CN116932381A

CN116932381A - Automatic evaluation method for security risk of applet and related equipment

Info

Publication number: CN116932381A
Application number: CN202310755129.2A
Authority: CN
Inventors: 马敏燕; 贾世琳; 龙泉; 杨华雨; 何能强; 祝旭晨
Original assignee: Zhejiang Branch Of National Computer Network And Information Security Management Center
Current assignee: Zhejiang Branch Of National Computer Network And Information Security Management Center
Priority date: 2023-06-25
Filing date: 2023-06-25
Publication date: 2023-10-24

Abstract

The application provides an automatic evaluation method for security risk of an applet and related equipment. The method comprises the following steps: performing feature detection on the applet to obtain a plurality of alternative features; matching the alternative features with a pre-constructed safety detection feature library, and determining first vulnerability information of the applet according to first features, wherein the first features matched with the alternative features exist in the safety detection feature library; wherein the security detection feature library comprises a plurality of first features; and generating a security assessment report according to the first vulnerability information. According to the scheme, the loopholes in the applet are detected by utilizing the pre-built security detection feature library, and the features with the same behaviors as the feature library are matched in the applet, so that the loopholes in the applet are quickly searched and a security evaluation report is obtained, the applet security can be prevented, and the information security can be effectively protected.

Description

Automatic evaluation method for security risk of applet and related equipment

Technical Field

The application relates to the technical field of information security, in particular to an automatic evaluation method for security risk of an applet and related equipment.

Background

The applet (Mini Program) is an application that can be used without downloading an installation, and a user can open the application by sweeping or searching. In recent years, the application field of the applet is wider and more, which brings more convenience to the life of people, but at the same time, the application of the applet also brings a plurality of security risks.

However, the security solutions in the related art are not designed for the applet, so that the problem of suitability often occurs, and the developer of the applet often needs to expend a lot of effort in terms of compatibility with the security service, tuning, and possibly also affecting the continued operation of the applet.

Disclosure of Invention

Accordingly, an objective of the present application is to provide an automated evaluation method and related device for security risk of an applet, so as to solve or partially solve the above-mentioned problems.

The application provides an automatic evaluation method for security risk of an applet, which comprises the following steps:

performing feature detection on the applet to obtain a plurality of alternative features;

matching the alternative features with a pre-constructed safety detection feature library, and determining first vulnerability information of the applet according to first features, wherein the first features matched with the alternative features exist in the safety detection feature library; wherein the security detection feature library comprises a plurality of first features;

And generating a security assessment report according to the first vulnerability information.

Optionally, the feature detection is performed on the applet to obtain a plurality of alternative features, including:

extracting source codes of the applet;

compiling the source code to generate an abstract syntax tree;

converting the abstract syntax tree to obtain a code attribute graph;

and performing feature detection on the code attribute graph by utilizing a predefined vulnerability detection rule to obtain a plurality of alternative features.

Optionally, the method further comprises constructing a security detection feature library by the following method:

analyzing the source code to obtain a feature code; wherein the feature code characterizes a code that generates a code vulnerability;

converting the feature codes to obtain feature vectors;

generating a vulnerability text vector according to the feature vector;

classifying the vulnerability text vector by utilizing a classification model obtained by pre-training to obtain a classification result;

and constructing and obtaining the safety detection feature library according to the classification result.

Optionally, the method further comprises:

extracting data from the database of the applet to obtain a plurality of first data;

in response to determining that the first data is plaintext data, identifying the first data according to preset sensitive data characteristics, and determining second data; wherein the second data characterizes sensitive data;

And clearing the second data from the database.

Optionally, the method further comprises performing a penetration test on the applet by:

intercepting a first request for the applet;

modifying the first request to generate a second request;

and sending the second request to the applet to obtain second vulnerability information.

Optionally, before the feature detection of the applet, the method further includes:

inputting the name of the applet to be tested;

and performing simulation operation on the applet.

In a second aspect of the present application, there is provided an automated applet risk assessment apparatus comprising:

a detection module configured to: performing feature detection on the applet to obtain a plurality of alternative features;

a determination module configured to: matching the alternative features with a pre-constructed safety detection feature library, and determining first vulnerability information of the applet according to first features, wherein the first features matched with the alternative features exist in the safety detection feature library; wherein the security detection feature library comprises a plurality of first features;

a generation module configured to: and generating a security assessment report according to the first vulnerability information.

In a third aspect the present application provides an electronic device comprising a memory, a processor and a computer program stored on the memory and executable by the processor, characterized in that the processor implements the method according to the first aspect when executing the computer program.

In a fourth aspect of the application, there is provided a non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the method according to the first aspect.

In a fifth aspect of the application, a computer program product is presented, comprising computer program instructions which, when run on a computer, cause the computer to perform the method according to the first aspect.

From the above, the automatic evaluation method and the related equipment for the security risk of the applet, provided by the application, detect the loopholes in the applet by utilizing the pre-constructed security detection feature library, and match the features with the same behaviors as the feature library in the applet, thereby realizing the rapid search of the loopholes in the applet and obtaining the security evaluation report, further preventing the security of the applet and effectively protecting the information security.

Drawings

In order to more clearly illustrate the technical solutions of the present application or related art, the drawings that are required to be used in the description of the embodiments or related art will be briefly described below, and it is apparent that the drawings in the following description are only embodiments of the present application, and other drawings may be obtained according to the drawings without inventive effort to those of ordinary skill in the art.

FIG. 1 is a flow chart of an automated evaluation method for security risk of an applet in an embodiment of the application;

FIG. 2 is a schematic diagram of a code attribute diagram according to an embodiment of the present application;

FIG. 3 is a schematic view of a traversal process of a spot analysis according to an embodiment of the application;

FIG. 4 is a flow chart of feature classification in the process of constructing a security detection feature library according to an embodiment of the present application;

FIG. 5 is a schematic diagram of a static analysis feature extraction process according to an embodiment of the present application;

FIG. 6 is a flow chart illustrating a feature vector generation process according to an embodiment of the present application;

FIG. 7 is a flowchart of an automated evaluation method for security risk of an applet in accordance with another embodiment of the present application;

FIG. 8 is a schematic flow chart of an applet penetration test according to an embodiment of the application;

FIG. 9 is a schematic flow chart of database security detection according to an embodiment of the present application;

FIG. 10 is a schematic flow chart of security detection for the whole of the front end and the background WEB end of the applet according to the embodiment of the application;

FIG. 11 is a schematic diagram of an automated evaluation device for security risk of an applet in an embodiment of the application;

fig. 12 is a schematic structural diagram of an electronic device according to an embodiment of the present application.

Detailed Description

For the purpose of making the objects, technical solutions and advantages of the present application more apparent, embodiments of the present application will be described in detail below with reference to the accompanying drawings.

It should be noted that unless otherwise defined, technical or scientific terms used in the embodiments of the present application should be given the ordinary meaning as understood by one of ordinary skill in the art to which the present application belongs. The terms "first," "second," and the like, as used in embodiments of the present application, do not denote any order, quantity, or importance, but rather are used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that elements or items preceding the word are included in the element or item listed after the word and equivalents thereof, but does not exclude other elements or items. The terms "connected" or "connected," and the like, are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", etc. are used merely to indicate relative positional relationships, which may also be changed when the absolute position of the object to be described is changed.

The applet (Mini Program) is an application that can be used without downloading an installation, and a user can open the application by sweeping or searching. In recent years, the application field of the applet is wider and more, which brings more convenience to the life of people, but at the same time, the application of the applet also brings a plurality of security risks. Along with the continuous development of the applet, the applet also becomes the target of an invader gradually, and the attack mode of the invader for carrying out malicious codes purposefully is gradually changed into the applet malicious codes, so that not only are the unsafe factors caused to users, but also the potential safety hazard is formed for network safety.

Specifically, the applet security hole refers to a defect or deficiency that some of the applet security holes can be utilized by malicious attackers and threaten the applet security use due to algorithm holes or negligence of developers in the applet design and implementation process. With the increasing size and number of applets and increasing complexity of applets, robust applet systems have been difficult to design and implement, and therefore the existence of applet vulnerabilities is unavoidable. Thus, there is a need to quickly and accurately discover applet security vulnerabilities to reduce property and security losses due to applet vulnerabilities.

In view of this, the embodiment of the application provides an automatic evaluation method for security risk of an applet and related equipment, which utilize a pre-built security detection feature library to detect vulnerabilities in the applet and match features with the same behavior as the feature library in the applet, so as to quickly find out vulnerabilities in the applet and obtain a security evaluation report, thereby preventing the security of the applet and effectively protecting information security.

In the embodiment of the application, the feature form supports the detection features such as character strings, network behaviors and the like, supports the logic combination of the detection features, and supports the detection feature description of the regular form.

Fig. 1 shows a schematic flow diagram of an automated evaluation method 100 for security risk of an applet in an embodiment of the application. As shown in fig. 1, the method 100 may include the following steps.

And step S101, performing feature detection on the applet to obtain a plurality of alternative features.

In this embodiment, the name (for example, XX riding code) of the applet to be tested is input, and the applet is simulated, so that feature detection is further performed on the applet.

Extracting source codes of the small programs in the specific implementation; compiling the source code to generate an abstract syntax tree; converting the abstract syntax tree to obtain a code attribute graph; and performing feature detection on the code attribute graph by utilizing a predefined vulnerability detection rule to obtain a plurality of alternative features.

In some embodiments, different acquisition modes may be employed for different electronic devices to obtain the source code of the applet. Specifically, for a mobile terminal (for example, a mobile phone terminal and a tablet terminal), the simulator designed can be connected with the mobile terminal to perform command searching and copying so as to acquire the source code of the applet; and for the computer end, running the applet needing to extract the source codes, ensuring the loading of all pages, obtaining an encrypted package of the applet, and decrypting the encrypted package to obtain a source code file of the applet.

Taking the mobile phone end as an example, the command may be as follows:

the adb shell// enters a mobile phone system command line;

su// switch root users;

To the catalog where the applet resides (e.g.,/data/data/com. Tent. Mm/MicroMsg/{ { a string of 32-bit 16-ary string name folders }/appbrand/pkg /);

finding out small programs according to the time sequence, and copying out the apkg file;

confirming the file according to the time of first accessing the applet;

it is downloaded locally using commands.

Thus, the source codes are extracted and processed, and based on the technical principle of static analysis, the source codes are compiled into an intermediate form which can facilitate static analysis, and a mat is made for the construction of the subsequent data stream.

In some embodiments, an abstract syntax tree of source code is constructed, allowing code to be processed in an abstract and robust manner. In particular, parsing of source code may be accomplished by re-writing a lexical analyzer and a syntax analyzer, or the syntax analyzer may be utilized to translate the code into an abstract syntax tree for subsequent static analysis. It should be noted that, there is a function capable of processing source code, "token_get_all", in the source code, but the function is to process the source code into a token stream, and the processing effect is poor for some complex code analysis.

Further, referring to fig. 2, a code attribute diagram is constructed. As shown in FIG. 2, a control flow graph, a variable pass graph, and a function dependency graph need to be built separately based on an abstract syntax tree to obtain a code attribute graph. The specific construction process can be as follows.

(1) Control flow graph construction

In this step, the abstract syntax tree needs to be further processed, and is converted into a control flow graph, meanwhile, the concept of the map is introduced, and the control flow graph in the form of the map is constructed, so that the abstract syntax tree structure obtained in the previous step needs to be further analyzed, and the internal and external relations of each structure are mined.

Firstly, performing unified construction according to a specific abstract syntax tree node type as a father node, such as operations of variable definition, variable assignment, function call and the like, wherein the operation node generally comprises child nodes, then filling leaf nodes according to syntax tree information of the father node, such as specific variable names, function names and the like, and simultaneously filling node information for each node, such as the number of lines where codes are located, whether a call function is a PHP built-in function and the like. Finally, adding the file name as the root node of the abstract syntax tree of each file, and adding the entry node and the exit node of the program.

After all abstract syntax tree nodes are built, relation establishment and nesting processing are needed to be carried out on each father node, the basis of relation establishment is to judge which father nodes are abstract syntax tree nodes and control flow nodes by checking node types, and generally, variable assignment and function call are related to a plurality of node information, so that when a control flow graph is built, the relation establishment is needed to be carried out on each father node, and the global control flow graph can be built. In addition, since function calls may occur in variable assignments, the parent node of the function call is nested in the parent node of the variable assignment and exists in the control flow graph as a child node of the parent node.

When a control flow graph is constructed, a plurality of structured control flow sentences (for/while) and unstructured control flow sentences (continuous/break) are often encountered, corresponding path rules are required to be defined for the structured control flow sentences, so that a preliminary control flow path graph is established, and then path graph correction processing is carried out for the unstructured control flow sentences, and certain control flow paths are added or deleted.

(2) Variable transfer graph construction

In the related art, after establishing the bug code segments, the bug analysis is performed on all the code segments, and in this embodiment, the code quantity of the bug analysis can be greatly reduced by constructing the variable transfer graph to preferentially traverse. Specifically, according to the control flow graph, the state of the variable is judged by analyzing the definition nodes of the variable, and after the variable is defined and before redefined, the transfer relationship of each father node in the variable use path is established, wherein the transfer relationship is the variable name. Therefore, a traversing basis is provided for a subsequent graph traversing algorithm, and only a transmission path is required to be traversed and traced under a certain condition, so that the time complexity and the space complexity of subsequent stain analysis are reduced.

Therefore, by constructing the variable transfer diagram, only the data flow path of the taint variable can be focused when carrying out taint analysis, so that analysis on other irrelevant codes is reduced, the advantages of the map construction technology are utilized to a certain extent, and the workload of the taint analysis can be lightened.

(3) Function dependency graph construction

If no dependency relation is established for function call of the variable, the non-connectivity of the self-defined function control flow and the file integral control flow is shown in the graph database, and the subsequent graph traversal can cause the termination of the traversal path, so that complete data flow information is not obtained.

Therefore, after the control flow graph and the variable transfer graph are constructed, a dependency relationship of function calls needs to be established for the function types, and the function calls are mainly divided into four types: custom function calls (test ()), static method calls (test:: test ()), constructor calls (new test ()) and dynamic method calls ($a- > test ()). For the first three types of function call, the function call name has no ambiguity, so that the dependency relationship between the father node of the variable passing through the function and the function call can be directly established; for the last dynamic method call, if the function call name is the unique function name in the file, the dependency relationship is directly established, and if the function call name is the same function call name in different classes, the function dependency relationship is not established, because in this case, if the function dependency relationship is still wanted to be established, the variables need to be traced back, and the defined original class names are analyzed.

In this way, the graph knowledge is combined with the code audit technology, the compiling result is subjected to form conversion and expansion, and the node, the attribute and the relation are constructed according to the graph theory knowledge. Further, in some embodiments, a code attribute map is constructed, and feature detection is performed on the code attribute map by using a predefined vulnerability detection rule to obtain a plurality of alternative features.

Specifically, the vulnerability detection rule comprises a stain variable source rule and a dangerous function rule. The source rule of the stain variable is mainly used for defining the source mode of the controllable variable in the stain analysis, namely user controllable points, for example, common controllable points in PHP language include $_GET, $_POST, $COOKIE and the like, and the data stream acquisition of the stain analysis can be completed by defining a relatively complete source rule of the stain variable; the dangerous function rule is mainly to define some sensitive functions capable of triggering the loopholes, and as different sensitive functions may trigger functions of the same type, when the dangerous function rule is defined, the dangerous function needs to be corresponding to the loopholes, and meanwhile, one dangerous function possibly corresponds to various loopholes, when the stain variable enters the dangerous function, the loopholes are triggered to a great extent, so that the dangerous function rule as comprehensive as possible needs to be defined to detect more loopholes. The rules of the hazard function may be as shown in table 1 below.

TABLE 1 rules of hazard function

In this way, after the codes are converted into the code attribute graphs and stored in the graph database, the graph traversal algorithm can be used for carrying out taint analysis on the nodes and the relations among the nodes by matching with all the defined vulnerability detection rules, wherein the graph traversal algorithm comprises reverse traversal and forward traversal. The acquisition of the data stream is perfected through two traversal algorithms, and the analysis false alarm rate and the missing report rate are reduced.

In some embodiments, the data in the applet is marked as blobs or non-blobs using a blobs analysis technique, and when blobs data can affect non-blobs data according to an information streaming policy, the data is marked as blobs, and when blobs tags eventually propagate with the data to a designated storage area or information leakage point, the information streaming policy is violated.

FIG. 3 shows a traversal flow chart of the spot analysis. As shown in fig. 3, node positioning is performed on a map through a dangerous function rule, all possible vulnerability triggering points are found, node searching is performed directly according to function names in the dangerous function rule in the map based on the constructed code attribute map, a termination node of a potential taint path is established, a start point of a taint path is an introduction point of a controllable variable, an end point is a calling relation of a sensitive function and the taint variable, and a data flow path from the start point to the end point is called a taint path.

Then, according to the dangerous function node, variable searching is carried out, and as the relation between the father node and the child node is constructed previously, the node type of the function call is the father node, and the child node is the name of the call function and the variable name of the function call, the dangerous function name and the variable name of the function call can be obtained through traversal of the father and child nodes, and at the moment, the transfer relation of the call variables is traced back according to the concept of reverse traversal. It should be noted that, the triggering of a part of loopholes is based on a function configuration item, that is, if the configuration is incorrect when the function is used, the loopholes are triggered, for example, the curl function has the configuration item, and the configuration item capable of triggering the SSRF loopholes only has the curlpt_url item, so that when the curl function obtains the dangerous variable thereof, the function configuration item needs to be additionally checked, thereby improving the recognition rate of the stain path.

It should be understood that the determination of the parent node of the dangerous function is required before the reverse traversal, because the function call is most likely to occur in the variable assignment stage, in this stage, both the pass function name and the mapped variable name are required to be obtained, and meanwhile, the relationship between the parent nodes of each subtree is established when the variable transfer graph is constructed, so that the determination of the parent node is required, whether the node type of the variable assignment is determined, if yes, the variable mapping is required before the next step of backtracking, and the backtracking basis is provided, so that the stain path graph can be further enriched, and the accuracy of the stain analysis is improved.

Further, if it is found that when the stain path is analyzed, the dangerous function is not present in the custom function segment, but when the data flow is traced back, it is found that there is a case that the custom function is called, because the basis of the reverse traversal is a variable transfer relationship, but in the custom function, the data flow is from top to bottom, in this case, the complete stain path information cannot be obtained by adopting the reverse traversal method, so that the forward traversal method needs to be used to assist in matching with the reverse traversal to perfect the acquisition of the data flow.

Specifically, when reverse traversal obtains a call function name and finds that the current call function is a custom function, according to a function call graph constructed previously, the call function name and an initial function variable are required to be mapped to the corresponding variable name in the custom function because the function name and the initial function variable are defined in the custom function, then the data flow path graph of the variable is obtained in a top-down mode, the traversal basis is the transfer relation among the variables, the final entry to a termination node of the custom function is realized through continuous dependence transfer, the current traversal process is exited, and the data flow path obtained through forward traversal is added to the path of the original variable, so that the paths are continuously enriched and perfected.

Step S102, matching the alternative features with a pre-constructed safety detection feature library, and determining first vulnerability information of the applet according to first features matched with the alternative features in response to determining that the first features exist in the safety detection feature library; wherein the security detection feature library comprises a number of first features.

In this embodiment, a security detection feature library is first constructed by utilizing a vulnerability in a static analysis detection applet, and the security detection feature library may include a code defect feature, a code vulnerability feature, a communication security feature, and the like. Therefore, based on the security detection feature library, the detection features such as character strings, network behaviors and the like can be utilized, and features with the same behaviors as the feature library can be matched from the applet by utilizing the logical combination of the detection features and the regular expression mode, so that the loopholes in the applet can be found quickly.

In specific implementation, the security detection feature library can be constructed by the following method: analyzing the source code of the applet to obtain a feature code; wherein the feature code characterizes a code that generates a code vulnerability; converting the feature codes to obtain feature vectors; generating a vulnerability text vector according to the feature vector; classifying the vulnerability text vector by utilizing a classification model obtained by pre-training to obtain a classification result; and constructing and obtaining the safety detection feature library according to the classification result.

Wherein, for the training set and the test set of the classification model, each sample is composed of a set of input samples, and each sample includes an input object (feature vector) and its corresponding label.

Fig. 4 shows a schematic flow diagram of feature classification in the process of constructing a security detection feature library. As shown in fig. 4, the step of generating the feature vector may include: the feature vector is obtained by preprocessing (e.g., removing punctuation and special characters, segmentation, capitalization of characters, etc.) the applet code data (i.e., the applet source code), and then performing feature extraction.

In some embodiments, feature codes that produce code vulnerabilities are extracted from the applet in combination with the static analysis intermediate results, and labeled with classifications (fig. 5 is a static analysis feature extraction flowchart), and then these feature codes are converted into feature vectors. Also, the feature vector generation process may be as shown in fig. 6.

Specifically, feature vectors describe applet defect holes in three dimensions: meta-features, text features, and code features. Meta-features refer to predefined fields of the bug of the applet code, such as reporting time, priority, severity and the like, at least including bug numbers, bug names, bug code features, bug engine rule descriptions, danger levels and the like, and can also provide potential marks for bug report identification; text features refer to the text content of the defect report, text features refer to summary fields, which are sentences given by the defect submitter summarizing the submitter's description of the defect, possibly containing potential semantic information that can be used for vulnerability recognition; the code feature refers to the code attribute of an applet source code file, which can be divided into four parts, whether a dangerous function or an external input function exists, the number of code lines added or deleted in a defect patch, the number of files related to applet loopholes and the complexity of applet defects.

For each dimension of the feature vector, a series of characteristics is extracted. Thus, the feature vector of an applet can be expressed as:

V _report ＝{v _meta ,v _text ,v _code }；

wherein v is _meta Is transformed from a set of characteristics, v _text Is converted from a set of text features, v _code Is converted from a set of code features.

For meta-features, these fields undergo numerical mapping and normalization processing, and are finally converted into meta-feature vectors, expressed as:

in some embodiments, after the feature vectors are generated, a Support Vector Machine (SVM) is utilized to construct the vulnerability automated recognition model. The basic model of an SVM is a linear classifier with maximized space, and although it is a linear model, it can efficiently implement nonlinear classification by mapping the input to a higher-dimensional feature space through a kernel function. In particular, a radial basis function (Radial Basis Function, RBF) can be chosen as a kernel function because it can map the original features from a low-dimensional space to a high-dimensional space, thus dealing well with nonlinear relationships between class labels and attributes.

In the related art, the high dimensionality and sparsity presented by the word vector space generated by the text feature extraction method TF-IDF, information gain and the like lead to low accuracy of vulnerability classification, the description of vulnerability log text is short, the log description of some vulnerabilities is similar although the categories are different, and the problem of difficulty in feature extraction exists. Therefore, in this example, the TFI-W2V algorithm is utilized to generate the vulnerability text vector, and the TF-IDF and information gain method and the Word vector generated based on the Skip-gram language model training of Word2Vec are weighted to represent the vulnerability text information.

In some embodiments, a textCGRU vulnerability classification model based on text CNN and GRU feature fusion is established, the model fully utilizes CNN to extract local features of vulnerability text vectors, GRU extracts global features related to text contexts, then the extracted features are fused to serve as basic information for distinguishing each vulnerability, so that the extracted features can represent semantic and grammar information of more accurate vulnerability log description, and finally the textCGRU model is applied to vulnerability classification, so that automatic classification of vulnerability features is realized.

Finally, by taking the loopholes in the NVD loophole library as experimental research basis, analyzing and processing the loophole data in the NVD loophole library in detail, and extracting the information of the loophole data. And taking NVD as experimental data, performing experimental verification and result analysis on the proposed TFI-W2V vulnerability text representation method and the textCGRU vulnerability classification model, and performing experimental comparison with a neural network vulnerability classification model based on TF-IDF and information gain methods, thereby showing the advantages of the proposed textCGRU vulnerability classification model based on a TFI-W2V algorithm. Finally, a safety detection feature library is constructed by utilizing a machine learning and natural language processing model method.

Thus, the security detection feature library obtained by the construction is utilized to detect the loopholes in the applet, and the features with the same behaviors as the feature library are matched in the applet, so that the loopholes in the applet can be quickly searched. Specifically, a plurality of first features in the constructed safety detection feature library can be respectively matched with detection features (namely a plurality of alternative features) obtained by static analysis, namely, the detection features such as character strings, network behaviors and the like are utilized, and the features with the same behaviors as the feature library are matched from the applet in a mode of logical combination and regular expression of the detection features; if the candidate features are matched, determining the candidate features as target features, and determining first vulnerability information according to the target features, namely according to the first features corresponding to the target features, so as to find vulnerabilities in the applet.

Furthermore, in some embodiments, an attack vector may also be generated. Specifically, in the automatic generation stage of the attack vector, a general attack vector library aiming at each vulnerability is constructed, and constraint rules of filtering functions and purifying functions of various vulnerabilities are constructed, so that constraint solution is utilized to automatically generate the attack vector which can be utilized.

And step S103, generating a security assessment report according to the first vulnerability information.

In this embodiment, the generated security assessment report is not a simple summary of security defects, and may further determine the severity of security defects of the applet and give appropriate repair suggestions. And from ease of use, defect reporting may support grouping, ordering, masking specific results, etc.

It should be noted that, the security evaluation report not only includes the first vulnerability information, but also includes other security risk evaluation detection information such as whether the applet has sensitive information leakage, code protection intensity, source code exposure risk, source code defect, and the like. The process of acquiring these security risk assessment detection information will be described in detail later.

FIG. 7 is a flow chart of an automated evaluation method for security risk of an applet in accordance with another embodiment of the application. As shown in fig. 7, the applet security risk automated assessment method may include: dynamic detection analysis, static detection analysis, feature library construction, comprehensive analysis, automatic detection report generation and the like are carried out on the small program.

In some embodiments, the applet security risk automated assessment method may also include common vulnerability and security problem detection. Regarding common vulnerability and security problem detection, it may include: client code security detection, server security detection, business logic security detection, and applet specific security detection. The client code safety detection is used for detecting whether the client has sensitive information leakage, whether the code protection intensity is enough and the like through static scanning of the applet client code; the server security detection detects whether the server uses software with holes or easy to attack, whether unreasonable service configuration exists or not by scanning the server environment; the service logic safety detection is used for checking the safety of the small program service, checking whether the service has risks, has the authority, contains advertisements and the like; the special safety detection of the small program detects whether the API of the small program calling WeChat accords with the specification or not and whether the risk of leakage of client information or session information and the like exists. Specifically, a combination of penetration test technology, safety detection technology and applet reinforcement technology can be adopted. The small program reinforcement technology comprises a code confusion technology, a tamper-proof technology and an anti-debugging technology.

That is, for common loopholes and security problem detection, detection of content such as server communication security, business logic security, information leakage risk, common SQL injection, arbitrary file uploading, path crossing, catalog enumeration Web loopholes and the like of the applet is supported; the detection engine can analyze the data communicated between the applet and the server, judge whether plaintext transmission exists or not and whether excessive user information is transmitted outwards or not, and can drive various security detection tools to test and analyze whether SQL injection, any file uploading, path crossing and directory enumeration Web loopholes exist in the applet or not.

In some alternative embodiments, the applet may be subjected to penetration testing by: intercepting a first request for the applet; modifying the first request to generate a second request; and sending the second request to the applet to obtain second vulnerability information.

Thus, various security risks such as service data leakage, asset damage, data tampering and the like can be found out by performing penetration test on the applet service system in a form of simulating hacking. Therefore, high-risk loopholes are found in the test stage, repair is carried out in advance, safety risks and asset loss caused by code loopholes are avoided as soon as possible, and deep loopholes are excavated aiming at the logic safety of small program business and the safety of WEB frames.

Referring to fig. 8, a flow chart of the applet penetration test is shown. As shown in fig. 8, the penetration test may include the following steps.

(1) Sniffing the test object and collecting information, this step being mainly aimed at finding a weak password in order to make the penetration test faster.

(2) The test object is remotely connected, and in the step, the host can be connected through some command lines, and the corresponding tool can also be used for connection. The remote connection test mainly aims at accessing or logging in the test target and realizing the operation of the test target.

(3) The attack test target mainly comprises log removal, virtual back door placement and the like, and the steps mainly comprise operations executed after logging in the test target, namely an attack stage and a penetration test stage. The main task of the step is to obtain the corresponding data information, eliminate some virtual illegal operation signs and put in the virtual backdoor to prepare for the next intrusion, and the penetration test mainly obtains whether the user network is safe or not, which is also the evidence obtaining stage.

(4) The test target is scanned, and information of the test target is further collected by scanning the test target, wherein the stage is basically similar to the sniffing stage and mainly used for finding weak passwords and vulnerability information.

(5) The weak password detection is carried out, and the weak password existing in the test target is obtained through accessing the test target.

(6) The vulnerability utilization, utilizing the vulnerability information obtained by scanning, executes corresponding tools aiming at the vulnerability information, and can reach the aim of attacking the test targets more quickly.

(7) The authority is lifted, and after the ordinary authority of the test object is obtained, the degree of attack hazard to the test object is different due to different authorities, if only the ordinary user authority is obtained, only a simple operation can be performed on the attack object, and more useful information cannot be obtained. And the administrator authority is obtained through the authority improvement, more operations are executed, more useful information is obtained, the damage to the attack target is larger, the user can be more powerfully proved to have great network security problems by taking the administrator as an executor of the penetration test, and the user can increase the network security degree.

(8) Denial of service attacks, including DOS and DDOS attacks, have the primary purpose of causing the resource consumption of the test target, even off-the-shelf. The step is mainly performed in the mode that the steps do not play an attack role, the user network is relatively safe, but the step is performed for testing the bearing capacity of the network, so that the maximum bearing capacity of the user network can be obtained, reasonable suggestions can be provided for the user, the step can bring some influence to the user, and generally, when the step is performed, the user agrees to be obtained, and the proper time is selected for execution.

In some embodiments, the applet security risk automated assessment method may further comprise database security detection. Specifically, firstly, automatic sniffing of a database is carried out, an in-network database is automatically searched, the capability of dynamically finding the database is supported, and flow package information is analyzed by automatically grabbing and accessing a database flow package. The extracted data is then automatically identified during execution of the task based on specified or predefined sensitive data characteristics. By automatically identifying the sensitive data, the tedious work of defining sensitive data elements according to fields can be avoided, and new sensitive data can be continuously discovered. And then carrying out sensitive data leakage analysis and sensitive data clearing, and completely clearing the sensitive data to prevent the sensitive data from being leaked. The conventional data clearing method can restore the cleared data, adopts a data coverage method to cover the original data by using new data, and then adopts data clearing software to clear, so that the sensitive data can be thoroughly cleared.

In the specific implementation, the data asset can be detected by scanning the flow information of the given equipment, the information and the distribution of the data asset are verified, the distribution of a database is found, the sensitive data is found by the prefabricated discovery rule, the sensitive data are classified in a grading manner, the visual sensitive data distribution is presented, and the use heat of the asset is judged by the SQL statement quantity and the session concurrency quantity of the asset.

Fig. 9 shows a schematic flow chart of database security detection. As shown in fig. 9, the following steps and their corresponding embodiments may be included.

(1) Database automatic sniffing

I.e. the function of automatically searching the database in the network, or the range of the IP section and the port can be specified for searching. Basic information that can automatically discover a database includes: port number, database type, database instance name, database server IP address, etc. It is also necessary to support the capability of dynamically discovering a database, and by automatically capturing and accessing a database flow packet, analyzing flow packet information, the basic information of the automatic discovery database includes: port number, database type, database instance name, database server IP address, etc.

(2) Automatic identification of encrypted and sensitive data

I.e. the extracted data is automatically identified during the execution of the task based on the specified sensitive data or predefined sensitive data characteristics. Firstly, judging whether the extracted data is encrypted data or not, and if the extracted data is plaintext data, further carrying out sensitive data identification. After identifying the sensitive data, a list of discovered sensitive data may be exported according to rules. And analyzing the dynamic flow packet passing through the bypass link to obtain access object information, and automatically identifying the access object according to a part of sensitive data specified by a user or predefined sensitive data characteristics, so that the sensitive data distribution can be dynamically discovered. By automatically identifying the sensitive data, the tedious work of defining sensitive data elements according to fields can be avoided, and new sensitive data can be continuously discovered.

(3) Hierarchical classification of sensitive data

I.e., sensitive data to common data (e.g., name, card number, bank account, amount, date, address, telephone number, email address, license plate number, frame number, business name, business registration number, organization code, tax payer identification number, etc.) according to different data feature built-in algorithms. The user may specify different sensitivity levels for different data types and the system may automatically score the sensitivity of the table, schema, library containing the sensitive data.

(4) Sensitive data leakage analysis and sensitive data clearing mechanism

And obtaining fingerprint information to be detected through text extraction and fingerprint generation, and finally calculating text similarity between the fingerprint to be detected and the fingerprint of the sensitive information, and judging whether sensitive data leakage occurs or not through a text similarity result. To prevent sensitive data from leaking, sensitive data needs to be thoroughly cleared. For the data clearing scheme in the related art, an attacker can recover the cleared data, so that the data coverage method is adopted in the embodiment to cover the original data with the new data, and then clearing is performed, so that the sensitive data can be thoroughly cleared. Specifically, the overwriting method can adopt a binary data storage method, and the original data is covered with irregular 0 and 1, so that the original data information is scrambled and the integrity of the data file is destroyed. According to the classification level of the sensitive data, different modes such as bit-by-bit overwriting, skip bit overwriting, random overwriting and the like can be selected, and the more the number of times of overwriting is, the higher the security of the sensitive data clearing is.

In another embodiment, data extraction is performed on the database of the applet to obtain a plurality of first data; in response to determining that the first data is plaintext data, identifying the first data according to preset sensitive data characteristics, and determining second data; wherein the second data characterizes sensitive data; and clearing the second data from the database. Thus, automatic discovery of data assets, hierarchical classification of data, sensitive data cleaning, and the like can be achieved.

In some alternative embodiments, the applet security risk automated assessment method may further include applet augmentation, i.e., encryption of applet front end code. The encryption tool can be used for encrypting the codes, so that various protection measures such as character string encryption, attribute encryption, call conversion, code confusion and the like can be realized, the difficulty of an attacker in analyzing the H5 front-end code logic is improved, and the safety of the applet codes is further protected.

In particular, the applet is warped by the code obfuscation method to conceal the true code function. The control flow confusion can be realized by replacing related names in an original program by simple irregular characters, can be divided based on basic code blocks and then is confused, and the principle is that a switch structure is utilized to flatten the control flow, so that the flow of the program becomes complex and changeable and is not easy to analyze, and the attacker is confused by inserting garbage codes, such as opaque predicates and the like. Thus, if the reverse personnel decompiles the source code file by using a decompilation tool, only irregular code naming of some single characters or double characters can be seen, so that protection is realized.

In particular, tamper-resistant methods are employed to prevent program modification through a series of active defensive means. If an applet is attacked by malicious code, advertisements, and modified program flows, the properties of the file are changed, so that the file can be checked against tamper. The Hash value of the file can be calculated by using an encryption algorithm and compared with a locally stored value, and once the program is found to be modified and the verification value is necessarily different, the running of the program can be ended in the code.

In the specific implementation, the code can be prevented from being dynamically debugged by an attacker through code detection by adopting an anti-debugging technology, and the system defines a function for judging the debugging state. In addition, the debug status may be determined based on the anti-debug mode of the debug status feature, for example, in the debug status, because an attacker may manually execute the code step by step, which may result in a longer code execution time.

In addition, in some embodiments, security detection may be performed for the applet front end and the backend WEB end as a whole, as shown in fig. 10. The method can cover foreground code security and API use specifications, and business CGI and security detection on WEB frames, including SQL injection, XSS cross-site script, directory traversal, information leakage and other mainstream Web attack modes.

It should be noted that the foregoing describes some embodiments of the present application. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments described above and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.

Based on the same technical concept, the application also provides an automatic evaluation device 110 for the safety risk of the applet, which corresponds to the method in any embodiment.

Referring to fig. 11, the applet security risk automation evaluation device 110 includes:

a detection module 1101 configured to: performing feature detection on the applet to obtain a plurality of alternative features;

a determination module 1102 configured to: matching the alternative features with a pre-constructed safety detection feature library, and determining first vulnerability information of the applet according to first features, wherein the first features matched with the alternative features exist in the safety detection feature library; wherein the security detection feature library comprises a plurality of first features;

A generating module 1103 configured to: and generating a security assessment report according to the first vulnerability information.

Optionally, the detection module 1101 is specifically configured to: extracting source codes of the applet; compiling the source code to generate an abstract syntax tree; converting the abstract syntax tree to obtain a code attribute graph; and performing feature detection on the code attribute graph by utilizing a predefined vulnerability detection rule to obtain a plurality of alternative features.

Optionally, the determining module 1102 is specifically configured to: analyzing the source code to obtain a feature code; wherein the feature code characterizes a code that generates a code vulnerability; converting the feature codes to obtain feature vectors; generating a vulnerability text vector according to the feature vector; classifying the vulnerability text vector by utilizing a classification model obtained by pre-training to obtain a classification result; and constructing and obtaining the safety detection feature library according to the classification result.

For convenience of description, the above devices are described as being functionally divided into various modules, respectively. Of course, the functions of each module may be implemented in the same piece or pieces of software and/or hardware when implementing the present application.

The device of the foregoing embodiment is configured to implement the corresponding applet security risk automatic assessment method in any of the foregoing embodiments, and has the beneficial effects of the corresponding method embodiment, which is not described herein.

Based on the same technical concept, the application also provides an electronic device corresponding to the method of any embodiment, which comprises a memory, a processor and a computer program stored on the memory and executable by the processor, wherein the processor realizes the automatic evaluation method of the small program security risk according to any embodiment when executing the computer program.

Fig. 12 is a schematic diagram showing a hardware structure of a more specific electronic device according to the present embodiment, where the device may include: a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. Wherein processor 1010, memory 1020, input/output interface 1030, and communication interface 1040 implement communication connections therebetween within the device via a bus 1050.

The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit ), microprocessor, application specific integrated circuit (Application Specific Integrated Circuit, ASIC), or one or more integrated circuits, etc. for executing relevant programs to implement the technical solutions provided in the embodiments of the present disclosure.

The Memory 1020 may be implemented in the form of ROM (Read Only Memory), RAM (Random Access Memory ), static storage device, dynamic storage device, or the like. Memory 1020 may store an operating system and other application programs, and when the embodiments of the present specification are implemented in software or firmware, the associated program code is stored in memory 1020 and executed by processor 1010.

The input/output interface 1030 is used to connect with an input/output module for inputting and outputting information. The input/output module may be configured as a component in a device (not shown) or may be external to the device to provide corresponding functionality. Wherein the input devices may include a keyboard, mouse, touch screen, microphone, various types of sensors, etc., and the output devices may include a display, speaker, vibrator, indicator lights, etc.

Communication interface 1040 is used to connect communication modules (not shown) to enable communication interactions of the present device with other devices. The communication module may implement communication through a wired manner (such as USB, network cable, etc.), or may implement communication through a wireless manner (such as mobile network, WIFI, bluetooth, etc.).

Bus 1050 includes a path for transferring information between components of the device (e.g., processor 1010, memory 1020, input/output interface 1030, and communication interface 1040).

It should be noted that although the above-described device only shows processor 1010, memory 1020, input/output interface 1030, communication interface 1040, and bus 1050, in an implementation, the device may include other components necessary to achieve proper operation. Furthermore, it will be understood by those skilled in the art that the above-described apparatus may include only the components necessary to implement the embodiments of the present description, and not all the components shown in the drawings.

The electronic device of the foregoing embodiment is configured to implement the corresponding applet security risk automated assessment method in any of the foregoing embodiments, and has the beneficial effects of the corresponding method embodiment, which is not described herein.

Based on the same technical concept, the application also provides a non-transitory computer readable storage medium corresponding to the method of any embodiment, wherein the non-transitory computer readable storage medium stores computer instructions for causing a computer to execute the method for automatically evaluating the security risk of the applet according to any embodiment.

The computer readable media of the present embodiments, including both permanent and non-permanent, removable and non-removable media, may be used to implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static Random Access Memory (SRAM), dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), read Only Memory (ROM), electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape disk storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device.

The storage medium of the foregoing embodiments stores computer instructions for causing the computer to perform the method for automated evaluation of security risk of an applet as in any one of the foregoing embodiments, and has the advantages of the corresponding method embodiments, which are not described in detail herein.

Based on the same technical idea, the application also provides a computer program product corresponding to the method of any embodiment, which comprises the computer program instructions. In some embodiments, the computer program instructions may be executable by one or more processors of a computer to cause the computer and/or the processor to perform the applet security risk automated assessment method. Corresponding to the execution subject corresponding to each step in each embodiment of the method for automatically evaluating the security risk of the applet, the processor executing the corresponding step may belong to the corresponding execution subject.

The computer program product of the above embodiment is configured to enable the computer and/or the processor to perform the applet security risk automated assessment method according to any one of the above embodiments, and has the advantages of corresponding method embodiments, which are not described in detail herein.

Those of ordinary skill in the art will appreciate that: the discussion of any of the embodiments above is merely exemplary and is not intended to suggest that the scope of the application (including the claims) is limited to these examples; the technical features of the above embodiments or in the different embodiments may also be combined within the idea of the application, the steps may be implemented in any order, and there are many other variations of the different aspects of the embodiments of the application as described above, which are not provided in detail for the sake of brevity.

Additionally, well-known power/ground connections to Integrated Circuit (IC) chips and other components may or may not be shown within the provided figures, in order to simplify the illustration and discussion, and so as not to obscure the embodiments of the present application. Furthermore, the devices may be shown in block diagram form in order to avoid obscuring the embodiments of the present application, and also in view of the fact that specifics with respect to implementation of such block diagram devices are highly dependent upon the platform within which the embodiments of the present application are to be implemented (i.e., such specifics should be well within purview of one skilled in the art). Where specific details (e.g., circuits) are set forth in order to describe example embodiments of the application, it should be apparent to one skilled in the art that embodiments of the application can be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative in nature and not as restrictive.

While the application has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of those embodiments will be apparent to those skilled in the art in light of the foregoing description. For example, other memory architectures (e.g., dynamic RAM (DRAM)) may use the embodiments discussed.

The present embodiments are intended to embrace all such alternatives, modifications and variances which fall within the broad scope of the appended claims. Therefore, any omissions, modifications, equivalent substitutions, improvements, and the like, which are within the spirit and principles of the embodiments of the application, are intended to be included within the scope of the application.

Claims

1. An automated evaluation method for security risk of an applet, comprising:

2. The method of claim 1, wherein the feature detection of the applet results in a number of alternative features, including:

extracting source codes of the applet;

compiling the source code to generate an abstract syntax tree;

converting the abstract syntax tree to obtain a code attribute graph;

3. The method of claim 2, further comprising building the security detection feature library by:

converting the feature codes to obtain feature vectors;

generating a vulnerability text vector according to the feature vector;

4. The method according to claim 1, wherein the method further comprises:

and clearing the second data from the database.

5. The method of claim 1, further comprising performing a penetration test on the applet by:

intercepting a first request for the applet;

modifying the first request to generate a second request;

6. The method of claim 1, wherein prior to feature detection of the applet, the method further comprises:

inputting the name of the applet to be tested;

and performing simulation operation on the applet.

7. An automated applet risk assessment device, comprising:

8. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable by the processor, wherein the processor implements the method of any of claims 1-6 when executing the computer program.

9. A non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the method of any one of claims 1-6.

10. A computer program product comprising computer program instructions which, when run on a computer, cause the computer to perform the method of any of claims 1-6.