CN117828617A - Vulnerability detection method and device for application code - Google Patents
Vulnerability detection method and device for application code
- Publication number
- CN117828617A (application No. CN202410178248.0A)
- Authority
- CN
- China
- Prior art keywords
- vulnerability
- operation function
- specified operation
- dependent component
- knowledge base
- Prior art date
- Legal status
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
Abstract
The invention discloses a vulnerability detection method and device for application code, and relates to the technical field of computers. One embodiment of the method comprises the following steps: performing bytecode injection on a specified operation function in the application code and generating a data tracking marking function for the specified operation function, so as to monitor the specified operation function in real time; acquiring monitoring data of the specified operation function and analyzing the monitoring data to obtain a vulnerability detection result for the dependent component corresponding to the specified operation function; when the vulnerability detection result indicates that malicious behavior exists, judging whether the dependent component corresponding to the specified operation function is in a vulnerability knowledge base; and when the dependent component corresponding to the specified operation function is not in the vulnerability knowledge base, generating a risk level for the dependent component and adding the dependent component and the risk level to the vulnerability knowledge base. According to this embodiment, missed detections and false alarms are avoided, so that security risk is reduced and the efficiency of vulnerability remediation and of security operations is improved.
Description
Technical Field
The present invention relates to the field of computer technology, and in particular to a method and an apparatus for detecting vulnerabilities in application code.
Background
In the code development process, vulnerability detection of source code or binary programs can greatly improve the security of running code. At present, during code development or online operation, the open-source components contained in the code project under test are identified by analyzing the source code or binary program, and whether those open-source components contain vulnerabilities is then determined from vulnerability information, such as vulnerability risk levels, provided by a standard vulnerability knowledge base. However, detection based on a standard vulnerability knowledge base can only find known open-source vulnerabilities; new, unknown security vulnerabilities cannot be detected. Moreover, the vulnerability risk level provided by the standard vulnerability knowledge base cannot be fully adapted to the actual running scenario of the target code, so the vulnerability detection results contain false alarms. Existing vulnerability detection therefore suffers from both missed detections and false alarms, which may introduce security risk and reduce the efficiency of vulnerability remediation and security operations.
Disclosure of Invention
In view of the above, embodiments of the invention provide a method and a device for detecting vulnerabilities in application code. They identify vulnerabilities of unknown dependent components while the application code is running and add them to a vulnerability knowledge base, so that the capability to detect vulnerabilities of unknown dependent components at each stage of software development is supplemented quickly, missed detections are avoided, security risk is reduced, and the efficiency of vulnerability remediation and security operations is improved. At the same time, the risk level of the dependent component is generated from the vulnerability detection result, and the vulnerability knowledge base is supplemented with that risk level, so that the knowledge base better fits the actual running scenario of the application code, the probability of false alarms is greatly reduced, and remediation and security operations become more efficient.
To achieve the above object, according to one aspect of the embodiments of the present invention, there is provided a vulnerability detection method for application code, including:
performing bytecode injection on a specified operation function in the application code, and generating a data tracking marking function for the specified operation function so as to monitor the specified operation function in real time, wherein the specified operation function corresponds to a dependent component on which the application code depends at runtime;
in response to execution of the specified operation function, acquiring monitoring data of the specified operation function, and analyzing the monitoring data to obtain a vulnerability detection result for the dependent component corresponding to the specified operation function;
when the vulnerability detection result indicates that malicious behavior exists, judging whether the dependent component corresponding to the specified operation function is in a vulnerability knowledge base; and
when the dependent component corresponding to the specified operation function is not in the vulnerability knowledge base, generating a risk level for the dependent component corresponding to the specified operation function according to the vulnerability detection result, and adding the dependent component corresponding to the specified operation function and its risk level to the vulnerability knowledge base.
Optionally, the method further comprises: when the dependent component corresponding to the specified operation function is in the vulnerability knowledge base, remediating the vulnerability of that dependent component directly; and, after adding the dependent component corresponding to the specified operation function and its risk level to the vulnerability knowledge base, remediating the vulnerability of that dependent component.
Optionally, generating the risk level of the dependent component corresponding to the specified operation function according to the vulnerability detection result comprises: generating the risk level from the component information of the dependent component corresponding to the specified operation function and the category of malicious behavior in the vulnerability detection result.
Optionally, the risk level comprises a security risk level and a vulnerability remediation priority of the dependent component corresponding to the specified operation function; and, after adding the dependent component corresponding to the specified operation function and its risk level to the vulnerability knowledge base, the method further comprises: remediating the vulnerability of that dependent component according to its security risk level and vulnerability remediation priority.
Optionally, the method further comprises: in response to detecting that the application code invokes a dependent component at runtime, acquiring component information of the actually invoked dependent component and judging from that component information whether the actually invoked dependent component is in the vulnerability knowledge base; and, when it is, remediating the vulnerability of the actually invoked dependent component directly.
According to another aspect of the embodiments of the present invention, there is provided a vulnerability detection apparatus for application code, including:
a monitoring start module for performing bytecode injection on a specified operation function in the application code and generating a data tracking marking function for the specified operation function so as to monitor it in real time, wherein the specified operation function corresponds to a dependent component on which the application code depends at runtime;
a vulnerability analysis module for, in response to execution of the specified operation function, acquiring monitoring data of the specified operation function and analyzing the monitoring data to obtain a vulnerability detection result for the dependent component corresponding to the specified operation function;
a component matching module for judging, when the vulnerability detection result indicates that malicious behavior exists, whether the dependent component corresponding to the specified operation function is in a vulnerability knowledge base; and
a knowledge base updating module for, when the dependent component corresponding to the specified operation function is not in the vulnerability knowledge base, generating a risk level for that dependent component according to the vulnerability detection result and adding the dependent component and its risk level to the vulnerability knowledge base.
Optionally, the apparatus further includes a vulnerability remediation module configured to: when the dependent component corresponding to the specified operation function is in the vulnerability knowledge base, remediate the vulnerability of that dependent component directly; and, after the dependent component and its risk level have been added to the vulnerability knowledge base, remediate the vulnerability of that dependent component.
Optionally, when generating the risk level of the dependent component corresponding to the specified operation function according to the vulnerability detection result, the knowledge base updating module may specifically be configured to generate the risk level from the component information of the dependent component corresponding to the specified operation function and the category of malicious behavior in the vulnerability detection result.
Optionally, the risk level includes a security risk level and a vulnerability remediation priority of the dependent component corresponding to the specified operation function; and the vulnerability remediation module is further configured to: after the dependent component and its risk level have been added to the vulnerability knowledge base, remediate the vulnerability of the dependent component according to its security risk level and vulnerability remediation priority.
Optionally, the apparatus further includes an invoked component detection module for: in response to detecting that the application code invokes a dependent component at runtime, acquiring component information of the actually invoked dependent component and judging from that component information whether the actually invoked dependent component is in the vulnerability knowledge base; and, when it is, remediating the vulnerability of the actually invoked dependent component directly.
According to still another aspect of the embodiments of the present invention, there is provided an electronic device including one or more processors and a storage device for storing one or more programs, wherein, when the one or more programs are executed by the one or more processors, the one or more processors implement the vulnerability detection method for application code provided by the embodiments of the present invention.
According to still another aspect of the embodiment of the present invention, there is provided a computer readable medium having stored thereon a computer program, which when executed by a processor, implements a vulnerability detection method of application code provided by the embodiment of the present invention.
One embodiment of the above invention has the following advantages or benefits. Bytecode injection is performed on a specified operation function in the application code, and a data tracking marking function for the specified operation function is generated so as to monitor it in real time, the specified operation function corresponding to a dependent component on which the application code depends at runtime; in response to execution of the specified operation function, its monitoring data is acquired and analyzed to obtain a vulnerability detection result for the corresponding dependent component; when the result indicates that malicious behavior exists, it is judged whether the corresponding dependent component is in a vulnerability knowledge base; and when it is not, a risk level for the dependent component is generated from the vulnerability detection result, and the dependent component and its risk level are added to the vulnerability knowledge base. In this way, vulnerabilities of unknown dependent components are identified while the application code runs and are added to the vulnerability knowledge base, so that the capability to detect vulnerabilities of unknown dependent components at each stage of software development is supplemented quickly, missed detections are avoided, security risk is reduced, and the efficiency of vulnerability remediation and security operations is improved. At the same time, the risk level of the dependent component is generated from the vulnerability detection result and the knowledge base is supplemented with it, so that the knowledge base better fits the actual running scenario of the application code, the probability of false alarms is greatly reduced, and remediation and security operations become more efficient.
Further effects of the optional features described above are explained below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
FIG. 1 is a schematic diagram of main steps of a vulnerability detection method of application code according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a vulnerability detection flow of application code according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of the main modules of a vulnerability detection apparatus of an application code according to an embodiment of the present invention;
FIG. 4 is an exemplary system architecture diagram in which embodiments of the present invention may be applied;
FIG. 5 is a schematic diagram of a computer system suitable for implementing an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present invention will now be described with reference to the accompanying drawings, in which various details of the embodiments of the present invention are included to facilitate understanding, and are to be considered merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
In the technical solution disclosed by the invention, the acquisition, collection, updating, analysis, processing, use, transmission and storage of any user personal information involved all comply with the relevant laws and regulations, serve lawful purposes, and do not violate public order and good morals. Necessary measures are taken to protect users' personal information, to prevent unlawful access to personal information data, and to maintain the security of users' personal information, network security and national security.
Fig. 1 is a schematic diagram of main steps of a vulnerability detection method of an application code according to an embodiment of the present invention. As shown in fig. 1, the vulnerability detection method of application code in the embodiment of the present invention mainly includes the following steps S101 to S104.
Step S101: perform bytecode injection on the specified operation function in the application code, and generate a data tracking marking function for the specified operation function so as to monitor it in real time, wherein the specified operation function corresponds to a dependent component on which the application code depends at runtime. During development of the application code, a calling method or calling operation function of an external component (that is, a dependent component) relied upon at runtime is taken as the specified operation function (for example, a sensitive operation function) and is marked, so that subsequent processing such as real-time data monitoring can locate it. Specifically, the specified operation functions set in the application code can be marked by annotation, or a bytecode anchor can be applied to the sensitive operation functions of a dependency used in the running code, such as log4j2 (a logging framework). Once the application code is written and running online, the application's security defense unit, RASP (Runtime Application Self-Protection, a self-protection tool that injects itself into the application and runs alongside it to protect the application at runtime), performs bytecode injection on the previously marked specified operation function, and a data tracking marking function for the specified operation function is generated from the injected bytecode, so that the specified operation function can be monitored in real time. Bytecode is the intermediate code produced by compilation and executed by the virtual machine; in the Java case it is the binary content of a class file.
In embodiments of the present invention, the bytecode may be manipulated with a bytecode manipulation framework such as Javassist.
The data tracking marking function performs data tracking and marking on the specified operation function. It can be implemented as a security probe agent using Instrumentation (Java Instrumentation provides an agent program that is independent of the application and can monitor and assist the application running on the virtual machine). Bytecode is loaded in the agent through a custom class file transformer: key classes that carry attack risk are filtered out, detection logic is inserted into their bytecode, and the modified classes are passed to the Java virtual machine for execution. This adds an anchor point to the application process; when execution reaches the anchor point, the call stack is captured in real time, a tracking mark is generated, the behavior log of the process execution is recorded, and the log is reported to the server.
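The probe agent described above, as an added example that is not part of the patent or of any product it describes: a Java agent that uses java.lang.instrument and Javassist to install an anchor as the prologue of a specified operation function, capture the call stack when the anchor is reached, and emit a behavior log. The package name com.example.rasp, the class RaspAgent, the anchor table (which names the JNDI lookup of log4j2, the page's own example of a sensitive operation in a dependent component) and the stderr reporter are assumptions made for the example; a deployment would load the anchor table from configuration and report to the RASP server.

```java
package com.example.rasp;   // hypothetical package, assumed for this example

import java.io.ByteArrayInputStream;
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.ProtectionDomain;
import java.util.Arrays;
import java.util.Map;
import java.util.function.Consumer;
import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtMethod;
import javassist.LoaderClassPath;
import javassist.Modifier;

/**
 * Added example of Step S101: a Java agent that injects a data tracking anchor into
 * specified operation functions with Javassist. Not the patent's code.
 * Manifest entry: Premain-Class: com.example.rasp.RaspAgent
 */
public final class RaspAgent {

    /**
     * Anchor table for the specified (sensitive) operation functions: JVM-internal class name
     * to method name. Constructed sample: the JNDI lookup of log4j2 is the page's own example.
     */
    private static final Map<String, String> ANCHORS = Map.of(
            "org/apache/logging/log4j/core/lookup/JndiLookup", "lookup");

    /** Where behavior logs go. A real RASP unit reports them to its server; here they go to stderr. */
    static volatile Consumer<String> reporter = System.err::println;

    public static void premain(String agentArgs, Instrumentation inst) {
        // canRetransform=true so classes loaded before the agent can be re-instrumented if needed
        inst.addTransformer(new AnchorTransformer(), true);
    }

    /** The data tracking marking function: runs as the prologue of every anchored method. */
    public static void onAnchor(String className, String method, Object[] args) {
        StackTraceElement[] stack = Thread.currentThread().getStackTrace();
        StringBuilder callers = new StringBuilder();
        // frame 0 is getStackTrace, frame 1 is this method; the anchored method and its callers follow
        for (int i = 2; i < Math.min(stack.length, 10); i++) {
            if (callers.length() > 0) callers.append(" <- ");
            callers.append(stack[i].getClassName()).append('.').append(stack[i].getMethodName());
        }
        String log = "{\"ts\":" + System.currentTimeMillis()
                + ",\"thread\":\"" + escape(Thread.currentThread().getName()) + "\""
                + ",\"class\":\"" + className + "\",\"method\":\"" + method + "\""
                + ",\"args\":\"" + escape(Arrays.toString(args)) + "\""
                + ",\"stack\":\"" + escape(callers.toString()) + "\"}";
        reporter.accept(log);
    }

    private static String escape(String s) {
        return s.replace("\\", "\\\\").replace("\"", "\\\"");
    }

    /** Custom class file transformer: leaves every class alone except the anchored key classes. */
    static final class AnchorTransformer implements ClassFileTransformer {
        @Override
        public byte[] transform(ClassLoader loader, String className, Class<?> redefined,
                                ProtectionDomain pd, byte[] classfileBuffer) {
            String method = ANCHORS.get(className);
            if (method == null) return null;          // null tells the JVM the class is unchanged
            try {
                ClassPool pool = new ClassPool(true);
                if (loader != null) pool.appendClassPath(new LoaderClassPath(loader));
                CtClass cc = pool.makeClass(new ByteArrayInputStream(classfileBuffer));
                String dotted = className.replace('/', '.');
                for (CtMethod m : cc.getDeclaredMethods()) {
                    if (!m.getName().equals(method) || Modifier.isAbstract(m.getModifiers())) continue;
                    // Javassist compiles this fragment in front of the method body; $args is the Object[] of parameters
                    m.insertBefore("com.example.rasp.RaspAgent.onAnchor(\"" + dotted + "\", \""
                            + method + "\", $args);");
                }
                byte[] out = cc.toBytecode();
                cc.detach();
                return out;
            } catch (Exception e) {
                // fail open: a probe that cannot be installed must not break the application
                reporter.accept("{\"error\":\"instrumentation of " + className + " failed: "
                        + escape(String.valueOf(e)) + "\"}");
                return null;
            }
        }
    }
}
```

Build the agent into a jar whose manifest sets Premain-Class to com.example.rasp.RaspAgent and bundles Javassist, then start the application with -javaagent:rasp-agent.jar. Anchored classes that were loaded before the agent (for example when attaching at runtime through agentmain) need Instrumentation.retransformClasses, and classes owned by the bootstrap or platform loader, such as javax.naming.InitialContext, cannot see RaspAgent unless the agent jar is also added with Instrumentation.appendToBootstrapClassLoaderSearch.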
Step S102: in response to execution of the specified operation function, acquire monitoring data of the specified operation function, and analyze the monitoring data to obtain a vulnerability detection result for the dependent component corresponding to the specified operation function. When the data tracking marking function observes that the specified operation function has been executed, the monitoring data of the specified operation function is acquired; it comprises the behavior log of the process execution at the time the specified operation function ran. The monitoring data is then sent to the RASP intrusion detection engine within the RASP unit for vulnerability detection. The engine analyzes the request context information, the specific operation performed by the specified operation function and other data contained in the monitoring data, and obtains a vulnerability detection result for the corresponding dependent component. The vulnerability detection result may, for example, indicate whether malicious behavior exists in the monitoring data.
Step S103: when the vulnerability detection result indicates that malicious behavior exists, judge whether the dependent component corresponding to the specified operation function is in the vulnerability knowledge base. A detection result showing malicious behavior means that the dependent component corresponding to the specified operation function has a vulnerability. It is then necessary to determine whether that dependent component is already in the knowledge base of known vulnerabilities. If it is, remediation can proceed directly with no further update to the knowledge base. If it is not, the vulnerability in the dependent component is an unknown component vulnerability, and the knowledge base can be supplemented from the further analysis of that vulnerability, making the knowledge base more complete and comprehensive, able to accommodate new unknown vulnerabilities, and improving the comprehensiveness and accuracy of vulnerability detection.
Step S104: when the dependent component corresponding to the specified operation function is not in the vulnerability knowledge base, generate a risk level for that dependent component according to the vulnerability detection result, and add the dependent component and its risk level to the vulnerability knowledge base. Specifically, when the knowledge base is supplemented, the risk level of the dependent component is determined from the vulnerability detection result, and the dependent component together with its risk level is then added to the knowledge base.
According to one embodiment of the invention, the method may further comprise: when the dependent component corresponding to the specified operation function is in the vulnerability knowledge base, remediating the vulnerability of that dependent component directly. If the dependent component exhibiting malicious behavior is found in the vulnerability knowledge base, the vulnerability is a known one; a vulnerability alert then needs to be raised and sent to the Security Operations Center (SOC) so that security operators can remediate it.
According to one embodiment of the present invention, after adding the dependent component corresponding to the specified operation function and its risk level to the vulnerability knowledge base, the method further comprises: remediating the vulnerability of that dependent component. After the dependent component and its risk level have been added to the knowledge base, they can be sent together to the SOC for remediation.
According to still another embodiment of the present invention, generating the risk level of the dependent component corresponding to the specified operation function according to the vulnerability detection result may specifically comprise: generating the risk level from the component information of the dependent component corresponding to the specified operation function and the category of malicious behavior in the vulnerability detection result. Component information includes, for example, the component name, version number and vendor information. Categories of malicious behavior are graded, for example, as high risk, medium risk and low risk: malicious behaviors such as JNDI (Java Naming and Directory Interface) remote command execution and deserialization attacks are classed as high risk, while behaviors that carry somewhat lower risk, such as outbound connections to malicious domain names, are classed as medium risk.
According to a specific embodiment of the present invention, the risk level includes a security risk level and a vulnerability remediation priority of the dependent component corresponding to the specified operation function. Both can be set according to the category of malicious behavior: if the category is high risk, the security risk level of the dependent component can be set to level one (the highest) and the remediation priority likewise to level one (the highest); in a specific implementation the remediation priority can be adjusted flexibly according to business requirements. In one embodiment, after adding the dependent component and its risk level to the vulnerability knowledge base, the method further includes remediating the vulnerability of the dependent component according to its security risk level and remediation priority; that is, the urgency of remediating the dependent component is determined from its security risk level and remediation priority, and remediation is carried out in that order of urgency.
According to yet another embodiment of the present invention, the method may further include, while performing the vulnerability detection according to the foregoing steps: in response to detecting that the application code calls a dependent component in the running process, acquiring component information of the truly called dependent component, and judging whether the truly called dependent component is in the vulnerability knowledge base according to the component information; and under the condition that the truly invoked dependent component is in the vulnerability knowledge base, performing vulnerability restoration on the truly invoked dependent component directly. Typically, a component may implement multiple functions, corresponding to multiple interfaces, but only some of the functions may have vulnerabilities, so they may be in a vulnerability knowledge base. When the application program code of the invention calls a dependent component to perform function implementation, the dependent component may be located in a known vulnerability knowledge base, but because part of functions calling the dependent component do not contain vulnerabilities, the monitoring data acquired through the data tracking and marking function of the designated operation function cannot detect malicious behaviors, however, because the dependent component still has dangers, the dependent component still needs to be subjected to vulnerability repair. In order to solve the possible security risk under the condition, the invention can detect the dependency component actually called by the application program in real time in the running process of the application code, and directly carry out bug repair on the dependency component actually called when the dependency component is positioned in the bug knowledge base, thereby avoiding all bug possibilities, reducing bug false alarm of the dependency component and improving bug detection and repair efficiency.
Fig. 2 is a schematic diagram of a vulnerability detection flow of application code according to an embodiment of the present invention. As shown in fig. 2, in one embodiment of the present invention, the vulnerability detection flow of the application code mainly includes the following steps:
step 1, performing byte code injection on a specified operation function in an application code through a RASP unit, and generating a data tracking marking function of the specified operation function so as to monitor the specified operation function in real time;
step 2, acquiring component information of a dependent component which is actually called when an application code runs through a RASP unit while carrying out real-time monitoring on a specified operation function, wherein the component information comprises a component name, a version number and the like;
step 3, the SCA (Software Composition Analysis, a technology for identifying, managing and tracking software by analyzing information and features contained in it) unit matches the dependent components actually called at run time against the components in the known vulnerability knowledge base to judge whether they are in the vulnerability knowledge base; if yes, executing step 4, otherwise indicating that the dependent component has no vulnerability and returning to step 2;
step 4, sending the vulnerability information to the SOC unit, and performing security vulnerability restoration on the application code affected by the dependent component vulnerability;
step 5, when execution of the specified operation function is detected, acquiring the monitoring data of the specified operation function and sending it to the intrusion detection engine of the RASP unit for vulnerability detection;
step 6, the intrusion detection engine of the RASP unit analyzes the monitoring data to obtain the vulnerability detection result of the dependent component corresponding to the specified operation function; specifically, the intrusion detection engine analyzes the request context information, the call data of the specified operation function, the execution data of the dependent component and the like to obtain the vulnerability detection result;
step 7, judging whether the vulnerability detection result indicates that malicious behavior exists; if yes, executing step 8, otherwise indicating that no malicious behavior exists and returning to step 5;
step 8, when the vulnerability detection result indicates malicious behavior, judging whether the dependent component corresponding to the specified operation function is in the vulnerability knowledge base; specifically, the dependent component corresponding to the specified operation function and its component information are obtained by associating the request context information and the component call stack in the vulnerability detection result with the acquired actually called dependent components, and the component information (such as component name and version number) is then compared and matched with the component information in the vulnerability knowledge base to judge whether the dependent component is in the vulnerability knowledge base; if yes, executing step 4, otherwise indicating that the dependent component has an unknown vulnerability and executing step 9;
step 9, generating the risk level of the dependent component according to the component information of the dependent component and the category of the malicious behavior in the vulnerability detection result, where the risk level comprises the security risk level and the vulnerability restoration priority of the dependent component;
step 10, adding the dependent component together with its security risk level and vulnerability restoration priority to the vulnerability knowledge base, and then executing step 4. Specifically, the detection rule for the SCA dependent component is generated automatically and dynamically: the component information of the dependent component (such as component name, vendor and version), the vulnerability attack path, the vulnerability exploiting function, the code call stack and the like are added to the dependent-component vulnerability knowledge base to form a new component vulnerability detection rule, which quickly supplements the capability to detect unknown dependent component vulnerabilities in each stage of software development and improves security operation efficiency.
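As an added example (not code from the patent), the following Python models the Fig. 2 decision flow together with the risk-level generation and the actually-called-component check described in the preceding embodiments: a detection result for a monitored operation function is matched against a knowledge base keyed on component name and version, a known component is sent for restoration, and an unknown one is assigned a security risk level and restoration priority from its malicious-behavior category and recorded as a new rule carrying attack path, exploiting function and call stack. Component names, behavior labels, the `priority_override` parameter and the numeric level scheme are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Category of each malicious behaviour label, following the text: JNDI remote
# command execution and deserialization are high risk; an outbound connection
# to a malicious domain is medium risk. The labels themselves are constructed.
BEHAVIOR_CATEGORY = {
    "jndi_remote_command_execution": "high",
    "unsafe_deserialization": "high",
    "outbound_malicious_domain": "medium",
}
# Category -> (security risk level, vulnerability restoration priority); 1 is highest.
RISK_BY_CATEGORY = {"high": (1, 1), "medium": (2, 2), "low": (3, 3)}


@dataclass(frozen=True)
class Component:
    """Component information captured by the RASP unit at call time (step 2)."""
    name: str
    version: str
    vendor: str = ""

    @property
    def key(self):
        # The knowledge base is matched on component name and version (steps 3, 8).
        return (self.name, self.version)


@dataclass
class DetectionResult:
    """Output of the intrusion detection engine for one monitored call (step 6)."""
    component: Component
    behavior: Optional[str]     # None when no malicious behaviour was observed
    request_context: dict       # e.g. {"method": "POST", "path": "/api/lookup"}
    call_stack: list            # component call stack, innermost frame last
    exploit_function: str = ""  # function of the component that was exploited


@dataclass
class Rule:
    """One dynamically generated entry of the vulnerability knowledge base (step 10)."""
    component: Component
    behavior: str
    category: str
    security_risk_level: int
    restoration_priority: int
    attack_path: str
    exploit_function: str
    call_stack: list


class KnowledgeBase:
    """Vulnerability knowledge base keyed on (component name, version)."""
    def __init__(self, rules=()):
        self._rules = {r.component.key: r for r in rules}

    def contains(self, component):
        return component.key in self._rules

    def get(self, component):
        return self._rules.get(component.key)

    def add(self, rule):
        self._rules[rule.component.key] = rule


def generate_risk_level(behavior, priority_override=None):
    """Step 9: (category, security risk level, restoration priority) from the
    behaviour category; priority_override models the per-service tuning."""
    category = BEHAVIOR_CATEGORY.get(behavior, "low")  # unknown label: low risk
    level, priority = RISK_BY_CATEGORY[category]
    if priority_override is not None:
        priority = priority_override
    return category, level, priority


def check_called_component(kb, component):
    """Steps 2-4: a component actually loaded at run time that is already in the
    knowledge base is sent for restoration even if it shows no malicious behaviour."""
    return "remediate_known" if kb.contains(component) else "continue_monitoring"


def process_detection(kb, result, priority_override=None):
    """Steps 5-10 for one detection result; returns the action taken."""
    if result.behavior is None:
        return "no_malicious_behavior"          # step 7: back to step 5
    if kb.contains(result.component):
        return "remediate_known"                # step 8: known component, step 4
    category, level, priority = generate_risk_level(result.behavior, priority_override)
    ctx = result.request_context
    kb.add(Rule(
        component=result.component,
        behavior=result.behavior,
        category=category,
        security_risk_level=level,
        restoration_priority=priority,
        # Attack path recorded as the request that reached the operation function.
        attack_path="%s %s" % (ctx.get("method", "?"), ctx.get("path", "?")),
        exploit_function=result.exploit_function,
        call_stack=list(result.call_stack),
    ))
    return "added_new_rule"                     # step 10: new rule, then step 4
```

Note that a different version of the same component name is not matched by the base, which is what makes the dynamically added rule specific to the component actually observed.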
Fig. 3 is a schematic diagram of the main modules of a device for detecting vulnerabilities of application code according to an embodiment of the present invention. As shown in fig. 3, a device 300 for detecting vulnerabilities of application code according to an embodiment of the present invention mainly includes a monitoring start module 301, a vulnerability analysis module 302, a component matching module 303, and a knowledge base update module 304.
The monitoring start module 301 is configured to perform byte code injection on a specified operation function in application code and generate a data tracking and marking function of the specified operation function to monitor the specified operation function in real time, where the specified operation function corresponds to a dependent component on which the application code depends when running;
the vulnerability analysis module 302 is configured to obtain monitoring data of the specified operation function in response to the specified operation function being executed, and analyze the monitoring data to obtain a vulnerability detection result of a dependent component corresponding to the specified operation function;
the component matching module 303 is configured to determine whether a dependent component corresponding to the specified operation function is in a vulnerability knowledge base if the vulnerability detection result indicates that a malicious behavior exists;
the knowledge base updating module 304 is configured to generate a risk level of the dependent component corresponding to the specified operation function according to the vulnerability detection result when the dependent component corresponding to the specified operation function is not in the vulnerability knowledge base, and add the dependent component corresponding to the specified operation function and the risk level to the vulnerability knowledge base.
According to an embodiment of the present invention, the vulnerability detection apparatus 300 of the application code further includes a vulnerability restoration module (not shown in the figure) for: under the condition that the dependent component corresponding to the specified operation function is in the vulnerability knowledge base, vulnerability restoration is directly carried out on the dependent component corresponding to the specified operation function; and after the dependent components corresponding to the specified operation function and the risk level are added into the vulnerability knowledge base, performing vulnerability restoration on the dependent components corresponding to the specified operation function.
According to another embodiment of the present invention, when generating the risk level of the dependent component corresponding to the specified operation function according to the vulnerability detection result, the knowledge base update module 304 may specifically be configured to: generate the risk level of the dependent component corresponding to the specified operation function according to the component information of that dependent component and the category of the malicious behavior in the vulnerability detection result.
According to another embodiment of the present invention, the risk level includes a security risk level and a vulnerability restoration priority of the dependent component corresponding to the specified operation function; and the vulnerability restoration module (not shown in the figure) may be further configured to: after the dependent component corresponding to the specified operation function and the risk level are added to the vulnerability knowledge base, perform vulnerability restoration on the dependent component corresponding to the specified operation function according to its security risk level and vulnerability restoration priority.
According to yet another embodiment of the present invention, the vulnerability detection apparatus 300 of the application code further includes a calling component detection module (not shown in the figure) configured to: in response to detecting that the application code calls a dependent component during running, acquire component information of the actually called dependent component and judge according to the component information whether the actually called dependent component is in the vulnerability knowledge base; and, if the actually called dependent component is in the vulnerability knowledge base, perform vulnerability restoration on it directly.
According to the technical scheme of the embodiment of the invention, byte code injection is performed on a specified operation function in the application code to generate a data tracking marking function of the specified operation function, so that the specified operation function is monitored in real time, where the specified operation function corresponds to a dependent component on which the application code depends when running; in response to execution of the specified operation function, monitoring data of the specified operation function is acquired and analyzed to obtain a vulnerability detection result of the dependent component corresponding to the specified operation function; when the vulnerability detection result shows that malicious behavior exists, it is judged whether the dependent component corresponding to the specified operation function is in the vulnerability knowledge base; and when it is not, the risk level of that dependent component is generated according to the vulnerability detection result, and the dependent component and its risk level are added to the vulnerability knowledge base. In this way, unknown dependent-component vulnerabilities are identified while the application code runs and added to the vulnerability knowledge base, which quickly supplements the capability to detect unknown dependent-component vulnerabilities in each stage of software development, avoids missed detections, reduces security risk, and improves vulnerability restoration and security operation efficiency. At the same time, because the risk level of the dependent component is generated from the vulnerability detection result and the vulnerability knowledge base is supplemented together with that risk level, the knowledge base better fits the actual running scenario of the application code, the false alarm probability is greatly reduced, and vulnerability restoration and security operation efficiency are further improved.
FIG. 4 illustrates an exemplary system architecture 400 of a vulnerability detection method of application code or vulnerability detection apparatus of application code to which embodiments of the present invention may be applied.
As shown in fig. 4, the system architecture 400 may include terminal devices 401, 402, 403, a network 404, and a server 405. The network 404 is used as a medium to provide communication links between the terminal devices 401, 402, 403 and the server 405. The network 404 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
A user may interact with the server 405 via the network 404 using the terminal devices 401, 402, 403 to receive or send messages or the like. Various communication client applications, such as shopping class applications, web browser applications, search class applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only) may be installed on the terminal devices 401, 402, 403.
The terminal devices 401, 402, 403 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.
The server 405 may be a server providing various services, such as a background management server (by way of example only) that supports code development websites browsed by users of the terminal devices 401, 402, 403. On received data such as an application code vulnerability detection request, the background management server can perform byte code injection on a specified operation function in the application code and generate a data tracking and marking function of the specified operation function to monitor it in real time, where the specified operation function corresponds to a dependent component on which the application code depends when running; in response to execution of the specified operation function, acquire monitoring data of the specified operation function and analyze it to obtain a vulnerability detection result of the dependent component corresponding to the specified operation function; when the vulnerability detection result shows that malicious behavior exists, judge whether the dependent component corresponding to the specified operation function is in a vulnerability knowledge base; and, when it is not, generate a risk level of the dependent component corresponding to the specified operation function according to the vulnerability detection result, add the dependent component and the risk level to the vulnerability knowledge base for processing, and feed back a processing result (for example, an updated vulnerability knowledge base; only an example) to the terminal device.
It should be noted that, in the embodiment of the present invention, the method for detecting the vulnerability of the application code is generally executed by the server 405, and accordingly, the device for detecting the vulnerability of the application code is generally disposed in the server 405.
It should be understood that the number of terminal devices, networks and servers in fig. 4 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Referring now to FIG. 5, there is illustrated a schematic diagram of a computer system 500 suitable for use in implementing a terminal device or server in accordance with an embodiment of the present invention. The terminal device or server shown in fig. 5 is only an example, and should not impose any limitation on the functions and scope of use of the embodiments of the present invention.
As shown in fig. 5, the computer system 500 includes a Central Processing Unit (CPU) 501, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 502 or a program loaded from a storage section 508 into a Random Access Memory (RAM) 503. In the RAM 503, various programs and data required for the operation of the system 500 are also stored. The CPU 501, ROM 502, and RAM 503 are connected to each other through a bus 504. An input/output (I/O) interface 505 is also connected to bus 504.
The following components are connected to the I/O interface 505: an input section 506 including a keyboard, a mouse, and the like; an output portion 507 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker, and the like; a storage portion 508 including a hard disk and the like; and a communication section 509 including a network interface card such as a LAN card, a modem, or the like. The communication section 509 performs communication processing via a network such as the internet. The drive 510 is also connected to the I/O interface 505 as needed. A removable medium 511 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 510 as needed so that a computer program read therefrom is mounted into the storage section 508 as needed.
In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication portion 509, and/or installed from the removable media 511. The above-described functions defined in the system of the present invention are performed when the computer program is executed by a Central Processing Unit (CPU) 501.
The computer readable medium shown in the present invention may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units or modules involved in the embodiments of the present invention may be implemented in software or in hardware. The described units or modules may also be provided in a processor, for example: a processor includes a monitoring start module, a vulnerability analysis module, a component matching module, and a knowledge base update module. The names of the units or modules do not limit the units or modules themselves; for example, the knowledge base update module may also be described as a module for generating the risk level of the dependent component corresponding to the specified operation function according to the vulnerability detection result and adding that dependent component and the risk level to the vulnerability knowledge base when the dependent component is not in the vulnerability knowledge base.
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments, or may exist alone without being fitted into the device. The computer readable medium carries one or more programs which, when executed by a device, cause the device to: perform byte code injection on a specified operation function in application code and generate a data tracking marking function of the specified operation function to monitor the specified operation function in real time, where the specified operation function corresponds to a dependent component on which the application code depends during operation; in response to execution of the specified operation function, acquire monitoring data of the specified operation function and analyze it to obtain a vulnerability detection result of the dependent component corresponding to the specified operation function; when the vulnerability detection result shows that malicious behavior exists, judge whether the dependent component corresponding to the specified operation function is in a vulnerability knowledge base; and, when the dependent component corresponding to the specified operation function is not in the vulnerability knowledge base, generate a risk level of the dependent component corresponding to the specified operation function according to the vulnerability detection result and add the dependent component corresponding to the specified operation function and the risk level to the vulnerability knowledge base.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives can occur depending upon design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.
Claims (10)
1. A vulnerability detection method for application code, comprising:
performing byte code injection on a specified operation function in an application code, and generating a data tracking marking function of the specified operation function to monitor the specified operation function in real time, wherein the specified operation function corresponds to a dependent component on which the application code depends during operation;
responding to the execution of the specified operation function, acquiring monitoring data of the specified operation function, and analyzing the monitoring data to obtain a vulnerability detection result of a dependent component corresponding to the specified operation function;
judging whether the dependent component corresponding to the specified operation function is in a vulnerability knowledge base or not under the condition that the vulnerability detection result shows that malicious behaviors exist;
and under the condition that the dependent component corresponding to the specified operation function is not in the vulnerability knowledge base, generating a risk level of the dependent component corresponding to the specified operation function according to the vulnerability detection result, and adding the dependent component corresponding to the specified operation function and the risk level to the vulnerability knowledge base.
2. The method according to claim 1, wherein the method further comprises:
under the condition that the dependent component corresponding to the specified operation function is in the vulnerability knowledge base, vulnerability restoration is directly carried out on the dependent component corresponding to the specified operation function;
and after adding the dependency component corresponding to the specified operation function and the risk level to the vulnerability knowledge base, further comprising:
performing vulnerability restoration on the dependent component corresponding to the specified operation function.
3. The method of claim 1, wherein generating the risk level of the dependent component corresponding to the specified operation function according to the vulnerability detection result comprises:
generating the risk level of the dependent component corresponding to the specified operation function according to the component information of that dependent component and the category of the malicious behavior in the vulnerability detection result.
4. The method according to claim 1 or 3, wherein the risk level comprises a security risk level and a vulnerability repair priority of the dependent component corresponding to the specified operation function;
and, after adding the dependent component corresponding to the specified operation function and the risk level to the vulnerability knowledge base, further comprising:
carrying out vulnerability repair on the dependent component corresponding to the specified operation function according to its security risk level and vulnerability repair priority.
5. The method according to claim 1, wherein the method further comprises:
in response to detecting that the application code calls a dependent component at runtime, acquiring component information of the actually called dependent component, and judging according to the component information whether the actually called dependent component is in the vulnerability knowledge base;
and, in the case where the actually called dependent component is in the vulnerability knowledge base, carrying out vulnerability repair directly on the actually called dependent component.
6. A vulnerability detection apparatus for application code, comprising:
a monitoring start module for injecting bytecode into a specified operation function in application code and generating a data tracking marking function for the specified operation function so as to monitor the specified operation function in real time, wherein the specified operation function corresponds to a dependent component on which the application code depends at runtime;
a vulnerability analysis module for acquiring, in response to execution of the specified operation function, monitoring data of the specified operation function, and analyzing the monitoring data to obtain a vulnerability detection result for the dependent component corresponding to the specified operation function;
a component matching module for judging, in the case where the vulnerability detection result is that malicious behavior exists, whether the dependent component corresponding to the specified operation function is in a vulnerability knowledge base;
and a knowledge base updating module for generating, in the case where the dependent component corresponding to the specified operation function is not in the vulnerability knowledge base, the risk level of that dependent component according to the vulnerability detection result, and adding the dependent component corresponding to the specified operation function and the risk level to the vulnerability knowledge base.
7. The apparatus of claim 6, further comprising a vulnerability repair module for:
carrying out vulnerability repair directly on the dependent component corresponding to the specified operation function in the case where that dependent component is in the vulnerability knowledge base;
and carrying out vulnerability repair on the dependent component corresponding to the specified operation function after that dependent component and its risk level have been added to the vulnerability knowledge base.
8. The apparatus of claim 6, further comprising a called component detection module for:
acquiring, in response to detecting that the application code calls a dependent component at runtime, component information of the actually called dependent component, and judging according to the component information whether the actually called dependent component is in the vulnerability knowledge base;
and carrying out vulnerability repair directly on the actually called dependent component in the case where it is in the vulnerability knowledge base.
9. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1 to 5.
10. A computer-readable medium on which a computer program is stored, wherein the program, when executed by a processor, implements the method according to any one of claims 1 to 5.
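The following Python is an added illustration, not code from the patent or its applicant, of the pipeline claimed in claims 1 to 3 and the modules of claim 6: the bytecode injection step is stood in for by wrapping the specified operation function in a marking function that records each call, and the component names, knowledge base contents, behaviour categories and risk rules are all constructed for the example.

```python
# Constructed vulnerability knowledge base: component id -> risk record.
knowledge_base = {"demo-xml-parser:2.1": {"security_risk_level": "high", "repair_priority": 1}}
# Constructed policy: malicious-behaviour category -> (security risk level, repair priority).
RISK_RULES = {"command_execution": ("high", 1), "file_write": ("medium", 2)}
monitoring_log = []  # monitoring data recorded by the injected marking function

class Tainted(str):
    pass  # marker for data that entered the application from outside (constructed)

def instrument(component, sink):
    """Stand-in for bytecode injection: wrap the specified operation function in a marking function."""
    def decorator(func):
        def marked(*args, **kwargs):
            monitoring_log.append({"component": component, "function": func.__name__, "sink": sink,
                                   "tainted": any(isinstance(a, Tainted) for a in args)})
            return func(*args, **kwargs)
        return marked
    return decorator

def analyze(record):
    """Detection result: the behaviour category if marked external data reached the sink, else None."""
    return record["sink"] if record["tainted"] else None

def risk_level(component, category):
    """Claim 3 analogue: level from the behaviour category, priority raised for pre-1.0 versions."""
    level, priority = RISK_RULES.get(category, ("low", 3))
    if component.rsplit(":", 1)[-1].startswith("0."):
        priority = 1  # constructed rule that uses the component information
    return {"security_risk_level": level, "repair_priority": priority}

def handle(record):
    """Claims 1-2 analogue: match against the knowledge base, add unknown components, pick repair path."""
    category = analyze(record)
    if category is None:
        return "no_malicious_behaviour"
    component = record["component"]
    if component in knowledge_base:
        return "known_component_repair"
    knowledge_base[component] = risk_level(component, category)
    return "added_to_knowledge_base_then_repair"

@instrument("demo-shell-helper:0.9", "command_execution")
def run_tool(cmd):
    return f"would run {cmd}"  # stand-in for the dependent component's real operation

def demo():
    monitoring_log.clear(); knowledge_base.pop("demo-shell-helper:0.9", None)
    run_tool("ls")                     # internal constant, not marked as external
    run_tool(Tainted("from request"))  # marked external data reaches the sink
    run_tool(Tainted("from request"))  # component is now in the knowledge base
    return [handle(r) for r in monitoring_log]
```

Running `demo()` walks one clean call and two flagged calls through the pipeline, showing the knowledge base being consulted, updated, then hit on the repeat call.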
Priority Applications (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410178248.0A CN117828617A (en) | 2024-02-08 | 2024-02-08 | Vulnerability detection method and device for application code |
Publications (1)

| Publication Number | Publication Date |
|---|---|
| CN117828617A true CN117828617A (en) | 2024-04-05 |
Family ID: 90523056

Family Applications (1)

| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202410178248.0A Pending CN117828617A (en) | 2024-02-08 | 2024-02-08 | Vulnerability detection method and device for application code |
Country Status (1)

| Country | Link |
|---|---|
| CN (1) | CN117828617A (en) |
Legal Events

| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |