CN117130917A - Gray-box testing method, device and system for containerized Java applications - Google Patents


Info

Publication number: CN117130917A
Authority: CN (China)
Prior art keywords: target, java application, iast, agent, application
Legal status: Granted
Application number: CN202311091226.2A
Other languages: Chinese (zh)
Other versions: CN117130917B (en)
Inventors: 张涛, 宁戈, 张弛, 周雅飞, 杜玉洁
Current Assignee: Beijing Anpro Information Technology Co ltd
Original Assignee: Beijing Anpro Information Technology Co ltd
Application filed by Beijing Anpro Information Technology Co ltd
Priority to CN202311091226.2A
Publication of CN117130917A
Application granted
Publication of CN117130917B
Status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/3668 Software testing
    • G06F11/3672 Test management
    • G06F11/3684 Test management for test design, e.g. generating new test cases
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/3664 Environments for testing or debugging software
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/3668 Software testing
    • G06F11/3672 Test management
    • G06F11/3688 Test management for test execution, e.g. scheduling of test suites

Landscapes

  • Engineering & Computer Science
  • Theoretical Computer Science
  • Computer Hardware Design
  • Quality & Reliability
  • Physics & Mathematics
  • General Engineering & Computer Science
  • General Physics & Mathematics
  • Stored Programmes

Abstract

The embodiments of the application disclose a gray-box testing method, device and system for containerized Java applications. In the method, an IAST preload container is created to provide a preloaded IAST Agent Jar package file to the target Java application copies deployed on a container cloud platform; during startup of the target Java application, code in the IAST Agent Jar package file is loaded and executed to load the IAST Agent into the Java virtual machine; and the IAST Agent perceives the runtime context of the target Java application in order to analyze and identify its security defects and vulnerabilities. This greatly improves the deployment efficiency and operability of gray-box testing for containerized Java applications.

Description

Gray-box testing method, device and system for containerized Java applications
Technical Field
The embodiments of the application mainly relate to the field of security of containerized Java applications, and in particular to a gray-box testing method, device and system for containerized Java applications.
Background
Java is a very popular programming language, widely used to develop many kinds of applications such as Web applications, mobile applications and embedded applications. Java-based applications (Java applications) offer cross-platform capability and object-oriented programming, and benefit from a good ecosystem and developer community resources, so they are favored by developers; as related technologies have developed, Java applications have also become widely used in cloud computing, big data, distributed systems and similar fields. As digitalization advances, applications play an increasingly important role in the production and daily life of human society; as their breadth and importance grow, application security becomes more important and the threats to it increase. Related research has shown that more and more security defects and vulnerabilities are being found in applications, and that they account for a growing share.
To address the deteriorating application security situation, the industry has proposed a variety of application security testing techniques, such as SAST, DAST and IAST, to reduce the impact of security issues. IAST (Interactive Application Security Testing) is a new generation of application security testing solution proposed by Gartner. It mainly uses server-side probe agents, traffic agents and the like to collect and monitor function execution, data transmission and so on while the Web application is running, and through real-time analysis efficiently and accurately identifies security defects and vulnerabilities in the Web application and can even locate them. IAST combines the advantages of SAST (commonly known as white-box testing) and DAST (commonly known as black-box testing), so it is also known as gray-box testing; it has a high vulnerability detection rate and a low false-positive rate, can accurately locate security defects and vulnerabilities, and is the best practice for achieving application security. In IAST practice for single-machine deployment, the IAST Agent is mainly deployed by manual configuration.
However, with the arrival of the cloud computing era, cloud service models such as container cloud are being widely applied in enterprise IT, education and scientific research, finance and securities, health care and other fields, and container cloud technology is becoming a mainstream trend for software applications. Container cloud technology greatly facilitates the development, deployment and management of applications. Deploying container cloud applications provides users with more flexible, efficient and economical computing resources and services, and greatly promotes digital transformation and application innovation. In Java-centric container cloud security practice, however, not only must a Java application that can be deployed in the container cloud environment be built (that is, a containerized Java application), but the IAST experience gained from single-machine deployment also cannot be carried over to IAST for Java applications in containerized deployment. The mismatch shows up as follows. Under the conventional strategy, each Java application copy depends on a copy of an image file, prepared in advance, that includes the IAST Agent Jar package file, and IAST Agent deployment must still be configured manually during Java application startup, which in large-scale deployment is necessarily inefficient or even untimely. In addition, under that strategy, deploying the same containerized Java application in different computing environments requires building a corresponding image file for each environment (mainly packaging the corresponding dependencies or dependency combinations into the image file for each computing environment), which is clearly inefficient. In view of this, providing an efficient gray-box test deployment scheme for containerized Java applications has become a practical problem to be solved in order to strengthen the security of containerized Java applications.
Disclosure of Invention
According to the embodiments of the application, a gray-box testing scheme for containerized Java applications is provided. An IAST preload container is created to provide a preloaded IAST Agent Jar package file to the target Java application copies deployed on a container cloud platform, and the IAST Agent is loaded during startup of the target Java application and executed to find the security defects and vulnerabilities of the target Java application, which solves the (deployment) efficiency and operability problems of gray-box testing for containerized Java applications.
In a first aspect of the present disclosure, a gray-box testing method for a containerized Java application is provided. The method comprises the following steps: during containerized deployment of the target Java application, when a request triggers deployment of the target Java application, an IAST preload container is created before the target application container instance is created, the IAST preload container being preloaded with the IAST Agent Jar package file; and when target application container instances are created on a container cloud platform cluster node, for each target application container instance, during startup of the target Java application, the relevant code fragments in the IAST Agent Jar package file are loaded and executed through a shared volume between the current target application container instance and the IAST preload container, so as to load the IAST Agent into the Java virtual machine, and the IAST Agent collects/monitors the runtime context of the target Java application in order to analyze and identify security defects and hidden vulnerabilities in the target Java application.
Optionally, in an implementation of the first aspect, the IAST Agent may collect/monitor the request/response, function execution, data transmission and the like of the target Java application through an instrumentation probe, a traffic agent or the like, so as to perceive the runtime context of the target Java application and then analyze and identify security defects and hidden vulnerabilities in it. The traffic agent, instrumentation probe and the like may be used alone or in combination with one another.
Further optionally, in one specific implementation of the foregoing implementation, when the IAST Agent perceives the runtime context of the target Java application through an instrumentation probe, this is generally achieved by a probe Agent in the IAST Agent instrumenting the target Java application with the relevant probe logic. The process by which the probe Agent instruments the target Java application with the relevant probe logic may be: during initialization of the probe Agent, a bytecode transformer for inserting the relevant probe logic is registered according to the configuration file in the IAST Agent Jar package file; when a class is loaded, the registered bytecode transformer transforms the bytecode of the class according to the corresponding bytecode transformation rule, thereby inserting the relevant probe logic, which then collects/monitors the runtime context of the target Java application and may even analyze and identify security defects, hidden vulnerabilities and the like in the target Java application.
Still further optionally, in one specific implementation of the foregoing implementation, a listener may be registered in the aforementioned bytecode transformer; while the target Java application is running, when a new class is loaded into the Java virtual machine and the listener detects that the class meets the matching condition, the bytecode transformer transforms the bytecode of the class according to the corresponding bytecode transformation rule.
Still further optionally, in a specific implementation of the foregoing implementation, the bytecode transformation rule is recorded in a corresponding probe logic configuration, and the probe logic configuration may be flexibly configured according to the software characteristics of the category to which the target Java application belongs. The bytecode transformation rules in the probe logic configuration can thus be better adapted to the target Java application, so that efficient and low-cost gray-box testing can be provided for it. The probe logic configuration can be set according to the software characteristics of the field and industry of the target Java application (such as the frameworks and components commonly adopted in that field and industry) so as to match or be compatible with the gray-box test of the target Java application, which in turn reduces false negatives and false positives.
In a second aspect of the present disclosure, a gray-box testing system for a containerized Java application is provided, for performing the respective processes of gray-box testing of the containerized Java application in the method of the first aspect and its various implementations. The system comprises an IAST preload unit and a containerized Java application gray-box testing unit. The IAST preload unit is used to preload the IAST Agent Jar package file for the containerized Java application gray-box testing unit in each target application container instance deployed on the container cloud platform; the containerized Java application gray-box testing unit is used to provide gray-box testing for the target Java application in the target application container instance in which the unit is located. During containerized deployment of the target Java application, when a request triggers deployment of the target Java application, the IAST preload unit creates an IAST preload container and preloads the IAST Agent Jar package file before the target application container instance is created. Then, when the container cloud platform creates a target application container instance on a cluster node, the containerized Java application gray-box testing unit, during startup of the target Java application, loads and executes code in the IAST Agent Jar package file through a shared volume between the current target application container instance and the IAST preload container, so as to load the IAST Agent into the Java virtual machine, and collects/monitors the runtime context of the target Java application through the IAST Agent in order to analyze and identify security defects and hidden vulnerabilities in the target Java application.
In a third aspect of the present disclosure, a gray-box testing device for containerized Java applications is provided. The device comprises: at least one processor, a memory coupled to the at least one processor, and a computer program stored in the memory. The processor executes the computer program to implement the gray-box testing method for the containerized Java application described in the first aspect, and/or the process in that method of creating an IAST preload container and preloading the IAST Agent Jar package file, and/or the process in that method of performing gray-box testing on the target Java application in the target application container instance.
In a fourth aspect of the present disclosure, a computer-readable storage medium is provided. The computer-readable storage medium stores computer instructions related to security testing of the containerized Java application; the computer instructions, when executed by a computer processor, implement the gray-box testing method for the containerized Java application described in the first aspect, and/or the process in that method of creating an IAST preload container and preloading the IAST Agent Jar package file, and/or the process in that method of performing gray-box testing on the target Java application in the target application container instance.
In a fifth aspect of the present disclosure, a computer program product is provided. The program product comprises a computer program which, when executed by a computer processor, implements the gray-box testing method for the containerized Java application described in the first aspect, and/or the process in that method of creating an IAST preload container and preloading the IAST Agent Jar package file, and/or the process in that method of performing gray-box testing on the target Java application in the target application container instance.
It should be understood that what is described in this summary is not intended to identify key or essential features of the embodiments of the disclosure, nor to limit the scope of the disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
The above and other features, advantages and aspects of embodiments of the present disclosure will become more apparent by reference to the following detailed description when taken in conjunction with the accompanying drawings. In the drawings, wherein like or similar reference numerals designate like or similar elements, and wherein:
FIG. 1 illustrates a schematic diagram of the process of gray-box testing of a containerized Java application set forth in an embodiment of the disclosure;
FIG. 2 illustrates a block diagram of a gray-box testing system for a containerized Java application as set forth in an embodiment of the disclosure;
FIG. 3 illustrates a block diagram of a computing device capable of implementing various embodiments of the present disclosure.
Detailed Description
Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the present disclosure are shown in the accompanying drawings, it is to be understood that the present disclosure may be embodied in various forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided for a more thorough and complete understanding of the present disclosure. It should be understood that the drawings and embodiments of the present disclosure are for illustration purposes only and are not intended to limit the scope of the present disclosure.
In describing embodiments of the present disclosure, the term "comprising" and its like should be taken to be open-ended, i.e., including, but not limited to. The term "based on" should be understood as "based at least in part on". The term "one embodiment" or "the embodiment" should be understood as "at least one embodiment". The terms "first," "second," and the like, may refer to different or the same object. Other explicit and implicit definitions are also possible below.
In the description of the embodiments of the present disclosure, the technical term "target Java application" refers to any containerized Java application program that is the target object of security testing; because gray-box tests (i.e. interactive security tests) are executed in parallel, the "target Java application" may in practice be a containerized Java application under business testing or in production (mainly in sampling mode) that is selected to execute gray-box tests in parallel with the test traffic/production traffic. The technical term "target Java application copy" refers to a copy of the "target Java application"; in general, it refers to a copy of the "target Java application" created in a test environment, a production environment, or the like. The technical term "target Java application instance" refers to an independent execution entity created inside the target Java application program; while the target Java application is running, a plurality of target Java application instances can be created, and each "target Java application instance" is a separate executing entity with its own data and state. The technical term "target application container" refers to a container used to carry and run the "target Java application"; the technical term "target application container instance" refers to a container instance in which a "target Java application copy" is running. The target application container instance mainly holds the "target Java application" and its dependencies, encapsulated by containerization technology; the dependencies in the target application container instance are intended to provide the corresponding computing environment for the "target Java application".
The technical term "target Java application runtime context" mainly refers to the "runtime context" of the "target Java application" in the Java runtime environment, where a runtime context can be understood as the environment and state during execution of the "target Java application", including the code being executed, the values of variables, function call stacks, object instances, etc.; thus, in the security testing process, the "target Java application runtime context" is typically used as the data source for detection and analysis in the relevant test. The technical term "target traffic" refers to the traffic generated by the "target Java application" in the test or production stage when the traffic agent collects/monitors the runtime context of the target Java application; it should be noted that, in the production scenario, "target traffic" generally refers to sampled traffic.
Today, with the emphasis on rapid delivery and deployment and on elastic scalability of digital applications, developing Java application products quickly by relying only on the excellent characteristics of Java and its good ecosystem and developer community resources can no longer meet fast-moving market needs, so containerized Java applications are becoming a popular choice for modern software development and operation processes. The containerized Java application model has greatly changed how applications are deployed and managed; however, the security risk of containerized Java applications continues to expand, and their security problems are becoming more serious. Even though security testing technologies such as IAST gray-box testing can greatly relieve the deteriorating security situation of containerized Java applications, in related security testing practice the IAST gray-box testing schemes provided in the prior art mainly borrow from IAST practice for Java applications in single-machine deployment. That practice mainly consists of modifying the startup command line configuration (startup item configuration) of the target Java application to link the IAST Agent Jar package file into the startup command line of the Java application, so that the IAST Agent is added as an agent of the Java virtual machine (on which the Java application runs) when the target Java application is started, and the related gray-box testing is then carried out through the IAST Agent. However, this traditional way of deploying gray-box tests by manually configuring the IAST Agent relies mainly on manual work and is obviously insufficient for large-scale deployment of containerized Java applications in a container cloud platform scenario. In view of this, there is a strong need for an efficient gray-box test deployment scheme for containerized Java applications that addresses the above series of problems.
According to the embodiments of the disclosure, a gray-box testing scheme for containerized Java applications is provided, which aims to solve problems such as low deployment efficiency and poor operability in the prior art. In the scheme, an IAST preload container is created to provide a preloaded IAST Agent Jar package file to the target Java application copies deployed on a container cloud platform; during startup of the target Java application, the IAST Agent is loaded into the Java virtual machine through the IAST Agent Jar package file; and the IAST Agent perceives the runtime context of the target Java application in order to analyze and identify its security defects and vulnerabilities. This improves the deployment efficiency and operability of gray-box testing for containerized Java applications and reduces possible interference with services during the gray-box test.
Embodiments of the present disclosure will be described in detail below with reference to the accompanying drawings.
Fig. 1 shows a schematic diagram of the process of gray-box testing of a containerized Java application proposed in an embodiment of the present disclosure. As shown in Fig. 1, the process 100 of gray-box testing of the containerized Java application mainly includes two steps. At 101, during containerized deployment of the target Java application, when a request triggers deployment of the target Java application, an IAST preload container is created before the target application container instance corresponding to the target Java application copy is created. The IAST preload container can be a common initialization container created from an IAST image file in which content including the IAST Agent Jar package file is packaged, so that once the IAST preload container has been created on the container cloud platform it contains the IAST Agent Jar package file; this achieves preloading of the IAST Agent Jar package file used for gray-box testing of the containerized Java application. At 102, when target application container instances are created on container cloud platform cluster nodes, for each target application container instance, during startup of the target Java application the preloaded IAST Agent Jar package file is loaded into the target Java application through a shared volume between the current target application container instance and the IAST preload container; while the target Java application is initializing on the Java virtual machine, the IAST Agent is loaded into the Java virtual machine by executing the relevant code fragments in the IAST Agent Jar package file; the IAST Agent then collects/monitors the runtime context of the target Java application, and either analyzes and identifies security defects and hidden vulnerabilities in the target Java application immediately, or outputs the runtime context of the target Java application to an analysis engine, which analyzes and identifies the security defects and hidden vulnerabilities in the target Java application.
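An added sketch of steps 101 and 102 (not code from the patent): it assumes Kubernetes as the container cloud platform, an init container as the IAST preload container, an `emptyDir` as the shared volume, and the JVM's `JAVA_TOOL_OPTIONS` variable carrying `-javaagent`. The image names, volume name, paths and jar name are hypothetical.

```python
import copy

# Hypothetical names chosen for this example; none of them come from the patent.
IAST_IMAGE = "registry.example.internal/iast-agent:placeholder"
VOLUME = "iast-agent"
MOUNT = "/opt/iast"
JAR = "iast-agent.jar"
AGENT_FLAG = f"-javaagent:{MOUNT}/{JAR}"


def inject_iast(pod_spec: dict) -> dict:
    """Return a copy of a Kubernetes-style pod spec wired for IAST preloading."""
    spec = copy.deepcopy(pod_spec)  # never mutate the caller's spec

    # Shared volume between the preload container and the application containers.
    volumes = spec.setdefault("volumes", [])
    if not any(v.get("name") == VOLUME for v in volumes):
        volumes.append({"name": VOLUME, "emptyDir": {}})

    # Step 101: an init container runs to completion before any application
    # container starts, and copies the agent jar from its image into the volume.
    inits = spec.setdefault("initContainers", [])
    if not any(c.get("name") == "iast-preload" for c in inits):
        inits.append({
            "name": "iast-preload",
            "image": IAST_IMAGE,
            "command": ["cp", f"/agent/{JAR}", f"{MOUNT}/{JAR}"],
            "volumeMounts": [{"name": VOLUME, "mountPath": MOUNT}],
        })

    # Step 102: every application container mounts the volume read-only (the
    # application cannot modify the agent jar) and the JVM is told to load it.
    for container in spec.get("containers", []):
        mounts = container.setdefault("volumeMounts", [])
        if not any(m.get("name") == VOLUME for m in mounts):
            mounts.append({"name": VOLUME, "mountPath": MOUNT, "readOnly": True})

        env = container.setdefault("env", [])
        var = next((e for e in env if e.get("name") == "JAVA_TOOL_OPTIONS"), None)
        if var is None:
            env.append({"name": "JAVA_TOOL_OPTIONS", "value": AGENT_FLAG})
        elif "valueFrom" in var:
            # The value lives in a ConfigMap/Secret; it cannot be appended to here.
            raise ValueError(f"{container.get('name')}: JAVA_TOOL_OPTIONS uses valueFrom")
        elif AGENT_FLAG not in var.get("value", "").split():
            # Keep the options the application already relies on.
            var["value"] = (var.get("value", "") + " " + AGENT_FLAG).strip()
    return spec


# Constructed sample pod spec: one container already sets JVM options, one does not.
SAMPLE_POD = {
    "containers": [
        {
            "name": "orders-api",
            "image": "registry.example.internal/orders-api:placeholder",
            "env": [{"name": "JAVA_TOOL_OPTIONS", "value": "-Xmx512m"}],
        },
        {
            "name": "orders-worker",
            "image": "registry.example.internal/orders-worker:placeholder",
        },
    ]
}

if __name__ == "__main__":
    import json
    print(json.dumps(inject_iast(SAMPLE_POD), indent=2))
```

The application image stays unchanged and agent upgrades touch only the IAST image, which is the decoupling the description relies on.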
In some embodiments, at 102, the IAST Agent may collect/monitor the target Java application runtime context via a instrumentation probe; specifically, it may be: causing the IAST Agent to be configured to include a probe Agent and causing the probe Agent to stub a first probe logic for a target Java application instance by: collecting/monitoring function execution, data transmission and the like at the running time of the target Java application to capture the running time context of the data flow, the control flow and the like, and further analyzing and identifying security defects and hidden holes in the target Java application based on the running time context of the data flow, the control flow and the like, or outputting the running time context of the target Java application to an analysis engine to analyze and identify the security defects and hidden holes in the target Java application. In addition, in some embodiments (some of these embodiments may also be some of the embodiments described above), the target Java application runtime context may also be collected/monitored by a traffic agent; specifically, it may be: and the IAST Agent is configured to comprise a flow Agent module, and when the target flow passes through the flow Agent module, the current target flow is copied by the flow Agent module and is transformed into a safety test flow, then the safety test is initiated by the transformed safety test flow, and further flow information such as a request, a response and the like in the safety test process is collected to analyze and identify the safety defect and the hidden vulnerability in the target Java application.
Additionally, in a specific implementation of some of the above embodiments, when the IAST Agent is configured to include a probe Agent, a process of the probe Agent to instrumentation a first probe logic for a target Java application may be: in the initializing process of the probe Agent, a byte code converter for inserting the first probe logic is registered according to a configuration file in an IAST Agent Jar package file, and when a class is loaded, the registered first byte code converter performs class byte code conversion according to a first byte code conversion rule to insert the first probe logic, and then the running context of the target Java application is collected/monitored; the first byte code conversion rule refers to a byte code conversion rule corresponding to the first probe logic.
Further, in a specific implementation of some embodiments, a listener may be further registered in the first bytecode converter, so as to monitor a new class loaded into the Java virtual machine during the running process of the target Java application, and when it is monitored that the new class is loaded into the Java virtual machine and meets a matching condition (i.e. the new class is not loaded and can be matched with a corresponding bytecode modification rule), the first bytecode converter performs the bytecode conversion of the class according to the corresponding bytecode conversion rule.
Further still, in a specific implementation of some of the embodiments described above, the first bytecode conversion rule is recited in a first probe logic configuration. In a more specific implementation, it may be: and embedding the first byte code conversion rule in a transformation method or dynamically configuring the first byte code conversion rule in a configuration which can be accessed by the transformation method. The first probe logic configuration can be flexibly configured according to the software characteristics of the class to which the target Java application belongs; for example, the target Java application is set according to the software characteristics of the field and industry (specifically, for example, the frame, the component and other software component compositions of the field/industry software or the main stream) so as to better match or be compatible with the ash box test of the target Java application, and reduce missing report and false report.
Fig. 2 shows a block diagram of a ash box testing system for a containerized Java application as set forth in an embodiment of the disclosure. The system may be used to perform the various processes of the ash box testing of the containerized Java application in the various embodiments described above. The system 200 includes: IAST preload unit 210 and containerized Java application ash box test unit 220. The IAST preloading unit 210 is mainly configured to preload the IAST Agent Jar package file for the containerized Java application ash box testing unit 220 in each target application container instance deployed on the container cloud platform; in the process of target Java application containerization deployment, when a request triggering target Java application deployment exists, IAST preloading unit 210 creates IAST preloading containers before creating target application container instances corresponding to target Java application copies; the IAST preloaded container 210 may be a common initialization container created according to an IAST image file, where the IAST image file packages contents including an IAST Agent Jar package file, so that when the IAST preloaded container is created on the container cloud platform, the IAST Agent Jar package file is included therein, so that loading of the IAST Agent Jar package file is provided for the containerized Java application ash box testing unit 220 in each target application container instance in a subsequent containerized Java application ash box testing process. 
The containerized Java application gray-box testing unit 220 mainly comprises a gray-box testing functional module that coexists with the target Java application process in the target Java application container instance, and is mainly used to provide gray-box testing for the target Java application in the target application container instance in which it resides. When target application container instances are created on the cluster nodes of the container cloud platform, for each target application container instance, the target Java application therein spawns a containerized Java application gray-box testing unit 220 alongside its process during startup. The containerized Java application gray-box testing unit 220 then loads the preloaded IAST Agent Jar package file into the target Java application through the shared volume between the current target application container instance and the IAST preloading container, and, while the target Java application is being initialized on the Java virtual machine, loads the IAST Agent into the Java virtual machine by executing the relevant code segments in the IAST Agent Jar package file. The IAST Agent then collects/monitors the runtime context of the target Java application and either analyzes and identifies security defects and hidden vulnerabilities in the target Java application on the fly, or outputs the runtime context of the target Java application to the analysis engine to analyze and identify security defects and hidden vulnerabilities in the target Java application.
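The preload-then-share flow described above can be written as a deployment manifest. This is an added illustration, not part of the patent: it assumes Kubernetes as the container cloud platform and the JVM's JAVA_TOOL_OPTIONS variable as the way the agent is attached at startup, and all image names, paths and labels are placeholders.

```yaml
# Added illustration (not from the patent). Assumes Kubernetes; every image
# name, digest, path and label below is a placeholder.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: target-java-app
spec:
  replicas: 2                        # every replica pod preloads its own agent copy
  selector:
    matchLabels:
      app: target-java-app
  template:
    metadata:
      labels:
        app: target-java-app
    spec:
      volumes:
        - name: iast-agent           # the shared volume between the two containers
          emptyDir: {}
      initContainers:
        # The "IAST preloading container": an ordinary init container built from
        # an image that packages the agent jar. It runs to completion before the
        # application container is started.
        - name: iast-preload
          image: registry.example.internal/iast-agent@sha256:<DIGEST-PLACEHOLDER>
          # Assumes the agent image ships a cp binary and the jar at this path.
          command: ["cp", "/opt/iast/agent.jar", "/shared/agent.jar"]
          volumeMounts:
            - name: iast-agent
              mountPath: /shared
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
      containers:
        # The "target application container instance".
        - name: app
          image: registry.example.internal/target-java-app@sha256:<DIGEST-PLACEHOLDER>
          env:
            # Read by the JVM at startup; the agent's premain runs before the
            # application's main method, so no change to the app image is needed.
            - name: JAVA_TOOL_OPTIONS
              value: "-javaagent:/iast/agent.jar"
          volumeMounts:
            - name: iast-agent
              mountPath: /iast
              readOnly: true         # the application cannot alter the agent jar
```

Mounting the shared volume read-only in the application container and pinning both images by digest keeps the agent that is actually loaded identical to the one that was packaged.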
In some embodiments, while the containerized Java application gray-box testing unit 220 provides gray-box testing for the target Java application in the target application container instance, the IAST Agent it loads may be configured to include a probe Agent, and the probe Agent instruments the target Java application instance with first probe logic in order to: collect/monitor function execution, data transmission and the like at the runtime of the target Java application so as to capture the runtime context, such as data flow and control flow, and then analyze and identify security defects and hidden vulnerabilities in the target Java application based on that runtime context, or output the runtime context of the target Java application to an analysis engine to analyze and identify the security defects and hidden vulnerabilities in the target Java application. In addition, in some embodiments (which may also be some of the embodiments described above), the IAST Agent may also be configured to include a traffic proxy module: when target traffic passes through the traffic proxy module, the module copies the current target traffic and transforms it into security test traffic, then initiates a security test with the transformed security test traffic, and collects traffic information such as requests and responses during the security test to analyze and identify security defects and hidden vulnerabilities in the target Java application.
Additionally, in a specific implementation of some of the above embodiments, when the IAST Agent loaded by the containerized Java application gray-box testing unit 220 is configured to include a probe Agent, the probe Agent may instrument the target Java application with the first probe logic as follows: during initialization of the probe Agent, a first bytecode converter for inserting the first probe logic is registered according to a configuration file in the IAST Agent Jar package file; when a class is loaded, the registered first bytecode converter performs bytecode conversion of the class according to a first bytecode conversion rule so as to insert the first probe logic, after which the runtime context of the target Java application is collected/monitored. The first bytecode conversion rule is the bytecode conversion rule corresponding to the first probe logic.
Further, in a specific implementation of some embodiments, for the IAST Agent loaded by the containerized Java application gray-box testing unit 220, a listener may be registered in the first bytecode converter of the probe Agent to listen for new classes loaded into the Java virtual machine while the target Java application is running; when it detects that a new class is loaded into the Java virtual machine and meets the matching condition (i.e. the new class has not been loaded before and can be matched to a corresponding bytecode conversion rule), the first bytecode converter performs bytecode conversion of the class according to the corresponding bytecode conversion rule.
Further, in a specific implementation of some of the embodiments described above, for the IAST Agent loaded by the containerized Java application gray-box testing unit 220, the first bytecode conversion rule may also be recorded in the first probe logic configuration of its probe Agent; in a more specific implementation, this can be achieved as described for the method in the related embodiments above. The first probe logic configuration can likewise be flexibly configured according to the software characteristics of the category to which the target Java application belongs, again as described for the method in the related embodiments, so as to adapt to the related security testing of the target Java application efficiently and at low cost, and to reduce false negatives and false positives by actively matching or being compatible with the gray-box test of the target Java application.
In some embodiments, an apparatus for gray-box testing of containerized Java applications is also presented. The apparatus may, in particular, be implemented by a computing device. Fig. 3 illustrates a block diagram of a computing device that can be used to implement some embodiments of the present disclosure. As shown in Fig. 3, the computing device 300 includes a central processing unit (CPU) 301 capable of executing various appropriate operations and processes according to computer program instructions stored in a read-only memory (ROM) 302 or computer program instructions loaded from a storage unit 308 into a random access memory (RAM) 303; the RAM 303 may also store the various program code and data required for the operation of the computing device 300. The CPU 301, ROM 302 and RAM 303 are connected to each other via a bus 304, and an input/output (I/O) interface 305 is also connected to the bus 304. Some components of the computing device 300 are connected through the I/O interface 305, including: an input unit 306, such as a mouse; an output unit 307, such as a display; a storage unit 308, such as a magnetic disk, an optical disk or a solid-state disk (SSD); and a communication unit 309, such as a network card or a modem. The communication unit 309 enables the computing device 300 to exchange information/data with other devices over a computer network. The CPU 301 is capable of performing the various methods and processes described in the above embodiments, such as process 100. In some embodiments, process 100 may be implemented as a computer software program that is stored on a computer-readable medium such as the storage unit 308. In some embodiments, part or all of the computer program is loaded or installed into the computing device 300. When the computer program is loaded into the RAM 303 and executed by the CPU 301, some or all of the operations of process 100 can be performed.
The functions described above herein may all be performed, at least in part, by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include: a field-programmable gate array (FPGA), an application-specific integrated circuit (ASIC), an application-specific standard product (ASSP), a system on a chip (SOC), a complex programmable logic device (CPLD), etc.
Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. The program code may be provided to a processor or controller of a general-purpose computer, special-purpose computer, or other programmable data processing apparatus such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be implemented. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine, or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
Moreover, although operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are included in the above discussion, these should not be construed as limiting the scope of the present disclosure. Certain features that are described in the context of separate embodiments can also be implemented in combination in a single implementation. Conversely, various features that are described in the context of a single implementation can also be implemented in multiple implementations separately or in any suitable subcombination.
Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are example forms of implementing the claims.

Claims (10)

1. A gray-box testing method for a containerized Java application, the method comprising:
in the target Java application containerized deployment process,
when a request triggers the deployment of a target Java application, an IAST preloading container is created before the creation of a target application container instance; the IAST preloading container is preloaded with IAST Agent Jar package files;
and creating the target application container instance on the container cloud platform cluster node,
for each target application container instance, the target Java application in the target Java application container instance loads a preloaded IAST Agent Jar package file into the target Java application through a shared volume between the current target application container instance and an IAST preloading container in the starting process, loads IAST Agent to the Java virtual machine through executing relevant code fragments in the IAST Agent Jar package file in the process of initializing the target Java application on the Java virtual machine, collects/monitors the running context of the target Java application through the IAST Agent, and instantly analyzes and identifies security defects and hidden vulnerabilities in the target Java application, or sends the running context of the target Java application to an analysis engine to analyze and identify the security defects and hidden vulnerabilities in the target Java application.
2. The method of claim 1, characterized in that,
the IAST Agent is configured to include a probe Agent,
and the probe Agent is caused to instrument the target Java application instance with first probe logic so as to: collect/monitor function execution and data transmission at the runtime of the target Java application to capture the runtime context of the target Java application, including data flow and control flow, and analyze and identify security defects and hidden vulnerabilities in the target Java application based on the runtime context of the target Java application, or output the runtime context of the target Java application to an analysis engine to analyze and identify the security defects and hidden vulnerabilities in the target Java application;
and/or,
the IAST Agent is configured to include a traffic proxy module,
and the target traffic is made to pass through the traffic proxy module; when the target traffic passes through, the traffic proxy module copies the current target traffic and modifies it into security test traffic, initiates a security test with the security test traffic, and collects the request and response traffic information during the security test to analyze and identify security defects and hidden vulnerabilities in the target Java application.
3. The method of claim 2, characterized in that,
the process of instrumentation of the first probe logic by the probe Agent on the target Java application comprises the following steps: registering a first byte code converter according to a configuration file in an IAST Agent Jar package file in the initializing process of the probe Agent, wherein the first byte code converter is used for inserting a first probe logic, and enabling the registered first byte code converter to perform byte code conversion of a class according to a first byte code conversion rule to insert the first probe logic when the class is loaded; the first byte code conversion rule refers to a byte code conversion rule corresponding to the first probe logic.
4. The method of claim 3, characterized in that,
a listener is registered in the first bytecode converter, and when it detects that a new class is loaded into the Java virtual machine and the matching condition is met, the first bytecode converter performs bytecode conversion of the class according to the corresponding bytecode conversion rule;
and/or,
the first bytecode conversion rule is recorded in a first probe logic configuration; and the first probe logic configuration is flexibly configured according to the software characteristics of the class to which the target Java application belongs.
5. A gray-box testing system for a containerized Java application, the system comprising:
an IAST preloading unit and a containerized Java application gray-box testing unit;
the IAST preloading unit is used for preloading the IAST Agent Jar package file for the containerized Java application gray-box testing unit in each target application container instance deployed on the container cloud platform; in the process of containerized deployment of the target Java application, when a request triggers deployment of the target Java application, the IAST preloading unit creates an IAST preloading container before a target application container instance is created; the IAST preloading container is preloaded with the IAST Agent Jar package file;
the containerized Java application gray-box testing unit is used for providing a gray-box test for the target Java application in the target application container instance in which it is located; when target application container instances are created on container cloud platform cluster nodes, for each target application container instance, the containerized Java application gray-box testing unit, during startup of the target Java application, loads and executes code in the IAST Agent Jar package file through a shared volume between the current target application container instance and the IAST preloading container so as to load the IAST Agent into the Java virtual machine, collects/monitors the runtime context of the target Java application through the IAST Agent, and either analyzes and identifies security defects and hidden vulnerabilities in the target Java application on the fly or sends the runtime context of the target Java application to an analysis engine to analyze and identify the security defects and hidden vulnerabilities in the target Java application.
6. The system of claim 5, characterized in that,
in the process in which the containerized Java application gray-box testing unit provides gray-box testing for the target Java application in the target application container instance in which it is located, the IAST Agent is configured to include: a probe Agent, and/or a traffic proxy module;
wherein, when configured to include a probe Agent, the probe Agent is caused to instrument the target Java application instance with first probe logic so as to: collect/monitor function execution and data transmission at the runtime of the target Java application to capture the runtime context of the target Java application, including data flow and control flow, and analyze and identify security defects and hidden vulnerabilities in the target Java application based on the runtime context of the target Java application, or output the runtime context of the target Java application to an analysis engine to analyze and identify the security defects and hidden vulnerabilities in the target Java application;
when configured to include a traffic proxy module, the target traffic is made to pass through the traffic proxy module; when the target traffic passes through, the traffic proxy module copies the current target traffic and modifies it into security test traffic, then initiates a security test with the security test traffic, and collects the request and response traffic information during the security test to analyze and identify security defects and hidden vulnerabilities in the target Java application.
7. The system of claim 6, characterized in that,
when the IAST Agent is configured to include a probe Agent,
the process of instrumentation of the first probe logic by the probe Agent on the target Java application comprises the following steps: registering a first byte code converter according to a configuration file in an IAST Agent Jar package file in the initializing process of the probe Agent, wherein the first byte code converter is used for inserting a first probe logic, and enabling the registered first byte code converter to perform byte code conversion of a class according to a first byte code conversion rule to insert the first probe logic when the class is loaded; the first byte code conversion rule refers to a byte code conversion rule corresponding to the first probe logic.
8. The system of claim 7, characterized in that,
in the probe Agent,
a listener is registered in the first bytecode converter, and when it detects that a new class is loaded into the Java virtual machine and the matching condition is met, the first bytecode converter performs bytecode conversion of the class according to the corresponding bytecode conversion rule;
and/or,
the first bytecode conversion rule is recorded in a first probe logic configuration; the first probe logic configuration is flexibly configured according to the software characteristics of the class to which the target Java application belongs.
9. A gray-box testing apparatus for containerized Java applications, the apparatus comprising:
at least one processor, a memory coupled to the at least one processor, and a computer program stored in the memory;
wherein the processor executes the computer program to implement the gray-box testing method for a containerized Java application of any of claims 1-4,
and/or,
the process, in said method, of creating the IAST preloading container and preloading the IAST Agent Jar package file,
and/or,
the process, in said method, of gray-box testing the target Java application in the target application container instance.
10. A computer-readable storage medium, characterized in that,
the computer-readable storage medium stores computer instructions related to security testing of the containerized Java application; the computer instructions, when executed by a computer processor, are capable of implementing the gray-box testing method for a containerized Java application according to any of claims 1-4,
and/or,
the process, in said method, of creating the IAST preloading container and preloading the IAST Agent Jar package file,
and/or,
the process, in said method, of gray-box testing the target Java application in the target application container instance.
CN202311091226.2A 2023-08-28 2023-08-28 Ash box testing method, device and system for containerized Java application Active CN117130917B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311091226.2A CN117130917B (en) 2023-08-28 2023-08-28 Ash box testing method, device and system for containerized Java application


Publications (2)

Publication Number Publication Date
CN117130917A true CN117130917A (en) 2023-11-28
CN117130917B CN117130917B (en) 2024-01-23

Family

ID=88859387


Country Status (1)

Country Link
CN (1) CN117130917B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant