CN116842531A - Code vaccine-based vulnerability real-time verification method, device, equipment and medium - Google Patents

Publication number: CN116842531A
Authority: CN (China)
Prior art keywords: stain, function, propagation, vulnerability, information
Legal status: Granted
Application number: CN202311084273.4A
Other languages: Chinese (zh)
Other versions: CN116842531B (en)
Inventors: 张涛, 宁戈, 杜玉洁, 周辜名
Current Assignee: Beijing Anpro Information Technology Co ltd
Original Assignee: Beijing Anpro Information Technology Co ltd
Application filed by Beijing Anpro Information Technology Co ltd
Priority to CN202311084273.4A
Publication of CN116842531A
Application granted
Publication of CN116842531B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/3604 Software analysis for verifying properties of programs
    • G06F11/3612 Software analysis for verifying properties of programs by runtime analysis
    • G06F11/3616 Software analysis for verifying properties of programs using software metrics

Abstract

The application provides a code vaccine-based real-time vulnerability verification method, device, equipment and medium, relating to the field of code security. The method comprises the following steps: probes are pre-instrumented into key functions of a target program, and the request-related functions are monitored through the pre-instrumented probes to obtain request information; a taint pool corresponding to the request is established, and the taint source functions, taint propagation functions and taint sink functions are monitored through the pre-instrumented probes to judge whether a vulnerability is detected; whether the detected vulnerability is real and valid is then verified, and if it is, the vulnerability is reported; otherwise the vulnerability is ignored. Vulnerabilities are detected through runtime instrumentation, a taint pool is established to track the vulnerability path in real time, and the vulnerability is traced back in real time through the tree nodes of the taint pool so that its validity can be verified, which improves vulnerability detection precision and reduces false positives. Meanwhile, no extra test data is generated, the resource consumption of the user is reduced, the normal operation of the service is ensured, and the real-time verification process has no influence on the service.

Description

Code vaccine-based vulnerability real-time verification method, device, equipment and medium
Technical Field
The application relates to the field of code security, in particular to a code vaccine-based vulnerability real-time verification method, device, equipment and medium.
Background
To ensure that an application can provide services safely and stably after it is delivered and deployed, security testing is generally applied before delivery to discover and repair weak points and vulnerabilities in the application, so that it cannot be exploited by hackers and other unauthorized persons to cause security hazards. Vulnerabilities need to be verified before they are repaired. The purpose of vulnerability verification is to reduce asset risk: potential vulnerabilities in a system can be discovered and repaired in time, which helps protect the organization's network security and reduces the likelihood of attacks. It helps the organization prevent attacks against vulnerabilities: by actively verifying and repairing vulnerabilities, the risk of the system being attacked is reduced and its security is improved. It ensures the reliability of the system when it is under attack: by finding and repairing vulnerabilities in time, the system can be prevented from crashing or being exploited by an attacker at a critical moment. It also helps the organization identify and repair potential vulnerabilities in the system, improving its security and helping to protect the organization's network, data and user assets.
Existing vulnerability verification schemes construct simulated attack messages for known vulnerabilities and verify the known types of vulnerability that may be hidden in a target program through simulated attack tests, achieving active vulnerability verification on the server side. However, this verification method has to replace the message input by the user and send the request again with the attack message, which in practice generates additional dirty test data. It also consumes the user's resources and can affect the normal operation of the service. The instrumentation probe used has to inject functional code into the service code, which is already invasive to the user's service, and verifying the vulnerability through a simulated attack test affects the service a second time.
Disclosure of Invention
Accordingly, an object of the embodiments of the present application is to provide a code vaccine-based real-time vulnerability verification method and device, in which vulnerabilities are detected through runtime instrumentation, a taint pool is established to track the vulnerability path in real time, and the vulnerability is traced back in real time through the tree nodes of the taint pool, so that the validity of the vulnerability is verified, vulnerability detection precision is improved and false positives are reduced. Meanwhile, no extra test data is generated, the resource consumption of the user is reduced, the normal operation of the service is ensured, and the real-time verification process has no influence on the service.
The first aspect of the embodiments of the application provides a code vaccine-based real-time vulnerability verification method, which comprises the following steps: pre-instrumenting probes into key functions of a target program, wherein the key functions comprise request-related functions, taint source functions, taint propagation functions and taint sink functions; loading the pre-instrumented probes when the target program is running, and establishing a taint analysis thread pool in the initialization stage of the pre-instrumented probes; when the target program receives a request, monitoring the request-related functions through the pre-instrumented probes and acquiring the request information, which comprises the request parameters, url and request method; establishing a taint pool corresponding to the request, constructing a taint hash table and a taint propagation structure in the taint pool, and adding the acquired request information; monitoring the taint source functions through the pre-instrumented probes, judging whether taint input exists, and if so, establishing a corresponding root node in the taint propagation structure; monitoring the taint propagation functions through the pre-instrumented probes, judging whether taint propagation exists, and if so, establishing a corresponding propagation child node in the taint propagation structure; monitoring the taint sink functions through the pre-instrumented probes, judging whether a vulnerability is detected, and if so, establishing a corresponding sink child node in the taint propagation structure; meanwhile, creating a new analysis task in the taint analysis thread pool, verifying whether the detected vulnerability is real and valid, and reporting the vulnerability if it is; otherwise ignoring the vulnerability.
In the above implementation, the code vaccine-based real-time vulnerability verification method detects vulnerabilities by monitoring key functions through runtime instrumentation, traces back the node tree structure of the taint propagation process through the taint pool to provide the verification data needed for taint analysis, and analyzes the detected vulnerabilities in real time through the taint analysis thread pool, thereby verifying that the vulnerabilities are real and valid. This improves vulnerability detection precision and reduces false positives, generates none of the additional test data that is unavoidable in traditional verification, reduces the resource consumption of the user, ensures the normal operation of the service, and leaves the service unaffected by the real-time verification process.
Optionally, the establishing a corresponding root node in the taint propagation structure includes:
establishing a root node associated with the taint source function in the taint propagation structure, and recording the corresponding root node information;
and recording the hash value of the parameters of the taint source function into the taint hash table.
Optionally, the monitoring the taint propagation functions through the pre-instrumented probes, judging whether taint propagation exists, and if so, establishing a corresponding propagation child node in the taint propagation structure, includes:
monitoring the taint propagation function through the pre-instrumented probe, and searching the taint hash table for the hash value of the input parameter of the taint propagation function; if it is found, judging that taint propagation exists;
establishing a propagation child node associated with the taint propagation function in the taint propagation structure, and recording the corresponding propagation child node information; the propagation child node is established under the root node associated with the taint source function corresponding to the hash value that was found;
and recording the hash value of the output parameter of the taint propagation function into the taint hash table.
Optionally, the monitoring the taint sink functions through the pre-instrumented probes, judging whether a vulnerability is detected, and if so, establishing a corresponding sink child node in the taint propagation structure, includes:
monitoring the taint sink function through the pre-instrumented probe, and searching the taint hash table for the hash value of the input parameter of the taint sink function; if it is found, judging that a vulnerability is detected;
establishing a sink child node associated with the taint sink function in the taint propagation structure, and recording the corresponding sink child node information; the sink child node is established under the propagation child node associated with the taint propagation function corresponding to the hash value that was found, or under the root node associated with the taint source function corresponding to the hash value that was found;
and recording the hash value of the input parameter of the taint sink function into the taint hash table.
Optionally, the hash value is calculated as follows: the memory address of the parameter is used as a first hash code, a second hash code is calculated from the content of the parameter, a shift operation is performed on the first hash code, and the shifted first hash code is ORed with the second hash code to obtain the hash value.
This avoids the hash collisions that may occur during taint hash table lookups; the problem is solved through dual address binding.
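The bookkeeping described in the optional steps above (root node, propagation child node, sink child node and the address-plus-content hash) can be sketched as follows. This is an added example, not code from the patent: the shift width of 32 bits, the CRC-32 content code, the use of CPython's `id()` as the memory address and the function names `read_param`, `concat` and `open_file` are all assumptions.

```python
import zlib
from dataclasses import dataclass, field

ADDRESS_SHIFT = 32  # assumption: the page does not state the shift width


def taint_hash(value):
    """Shift the address code and OR it with a code derived from the content."""
    first = id(value)                          # CPython: the object's memory address
    second = zlib.crc32(repr(value).encode())  # unsigned 32-bit code of the content
    return (first << ADDRESS_SHIFT) | second


@dataclass(eq=False)
class Node:
    kind: str              # "source", "propagator" or "sink"
    function: str          # name of the monitored function
    inputs: tuple          # kept referenced so an address is never reused
    output: object = None
    parent: object = None
    children: list = field(default_factory=list)


class TaintPool:
    """One pool per request: request info, taint hash table, propagation tree."""

    def __init__(self, request_info):
        self.request_info = request_info
        self.table = {}    # taint hash -> node that introduced the value
        self.roots = []

    def _hit(self, inputs):
        for value in inputs:
            node = self.table.get(taint_hash(value))
            if node is not None:
                return node
        return None

    def on_source(self, function, value):
        node = Node("source", function, (value,), value)
        self.roots.append(node)
        self.table[taint_hash(value)] = node
        return node

    def on_propagator(self, function, inputs, output):
        parent = self._hit(inputs)
        if parent is None:
            return None    # no tainted input: nothing propagates
        node = Node("propagator", function, tuple(inputs), output, parent)
        parent.children.append(node)
        self.table[taint_hash(output)] = node
        return node

    def on_sink(self, function, inputs):
        parent = self._hit(inputs)
        if parent is None:
            return None    # untainted call: no vulnerability detected
        node = Node("sink", function, tuple(inputs), None, parent)
        parent.children.append(node)
        for value in inputs:   # the page also records the sink input's hash
            self.table.setdefault(taint_hash(value), node)
        return node


def chain(node):
    """Function names from the root node down to the given node."""
    names = []
    while node is not None:
        names.append(node.function)
        node = node.parent
    return names[::-1]


def demo():
    # Constructed request; the function names are labels only.
    pool = TaintPool({"method": "GET", "url": "/download",
                      "params": {"file": "../../etc/passwd"}})
    user_input = pool.request_info["params"]["file"]
    pool.on_source("read_param", user_input)
    full_path = "/srv/files/" + user_input          # new object at a new address
    pool.on_propagator("concat", ["/srv/files/", user_input], full_path)
    tainted_sink = pool.on_sink("open_file", [full_path])
    untainted_sink = pool.on_sink("open_file", ["/srv/files/readme.txt"])
    # Equal content held at another address must not count as tainted.
    lookalike = "".join(["../../", "etc/passwd"])
    return {
        "chain": chain(tainted_sink),
        "untainted_sink": untainted_sink,
        "lookalike_is_equal": lookalike == user_input,
        "lookalike_hit": taint_hash(lookalike) in pool.table,
    }
```

Because the address occupies the high bits, a value with the same content as a tainted parameter but stored elsewhere does not hit the table, which is the collision case the combined hash is meant to rule out.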
Optionally, the root node information includes detailed information of the taint source function, specifically: the taint data type (source), the name of the taint source function, the parameters of the taint source function and stack trace information;
the root node information also comprises the request information of the request corresponding to the parameters of the taint source function;
the propagation child node information comprises detailed information of the taint propagation function, specifically: the taint data type, the name of the taint propagation function, the input parameters and output parameters of the taint propagation function, and stack trace information;
the sink child node information comprises detailed information of the taint sink function, specifically: the taint data type, the name of the taint sink function, the input parameters of the taint sink function and stack trace information;
the sink child node information also comprises the specific executed command corresponding to the taint sink function and the vulnerability trigger type; the vulnerability trigger type is determined according to the name of the taint sink function.
Optionally, the verifying whether the detected vulnerability is real and valid includes:
acquiring the taint propagation structure after the vulnerability is detected;
performing a depth-first search, with the sink child node associated with the taint sink function at the time the vulnerability was detected as the starting node, to traverse the taint propagation structure and obtain a taint propagation tree structure diagram;
pruning useless branches in the taint propagation tree structure diagram, wherein useless branches are propagation paths in the diagram that include a custom cleaning function or that do not include a taint source function;
acquiring the sink child node information of the sink child node and the root node information of the root node in the taint propagation tree structure diagram;
and selecting the corresponding vulnerability detection rule according to the vulnerability trigger type in the sink child node information, and verifying whether the detected vulnerability is real and valid.
Optionally, when the vulnerability trigger type is a path traversal vulnerability, the selecting the corresponding vulnerability detection rule according to the vulnerability trigger type in the sink child node information and verifying whether the detected vulnerability is real and valid includes:
judging whether the taint source function associated with the root node is of the path class;
if yes, judging whether the parameter of the taint source function associated with the root node is of the string type, and whether the input parameter of the taint sink function associated with the sink child node is of the string type;
if yes, judging whether traversal symbols exist in the sink child node information;
if yes, judging whether the end of the parameter of the taint source function exists in the input parameter of the taint sink function;
if yes, determining that a path traversal vulnerability exists.
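The verification steps above (backtracking from the sink child node, pruning useless branches, then applying the path traversal rule) are sketched below as an added example, not code from the patent. The node layout, the `path_class` flag, the traversal markers `../` and `..\` and the reading of the last check as "the sink input ends with the source parameter" are assumptions; the example also generalizes the tree to nodes with several parents so that pruning is visible per branch.

```python
from dataclasses import dataclass, field

TRAVERSAL_MARKERS = ("../", "..\\")  # assumption: the page does not list the symbols


@dataclass(eq=False)
class Node:
    kind: str                 # "source", "propagator", "sanitizer" or "sink"
    function: str             # name of the monitored function
    value: object             # source parameter, function output, or sink input
    parents: list = field(default_factory=list)
    path_class: bool = False  # assumption: set by the probe on path-class sources


def surviving_paths(sink):
    """Depth-first walk from the sink back to the roots; keeps unpruned paths."""
    kept = []

    def walk(node, trail):
        trail = trail + [node]
        if node.kind == "sanitizer":
            return                        # useless branch: cleaned on the way
        if not node.parents:
            if node.kind == "source":
                kept.append(trail[::-1])  # stored root first, sink last
            return                        # otherwise useless: no taint source
        for parent in node.parents:
            walk(parent, trail)

    walk(sink, [])
    return kept


def is_path_traversal(root, sink):
    """The four checks of the path traversal rule, in the order given above."""
    if not root.path_class:
        return False
    if not (isinstance(root.value, str) and isinstance(sink.value, str)):
        return False
    if not any(marker in sink.value for marker in TRAVERSAL_MARKERS):
        return False
    return sink.value.endswith(root.value)


def verify(sink):
    """True only if some unpruned path satisfies the rule; otherwise ignore."""
    return any(is_path_traversal(path[0], path[-1])
               for path in surviving_paths(sink))


def cases():
    # Constructed propagation graphs; the function names are labels only.
    src = Node("source", "read_param", "../../etc/passwd", path_class=True)
    cat = Node("propagator", "concat", "/srv/files/../../etc/passwd", [src])
    hit = Node("sink", "open_file", cat.value, [cat])

    clean = Node("sanitizer", "basename", "passwd", [src])
    cat2 = Node("propagator", "concat", "/srv/files/passwd", [clean])
    cleaned = Node("sink", "open_file", cat2.value, [cat2])

    src3 = Node("source", "read_param", "report.pdf", path_class=True)
    benign = Node("sink", "open_file", "/srv/files/report.pdf", [src3])

    const = Node("propagator", "concat", "/srv/files/../tmp/x")
    no_source = Node("sink", "open_file", const.value, [const])

    mixed = Node("sink", "open_file", cat.value, [clean, cat])
    return {
        "hit": verify(hit),
        "cleaned": verify(cleaned),
        "benign": verify(benign),
        "no_source": verify(no_source),
        "mixed": verify(mixed),
        "mixed_paths": len(surviving_paths(mixed)),
    }
```

The `benign` case is the one that matters for false positives: tainted data does reach the sink, so detection fires, but the rule rejects it because no traversal marker is present.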
Optionally, when the vulnerability trigger type is an XXE vulnerability, the selecting the corresponding vulnerability detection rule according to the vulnerability trigger type in the sink child node information and verifying whether the detected vulnerability is real and valid includes:
acquiring the system identifier and the stack trace information in the sink child node information;
judging whether the request parameters in the root node information contain the system identifier, and if so, further judging whether the file content contains the system identifier;
if so, judging whether the stack trace information in the sink child node information exists in a preset whitelist of stacks;
if not, determining that an XXE vulnerability exists.
Optionally, the method further comprises:
continuously monitoring the taint sink functions through the pre-instrumented probes, and, whenever a vulnerability is judged to be detected, continuing to create queued analysis tasks in the taint analysis thread pool so as to keep verifying in real time whether the detected vulnerabilities are real and valid.
A second aspect of the embodiments of the present application provides a code vaccine-based real-time vulnerability verification device, including:
the instrumentation module, used for pre-instrumenting probes into key functions of the target program, wherein the key functions comprise request-related functions, taint source functions, taint propagation functions and taint sink functions;
the preprocessing module, used for loading the pre-instrumented probes when the target program runs, and establishing a taint analysis thread pool in the initialization stage of the pre-instrumented probes;
also used for monitoring the request-related functions through the pre-instrumented probes and acquiring the request information when the target program receives a request;
and also used for establishing a taint pool corresponding to the request, constructing a taint hash table and a taint propagation structure in the taint pool, and adding the acquired request information;
the first monitoring module, used for monitoring the taint source functions through the pre-instrumented probes and judging whether taint input exists, and if so, establishing a corresponding root node in the taint propagation structure;
the second monitoring module, used for monitoring the taint propagation functions through the pre-instrumented probes and judging whether taint propagation exists, and if so, establishing a corresponding propagation child node in the taint propagation structure;
the third monitoring module, used for monitoring the taint sink functions through the pre-instrumented probes and judging whether a vulnerability is detected, and if so, establishing a corresponding sink child node in the taint propagation structure; meanwhile, creating a new analysis task in the taint analysis thread pool, verifying whether the detected vulnerability is real and valid, and reporting the vulnerability if it is; otherwise ignoring the vulnerability.
A third aspect of the embodiments of the present application provides an electronic device comprising a memory storing a computer program and a processor executing the steps of any implementation manner of the first aspect of the embodiments of the present application when the computer program is executed by the processor.
A fourth aspect of the embodiments of the present application provides a readable storage medium having stored therein a computer program which when run on a processor performs the steps of any implementation of the first aspect of the embodiments of the present application.
A fifth aspect of the embodiments of the present application provides a computer program product for performing the steps of any implementation manner of the first aspect when the computer program product is run on a computer.
Compared with the prior art, the technical scheme provided by the embodiment of the application has the following advantages:
Through runtime instrumentation, the request-related functions, taint source functions, taint propagation functions and taint sink functions are monitored in real time while the program runs and vulnerabilities are detected; a taint pool is established to trace back the node tree structure of the taint propagation process and provide the verification data needed for taint analysis; and the detected vulnerabilities are analyzed in real time through the taint analysis thread pool to verify that they are real and valid. None of the additional test data that is unavoidable in traditional verification is generated, the resource consumption of the user is reduced, the normal operation of the service is ensured, and the real-time verification process has no influence on the service.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of a vulnerability detection process of a real-time vulnerability verification method based on a code vaccine according to an embodiment of the present application;
Fig. 2 is a schematic diagram of a vulnerability verification process of a real-time vulnerability verification method based on a code vaccine according to an embodiment of the present application;
Fig. 3 is a schematic diagram of a taint propagation structure of a real-time vulnerability verification method based on a code vaccine according to an embodiment of the present application;
Fig. 4 is a schematic diagram of a path traversal vulnerability verification process of a real-time vulnerability verification method based on a code vaccine according to an embodiment of the present application;
Fig. 5 is a schematic diagram of an XXE vulnerability verification process of a real-time vulnerability verification method based on a code vaccine according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of a real-time vulnerability verification device based on a code vaccine according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application. In the description of the present application, the terms "first," "second," and the like are used merely to distinguish between descriptions and are not to be construed as indicating or implying relative importance. It will be apparent that the embodiments described below are only some, but not all, embodiments of the application. All other embodiments, which can be made by one of ordinary skill in the art based on embodiments of the present application without making any inventive effort, are intended to fall within the scope of the embodiments of the present application.
The technical term "probe" in the description of the embodiments of the present disclosure refers to an instrumentation probe, which is essentially a piece of code that collects information; it may be an assignment statement or a function call that collects coverage information. The technical term "instrumentation", also called "program instrumentation", refers to a method of inserting probes into a program while preserving the integrity of the original logic of the program under test, and obtaining the control flow and data flow of the program by analyzing the runtime characteristic data emitted by the probes, so as to obtain dynamic information such as logic coverage and thereby achieve the purpose of testing. Probes with the corresponding capture function can be designed according to the instrumentation point, the data to be captured and so on, so that the required data can be obtained. In the same program under test, depending on the test requirements, a single probe may be inserted at one instrumentation point, or several probes may be inserted at different instrumentation points. In general instrumentation-based IAST gray-box testing, the key is the instrumentation probe; these probes generally have to be developed separately for different languages, but their functions are basically the same and mainly include: parameter passing during code execution, database queries (e.g., ODBC), directory queries (e.g., LDAP), file system permissions, monitoring specific values in memory, identifying tainted input, use of third-party libraries, calls to external applications and services, etc.
In the description of the embodiments of the present disclosure, the technical term "target program" refers to the computer application that is the object of detection in a security test. Security vulnerabilities are unavoidable in computer programs. Programs are written by people, who must balance code quality against development efficiency, so a large-scale application cannot fully conform to programming specifications during development or be free of vulnerabilities and defects; in particular, B/S-based Web applications that meet many functional requirements and have complex business logic inevitably contain vulnerabilities and defects. Considering that most security vulnerabilities exist in applications, applications are typically required to pass application security testing before being deployed online in order to reduce the damage caused by hacking. The term "target program" herein mainly refers to the Web application to be tested in the security test.
In the description of the embodiments of the present disclosure, the technical term "key functions" refers to those functions in the target program that execute abnormally when a hidden vulnerability is triggered. For each type of vulnerability that may be hidden in the target program, the target program contains at least one corresponding key function. "Key function" is defined relative to the "vulnerability trigger type", which can be any known type of vulnerability; in each vulnerability verification process, one known type of vulnerability is typically used as the "vulnerability trigger type" for the current verification.
Embodiment one:
Referring to Fig. 1 and Fig. 2, Fig. 1 is a schematic diagram of a vulnerability detection process according to an embodiment of the present application. Fig. 2 is a schematic diagram of a vulnerability verification process according to an embodiment of the present application.
Wherein the method comprises the following steps:
S100: pre-instrumenting probes into key functions of a target program, wherein the key functions comprise request-related functions, taint source functions, taint propagation functions and taint sink functions; and loading the pre-instrumented probes when the target program is running, and establishing a taint analysis thread pool in the initialization stage of the pre-instrumented probes.
In this embodiment, the pre-instrumented probes instrument the following functions/methods: request-related functions/methods, functions/methods related to source (taint source) points, functions/methods related to propagation points, and functions/methods related to sink points.
Request information (covering both request and response), such as the request parameters, url and request method, is obtained by instrumenting the request-related methods; it is used for vulnerability verification and also for subsequent real-time interception of requests.
In addition, a predetermined list of key functions/methods of the target program is also instrumented; the list is divided into three types: source points, propagation points and sink points.
The source point, corresponding to the taint source function, is a method by which the target program acquires external input data, such as the entry method for processing an Http Request, the methods by which a Request object acquires external parameters, the methods by which a Response object sets return data, and the like.
A specific example is: request. Getrequest parameter (string).
The propagation point, corresponding to the taint propagation function, is a method that processes data in the target program, such as string operations (string concatenation, substring extraction, string reversal, etc.), Java collection-type operations, Java IO operations (file IO/network IO), and encryption and decryption methods (Base64 encoding and decoding, AES/DES encryption and decryption, RSA encryption and decryption, etc.). A specific example is: String.substring(int).
The sink point, corresponding to the taint sink function, is a method or function in which a vulnerability is executed, such as SMTP operation methods, methods for sending HTTP requests, XML decoding methods, methods for executing system commands, LDAP query methods, XPATH query methods, file operation methods, JSON deserialization methods, and the like.
A specific example is: run.
In this embodiment, the pre-instrumentation probe is loaded when the target program is running, and a taint analysis thread pool is established in the initialization stage of the pre-instrumentation probe.
A Java thread pool is a collection of threads. Its main job is to control the number of running threads: tasks are placed in a queue during processing and started once the threads have been created; if the number of threads exceeds the maximum, the excess tasks queue and wait until other threads finish executing, and are then taken from the queue and executed. This achieves thread reuse, controls the maximum concurrency and manages the threads. The taint analysis thread pool is established so that verification analysis is carried out in real time after a vulnerability is detected.
S200: The target program receives a request; the functions related to the request are monitored through the pre-instrumentation probe and the request information is acquired. The request information includes the request parameters, the URL and the request method. When a request arrives, the request information (including the request and the response) is intercepted by the pre-instrumentation probe.
S300: Establish a taint pool corresponding to the request, construct a taint hash table and a taint propagation structure in the taint pool, and add the acquired request information.
In this embodiment, a corresponding taint pool is established for the incoming request. The taint pool includes a hash table, a taint propagation structure, and filtering functions (e.g., cleaning functions and/or user-defined functions), which are custom taint removal functions. During the taint propagation phase, when taint-marked data encounters a cleaning function and is successfully filtered or otherwise made safe, the taint mark carried by the data is removed and the current propagation link is confirmed to be safe.
S400: Monitor the taint source function through the pre-instrumentation probe and judge whether tainted input exists; if so, establish a corresponding root node in the taint propagation structure. This comprises:
establishing a root node associated with the taint source function in the taint propagation structure, and recording the corresponding root node information;
and recording the hash value of the parameters of the taint source function into the taint hash table.
Referring to fig. 3, fig. 3 is a schematic view of the taint propagation structure. In this embodiment, the taint source functions that are passed through are monitored and a root node is established in the taint pool. The root node corresponds to the parameters of each taint source function and also carries root node information: the detailed information of the corresponding taint source function, such as the taint data type, the taint propagation function name, the input parameters, the output parameters, the stack trace information, and the request information corresponding to the taint source parameters. The address hash of the parameters (input parameters/output parameters) of the taint source function is filled into the taint hash table. Because the taint source is user input, parameters of the request such as query, form, path, form-data and body are marked when the request arrives; they serve as taint sources and as the root nodes for propagation in the taint pool. The taint hash table is used to determine whether taint propagation occurs at the entry and exit of each subsequent propagation point: for example, if the input parameters of a function hit the taint hash table, the output parameters of that function are also determined to be tainted, and that piece of code is marked as a valid propagation point.
S500: Monitor the taint propagation function through the pre-instrumentation probe and judge whether taint propagation exists; if so, establish a corresponding propagation child node in the taint propagation structure. This comprises:
monitoring the taint propagation function through the pre-instrumentation probe, and looking up whether the hash value of an input parameter of the taint propagation function exists in the taint hash table; if so, judging that taint propagation exists;
establishing a propagation child node associated with the taint propagation function in the taint propagation structure, and recording the corresponding propagation child node information; the propagation child node is established under the root node associated with the taint source function to which the found hash value corresponds;
and recording the hash value of the output parameter of the taint propagation function into the taint hash table.
The root node information comprises the detailed information of the taint source function, specifically: the taint data type (source), the name of the taint source function, the parameters of the taint source function, and the stack trace information;
the root node information also comprises the request information of the request to which the parameters of the taint source function correspond.
The propagation child node information comprises the detailed information of the taint propagation function, specifically: the taint data type, the name of the taint propagation function, the input parameters and output parameters of the taint propagation function, and the stack trace information.
Referring to fig. 3, in this embodiment, the taint propagation point functions that are passed through, such as string processing and serialization/deserialization functions, are monitored, and the taint hash table is searched for the hash of the corresponding input parameter. If it exists, a child node (propagation child node) is established under the corresponding root node and the propagation child node information is added: the detailed information of the corresponding taint propagation function, such as the taint data type, the taint propagation function name, the input and output parameters of the function, and the stack trace information. The output parameters of the taint propagation function are then filled into the taint hash table.
S600: Monitor the taint sink function through the pre-instrumentation probe and judge whether a vulnerability is detected; if so, establish a corresponding sink child node in the taint propagation structure. At the same time, create a new analysis task in the taint analysis thread pool and verify whether the detected vulnerability is real and valid; if it is, report the vulnerability, otherwise ignore it.
The taint sink function is monitored through the pre-instrumentation probe, and the taint hash table is searched for the hash value of the input parameter of the taint sink function; if it exists, a vulnerability is judged to be detected.
A sink child node associated with the taint sink function is established in the taint propagation structure, and the corresponding sink child node information is recorded. The sink child node is established under the propagation child node associated with the taint propagation function to which the found hash value corresponds, or under the root node associated with the taint source function to which the found hash value corresponds.
The hash value of the input parameter of the taint sink function is recorded into the taint hash table.
The sink child node information comprises the detailed information of the taint sink function, specifically: the taint data type, the name of the taint sink function, the input parameters of the taint sink function, and the stack trace information;
the sink child node information also comprises the specific command executed by the taint sink function and the vulnerability trigger type; the vulnerability trigger type is determined from the name of the taint sink function.
Referring to fig. 3, in this embodiment, a taint sink function, such as an SQL execution function, is monitored, and the taint hash table is searched for the hash of the corresponding input parameter. If it exists, a corresponding sink child node is established as the sink point and its information is recorded. The sink child node information includes the detailed information of the corresponding taint sink function, such as the taint data type (sink), the taint sink function name, the input parameters of the taint sink function, and the stack trace information. The sink child node information also comprises the taint hash table corresponding to the input parameters, the command specifically executed by the sink function, and more complete method information.
As an optional implementation, when the input parameter hash found in the taint hash table originates from a root node, the function is determined to be a sink point and a sink child node is established under that root node.
As an optional implementation, when the input parameter hash found in the taint hash table originates from a propagation child node, the function is determined to be a sink point and a sink child node is established under that propagation child node.
As an optional implementation, hash collisions may occur when looking up the taint hash table; this is solved by dual address binding. The memory address of the object (parameter) is used as the first hash code, and the second hash code is calculated from the content of the object (parameter). The first hash code is shifted and then OR-ed with the second hash code to obtain the final hash value, which is stored in the taint hash table and used for subsequent lookups. In other words, the memory hash code is taken from the object's memory address and the content hash code is computed from the object's content; the memory hash code is shifted first and then OR-ed with the content hash code to obtain the final hash value, so that hash collisions are avoided.
After a vulnerability is detected, verifying whether the detected vulnerability is real and valid comprises the following specific steps:
S601: A vulnerability is detected.
S602: A new vulnerability analysis task is put into the taint analysis thread pool.
S603: The taint propagation structure as it stands after the vulnerability is detected is acquired.
S604: Taking the sink child node associated with the taint sink function at which the vulnerability was detected as the initial node, a depth-first search traverses the taint propagation structure to obtain a taint propagation tree structure diagram.
S605: Useless branches in the taint propagation tree structure diagram are pruned, where a useless branch is a propagation path in the taint propagation tree structure diagram that includes a custom cleaning function or does not include a taint source function.
S606: The sink child node information of the sink child node and the root node information of the root node in the taint propagation tree structure diagram are acquired.
S607: The corresponding vulnerability detection rule is selected according to the vulnerability trigger type in the sink child node information.
S608: Whether the detected vulnerability is real and valid is verified according to the corresponding vulnerability detection rule.
In this embodiment, the pre-instrumentation probe continuously monitors the taint sink function, and each time a vulnerability is detected a queued vulnerability analysis task is created in the taint analysis thread pool, so that whether the detected vulnerability is real and valid is verified continuously and in real time. The taint analysis thread pool is established to ensure that verification analysis is performed in real time after a vulnerability is detected.
In this embodiment, the relevant vulnerability information is obtained from the passive vulnerability detection result and includes the data of the sink point, the taint propagation structure and the vulnerability trigger type. The data of the sink point comprises the function information of the sink child node, the specific command executed and more complete method information. The taint propagation structure is used to trace back from the current sink child node to the root node, forming the taint propagation tree structure diagram. The vulnerability trigger type is determined from the name of the sink point function, such as path traversal, XXE, etc.
The taint analysis thread pool is established in the probe initialization stage and new analysis tasks are put into it: each time a sink point is triggered (a vulnerability is detected), the corresponding analysis task is put into the taint analysis thread pool.
A depth-first search traverses the taint propagation structure, taking the sink point (taint sink function) at which the vulnerability was detected as the initial node. Useless branches are pruned during the traversal, where useless means that the propagation path includes a cleaning function or has no source point, so that a clean and correct node tree (the taint propagation tree structure diagram) is obtained. The vulnerability trigger point (the sink point corresponding to the taint sink function) and the user data input point (the taint source corresponding to the taint source function) are located in the tree. The real data of the vulnerability trigger point and the user data input point is then obtained, namely the input parameters of the taint sink function, the parameters of the taint source function and the user's input data (request information such as the request parameters, URL and request method), that is, all the data that can reach the server.
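The taint pool of S300 to S600, the shift-and-OR hash key and the depth-first pruning of S604 and S605 can be put together as in the following added example, which is not code from the patent or its applicant. The class and method names, the 32-bit shift, the use of `System.identityHashCode` as a stand-in for the memory address, and recording the cleaning function as a node instead of dropping the taint mark are assumptions made for illustration; the request value and `PathCleaner.clean` are constructed.

```java
import java.util.*;

public class TaintPoolDemo {
    enum Kind { SOURCE, PROPAGATION, SANITIZER, SINK }

    /** One node of the taint propagation structure. */
    static final class Node {
        final Kind kind;
        final String function;      // name of the monitored function
        final List<Node> parents;   // nodes whose tracked value fed this call
        Node(Kind kind, String function, List<Node> parents) {
            this.kind = kind;
            this.function = function;
            this.parents = parents;
        }
    }

    /** Per-request taint pool: taint hash table plus propagation structure. */
    static final class TaintPool {
        private final Map<Long, Node> taintTable = new HashMap<>();

        // Assumed layout: identity hash (stand-in for the memory address) shifted
        // into the high 32 bits, content hash OR-ed into the low 32 bits.
        static long key(Object o) {
            return ((long) System.identityHashCode(o) << 32) | (o.hashCode() & 0xFFFFFFFFL);
        }

        /** S400: a source call creates a root node and records its value. */
        Node source(String function, Object value) {
            Node root = new Node(Kind.SOURCE, function, Collections.<Node>emptyList());
            taintTable.put(key(value), root);
            return root;
        }

        /** S500/S600: returns null when no input hits the taint hash table. */
        Node call(Kind kind, String function, Object output, Object... inputs) {
            List<Node> parents = new ArrayList<>();
            for (Object in : inputs) {
                Node hit = taintTable.get(key(in));
                if (hit != null) parents.add(hit);
            }
            if (parents.isEmpty()) return null;
            Node node = new Node(kind, function, parents);
            // A sink has no output to track; its input is already in the table.
            if (kind != Kind.SINK) taintTable.put(key(output), node);
            return node;
        }
    }

    /** S604/S605: depth-first walk from the sink towards the roots, keeping only
     *  paths that reach a source without passing through a cleaning function. */
    static List<List<String>> validPaths(Node sink) {
        List<List<String>> result = new ArrayList<>();
        dfs(sink, new ArrayDeque<String>(), result);
        return result;
    }

    private static void dfs(Node node, Deque<String> path, List<List<String>> out) {
        if (node.kind == Kind.SANITIZER) return;      // useless branch: value was cleaned
        path.push(node.function);
        if (node.kind == Kind.SOURCE) {
            out.add(new ArrayList<>(path));           // listed source first, sink last
        } else {
            for (Node parent : node.parents) dfs(parent, path, out);
        }
        path.pop();
    }

    public static void main(String[] args) {
        TaintPool pool = new TaintPool();
        String param = new String("../../etc/passwd");      // constructed request value
        pool.source("request.getParameter", param);

        String joined = "/data/".concat(param);             // new object: propagation output
        pool.call(Kind.PROPAGATION, "String.concat", joined, param);
        String cleaned = joined.replace("../", "");
        pool.call(Kind.SANITIZER, "PathCleaner.clean", cleaned, joined);  // hypothetical cleaner

        String lookalike = new String("../../etc/passwd");  // equal content, other object
        Node miss = pool.call(Kind.SINK, "File.<init>", null, lookalike);
        Node viaCleaner = pool.call(Kind.SINK, "File.<init>", null, cleaned);
        Node direct = pool.call(Kind.SINK, "File.<init>", null, joined);

        System.out.println("look-alike object hits the table: " + (miss != null));
        System.out.println("paths kept after cleaning: " + validPaths(viaCleaner));
        System.out.println("paths kept for raw value: " + validPaths(direct));
    }
}
```

Because the key combines identity with content, the look-alike string is expected to miss the table even though its content equals the tainted value, while the sink reached through the cleaning function is detected but left with no valid path after pruning.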
In this embodiment, the purpose of actively verifying the vulnerability is to improve accuracy and reduce false alarms. The corresponding detection rule is selected according to the vulnerability trigger type, where the vulnerability trigger types include common vulnerability types such as path traversal, command execution, SQL injection, XXE, SSRF and the like. Whether the data that triggered the vulnerability is real and valid is judged, and the vulnerability is subsequently ignored or reported.
As an optional implementation, the vulnerability trigger type is a path traversal vulnerability.
Referring to fig. 4, fig. 4 is a schematic diagram of the path traversal vulnerability verification process.
S6081: The vulnerability trigger type is a path traversal vulnerability. Selecting the corresponding vulnerability detection rule according to the vulnerability trigger type in the sink child node information, and verifying whether the detected vulnerability is real and valid, comprises the following steps:
judging whether the taint source function associated with the root node is of the path class, i.e., determining whether the taint source function in the node tree is of the path class.
If yes, judging whether the parameter of the taint source function associated with the root node is of the string type, and whether the input parameter of the taint sink function associated with the sink child node is of the string type;
if yes, judging whether traversal symbols exist in the sink child node information, i.e., determining whether the sink data carries an obvious traversal identifier, such as ../ (a traversal identifier).
If yes, judging whether the input parameter of the taint sink function ends with the parameter of the taint source function. That is, determine whether the sink's (input) parameter ends with the source's parameter: where the file name is supplied as a parameter and a prefix and suffix are added to it during execution, determine whether the parameter that reaches the triggering sink ends with the source's parameter.
If yes, a path traversal vulnerability is determined.
Referring to fig. 5, fig. 5 is a schematic diagram of the XXE vulnerability verification process.
The full name of the XXE vulnerability is XML External Entity Injection. When an application parses XML input without prohibiting the loading of external entities, malicious external files can be loaded, causing harm such as file reading, command execution, intranet port scanning and the launching of DoS attacks.
S6082: The vulnerability trigger type is an XXE vulnerability. Selecting the corresponding vulnerability detection rule according to the vulnerability trigger type in the sink child node information, and verifying whether the detected vulnerability is real and valid, comprises the following steps:
acquiring the system identifier and the stack trace information in the sink child node information;
that is, the SystemId and the current call stack information are acquired respectively. In XML, SystemId is an attribute that specifies the system identifier of the XML document. It represents the location of the XML document or the location of the referenced external entity. The SystemId attribute is typically used to specify the URL, file path or other resource identifier of the XML document; it may be an absolute path, a relative path, or a Uniform Resource Identifier (URI). The parser uses the value of SystemId to locate and load the XML document or related external resources, so that it can properly parse and process the XML document.
Judging whether the request parameters in the root node information contain the system identifier and, if so, going on to judge whether the file content contains the system identifier. That is, determine whether the request parameters contain the SystemId (system identifier) and, if they do, whether the file content contains the SystemId.
If so, judging whether the stack trace information in the sink child node information exists in a preset whitelist stack, i.e., judging at the same time whether the current call stack information matches a whitelist stack.
If not, an XXE vulnerability is determined.
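The two verification rules S6081 and S6082, selected by vulnerability trigger type as in S607 and run as tasks in an analysis thread pool as in S602, are sketched in the following added example, which is not code from the patent or its applicant. The class, field and label names, the `pathClassSource` flag, the backslash form of the traversal symbol, the prefix-matching whitelist and all sample values are assumptions or constructed data.

```java
import java.util.*;
import java.util.concurrent.*;

public class VulnVerifierDemo {
    /** Subset of the root node information (taint source side). */
    static final class RootInfo {
        final boolean pathClassSource;            // assumed flag set by the source probe
        final Object sourceParam;                 // parameter of the taint source function
        final Map<String, String> requestParams;  // request information kept with the root
        RootInfo(boolean pathClassSource, Object sourceParam, Map<String, String> requestParams) {
            this.pathClassSource = pathClassSource;
            this.sourceParam = sourceParam;
            this.requestParams = requestParams;
        }
    }

    /** Subset of the sink child node information. */
    static final class SinkInfo {
        final String triggerType;   // assumed labels: "PATH_TRAVERSAL", "XXE"
        final Object sinkInput;     // input parameter of the taint sink function
        final String systemId;      // XXE only
        final String fileContent;   // XXE only: content handed to the XML parser
        final List<String> stack;   // stack trace frames
        SinkInfo(String triggerType, Object sinkInput, String systemId,
                 String fileContent, List<String> stack) {
            this.triggerType = triggerType;
            this.sinkInput = sinkInput;
            this.systemId = systemId;
            this.fileContent = fileContent;
            this.stack = stack;
        }
    }

    /** S6081: every check must pass for the finding to be reported. */
    static boolean verifyPathTraversal(RootInfo root, SinkInfo sink) {
        if (!root.pathClassSource) return false;
        if (!(root.sourceParam instanceof String) || !(sink.sinkInput instanceof String)) return false;
        String source = (String) root.sourceParam;
        String reached = (String) sink.sinkInput;
        if (!reached.contains("../") && !reached.contains("..\\")) return false;
        // An empty source value would make endsWith trivially true.
        return !source.isEmpty() && reached.endsWith(source);
    }

    /** S6082: reported only when no stack frame is on the whitelist. */
    static boolean verifyXxe(RootInfo root, SinkInfo sink, Set<String> whitelistPrefixes) {
        String id = sink.systemId;
        if (id == null || id.isEmpty()) return false;
        if (root.requestParams.values().stream().noneMatch(v -> v.contains(id))) return false;
        if (sink.fileContent == null || !sink.fileContent.contains(id)) return false;
        return sink.stack.stream()
                .noneMatch(frame -> whitelistPrefixes.stream().anyMatch(frame::startsWith));
    }

    /** S607: choose the rule from the vulnerability trigger type. */
    static boolean verify(RootInfo root, SinkInfo sink, Set<String> whitelistPrefixes) {
        switch (sink.triggerType) {
            case "PATH_TRAVERSAL": return verifyPathTraversal(root, sink);
            case "XXE":            return verifyXxe(root, sink, whitelistPrefixes);
            default:               return false;  // this example carries two rules only
        }
    }

    public static void main(String[] args) throws Exception {
        // All values below are constructed sample data.
        Set<String> whitelist = Collections.singleton("org.example.trusted.");
        List<String> servletStack = Arrays.asList("com.example.DownloadServlet.doGet");
        RootInfo hostile = new RootInfo(true, "../../etc/passwd",
                Collections.singletonMap("file", "../../etc/passwd"));
        SinkInfo hostileOpen = new SinkInfo("PATH_TRAVERSAL",
                "/var/app/files/../../etc/passwd", null, null, servletStack);
        RootInfo plain = new RootInfo(true, "2023/report.pdf",
                Collections.singletonMap("file", "2023/report.pdf"));
        SinkInfo plainOpen = new SinkInfo("PATH_TRAVERSAL",
                "/var/app/files/2023/report.pdf", null, null, servletStack);
        String xml = "<!DOCTYPE catalog SYSTEM \"http://example.test/catalog.dtd\"><catalog/>";
        RootInfo xmlBody = new RootInfo(false, xml, Collections.singletonMap("body", xml));
        SinkInfo parse = new SinkInfo("XXE", xml, "http://example.test/catalog.dtd", xml,
                Arrays.asList("com.example.ImportController.upload"));

        ExecutorService analysisPool = Executors.newFixedThreadPool(2);  // analysis thread pool
        Future<Boolean> a = analysisPool.submit(() -> verify(hostile, hostileOpen, whitelist));
        Future<Boolean> b = analysisPool.submit(() -> verify(plain, plainOpen, whitelist));
        Future<Boolean> c = analysisPool.submit(() -> verify(xmlBody, parse, whitelist));
        System.out.println("traversal input:  " + (a.get() ? "report" : "ignore"));
        System.out.println("plain file name:  " + (b.get() ? "report" : "ignore"));
        System.out.println("external DTD:     " + (c.get() ? "report" : "ignore"));
        analysisPool.shutdown();
    }
}
```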
Embodiment two:
Referring to fig. 6, fig. 6 is a schematic structural diagram of a code vaccine-based real-time vulnerability verification device according to an embodiment of the present application. The device 600 includes:
an instrumentation module 610, configured to instrument probes in advance into key functions of the target program, the key functions including request-related functions, a taint source function, a taint propagation function, and a taint sink function;
a preprocessing module 620, configured to load the pre-instrumentation probe when the target program is running, and to establish a taint analysis thread pool in the initialization stage of the pre-instrumentation probe;
further configured to, when the target program receives a request, monitor the request-related functions through the pre-instrumentation probe and acquire the request information;
and further configured to establish a taint pool corresponding to the request, construct a taint hash table and a taint propagation structure in the taint pool, and add the acquired request information;
a first monitoring module 630, configured to monitor the taint source function through the pre-instrumentation probe, judge whether tainted input exists, and if so, establish a corresponding root node in the taint propagation structure;
a second monitoring module 640, configured to monitor the taint propagation function through the pre-instrumentation probe, judge whether taint propagation exists, and if so, establish a corresponding propagation child node in the taint propagation structure;
a third monitoring module 650, configured to monitor the taint sink function through the pre-instrumentation probe, judge whether a vulnerability is detected, and if so, establish a corresponding sink child node in the taint propagation structure; and at the same time to create a new analysis task in the taint analysis thread pool and verify whether the detected vulnerability is real and valid, reporting the vulnerability if it is and otherwise ignoring it.
For a detailed description of the code vaccine-based real-time vulnerability verification apparatus, please refer to the description of the relevant method steps in the above embodiments.
Embodiment three:
Referring to fig. 7, fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application. The electronic device 700 includes a memory 710 and a processor 720, which are connected through a bus 730. The memory 710 stores a computer program, and when the processor 720 reads and runs the computer program, the electronic device 700 can execute all or part of the method flow in the above embodiment, so as to realize real-time vulnerability verification based on the code vaccine.
It should be understood that the electronic device may be a personal computer (Personal Computer, PC), tablet computer, smart phone, etc. with logic computing capabilities.
The embodiment of the application also provides a readable storage medium, wherein the readable storage medium stores a computer program, and the computer program executes the steps in the code vaccine-based real-time vulnerability verification method when running on a processor.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The apparatus embodiments described above are merely illustrative, for example, of the flowcharts and block diagrams in the figures that illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and variations will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application. It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.

Claims (13)

1. A method for real-time vulnerability verification based on a code vaccine, the method comprising:
instrumenting probes in advance into key functions of a target program, wherein the key functions comprise request-related functions, a taint source function, a taint propagation function and a taint sink function;
loading the pre-instrumentation probe when the target program is running, and establishing a taint analysis thread pool in the initialization stage of the pre-instrumentation probe;
receiving, by the target program, a request, monitoring the request-related functions through the pre-instrumentation probe and acquiring request information, wherein the request information comprises request parameters, a URL and a request method;
establishing a taint pool corresponding to the request, constructing a taint hash table and a taint propagation structure in the taint pool, and adding the acquired request information;
monitoring the taint source function through the pre-instrumentation probe, judging whether tainted input exists, and if so, establishing a corresponding root node in the taint propagation structure;
monitoring the taint propagation function through the pre-instrumentation probe, judging whether taint propagation exists, and if so, establishing a corresponding propagation child node in the taint propagation structure;
monitoring the taint sink function through the pre-instrumentation probe, judging whether a vulnerability is detected, and if so, establishing a corresponding sink child node in the taint propagation structure; at the same time, creating a new analysis task in the taint analysis thread pool and verifying whether the detected vulnerability is real and valid, reporting the vulnerability if it is and otherwise ignoring the vulnerability.
2. The method of claim 1, wherein the establishing a corresponding root node in the taint propagation structure comprises:
establishing a root node associated with a taint source function in the taint propagation structure, and recording corresponding root node information;
and recording the hash value of the parameters of the taint source function into the taint hash table.
3. The method of claim 2, wherein monitoring the taint propagation function through the pre-instrumentation probe, judging whether taint propagation exists, and if so, establishing a corresponding propagation child node in the taint propagation structure, comprises:
monitoring the taint propagation function through the pre-instrumentation probe, and looking up whether the hash value of an input parameter of the taint propagation function exists in the taint hash table; if so, judging that taint propagation exists;
establishing a propagation child node associated with the taint propagation function in the taint propagation structure, and recording corresponding propagation child node information; the propagation child node is established under the root node associated with the taint source function to which the found hash value corresponds;
and recording the hash value of the output parameter of the taint propagation function into the taint hash table.
4. The method of claim 3, wherein monitoring the taint sink function through the pre-instrumentation probe, judging whether a vulnerability is detected, and if so, establishing a corresponding sink child node in the taint propagation structure, comprises:
monitoring the taint sink function through the pre-instrumentation probe, and looking up whether the hash value of an input parameter of the taint sink function exists in the taint hash table; if so, judging that a vulnerability is detected;
establishing a sink child node associated with the taint sink function in the taint propagation structure, and recording corresponding sink child node information; the sink child node is established under the propagation child node associated with the taint propagation function to which the found hash value corresponds, or under the root node associated with the taint source function to which the found hash value corresponds;
and recording the hash value of the input parameter of the taint sink function into the taint hash table.
5. The method according to any one of claims 2 to 4, wherein the hash value is calculated by: using the memory address of the parameter as a first hash code, calculating a second hash code from the content of the parameter, performing a shift operation on the first hash code, and performing an OR operation on the shifted first hash code and the second hash code to obtain the hash value.
6. The method according to claim 4, wherein the root node information comprises detailed information of the taint source function, specifically: the taint data type (source), the name of the taint source function, the parameters of the taint source function and stack trace information;
the root node information also comprises request information of the request to which the parameters of the taint source function correspond;
the propagation child node information comprises detailed information of the taint propagation function, specifically: the taint data type, the name of the taint propagation function, the input parameters and output parameters of the taint propagation function, and stack trace information;
the sink child node information comprises detailed information of the taint sink function, specifically: the taint data type, the name of the taint sink function, the input parameters of the taint sink function and stack trace information;
the sink child node information also comprises the specific command executed by the taint sink function and a vulnerability trigger type; the vulnerability trigger type is determined from the name of the taint sink function.
7. The method of claim 6, wherein verifying whether the detected vulnerability is real and valid comprises:
acquiring the taint propagation structure after the vulnerability is detected;
performing a depth-first search, with the sink child node associated with the taint sink function at which the vulnerability was detected as the initial node, to traverse the taint propagation structure and obtain a taint propagation tree structure diagram;
pruning useless branches in the taint propagation tree structure diagram, wherein a useless branch is a propagation path in the taint propagation tree structure diagram that includes a custom cleaning function or does not include a taint source function;
acquiring the sink child node information of the sink child node and the root node information of the root node in the taint propagation tree structure diagram;
and selecting a corresponding vulnerability detection rule according to the vulnerability trigger type in the sink child node information, and verifying whether the detected vulnerability is real and valid.
8. The method of claim 7, wherein the vulnerability triggering type is a path traversal vulnerability, and selecting the corresponding vulnerability detection rule according to the vulnerability triggering type in the sink child node information and verifying whether the detected vulnerability is real and valid comprises:
judging whether the taint source function associated with the root node is of the path class;
if yes, judging whether the parameters of the taint source function associated with the root node are of the string type, and judging whether the input parameters of the taint sink function associated with the sink child node are of the string type;
if yes, judging whether path traversal symbols exist in the sink child node information;
if yes, judging whether the tail of the parameter of the taint source function is present in the input parameters of the taint sink function;
if yes, determining that the vulnerability is a path traversal vulnerability.
9. The method of claim 7, wherein the vulnerability triggering type is an XXE vulnerability, and selecting the corresponding vulnerability detection rule according to the vulnerability triggering type in the sink child node information and verifying whether the detected vulnerability is real and valid comprises:
acquiring the system identifier and the stack trace information in the sink child node information;
judging whether the request parameters in the root node information contain the system identifier and, if so, further judging whether the file content contains the system identifier;
if so, judging whether the stack trace information in the sink child node information is present in a preset whitelist of stacks;
if not, determining that the vulnerability is an XXE vulnerability.
10. The method according to claim 1, wherein the method further comprises:
continuing to monitor the taint sink function through the pre-instrumented probe and, whenever a vulnerability is judged to be detected, continuing to create queued analysis tasks in the taint analysis thread pool, so as to keep verifying in real time whether the detected vulnerabilities are real and valid.
11. A code vaccine based real-time vulnerability verification device, comprising:
an instrumentation module, configured to pre-instrument probes into the key functions of the target program, wherein the key functions comprise request-related functions, taint source functions, taint propagation functions and taint sink functions;
a preprocessing module, configured to load the pre-instrumented probe when the target program runs, and to establish a taint analysis thread pool in the initialization stage of the pre-instrumented probe;
further configured, when the target program receives a request, to monitor the request-related functions through the pre-instrumented probe and acquire the request information;
and further configured to establish a taint pool corresponding to the request, construct a taint hash table and a taint propagation structure in the taint pool, and supplement them with the acquired request information;
a first monitoring module, configured to monitor the taint source function through the pre-instrumented probe and judge whether taint input exists and, if so, to establish a corresponding root node in the taint propagation structure;
a second monitoring module, configured to monitor the taint propagation function through the pre-instrumented probe and judge whether taint propagation exists and, if so, to establish a corresponding propagation child node in the taint propagation structure;
a third monitoring module, configured to monitor the taint sink function through the pre-instrumented probe and judge whether a vulnerability is detected and, if so, to establish a corresponding sink child node in the taint propagation structure; and, at the same time, to create a new analysis task in the taint analysis thread pool and verify whether the detected vulnerability is real and valid, reporting the vulnerability if it is and otherwise ignoring it.
12. An electronic device comprising a memory storing a computer program and a processor that executes the method of any of claims 1 to 10 when running the computer program.
13. A readable storage medium, characterized in that it has stored therein a computer program which, when run on a processor, performs the method of any of claims 1 to 10.
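The verification flow of claims 7 and 8 (depth-first search from the sink child node, pruning, then the path traversal checks) can be sketched as follows. This is an added Python example, not code from the patent: the `Node` layout, the `category` label, the traversal markers and the reading of the "tail" of the source parameter as its last path segment are assumptions, and the sample nodes are constructed.

```python
from dataclasses import dataclass, field

TRAVERSAL_MARKERS = ("../", "..\\")  # assumed meaning of "traversal symbols"

@dataclass(eq=False)
class Node:
    kind: str            # "source", "propagation", "sanitizer" or "sink"
    func: str            # name of the monitored function (constructed)
    args: list           # parameter values recorded by the probe
    category: str = ""   # sources only: assumed class label such as "path"
    parents: list = field(default_factory=list)  # nodes whose output fed this one

def source_paths(sink):
    """Depth-first search from the sink child node. A branch is pruned when it
    meets a cleaning function or ends without reaching a taint source."""
    kept, stack = [], [(sink, [sink])]
    while stack:
        node, path = stack.pop()
        if node.kind == "sanitizer":
            continue
        if node.kind == "source":
            kept.append(path)
            continue
        stack.extend((p, path + [p]) for p in node.parents if p not in path)
    return kept

def is_path_traversal(sink):
    """Run the claim 8 checks, in order, on each surviving sink-to-root path."""
    for path in source_paths(sink):
        root = path[-1]
        tainted, opened = root.args[0], sink.args[0]
        if root.category != "path" or not (isinstance(tainted, str) and isinstance(opened, str)):
            continue
        if not any(marker in opened for marker in TRAVERSAL_MARKERS):
            continue
        tail = tainted.replace("\\", "/").rsplit("/", 1)[-1]  # assumed "tail"
        if tail and tail in opened:
            return True
    return False

# Constructed sample 1: request parameter -> concatenation -> file open
src = Node("source", "get_parameter", ["../../conf/db.properties"], category="path")
cat = Node("propagation", "concat", ["/srv/files/", src.args[0]], parents=[src])
hit = Node("sink", "open_file", ["/srv/files/../../conf/db.properties"], parents=[cat])

# Constructed sample 2: a custom cleaning function sits on the only path
clean = Node("sanitizer", "strip_dots", [src.args[0]], parents=[src])
cat2 = Node("propagation", "concat", ["/srv/files/", "conf/db.properties"], parents=[clean])
safe = Node("sink", "open_file", ["/srv/files/conf/db.properties"], parents=[cat2])
```

`is_path_traversal(hit)` confirms the finding, while `safe` is dropped during pruning before any rule runs, which is how the verification step filters out false positives.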
CN202311084273.4A 2023-08-28 2023-08-28 Code vaccine-based vulnerability real-time verification method, device, equipment and medium Active CN116842531B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311084273.4A CN116842531B (en) 2023-08-28 2023-08-28 Code vaccine-based vulnerability real-time verification method, device, equipment and medium

Publications (2)

Publication Number Publication Date
CN116842531A (en) 2023-10-03
CN116842531B CN116842531B (en) 2023-11-03

Family

ID=88162022

Country Status (1)

Country Link
CN (1) CN116842531B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117150514A (en) * 2023-10-30 2023-12-01 北京安普诺信息技术有限公司 Vulnerability active verification method and device based on code vaccine IAST probe
CN117272331A (en) * 2023-11-23 2023-12-22 北京安普诺信息技术有限公司 Cross-thread vulnerability analysis method, device, equipment and medium based on code vaccine
CN117610009A (en) * 2023-11-23 2024-02-27 北京安普诺信息技术有限公司 Cross-thread vulnerability repairing method and device based on code vaccine RASP probe

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104765687A (en) * 2015-04-10 2015-07-08 江西师范大学 J2EE (Java 2 Enterprise Edition) program bug detection method based on object tracking and taint analysis
CN109462583A (en) * 2018-10-31 2019-03-12 南京邮电大学 A kind of reflection-type leak detection method combined based on static and dynamic
WO2021232279A1 (en) * 2020-05-20 2021-11-25 深圳市欢太科技有限公司 Method and apparatus for detecting file leakage vulnerability, electronic device and storage medium
CN116167058A (en) * 2023-04-23 2023-05-26 北京安普诺信息技术有限公司 Runtime vulnerability analysis method and device based on code vaccine
CN116451228A (en) * 2023-04-23 2023-07-18 北京安普诺信息技术有限公司 Dynamic taint tracking method, device and related online taint propagation analysis system
CN116541855A (en) * 2023-07-06 2023-08-04 北京大学 Cross-coroutine runtime vulnerability analysis method and device, electronic equipment and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
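梁彬; 龚伟刚; 游伟; 李赞; 石文昌: "Dynamic taint analysis technique under the JavaScript optimized-compilation execution mode", Journal of Tsinghua University (Science and Technology), no. 09 *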

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117150514A (en) * 2023-10-30 2023-12-01 北京安普诺信息技术有限公司 Vulnerability active verification method and device based on code vaccine IAST probe
CN117150514B (en) * 2023-10-30 2024-02-02 北京安普诺信息技术有限公司 Vulnerability active verification method and device based on code vaccine IAST probe
CN117272331A (en) * 2023-11-23 2023-12-22 北京安普诺信息技术有限公司 Cross-thread vulnerability analysis method, device, equipment and medium based on code vaccine
CN117272331B (en) * 2023-11-23 2024-02-02 北京安普诺信息技术有限公司 Cross-thread vulnerability analysis method, device, equipment and medium based on code vaccine
CN117610009A (en) * 2023-11-23 2024-02-27 北京安普诺信息技术有限公司 Cross-thread vulnerability repairing method and device based on code vaccine RASP probe

Also Published As

Publication number Publication date
CN116842531B (en) 2023-11-03

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant