url) of java.net.URLClassLoader can be hooked and the url parameter monitored; if the url parameter of the URLClassLoader function is not a local address and is not an external address in the trusted object list, it is determined that a deserialization attack exists; a schematic implementation flow chart is shown in fig. 5.
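The rules of 2.1, 2.3 and 2.4 as pure decision functions over the values the probes capture (the readObject rule of 2.2 is a separate hash-pool matter and is not repeated here). This is an added illustration, not the patent's code: the hooks that feed a `Method` and target into `invokeIsAttack`, a class name into `forNameIsAttack`, and the constructor's url array into `urlClassLoaderIsAttack` are assumed. The patent does not define "local address"; the definition used here (file: urls, localhost, and IPv4 literals in loopback, link-local, site-local or unspecified ranges, with jar: urls judged by their inner url and hostnames never resolved) is an assumption and is marked as such in the code.

```java
import java.lang.reflect.Method;
import java.net.InetAddress;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.UnknownHostException;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Decision rules for the invoke (2.1), forName (2.3) and URLClassLoader (2.4) modes.
 * Added illustration, not the patent's code; the probes that capture the inputs are assumed.
 */
public final class DeserializationRules {

    private static final Pattern IPV4_LITERAL = Pattern.compile("\\d{1,3}(\\.\\d{1,3}){3}");

    /** 2.1 invoke mode: Method.invoke(target, args) reaching ProcessBuilder.start or Runtime.exec. */
    public static boolean invokeIsAttack(Method method, Object target) {
        // The "caller" is the object the method is invoked on; for a static method it is the declaring class.
        Class<?> caller = target != null ? target.getClass() : method.getDeclaringClass();
        String callerName = caller.getName();
        String methodName = method.getName();
        return ("java.lang.ProcessBuilder".equals(callerName) && "start".equals(methodName))
            || ("java.lang.Runtime".equals(callerName) && "exec".equals(methodName));
    }

    /** 2.3 forName mode: Class.forName(name) asked for a command-execution class. */
    public static boolean forNameIsAttack(String className) {
        return "java.lang.ProcessBuilder".equals(className) || "java.lang.Runtime".equals(className);
    }

    /** 2.4 URLClassLoader mode: any url that is neither local nor an external host on the trusted list. */
    public static boolean urlClassLoaderIsAttack(URL[] urls, Set<String> trustedHosts) {
        for (URL url : urls) {
            if (!isLocal(url) && !trustedHosts.contains(url.getHost())) {
                return true;
            }
        }
        return false;
    }

    /**
     * "Local address" (assumption; the patent does not define it): file: urls, localhost, and IPv4
     * literals in loopback, link-local, site-local (RFC 1918) or unspecified ranges.  Hostnames are
     * deliberately not resolved, so a name passes only through the trusted list.
     */
    static boolean isLocal(URL url) {
        String protocol = url.getProtocol();
        if ("jar".equalsIgnoreCase(protocol)) {
            // jar:<inner-url>!/entry -- judge the inner url, otherwise jar:http://... would look local
            String spec = url.getFile();
            int bang = spec.indexOf("!/");
            try {
                return isLocal(new URL(bang >= 0 ? spec.substring(0, bang) : spec));
            } catch (MalformedURLException e) {
                return false;
            }
        }
        if ("file".equalsIgnoreCase(protocol)) {
            return true;
        }
        String host = url.getHost();
        if ("localhost".equalsIgnoreCase(host)) {
            return true;
        }
        if (!IPV4_LITERAL.matcher(host).matches()) {
            return false;
        }
        try {
            InetAddress a = InetAddress.getByName(host);   // literal ip: parsed locally, no DNS lookup
            return a.isLoopbackAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isAnyLocalAddress();
        } catch (UnknownHostException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // The Method objects are only inspected, never invoked.
        Method exec = Runtime.class.getMethod("exec", String.class);
        Method start = ProcessBuilder.class.getMethod("start");
        Method size = java.util.ArrayList.class.getMethod("size");
        System.out.println("Runtime.exec via reflection         -> " + invokeIsAttack(exec, Runtime.getRuntime()));
        System.out.println("ProcessBuilder.start via reflection -> " + invokeIsAttack(start, new ProcessBuilder("true")));
        System.out.println("ArrayList.size via reflection       -> " + invokeIsAttack(size, new java.util.ArrayList<>()));

        System.out.println("forName(java.lang.Runtime)          -> " + forNameIsAttack("java.lang.Runtime"));
        System.out.println("forName(java.util.ArrayList)        -> " + forNameIsAttack("java.util.ArrayList"));

        Set<String> trusted = Set.of("repo.example.internal");   // constructed trusted object list
        String[] samples = {                                        // constructed urls
            "file:/opt/app/lib/x.jar", "http://10.0.0.8/x.jar",
            "http://repo.example.internal/x.jar", "jar:http://203.0.113.5/x.jar!/"
        };
        for (String s : samples) {
            System.out.println(s + " -> attack: " + urlClassLoaderIsAttack(new URL[] { new URL(s) }, trusted));
        }
    }
}
```

Of the constructed urls only the jar: url over a public address is reported; the file: url and the site-local address are local by the assumed definition, and the named host is accepted because it is on the trusted list. Treating RFC 1918 ranges as local is a policy choice a deployment may tighten.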
3. False alarm correction
In this embodiment, to reduce false positives, when it is determined that a deserialization attack exists, there may be two processing modes:
3.1, alarm mode: that is, when an anomaly is found, an alarm is raised but the behavior is not intercepted. This mode is generally used for a period just after the system goes online, for example while the running duration does not exceed the preset duration, so that false alarms caused by some special conditions can be prevented; the trusted object list can be set up during this period.
For example, the URLClassLoader may indeed load from a non-local IP address, which may be added to the trusted object list once it is determined that the loaded non-local IP address is a trusted IP address.
It should be noted that, in the embodiment of the present application, when it is determined in the above manner that a deserialization attack exists, the call chain to the target function (i.e. the access path from the source IP address to the target function) may also be acquired and it may be determined whether the call chain is trusted; if it is trusted, the call chain may be added to the trusted object list. In other words, call chains in the trusted object list are treated as risk-free and all other call chains as at risk (that is, when a deserialization attack is determined to exist and the call chain is not in the trusted object list, it is considered a real attack).
3.2, interception mode: the interception mode may be started after the system has run for a period of time, for example when the running duration exceeds the preset duration. By this stage the special service scenarios have been added to the trusted object list, so if an anomaly is still found, the probability that a real attack is present is very high, and it may be a real 0day security risk.
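The two-phase handling of 3.1 and 3.2, together with the alarm-and-trust flow for the URLClassLoader mode described earlier in the method section, as an added illustration (not code from the patent): a policy object compares the running duration with the preset duration, alarms during the early phase, intercepts afterwards, and lets an operator's "trusted object list setting instruction" move an alarmed url (or, as the text allows, a call-chain key) onto the trusted list. The clock is injected so the two phases can be shown in one run; the mode names, the `detail` string format and the sample timeline are assumptions.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Collections;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Supplier;

/**
 * Alarm-vs-intercept policy applied once a deserialization attack has been determined.
 * Added illustration, not the patent's code.
 */
public final class DeserializationDefensePolicy {

    public enum Mode { INVOKE, READ_OBJECT, FOR_NAME, URL_CLASS_LOADER }
    public enum Action { TRUSTED, ALARM, INTERCEPT }

    private final Supplier<Instant> now;        // injectable clock (assumption, for demonstration)
    private final Instant systemStart;
    private final Duration presetDuration;      // e.g. 3 or 5 days for busy systems, 1 month for quiet ones
    private final Set<String> trustedObjects =  // "trusted object list": urls or call-chain keys
            Collections.newSetFromMap(new ConcurrentHashMap<>());

    public DeserializationDefensePolicy(Supplier<Instant> now, Duration presetDuration) {
        this.now = now;
        this.systemStart = now.get();           // the system goes online when the policy is created
        this.presetDuration = presetDuration;
    }

    /** Alarm phase = the running duration has not yet exceeded the preset duration. */
    public boolean inAlarmPhase() {
        return Duration.between(systemStart, now.get()).compareTo(presetDuration) <= 0;
    }

    /** The operator's "trusted object list setting instruction", issued after reviewing an alarm. */
    public void trust(String object) {
        trustedObjects.add(object);
    }

    /**
     * detail: what the alarm carries so the operator can decide, e.g. the URLClassLoader url.
     * Anything already on the trusted list is not treated as an attack in either phase.
     */
    public Action decide(Mode mode, String detail) {
        if (detail != null && trustedObjects.contains(detail)) {
            return Action.TRUSTED;
        }
        if (inAlarmPhase()) {
            System.out.println("ALARM " + mode + (detail == null ? "" : " detail=" + detail));
            return Action.ALARM;                 // reported, but the call is allowed to proceed
        }
        System.out.println("INTERCEPT " + mode + (detail == null ? "" : " detail=" + detail));
        return Action.INTERCEPT;
    }

    /** What the probe does with the decision inside the hooked function. */
    public void enforce(Mode mode, String detail) {
        if (decide(mode, detail) == Action.INTERCEPT) {
            throw new SecurityException("deserialization attack intercepted in " + mode + " mode");
        }
    }

    public static void main(String[] args) {
        // Constructed timeline: online at T0 with a 3-day preset duration.
        Instant[] clock = { Instant.parse("2024-01-01T00:00:00Z") };
        DeserializationDefensePolicy policy =
                new DeserializationDefensePolicy(() -> clock[0], Duration.ofDays(3));
        String url = "http://repo.example.internal/plugins.jar";    // constructed

        clock[0] = clock[0].plus(Duration.ofHours(12));             // half a day in: alarm phase
        policy.enforce(Mode.URL_CLASS_LOADER, url);                 // ALARM, call proceeds
        policy.trust(url);                                          // operator confirms the address
        System.out.println(policy.decide(Mode.URL_CLASS_LOADER, url)); // TRUSTED

        clock[0] = clock[0].plus(Duration.ofDays(5));               // day 5.5: interception phase
        try {
            policy.enforce(Mode.INVOKE, "java.lang.Runtime.exec");  // INTERCEPT, then SecurityException
        } catch (SecurityException e) {
            System.out.println("caught: " + e.getMessage());
        }
    }
}
```

Throwing from inside the hooked function is the simplest interception that leaves the application in a defined state: the deserialization or reflective call never completes, and the exception surfaces in the request handler like any other failure. The alarm phase records the same detail string the operator later trusts, so the alarm output and the trust instruction refer to exactly the same value.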
The method provided by the application has been described above. The device provided by the application is described below:
Referring to fig. 6, a schematic structural diagram of a deserialization 0day security risk defense apparatus according to an embodiment of the present application is shown, where the apparatus may include:
a monitoring unit 610, configured to monitor, by using a java probe, the running state of a java-based service system during its running process; the java probe is set for java functions associated with a specified deserialization attack mode in a java function library;
a determining unit 620, configured to perform deserialization attack determination according to the information monitored by the java probe and the determination rule corresponding to the specified deserialization attack mode; the determination rule corresponding to the specified deserialization attack mode is set according to attack characteristics under the specified deserialization attack mode;
and a defending unit 630, configured to perform deserialization attack defense processing when it is determined that a deserialization attack exists.
In some embodiments, the specified deserialization attack mode includes: an invoke mode, a readObject mode, a forName mode, and a URLClassLoader mode;
The function associated with the invoke mode comprises an invoke function, and a java probe set for the invoke function is used for monitoring the actual names of a caller and a method when the invoke function runs;
the functions associated with the readObject mode comprise a readObject function and a getInputStream function, a java probe set for the readObject function is used for monitoring the actual stream type of the readObject function when running, and a java probe set for the getInputStream function is used for monitoring the returned stream object;
the function related to the forName mode comprises a forName function, and a java probe set for the forName function is used for monitoring the class name of the input parameter when the forName function runs;
the functions related to the URLClassLoader mode comprise a URLClassLoader function, and a java probe set for the URLClassLoader function is used for monitoring input parameters of the URLClassLoader function during operation.
In some embodiments, the specified deserialization attack mode comprises an invoke mode;
the decision rule corresponding to the invoke mode comprises: determining that a deserialization attack exists in the case that the caller when the invoke function runs is java.lang.ProcessBuilder and the actual name of the method is start, or the caller when the invoke function runs is java.lang.Runtime and the actual name of the method is exec;
and/or,
the specified deserialization attack mode comprises a readObject mode;
the determination rule corresponding to the readObject mode includes: determining that a deserialization attack exists in the case that the hash code of any one of the objects obtained by unwrapping the current entity when the readObject function runs is also present in the hash pool (hashPools) of the memory pool; where the hashcodes in the hashPools include the hashcode of the stream object returned by the getInputStream function;
and/or,
the specified deserialization attack mode comprises a forName mode;
the decision rule corresponding to the forName mode includes: in the case that the class name of the input parameter when the forName function runs is java.lang.ProcessBuilder or java.lang.Runtime, determining that a deserialization attack exists;
and/or,
the specified deserialization attack mode comprises a URLClassLoader mode;
the determination rule corresponding to the URLClassLoader mode comprises: in the case that the input parameter of the URLClassLoader function at run time is an external untrusted address, determining that a deserialization attack exists.
In some embodiments, the defending unit 630 performing deserialization attack defense processing in the case where it is determined that a deserialization attack exists includes:
in the case that the running duration of the service system does not exceed a preset duration, performing alarm processing;
and in the case that the running duration of the service system exceeds the preset duration, intercepting the deserialization attack behavior.
In some embodiments, the defending unit 630 is further configured to output alarm information when the deserialization attack is a deserialization attack in the URLClassLoader mode and the running duration of the service system does not exceed the preset duration, where the alarm information includes the input parameter when the URLClassLoader function runs; and to add the input parameter to a trusted list according to a detected trusted list setting instruction for the input parameter; where the trusted list setting instruction is entered by a user who has determined that the input parameter is a trusted address.
The embodiment of the application also provides an electronic device, which comprises a processor and a memory, where the memory is used for storing a computer program and the processor is used for implementing the deserialization 0day security risk defense method when executing the program stored on the memory.
Fig. 7 is a schematic diagram of the hardware structure of an electronic device according to an embodiment of the present application. The electronic device may include a processor 701 and a memory 702 storing machine-executable instructions. The processor 701 and the memory 702 may communicate via a system bus 703. By reading and executing the machine-executable instructions in the memory 702 corresponding to the deserialization 0day security risk defense logic, the processor 701 may perform the deserialization 0day security risk defense method described above.
The memory 702 referred to herein may be any electronic, magnetic, optical, or other physical storage device that may contain or store information, such as executable instructions, data, or the like. For example, the machine-readable storage medium may be: RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, a storage drive (e.g., hard drive), a solid state drive, any type of storage disk (e.g., optical disk, DVD, etc.), or a similar storage medium, or a combination thereof.
In some embodiments, a machine-readable storage medium, such as the memory 702 in fig. 7, is also provided, having stored thereon machine-executable instructions that, when executed by a processor, implement the deserialization 0day security risk defense method described above. For example, the machine-readable storage medium may be ROM, RAM, CD-ROM, magnetic tape, floppy disk, optical data storage device, etc.
Embodiments of the present application also provide a computer program product storing a computer program which, when executed by a processor, causes the processor to perform the deserialization 0day security risk defense method described above.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing description of the preferred embodiments of the application is not intended to be limiting, but rather to enable any modification, equivalent replacement, improvement or the like to be made within the spirit and principles of the application.

Claims (9)

1. A deserialization zero-day (0day) security risk defense method, characterized by comprising the following steps:
during the running process of a java-based service system, monitoring the running state of the service system by using a java probe; the java probe is set for java functions associated with a specified deserialization attack mode in a java function library;
performing deserialization attack determination according to the information monitored by the java probe and the determination rule corresponding to the specified deserialization attack mode; the determination rule corresponding to the specified deserialization attack mode is set according to attack characteristics under the specified deserialization attack mode;
in the case that the existence of a deserialization attack is determined, performing deserialization attack defense processing;
the specified deserialization attack mode comprises: an invoke mode;
the function associated with the invoke mode comprises an invoke function, and the java probe set for the invoke function is used for monitoring the actual names of the caller and the method when the invoke function runs;
the decision rule corresponding to the invoke mode comprises: determining that a deserialization attack exists in the case that the caller when the invoke function runs is java.lang.ProcessBuilder and the actual name of the method is start, or the caller when the invoke function runs is java.lang.Runtime and the actual name of the method is exec;
performing deserialization attack defense processing in the case that the existence of a deserialization attack is determined comprises:
in the case that the running duration of the service system does not exceed a preset duration, performing alarm processing;
and in the case that the running duration of the service system exceeds the preset duration, intercepting the deserialization attack behavior.
2. The method of claim 1, wherein the specified deserialization attack mode further comprises some or all of: a readObject mode, a forName mode, and a URLClassLoader mode;
the functions associated with the readObject mode comprise a readObject function and a getInputStream function, the java probe set for the readObject function is used for monitoring the actual stream type when the readObject function runs, and the java probe set for the getInputStream function is used for monitoring the returned stream object;
the function related to the forName mode comprises a forName function, and the java probe set for the forName function is used for monitoring the class name of the input parameter when the forName function runs;
the functions related to the URLClassLoader mode comprise a URLClassLoader function, and the java probe set for the URLClassLoader function is used for monitoring the input parameter of the URLClassLoader function at run time.
3. The method of claim 2, wherein,
the specified deserialization attack mode further comprises a readObject mode;
the determination rule corresponding to the readObject mode includes: determining that a deserialization attack exists in the case that the hash code of any one of the objects obtained by unwrapping the current entity when the readObject function runs is also present in the hash pool (hashPools) of the memory pool; where the hashcodes in the hashPools include the hashcode of the stream object returned by the getInputStream function;
and/or,
the specified deserialization attack mode further comprises a forName mode;
the decision rule corresponding to the forName mode includes: in the case that the class name of the input parameter when the forName function runs is java.lang.ProcessBuilder or java.lang.Runtime, determining that a deserialization attack exists;
and/or,
the specified deserialization attack mode further comprises a URLClassLoader mode;
the determination rule corresponding to the URLClassLoader mode comprises: in the case that the input parameter of the URLClassLoader function at run time is an external untrusted address, determining that a deserialization attack exists.
4. The method of claim 1, wherein, in the case that the deserialization attack is a deserialization attack in the URLClassLoader mode and the running duration of the service system does not exceed the preset duration, the method further comprises:
outputting alarm information, where the alarm information comprises the input parameter of the URLClassLoader function at run time;
adding the input parameter to a trusted list according to a detected trusted list setting instruction for the input parameter; where the trusted list setting instruction is entered by a user who has determined that the input parameter is a trusted address.
5. A deserialization zero-day (0day) security risk defense device, comprising:
a monitoring unit, used for monitoring the running state of a java-based service system by using a java probe during the running process of the service system; the java probe is set for java functions associated with a specified deserialization attack mode in a java function library;
a determining unit, used for performing deserialization attack determination according to the information monitored by the java probe and the determination rule corresponding to the specified deserialization attack mode; the determination rule corresponding to the specified deserialization attack mode is set according to attack characteristics under the specified deserialization attack mode;
a defending unit, used for performing deserialization attack defense processing in the case that a deserialization attack exists;
the specified deserialization attack mode comprises: an invoke mode;
the function associated with the invoke mode comprises an invoke function, and the java probe set for the invoke function is used for monitoring the actual names of the caller and the method when the invoke function runs;
the decision rule corresponding to the invoke mode comprises: determining that a deserialization attack exists in the case that the caller when the invoke function runs is java.lang.ProcessBuilder and the actual name of the method is start, or the caller when the invoke function runs is java.lang.Runtime and the actual name of the method is exec;
the defending unit performing deserialization attack defense processing in the case that a deserialization attack exists comprises:
in the case that the running duration of the service system does not exceed a preset duration, performing alarm processing;
and in the case that the running duration of the service system exceeds the preset duration, intercepting the deserialization attack behavior.
6. The apparatus of claim 5, wherein the specified deserialization attack mode further comprises some or all of: a readObject mode, a forName mode, and a URLClassLoader mode;
the functions associated with the readObject mode comprise a readObject function and a getInputStream function, the java probe set for the readObject function is used for monitoring the actual stream type when the readObject function runs, and the java probe set for the getInputStream function is used for monitoring the returned stream object;
the function related to the forName mode comprises a forName function, and the java probe set for the forName function is used for monitoring the class name of the input parameter when the forName function runs;
the functions related to the URLClassLoader mode comprise a URLClassLoader function, and the java probe set for the URLClassLoader function is used for monitoring the input parameter of the URLClassLoader function at run time.
7. The apparatus of claim 6, wherein,
the specified deserialization attack mode comprises a readObject mode;
the determination rule corresponding to the readObject mode includes: determining that a deserialization attack exists in the case that the hash code of any one of the objects obtained by unwrapping the current entity when the readObject function runs is also present in the hash pool (hashPools) of the memory pool; where the hashcodes in the hashPools include the hashcode of the stream object returned by the getInputStream function;
and/or,
the specified deserialization attack mode comprises a forName mode;
the decision rule corresponding to the forName mode includes: in the case that the class name of the input parameter when the forName function runs is java.lang.ProcessBuilder or java.lang.Runtime, determining that a deserialization attack exists;
and/or,
the specified deserialization attack mode comprises a URLClassLoader mode;
the determination rule corresponding to the URLClassLoader mode comprises: in the case that the input parameter of the URLClassLoader function at run time is an external untrusted address, determining that a deserialization attack exists.
8. The apparatus of claim 5, wherein the defending unit is further configured to output alarm information when the deserialization attack is a deserialization attack in a URLClassLoader manner and an operation duration of the service system does not exceed a preset duration, where the alarm information includes an input parameter when a URLClassLoader function operates; adding the input parameters to a trusted list according to the detected trusted list setting instruction for the input parameters; wherein the trusted list setting instruction is entered by a user if the input parameter is determined to be a trusted address.
9. An electronic device comprising a processor and a memory, wherein,
a memory for storing a computer program;
a processor configured to implement the method of any one of claims 1 to 4 when executing a program stored on a memory.
CN202310918994.4A 2023-07-25 2023-07-25 Anti-serialization 0day security risk defense method, device and equipment Active CN116628694B (en)

Publications (2)

Publication Number Publication Date
CN116628694A CN116628694A (en) 2023-08-22
CN116628694B true CN116628694B (en) 2023-11-21

Family

ID=87610308

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310918994.4A Active CN116628694B (en) 2023-07-25 2023-07-25 Anti-serialization 0day security risk defense method, device and equipment

Country Status (1)

Country Link
CN (1) CN116628694B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1972286A (en) * 2006-12-05 2007-05-30 Suzhou Guohua Technology Co., Ltd. A defense method aiming at DDoS attack
CN111881460A (en) * 2020-08-06 2020-11-03 Sangfor Technologies Inc. Vulnerability exploitation detection method, system, equipment and computer storage medium
WO2020238414A1 (en) * 2019-05-24 2020-12-03 WeBank Co., Ltd. Method and device for protection from deserialization vulnerability
CN112395597A (en) * 2019-08-15 2021-02-23 Qi An Xin Security Technology (Zhuhai) Co., Ltd. Method and device for detecting website application vulnerability attack and storage medium
CN114760089A (en) * 2022-02-23 2022-07-15 Shenzhen Kaiyuan Internet Security Technology Co., Ltd. Safety protection method and device for web server
CN115270131A (en) * 2022-06-14 2022-11-01 Institute of Information Engineering, Chinese Academy of Sciences Java deserialization vulnerability detection method and system
CN116208432A (en) * 2023-05-05 2023-06-02 Beijing Anpro Information Technology Co., Ltd. Web application security probe management method, system, electronic equipment and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research on Java deserialization vulnerabilities; Guo Rui; Information Security and Technology (Issue 03); full text *

Also Published As

Publication number Publication date
CN116628694A (en) 2023-08-22

Similar Documents

Publication Publication Date Title
JP5420734B2 (en) Software system with controlled access to objects
US8943592B1 (en) Methods of detection of software exploitation
CN105574411B (en) A kind of dynamic hulling method, device and equipment
CN110941528B (en) Log buried point setting method, device and system based on fault
US7930744B2 (en) Methods for hooking applications to monitor and prevent execution of security-sensitive operations
US20110145924A1 (en) Method for detection and prevention of loading executable files from the current working directory
WO2023155686A1 (en) Data processing method and apparatus
CN104036019A (en) Method and device for opening webpage links
US20240143739A1 (en) Intelligent obfuscation of mobile applications
CN105426751A (en) Method and device for preventing system time from being tampered
US8037526B1 (en) Detecting buffer overflows using frame pointer characteristics
CN116150739A (en) Automatic stack overflow defense method based on dynamic protection of key address
CN114676424A (en) Container escape detection and blocking method, device, equipment and storage medium
CN113176926B (en) API dynamic monitoring method and system based on virtual machine introspection technology
CN116628694B (en) Anti-serialization 0day security risk defense method, device and equipment
CN113518055B (en) Data security protection processing method and device, storage medium and terminal
Durães et al. A methodology for the automated identification of buffer overflow vulnerabilities in executable software without source-code
CN112307470A (en) Method and device for detecting intrusion kernel, computing equipment and computer storage medium
CN114266037B (en) Sample detection method and device, electronic equipment and storage medium
CN111625463B (en) Program state detection method and device
Kim et al. Detection and blocking method against dll injection attack using peb-ldr of ics ews in smart iot environments
CN107220537B (en) Method for detecting leakage behavior of program memory layout information
CN116244687A (en) Dynamic library hijacking detection method and device based on Linux kernel
CN115935341A (en) Vulnerability defense method, system, server and storage medium
CN117034278A (en) Vulnerability detection method and device, storage medium and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant