CN116992438A - Method, device, equipment and medium for repairing real-time loopholes based on code vaccine


Info

Publication number: CN116992438A
Application number: CN202311237423.0A
Authority: CN (China)
Prior art keywords: vulnerability, information, patch, function, request
Legal status: Pending (Google's assumed status, not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 张涛, 宁戈, 周幸, 李�浩, 周辜名
Current assignee: Beijing Anpro Information Technology Co ltd
Original assignee: Beijing Anpro Information Technology Co ltd

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55 Detecting local intrusion or implementing counter-measures > G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F16/00 Information retrieval; Database structures therefor; File system structures therefor > G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data > G06F16/25 Integrating or interfacing systems involving database management systems
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities > G06F21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

The embodiments of the application provide a method, device, equipment and medium for real-time vulnerability repair based on a code vaccine, which relate to the field of network security vulnerability repair and comprise the following steps: obtaining a vulnerability type from at least one piece of vulnerability information, where the vulnerability information is generated while a user operates a target application; generating a repair patch based on the vulnerability information if the vulnerability type does not exist in the vulnerability database; and installing the repair patch at a target position of the target application. In this way a patch can be generated automatically when the vulnerability database holds no patch for the current vulnerability type, so the vulnerability can be repaired in real time and both the dependence on the vulnerability database and the limitations of vulnerability repair are reduced.

Description

Method, device, equipment and medium for repairing real-time loopholes based on code vaccine
Technical Field
The embodiments of the application relate to the field of network security vulnerability repair, and in particular to a method, device, equipment and medium for real-time vulnerability repair based on a code vaccine.
Background
In the related technology, vulnerability information is obtained through a probe, and a hot-repair code is then obtained by comparison against a vulnerability database. However, because the related technology relies on rule-policy matching between the vulnerability and the repair, it can only respond quickly to a security attack event; it cannot repair the vulnerability in real time. In addition, because matching against the vulnerability database is required, the related technology can only hot-repair vulnerabilities whose characteristics resemble those already in the database, so it is limited.
Therefore, how to improve vulnerability repair efficiency and reduce the limitations of vulnerability repair are problems to be solved.
Disclosure of Invention
The embodiments of the application provide a method, device, equipment and medium for real-time vulnerability repair based on a code vaccine.
In a first aspect, the present application provides a method for real-time vulnerability repair based on a code vaccine, the method comprising: obtaining a vulnerability type from at least one piece of vulnerability information, where the vulnerability information is generated while a user operates a target application; generating a repair patch based on the vulnerability information if the vulnerability type does not exist in the vulnerability database; and installing the repair patch at a target position of the target application.
Therefore, unlike the prior art, in which a repair patch can only be obtained from the vulnerability database, the method and device generate the repair patch from the user request information. This ensures that a repair patch absent from the vulnerability database is obtained in time and the vulnerability is repaired in real time, which reduces the dependence on the vulnerability database and the limitations of vulnerability repair, and allows a discovered vulnerability to be repaired in real time even when no repair patch for it exists in the vulnerability database.
With reference to the first aspect, in one embodiment of the present application, the vulnerability information includes risk function information and the user request information corresponding to that risk function information; before obtaining the vulnerability type from the vulnerability information, the method further comprises: inserting bytecode at preset positions in functions of the target application, where the bytecode is used at least to acquire the user request information and the risk function information. Obtaining the vulnerability type from the vulnerability information then includes: acquiring the user request information through the bytecode and storing it in a request data table; acquiring the risk function information through the bytecode that monitors the risk function, and obtaining vulnerability information when user request information corresponding to the risk function information is confirmed to exist in the request data table; and determining the vulnerability type from the vulnerability information.
Therefore, by inserting bytecode into the functions of the target application, the embodiment can monitor user requests in real time and quickly detect calls to a risk function, so vulnerabilities are found quickly, vulnerability information is obtained, and the security of the target application is improved.
With reference to the first aspect, in an embodiment of the present application, the bytecode includes a first bytecode and a second bytecode, and inserting the bytecode at preset positions in the functions of the target application comprises: inserting the first bytecode at a preset position in a request-related function of the target application, where the first bytecode acquires the user request information; and inserting the second bytecode at a preset position in a risk function of the target application, where the second bytecode acquires the risk function information.
Therefore, by inserting bytecode into the request-related functions and the risk functions, the embodiment can quickly acquire the user request information and the risk function information.
With reference to the first aspect, in an implementation of the present application, generating a repair patch based on the vulnerability information includes: generating a matching condition corresponding to the at least one piece of vulnerability information; and generating the repair patch from the matching condition and a patch strategy action.
Therefore, by generating a repair patch that corresponds to the user request information, the embodiment can produce the repair patch for the current user request in real time, shorten the repair time, make the vulnerability repair process more flexible, and prevent a vulnerability from going unrepaired because no corresponding patch exists in the vulnerability database.
With reference to the first aspect, in an embodiment of the present application, the repair patch includes a traffic patch and/or an instrumentation patch, and installing the repair patch at a target location of the target application includes: installing the traffic patch at at least one preset location in a request-related function of the target application; and/or installing the instrumentation patch at a preset position corresponding to at least one risk function.
Therefore, by installing the instrumentation patch in functions similar to the risk function, the embodiment can intercept an abnormal user request in advance, improving the security of the target application while allowing the other functions of the risk function to continue operating normally.
With reference to the first aspect, in an embodiment of the present application, the at least one preset location in the request-related function is at least one of the request URL, request header, request method, request body, response header, and response status code.
With reference to the first aspect, in an implementation of the present application, generating a repair patch based on the vulnerability information includes: generating a traffic patch and/or an instrumentation patch from the vulnerability information, selected according to the vulnerability situation or the function attributes.
Therefore, by selecting different patch types according to the vulnerability situation or the function attributes, the embodiment can prevent the vulnerability repair from disturbing the normal operation of the application.
With reference to the first aspect, in an embodiment of the present application, before generating a repair patch based on the vulnerability information, the method further includes: determining a preliminary protection strategy corresponding to the risk function information, and executing it.
Therefore, by executing the preliminary protection strategy before the patch is generated, the embodiment ensures that the abnormal user request is intercepted first, which secures the target application.
In a second aspect, the present application provides a device for real-time vulnerability repair based on a code vaccine, the device comprising: a vulnerability acquisition module configured to obtain a vulnerability type from at least one piece of vulnerability information, where the vulnerability information is generated while a user operates a target application; a patch generation module configured to generate a repair patch based on the vulnerability information if it is determined that the vulnerability type does not exist in the vulnerability database; and a patch installation module configured to install the repair patch at a target location of the target application.
With reference to the second aspect, in one embodiment of the present application, the vulnerability information includes risk function information and the user request information corresponding to that risk function information; the vulnerability acquisition module is further configured to: insert bytecode at preset positions in functions of the target application, where the bytecode is used at least to acquire the user request information and the risk function information; acquire the user request information through the bytecode and store it in a request data table; acquire the risk function information through the bytecode that monitors the risk function, and obtain vulnerability information when user request information corresponding to the risk function information is confirmed to exist in the request data table; and determine the vulnerability type from the vulnerability information.
With reference to the second aspect, in an embodiment of the present application, the bytecode includes a first bytecode and a second bytecode; the vulnerability acquisition module is further configured to: insert the first bytecode at a preset position in a request-related function of the target application, where the first bytecode acquires the user request information; and insert the second bytecode at a preset position in a risk function of the target application, where the second bytecode acquires the risk function information.
With reference to the second aspect, in an embodiment of the present application, the patch generation module is further configured to: generate a matching condition corresponding to the at least one piece of vulnerability information; and generate the repair patch from the matching condition and a patch strategy action.
With reference to the second aspect, in an embodiment of the present application, the repair patch includes a traffic patch and/or an instrumentation patch; the patch installation module is further configured to: install the traffic patch at at least one preset location in a request-related function of the target application; and/or install the instrumentation patch at a preset position corresponding to at least one risk function.
With reference to the second aspect, in one embodiment of the present application, the at least one preset location in the request-related function is at least one of the request URL, request header, request method, request body, response header, and response status code.
With reference to the second aspect, in an embodiment of the present application, the patch generation module is further configured to: generate a traffic patch and/or an instrumentation patch from the user request information, selected according to the vulnerability situation or the function attributes.
With reference to the second aspect, in an embodiment of the present application, the patch installation module is further configured to: determine a preliminary protection strategy corresponding to the risk function information, and execute it.
In a third aspect, the present application provides an electronic device, comprising: a processor, a memory, and a bus; the processor is connected to the memory via the bus, the memory storing a computer program which, when executed by the processor, performs the method according to any embodiment of the first aspect.
In a fourth aspect, the present application provides a computer readable storage medium having stored thereon a computer program which, when executed, performs a method according to any embodiment of the first aspect.
Drawings
Fig. 1 is a schematic view of the scene composition of real-time bug fixes based on a code vaccine according to an embodiment of the present application;
Fig. 2 is a flow chart of a method for real-time bug fixes based on a code vaccine according to an embodiment of the present application;
Fig. 3 is a schematic diagram of a method for real-time bug fixes based on a code vaccine according to an embodiment of the present application;
Fig. 4 is a schematic diagram of the device composition for real-time bug fixes based on a code vaccine according to an embodiment of the present application;
Fig. 5 is a schematic diagram of an electronic device according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments of the present application, but not all embodiments of the present application. The components of the embodiments of the present application generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the application, as presented in the figures, is not intended to limit the scope of the application, as claimed, but is merely representative of selected embodiments of the application. All other embodiments, which can be made by a person skilled in the art without any inventive effort, are intended to be within the scope of the present application based on the embodiments of the present application.
The repair scheme in the related art requires a lot of time for a series of processes such as vulnerability localization, code modification, compiling, testing and going online. During the repair the service needs to be suspended while this series of steps is performed, so the vulnerability repair process disrupts the normal operation of the service, and when the repair takes too long the interval in between may be exploited through the vulnerability. To address this, the prior art loads RASP probes into the web server, obtains vulnerability information through the probes and then compares it against a vulnerability database to perform the repair; however, the prior art can only hot-repair vulnerabilities whose characteristics resemble those in the vulnerability database, so it remains limited.
It should be noted that runtime application self-protection (RASP) is a newer application security protection technology: a protection program is injected into the application like a vaccine and integrated with it, so that the application can detect and block security attacks in real time and has self-protection capability; when the application is actually attacked, it can defend itself automatically without manual intervention.
Code vaccine technology: code security capability is injected into the application server like a vaccine, so that the traffic being analysed is clearly visible inside the application server and the context of the running application is perceived. This makes it possible to diagnose, at runtime, the location of a vulnerability and the cause of a defect, and on that basis to detect and respond autonomously and actively defend against external threats.
Therefore, the application can solve the problems that existing vulnerabilities cannot be repaired directly while the service is running and that the repair time and repair cycle are long, so that real-time repair is not achieved, the service is affected, and secure service cannot be guaranteed. In other words, the existing rule-policy matching scheme can only hot-repair vulnerabilities with characteristics similar to those in the vulnerability database, and is therefore limited.
In order to solve the problems in the background art, in some embodiments of the present application, firstly, a vulnerability type is obtained through at least one vulnerability information, then, under the condition that the vulnerability type is confirmed to be absent in a vulnerability database, a repair patch is generated based on the at least one vulnerability information, and finally, the repair patch is installed at a target position of a target application, so that the patch can be automatically generated under the condition that the patch of the current vulnerability type is absent in the vulnerability database, thereby realizing real-time repair of the vulnerability, and reducing the dependency on the vulnerability database and the vulnerability repair limitation.
The method steps in the embodiments of the present application are described in detail below with reference to the drawings.
Fig. 1 provides a schematic view of the composition of a scenario for real-time bug fixes based on a code vaccine, the scenario including a user 110 and a client 120, in some embodiments of the application. Specifically, after the user 110 sends a user request to the client 120, the client 120 obtains the vulnerability type through at least one piece of vulnerability information, then generates a repair patch according to the vulnerability type and the vulnerability information, and finally installs the repair patch to the target location of the target application.
The method for repairing the real-time loopholes based on the code vaccine provided by some embodiments of the application is exemplified by a client. It can be appreciated that the technical scheme of the vulnerability restoration method according to the embodiment of the present application can be applied to any electronic device loaded with an application program, for example, a mobile phone, a computer, etc., and the present application does not limit the type of the electronic device loaded with the application program.
To address at least the problems in the background art, as shown in Fig. 2 and Fig. 3, some embodiments of the present application provide a method for real-time vulnerability repair based on a code vaccine, which includes:
S210: obtaining the vulnerability type from at least one piece of vulnerability information.
It should be noted that the vulnerability information includes at least one piece of risk function information and the user request information corresponding to each piece of risk function information. The user request information is generated during operation of the target application; for example, the user clicks a button in the target application, or requests to change or delete a file or process in the target application, and corresponding user request information is generated. The risk function information is information generated by calling a risk function.
In one embodiment of the present application, the specific steps for obtaining the vulnerability type from at least one piece of vulnerability information are as follows:
S2101: inserting bytecode at preset positions in functions of the target application, where the bytecode is used at least to acquire user request information and risk function information.
It will be appreciated that a risk function is a function used to detect the user's operational behaviour in the application and is related to the user performing a dangerous action; once a risk function is invoked, the current user request may be an abnormal request. Examples are the Runtime.getRuntime().exec function for command execution, the java.sql.ResultSet.executeQuery function for database queries, the external dependency loading function new URL, the external method call function RMI, and the like.
That is, in order to ensure that the user request information and the risk function information generated by calling a risk function can be obtained in time, the request-related functions and the risk functions are instrumented with instrumentation probes, which facilitates the subsequent real-time vulnerability repair.
Specifically, the bytecode comprises a first bytecode and a second bytecode. The first bytecode is inserted at a preset position in a request-related function of the target application and acquires the user request information; the second bytecode is inserted at a preset position in a risk function of the target application and acquires the risk function information.
That is, the first bytecode, which acquires the request information, is inserted at the beginning or end of the request-related function, and the second bytecode at the beginning or end of the risk function, so that the client acquires the request information while the request is executed and the risk function information when the risk function is executed.
It will be appreciated that in the process of acquiring the risk function information, only one risk function may be triggered, so as to acquire one risk function information, and a plurality of risk functions may be triggered, so as to acquire a plurality of corresponding risk function information.
It can be understood that the preset location in the request-related function is at least one of the request URL, request header, request method, request body, response header and response status code. The preset position may be adjusted according to actual requirements; placing it at the beginning or end of the function is only an example, and the application is not limited thereto.
Specifically, when a class is loaded by a class loader (ClassLoader), its bytecode is first handed to a custom transformer for processing. The custom transformer judges whether the class is one that requires instrumentation (a hook); if so, the class is handed to a bytecode processing framework, which walks through each function according to an event-driven model. When a function that requires instrumentation is matched, the first bytecode for acquiring request information is inserted at the beginning or end of the request-related function and the second bytecode at the beginning or end of the risk function, and finally the instrumented function is returned to the custom transformer to be loaded into the Java virtual machine.
As a specific embodiment of the present application, the request-related function may be a function related to HTTP POST and GET requests, for example Enumeration<String> getHeaders(String name), which returns the values of a request header (there may be several) given the header name; String[] getParameterValues(String name), which returns the values of a request parameter given the parameter name; or Map<String, String[]> getParameterMap(), which returns all request parameters stored in a Map.
S2102: acquiring the user request information through the bytecode and storing it in a request data table.
That is, after the user sends a request to the client, a function of the corresponding application in the client is called; the bytecode inserted in S2101 acquires the user request information, which is then stored in the request data table. In other words, the request-related function is monitored, the user request information is obtained through the probe (the bytecode), and the hash value of the request parameter in the user request information is stored in the request data table.
S2103: acquiring the risk function information by monitoring the risk function with the bytecode, and obtaining vulnerability information when user request information corresponding to the risk function information is confirmed to exist in the request data table.
That is, in the process of discovering a vulnerability, the risk function is monitored through the second bytecode; when the risk function is called, the risk function information (including the parameters of the risk function) is obtained, the hash of the current risk function's parameters is looked up in the request data table, and if the hash value matches, a vulnerability exists and the vulnerability information is obtained. In other words, after the hash value of the request parameter in the user request information has been stored in the request data table, observing that the hash value of a called risk function's parameter exists in the request data table indicates that a vulnerability exists, and the vulnerability information corresponding to that vulnerability is then acquired.
The vulnerability information includes the user request information (request header, request body, etc.) and the stack trace of the risk function, and specifically includes the function parameters, the command actually executed, the class name, the function name, etc.
S2104: determining the vulnerability type from the vulnerability information.
Specifically, whether the vulnerability is known is judged from the vulnerability information. Vulnerability types include data injection, command execution and deserialization attack, and the type is mainly determined from the command actually executed by the vulnerable function in the vulnerability information. The vulnerability information also includes vulnerability policies; for known types these include custom black and white lists and policies for the different vulnerability types. If the vulnerability is of a known type, the corresponding patch is looked up directly in the vulnerability database to repair it.
It can be appreciated that, since there are several pieces of vulnerability information, one piece may be used to determine its corresponding vulnerability type, or several pieces may be used together to determine a vulnerability type.
S2105: determining a preliminary protection strategy corresponding to the risk function information, and executing it.
That is, according to the explicit dangerous action the user performs by calling the risk function, as recorded in the risk function information, a preliminary protection strategy corresponding to that action is executed so that the dangerous action is quickly stopped from continuing. For example, if the dangerous action is command execution, the preliminary protection policy is to prevent command execution; if it is file creation, the policy is to prevent file creation; if it is an outbound network connection, the policy is to prevent the outbound connection.
It will be appreciated that the preliminary protection strategies above are merely examples, and that the present application may implement a preliminary protection strategy corresponding to any dangerous action.
S220: generating a repair patch based on at least one piece of vulnerability information when the vulnerability type does not exist in the vulnerability database.
It should be noted that the vulnerability database includes patches of a plurality of vulnerability types.
That is, when the vulnerability type is not a known vulnerability type and a corresponding repair patch cannot be found directly in the vulnerability database, the repair patch is generated automatically from the vulnerability information, so that a vulnerability of an unknown type can still be repaired in time.
In one embodiment of the present application, generating a repair patch based on the user request information specifically includes: generating a matching condition corresponding to the at least one piece of vulnerability information; and generating the repair patch from the matching condition and the patch policy action.
Specifically, an unknown vulnerability needs to be analyzed before the patch is generated. This includes obtaining, from the acquired vulnerability information, the class name of the risk function (e.g. Runtime), the function name (e.g. exec), the parameters of the function, and so on. The parameters of the user request in the user request information also need to be extracted, including the URL, headers, body, etc., as does the function stack information.
The repair patch includes a traffic patch; when the traffic patch is generated, the acquired user request parameters are used as the values of the traffic patch. The content of a traffic patch comprises patch information and patch rules. The patch information comprises the patch name, the issuing language and the protection strategy; the protection strategy is either logging and alerting, or blocking interception. The patch rules comprise the patch type, the patch parameter and the constraint rule; the constraint rule comprises a conditional expression and the conditional content, where the conditional expression is "contains" or "does not contain" and the conditional content is the value of the parameter.
For example, a traffic patch may read as follows:
"Interface matching condition: URL / header / request parameter
Expression: the value of the URL / header / request parameter contains, equals, or does not contain
Value of the parameter: /p/562081766
Protection policy action: logging / blocking interception"
The interface matching condition indicates that one of URL, header or request parameter is selected for matching. The expression indicates whether the URL, header or request parameter is matched on containing the given value, equalling it, or not containing it. The value of the parameter is the URL, header or request parameter value, and the protection policy action is the protection strategy executed once the expression matches. For example, if the request parameter value in the above traffic patch is "/p/562081766" and the expression matches "/p/562081766", then once the current user request matches the expression, logging and/or blocking interception is performed.
The repair patch also includes an instrumentation patch, whose content comprises patch information and patch rules. The patch information comprises the patch name, the issuing language, the protection strategy and the processing logic. The patch rules comprise the patch type, the patch class name, the function name and the constraint rule, where the constraint rule comprises: the condition, the function parameter, the parameter position, and the conditional expression and conditional content corresponding to the condition. The number of patches may be one or more, and their relationship may be "and" or "or". One patch corresponds to one parameter of a request or of a function; when there are several patches, several traffic patches or instrumentation patches can be combined through an operator expression into a single patch, so that the characteristics of the vulnerability are covered comprehensively and a complete patch is generated, improving the repair effect.
For example, for a call to the risk function Runtime.getRuntime().exec(), the instrumentation patch is:
"Interface matching condition:
Class name: Runtime.getRuntime()
Function name: exec
Expression: contains the value of the parameter, equals the value of the parameter, or does not contain the value of the parameter
Position of the parameter: the ordinal of the function parameter to be matched
Value of the parameter: rm/-f (i.e. the command that deletes all files on the disk)
Protection policy action: logging / blocking interception"
The interface matching condition gives the class name and function name of the risk function to match; the expression is "contains rm/-f", "equals rm/-f" or "does not contain rm/-f"; the position of the parameter gives which parameter of the function is matched; the current parameter is compared with that parameter of the function; and when the conditions match, logging and/or blocking interception is executed.
In one embodiment of the application, the traffic patch and/or the instrumentation patch is generated from the user request information, selected according to the vulnerability situation or the attributes of the function.
That is, in order not to affect the normal operation of the target application, different repair patches may be selected according to the actual vulnerability situation, such as the attack mode of the vulnerability: both a traffic patch and an instrumentation patch, only a traffic patch, or only an instrumentation patch. For example, if the vulnerability does not require interception, only an instrumentation patch is used. If the function is inconvenient to instrument, or instrumenting it may have side effects, only a traffic patch is used. If the function of the target application places no constraint on the patch, both types, traffic patch and instrumentation patch, may be selected.
It should be noted that, to reduce the amount of computation in the patch generation process, after the repair patch of one risk function has been generated, only part of its content needs to be modified to obtain the repair patch of another risk function. For example, if the expression in the repair patch for risk function A is "contains the value of the parameter", then when generating the repair patch for risk function B only the expression may be changed to "does not contain the value of the parameter", with the other content kept the same, thereby reducing the amount of computation.
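The steps S2104 and S220 above, as an added example that is not the patent's own code: it models the traffic and instrumentation patch formats described here and generates both from one piece of vulnerability information, first checking a vulnerability database by type. The dataclass, field names, the mapping from risk function to vulnerability type, the sample request and the sample database are all constructed for illustration; the "tainted argument" heuristic (an argument of the risk function that equals a value taken from the request) is an assumption, not the patent's method.

```python
"""Constructed model of S2104 / S220: classify, look up the database, else generate
a traffic patch and an instrumentation patch from the vulnerability information."""
import copy
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# Constructed: which risk functions indicate which vulnerability type.
RISK_FUNCTION_TYPES = {
    ("java.lang.Runtime", "exec"): "command_execution",
    ("java.lang.ProcessBuilder", "start"): "command_execution",
    ("java.sql.Statement", "execute"): "data_injection",
    ("java.io.ObjectInputStream", "readObject"): "deserialization",
}


@dataclass
class VulnerabilityInfo:
    """Risk-function information joined with its originating user request."""
    class_name: str
    function_name: str
    args: List[str]
    url: str
    headers: Dict[str, str]
    body: str
    stack: List[str] = field(default_factory=list)


def determine_type(info):
    """S2104: classify by the risk function that was actually called."""
    return RISK_FUNCTION_TYPES.get((info.class_name, info.function_name), "unknown")


def request_values(info):
    """Flatten the user request into (interface, name, value) triples."""
    parts = urlsplit(info.url)
    values = [("url", "path", parts.path)]
    values += [("url", k, v) for k, v in parse_qsl(parts.query)]
    values += [("header", k, v) for k, v in info.headers.items()]
    values += [("body", k, v) for k, v in parse_qsl(info.body)]
    return values


def tainted_argument(info):
    """Assumed heuristic: the first risk-function argument equal to a request value.
    Returns (position, interface, name, value) or None."""
    for pos, arg in enumerate(info.args):
        for interface, name, value in request_values(info):
            if arg == value:
                return pos, interface, name, value
    return None


def generate_traffic_patch(info, action="block"):
    """Constraint on the request parameter that fed the risk function."""
    taint = tainted_argument(info) or (0, "url", "path", urlsplit(info.url).path)
    _, interface, name, value = taint
    return {"patch_info": {"name": f"traffic-{determine_type(info)}",
                           "language": "java", "action": action},
            "patch_rule": {"type": "traffic", "parameter": interface, "name": name,
                           "constraint": {"expression": "contains", "value": value}}}


def generate_instrumentation_patch(info, action="block"):
    """Constraint on the risk function's argument at the tainted position."""
    taint = tainted_argument(info)
    pos, value = (taint[0], taint[3]) if taint else (0, info.args[0])
    return {"patch_info": {"name": f"inst-{determine_type(info)}",
                           "language": "java", "action": action},
            "patch_rule": {"type": "instrumentation", "class_name": info.class_name,
                           "function_name": info.function_name,
                           "constraint": {"position": pos, "expression": "contains",
                                          "value": value}}}


def derive_patch(patch, expression):
    """Reuse a generated patch for another risk function by changing only its
    expression, as described for risk functions A and B."""
    derived = copy.deepcopy(patch)
    derived["patch_rule"]["constraint"]["expression"] = expression
    return derived


def generate_repair_patch(info, vulnerability_db, select="both"):
    """S220: stored patch when the type is in the database; otherwise generate
    traffic and/or instrumentation patches joined by an and/or operator."""
    vuln_type = determine_type(info)
    if vuln_type in vulnerability_db:
        return {"source": "database", "patches": [vulnerability_db[vuln_type]]}
    patches = []
    if select in ("both", "traffic"):
        patches.append(generate_traffic_patch(info))
    if select in ("both", "instrumentation"):
        patches.append(generate_instrumentation_patch(info))
    return {"source": "generated", "operator": "or", "patches": patches}


# Constructed sample: a ping endpoint whose host parameter reaches exec().
SAMPLE = VulnerabilityInfo(
    class_name="java.lang.Runtime", function_name="exec",
    args=["ping", "-c", "1", "203.0.113.5"],
    url="/api/ping?host=203.0.113.5", headers={"User-Agent": "curl/8.0"}, body="",
    stack=["PingController.ping", "Shell.run", "java.lang.Runtime.exec"])
# Constructed database that only holds a data-injection patch.
KNOWN_PATCHES = {"data_injection": {"patch_info": {"name": "db-sqli", "action": "block"}}}

if __name__ == "__main__":
    import json
    print(json.dumps(generate_repair_patch(SAMPLE, KNOWN_PATCHES), indent=2))
```

With the sample above the type is command execution, which the constructed database does not hold, so both a traffic patch (URL parameter "host" contains "203.0.113.5") and an instrumentation patch (argument 3 of Runtime.exec contains the same value) are generated; passing select="traffic" or select="instrumentation" reproduces the single-patch choices described in the text.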
S230: installing the repair patch at the target position of the target application.
In one embodiment of the application, the traffic patch is installed to at least one preset location in the request-related function of the target application.
That is, the traffic patch may be installed at the instrumentation positions of step S210; in other words, the preset positions of S210 are the target positions of the traffic patch when the patch is installed.
In one embodiment of the application, the instrumentation patch is installed at a preset position corresponding to at least one risk function.
That is, according to the risk function found to have been called, a function close to the risk function in the function stack information is selected as the instrumentation position, or several function points in the function stack information may be instrumented. The instrumentation patch requires fresh instrumentation, performed in the same manner as in S210. For example, for a risk function at position A, position B one function away from A may be set as a target position and position C two functions away from A as another target position, and the instrumentation operation is performed there to install the instrumentation patch.
It will be appreciated that instrumentation need not only be performed at positions near the risk function: the instrumentation position of the risk function itself from S210 may also be used as the target position for installing the patch.
It should be noted that either the traffic patch or the instrumentation patch may be selected for installation, or both may be installed, so as to improve the protection effect.
In one embodiment of the present application, the process of repairing a vulnerability with the repair patch is: parse the issued patch content; if the current patch is a traffic patch, parse its patch parameters and constraint rules, insert the patch at the position of the patch parameter, and execute the constraint rules; if the current patch is an instrumentation patch, parse its patch class name, function name and constraint rules, insert the patch at the position of the patch parameter according to the instrumented class name and function name, and execute the constraint rules.
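The installation and execution process just described, as an added example that is not the patent's own code: a toy application (a request handler that passes a URL parameter to a stand-in Runtime.exec) is hot-patched by wrapping its request-related function with a traffic patch and replacing the risk function on its class with an instrumentation patch, each of which evaluates its constraint rule and then logs or blocks. The patch layout, the toy application, the class registry, the in-memory event list and the sample patch content are constructed; here the traffic rule is matched against the raw URL, a named header or the raw body.

```python
"""Constructed model of S230: parse issued patch content and install each patch
at its target position by wrapping the request function / the risk function."""
import functools
import json
from urllib.parse import parse_qsl, urlsplit

# The three conditional expressions named in the patch format.
EXPRESSIONS = {
    "contains": lambda actual, expected: expected in actual,
    "equals": lambda actual, expected: actual == expected,
    "not_contains": lambda actual, expected: expected not in actual,
}
EVENTS = []  # constructed stand-in for the log: (patch name, action) tuples


class Blocked(Exception):
    """Raised when a matching patch carries the blocking action."""


def apply_action(patch):
    """Protection policy action: record the event, and block if so configured."""
    name, action = patch["patch_info"]["name"], patch["patch_info"]["action"]
    EVENTS.append((name, action))
    if action == "block":
        raise Blocked(name)


def matches(constraint, actual):
    return EXPRESSIONS[constraint["expression"]](actual, constraint["value"])


# --- constructed toy target application ------------------------------------
class Runtime:
    """Stand-in for the risk-function class; a real exec() would spawn a process."""
    def exec(self, *args):
        return "executed " + " ".join(args)


RUNTIME = Runtime()
CLASS_REGISTRY = {"java.lang.Runtime": Runtime}  # how the installer finds classes


def handle_request(url, headers, body):
    """Request-related function: the hook point for traffic patches."""
    host = dict(parse_qsl(urlsplit(url).query)).get("host", "")
    return RUNTIME.exec("ping", "-c", "1", host)


# --- installer --------------------------------------------------------------
def install_traffic_patch(patch, request_fn):
    """Wrap the request-related function; the rule runs before the original."""
    rule = patch["patch_rule"]

    @functools.wraps(request_fn)
    def hooked(url, headers, body):
        actual = {"url": url, "header": headers.get(rule.get("name", ""), ""),
                  "body": body}[rule["parameter"]]
        if matches(rule["constraint"], actual):
            apply_action(patch)
        return request_fn(url, headers, body)
    return hooked


def install_instrumentation_patch(patch):
    """Replace the risk function on its class by class name and function name;
    the rule checks the argument at the configured position."""
    rule = patch["patch_rule"]
    cls = CLASS_REGISTRY[rule["class_name"]]
    original = getattr(cls, rule["function_name"])
    position = rule["constraint"]["position"]

    @functools.wraps(original)
    def hooked(self, *args):
        if position < len(args) and matches(rule["constraint"], args[position]):
            apply_action(patch)
        return original(self, *args)
    setattr(cls, rule["function_name"], hooked)
    return original  # kept so the patch can be uninstalled later


def install_patches(issued_json, request_fn):
    """Parse the issued patch content and install every patch it contains.
    Returns the (possibly wrapped) request entry point."""
    entry = request_fn
    for patch in json.loads(issued_json)["patches"]:
        if patch["patch_rule"]["type"] == "traffic":
            entry = install_traffic_patch(patch, entry)
        elif patch["patch_rule"]["type"] == "instrumentation":
            install_instrumentation_patch(patch)
    return entry


# Constructed patch content as it might be issued for the ping endpoint above:
# the traffic patch only logs, the instrumentation patch blocks.
ISSUED = json.dumps({"operator": "or", "patches": [
    {"patch_info": {"name": "traffic-cmd-exec", "action": "log"},
     "patch_rule": {"type": "traffic", "parameter": "url",
                    "constraint": {"expression": "contains", "value": "host=203.0.113.5"}}},
    {"patch_info": {"name": "inst-cmd-exec", "action": "block"},
     "patch_rule": {"type": "instrumentation", "class_name": "java.lang.Runtime",
                    "function_name": "exec",
                    "constraint": {"position": 3, "expression": "contains",
                                   "value": "203.0.113.5"}}}]})

if __name__ == "__main__":
    entry = install_patches(ISSUED, handle_request)
    print(entry("/api/ping?host=198.51.100.7", {}, ""))
    try:
        entry("/api/ping?host=203.0.113.5", {}, "")
    except Blocked as exc:
        print("blocked by", exc, EVENTS)
```

A request that matches neither rule passes through unchanged; the matching request is first logged at the request-related function and then blocked at the risk function, which is the layered effect the text describes when both patch kinds are installed.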
As shown in fig. 3, in one embodiment of the present application, user request information is obtained from a request-related function, and risk function information corresponding to each risk function is obtained from several risk functions. First, a first bytecode is inserted into the request-related function and a second bytecode into each risk function (see S2101 for details); then the parameter hash values of the obtained user request information are stored in a request data table (see S2102 for details), and vulnerability information is obtained by matching each piece of risk function information against the request data table by parameter hash (see S2103 for details). Then, when the current vulnerability type does not exist in the vulnerability database, a repair patch comprising a traffic patch and an instrumentation patch is generated from the several pieces of vulnerability information (see S220 above for details). Finally, the traffic patch is installed at the preset position of the request-related function, and the instrumentation patch at the preset position of the risk function (see S230 above for details).
Therefore, the method and the device solve the problem that conventional vulnerability repair schemes cannot hot-repair vulnerabilities under the protection of a rule policy; they achieve real-time hot repair, and achieve a better repair result by combining traffic patches, instrumentation patches, and one or more patches.
According to the method, probes inserted in advance at critical functions extract vulnerability information in real time, different patch schemes are provided for different vulnerabilities, and real-time vulnerability repair is achieved; at the same time, virtual-patch hot repair can cover all vulnerabilities. This addresses the problems of existing approaches, in which vulnerabilities cannot be repaired directly while the service is running, repair takes long and has a long cycle, real-time repair is impossible, service operation is affected, and service security cannot be guaranteed in the meantime. It also addresses the limitation of existing rule-policy matching schemes, which can only hot-repair vulnerabilities whose characteristics resemble those already in the vulnerability database.
The method for real-time vulnerability repair based on the code vaccine has been described above; the device for real-time vulnerability repair based on the code vaccine is described below.
As shown in fig. 4, some embodiments of the present application provide an apparatus 300 for real-time bug fixes based on code vaccine, the apparatus comprising: vulnerability acquisition module 310, patch generation module 320, and patch installation module 330.
A vulnerability obtaining module 310 configured to obtain a vulnerability type through at least one vulnerability information, wherein the at least one vulnerability information is generated by a user in a process of operating a target application; a patch generation module 320 configured to generate a repair patch based on the at least one vulnerability information if it is confirmed that the vulnerability type does not exist in the vulnerability database; a patch installation module 330 is configured to install the repair patch to a target location of the target application.
In one embodiment of the present application, the vulnerability information includes risk function information and user request information corresponding to the risk function information; vulnerability acquisition module 310 is further configured to: inserting byte codes in preset positions in the target application function, wherein the byte codes are at least used for acquiring the user request information and the risk function information; acquiring the user request information through the byte code, and storing the user request information in a request data table; acquiring the risk function information through the byte code monitoring risk function, and acquiring vulnerability information when confirming that user request information corresponding to the risk function information exists in the request data table; and determining the vulnerability type through the vulnerability information.
In one embodiment of the present application, the bytecode includes a first bytecode and a second bytecode; the vulnerability acquisition module 310 is further configured to: inserting the first byte code in a preset position in a function related to the request of the target application, wherein the first byte code is used for acquiring the user request information; and inserting the second byte code in a preset position in the risk function of the target application, wherein the second byte code is used for acquiring the risk function information.
In one embodiment of the present application, the patch generation module 320 is further configured to: generating a matching condition corresponding to the at least one piece of vulnerability information; and generating the repair patch through the matching condition and the patch strategy action.
In one embodiment of the application, the repair patch comprises a traffic patch and/or an instrumentation patch; the patch installation module 330 is further configured to: install the traffic patch at at least one preset location in a request-related function of the target application; and/or install the instrumentation patch at a preset position corresponding to at least one risk function.
In one embodiment of the present application, the at least one preset location in the function related to the request is at least one of URL related to the request, request header, request method, request body, response header, and response status code.
In one embodiment of the application, patch generation module 320 is further configured to: and generating a traffic patch and/or the instrumentation patch based on the user request information according to the vulnerability situation or the function attribute selection.
In one embodiment of the present application, the patch installation module 330 is further configured to: and determining a preliminary protection strategy corresponding to the risk function information, and executing the preliminary protection strategy.
In the embodiment of the application, the module shown in fig. 4 can implement each process in the embodiments of the methods of fig. 1, 2 and 3. The operation and/or function of the individual modules in fig. 4 are for the purpose of realizing the respective flows in the method embodiments in fig. 1 and 2, 3, respectively. Reference is specifically made to the description in the above method embodiments, and detailed descriptions are omitted here as appropriate to avoid repetition.
As shown in fig. 5, an embodiment of the present application provides an electronic device 400, including: a processor 410, a memory 420 and a bus 430, said processor being connected to said memory by means of said bus, said memory storing computer readable instructions for implementing the method according to any of the above-mentioned embodiments, when said computer readable instructions are executed by said processor, see in particular the description of the above-mentioned method embodiments, and detailed descriptions are omitted here as appropriate for avoiding repetition.
Wherein the bus is used to enable direct connection communication of these components. The processor in the embodiment of the application can be an integrated circuit chip with signal processing capability. The processor may be a general-purpose processor, including a central processing unit (Central Processing Unit, CPU for short), a network processor (Network Processor, NP for short), etc.; but may also be a Digital Signal Processor (DSP), application Specific Integrated Circuit (ASIC), an off-the-shelf programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware components. The disclosed methods, steps, and logic blocks in the embodiments of the present application may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The memory may be, but is not limited to, Random Access Memory (RAM), Read-Only Memory (ROM), Programmable Read-Only Memory (PROM), Erasable Programmable Read-Only Memory (EPROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), etc. The memory has stored therein computer readable instructions which, when executed by the processor, perform the method described in the above embodiments.
It will be appreciated that the configuration shown in fig. 5 is illustrative only and may include more or fewer components than shown in fig. 5 or have a different configuration than shown in fig. 5. The components shown in fig. 5 may be implemented in hardware, software, or a combination thereof.
Embodiments of the present application also provide a computer readable storage medium, on which a computer program is stored, which when executed by a server, implements a method according to any one of the foregoing embodiments, and specifically reference may be made to the description in the foregoing method embodiments, and detailed descriptions are omitted herein as appropriate for avoiding repetition.
The above description is only of the preferred embodiments of the present application and is not intended to limit the present application, but various modifications and variations can be made to the present application by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application. It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (11)

1. A method of real-time vulnerability restoration based on a code vaccine, the method comprising:
obtaining a vulnerability type through at least one vulnerability information, wherein the at least one vulnerability information is generated by a user in the process of operating a target application;
generating a repair patch based on the at least one vulnerability information if the vulnerability type does not exist in the vulnerability database;
and installing the repair patch to a target position of the target application.
2. The method of claim 1, wherein the vulnerability information includes risk function information and user request information corresponding to the risk function information;
before the obtaining the vulnerability type through the at least one vulnerability information, the method further comprises:
inserting byte codes in preset positions in the target application function, wherein the byte codes are at least used for acquiring the user request information and the risk function information;
the obtaining the vulnerability type through at least one vulnerability information includes:
acquiring the user request information through the byte code, and storing the user request information in a request data table;
acquiring the risk function information through the byte code monitoring risk function, and acquiring vulnerability information when confirming that user request information corresponding to the risk function information exists in the request data table;
and determining the vulnerability type through the vulnerability information.
3. The method of claim 2, wherein the bytecode comprises a first bytecode and a second bytecode;
the inserting the byte code in the preset position in the function of the target application comprises the following steps:
inserting the first byte code in a preset position in a function related to the request of the target application, wherein the first byte code is used for acquiring the user request information;
and inserting the second byte code in a preset position in the risk function of the target application, wherein the second byte code is used for acquiring the risk function information.
4. A method according to any of claims 1-3, wherein the generating a repair patch based on the at least one vulnerability information comprises:
generating a matching condition corresponding to the at least one piece of vulnerability information;
and generating the repair patch through the matching condition and the patch strategy action.
5. A method according to any of claims 1-3, wherein the repair patch comprises a traffic patch and/or an instrumentation patch;
the installing the repair patch to a target location of the target application includes:
installing the traffic patch to at least one preset location in a request-related function of the target application; and/or
installing the instrumentation patch at a preset position corresponding to at least one risk function.
6. The method of claim 5, wherein the at least one predetermined location in the request-related function is at least one of a request-related URL, a request header, a request method, a request body, a response header, and a response status code.
7. The method of claim 5, wherein the generating a repair patch based on the at least one vulnerability information comprises:
generating a traffic patch and/or the instrumentation patch based on the vulnerability information according to vulnerability conditions or function attributes.
8. A method according to any of claims 1-3, wherein prior to said generating a repair patch based on said at least one vulnerability information, the method further comprises:
and determining a preliminary protection strategy corresponding to the risk function information, and executing the preliminary protection strategy.
9. An apparatus for real-time vulnerability restoration based on code vaccine, the apparatus comprising:
the vulnerability acquisition module is configured to acquire a vulnerability type through at least one vulnerability information, wherein the at least one vulnerability information is generated by a user in the process of operating a target application;
a patch generation module configured to generate a repair patch based on the at least one vulnerability information if it is determined that the vulnerability type does not exist in the vulnerability database;
a patch installation module configured to install the repair patch to a target location of the target application.
10. An electronic device, comprising: a processor, a memory, and a bus;
the processor is connected to the memory via the bus, the memory storing a computer program which, when executed by the processor, performs the method according to any of claims 1-8.
11. A computer readable storage medium, characterized in that the computer readable storage medium has stored thereon a computer program which, when executed, implements the method according to any of claims 1-8.
CN202311237423.0A 2023-09-25 2023-09-25 Method, device, equipment and medium for repairing real-time loopholes based on code vaccine Pending CN116992438A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311237423.0A CN116992438A (en) 2023-09-25 2023-09-25 Method, device, equipment and medium for repairing real-time loopholes based on code vaccine

Publications (1)

Publication Number Publication Date
CN116992438A true CN116992438A (en) 2023-11-03

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117610009A (en) * 2023-11-23 2024-02-27 北京安普诺信息技术有限公司 Cross-thread vulnerability repairing method and device based on code vaccine RASP probe

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination