CN116975869A - Attack defense method and device based on address processing, electronic equipment and medium - Google Patents


Info

Publication number
CN116975869A
Authority
CN
China
Prior art keywords
address
storage space
component
information
address information
Prior art date
Legal status
Pending
Application number
CN202211609733.6A
Other languages
Chinese (zh)
Inventor
宋凯
刘博寒
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202211609733.6A
Publication of CN116975869A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security


Abstract

The application discloses an attack defense method, apparatus, electronic device and medium based on address processing, which can be applied to scenarios such as data security, application program development and memory management. The method comprises the following steps: acquiring first address information in first data corresponding to a first component; when the first address pointed to by the first address information is an address in the storage space corresponding to a second component different from the first component, acquiring a first preset identifier corresponding to the first address; storing the association between the first address and the first preset identifier in a first storage space, the first storage space being a storage space outside the storage space corresponding to the first component; and updating the first address information, and the access information of the object that accesses the first address, according to the first preset identifier and the association, so that when the object accesses the first address it can find the first address from the updated first address information, the updated access information and the association. The embodiment of the application improves the security of component data.

Description

Attack defense method and device based on address processing, electronic equipment and medium
Technical Field
The present application relates to the field of computer security, and in particular, to an attack defense method, apparatus, electronic device, and medium based on address processing.
Background
In the related art, a large amount of software is developed in a componentized way, and everyday application programs include many open-source or self-implemented modular components. Because components are not security-checked during development, or disclosed component vulnerabilities are not fixed in later iterations, the software attack surface grows further; an attacker can easily attack the users of such application programs by exploiting disclosed or unknown component vulnerabilities, and the security of software data is poor.
Disclosure of Invention
The embodiment of the application provides an attack defense method, an attack defense apparatus, an electronic device and a medium based on address processing, which can improve the security of component data in an application program.
In one aspect, an attack defense method based on address processing is provided, the method includes:
acquiring first address information in first data corresponding to a first component;
when a first address pointed to by the first address information is an address in a storage space corresponding to a second component, acquiring a first preset identifier corresponding to the first address, wherein the second component is different from the first component;
storing a first association relation between the first address and the first preset identifier into a first storage space, wherein the first storage space is a storage space outside a target storage space corresponding to the first component;
updating the first address information and first access information of a first object for accessing the first address according to the first preset identifier and the first association relation, so that when the first object accesses the first address, it finds the first address according to the updated first address information, the updated first access information and the first association relation.
In another aspect, there is provided an attack defense apparatus based on address processing, including:
an acquisition unit, used for acquiring first address information in first data corresponding to a first component;
the acquisition unit is also used for acquiring a first preset identifier corresponding to a first address when the first address pointed to by the first address information is an address in a storage space corresponding to a second component, where the second component is different from the first component;
a storage unit, used for storing a first association relation between the first address and the first preset identifier into a first storage space, wherein the first storage space is a storage space outside a target storage space corresponding to the first component;
an updating unit, used for updating the first address information and the first access information of the first object for accessing the first address according to the first preset identifier and the first association relation, so that when the first object accesses the first address, the first address is found according to the updated first address information, the updated first access information and the first association relation.
In another aspect, a computer readable storage medium is provided, the computer readable storage medium storing a computer program adapted to be loaded by a processor for performing a method according to any of the embodiments above.
In another aspect, a computer device is provided, the computer device comprising a processor and a memory, the memory having stored therein a computer program, the processor being configured to perform the method according to any of the embodiments above by calling the computer program stored in the memory.
In another aspect, a computer program product is provided comprising computer instructions which, when executed by a processor, implement a method as described in any of the embodiments above.
According to the embodiment of the application, first address information in first data corresponding to a first component is acquired; when the first address pointed to by the first address information is an address in the storage space corresponding to a second component different from the first component, a first preset identifier corresponding to the first address is acquired; a first association relation between the first address and the first preset identifier is stored in a first storage space, which is a storage space outside the target storage space corresponding to the first component; and the first address information, and the first access information of the first object that accesses the first address, are updated according to the first preset identifier and the first association relation, so that when the first object accesses the first address it finds the first address from the updated first address information, the updated first access information and the first association relation. Viewed from the perspective of component addresses, when component data contains address information pointing to an address outside the storage space corresponding to the component, this scheme stores the association between the address pointed to and a preset identifier in an independent storage space outside the component's own storage space, and updates the component data, so that when the external address is accessed it is found through the preset identifier and the association held in the independent storage space. This prevents an attacker from reaching the component data of other components through address information that points outside the component's storage space, and so improves the security of the other components' data and of the application program's component data as a whole.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1a is a first flow chart of an address processing-based attack defense method according to an embodiment of the present application;
FIG. 1b is a second flow chart of an address processing-based attack defense method according to an embodiment of the present application;
FIG. 2 is a third flow chart of an address processing-based attack defense method according to an embodiment of the present application;
FIG. 3 is a flow chart illustrating the transfer of first data to a first storage space according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a data processing method for different types of access requests according to an embodiment of the present application;
FIG. 5 is a schematic diagram of a process for triggering garbage collection on the target storage space according to an embodiment of the present application;
FIG. 6 is a fourth flow chart of an address processing-based attack defense method according to an embodiment of the present application;
FIG. 7 is a schematic structural diagram of an address processing-based attack defense apparatus according to an embodiment of the present application;
FIG. 8 is a schematic structural diagram of a computer device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to fall within the scope of the application.
The embodiment of the application can be applied to various scenes such as data security, application program development, memory management and the like.
The embodiment of the application provides an attack defense method, an attack defense device, electronic equipment and a medium based on address processing. Specifically, the foregoing attack defense method based on address processing according to the embodiment of the present application may be executed by a computer device, where the computer device may be a device such as a terminal or a server. The terminal can be smart phones, tablet computers, notebook computers, intelligent voice interaction equipment, intelligent household appliances, wearable intelligent equipment, aircrafts, intelligent vehicle-mounted terminals and other equipment, and the terminal can also comprise a client, wherein the client can be a video client, a browser client or an instant messaging client and the like. The server may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, content delivery networks (Content Delivery Network, CDN), basic cloud computing services such as big data and artificial intelligent platforms, and the like.
For example, when the method is run on the terminal, the terminal can download and install a corresponding application program, and when the terminal actually runs the method, the terminal is used for displaying a graphical user interface and interacting with a user through the graphical user interface. In particular, the manner in which the terminal presents the graphical user interface to the user may include a variety of ways, for example, the graphical user interface may be rendered for display on a display screen of the terminal, or presented by holographic projection. For example, the terminal may include a touch display screen for presenting a graphical user interface and receiving operation instructions generated by a user acting on the graphical user interface, and a processor for running the aforementioned data processing method, generating the graphical user interface, responding to the operation instructions, and controlling the display of the graphical user interface on the touch display screen.
First, some of the terms appearing in the description of the embodiments of the application are explained as follows:
Component: a standardized unit of work that encapsulates functions which can be reused. A component contains its internal UI (User Interface) elements, styles and JavaScript logic code, so that it can be embedded quickly anywhere in the application.
Program instrumentation: inserting probes (essentially code segments for information acquisition, which can be assignment statements or function calls that collect coverage information) into the program under test while keeping its original logic intact. By executing the probes and exporting characteristic data about the program's run, the control-flow and data-flow information of the program can be obtained by analysing that data, together with dynamic information such as logic coverage, thereby achieving the purpose of the test.
Binary vulnerability: a class of vulnerabilities that arise when an executable file is written, by which an attacker maliciously modifies the program's memory state, changes the program's original normal behaviour and finally executes arbitrary commands of the attacker's choosing. Common binary vulnerabilities include stack overflow (Stack-Overflow), heap overflow (Heap-Overflow), use-after-free (Use-After-Free), double free (Double-Free), out-of-bounds access (Out-of-bounds) and the like.
Garbage collection: in computer science, garbage collection (GC) refers to an automatic memory management mechanism. When part of the memory space occupied by a program is no longer accessed by the program, the program returns that part of the memory space to the operating system by means of a garbage collection algorithm. Many languages such as Smalltalk, Java, C#, Go and D currently support garbage collectors.
Shellcode: a piece of code used to exploit a software vulnerability. It is hexadecimal machine code, and is so named because it commonly lets an attacker obtain a shell. Shellcode is usually written in machine language; after the program's execution flow has been taken over, a piece of machine code that the central processing unit (CPU) can execute is inserted so that the victim executes arbitrary instructions of the attacker.
Return-oriented programming (ROP): a new type of attack based on code-reuse technology, in which an attacker extracts instruction fragments from existing libraries or executable files to construct malicious code.
Control-Flow Integrity (CFI): a defense method against control-flow hijacking attacks.
AddressSanitizer (ASan): a compiler-based fast detection tool for memory errors in native code. ASan can detect the following problems: heap and stack buffer overflow/underflow, heap use after free, stack use outside its valid range, and double free/invalid free.
Heap spraying: a technique for obtaining arbitrary code execution exploits more easily. Heap spraying code attempts to allocate a large region of the process heap and write its commands into that region in the right way, so that a series of commands is written at predetermined locations in the memory of the target process.
In the related art, when an application program is in the development stage, the memory state is detected by instrumentation at the compile stage in order to manage data security. However, the application program compiled in this way is large: from the user's point of view it needs more disk space to store, and communication traffic between server and client for activities such as daily updates increases greatly. According to the AddressSanitizer scheme document, the storage overhead increases by 0.5 to 2 times. Moreover, when the application program runs, a large amount of memory must be occupied to store the memory state, and released memory cannot be reused in time, so memory overhead increases at run time. A large number of additional instructions must also be run for validity checks at each memory access, increasing CPU resource usage. According to the AddressSanitizer scheme document, the CPU overhead and the memory overhead are about 2 times what they were before.
In addition, in the related art, general vulnerability defense methods work in principle by hooking the program's default memory allocation and release functions to update the memory usage state; but some general components use self-implemented allocation and release functions for memory management, which such general defense methods cannot detect, so memory-related vulnerability defenses can be bypassed and a considerable security risk remains. Furthermore, in the development of application programs a large amount of software uses a modular development mode, and everyday application programs include many open-source or self-implemented modular components. Because components are not security-checked during development, or disclosed component vulnerabilities are not fixed in later iterations, the software attack surface grows further; an attacker can easily attack the users of such application programs by exploiting disclosed or unknown component vulnerabilities, and the security of software data is poor.
The present application provides a solution to at least one of the foregoing technical problems, and each of the problems is described in detail below. It should be noted that the following description order of embodiments is not a limitation of the priority order of embodiments.
The embodiments of the present application provide an attack defense method based on address processing, which may be executed by a terminal or a server. Alternatively, the terminal may be embodied as a terminal used when a related person develops a corresponding application.
The application mainly aims at protecting vulnerable modular components in application programs, so it has wide application scenarios and is suitable for protecting all kinds of application programs that use complex components on various operating system platforms. Taking an engine component as an example: the engine component is a sub-module of the browser component, and the browser component is often used as the carrier for interface display and interaction in application program development. A very wide range of desktop and mobile application developers can compile and release programs by adding this scheme to the browser component they use, and a user starts the application containing the scheme to load a web page by entering a URL in the address bar or clicking a link in the application. The scheme for the engine component can be applied to various application programs on Windows and Android, including but not limited to: desktop browsers, mobile browsers, instant messaging tools, conferencing tools, and so on.
Fig. 1a is a first flow chart of an attack defense method based on address processing according to an embodiment of the present application, where the method includes S101-S104:
S101, acquiring first address information in first data corresponding to a first component;
Optionally, the first data corresponding to the first component may be data in the first component.
Optionally, the first address information may be a pointer.
Optionally, the first address pointed to by the first address information may be an address in the target storage space corresponding to the first component, or an address outside that target storage space. When the first address information lies within the range of influence of a vulnerability available to an attacker, and the first address it points to is outside the target storage space corresponding to the first component (for example, in the storage space corresponding to another component), the attacker may modify the first address information (such as a pointer) to obtain read and write capability over the data in the other components, and so attack other components of the target application program. Thus an attacker can easily attack other components through a component of the target application that contains address information.
Optionally, the first component may be a component containing address information among the plurality of components of the target application program. In some optional embodiments provided by the application, for determining the first component, the method further comprises S01-S03:
S01, acquiring a plurality of components of a target application program;
S02, determining at least part of the components, namely those containing address information, among the plurality of components;
S03, determining the first component according to the at least part of the components.
In the application, only the first component containing the address information is specially compiled, so that the function of saving defense cost can be achieved.
Optionally, S03, determining the first component according to the at least part of the components, may include: taking any one or more of the at least part of the components as the first component.
In further alternative embodiments provided by the present application, for the determination of the first component, the method further comprises: acquiring a selection instruction of a user for selecting a first component from a plurality of components of a target application program; and determining the first component according to the selection instruction.
In some scenarios, the user may be a relevant person operating the terminal or the server, where a relevant risk prediction model may be installed in the terminal, where the risk prediction model is used to perform security evaluation on multiple components of the target application program, and screen out a first component that has an attack risk; the user further triggers a selection instruction for selecting the first component from the multiple components of the target application program through the terminal.
S102, when a first address pointed by the first address information is an address in a storage space corresponding to a second component, acquiring a first preset identifier corresponding to the first address, wherein the second component is different from the first component;
Optionally, the second component may be any component other than the first component among the plurality of components of the target application.
Optionally, the storage space corresponding to the second component is used for storing the data corresponding to the second component.
Optionally, the first preset identifier may be preset index information corresponding to the first address, and the index information may be represented by a number, a letter, or the like.
Optionally, when the first address pointed to by the first address information is an address in the target storage space, the processing is not performed.
S103, storing a first association relation between the first address and the first preset identifier into a first storage space, wherein the first storage space is a storage space outside a target storage space corresponding to the first component;
optionally, the first storage space is a storage space other than the target storage space corresponding to the first component, and is a storage space other than the storage space corresponding to the second component.
Specifically, the first storage space is located in the remaining space except for the storage space corresponding to the second component in the storage space corresponding to the application program to which the first component belongs.
Optionally, the first association relation between the first address and the first preset identifier may be stored in a related chip in the terminal or the server based on hardware memory encryption technology.
S104, updating the first address information and the first access information of the first object for accessing the first address according to the first preset identifier and the first association relation, so that when the first object accesses the first address, the first address is found according to the updated first address information, the updated first access information and the first association relation.
In some optional embodiments of the present application, in S104, updating the first address information and the first access information of the first object for accessing the first address according to the first preset identifier and the first association relation includes: replacing the first address with the first preset identifier, and updating the first access information of the first object for accessing the first address according to the association relation between the first preset identifier and the first address.
Optionally, the first object accesses the first address through the first access information to invoke the data in the first address.
Optionally, the first object may be a calling function.
In some embodiments, updating the first access information of the first object for accessing the first address according to the first preset identifier and the first association relation may include: adding code corresponding to the first preset identifier and the first association relation to the first access information of the first object for accessing the first address, so that when a first access request corresponding to the updated first access information is received, the first address is determined according to the first preset identifier and the first association relation, and the data at the first address is determined as the access result corresponding to the first access request. The first access information of the first object may be a related access function.
Accordingly, the method further comprises: when a first access request corresponding to the updated first access information is received, determining the first address according to the first preset identifier and the first association relation; and determining the data at the first address as the access result corresponding to the first access request.
Specifically, referring to fig. 1b, which is a second flow chart of an address processing-based attack defense method according to an embodiment of the present application: second data corresponding to the first component includes the first data corresponding to the first component and a component code segment; the component code segment includes the first object; and the storage space corresponding to the first component may include a component code segment space for storing the component code segment and a target storage space for storing the first data, where the first data may be data called by the component code segment. When the first address pointed to by the first address information contained in the first data is an address in the storage space corresponding to the second component, say address A, a first association relation between the first preset identifier '1' corresponding to the first address and address A is stored in the first storage space. Address A in the first address information is replaced by 1, and code corresponding to 1 and the first association relation is added to the first access information (which may be contained in the component code segment) of the first object for accessing the first address. When the terminal receives a first access request corresponding to the updated first access information, address A is determined according to 1 and the first association relation, and the data at address A is determined as the access result corresponding to the first access request.
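The fig. 1b flow (address A in the first data replaced by identifier '1', resolved through the association kept in a first storage space outside the component) as an added C illustration; this is not the patent's own code, and the component layout, table size, field names and sample data are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not the patent's code: two components with
 * separate storage spaces, and a "first storage space" (an association table)
 * that lies outside both of them. All names and sizes are assumptions. */

/* Storage space corresponding to the second component. */
struct second_component {
    char data[32];
};
static struct second_component g_second = { "second-component-data" };

/* First storage space: association (preset identifier -> first address).
 * Identifier 0 is reserved, so a zeroed field never resolves to anything. */
#define MAX_ASSOCIATIONS 16u
static void *g_association[MAX_ASSOCIATIONS];
static uint32_t g_next_identifier = 1;

/* Target storage space of the first component. Before S104 the first
 * address information was a raw pointer into the second component's space;
 * afterwards the field holds only the preset identifier. */
struct first_component_data {
    uint32_t external_identifier;   /* updated first address information */
    char     buffer[64];            /* other data of the first component */
};

/* Is the address inside the storage space corresponding to the second component? */
static int is_address_in_second_component(const void *p) {
    uintptr_t lo = (uintptr_t)&g_second;
    uintptr_t hi = lo + sizeof g_second;
    uintptr_t q = (uintptr_t)p;
    return q >= lo && q < hi;
}

/* S102 + S103: obtain a preset identifier for the first address and store the
 * association outside the first component's storage. Returns 0 when the table is full. */
static uint32_t store_association(void *first_address) {
    if (g_next_identifier >= MAX_ASSOCIATIONS) return 0;
    uint32_t id = g_next_identifier++;
    g_association[id] = first_address;
    return id;
}

/* S101-S104 for one pointer found in the first data: an address inside the
 * first component's own space is left alone (returns 0); an address in the
 * second component's space is replaced by its identifier (returns 1); -1 on failure. */
static int protect_external_pointer(struct first_component_data *d, void *raw_pointer) {
    if (!is_address_in_second_component(raw_pointer)) return 0;
    uint32_t id = store_association(raw_pointer);
    if (id == 0) return -1;
    d->external_identifier = id;    /* S104: first address information updated */
    return 1;
}

/* Updated first access information: the first object (a calling function)
 * finds the first address through the association. Anything that is not a
 * registered identifier yields NULL instead of an arbitrary address. */
static const char *access_first_address(const struct first_component_data *d) {
    uint32_t id = d->external_identifier;
    if (id == 0 || id >= g_next_identifier) return NULL;
    return (const char *)g_association[id];
}

/* Walk-through: legitimate access still works, while a corrupted identifier
 * field (simulating a bug in the first component) cannot reach any address
 * that was not registered in the first storage space. Returns 0 on success. */
static int demo(void) {
    struct first_component_data d;
    memset(&d, 0, sizeof d);
    if (protect_external_pointer(&d, g_second.data) != 1) return -1;
    const char *p = access_first_address(&d);
    if (p == NULL || strcmp(p, "second-component-data") != 0) return -2;
    d.external_identifier = 0xDEADBEEFu;            /* constructed corruption */
    if (access_first_address(&d) != NULL) return -3;
    return 0;
}

int main(void) {
    int rc = demo();
    printf("demo: %s (%d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc == 0 ? 0 : 1;
}
```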
According to the embodiment of the application, the first address information in the first data corresponding to the first component is acquired; when the first address pointed to by the first address information is an address in the storage space corresponding to a second component different from the first component, a first preset identifier corresponding to the first address is acquired; a first association relation between the first address and the first preset identifier is stored in a first storage space, which is a storage space outside the target storage space corresponding to the first component; and the first address information and the first access information of the first object for accessing the first address are updated according to the first preset identifier and the first association relation, so that when the first object accesses the first address, the external address is found through the updated first address information, the updated first access information and the first association relation. In other words, when the component data contains address information pointing to an address outside the storage space corresponding to the component, the association between that address and a preset identifier is stored in an independent storage space outside the component's storage space and the component data is updated, so that the external address can only be found through the preset identifier and the association kept in the independent storage space. This blocks the attacker's attack path, increases the difficulty of exploitation, and reduces the possibility that an attacker uses data pointing to addresses outside the component's storage space to attack the data of other components.
In other optional embodiments provided by the present application, the first data corresponding to the first component may also be data transferred from an original storage space corresponding to the first component to a target storage space outside the original storage space, referring to fig. 2, fig. 2 is a third flow diagram of an attack defense method based on address processing according to an embodiment of the present application, and the method further includes S201-S203:
S201, acquiring first data corresponding to the first component;
S202, acquiring a preset offset;
S203, transferring the first data corresponding to the first component from an original storage space corresponding to the first component to a target storage space according to the preset offset, wherein the target storage space is a storage space outside the original storage space.
Optionally, the preset offset may be an offset between a first address of the target storage space and a first address of the original storage space.
Alternatively, the preset offset may be set by the relevant personnel.
Optionally, the preset offset may be further determined according to the obtained memory application request.
In some optional embodiments provided by the present application, referring to fig. 2, the method further includes S301-S303:
S301, determining whether a first address pointed by first address information is an address in a target storage space;
S302, when the first address pointed to by the first address information is an address in the target storage space, acquiring an offset of the first address relative to the address of the first address information;
Alternatively, the offset of the first address relative to the address of the first address information may be the difference between the first address and the address of the first address information in the target storage space.
S303, updating the first address information according to the offset to obtain updated first address information;
Optionally, in S303, updating the first address information according to the offset to obtain updated first address information includes:
determining a corresponding identifier according to the offset;
and replacing the first address pointed by the first address information by using the identifier to obtain updated first address information.
S304, updating second access information of a second object for accessing the first address according to the updated first address information and the address of the first address information, so that the second object searches the first address according to the updated first address information and the updated second access information when accessing the first address.
Optionally, S304, updating second access information of a second object for accessing the first address according to the updated first address information and the address of the first address information, including:
adding a code corresponding to a second association relation between the updated first address information and the address of the first address information into second access information of a second object for accessing the first address, so that when a terminal receives a second access request corresponding to the updated second access information, the first address is determined according to the updated first address information and the second association relation; and determining the data in the first address as an access result corresponding to the second access request. Wherein the second access information of the second object may be a related access function.
Specifically, referring to fig. 3, fig. 3 is another flow chart of an attack defense method based on address processing according to an embodiment of the present application. When the first address pointed to by the first address information is an address in the target storage space, for example address A, the offset of address A relative to the address of the first address information is obtained, and the first address information is updated according to the offset to obtain updated first address information. For example, when the address of the first address information is 0190 and address A is 0194, the offset is 4.
Optionally, when the first data corresponding to the first component includes a plurality of first address information items, each item may be processed according to whether the first address it points to is located in the target storage space corresponding to the first component or in the storage space corresponding to another component (the second component). For example: when the first address pointed to by first address information add1 is located in the target storage space, the offset of the first address relative to the address of add1 is acquired; add1 is updated according to the offset to obtain updated add1; and the second access information of the second object for accessing the first address is updated according to the updated add1 and the address of add1, so that the second object searches for the first address according to the updated add1 and the updated second access information when accessing the first address. When the first address pointed to by another first address information add2 is located in the storage space corresponding to another component (such as the second component), a first preset identifier corresponding to the first address is obtained; a first association relation between the first address and the first preset identifier is stored in a first storage space, which is a storage space outside the target storage space corresponding to the first component; and add2 and the first access information of the first object for accessing the first address are updated according to the first preset identifier and the first association relation, so that the first object searches for the first address according to the updated add2, the updated first access information and the first association relation when accessing the first address.
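As an added example that is not part of the patent, the following C code sketches the two rewriting cases just described for one component: a slot whose target lies inside the component's own region is replaced by its offset relative to the slot (the 0190/0194 case), and a slot pointing into another component's storage is replaced by a preset identifier whose association with the real address is kept in a table outside the region. The per-slot encoding tag, the table layout and all names are assumptions of the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define REGION_WORDS 8    /* size of the component's target storage space, in words */
#define TABLE_MAX    16   /* capacity of the association table (assumed) */

/* How a pointer slot ("first address information") is currently encoded. */
enum slot_kind { KIND_RAW = 0, KIND_OFFSET = 1, KIND_IDENT = 2 };

/* First storage space: identifier -> address pairs, kept OUTSIDE the region. */
struct assoc_table {
    size_t    count;
    uintptr_t ident[TABLE_MAX];
    uintptr_t addr[TABLE_MAX];
};

struct component {
    uintptr_t words[REGION_WORDS];   /* target storage space holding the slots */
    uint8_t   kind[REGION_WORDS];    /* per-slot encoding tag (hypothetical side table) */
    struct assoc_table table;        /* the "first association relation" */
    uintptr_t next_ident;            /* next first preset identifier to hand out */
};

void component_init(struct component *c) {
    memset(c, 0, sizeof *c);
    c->next_ident = 1;               /* identifiers start at '1', as in the text */
}

static int in_region(const struct component *c, uintptr_t a) {
    return a >= (uintptr_t)&c->words[0] && a < (uintptr_t)&c->words[REGION_WORDS];
}

/* Rewrite slot i depending on where its raw pointer points. Returns the new kind. */
int encode_slot(struct component *c, size_t i) {
    uintptr_t target = c->words[i];
    uintptr_t slot_addr = (uintptr_t)&c->words[i];
    if (in_region(c, target)) {
        /* Internal pointer (add1 case): store the offset of the target relative to the slot. */
        c->words[i] = target - slot_addr;
        c->kind[i] = KIND_OFFSET;
    } else {
        /* External pointer (add2 case): replace it by an identifier and record the pair. */
        if (c->table.count >= TABLE_MAX) return -1;
        uintptr_t id = c->next_ident++;
        c->table.ident[c->table.count] = id;
        c->table.addr[c->table.count] = target;
        c->table.count++;
        c->words[i] = id;
        c->kind[i] = KIND_IDENT;
    }
    return c->kind[i];
}

/* Recover the first address from an encoded slot; 0 if the identifier is unknown. */
uintptr_t resolve_slot(const struct component *c, size_t i) {
    uintptr_t slot_addr = (uintptr_t)&c->words[i];
    switch (c->kind[i]) {
    case KIND_OFFSET:
        return slot_addr + c->words[i];     /* unsigned wrap-around restores negative offsets */
    case KIND_IDENT:
        for (size_t k = 0; k < c->table.count; k++)
            if (c->table.ident[k] == c->words[i]) return c->table.addr[k];
        return 0;                           /* identifier not present in the table */
    default:
        return c->words[i];
    }
}

/* Access result: the data stored at the resolved first address (0 if unresolvable). */
uintptr_t read_through_slot(const struct component *c, size_t i) {
    uintptr_t a = resolve_slot(c, i);
    return a ? *(const uintptr_t *)a : 0;
}

/* Walk-through of both cases on constructed data. Returns 0 on success, else the failing step. */
int run_example(void) {
    static uintptr_t second_component[4];   /* constructed: another component's storage */
    struct component c;
    component_init(&c);
    second_component[3] = 0xBEEF;
    c.words[2] = 0xCAFE;
    c.words[0] = (uintptr_t)&c.words[2];            /* add1: points inside the region */
    c.words[1] = (uintptr_t)&second_component[3];   /* add2: points into the second component */

    if (encode_slot(&c, 0) != KIND_OFFSET) return 1;
    if (c.words[0] != 2 * sizeof(uintptr_t)) return 2;   /* an offset, like 0194 - 0190 = 4 */
    if (encode_slot(&c, 1) != KIND_IDENT) return 3;
    if (c.words[1] != 1) return 4;                        /* raw pointer replaced by '1' */
    /* The external address now lives only in the table outside the region. */
    if (c.table.addr[0] != (uintptr_t)&second_component[3]) return 5;
    if (read_through_slot(&c, 0) != 0xCAFE) return 6;
    if (read_through_slot(&c, 1) != 0xBEEF) return 7;
    /* A corrupted identifier with no table entry resolves to nothing. */
    c.words[1] = 99;
    if (resolve_slot(&c, 1) != 0) return 8;
    return 0;
}
```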
Optionally, the method further comprises: when the first address pointed to by the first address information is not an address in the target storage space, acquiring a first preset identifier corresponding to the first address and executing the foregoing steps S103 to S104.
In some optional embodiments provided by the present application, the method further comprises S501-S502:
S501, when a first access request corresponding to the updated first access information is received, determining the first address according to the first preset identifier and the first association relation;
Optionally, the first association relationship may include a plurality of preset identifiers and the addresses corresponding to the preset identifiers, and in S501, determining the first address according to the first preset identifier and the first association relationship includes: taking the address corresponding to the preset identifier that is the same as the first preset identifier in the first association relationship as the first address.
S502, determining the data in the first address as an access result corresponding to the first access request.
Optionally, further referring to fig. 4, fig. 4 is a schematic diagram of a data processing method for different types of access requests; the method further comprises the following S41-S44:
S41, acquiring an access request to be processed;
Alternatively, the access request may be a request to invoke data upon execution of a function of the first component after the associated target application is online.
S42, determining the type of the access request to be processed;
the type of the access request to be processed may be a first access request for accessing a first address stored in a first storage space outside a target storage space corresponding to the first component, where the first access request is specifically an access request corresponding to first access information of a first object accessing the first address. The first access request may include first access information of the first object, where the first access information may be a related access function.
In addition, the type of the access request to be processed may also be a second access request corresponding to the updated second access information.
Alternatively, the type of the pending access request may be determined by a type identification carried in the pending access request.
S43, if the type of the access request to be processed is the first access request, determining the first address according to the first preset identifier and the first association relation, and determining the data in the first address as an access result corresponding to the first access request;
Optionally, the first association relationship may store a plurality of stored identifiers and a first target address corresponding to each stored identifier; determining the first address according to the first preset identifier and the first association relation may include: taking the first target address corresponding to the stored identifier that is the same as the first preset identifier in the first association relationship as the first address.
S44, if the type of the access request to be processed is the second access request, determining the first address according to the updated first address information and the second association relation, and determining the data in the first address as an access result corresponding to the second access request.
Optionally, the second association relationship may include a plurality of stored address information items and a second target address for each of them; determining the first address according to the updated first address information and the second association relation comprises: taking the second target address corresponding to the stored address information that is the same as the updated first address information in the second association relationship as the first address.
In some optional embodiments provided by the present application, the method further comprises: when the number of memory allocation requests for the target storage space is determined to be larger than a first preset number, and/or when the ratio of the occupied storage space in the target storage space is determined to be larger than a first preset space ratio, performing garbage collection on the target storage space.
Optionally, the memory allocation request for the target storage space may be a memory allocation request generated when the first data corresponding to the first component needs to apply for occupying the unoccupied memory in the target storage space.
Specifically, regarding the manner of triggering garbage collection of the target storage space, the method further includes S601-S603:
S601, acquiring a first preset number of times;
Optionally, the first preset number of times is a number set by the relevant personnel.
Alternatively, the first preset number of times may also be an automatically generated random number.
S602, when a memory allocation request aiming at the target storage space is received once, determining the accumulated times of the memory allocation request;
Optionally, a parameter for recording the number of memory allocation requests received for the target storage space may be set, where the value of the parameter is the cumulative number of memory allocation requests. Each time a memory allocation request for the target storage space is received, the cumulative number of memory allocation requests is increased by 1.
Alternatively, determining the cumulative number of memory allocation requests may be performed after performing the foregoing increment of 1.
S603, when the accumulated number is larger than the first preset number, determining that the number of memory allocation requests for the target storage space is larger than the first preset number, clearing the accumulated number of memory allocation requests, obtaining a second preset number, taking the second preset number as the new first preset number, and performing garbage collection on the target storage space; wherein the first preset number and the second preset number are positive integers.
Optionally, the second preset number of times is a number of times set by the related personnel.
Alternatively, the second preset number of times may also be an automatically generated random number.
Optionally, the method further comprises S604-S606:
S604, acquiring a first preset ratio;
Optionally, the first preset ratio is a ratio set by the relevant personnel.
Alternatively, the first preset ratio may also be an automatically generated random ratio.
S605, acquiring the ratio of the space size of the occupied storage space in the target storage space to the space size of the target storage space;
S606, when the ratio is determined to be not larger than the first preset ratio, performing no processing; when the ratio is determined to be larger than the first preset ratio, obtaining a second preset ratio, using the second preset ratio as the new first preset ratio, and performing garbage collection on the target storage space. The second preset ratio is larger than the first preset ratio, and both the first preset ratio and the second preset ratio are larger than 0 and smaller than 1.
By the scheme, the data in the target storage space can be cleaned in time, the logic of the original data storage position is disturbed, and a hacker can be prevented from attacking the data based on the logic of the original data storage position.
Alternatively, the foregoing S604-S606 may also be executed when the accumulated number of times is not greater than the first preset number of times, and the specific process may refer to fig. 5.
In some optional embodiments provided by the present application, garbage collection is performed on the target storage space, including:
and when the addresses of the plurality of address information in the first data are not continuous addresses, performing splicing processing on the plurality of address information so that the addresses of the plurality of address information are continuous addresses.
In other optional embodiments provided by the present application, garbage collection is performed on the target storage space, including:
and for each address information in the plurality of address information in the first data, when the duration that the address of the address information is not accessed exceeds the preset duration, clearing the data in the address of the address information.
Because memory in the storage space is allocated by sequential carving, an attacker can predict the memory layout of a storage space that is never garbage collected and then, through attack methods such as heap injection, place an attack object within the range the vulnerability can affect. In this scheme, the memory in the target storage space is spliced and reclaimed through garbage collection, so the memory layout in the target storage space is disrupted: the layout an attacker relies on is broken and the required layout cannot be constructed, or the attack path is blocked because garbage collection performed beforehand has already invalidated the layout. Since the attacker cannot shape the memory layout in the target storage space, the range affected by the vulnerability cannot be enlarged, and the security of component data is effectively improved. In addition, the scheme of the present application can also generally mitigate the potential security risk caused by unsafe components being introduced piecemeal into individual application programs, and has a certain defensive effect against 0-day vulnerabilities.
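The following C code, added here and not taken from the patent, models the target storage space as a sequentially carved region and implements the two garbage-collection triggers of S601-S606 (an allocation-count threshold that is replaced by a fresh value after each collection, and an occupancy ratio that only grows) together with the collection itself: splicing the surviving objects into contiguous addresses and clearing data idle longer than a preset duration. The deterministic LCG standing in for the random thresholds, the tick-based durations and all names are assumptions of the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define REGION_BYTES 256
#define MAX_OBJS     16
#define STALE_TICKS  50u      /* hypothetical "preset duration" after which idle data is cleared */

/* One piece of address information: an object living in the target storage space. */
struct obj { size_t off, len; unsigned last_access; int live; };

struct region {
    uint8_t    mem[REGION_BYTES];   /* target storage space, sequentially carved */
    size_t     used;                /* current carving point */
    struct obj objs[MAX_OBJS];      /* handles are indexes into this array */
    unsigned   alloc_count, count_limit;   /* S601-S603 trigger state */
    unsigned   ratio_limit;                /* S604-S606 trigger, percent, 0 < ratio < 100 */
    uint32_t   rng;                 /* constructed LCG state standing in for the random number */
    unsigned   collections;         /* how many times garbage collection has run */
};

static uint32_t next_rand(struct region *r) {   /* deterministic LCG for the example */
    r->rng = r->rng * 1664525u + 1013904223u;
    return r->rng >> 16;
}

static unsigned fresh_count_limit(struct region *r) { return 4 + next_rand(r) % 8; }

void region_init(struct region *r, uint32_t seed) {
    memset(r, 0, sizeof *r);
    r->rng = seed;
    r->count_limit = fresh_count_limit(r);       /* first preset count: a positive integer */
    r->ratio_limit = 50 + next_rand(r) % 30;     /* first preset ratio: strictly between 0 and 100 */
}

/* Garbage collection: drop objects already freed or idle longer than STALE_TICKS,
 * then splice the survivors into one contiguous run. Returns bytes reclaimed. */
size_t region_collect(struct region *r, unsigned now) {
    uint8_t tmp[REGION_BYTES];
    size_t before = r->used, cursor = 0;
    for (size_t i = 0; i < MAX_OBJS; i++) {
        struct obj *o = &r->objs[i];
        if (!o->live) continue;
        if (now - o->last_access > STALE_TICKS) { o->live = 0; continue; }
        memcpy(tmp + cursor, r->mem + o->off, o->len);   /* via tmp, so moves never overlap */
        o->off = cursor;
        cursor += o->len;
    }
    memcpy(r->mem, tmp, cursor);
    memset(r->mem + cursor, 0, REGION_BYTES - cursor);   /* stale copies and dead data are cleared */
    r->used = cursor;
    r->collections++;
    return before - cursor;
}

/* Memory allocation request against the target storage space. Evaluates both
 * triggers, collects if either fires, then carves. Returns a handle or -1. */
int region_alloc(struct region *r, size_t len, unsigned now) {
    int collect = 0;
    if (++r->alloc_count > r->count_limit) {                 /* S603 */
        r->alloc_count = 0;
        r->count_limit = fresh_count_limit(r);               /* second preset count becomes the new first */
        collect = 1;
    }
    if (r->used * 100 / REGION_BYTES > r->ratio_limit) {     /* S606 */
        unsigned room = 99 - r->ratio_limit;                 /* new ratio: larger, still below 100 */
        r->ratio_limit += room ? 1 + next_rand(r) % room : 0;
        collect = 1;
    }
    if (collect) region_collect(r, now);
    if (r->used + len > REGION_BYTES) return -1;
    for (int h = 0; h < MAX_OBJS; h++) {
        if (r->objs[h].live) continue;
        r->objs[h] = (struct obj){ r->used, len, now, 1 };
        r->used += len;
        return h;
    }
    return -1;
}

/* Current address (offset) of a handle, or -1 once it has been collected. */
long region_offset(const struct region *r, int h) {
    return (h >= 0 && h < MAX_OBJS && r->objs[h].live) ? (long)r->objs[h].off : -1;
}

void region_touch(struct region *r, int h, unsigned now) { if (region_offset(r, h) >= 0) r->objs[h].last_access = now; }
void region_free(struct region *r, int h) { if (region_offset(r, h) >= 0) r->objs[h].live = 0; }
```

Because a collection moves live objects, code using the region must locate them through handles (or an indirection such as the identifier table) rather than through raw offsets it saved earlier.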
In some optional embodiments provided by the present application, the method further comprises S701-S703:
S701, when a data writing request aiming at the target storage space is received, setting the authority of the target storage space as a readable and writable authority;
optionally, the data writing request may include corresponding data. The data write request may be triggered by the user using the terminal or server described above.
S702, writing corresponding data according to the data writing request;
S703, setting the authority of the target storage space as a readable and executable authority.
When an attacker obtains global memory read-write permission on the target application program, memory that the target application program has allocated with readable, writable and executable permission can be tampered with. By this scheme, readable, writable and executable permission is never produced, so the security of component data in the target application program is improved.
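As an added example (not the patent's code) of S701-S703 on a POSIX system, the code below keeps a region readable and executable at rest and flips it to readable and writable only while a bounds-checked write is in progress, so no readable, writable and executable mapping ever exists. The region API and all names are assumptions, and Linux/POSIX mmap and mprotect are assumed to be available.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON   /* BSD spelling of the same flag */
#endif

/* Target storage space: a page-aligned region that is RX (read + execute) at rest. */
struct exec_region { uint8_t *base; size_t size; };

int region_create(struct exec_region *r, size_t size) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return -1;
    size_t pg = (size_t)page;
    r->size = ((size + pg - 1) / pg) * pg;           /* round up to whole pages */
    void *p = mmap(NULL, r->size, PROT_READ | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    r->base = p;
    return 0;
}

/* S701-S703: flip to RW only for the duration of the write, then back to RX.
 * The region is never RWX. Returns 0 on success, -1 otherwise. */
int region_write(struct exec_region *r, size_t off, const void *data, size_t len) {
    if (off > r->size || len > r->size - off) return -1;   /* bounds check before unlocking */
    if (mprotect(r->base, r->size, PROT_READ | PROT_WRITE) != 0) return -1;   /* S701 */
    memcpy(r->base + off, data, len);                                          /* S702 */
    if (mprotect(r->base, r->size, PROT_READ | PROT_EXEC) != 0) return -1;    /* S703 */
    return 0;
}

/* Reads the region back (reading is allowed in both states) and compares. */
int region_matches(const struct exec_region *r, size_t off, const void *data, size_t len) {
    return off <= r->size && len <= r->size - off && memcmp(r->base + off, data, len) == 0;
}

void region_destroy(struct exec_region *r) {
    if (r->base) munmap(r->base, r->size);
    r->base = NULL;
}

/* Scenario on constructed sample bytes: a write through the API lands and the
 * region returns to RX; an out-of-bounds write is rejected before any permission
 * change. Returns 0 on success, otherwise the number of the failing step. */
int run_example(void) {
    struct exec_region r;
    const uint8_t sample[4] = { 0xde, 0xad, 0xbe, 0xef };   /* constructed data, not code */
    if (region_create(&r, 64) != 0) return 1;
    if (region_write(&r, 8, sample, sizeof sample) != 0) { region_destroy(&r); return 2; }
    if (!region_matches(&r, 8, sample, sizeof sample)) { region_destroy(&r); return 3; }
    if (region_write(&r, r.size - 2, sample, sizeof sample) != -1) { region_destroy(&r); return 4; }
    region_destroy(&r);
    return 0;
}
```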
In some optional embodiments provided by the present application, the method further comprises S801-S803:
S801, obtaining a defense instruction input by a user;
Alternatively, the user may trigger the aforementioned defense instruction by clicking on a corresponding button, and different buttons may correspond to different target algorithms.
S802, acquiring a target algorithm corresponding to the defense instruction;
S803, updating the second data corresponding to the first component according to the target algorithm.
Optionally, the target algorithm corresponding to the defense instruction may include: the Control-Flow Integrity (CFI) algorithm of the LLVM compilation tool chain and the Control Flow Guard (CFG) algorithm of the Windows compilation tool chain.
Optionally, when the application program system of the application program is an android system or a Linux system, the target algorithm corresponding to the defense instruction is a control flow integrity algorithm of an llvm compiling tool chain; when the application program system is a Windows system, the target algorithm corresponding to the defense instruction is a CFG of a Windows compiling tool chain.
In some optional embodiments, the foregoing first association relationship further includes object information of the access object permitted to access the first address, and the method further comprises: when a first access request is acquired, if the object information of the first object carried in the first access request is identical to the object information of the access object, determining the first address according to the first preset identifier and the first association relation.
Further, the present application is described below in connection with specific scenarios. Referring to fig. 6, fig. 6 is a fourth flowchart of an attack defense method based on address processing according to an embodiment of the present application. The scheme is divided into two stages, namely a compiling stage and an operating stage.
Optionally, the vulnerable first component is determined at the compilation stage, i.e. the defensive position is determined. Before a product manufacturer develops a new application program or issues a new version of an original application program, the relevant personnel can acquire a plurality of components of the original application program, perform security evaluation on each of the components, and determine whether a first component exists; the specific security evaluation manner can be seen above. When no first component exists, no processing is performed; when a first component exists, the first component is compiled (that is, only vulnerable components are defended), the compiled first component is linked into the original application program, and the target application program is obtained and released.
Optionally, in the running stage, the target application is started, and the first component in the target application is a component compiled based on four sub-mechanisms: a memory layout blocking mechanism, a global memory read-write blocking mechanism, a Shellcode execution condition blocking mechanism and an ROP attack blocking mechanism. The memory layout blocking mechanism is used for executing the foregoing S601-S605; the global memory read-write blocking mechanism is used for executing the foregoing S101-S104, S201-S203, S301-S303 and S501-S502; the Shellcode execution condition blocking mechanism is used for executing the foregoing S701-S703; and the ROP attack blocking mechanism is used for executing the foregoing S801-S803. The specific procedures can be found in the above description and are not repeated here.
All the above technical solutions may be combined to form an optional embodiment of the present application, and will not be described in detail herein.
In order to facilitate better implementation of the address processing-based attack defense method according to the embodiment of the present application, the embodiment of the present application further provides an address processing-based attack defense device, please refer to fig. 7, fig. 7 is a schematic structural diagram of the address processing-based attack defense device according to the embodiment of the present application. The address processing-based attack defense device 70 may include:
an obtaining unit 71, configured to obtain first address information in first data corresponding to a first component;
the obtaining unit 71 is further configured to obtain a first preset identifier corresponding to a first address when the first address pointed to by the first address information is an address in a storage space corresponding to a second component, where the second component is different from the first component;
a storage unit 72, configured to store a first association relationship between the first address and the first preset identifier in a first storage space, where the first storage space is a storage space outside a target storage space corresponding to the first component;
and an updating unit 73, configured to update the first address information and first access information of a first object for accessing the first address according to the first preset identifier and the first association relationship, so that the first object searches the first address according to the updated first address information, the updated first access information, and the first association relationship when accessing the first address.
In some optional embodiments of the present application, when the foregoing apparatus is configured to update the first address information and the first access information of the first object for accessing the first address according to the first preset identifier and the first association relationship, the foregoing apparatus is specifically configured to:
and replacing the first address by using the first preset identifier, and updating first access information of a first object for accessing the first address according to the association relation between the first preset identifier and the first address.
Optionally, the device is configured to:
when a first access request corresponding to the updated first access information is received, determining the first address according to the first preset identifier and the first association relation;
and determining the data in the first address as an access result corresponding to the first access request.
Optionally, the device is further configured to:
acquiring first data corresponding to the first component;
acquiring a preset offset;
and transferring the first data corresponding to the first component from the original storage space corresponding to the first component to the target storage space according to the preset offset, wherein the target storage space is a storage space outside the original storage space.
Optionally, the device is further configured to:
when the first address pointed by the first address information is an address in the target storage space, acquiring the offset of the first address relative to the address of the first address information;
updating the first address information according to the offset to obtain updated first address information;
updating second access information of a second object for accessing the first address according to the updated first address information and the address of the first address information, so that the second object searches the first address according to the updated first address information and the updated second access information when accessing the first address.
Optionally, the device is further configured to:
and when the number of memory allocation requests for the target storage space is determined to be larger than a first preset number, and/or when the space size of the occupied storage space in the target storage space is determined to be larger than a first preset space ratio, garbage collection is carried out on the target storage space.
Optionally, the device is further configured to:
when a data writing request aiming at the target storage space is received, setting the authority of the target storage space as a readable and writable authority;
writing corresponding data according to the data writing request;
and setting the authority of the target storage space as readable executable authority.
Optionally, the device is further configured to:
acquiring a defending instruction input by a user;
acquiring a target algorithm corresponding to the defense instruction;
and updating the second data corresponding to the first component according to the target algorithm.
Optionally, the device is further configured to:
acquiring a plurality of components of a target application program;
determining at least a portion of the plurality of components that includes address information;
determining the first component from the at least some components.
Optionally, the device is further configured to:
acquiring a selection instruction of a user for selecting a first component from a plurality of components of a target application program;
and determining the first component according to the selection instruction.
The respective units of the address processing-based attack defense apparatus described above may be implemented in whole or in part by software, hardware, and a combination thereof. The above units may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor invokes and executes operations corresponding to the above units.
The address processing-based attack protection device 70 may be integrated in a terminal or a server having a memory and a processor mounted therein and having an arithmetic capability, or the address processing-based attack protection device 70 may be the terminal or the server.
Optionally, the present application further provides a computer device, including a memory and a processor, where the memory stores a computer program, and the processor implements the steps in the above method embodiments when executing the computer program.
Fig. 8 is a schematic structural diagram of a computer device according to an embodiment of the present application, where the computer device may be a terminal or a server. As shown in fig. 8, the computer device 800 may include: a communication interface 801, a memory 802, a processor 803, and a communication bus 804. Communication interface 801, memory 802, and processor 803 communicate with each other via communication bus 804. The communication interface 801 is used for data communication between the computer device 800 and external devices. The memory 802 may be used to store software programs and modules that the processor 803 may operate by running the software programs and modules stored in the memory 802, such as the software programs for corresponding operations in the foregoing method embodiments.
Alternatively, the processor 803 may invoke a software program and modules stored in the memory 802 to perform the following operations:
acquiring first address information in first data corresponding to a first component;
when a first address pointed by the first address information is an address in a storage space corresponding to a second component, acquiring a first preset identifier corresponding to the first address, wherein the second component is different from the first component;
storing a first association relation between the first address and the first preset identifier into a first storage space, wherein the first storage space is a storage space outside a storage space corresponding to the second component;
updating the first address information and the access information of the object for accessing the first address according to the first preset identifier and the first association relation, so that the object searches the first address according to the updated first address information, the updated access information and the first association relation when accessing the first address.
The present application also provides a computer-readable storage medium storing a computer program. The computer readable storage medium may be applied to a computer device, and the computer program causes the computer device to execute corresponding processes in the methods in the embodiments of the present application, which are not described herein for brevity.
The present application also provides a computer program product comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer readable storage medium, and the processor executes the computer instructions, so that the computer device executes the corresponding flow in the methods in the embodiments of the present application, which is not described herein for brevity.
The present application also provides a computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer readable storage medium, and the processor executes the computer instructions, so that the computer device executes the corresponding flow in the methods in the embodiments of the present application, which is not described herein for brevity.
It should be appreciated that the processor of an embodiment of the present application may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method embodiments may be implemented by integrated logic circuits of hardware in a processor or by instructions in software form. The processor may be a general purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field programmable gate array (Field Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components. Such a processor may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be embodied directly in execution by a hardware decoding processor, or in execution by a combination of hardware and software modules in a decoding processor. The software modules may be located in a random access memory, flash memory, read only memory, programmable read only memory, electrically erasable programmable memory, registers, or another storage medium well known in the art. The storage medium is located in a memory, and the processor reads the information in the memory and, in combination with its hardware, performs the steps of the above method.
It will be appreciated that the memory in embodiments of the application may be volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory. The nonvolatile memory may be a Read-Only Memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an Electrically Erasable EPROM (EEPROM), or a flash memory. The volatile memory may be random access memory (Random Access Memory, RAM), which acts as an external cache. By way of example, and not limitation, many forms of RAM are available, such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), and Direct RAM (DR RAM). It should be noted that the memory of the systems and methods described herein is intended to comprise, without being limited to, these and any other suitable types of memory.
It should be understood that the above memory is illustrative but not restrictive, and for example, the memory in the embodiments of the present application may be Static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous Link DRAM (SLDRAM), direct RAM (DR RAM), and the like. That is, the memory in embodiments of the present application is intended to comprise, without being limited to, these and any other suitable types of memory.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the several embodiments provided by the present application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application, in essence or in the part contributing to the prior art, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer or a server) to perform all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk, an optical disk, or the like.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (14)

1. An attack defense method based on address processing, comprising the following steps:
acquiring first address information in first data corresponding to a first component;
when a first address pointed by the first address information is an address in a storage space corresponding to a second component, acquiring a first preset identifier corresponding to the first address, wherein the second component is different from the first component;
storing a first association relation between the first address and the first preset identifier into a first storage space, wherein the first storage space is a storage space outside a target storage space corresponding to the first component;
updating the first address information and first access information of a first object for accessing the first address according to the first preset identifier and the first association relation, so that the first object searches the first address according to the updated first address information, the updated first access information and the first association relation when accessing the first address.
2. The method of claim 1, wherein updating the first address information and the first access information of the first object for accessing the first address according to the first preset identifier and the first association relation comprises:
replacing the first address by using the first preset identifier, and updating the first access information of the first object for accessing the first address according to the association relation between the first preset identifier and the first address.
3. The method according to claim 2, wherein the method further comprises:
when a first access request corresponding to the updated first access information is received, determining the first address according to the first association relation between the first preset identifier and the first address;
and determining the data in the first address as an access result corresponding to the first access request.
4. The method according to claim 1, wherein the method further comprises:
acquiring first data corresponding to the first component;
acquiring a preset offset;
and transferring the first data corresponding to the first component from the original storage space corresponding to the first component to the target storage space according to the preset offset, wherein the target storage space is a storage space outside the original storage space.
5. The method according to claim 4, wherein the method further comprises:
when the first address pointed by the first address information is an address in the target storage space, acquiring the offset of the first address relative to the address of the first address information;
updating the first address information according to the offset to obtain updated first address information;
updating second access information of a second object for accessing the first address according to the updated first address information and the address of the first address information, so that the second object searches the first address according to the updated first address information and the updated second access information when accessing the first address.
6. The method according to claim 1, wherein the method further comprises:
and when the number of memory allocation requests for the target storage space is determined to be larger than a first preset number, and/or when the space size of the occupied storage space in the target storage space is determined to be larger than a first preset space ratio, garbage collection is carried out on the target storage space.
7. The method according to claim 1, wherein the method further comprises:
when a data writing request aiming at the target storage space is received, setting the authority of the target storage space as a readable and writable authority;
writing corresponding data according to the data writing request;
and setting the authority of the target storage space as readable executable authority.
8. The method according to claim 1, wherein the method further comprises:
acquiring a defending instruction input by a user;
acquiring a target algorithm corresponding to the defense instruction;
and updating the second data corresponding to the first component according to the target algorithm.
9. The method according to claim 1, wherein the method further comprises:
acquiring a plurality of components of a target application program;
determining at least a portion of the plurality of components that includes address information;
and determining the first component from the at least a portion of the plurality of components.
10. The method according to claim 1, wherein the method further comprises:
acquiring a selection instruction of a user for selecting a first component from a plurality of components of a target application program;
and determining the first component according to the selection instruction.
11. An address processing-based attack defense apparatus, the apparatus comprising:
the acquisition unit is used for acquiring first address information in first data corresponding to the first component;
the acquiring unit is further configured to acquire a first preset identifier corresponding to a first address when the first address pointed by the first address information is an address in a storage space corresponding to a second component, where the second component is different from the first component;
the storage unit is used for storing a first association relation between the first address and the first preset identifier into a first storage space, wherein the first storage space is a storage space outside a target storage space corresponding to the first component;
the updating unit is used for updating the first address information and the first access information of the first object for accessing the first address according to the first preset identifier and the first association relation, so that the first address is searched according to the updated first address information, the updated first access information and the first association relation when the first object accesses the first address.
12. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program adapted to be loaded by a processor for performing the method according to any of claims 1-10.
13. A computer device, characterized in that it comprises a processor and a memory, in which a computer program is stored, the processor being arranged to execute the method according to any of claims 1-10 by invoking the computer program stored in the memory.
14. A computer program product comprising computer instructions which, when executed by a processor, implement the method of any of claims 1-10.
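As an added illustration of the indirection described in claims 1 to 3 (example code written for this page, not code from the patent or its applicant), the following C program stands in for the two components with fixed buffers: slots in the first component's data that point into the second component's storage space are replaced by a preset identifier (here a tagged index, a constructed choice), the identifier-to-address association is kept in a separate table outside the component's own data, and the access path resolves identifiers through that table and refuses identifiers that have no association. Names, buffer layouts, the tag value and the assumption of 64-bit user-space addresses (top 16 bits clear) are all assumptions of this example.

```c
/* Added example: pointer indirection through an association table held outside
 * the component's storage space. All names, layouts and the tag value are
 * constructed for this illustration; they are not taken from the patent. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

/* Assumption: 64-bit user-space pointers, whose top 16 bits are never set, so a
 * tagged value in that range can be told apart from a real address. */
_Static_assert(sizeof(uintptr_t) == 8, "example assumes 64-bit addresses");
#define HANDLE_TAG   ((uintptr_t)0xA5A5 << 48)   /* preset-identifier marker (constructed) */
#define HANDLE_MASK  ((uintptr_t)0xFFFF << 48)
#define MAX_HANDLES  64
#define NUM_SLOTS    4

/* Storage space of the second component: a fixed buffer standing in for its region. */
static unsigned char component_b[256];

/* Data of the first component: a record with address-sized slots (constructed layout). */
typedef struct { uintptr_t slots[NUM_SLOTS]; } component_a_data;

/* The "first storage space": the association table, a separate object from both components. */
typedef struct { uintptr_t addr[MAX_HANDLES]; size_t count; } assoc_table;

static bool in_component_b(uintptr_t a) {
    uintptr_t lo = (uintptr_t)component_b, hi = lo + sizeof component_b;
    return a >= lo && a < hi;
}

static bool is_handle(uintptr_t v) { return (v & HANDLE_MASK) == HANDLE_TAG; }

/* Return the preset identifier for addr, creating the association on first use.
 * Returns 0 when the table is full. */
static uintptr_t handle_for(assoc_table *t, uintptr_t addr) {
    for (size_t i = 0; i < t->count; i++)
        if (t->addr[i] == addr) return HANDLE_TAG | (uintptr_t)i;
    if (t->count >= MAX_HANDLES) return 0;
    t->addr[t->count] = addr;
    return HANDLE_TAG | (uintptr_t)t->count++;
}

/* Claim 1 steps: for every slot whose address lies in component B's space, store
 * the (address, identifier) association and overwrite the slot with the
 * identifier. Returns the number of slots replaced. */
size_t protect_addresses(component_a_data *d, assoc_table *t) {
    size_t replaced = 0;
    for (size_t i = 0; i < NUM_SLOTS; i++) {
        if (!in_component_b(d->slots[i])) continue;
        uintptr_t h = handle_for(t, d->slots[i]);
        if (h == 0) break;                 /* table full: leave remaining slots untouched */
        d->slots[i] = h;
        replaced++;
    }
    return replaced;
}

/* Updated access path (claim 3): a slot holding an identifier is resolved through
 * the association table; an identifier with no association yields NULL. */
void *resolve(const component_a_data *d, const assoc_table *t, size_t slot) {
    uintptr_t v = d->slots[slot];
    if (!is_handle(v)) return (void *)v;   /* plain address outside B: not indirected */
    size_t idx = (size_t)(v & ~HANDLE_MASK);
    if (idx >= t->count) return NULL;      /* forged or stale identifier: refuse */
    return (void *)t->addr[idx];
}

/* Worked scenario; returns 0 when every check passes, otherwise the failing step. */
int demo(void) {
    static int other_object;               /* constructed object outside component B */
    assoc_table table = {{0}, 0};
    component_a_data a = {{ (uintptr_t)&component_b[16], (uintptr_t)&other_object,
                            (uintptr_t)&component_b[100], 0 }};
    if (protect_addresses(&a, &table) != 2) return 1;
    /* Raw data no longer exposes B's layout: the slots hold identifiers, not addresses. */
    if (!is_handle(a.slots[0]) || is_handle(a.slots[1]) || !is_handle(a.slots[2])) return 2;
    if (resolve(&a, &table, 0) != (void *)&component_b[16]) return 3;
    if (resolve(&a, &table, 1) != (void *)&other_object) return 4;
    if (resolve(&a, &table, 2) != (void *)&component_b[100]) return 5;
    a.slots[3] = HANDLE_TAG | 50;          /* identifier that was never associated */
    if (resolve(&a, &table, 3) != NULL) return 6;
    return 0;
}

int main(void) { return demo(); }
```

The point of keeping the table outside the component's own data is that a read of the first component's data (the situation the patent's defense targets) yields only opaque identifiers; the association needed to turn them back into addresses lives elsewhere, and the resolver's bounds check is what makes an unassociated identifier fail closed rather than dereference an arbitrary value.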
CN202211609733.6A 2022-12-14 2022-12-14 Attack defense method and device based on address processing, electronic equipment and medium Pending CN116975869A (en)


Publications (1)

Publication Number Publication Date
CN116975869A true CN116975869A (en) 2023-10-31

Family

ID=88483807



Legal Events

Date Code Title Description
PB01 Publication