CN116956310A - Vulnerability protection method, device, equipment and readable storage medium - Google Patents


Info

Publication number: CN116956310A
Authority: CN (China)
Prior art keywords: target; target process; program component; authority; parameter
Legal status: Granted
Application number: CN202311222540.XA
Other languages: Chinese (zh)
Other versions: CN116956310B (en)
Inventor: 卜凡钢
Current Assignee: Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202311222540.XA
Publication of CN116956310A
Application granted
Publication of CN116956310B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

The embodiment of the application discloses a vulnerability protection method, device, equipment and readable storage medium in the fields of cloud technology and traffic. The method comprises the following steps: deploying a protection application on a target terminal and starting a data acquisition function in the protection application; if a triggering operation for a program component is detected, starting a target process associated with the program component and acquiring the process parameters of the target process through the data acquisition function, where the process parameters are preset and have an association relationship with the program component. Further, if the process parameter of the target process is a preset parameter, the process type of the target process is a target process type, and the permission of the target account related to the triggering operation is a first permission, the triggering operation is determined to be an abnormal operation, and prompt information including the process parameters of the target process can be output to indicate that the triggering operation is abnormal. With the embodiment of the application, the triggering operation can be security-checked and data security is improved.

Description

Vulnerability protection method, device, equipment and readable storage medium
Technical Field
The present application relates to the field of cloud technologies, and in particular, to a vulnerability protection method, device, equipment, and readable storage medium.
Background
Because pkexec (a tool for executing a command with privileges on a Linux system) does not handle the special case in which argv (the process parameters) is empty, a security problem exists on the device: an attacker can use a local privilege escalation vulnerability to maliciously raise their own privileges, for example from ordinary user privileges to root (administrator) privileges. An attacker can therefore raise low privileges to root in this way and access the data that root privileges protect, which is a serious potential security hazard. How to perform security detection on the triggering operation of any account, and determine whether that triggering operation exploits a programming vulnerability to escalate the user's privileges, so as to improve data security, is therefore a problem to be solved.
Disclosure of Invention
The embodiment of the application provides a vulnerability protection method, a vulnerability protection device, vulnerability protection equipment and a readable storage medium, which can be used for carrying out safety detection on triggering operation and improving data safety.
In a first aspect, the present application provides a vulnerability protection method, including:
deploying a protection application on a target terminal, and starting a data acquisition function in the protection application;
if the triggering operation for the program component is detected, starting a target process associated with the program component, and acquiring process parameters of the target process based on the data acquisition function; the process parameters of the target process are preset and have an association relationship with the program component;
if the process parameter of the target process is a preset parameter, the process type of the target process is a target process type, and the authority of the target account related to the trigger operation is a first authority, determining that the trigger operation is an abnormal operation;
outputting prompt information; the prompt information comprises process parameters of the target process, and is used for prompting the triggering operation to be abnormal operation.
In a second aspect, the present application provides a vulnerability protection device, comprising:
the application deployment unit is used for deploying the protection application on the target terminal and starting a data acquisition function in the protection application;
the parameter acquisition unit is used for starting a target process associated with the program component if the triggering operation for the program component is detected, and acquiring process parameters of the target process based on the data acquisition function; the process parameters of the target process are preset and have an association relationship with the program component;
the exception determining unit is used for determining that the trigger operation is an exception operation if the process parameter of the target process is a preset parameter, the process type of the target process is a target process type, and the authority of the target account related to the trigger operation is a first authority;
the information prompt unit is used for outputting prompt information; the prompt information comprises process parameters of the target process, and is used for prompting the triggering operation to be abnormal operation.
In a third aspect, the present application provides a computer device, including a processor and a memory, where the processor is connected to the memory, the memory is configured to store a computer program, and the processor is configured to call the computer program to cause the computer program to execute the above vulnerability protection method.
In a fourth aspect, the present application provides a computer readable storage medium having stored therein a computer program adapted to be loaded and executed by a processor to cause a computer device having the processor to perform the above-described vulnerability protection method.
In a fifth aspect, the present application provides a computer program product comprising computer programs/instructions which when executed by a processor implement the above-described vulnerability protection method.
In the embodiment of the application, the protection application is deployed on the target terminal, the data acquisition function in the protection application is started, and when the triggering operation for the program component is detected, the target process associated with the program component can be started, and the process parameters of the target process are acquired based on the data acquisition function. Because the process parameters of the target process are preset and have an association relation with the program component, when the triggering operation for the program component is detected, the target process associated with the program component can be started, and then the process parameters of the target process are acquired. If the process parameter of the target process is a preset parameter, the process type of the target process is a target process type, and the authority of the target account related to the trigger operation is a first authority, determining that the trigger operation is an abnormal operation, and further outputting prompt information for prompting that the trigger operation is the abnormal operation. The triggering operation can be safely detected by detecting the process parameters of the target process, so that whether the triggering operation is an abnormal operation or not is determined, for example, the abnormal operation can be an operation of utilizing the loophole to raise the authority of the user. Under the condition that the abnormal operation is determined, vulnerability protection can be achieved by processing the abnormal operation, for example, outputting prompt information, and data security is improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a network architecture of a vulnerability protection system according to an embodiment of the present application;
FIG. 2 is an application scenario schematic diagram of a vulnerability protection method provided by an embodiment of the present application;
FIG. 3 is a schematic flow chart of a vulnerability protection method according to an embodiment of the present application;
FIG. 4 is a schematic view of a process parameter detection scenario according to an embodiment of the present application;
FIG. 5 is a flowchart illustrating another vulnerability protection method according to an embodiment of the present application;
FIG. 6 is a schematic diagram of a composition structure of a vulnerability protection device according to an embodiment of the present application;
FIG. 7 is a schematic diagram of a composition structure of a computer device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
Cloud technology refers to a hosting technology that integrates hardware, software, network and other resources in a wide area network or a local area network to realize calculation, storage, processing and sharing of data. Cloud technology is the general name for the network, information, integration, management platform and application technologies applied in the cloud computing business model; it can form a resource pool and be used flexibly and conveniently on demand. Cloud computing technology will become an important support. Background services of networked technical systems, such as video websites, picture websites and other portals, require a large amount of computing and storage resources. With the rapid development and application of the internet industry, each item may in the future carry its own identification mark, which must be transmitted to a background system for logic processing; data of different levels can be processed separately, and the data of various industries needs strong back-end system support, which can only be realized through cloud computing. The scheme provided by the embodiment of the application belongs to cloud security in the field of cloud technology.
Cloud Security (Cloud Security) refers to a generic term for Security software, hardware, users, institutions, secure Cloud platforms based on Cloud computing business model applications. Cloud security integrates emerging technologies and concepts such as parallel processing, grid computing, unknown dangerous behavior judgment and the like, acquires the latest information of Trojan horse and malicious programs in the Internet through abnormal detection of a large number of network clients on software behaviors in the network, sends the latest information to a server for automatic analysis and processing, and distributes a Trojan horse solution to each client.
The main research directions of cloud security include: 1. cloud computing security, namely, how to guarantee security of cloud and various applications on the cloud, including cloud computer system security, security storage and isolation of user data, user access authentication, information transmission security, network attack protection, compliance audit and the like; 2. clouding of a safety infrastructure, mainly researching how to build and integrate safety infrastructure resources by adopting cloud computing, and optimizing a safety protection mechanism, wherein the cloud computing technology is used for constructing a super-large-scale safety event and an information acquisition and processing platform, realizing acquisition and association analysis of mass information, and improving the control capability and risk control capability of the whole network safety event; 3. cloud security services, mainly research on various security services provided for users based on cloud computing platforms, such as protection services and the like. For example, in the application, the cloud computing security technology can be adopted to judge the process parameters of the target process, determine whether the trigger operation corresponding to the target process is an abnormal operation, and the like.
The intelligent vehicle-road cooperative system (Intelligent Vehicle Infrastructure Cooperative Systems, IVICS), which is simply called a vehicle-road cooperative system, is one development direction of an Intelligent Transportation System (ITS). The vehicle-road cooperative system adopts advanced wireless communication, new generation internet and other technologies, carries out vehicle-vehicle and vehicle-road dynamic real-time information interaction in all directions, develops vehicle active safety control and road cooperative management on the basis of full-time idle dynamic traffic information acquisition and fusion, fully realizes effective cooperation of people and vehicles and roads, ensures traffic safety, improves traffic efficiency, and forms a safe, efficient and environment-friendly road traffic system. The scheme provided by the embodiment of the application belongs to an intelligent vehicle-road cooperative system, and can be used for installing protection application on the intelligent vehicle-road cooperative system, so as to detect and judge the triggering operation in the intelligent vehicle-road cooperative system.
The technical scheme of the application can be applied to the scenario of detecting whether the current triggering operation is an abnormal operation, such as an abnormal privilege escalation operation. For example, security problems caused by the argv process parameters being empty, such as the high-risk vulnerability CVE-2021-4034 (a local privilege escalation vulnerability), allow an attacker to carry out a user-mode privilege escalation attack and raise ordinary privileges to root privileges. By performing security detection on the attacker's operation, it is determined whether the operation is an abnormal operation (such as an abnormal privilege escalation), so that an alarm can be raised for the abnormal operation and data security is improved. Optionally, the technical scheme of the application can be applied to various scenarios, including but not limited to cloud technology, artificial intelligence, intelligent transportation, assisted driving and the like.
It should be specifically noted that, in the embodiments of the present application, data (such as process parameters or other data) related to object information is related to, when the embodiments of the present application are applied to specific products or technologies, permission or consent of the object needs to be obtained, and collection, use and processing of related data need to comply with related laws and regulations and standards of related regions. For example, an object may refer to a user of a terminal device or a computer device.
Referring to fig. 1, fig. 1 is a schematic diagram of a network architecture of a vulnerability protection system according to an embodiment of the present application. As shown in fig. 1, a computer device may perform data interaction with terminal devices, and the number of terminal devices may be one or at least two. For example, when there are several terminal devices, they may include the terminal device 101a, the terminal device 101b, the terminal device 101c, and so on in fig. 1. Taking the terminal device 101a as an example, the terminal device 101a may be the target terminal, and a protection application may be deployed on the terminal device 101a. The computer device 102 may determine whether the trigger operation is an abnormal operation based on the protection application's detection of the trigger operation for the program component, so as to alert on the abnormal operation, such as outputting prompt information, when the trigger operation is determined to be abnormal. For example, the computer device 102 may send the prompt information to the management terminal to display it on the management terminal's screen.
It is understood that the computer devices mentioned in the embodiments of the present application include, but are not limited to, terminal devices or servers. In other words, the computer device may be a server or a terminal device, or may be a system formed by the server and the terminal device. The above-mentioned terminal device may be an electronic device, including, but not limited to, a mobile phone, a tablet computer, a desktop computer, a notebook computer, a palm computer, an intelligent voice interaction device, an intelligent home appliance, a vehicle-mounted terminal, an aircraft, an augmented reality/virtual reality (AR/VR) device, a head mounted display, a wearable device, a smart speaker, a digital camera, a camera, and other mobile internet devices (MID) with network access capability. The servers mentioned above may be independent physical servers, server clusters or distributed systems formed by a plurality of physical servers, or cloud servers that provide cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, vehicle-road collaboration, content delivery networks (CDN), and basic cloud computing services such as big data and artificial intelligence platforms.
Referring to fig. 2, fig. 2 is a schematic application scenario diagram of a vulnerability protection method according to an embodiment of the present application; as shown in fig. 2, for example, the protection application 22 may be deployed on the target terminal 21, and when the switch of the data acquisition function in the protection application 22 is turned on, the process parameters of the target process may be acquired subsequently based on the data acquisition function. If a triggering operation of the object 23 using the target account number on the program component on the target terminal 21 is detected, a target process associated with the program component is started, and process parameters 24 of the target process are acquired based on the data acquisition function. Further, a rule engine may be used to determine whether the process parameters 24 of the target process are in compliance with a rule to determine whether the target process is a malicious process, thereby determining whether the trigger operation is an abnormal operation, e.g., an abnormal operation may refer to an operation that maliciously raises rights. If it is determined that the trigger operation is the abnormal operation 25, an alarm may be given based on the abnormal operation 25, for example, the alarm mode may include outputting a prompt message.
Further, referring to fig. 3, fig. 3 is a schematic flow chart of a vulnerability protection method according to an embodiment of the present application; as shown in fig. 3, the vulnerability protection method may be applied to a computer device, and the vulnerability protection method includes, but is not limited to, the following steps:
S101, deploying a protection application on a target terminal, and starting a data acquisition function in the protection application.
In some scenarios, there is a defect in how argv (a process parameter) is handled: under normal conditions argv should never be empty, so when a program is designed, argv[0] is usually referred to directly as the process name. However, when a user creates a process with execve (a kernel-level system call), the argv parameter can be set to be empty, and the Linux kernel does not restrict this case. When an attacker creates a process using the execve system call and sets the argv parameter to be empty, unexpected behaviour is very likely to occur; for example, the attacker can use this vulnerability to carry out a privilege escalation attack.
In view of this, the embodiment of the present application provides a vulnerability protection method, which can implement universal protection against the argv design defect by detecting the process parameters of a process in real time, and can detect and alarm on the series of security problems caused by neglecting, when programming, the possibility that the argv parameters are empty, thereby improving data security. The security issues may include, for example, high-risk vulnerabilities such as the local privilege escalation vulnerability CVE-2021-4034, which an attacker may use to carry out a user-mode privilege escalation attack and elevate ordinary privileges to root privileges.
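As an added example of the detection rule just described (not code from the patent), the script below correlates Linux auditd SYSCALL/EXECVE records over constructed sample lines and raises prompt information when a setuid helper such as pkexec is executed with an empty argv by a non-root account. The audit record format is standard auditd; the watched process set, the root-uid threshold and the execve syscall number (x86_64) are assumed policy values.

```python
import os
import re

# Constructed auditd-style records (sample input, not from the patent). Serial
# 502 is an execve of pkexec with an empty argv by an ordinary user (uid 1000);
# 503 is the same call made by root; 501 and 504 are normal executions.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2101 auid=1000 uid=1000 gid=1000 euid=0 comm="pkexec" exe="/usr/bin/pkexec" key="exec"
type=EXECVE msg=audit(1700000000.101:501): argc=2 a0="pkexec" a1="--version"
type=SYSCALL msg=audit(1700000000.202:502): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2105 auid=1000 uid=1000 gid=1000 euid=0 comm="pkexec" exe="/usr/bin/pkexec" key="exec"
type=EXECVE msg=audit(1700000000.202:502): argc=0
type=SYSCALL msg=audit(1700000000.303:503): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2110 auid=0 uid=0 gid=0 euid=0 comm="pkexec" exe="/usr/bin/pkexec" key="exec"
type=EXECVE msg=audit(1700000000.303:503): argc=0
type=SYSCALL msg=audit(1700000000.404:504): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2111 auid=1000 uid=1000 gid=1000 euid=1000 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1700000000.404:504): argc=1 a0="ls"
"""

# Assumed policy values: the "target process type" is the set of setuid helpers
# to watch, the "first permission" is any non-root account, and the "preset
# parameter" is an empty argv (argc=0).
TARGET_PROCESS_TYPES = {"pkexec"}
ROOT_UID = 0
EXECVE_SYSCALL_X86_64 = "59"  # execve number on x86_64 (arch=c000003e); other arches differ

_HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Split one audit record into its type, serial and key=value fields."""
    m = _HEADER_RE.match(line.strip())
    if m is None:
        return None
    rec_type, _ts, serial, rest = m.groups()
    # findall yields '' for the unmatched alternative, so take whichever is set
    fields = {k: (q or u) for k, q, u in _KV_RE.findall(rest)}
    return {"type": rec_type, "serial": serial, "fields": fields}


def correlate_execve_events(log_text):
    """Join the SYSCALL and EXECVE records that share an audit serial into one
    event carrying the executable, the calling uid and the collected argv."""
    by_serial = {}
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec is None:
            continue
        ev = by_serial.setdefault(rec["serial"], {"serial": rec["serial"]})
        f = rec["fields"]
        if rec["type"] == "SYSCALL" and f.get("syscall") == EXECVE_SYSCALL_X86_64:
            ev["exe"] = f.get("exe", "")
            ev["pid"] = int(f.get("pid", "-1"))
            ev["uid"] = int(f.get("uid", "-1"))
        elif rec["type"] == "EXECVE":
            argc = int(f.get("argc", "0"))
            ev["argc"] = argc
            ev["argv"] = [f.get("a%d" % i, "") for i in range(argc)]
    return [ev for ev in by_serial.values() if "exe" in ev and "argc" in ev]


def is_abnormal_operation(ev, target_types=TARGET_PROCESS_TYPES):
    """Apply the three conditions of the method: the process parameter is the
    preset one (argv empty), the process is of the target type, and the account
    holds ordinary (non-root) privileges."""
    return (ev["argc"] == 0
            and os.path.basename(ev["exe"]) in target_types
            and ev["uid"] != ROOT_UID)


def build_prompt(ev):
    """Prompt information: includes the process parameters behind the verdict."""
    return ("abnormal operation: execve of %s with empty argv by uid %d "
            "(pid %d, audit serial %s), argv=%r"
            % (ev["exe"], ev["uid"], ev["pid"], ev["serial"], ev["argv"]))


def detect(log_text):
    """Return one prompt per abnormal execve event found in the log text."""
    return [build_prompt(ev) for ev in correlate_execve_events(log_text)
            if is_abnormal_operation(ev)]


if __name__ == "__main__":
    for prompt in detect(SAMPLE_AUDIT_LOG):
        print(prompt)
```

On a live system the same logic applies to records produced by an audit rule on the execve syscall (e.g. `-a always,exit -F arch=b64 -S execve -k exec`); a root-initiated empty-argv call is deliberately left unflagged, as in the method's third condition.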
In the embodiment of the application, the triggering operation on the target terminal and the process parameters of the target process can be detected and collected by deploying the protection application on the target terminal. For example, a protection application may be deployed on the target terminal and a data collection function in the protection application may be started. By deploying the protection application on the target terminal, any triggering operation occurring on the target terminal can be detected based on the protection application, and process parameters of the target process can be acquired.
The protection application may be an application program, or a system, a plug-in or a component, for example, and the protection application may be deployed on the target terminal, for example. For example, an installation package of the protection application may be downloaded on the target terminal, and the protection application may be installed on the target terminal by parsing the installation package of the protection application. Specifically, for example, one or more of an android operating system, ubuntu (one operating system), centos (another operating system) may be installed on the target terminal, and then the protection application may be deployed on the operating system such as android, ubuntu, centos, or the like. By deploying the guard application on the operating system, any operations that launch the application in the operating system may be detected by the guard application.
By deploying the protection application on the target terminal, after the protection application is started, a data acquisition function in the protection application can be started, so that process parameters of any process started on the target terminal can be acquired based on the data acquisition function, then whether trigger operation associated with any process is abnormal operation or not is judged based on the process parameters of any process, and an alarm is given to the abnormal operation, so that data safety is improved.
S102, if the triggering operation for the program component is detected, starting a target process associated with the program component, and acquiring process parameters of the target process based on the data acquisition function.
In the embodiment of the application, if the triggering operation of the object on the target terminal is detected, the target process is started, and the process parameters of the target process are acquired. The triggering operation may refer to a starting operation of any application program triggered at the target terminal, for example, may refer to an operation of starting an interactive application triggered at the target terminal.
Further, if a triggering operation for the program component is detected, a target process associated with the program component is started, and process parameters of the target process are acquired based on the data acquisition function.
The process parameters of the target process are preset and have an association relationship with the program component. Thus, when a trigger operation for a program component is detected, a target process associated with the program component can be started, thereby acquiring process parameters of the target process having an association relationship with the program component. The triggering operation may be, for example, a clicking operation for a program component or program control of a certain application program. The program component or the program control can be displayed on the target terminal in a mode of identification (such as an icon) of the application program, and when the object is detected to click the icon of the application program, the triggering operation for the program component is determined to be detected, and the target process corresponding to the application program is started.
In an alternative implementation, for example, the process parameters of each process may be preset, so that when the target process is started, the process parameters of the target process may be acquired. The target process may refer to a process started by a trigger operation, for example, the trigger operation is an operation of starting an instant messaging application, and then, by starting the target process, a process parameter of the target process may be called, for example, a system call function corresponding to the target process is called, so that the instant messaging application is started, and an application interface corresponding to the instant messaging application is displayed at the target terminal.
When a process is started, the execve function is executed; this function is a system call. If a triggering operation for a program component is detected, meaning that the application program associated with the program component needs to be started, the process associated with the program component can be started, the process parameters of the process are passed to the kernel, and the kernel performs the subsequent operations to start the program. The target terminal provides many system calls, and execve is one of them; the kernel has a corresponding system call number and a system call table for the various system calls. The system call table is an indexed array in which the call addresses corresponding to all the calls are stored. When the target object invokes the execve system call, the process parameters of the process are passed to the kernel; the parameters indicate a specific index into the system call table, so the corresponding kernel function address can be located from that index, and the corresponding program can be started by calling the located kernel function address.
In one embodiment, the triggering operation for the program component may be triggered by the target account number. For example, if a trigger operation of the target account number for the program component is detected, a target process associated with the program component is started. The target account may refer to a login account of an application program corresponding to the login program component, and the triggering operation of the target account with respect to the program component may refer to, for example, the triggering operation of the object using the target account with respect to the program component, and may refer to, for example, the clicking operation of the application program with respect to the object using the target account. It will be appreciated that the number of objects using the target account may be one or more, and any object that uses the target account to log into the application may be referred to as an object that uses the target account. By detecting the triggering operation of the object using the target account number on the program component, the target process associated with the program component can be started, so that the subsequent processes of collecting the process parameters, judging the process parameters and the like can be executed.
In another embodiment, the triggering operation for the program component may be triggered by a condition. For example, if a start condition of a program component is satisfied, a trigger operation for the program component is detected, and a target process associated with the program component is started. The starting condition of the program component comprises starting time of the program component, starting of an associated program of the program component or starting of the target terminal in a default state.
For example, when the current time satisfies the start time of the program component, the program component is started, thereby detecting a trigger operation for the program component, and a target process associated with the program component is started. Alternatively, one or more associated programs of the program component may be preset, and when any associated program is started, the program component is started, so that a triggering operation for the program component is detected, and a target process associated with the program component is started. Or when the target terminal is in a default state such as a starting state (i.e., a power-on start), the program component is started, so that a triggering operation for the program component is detected, and a target process associated with the program component is started.
In the embodiment of the application, when the trigger operation for the program component is triggered by a condition, the target account related to the trigger operation of the program component may be preset, and the target account may be the account logged in when the application program is started. For example, the target account may be a pre-bound account, the account saved when the application program was last logged out, a designated account, an account bound to the login account of an associated program, or the like. When the start condition of the program component is satisfied, the application program corresponding to the program component may be started, whereby a trigger operation for the program component is detected, the target process associated with the program component is started, and the subsequent steps of collecting the process parameters, judging the process parameters, and so on can be executed.
In one embodiment, the process parameters of the target process may be collected as follows: the initial address in the process parameters of the target process is modified to a target address, and the process parameters of the target process are acquired based on the target address.
The initial address is the address of the kernel function that would originally be called when the target process is executed. The target address may be used to obtain the process parameters of the target process; for example, the target address may refer to an address within the protection driver (a driver address). By modifying the kernel function address originally called when the target process is executed to the target address, the target terminal can perceive object behaviour whenever a trigger operation for the program component occurs on it, which is equivalent to detecting the target terminal in real time. The object behaviour can then be checked to determine whether an attack behaviour exists, and corresponding processing can be performed.
In alternative implementations, the initial address in the process parameters of the target process may be modified to the target address in the following manner. For example, the system call table may be obtained; the system call table includes the initial kernel function addresses corresponding to a plurality of processes, for example the initial kernel function addresses corresponding to all processes. The initial kernel function address corresponding to the target process is then looked up in the system call table and modified to the target address.
The system call table is globally visible and may be stored in the kernel of the operating system. The system call table may be, for example, an array in which a plurality of kernel function addresses are stored, such as the address of the error system call function and the addresses of the open, write and read functions. By acquiring the system call table, the initial kernel function address corresponding to the target process in the system call table can be modified to the target address, so that the system call table jumps to the target address; based on the target address, the behaviour of an object logging in to the application program with the target account can be perceived, and the process parameters of the target process can be acquired.
Because the process parameters of the target process are passed to the kernel when the execve system call is issued, and the process parameters indicate a specific index into the system call table, modifying the address at that index (i.e., the kernel function address in the array entry corresponding to execve) to the driver address causes the target process to jump to the driver address first when the execve system call is executed. Object behaviour such as the trigger operation of the target account on the program component can thus be perceived, and the process parameters of the target process can be acquired.
In an alternative implementation, a kernel hook technique may be used to collect the process parameters of the target process. The hook modifies the array at kernel level, changing the function address in the array entry corresponding to execve to an address within the hook's own driver. When the execve system call is executed, the target process first jumps to the driver address, so that object behaviour such as the trigger operation of the target account on the program component can be perceived, and the process parameters of the target process are thereby obtained.
S103, if the process parameter of the target process is a preset parameter, the process type of the target process is a target process type, and the permission of the target account related to the triggering operation is a first permission, determining that the triggering operation is an abnormal operation.
In the embodiment of the application, once the process parameters of the target process are acquired, they can be judged by a rule engine to determine whether the target process is a malicious process. If the target process is a malicious process, the trigger operation is determined to be an abnormal operation; the abnormal operation may refer, for example, to an operation that maliciously elevates the authority of the target account. If the target process is not a malicious process, the trigger operation is determined to be a normal operation. If the trigger operation for the program component is triggered by the target account, the target account is the account associated with the trigger operation; if the trigger operation is triggered by a condition, the target account may be the account currently logged in to the application program. The rule engine may be configured to determine whether the process parameters of the target process match a rule; for example, the rule may check whether the process parameter of the target process is the preset parameter, whether the process type of the target process is the target process type, and whether the authority of the target account associated with the trigger operation is the first authority. The specific method by which the rule engine determines whether the process parameters of the target process match the rule is described in step S209 below and is not repeated here. By judging the process parameters of the target process with the rule engine, it can be determined whether the target process is a malicious process, and corresponding processing can be performed according to the result.
In one embodiment, if the process parameter of the target process is the preset parameter, the process type of the target process is the target process type, and the authority of the target account related to the trigger operation is the first authority, the trigger operation is determined to be an abnormal operation. Here, the process parameter being the preset parameter means that the process parameters of the target process are null, and the target process type is a privileged process.
The preset parameter may be used, for example, to characterize the process parameters as null, i.e., empty. The privileged process may include, for example but without limitation, a set-user-id (suid) process or another privileged process. The first authority may refer to an ordinary authority, whose range of authority is lower. Optionally, when the target process is started, the driver may acquire the authority of the target account corresponding to the target process through a system interface.
In the embodiment of the application, when a target process is triggered on the target terminal, the process parameters of the target process are null, the process type of the target process is a privileged process type such as a suid process, and the authority of the target account is an ordinary authority, the trigger operation on the program component is an abnormal operation. The target account has only ordinary authority and not root authority, yet the process is being attacked by setting its process parameters to null so as to elevate the authority of the target account to root authority; this indicates that the object using the target account is an attacker. The attacker exploits a local privilege escalation vulnerability by setting the process parameters to null, raises the authority of the target account to root, and can then call interfaces that require root authority and obtain data within the scope of root authority, which increases the risk of data leakage and lowers system security. By detecting this attack behaviour, an alarm can be raised before the attacker achieves the privilege escalation, so that the attack behaviour can be handled and data security improved.
In another embodiment, if the process parameter of the target process is not the preset parameter, or the process type of the target process is not the target process type, or the authority of the target account is the second authority, the trigger operation is determined to be a normal operation. The range of the first authority is smaller than that of the second authority: the first authority may refer to an ordinary authority and the second authority to root authority, where root authority has a higher range of authority than ordinary authority. For example, if the permission to view certain data is set to root authority, an object using an account with root authority can view the data, whereas an object using an account with ordinary authority cannot. Likewise, if certain functions of the application program are set to require root authority, those functions cannot be used by an object using an account with ordinary authority, but can be used by an object using an account with root authority.
In the embodiment of the application, when a target process is started on the target terminal, if the process parameters of the target process are not null, or the process type of the target process is not a privileged process type such as a suid process, or the authority of the target account is root authority, the target process can be regarded as a normal process and the trigger operation of the target account as a normal operation. If the target account has root authority, there is no need to attack a privileged process by setting its process parameters to null in order to elevate the account's authority. If the target account does not have root authority but has not set the process parameters to null, it cannot elevate its own authority to root, so the target process is not a malicious process. If the target account does not have root authority and the process parameters are set to null, but the process type of the target process is not a privileged process such as suid, the target process is likewise not a malicious process. And if the target account does not have root authority, has not set the process parameters to null, and the process type of the target process is a privileged process such as suid, this also indicates that the target process is not a malicious process.
That is, when judging whether the target process is a malicious process, the three conditions (the process parameter is the preset parameter, the process type is the target process type, and the target account has the first authority) are combined: if any one or more of them is not met, the target process is not a malicious process and the trigger operation of the target account is a normal operation; only when all three are met is the target process a malicious process and the trigger operation an abnormal operation. By judging the process parameters of the target process in this way, a malicious process can be identified before the target process is executed, so that it can be handled and data security improved. Because several conditions are combined in the judgement, misjudgements are reduced and the accuracy of the security detection is improved.
In an alternative implementation, before the system call table is modified, it may be backed up to obtain a backup call table, so that control can afterwards be returned to the initial address via the backup call table. For example, when the system call table is acquired, it is backed up to obtain a backup call table whose data are identical to those of the system call table; if the trigger operation is a normal operation, control jumps back to the initial kernel function address corresponding to the target process in the backup call table, so that the initial kernel function is called to run the target process. A normal trigger operation means that the current process is not a malicious process, so control can return to the initial address in the process parameters of the target process; because the system call table was backed up before it was modified, the initial address in the backup call table, namely the initial kernel function address corresponding to the target process, can be jumped back to and called to run the target process.
In an alternative implementation, when the process parameters are obtained through the kernel hook technique, the process parameters may be backed up, for example by backing up the initial address in the process parameters. The initial address in the process parameters is modified to the target address, such as a driver address, by the kernel hook technique, and a corresponding function can be executed at the driver address, for example a function that judges whether the process parameters are those of a malicious process. When the process parameters are judged not to belong to a malicious process, control can jump to the initial address on the basis of the backup and execute the original kernel function. Because the initial address is backed up when it is modified, it remains known, and after the function at the target address has run, control can jump back to the initial address, so that normal trigger operations are not hindered, for example the start of an application program is not affected.
S104, outputting prompt information.
In the embodiment of the application, when the trigger operation is determined to be an abnormal operation, an alarm can be raised for the abnormal operation to warn of the threat to system security. The alarm mode may include, but is not limited to, mail, telephone, short message (SMS), or another instant-messaging alarm mode. Optionally, the alarm mode may consist of outputting prompt information: prompt information indicating that the trigger operation is an abnormal operation is generated and then output. The prompt information may include the process parameters of the target process, so that outputting it signals that the trigger operation is an abnormal operation. For example, by outputting the process parameters of the target process, the trigger operation of the target account can be flagged as an abnormal operation, so that the abnormal operation of the target account can be handled.
The process parameters of the target process may include at least one of the identification of the target account, the identification of the target process, the initial address of the target process and the authority of the target account. The prompt information may include at least one of the identification of the target terminal, the type of operating system running on the target terminal, the identification of the target object, the identification of the target process, the initial address of the target process, the authority of the target account and the date and time of the trigger operation, and may further include other information. For example, the identification of the target account may refer to the name of the target account or its account ID (Identity Document, identification number), and the identification of the target process may refer to the name or the number of the target process.
In one implementation, the target terminal may send the prompt information to a management terminal, which processes the abnormal operation according to the process parameters of the target process. The management terminal and the target terminal are different terminals; for example, the management terminal may be a background control terminal that centrally manages a plurality of target terminals, or a terminal used by an administrator, and so on.
In the embodiment of the application, the prompt information may be sent to the management terminal by one or more of mail, telephone, short message or another instant-messaging mode. Sending the prompt information to the management terminal when the trigger operation is determined to be an abnormal operation allows the prompt information to be output on the management terminal in time and prompts the management terminal to process the abnormal operation. The administrator can thus promptly learn of the abnormal operation triggered by the target account and handle it promptly, for example by anomaly inspection, permission modification or interception of the operation. Because the management terminal and the target terminal are different terminals, sending the prompt information to the management terminal lets the administrator learn the state of the target terminal without logging in to it, and handle it in time.
In one possible implementation, when the prompt information is sent to the management terminal, an alarm mode corresponding to the target account may be selected. For example, the number of times the trigger operations of the target account on the program component have been determined to be abnormal operations (the abnormal count) may be counted. If the abnormal count is greater than a count threshold, the prompt information is sent to the management terminal in a first alarm mode.
By counting how many times the trigger operations of the target account on the program component were abnormal operations, it can be determined whether the target account is a risk account, that is, whether the object logged in with the account is an attacker. If the abnormal count is greater than the count threshold, the target account frequently performs abnormal operations and can be regarded as a risk account, i.e., an attacker readily uses the target account to perform trigger operations on the program component, so the prompt information can be sent to the management terminal in a first alarm mode with a higher degree of urgency. For example, the first alarm mode may include, but is not limited to, a telephone alarm, a voice-call alarm or a video-call alarm, or a combination such as telephone plus short message, telephone plus mail, voice call plus short message, or voice call plus mail. The first alarm mode may also include, but is not limited to, a continuous alarm or a pop-up alarm, and so on. Alarming in a mode with a higher degree of urgency raises the attention the administrator gives to the alarm, so that it can be handled as soon as possible.
Optionally, if the abnormal count is less than or equal to the count threshold, a second alarm mode is used to send the prompt information to the management terminal, where the first alarm mode has a higher degree of urgency than the second. An abnormal count at or below the threshold indicates that the target account performs few abnormal operations and is not a risk account, so a second alarm mode with a lower degree of urgency can be selected for sending the prompt information to the management terminal. For example, the second alarm mode may include, but is not limited to, a short message alarm, a mail alarm, a notification message alarm and the like. Alarming in the second mode still achieves the purpose of alarming, so that the administrator can handle the alarm, without disturbing the normal operation of the management terminal.
In one possible implementation, the target account may also be checked against a blacklist to determine whether its trigger operation on the program component is an abnormal operation. For example, a blacklist including at least one abnormal account may be obtained; if a trigger operation of the target account on the program component is detected and the target account belongs to the blacklist, the trigger operation is determined to be an abnormal operation and prompt information is output. If a trigger operation of the target account on the program component is detected and the target account does not belong to the blacklist, the target process associated with the program component is started and its process parameters are acquired based on the data acquisition function.
The blacklist may be determined in advance from known abnormal accounts, or by judging the historical abnormal operations of a plurality of accounts. When a trigger operation of the target account on the program component is detected, the target account is matched against the blacklist; if it belongs to the blacklist, it is an abnormal account, its trigger operation on the program component can be regarded as an abnormal operation, and prompt information is output to alert the administrator, which improves prompting efficiency. If the target account does not belong to the blacklist, the target process associated with the program component can be started and its process parameters acquired based on the data acquisition function, so that whether the trigger operation of the target account on the program component is abnormal is determined by judging the process parameters of the target process, which improves the accuracy of the security detection.
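The three-condition rule of step S103, the alarm-mode selection by abnormal count, the blacklist check above and the process whitelist of step S203 below, modelled together as a small user-space rule engine. This is an added example, not the patent's or the assignee's code: the event fields, the `RuleEngine` class, the account names and executable paths are constructed for illustration, and the kernel-side "jump back to the initial address" is represented only by the verdict text.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

ROOT_UID = 0  # root authority (second authority); any other uid is the ordinary first authority


@dataclass
class ExecEvent:
    """One execve event as the data acquisition hook would hand it to the rule engine.

    The field names are this example's own; the patent only speaks of "process parameters".
    """
    account: str               # identification of the target account
    uid: int                   # uid the target process is started with
    exe: str                   # identification of the target process (binary path)
    is_suid: bool              # True if the binary carries the set-user-id bit (privileged process)
    argv: List[Optional[str]]  # process parameters passed to execve


@dataclass
class Verdict:
    abnormal: bool
    reason: str
    alert_mode: Optional[str]             # None when no alarm is raised
    prompt: Optional[Dict[str, object]]   # prompt information for the management terminal


def is_preset_parameter(argv: List[Optional[str]]) -> bool:
    """Preset parameter: the process parameters are null (there is no usable argv[0])."""
    return len(argv) == 0 or argv[0] is None


def is_first_authority(uid: int) -> bool:
    """First authority means ordinary (non-root) authority."""
    return uid != ROOT_UID


def three_condition_rule(ev: ExecEvent) -> bool:
    """All three conditions must hold; if any one fails the trigger operation is normal."""
    return is_preset_parameter(ev.argv) and ev.is_suid and is_first_authority(ev.uid)


@dataclass
class RuleEngine:
    blacklist: Set[str] = field(default_factory=set)   # abnormal accounts (constructed)
    whitelist: Set[str] = field(default_factory=set)   # process paths released without judging
    count_threshold: int = 3                           # the "times threshold"
    first_alert_mode: str = "phone"                    # higher degree of urgency
    second_alert_mode: str = "sms"                     # lower degree of urgency
    anomaly_counts: Dict[str, int] = field(default_factory=dict)  # abnormal count per account

    def _prompt(self, ev: ExecEvent, reason: str) -> Dict[str, object]:
        # Prompt information: process parameters plus the reason the rule matched.
        return {"account": ev.account, "process": ev.exe, "argv": list(ev.argv),
                "uid": ev.uid, "suid": ev.is_suid, "reason": reason}

    def _alert(self, ev: ExecEvent, reason: str) -> Verdict:
        # Count this account's abnormal operations and pick the alarm mode by the threshold.
        n = self.anomaly_counts.get(ev.account, 0) + 1
        self.anomaly_counts[ev.account] = n
        mode = self.first_alert_mode if n > self.count_threshold else self.second_alert_mode
        return Verdict(True, reason, mode, self._prompt(ev, reason))

    def evaluate(self, ev: ExecEvent) -> Verdict:
        # Blacklisted accounts are abnormal before the process is even judged.
        if ev.account in self.blacklist:
            return self._alert(ev, "account on blacklist")
        # Whitelisted processes are released immediately.
        if ev.exe in self.whitelist:
            return Verdict(False, "process on whitelist", None, None)
        if three_condition_rule(ev):
            return self._alert(ev, "null argv on suid binary from ordinary account")
        # Normal operation: the hook would jump back to the backed-up initial address.
        return Verdict(False, "rule not matched; jump back to initial address", None, None)


if __name__ == "__main__":
    engine = RuleEngine(blacklist={"mallory"}, whitelist={"/usr/bin/trusted-tool"})
    # Constructed events: an empty argv on a suid binary from an ordinary account is abnormal.
    print(engine.evaluate(ExecEvent("alice", 1000, "/usr/bin/privtool", True, [])))
    print(engine.evaluate(ExecEvent("alice", 1000, "/usr/bin/privtool", True, ["privtool", "-h"])))
```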
In one implementation, the prompt information may be output on a display screen of the management terminal. The prompt information may also be output, for example, through a display screen of the target terminal, or through an external interface of the management terminal. By outputting the prompt information on a display screen, the administrator can review the abnormal operation of the target account from the displayed prompt information, determine the terminal concerned, the type of operating system on that terminal and the threat behaviour that raised the alarm, and carry out targeted processing.
In an alternative implementation, the prompt information may also be output on the display screen of the target terminal. For example, when the trigger operation of the target account is a mis-trigger by the object using the target account, displaying the prompt information can prompt that object to modify the process parameters of the target process so that the corresponding application program starts normally or the corresponding data is obtained. By outputting the prompt information on the display screen, the target object can view it, which makes the correction convenient.
As shown in fig. 4, fig. 4 is a schematic view of a process parameter detection scenario provided by an embodiment of the present application. A protection application may be deployed on the operating system of a target terminal 41, for example on platforms such as Android, Ubuntu, CentOS and the like. After the protection application is started, turning on the data acquisition function switch in the protection application lets it detect trigger operations for the program component and acquire the process parameters of the target process associated with the program component through the data acquisition function. Further, the rule engine 42 determines whether the target process is a malicious process and transmits the process parameters of the malicious process as an alarm to the alarm system 43, such as an endpoint detection and response (EDR) system, which provides a visual threat behaviour alarm. Optionally, the EDR can combine the process parameters with data analysis, chart analysis and similar methods to present a complete visual diagram of the threat attack chain, so that a risky host can be located within seconds in a complex network and operation and maintenance costs are greatly reduced.
For example, in a local vulnerability scenario, an object A may log in to a target terminal P using a target account, where the target terminal P may be, for example, a Linux server, a Linux desktop distribution or an Android device on which the protection application is loaded. When the protection application collects the process parameters of the target process and passes them to the rule engine, the rule engine judges the process parameters to determine whether the current trigger operation of the target account is a privilege escalation initiated through the vulnerability in which the argv parameter is null. If it is, the object A that logged in to the target terminal P with the target account is an attacker. Because the process parameters collected during the privilege escalation attack match the rule in the rule engine, the threat is discovered, the protection application can report the event, such as the process parameters, to the EDR, and the EDR displays the alarm to the relevant objects, such as an administrator, so that the attack can be handled accordingly.
In the embodiment of the application, the security detection is implemented with the kernel hook technique, so the security protection application can be started on any kernel version. Because the kernel hook technique is based on a hot-pluggable driver, the security protection application can be started without upgrading the kernel or restarting the machine. Further, through linkage with the EDR, threat activity is fed back to the EDR in real time as it occurs, and visual threat activity alarms can be provided. In addition, the technical scheme of the application protects against the general pattern of a series of attack behaviours caused by the argv parameter defect in the design of the Linux system, and can accurately detect the related threats.
Alternatively, besides the execve system call, the hook target of the data acquisition phase may be the bprm_check_security function provided by the Linux kernel security framework (one calling function) or the Linux kernel's search_binary_handler function (another calling function). Because every process call is executed by jumping through the system call table to a target function address (e.g., a kernel call address), the target function address of the execve system call can be regarded as the starting point of the kernel's execution of that call, and bprm_check_security and search_binary_handler are two functions that are necessarily executed from that starting point. The purpose of the hook is to perceive the execution of the execve system call, so hooking any one of these necessarily executed functions suffices to perceive the operation of the target account on the target terminal and acquire the process parameters.
In the embodiment of the application, the protection application is deployed on the target terminal and its data acquisition function is started; when a trigger operation for the program component is detected, the target process associated with the program component can be started and its process parameters acquired based on the data acquisition function. Because the process parameters of the target process are preset and associated with the program component, detecting a trigger operation for the program component allows the associated target process to be started and its process parameters acquired. If the process parameter of the target process is the preset parameter, the process type of the target process is the target process type, and the authority of the target account related to the trigger operation is the first authority, the trigger operation is determined to be an abnormal operation, and prompt information indicating that the trigger operation is abnormal is output. Security detection of the trigger operation is thus achieved by checking the process parameters of the target process and determining whether the trigger operation is abnormal, for example an operation that exploits a vulnerability to elevate the user's authority. Once an abnormal operation is determined, vulnerability protection is achieved by handling it, for example by outputting prompt information, and data security is improved.
Further, referring to fig. 5, fig. 5 is a flow chart of another vulnerability protection method according to an embodiment of the present application. The vulnerability protection method can be applied to computer equipment; as shown in fig. 5, the vulnerability protection method includes, but is not limited to, the following steps:
S201, deploying a protection application on the target terminal, and starting a data acquisition function in the protection application.
In a specific implementation, for example, an administrator may log in to the target terminal in advance to deploy the protection application and start its data acquisition function; any object that subsequently logs in to the target terminal will then trigger the data acquisition function when it executes an operation instruction on the terminal.
S202, when the target account logs in to the target terminal, a triggering operation of the target account on a program component of the target terminal is detected.
Here, the target account may be any account logged in to an application program on the target terminal, and when any account logs in to an application program on the target terminal, the operation triggered by that account on the target terminal can be detected. If the target account does not trigger an operation on the target terminal, the target terminal can continue to be monitored through the protection application until a triggering operation of the target account on a program component of the target terminal is detected.
S203, if the triggering operation of the target account is detected, triggering the data acquisition function, starting a target process based on the triggering operation of the target account, and acquiring process parameters of the target process based on the data acquisition function.
Here, an object logged in to the target terminal with the target account calls a process whenever it executes any application program on the target terminal, and this can trigger the data acquisition function. When it is detected that an object using the target account executes an application program on the target terminal, for example starts an instant messaging application program, a triggering operation of the target account on a program component of the instant messaging application program can be considered detected; the data acquisition function is triggered, the target process associated with the instant messaging application program is started based on the triggering operation of the target account, and the process parameters of the target process are acquired based on the data acquisition function. The target process is a process that must be started when the instant messaging application program runs on the target terminal.
In an alternative implementation, a process whitelist may be preset, containing at least one process. When the target process generated by the triggering operation of the target account belongs to the process whitelist, the triggering operation of the target account can be determined to be a normal operation, and the target process is released. When the target process generated by the triggering operation of the target account does not belong to the process whitelist, whether the triggering operation is an abnormal operation can be further judged in combination with the process parameters of the target process. Setting a process whitelist allows the target process to be matched quickly to determine whether it is a normal process.
S204, judging whether the process parameters of the target process are preset parameters.
In the embodiment of the present application, if yes, that is, if the process parameter of the target process is the preset parameter, step S205 is executed to determine whether the process type of the target process is the target process type. If not, that is, if the process parameter of the target process is not the preset parameter, step S209 is executed to determine that the triggering operation of the target object is a normal operation.
S205, judging whether the process type of the target process is the target process type.
In the embodiment of the present application, if yes, that is, if the process type of the target process is the target process type (for example, if the target process is determined to be a suid process), step S206 is executed to determine whether the permission of the target account is the first permission. If not, that is, if the process type of the target process is not the target process type, step S209 is executed to determine that the triggering operation of the target account is a normal operation.
S206, judging whether the authority of the target account is the first authority.
In the embodiment of the present application, if the authority of the target account is the first authority, step S207 is executed to determine that the triggering operation of the target account is an abnormal operation. If not, that is, the authority of the target account is not the first authority, for example, the authority of the target account is the second authority, step S209 is executed to determine that the triggering operation of the target account is the normal operation.
It is understood that the execution sequence of steps S204 to S206 may be changed in the embodiment of the present application, for example, step S205 is executed first, then step S204 and step S206 are executed, or step S206 is executed first, then step S204 and step S205 are executed, or step S204 is executed first, then step S206 and step S205 are executed, so that the same effect can be achieved.
S207, determining that the triggering operation of the target account number is abnormal operation.
When the judging results of steps S204 to S206 are all yes, that is, the process parameter of the target process is the preset parameter, the process type of the target process is the target process type, and the permission of the target account is the first permission, it is determined that the target process is a malicious process for escalating the permission of the account, so that the triggering operation of the target account is an abnormal operation.
S208, outputting prompt information.
Here, the prompt information may be displayed through a display screen of the target terminal, or may be transmitted to the management terminal, and the management terminal may process the abnormal operation based on the prompt information.
S209, determining that the triggering operation of the target account number is normal operation.
If one or more of the judging results in steps S204 to S206 is no, that is, the process parameter of the target process is not the preset parameter, or the process type of the target process is not the target process type, or the authority of the target object is not the first authority, it is determined that the target process is not a process for maliciously escalating the authority of the object, that is, the target process is a normal process, and the triggering operation of the target object is a normal operation.
In an optional implementation, when the target account with the first authority executes a target process of the target process type, such as a suid process, and the argv parameter of the suid process is not the preset parameter (that is, it is not null), the rule engine can pass the suid process, so that the suid process is invoked normally to execute the corresponding operation.
Further, when the target account with the first authority attacks the suid process by exploiting the design defect that allows the argv parameter to be empty, the argv parameter of the suid process is empty; in that attack the current process is the suid process; and the main aim of that attack is to escalate authority, that is, to raise the first authority of the target account to a second authority such as root authority through unexpected behaviour and without password verification. When the permission of the target account is ordinary permission, the target process is a suid process, and the process parameters of the target process are null, the target account is indicated to be an abnormal account; for example, the object logged in to the target account is an attack object. When the process parameters of the target process corresponding to the attack object meet these three conditions, they are captured by the rule engine. When the rule engine determines that the target process is a process for maliciously escalating the object's rights, the rule engine can, for example, intercept the target process so as to prevent it from continuing to run and achieving the malicious escalation, and synchronize the process parameters of the target process to an alarm system such as an EDR. The EDR may communicate this alarm to an administrator; for example, the EDR may present it visually on the management terminal, so that the administrator is aware of the current alarm information of the target terminal.
In an alternative implementation, the basic principle of the embodiment of the present application includes selection of a kernel hook target, and the design of the rule engine may be, for example, as follows:
The kernel hook target in the embodiment of the application can be the execve family of system calls. After such a system call is executed, the data acquisition function is activated, so that the process parameters of the current process can be acquired; for example, the attributes of the current process (such as whether it is a suid process) and the account authority to which the current process belongs can be acquired.
Further, the rules engine mainly covers the following three rules:
1. Whether the process parameters of the current process are null. The process parameters of a normal process are not null, so general programming practice often references argv[0] directly as the process name. However, because of a design defect in the Linux kernel, when a process is started through the execve system call the argv process parameters may be empty, and the Linux kernel does not handle this exception; an attacker therefore often exploits this defect against a high-authority process such as a suid process in order to escalate the attacker's object authority.
2. Whether the current process is a suid process. An attacker who exploits the argv design defect against the system aims at a high-authority process as the target of privilege escalation, and argv is controllable by the attacker, so the suid process is a common attack target.
3. Whether the authority of the account is ordinary authority. The purpose of the attacker is to escalate their own authority, so the account used by the attacker should hold only ordinary authority when the attack is carried out.
By setting the three rules, the method can ensure that an attacker can be captured in time and does not generate false alarm when the attacker attacks the operating system by using argv design defects.
In the embodiment of the application, the kernel hook technology can collect the process starting parameters, such as the process parameters of the current process, so that the characteristics of the process parameters can be judged; at the same time, by combining the authority characteristics of the account that starts the current process, it is further judged whether the current process is an attack process. For example, when a suid privileged process is started with an empty argv parameter while the object running it has only ordinary authority, the combination of these two characteristics indicates an attack behaviour, that is, the current process is a malicious privilege-escalation process.
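As an added example (not the patent's own code), the following Python models the three-rule engine of this section in user space, together with the process whitelist, account blacklist and alarm-count threshold that the device description below also mentions; the event field names, the constructed sample events and the "first"/"second" alarm-mode labels are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

ROOT_UID = 0  # the "second authority" (root) in the text's terms


@dataclass(frozen=True)
class ProcessStartEvent:
    """One record the data acquisition hook is assumed to emit after an
    execve-family system call. Field names are this example's assumptions."""
    pid: int
    exe: str               # path of the executed file
    argv: Tuple[str, ...]  # argv as passed to execve; () models the empty case
    uid: int               # real uid of the account that triggered the start
    exe_setuid: bool       # setuid bit set on the executable (privileged process)


@dataclass(frozen=True)
class Verdict:
    abnormal: bool
    reason: str
    alarm_mode: Optional[str] = None  # "first" (urgent) or "second" when abnormal


@dataclass
class RuleEngine:
    """The three rules from the text, plus the optional process whitelist,
    account blacklist and abnormal-count threshold."""
    process_whitelist: FrozenSet[str] = frozenset()
    account_blacklist: FrozenSet[int] = frozenset()
    times_threshold: int = 3
    _abnormal_counts: Dict[Tuple[int, str], int] = field(default_factory=dict)

    # Rule 1: the process parameter is the preset parameter, i.e. argv is empty.
    @staticmethod
    def argv_is_empty(ev: ProcessStartEvent) -> bool:
        return len(ev.argv) == 0

    # Rule 2: the process is of the target type, i.e. a suid (privileged) process.
    @staticmethod
    def is_suid_process(ev: ProcessStartEvent) -> bool:
        return ev.exe_setuid

    # Rule 3: the account holds the first (ordinary) authority, not root.
    @staticmethod
    def is_ordinary_account(ev: ProcessStartEvent) -> bool:
        return ev.uid != ROOT_UID

    def evaluate(self, ev: ProcessStartEvent) -> Verdict:
        # Blacklisted accounts are flagged before any process inspection.
        if ev.uid in self.account_blacklist:
            return self._alert(ev, "account is on the blacklist")
        # Whitelisted processes are released without further judgement.
        if ev.exe in self.process_whitelist:
            return Verdict(False, "process is on the whitelist")
        # The three rules; the text notes that their order does not matter.
        rules = {
            "argv is empty": self.argv_is_empty(ev),
            "suid process": self.is_suid_process(ev),
            "ordinary account": self.is_ordinary_account(ev),
        }
        unmet = [name for name, hit in rules.items() if not hit]
        if unmet:
            return Verdict(False, "normal operation; not matched: " + ", ".join(unmet))
        return self._alert(ev, "all three rules matched: suspected privilege escalation")

    def _alert(self, ev: ProcessStartEvent, reason: str) -> Verdict:
        # Count abnormal operations per (account, component); above the
        # threshold the more urgent first alarm mode is used.
        key = (ev.uid, ev.exe)
        count = self._abnormal_counts.get(key, 0) + 1
        self._abnormal_counts[key] = count
        mode = "first" if count > self.times_threshold else "second"
        return Verdict(True, reason, mode)


# Constructed sample events for illustration (not real telemetry).
SAMPLE_EVENTS = (
    ProcessStartEvent(101, "/usr/bin/passwd", ("passwd",), 1000, True),  # normal suid use
    ProcessStartEvent(102, "/usr/bin/passwd", (), 1000, True),           # empty argv, ordinary user
    ProcessStartEvent(103, "/usr/bin/passwd", (), 0, True),              # empty argv, but root
    ProcessStartEvent(104, "/usr/bin/cat", (), 1000, False),             # empty argv, not suid
    ProcessStartEvent(105, "/usr/bin/ping", (), 1000, True),             # whitelisted below
)


def run_engine(engine: RuleEngine, events=SAMPLE_EVENTS):
    """Evaluate every event in order and return the verdicts."""
    return [engine.evaluate(ev) for ev in events]


if __name__ == "__main__":
    engine = RuleEngine(process_whitelist=frozenset({"/usr/bin/ping"}))
    for ev, v in zip(SAMPLE_EVENTS, run_engine(engine)):
        print(f"pid={ev.pid} exe={ev.exe} abnormal={v.abnormal} mode={v.alarm_mode} ({v.reason})")
```

Only the second sample event is flagged: the same suid binary with a non-empty argv, the same empty argv under root, and an empty argv on a non-suid binary all fall through as normal.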
The method of the embodiment of the application is described above, and the device of the embodiment of the application is described below.
Referring to fig. 6, fig. 6 is a schematic structural diagram of a vulnerability protection device according to an embodiment of the present application, where the vulnerability protection device may be deployed on a computer device; the vulnerability protection device can be used for executing corresponding steps in the vulnerability protection method provided by the embodiment of the application. The vulnerability protection device 60 includes:
an application deployment unit 601, configured to deploy a protection application on a target terminal, and open a data acquisition function in the protection application;
the parameter acquisition unit 602 is configured to, if a trigger operation for a program component is detected, start a target process associated with the program component, and acquire a process parameter of the target process based on the data acquisition function; the process parameters of the target process are preset and have an association relationship with the program component;
an anomaly determination unit 603, configured to determine that the trigger operation is an anomaly operation if the process parameter of the target process is a preset parameter, the process type of the target process is a target process type, and the permission of the target account related to the trigger operation is a first permission;
An information prompt unit 604 for outputting prompt information; the prompt information comprises process parameters of the target process, and is used for prompting the triggering operation to be abnormal operation.
Optionally, the anomaly determination unit 603 is further configured to:
if the process parameter of the target process is not a preset parameter, the process type of the target process is not a target process type, or the permission of the target account is a second permission, determining that the triggering operation is a normal operation; the authority range of the first authority is smaller than that of the second authority.
Optionally, the parameter acquisition unit 602 is specifically configured to:
modifying an initial address in process parameters of the target process into a target address; the initial address is the initial kernel function address which needs to be called for executing the target process;
and collecting the process parameters of the target process based on the target address.
Optionally, the parameter acquisition unit 602 is specifically configured to:
acquiring a system call table; the system call table comprises initial kernel function addresses corresponding to a plurality of processes;
and searching an initial kernel function address corresponding to the target process from a system call table, and modifying the initial kernel function address into the target address.
Optionally, the vulnerability protection device 60 further includes: an address jumping unit 605, the address jumping unit 605 being configured to:
when the system call table is acquired, backing up the system call table to obtain a backup call table; the backup call table is the same as the data in the system call table;
if the triggering operation is normal operation, the initial kernel function address corresponding to the target process in the backup call table is jumped back to call the initial kernel function address to run the target process.
Optionally, the parameter acquisition unit 602 is specifically configured to:
if the triggering operation of the target account number aiming at the program component is detected, starting a target process associated with the program component; or if the starting condition of the program component is met, detecting a triggering operation for the program component, and starting a target process associated with the program component;
the starting condition of the program component comprises the starting time of the program component or the starting of an associated program of the program component.
Optionally, the preset parameter is used to represent that the process parameter of the target process is null, and the target process type is a privileged process.
Optionally, the process parameter of the target process includes at least one of an identification of the target account number, an identification of the target process, an initial address of the target process, and a right of the target account number; the information prompt unit 604 is specifically configured to:
The prompt message is displayed in a display screen.
Optionally, the process parameter of the target process includes at least one of an identification of the target object, an identification of the target process, an initial address of the target process, and a right of the target object; the information prompt unit 604 is specifically configured to:
the prompt information is sent to a management terminal; the management terminal is used for processing the abnormal operation according to the process parameters of the target process.
Optionally, the information prompting unit 604 is specifically configured to:
counting the abnormal times of the triggering operation of the target account aiming at the program component as abnormal operation;
if the abnormal times are greater than the times threshold, the prompt information is sent to the management terminal in a first alarm mode;
if the abnormal times are smaller than or equal to the times threshold, a second alarming mode is adopted to send the prompt information to the management terminal; the first alarm mode has a higher degree of urgency than the second alarm mode.
Optionally, the vulnerability protection device 60 further includes: an account number comparing unit 606, the account number comparing unit 606 is configured to:
obtaining a blacklist; the blacklist comprises at least one abnormal account;
If the triggering operation of the target account aiming at the program component is detected and the target account belongs to the blacklist, determining that the triggering operation of the target account aiming at the program component is abnormal operation and outputting prompt information;
if the triggering operation of the target account number on the program component is detected and the target account number does not belong to the blacklist, starting a target process associated with the program component, and acquiring process parameters of the target process based on the data acquisition function.
It should be noted that, in the embodiment corresponding to fig. 6, the content not mentioned may be referred to the description of the method embodiment, and will not be repeated here.
Referring to fig. 7, fig. 7 is a schematic diagram of a composition structure of a computer device according to an embodiment of the present application. As shown in fig. 7, the above-described computer device 70 may include: a processor 701 and a memory 702. The processor 701 is connected to a memory 702, for example, the processor 701 may be connected to the memory 702 through a bus. Optionally, the computer device 70 may further include: a network interface 703, wherein the network interface 703 is coupled to the processor 701 and the memory 702, e.g., the processor 701 may be coupled to the memory 702 and the network interface 703 via a bus. The computer device may be a terminal device or a server.
The processor 701 is configured to support the vulnerability protection device to perform the corresponding functions in the vulnerability protection method described above. The processor 701 may be a central processing unit (Central Processing Unit, CPU), a network processor (Network Processor, NP), a hardware chip or any combination thereof. The hardware chip may be an Application-specific integrated circuit (ASIC), a programmable logic device (Programmable Logic Device, PLD), or a combination thereof. The PLD may be a complex programmable logic device (Complex Programmable Logic Device, CPLD), a Field programmable gate array (Field-Programmable Gate Array, FPGA), general array logic (Generic Array Logic, GAL), or any combination thereof.
The memory 702 stores program codes and the like. The Memory 702 may include Volatile Memory (VM), such as random access Memory (Random Access Memory, RAM); the Memory 702 may also include a Non-Volatile Memory (NVM), such as Read-Only Memory (ROM), flash Memory (flash Memory), hard Disk (HDD) or Solid State Drive (SSD); the memory 702 may also include a combination of the above types of memory.
The network interface 703 is used to provide network communication functions.
The processor 701 may call the program code to:
deploying a protection application on a target terminal, and starting a data acquisition function in the protection application;
if the triggering operation for the program component is detected, starting a target process associated with the program component, and acquiring process parameters of the target process based on the data acquisition function; the process parameters of the target process are preset and have an association relationship with the program component;
if the process parameter of the target process is a preset parameter, the process type of the target process is a target process type, and the authority of the target account related to the trigger operation is a first authority, determining that the trigger operation is an abnormal operation;
Outputting prompt information; the prompt information comprises process parameters of the target process, and is used for prompting the triggering operation to be abnormal operation.
Optionally, the processor 701 is further configured to:
if the process parameter of the target process is not a preset parameter, the process type of the target process is not a target process type, or the permission of the target account is a second permission, determining that the triggering operation is a normal operation; the authority range of the first authority is smaller than that of the second authority.
Optionally, the processor 701 is specifically configured to:
modifying an initial address in process parameters of the target process into a target address; the initial address is the initial kernel function address which needs to be called for executing the target process;
and collecting the process parameters of the target process based on the target address.
Optionally, the processor 701 is specifically configured to:
acquiring a system call table; the system call table comprises initial kernel function addresses corresponding to a plurality of processes;
and searching an initial kernel function address corresponding to the target process from a system call table, and modifying the initial kernel function address into the target address.
Optionally, the processor 701 is specifically further configured to:
When the system call table is acquired, backing up the system call table to obtain a backup call table; the backup call table is the same as the data in the system call table;
if the triggering operation is normal operation, the initial kernel function address corresponding to the target process in the backup call table is jumped back to call the initial kernel function address to run the target process.
Optionally, the processor 701 is specifically configured to:
if the triggering operation of the target account number aiming at the program component is detected, starting a target process associated with the program component; or if the starting condition of the program component is met, detecting a triggering operation for the program component, and starting a target process associated with the program component;
the starting condition of the program component comprises the starting time of the program component or the starting of an associated program of the program component.
Optionally, the preset parameter is used to represent that the process parameter of the target process is null, and the target process type is a privileged process.
Optionally, the process parameter of the target process includes at least one of an identification of the target account number, an identification of the target process, an initial address of the target process, and a right of the target account number; the processor 701 is specifically configured to:
The prompt message is displayed in a display screen.
Optionally, the process parameter of the target process includes at least one of an identification of the target object, an identification of the target process, an initial address of the target process, and a right of the target object; the processor 701 is specifically configured to:
the prompt information is sent to a management terminal; the management terminal is used for processing the abnormal operation according to the process parameters of the target process.
Optionally, the processor 701 is specifically configured to:
counting the abnormal times of the triggering operation of the target account aiming at the program component as abnormal operation;
if the abnormal times are greater than the times threshold, the prompt information is sent to the management terminal in a first alarm mode;
if the abnormal times are smaller than or equal to the times threshold, a second alarming mode is adopted to send the prompt information to the management terminal; the first alarm mode has a higher degree of urgency than the second alarm mode.
Optionally, the processor 701 is further configured to:
obtaining a blacklist; the blacklist comprises at least one abnormal account;
if the triggering operation of the target account aiming at the program component is detected and the target account belongs to the blacklist, determining that the triggering operation of the target account aiming at the program component is abnormal operation and outputting prompt information;
If the triggering operation of the target account number on the program component is detected and the target account number does not belong to the blacklist, starting a target process associated with the program component, and acquiring process parameters of the target process based on the data acquisition function.
It should be understood that the computer device 70 described in the embodiment of the present application may perform the vulnerability protection method of the embodiments corresponding to fig. 3 and fig. 5, and may also perform the functions of the vulnerability protection device of the embodiment corresponding to fig. 6, which are not described again here. In addition, the description of the beneficial effects of the same method is omitted.
Optionally, the program instructions may further implement other steps of the method in the above embodiment when executed by the processor, which is not described herein.
The embodiments of the present application also provide a computer readable storage medium storing a computer program comprising program instructions which, when executed by a computer, cause the computer to perform a method as in the previous embodiments, the computer being part of a computer device as mentioned above. As an example, the program instructions may be executed on one computer device or on multiple computer devices located at one site, or alternatively, on multiple computer devices distributed across multiple sites and interconnected by a communication network, which may constitute a blockchain network.
Embodiments of the present application also provide a computer program product comprising a computer program/instruction which, when executed by a processor, performs some or all of the steps of the above method. For example, the computer instructions are stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the computer device performs the steps performed in the embodiments of the methods described above.
Those skilled in the art will appreciate that all or part of the processes in the methods of the above embodiments may be implemented by a computer program instructing the relevant hardware, where the program may be stored in a computer readable storage medium and, when executed, may include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM), or the like.
The foregoing disclosure is illustrative of the present application and is not to be construed as limiting the scope of the application, which is defined by the appended claims.

Claims (13)

1. A vulnerability protection method, the method comprising:
deploying a protection application on a target terminal, and starting a data acquisition function in the protection application;
if the triggering operation for the program component is detected, starting a target process associated with the program component, and acquiring process parameters of the target process based on the data acquisition function; the process parameters of the target process are preset and have an association relationship with the program component;
if the process parameter of the target process is a preset parameter, the process type of the target process is a target process type, and the authority of the target account associated with the triggering operation is a first authority, determining that the triggering operation is an abnormal operation;
outputting prompt information; the prompt information comprises process parameters of the target process, and is used for prompting the triggering operation to be abnormal operation.
2. The method according to claim 1, wherein the method further comprises:
if the process parameter of the target process is not the preset parameter, the process type of the target process is not the target process type, or the authority of the target account is a second authority, determining that the triggering operation is a normal operation; the authority range of the first authority is smaller than that of the second authority.
3. The method according to claim 1, wherein the acquiring process parameters of the target process based on the data acquisition function comprises:
modifying an initial address in the process parameters of the target process into a target address; the initial address is an initial kernel function address that needs to be called to run the target process;
and acquiring the process parameters of the target process based on the target address.
4. The method according to claim 3, wherein the modifying the initial address in the process parameters of the target process into the target address comprises:
acquiring a system call table; the system call table comprises initial kernel function addresses corresponding to a plurality of processes;
and searching an initial kernel function address corresponding to the target process from the system call table, and modifying the initial kernel function address into a target address.
5. The method according to claim 4, wherein the method further comprises:
when the system call table is acquired, backing up the system call table to obtain a backup call table; the data in the backup call table is the same as the data in the system call table;
and if the triggering operation is a normal operation, jumping back to the initial kernel function address corresponding to the target process in the backup call table, so that the initial kernel function is called to run the target process.
6. The method according to claim 1, wherein the starting a target process associated with the program component if a triggering operation for the program component is detected comprises:
if a triggering operation of the target account for the program component is detected, starting the target process associated with the program component; or, if a starting condition of the program component is met, detecting a triggering operation for the program component and starting the target process associated with the program component;
the starting condition of the program component comprises the starting time of the program component or the starting of an associated program of the program component.
7. The method according to any one of claims 1-6, wherein the preset parameter is that the process parameter used to characterize the target process is null, and the target process type is a privileged process.
8. The method according to claim 1, wherein the process parameters of the target process comprise at least one of an identification of the target account, an identification of the target process, an initial address of the target process, and an authority of the target account;
the outputting prompt information comprises:
sending the prompt information to a management terminal; the management terminal is used for processing the abnormal operation according to the process parameters of the target process.
9. The method according to claim 8, wherein the sending the prompt information to a management terminal comprises:
counting an abnormal count, being the number of times the triggering operation of the target account for the program component has been determined to be an abnormal operation;
if the abnormal count is greater than a count threshold, sending the prompt information to the management terminal in a first alarm mode;
if the abnormal count is smaller than or equal to the count threshold, sending the prompt information to the management terminal in a second alarm mode; the emergency degree of the first alarm mode is higher than that of the second alarm mode.
10. The method according to claim 1, wherein the method further comprises:
obtaining a blacklist; the blacklist comprises at least one abnormal account;
if the triggering operation of the target account for the program component is detected and the target account belongs to the blacklist, determining that the triggering operation of the target account for the program component is abnormal operation, and executing the step of outputting prompt information;
and if the triggering operation of the target account for the program component is detected and the target account does not belong to the blacklist, executing the step of starting the target process associated with the program component and acquiring the process parameters of the target process based on the data acquisition function.
11. A vulnerability protection apparatus, the apparatus comprising:
the application deployment unit is used for deploying the protection application on the target terminal and starting a data acquisition function in the protection application;
the parameter acquisition unit is used for starting a target process associated with the program component if the triggering operation for the program component is detected, and acquiring process parameters of the target process based on the data acquisition function; the process parameters of the target process are preset and have an association relationship with the program component;
the exception determining unit is used for determining that the trigger operation is an exception operation if the process parameter of the target process is a preset parameter, the process type of the target process is a target process type, and the authority of the target account related to the trigger operation is a first authority;
the information prompt unit is used for outputting prompt information; the prompt information comprises process parameters of the target process, and is used for prompting the triggering operation to be abnormal operation.
12. A computer device comprising a processor and a memory, wherein the processor is connected to the memory, the memory being for storing a computer program, the processor being for invoking the computer program to cause the computer program to perform the method of any of claims 1-10.
13. A computer readable storage medium, characterized in that the computer readable storage medium has stored therein a computer program adapted to be loaded and executed by a processor to cause a computer device having the processor to perform the method of any of claims 1-10.
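The decision rule of claims 1, 2, 7, 9 and 10 applied to constructed process records, as an added worked example that is not the patent's own code: the authority labels "user"/"admin", the "privileged" process type string, the encoding of the null process parameter as None, and the alarm-mode names are my assumptions, not values from the patent.

```python
from dataclasses import dataclass, field
from typing import Optional

FIRST_AUTHORITY = "user"    # narrower authority range (claim 2); assumed label
SECOND_AUTHORITY = "admin"  # wider authority range; assumed label
PRIVILEGED = "privileged"   # the target process type of claim 7; assumed label
@dataclass(frozen=True)
class ProcessRecord:  # process parameters captured by the data acquisition function (claim 8)
    account: str
    authority: str
    process_type: str
    parameter: Optional[str]  # None models the preset "null" value of claim 7
    pid: int

def is_abnormal(rec: ProcessRecord) -> bool:
    # Claims 1, 2 and 7: abnormal only when all three conditions hold at once.
    return (rec.parameter is None and rec.process_type == PRIVILEGED
            and rec.authority == FIRST_AUTHORITY)

@dataclass
class VulnerabilityGuard:
    blacklist: set
    threshold: int  # the count threshold of claim 9
    counts: dict = field(default_factory=dict)

    def handle_trigger(self, rec: ProcessRecord) -> Optional[dict]:
        # Claim 10: a blacklisted account is abnormal without inspecting the process.
        if rec.account in self.blacklist or is_abnormal(rec):
            return self._prompt(rec)
        return None  # normal: the original kernel function is called (claim 5)

    def _prompt(self, rec: ProcessRecord) -> dict:
        # Claim 9: the per-account abnormal count selects the alarm mode.
        n = self.counts[rec.account] = self.counts.get(rec.account, 0) + 1
        mode = "first_alarm" if n > self.threshold else "second_alarm"
        # Claim 1: the prompt information carries the target process's parameters.
        return {"mode": mode, "account": rec.account, "pid": rec.pid, "authority": rec.authority, "parameter": rec.parameter}

def run_demo() -> list:
    # Constructed sample records (not real telemetry); one verdict per record.
    guard = VulnerabilityGuard(blacklist={"mallory"}, threshold=1)
    records = [
        ProcessRecord("alice", FIRST_AUTHORITY, PRIVILEGED, None, 4242),     # abnormal
        ProcessRecord("alice", FIRST_AUTHORITY, PRIVILEGED, None, 4243),     # repeat: escalates
        ProcessRecord("bob", SECOND_AUTHORITY, PRIVILEGED, None, 4300),      # normal: wider authority
        ProcessRecord("carol", FIRST_AUTHORITY, "ordinary", None, 4301),     # normal: not privileged
        ProcessRecord("dave", FIRST_AUTHORITY, PRIVILEGED, "cmd=ls", 4302),  # normal: parameter set
        ProcessRecord("mallory", SECOND_AUTHORITY, "ordinary", "x", 4400),   # blacklisted
    ]
    return [guard.handle_trigger(r) for r in records]
```

The three normal records show that any one failing condition of claim 2 suffices, while the second "alice" record crosses the count threshold and is escalated to the first alarm mode.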

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311222540.XA CN116956310B (en) 2023-09-21 2023-09-21 Vulnerability protection method, device, equipment and readable storage medium

Publications (2)

Publication Number Publication Date
CN116956310A true CN116956310A (en) 2023-10-27
CN116956310B CN116956310B (en) 2023-12-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant