CN117932604A

CN117932604A - Security detection method, apparatus, device, and computer-readable storage medium

Info

Publication number: CN117932604A
Application number: CN202410011944.2A
Authority: CN
Inventors: 林子敏; 鲁璐; 裴开明; 李奇; 卢一宁
Original assignee: Alibaba China Co Ltd
Current assignee: Alibaba China Co Ltd
Priority date: 2024-01-03
Filing date: 2024-01-03
Publication date: 2024-04-26

Abstract

The embodiment of the application discloses a security detection method, a security detection device, security detection equipment and a computer readable storage medium. The main technical scheme comprises the following steps: performing static analysis on the target program to obtain a static analysis result; generating a test case by using the static analysis result; providing the generated test case for the target program for execution, and acquiring the context information of the target program for executing the test case; and carrying out risk identification based on the context information to obtain risk information of the target program. According to the application, the test case is generated on the basis of static analysis of the target program, and the risk identification is performed by utilizing the context information obtained by executing the test case by the target program, so that the safety detection of the application program is realized, and the detection result is more accurate.

Description

Security detection method, apparatus, device, and computer-readable storage medium

Technical Field

The present application relates to the field of information security technologies, and in particular, to a security detection method, apparatus, device, and computer readable storage medium.

Background

With the rapid development of information network technology and the wide popularization of mobile intelligent terminals, the market of application programs presents an explosive growth situation. However, with the increasing number of application programs and the continuous innovation of technology, security risks such as phishing attack, damage to normal operation of application programs, security vulnerabilities, malicious software and other technical risks are also increasingly highlighted. The trend of various applications to meet the increasing demands of society is irreversible, and security detection for applications is an urgent need.

Disclosure of Invention

The application provides a security detection method, a security detection device, a security detection system and a computer readable storage medium, so as to realize security detection of an application program.

The application provides the following scheme:

in a first aspect, a security detection method is provided, the method comprising:

Performing static analysis on the target program to obtain a static analysis result;

generating a test case by using the static analysis result;

providing the generated test case for the target program for execution, and acquiring the context information of the target program for executing the test case;

And carrying out risk identification based on the context information to obtain risk information of the target program.

According to one implementation manner of the embodiment of the present application, before the test case is provided to the target program for execution, the method further includes:

initializing an execution system environment, and installing the target program in the execution system.

According to one implementation manner of the embodiment of the present application, the performing static analysis on the target program includes:

Analyzing a source code of the target program or analyzing a binary file of the target program to obtain a configuration file of the target program, wherein the binary file is obtained by reversely compiling the target program;

and analyzing the configuration file of the target program to obtain the exposure component of the target program and the triggering condition information of the exposure component.

According to one implementation manner of the embodiment of the present application, the static analysis result includes: the exposure component information of the target program and the triggering condition information of the exposure component;

the generating test cases by using the static analysis results comprises the following steps:

And generating test input aiming at the exposure component as the test case by utilizing the trigger condition information of the exposure component.

According to an implementation manner of the embodiment of the present application, the obtaining the context information of the target program for executing the test case includes:

Acquiring event information generated by the target program in the process of executing the test case by using a hook pre-installed in an execution system corresponding to the target program;

And analyzing the event information to obtain the context information.

According to still another implementation manner of the embodiment of the present application, the performing risk identification based on the context information, and obtaining risk information of the target program includes:

And analyzing the event behavior information based on a preset risk identification strategy to determine risk information of the target program.

According to yet another implementation manner of the embodiment of the present application, the method further includes:

Generating a new test case by using the acquired context information and the static analysis result;

And utilizing the generated new test case, and turning to the step of executing the step of providing the generated test case for the target program to execute until the preset cycle ending condition is met.

According to yet another implementation manner of the embodiment of the present application, the static analysis result includes exposure component information;

Generating a new test case by using the acquired context information and the static analysis result includes:

generating a system command for the exposed component as the new test case by utilizing trigger condition information corresponding to event behaviors included in the context information; or alternatively

And generating an entry calling an interface corresponding to the exposure component as the new test case by using trigger condition information corresponding to the event behavior included in the context information.

In a second aspect, a security detection method is disclosed, which is applied to a cloud server, and is characterized in that the method includes:

Acquiring a target program installation file uploaded by a user terminal;

Installing the target program in an execution system by using the target program installation file;

performing static analysis on the target program, wherein the obtained static analysis result comprises the following steps: the exposure component of the target program and the triggering condition information of the exposure component;

generating a test case by using the static analysis result;

performing risk identification based on the context information to obtain risk information of the target program;

and sending the risk information to the user terminal.

According to an implementation manner of the embodiment of the present application, if the target program is identified as having a security risk, the risk information includes: information indicating that the target program has a security risk, and context information on which the target program is identified as having a security risk.

In a third aspect, a security detection system is disclosed, comprising:

The static analysis unit is configured to perform static analysis on the target program, and the obtained static analysis result comprises: the exposure component of the target program and the triggering condition information of the exposure component;

The case generation unit is configured to generate a test case by using the static analysis result;

The dynamic execution unit is configured to provide the generated test case for the target program for execution and acquire the context information of the target program for executing the test case;

and the risk identification unit is configured to perform risk identification based on the context information to obtain risk information of the target program.

In a fourth aspect, a computer readable storage medium is disclosed, on which a computer program is stored, characterized in that the program is executed by a processor for performing the steps of the method according to any of the first aspects above.

In a fifth aspect, an electronic device is disclosed, comprising:

one or more processors; and

A memory associated with the one or more processors, the memory for storing program instructions that, when read for execution by the one or more processors, perform the steps of the method of any of the first aspects above.

According to the specific embodiment provided by the application, the application discloses the following technical effects:

1) According to the application, the static analysis result is obtained by static analysis of the target program, the static analysis result is utilized to generate the test case, and the context information of the test case executed by the target program is utilized to perform risk identification, so that the safety detection of the target program is realized.

2) According to the application, the test case is generated on the basis of static analysis on the target program, and the risk identification is carried out by utilizing the context information obtained by executing the test case by the target program, so that the detection result is more accurate compared with the traditional safety detection mode only adopting static analysis.

3) The method and the system can utilize the contextual information obtained by dynamically executing the test cases to generate new security test cases, trigger more and deeper event behaviors, discover more security risks, improve the leak coverage rate of security tests on the application program, and detect security leaks triggered by complex conditions.

4) The method and the system can acquire event information generated by the target program in the process of executing the test case by using a hook installed by an execution system, can identify the context information according to a preset risk identification strategy, acquire various risk information, and perform personalized setting on the risk information of the application behavior based on the preset risk identification strategy.

Of course, it is not necessary for any one product to practice the application to achieve all of the advantages set forth above at the same time.

Drawings

In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.

FIG. 1 is a diagram of a system architecture to which embodiments of the present application are applicable;

FIG. 2 is a flow chart of a security detection method according to an embodiment of the present application;

FIG. 3 is a flowchart of a method for detecting security according to an embodiment of the present application;

Fig. 4 is a flowchart of a security detection method applied to a cloud server according to an embodiment of the present application;

FIG. 5 is a system architecture diagram of a security detection system according to an embodiment of the present application;

fig. 6 is a system architecture diagram of a security detection system applied to a cloud server according to an embodiment of the present application;

fig. 7 is a schematic block diagram of an electronic device according to an embodiment of the present application.

Detailed Description

The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which are derived by a person skilled in the art based on the embodiments of the application, fall within the scope of protection of the application.

The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.

It should be understood that the term "and/or" as used herein is merely one relationship describing the association of the associated objects, meaning that there may be three relationships, e.g., a and/or B, may represent: a exists alone, A and B exist together, and B exists alone. In addition, the character "/" herein generally indicates that the front and rear associated objects are an "or" relationship.

Depending on the context, the word "if" as used herein may be interpreted as "at … …" or "at … …" or "in response to a determination" or "in response to a detection". Similarly, the phrase "if determined" or "if detected (stated condition or event)" may be interpreted as "when determined" or "in response to determination" or "when detected (stated condition or event)" or "in response to detection (stated condition or event), depending on the context.

There are some security detection techniques for application programs, such as static analysis, which is a relatively common security detection method. The static analysis is mainly to analyze the source code or binary file of the program, analyze and judge the behavior from the entrance to the risk of the application program, but the static analysis method has certain limitation, has poor accuracy for detecting the loopholes, such as larger false alarm, and can not detect the loopholes corresponding to the complex code logic, and the like.

In view of this, the present application provides a new idea. To facilitate an understanding of the present application, a system architecture on which the present application is based will first be described. FIG. 1 illustrates an exemplary system architecture to which embodiments of the application may be applied, as shown in FIG. 1, the system architecture may include: security detection device and user terminal.

The security detection device can be arranged at the server side or the user side and is used for performing security detection on the target program by adopting the method provided by the embodiment of the application.

In the embodiment of the application, the target program refers to an application program to be subjected to security detection. Application programs are developed by program developers and released to the public to meet the demands of the social group. In this embodiment, the target program may be provided by a developer before being online, or may be provided by a user or a third party. The object program involved may be an application program that can be installed and run on various operating systems. The operating system may include, but is not limited to, an android operating system, an IOS, a Windows operating system, and the like. The application program can be an online client application program of the HTML5 technology, and can also be various programs running on computer equipment. Electronic devices for target program operation include tablet devices, notebook computers, palm top computers (PDAs, personal DigitalAssistants), wearable devices (e.g., smart glasses, smart watches, etc.), and the like, to which one or more embodiments of the present description are not limited. In the application, mobile applications are taken as examples, the main mobile application operating system is android and IOS, and the enumeration of the mobile applications in the embodiment does not limit the format of the target program in the application.

As one of the possible ways, the security detection means may be provided at the user side, for example the security detection means may be provided at the user terminal. The user (for example, a developer of the application program) can install the target program on the user terminal, then the method provided by the embodiment of the application is adopted to carry out security detection on the target program, and the detection result is displayed to the user.

As another possible implementation, if the security detection device may be provided on the server side. The user uploads the installation file of the target program to the server side through the user terminal, then the safety detection device adopts the method provided by the embodiment of the application to carry out safety detection on the target program, the detection result is returned to the user terminal, and the user terminal displays the detection result to the user. The security detection device and the user terminal may interact through a network, and the system shown in fig. 1 illustrates such an implementation.

The security detection device may be provided in a single server, may be provided in a server group constituted by a plurality of servers, or may be provided in a cloud server. The cloud server is also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so as to solve the defects of large management difficulty and weak service expansibility in the traditional physical host and Virtual Private Server (VPS) PRIVATE SERVER service.

The user terminals may include, but are not limited to, such as: intelligent mobile terminals, intelligent home devices, wearable devices, PCs (Personal Computer, personal computers), etc. Wherein the smart mobile device may include, for example, a cell phone, tablet computer, notebook computer, PDA (Personal DigitalAssistant ), internet car, etc. The smart home devices may include smart home devices such as smart televisions, smart refrigerators, and the like that are capable of uploading installation files and exhibiting security detection results. Wearable devices may include devices such as smart watches, smart glasses, smart bracelets, VR (Virtual Reality) devices, AR (Augmented Reality, augmented Reality devices), mixed Reality devices (i.e., devices that can support Virtual Reality and augmented Reality), and so forth.

After the risk detection is completed, the mode of returning the detection result by the risk detection device can comprise mail, short message, link, certain communication application, webpage and the like. The user who submits the target program and the user who obtains the detection result often coincide, but may not coincide. For example, the user who submits the target program is a program developer, and the user who obtains the detection result may be a security expert of a department, a user of an application, or the like.

Fig. 2 is a flowchart of a security detection method according to an embodiment of the present application, and the method may be performed by the system shown in fig. 1. As shown in fig. 2, the method may include the steps of:

step 201: and carrying out static analysis on the target program to obtain a static analysis result.

Step 203: and generating a test case by using the static analysis result.

Step 205: and providing the generated test case for the target program execution, and acquiring the context information of the test case executed by the target program.

Step 207: and carrying out risk identification based on the context information to obtain risk information of the target program.

The above flow can be seen that the static analysis result is obtained by utilizing the static analysis of the target program, the test case is generated by utilizing the static analysis result, the target program executes the test case, the context information executed by the target program is obtained, and the risk identification is carried out, so that the safety detection of the target program is realized.

Each step in the above-described flow and effects that can be further produced are described in detail below with reference to examples.

The above step 201, i.e. "perform static analysis on target program to obtain static analysis result" will be described in detail in connection with the embodiments.

The static analysis is mainly carried out by adopting two modes of manual review and automatic detection, the manual review has high cost, and when facing a large number of static analysis projects, automatic detection tools or combination of automatic detection and manual review are often adopted. In the embodiment of the application, taking an automatic detection tool as an example, some static analysis detection tools exist at present, for example Coverity, klocwork, apkPecker, fortify, and as different static analysis automatic detection tools have different advantages and disadvantages and aim at objects, we can select according to the aimed target program. Static analysis includes stream analysis and pattern analysis, and the static analysis does not execute the program itself, and performs check analysis on source code, bytecode or binary execution form of the program.

The static analysis automatic detection tool analyzes the target program to obtain a static analysis result, and in the embodiment of the application, the static analysis result mainly comprises an exposure component of the target program and trigger condition information of the exposure component. It should be noted that, the static analysis result may also include other information such as the installation package name of the application program.

Among the risks that a target program presents, a significant portion of the risks are caused by the exposed components of the target program, which can cause the target program to be triggered by other applications and execute malicious code logic. Therefore, in the static analysis process of the target program in the embodiment of the present application, the exposure component of the target program and the trigger condition information of the exposure component are mainly analyzed, and the trigger condition information is used as the main content of the static analysis result. The application may be used for security detection in other ways, the principle being similar to that of the exposed components.

As one implementation of the present application, performing static analysis on the target program includes:

Analyzing a source code of the target program or analyzing a binary file of the target program to obtain a configuration file of the target program, wherein the binary file is obtained by reversely compiling the target program; and analyzing the configuration file of the target program to obtain the exposure component of the target program and the triggering condition information of the exposure component.

The static analysis can be performed by adopting an automatic detection tool, and specifically, the target program can be analyzed by adopting decompilation (namely, reverse compilation), disassembly and the like. The object program essentially consists of codes, after the object program is obtained, the object program is subjected to static analysis, so that the program code of the object program can be obtained, and the program code contains the configuration information, the data format and other information of the object program. Taking a mobile application program as an example, the installation file (the format is apk) of the mobile application with the android version contains configuration file information, and the android management file, namely the configuration file of the mobile application, can be obtained through decompilation of the mobile application. The external exposure component and the triggering condition information of the exposure component can be obtained by analysis from the android management. Similarly, the decompilation process for mobile applications of IOS is also similar, all for the purpose of obtaining static analysis results. Similar approaches are also used for static analysis of other programs.

The step 203 of generating test cases using the static analysis results is described in detail below with reference to the embodiments.

As described above, after the static analysis result of the target program is obtained, unlike the conventional method of identifying risk by directly using the static analysis result after the static analysis result is obtained, the embodiment of the application generates the test case based on the static analysis result and is further used for dynamically executing the test case by the subsequent target program.

In the embodiment of the application, the test case is generated based on the static analysis result. For example, the test case is automatically generated by using the exposure component of the target program in the static analysis result and the triggering condition information of the exposure component. In addition, the exposed component and the triggering condition information of the exposed component in the static analysis result can be used for generating the test case together with preset test case information (such as a preset test case template).

The test cases mainly contain test inputs (which may contain information such as execution conditions, input data, etc.) and expected results. For providing to the subject to be tested (the target program in the embodiment of the application) after constructing the test input, thereby determining whether the subject to be tested can obtain the expected result. The information in the static analysis results can be used to construct test cases and perform security detection, and as one of the achievable ways, the triggering condition information of the exposed components can be utilized to generate test inputs for the exposed components.

In the embodiment of the application, the static analysis result can be utilized to generate the test case. For the test case, part of default information can be configured as a test case template, and the static analysis result can be used together with the test case template to generate the test case. The information in the test case templates may be configured by default or according to test requirements.

As mentioned above, the security detection according to the embodiments of the present application is mainly directed to vulnerabilities caused by the exposed components, so that it is necessary to simulate events triggered by the exposed components (i.e. by constructing test inputs) to determine whether an expected result is obtained (i.e. whether a critical behavior is caused, where the type of the critical behavior may be preset). Wherein, when simulating the event triggered for the exposed component, various modes can be adopted:

As one implementation of the application, the triggering condition information of the exposed component can be utilized to generate a system command aiming at the exposed component as a test case.

This is accomplished by building system commands for the exposed components.

For building test cases, the key is the construction of test inputs and expected results. In embodiments of the present application, the test input may be generated using trigger condition information for the exposed components contained in the static analysis results. For example, the test input is generated by randomly populating the data with information such as content and format required to expose the triggering condition of the component. The test input in the test case database can also be randomly called by using the content, format and other information required by the triggering condition of the exposed component to generate the test input in the step. The test case database may be stored in the cloud or locally, and is not limited herein.

For example, assume that after static analysis, the format of the trigger condition corresponding to the exposure component 1 is known as follows: "ABC:/[ string ]" wherein [ ] indicates the type of content that needs to be filled in. Thus, a test input can be randomly constructed as: "ABC:// xxxx", where "xxxx" is a randomly generated string.

Because the embodiment of the application carries out security detection on the application program, the security hole of the application program is usually caused by a certain behavior, and the expected result of the test case can adopt a preset type of key event behavior. The expected result is used to determine whether the target program performs a critical action after the input test is input to the target program.

As another implementation manner, triggering condition information of the exposure component can be utilized to generate an entry for calling an interface corresponding to the exposure component as a test case.

This is accomplished by mimicking interface calls to exposed components.

The application can also use the triggering condition information of the exposure component, such as using the triggering condition information of the exposure component to generate test input, and using the test input to obtain the input parameters for calling the interface corresponding to the exposure component, thereby constructing the test case. Wherein the test inputs, the generation of the expected results can be found in the previous description.

The following describes the step 205 in detail, namely, "providing the generated test case to the target program for execution and obtaining the context information of the test case executed by the target program" with reference to an embodiment.

As an implementation manner of the present application, before performing this step, the method may further include: initializing the execution system environment and installing the target program in the execution system. The target program can execute the test case in the physical environment, and can also execute the test case in the virtual environment. The purpose of initializing the execution environment is to provide a suitable operating system environment for the installation and operation of the target program, and to reserve enough running space and running resources for the target program to execute the test case, etc.

And monitoring information generated by the target program execution test case in the process of executing the test case by the target program to obtain the context information of the execution target program. In the execution process of the test case, the context information contains environment information generated in the process of executing the test case by the target program. The environment information may include event behavior information and trigger condition information corresponding to the event behavior, and may further include other related parameter information.

When the context information of the execution test case of the target program is acquired, the hook which is installed in the execution system corresponding to the target program in advance can be utilized to acquire event information generated by the target program in the process of executing the test case; and analyzing the event information to obtain the context information.

Hook technology, i.e., a Hook function, essentially hangs hooks into a system through a system call by a piece of programming that handles system messages (i.e., events). If a specific event occurs, the hook program can capture the event information. In addition to the hook approach, the present application is not limited to obtaining event information generated during execution of test cases in other ways, such as by listening to a particular interface.

The above step 207, i.e. "performing risk identification based on context information to obtain risk information of the target program" will be described in detail with reference to the embodiments.

It has been mentioned above that the context information obtained by executing the test case includes: event behavior information and trigger condition information corresponding to the event behavior. The context information is obtained by analyzing event information generated in the process of executing the test case by the target program, wherein event behaviors are key to generating loopholes. Therefore, as an implementation manner of the present application, the event behavior information may be analyzed to determine risk information of the target program based on a preset risk identification policy. That is, judging whether the target program generates event behaviors conforming to the risks specified by the risk identification strategy in the process of executing the test case, and if so, considering that the target program has risks; otherwise the target program may be considered to be risk-free.

The risk identification policy may include preset rules, and the rules may be summarized and set in advance according to actual risk identification requirements, experience, risk identification history, and the like. If the event behavior meets the rule, it is considered a risk behavior. For example, the behavior type and the parameter attribute in the risk identification policy are predefined, and if the event behavior contained in the context information conforms to the behavior type and the parameter attribute, it is regarded as a risk behavior.

For example, assuming that a test case is input, an event behavior is generated in the process of executing the test case by the target program: and opening a page, wherein the parameter attribute of the page is controllable by the URL, and the risk that the page corresponding to any URL can be opened through an exposure component of the target program is indicated, so that the risk of the target program is determined.

The risk information of the target program obtained in this step may include various forms such as whether there is a risk, a risk level, and the like. For example, the risk information obtained is: the target program is at risk or the target program is not at risk. For another example, according to different risk identification strategies, obtaining risk information includes: no risk, low risk, medium risk, high risk, etc.

Further, if the target program has a security risk, the risk information may further include context information based on which the target program is identified as having a security risk, in addition to the information indicating that the target program has a security risk, that is, by which context information the target program is identified as having a security risk. Such as event behavior information, trigger condition information for event behavior, and the like. Such information can provide a reference to the developer to learn what causes the security risk, thereby improving the target program in a targeted manner.

Fig. 3 is a flowchart of another security detection method according to an embodiment of the present application, unlike the flowchart shown in fig. 2, after "obtaining the context information of the execution test case of the target program" in step 205, the method further includes:

step 209: judging whether the cycle end condition is satisfied, if not, executing step 211; if so, the update of the test case is ended.

Step 211: generating a new test case by using the acquired context information and the static analysis result; with the new test case generated, the process proceeds to step 205..

In this embodiment, except for adding new steps 209 and 211, the detailed description of other steps may be referred to the relevant descriptions in the embodiment shown in fig. 2, which is not repeated here.

The context information comprises event behavior information of the target program execution test case and trigger condition information of the event behavior. The test case generated in step 203 may not be able to override the trigger condition of the critical event behavior, but may be obtained during the execution of the test case, so that a new test case may be generated for the exposed component using the trigger condition of the event behavior contained in the context information.

As one of the realizable modes, the system command for the exposed component may be generated as a new test case by using the trigger condition information corresponding to the event behavior included in the context information.

Specifically, the static analysis result includes information of the exposed component, and when a new test case is generated for the exposed component, a system command for the exposed component can be generated by using trigger conditions of event behaviors included in context information obtained in the process of executing the test case.

Continuing the previous example, assume that in the process of executing the test input "ABC:// xxxx" of the test case by the target program, the context information obtained by the hook contains an event behavior "dosomething ()", the event behavior is a preset key event behavior, and the corresponding trigger condition is "if (input. Containers (" yyyyy "))", that is, whether the input contains a "yyyyyy" character string is judged. Then a new test case may be generated for that same exposed component with the test input being "ABC:// yyyyy". Then, the process goes to step 205, where the target program provided by the new test case is executed, so as to cycle, gradually find new trigger conditions and generate a new test case until a preset cycle end condition is satisfied. Wherein generating a new test case refers to a test case that is different from the test case that has been generated and executed.

As another implementation manner, triggering condition information corresponding to the event behavior included in the context information may be used to generate an entry for calling an interface corresponding to the exposure component as a new test case. Unlike the former approach, the system commands are not generated for the exposed components, but rather as an enroll that invokes the interface to which the exposed components correspond. Other implementations may also be employed, not specifically recited herein.

The preset cycle end conditions involved in step 209 may include: reaching a preset detection duration, no new test case generation, reaching a preset cycle number, and the like.

According to the embodiment, the context information obtained by dynamically executing the test case is utilized to generate a new security test case, more and deeper event behaviors are triggered, more security risks are found, the vulnerability coverage rate of security tests on the application program can be improved, and security vulnerabilities triggered by complex conditions can be detected.

Fig. 4 is a flowchart of a security detection method for a cloud server according to an embodiment of the present application, where, as shown in fig. 4, the method includes:

Step 401: and obtaining the target program installation file uploaded by the user terminal.

In the embodiment of the application, the security detection system is arranged on the cloud server and is used as a security detection tool for a developer. The developer can upload the installation file of the application program to be detected through the user terminal as a target program installation file to the security detection system in the cloud server.

Step 403: and installing the target program in the execution system by using the target program installation file.

The security detection system provides an execution environment (i.e. an execution system) for the installation and operation of the target program by utilizing the cloud computing resources and the cloud operating system, and the target program is installed in the execution system after the initialization of the execution system is carried out.

Step 405: and performing static analysis on the target program to obtain a static analysis result.

Step 407: and generating a test case by using the static analysis result.

Step 409: and providing the generated test case for the target program execution, and acquiring the context information of the test case executed by the target program.

Step 411: and carrying out risk identification based on the context information to obtain risk information of the target program.

The specific implementation process of the steps 405 to 411 may be referred to the relevant descriptions of the steps 201 to 207 in the embodiment shown in fig. 2, and will not be described herein.

Step 413: and sending the risk information to the user terminal.

As one of the realizable ways, if the target program is identified to have a security risk, the risk information may include: information indicating that the target program has security risk, and context information on which the target program is identified as having security risk. Such information can provide a reference to the developer to learn what causes the security risk, thereby improving the target program in a targeted manner.

By the method, a unified security detection tool can be provided for all developers on the side face of the cloud server, and the developers can conveniently upload the installation files of the developed application programs to the cloud server for security detection and acquire the risk information of the application programs.

The method provided by the embodiment of the application can be applied to various application scenes, for example, before a new application program is on line or before a new version of the application program is on line, the method provided by the embodiment of the application can be adopted, the application program to be on line is taken as a target program, the safety detection is carried out on the target program by adopting the method flow provided by any embodiment, and the risk information of the target program is acquired. If the target program has risk, the developer can modify the application program according to the risk information, and then the modified application program adopts the method flow provided by any embodiment to perform security detection on the target program again, and obtains the risk information of the target program. If the target program does not have the risk, the new application program, the new version of the application program or the improved application program can be arranged to be online for the user to download and use.

The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.

Fig. 5 is a schematic structural diagram of a security detection system according to an embodiment of the present application, where the security detection system may be an application program set on a server side, or a plug-in unit or an SDK (Software Development Kit ) set in the application program, or may be set in a computer terminal. As shown in fig. 5, the security detection system may include: the static analysis unit 501, the use case generation unit 503, the dynamic execution unit 505, and the risk identification unit 507 may further include: a management scheduling unit 500, a loop control unit 509. The above-described functional units may have the following functions:

The static analysis unit 501 is configured to perform static analysis on the target program, and obtain a static analysis result.

The case generating unit 503 is configured to generate a test case using the static analysis result.

The dynamic execution unit 505 is configured to provide the generated test case to the target program for execution, and acquire the context information of the test case executed by the target program.

The risk identification unit 507 is configured to perform risk identification based on the context information, and obtain risk information of the target program.

As an implementation manner in the embodiment of the present application, the management scheduling module 500 is configured to: initializing the execution system environment and installing the target program in the execution system.

As an implementation manner in the embodiment of the present application, the static analysis unit 501 may be specifically configured to: analyzing a source code of the target program or analyzing a binary file of the target program to obtain a configuration file of the target program, wherein the binary file is obtained by reversely compiling the target program; and analyzing the configuration file of the target program to obtain the exposure component of the target program and the triggering condition information of the exposure component.

The static analysis results may include: the exposure component of the target program and trigger condition information of the exposure component. As an implementation manner of the present application, the use case generating unit 503 may be specifically configured to: generating a system command aiming at the exposure component as a test case by utilizing the triggering condition information of the exposure component; or generating an entry calling an interface corresponding to the exposure component as a test case by using the triggering condition information of the exposure component.

As one implementation of the present application, the dynamic execution unit 505 may be specifically configured to: acquiring event information generated by a target program in the process of executing a test case by using a hook which is pre-installed in an execution system corresponding to the target program; and analyzing the event information to obtain the context information.

As an implementation manner in the embodiment of the present application, the context information may include: event behavior information and trigger condition information corresponding to the event behavior.

As an achievable implementation of the embodiment of the application, the risk identification unit 507 may be specifically configured to: and analyzing the event behavior information based on a preset risk identification strategy to determine risk information of the target program.

As an implementation manner in the embodiment of the present application, the loop control unit 509 may be configured to determine whether a preset loop ending condition is satisfied after the dynamic execution unit 505 acquires the context information of the target program execution test case, and if not, trigger the case generation unit 503.

The user generation unit 503 may be further configured to: after being triggered by the loop control unit 509, a new test case is generated by using the context information acquired by the dynamic execution unit 505 and the static analysis result obtained by the static analysis unit 501, and the new test case is provided to the dynamic execution unit 505.

As an achievable implementation of the embodiment of the application, the use case generating unit 503 is specifically configured to: generating a system command aiming at the exposed component as a new test case by utilizing trigger condition information corresponding to event behaviors included in the context information; or generating an entry calling the interface corresponding to the exposure component as a new test case by using trigger condition information corresponding to the event behavior included in the context information.

Fig. 6 is a system architecture diagram of a security detection system applied to a cloud server according to an embodiment of the present application, where the system architecture further includes an obtaining unit 601 and a sending unit 613 on the basis of the system architecture shown in fig. 5. Wherein, the main functions of each functional unit are as follows:

an obtaining unit 601 is configured to obtain an object program installation file uploaded by the user terminal.

A management scheduling unit 500 configured to install the target program in the execution system using the target program installation file;

The static analysis unit 501 is configured to perform static analysis on the target program to obtain a static analysis result.

The risk identification unit 507 is configured to perform risk identification based on the context information to obtain risk information of the target program;

A transmitting unit 613, configured to transmit the risk information to the user terminal.

As an implementation manner in this embodiment of the present application, if the risk identification unit 507 identifies that the target program has a security risk, the risk information sent by the sending unit 613 may include: information indicating that the target program has security risk, and context information on which the target program is identified as having security risk.

In this specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for the device embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference is made to the description of the method embodiments for relevant points. The apparatus embodiments described above are merely illustrative, wherein the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.

It should be noted that, the user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) related to the present application are information and data authorized by the user or fully authorized by each party, and the collection, use and processing of the related data need to comply with the related laws and regulations and standards of the related country and region, and provide corresponding operation entries for the user to select authorization or rejection.

In addition, the embodiment of the application also provides a computer readable storage medium, on which a computer program is stored, which when being executed by a processor, implements the steps of the method of any one of the previous method embodiments.

And an electronic device comprising:

one or more processors; and

A memory associated with the one or more processors for storing program instructions that, when read for execution by the one or more processors, perform the steps of the method of any of the preceding method embodiments.

The application also provides a computer program product comprising a computer program which, when executed by a processor, implements the steps of the method of any of the preceding method embodiments.

Fig. 7 illustrates an architecture of an electronic device, which may include a processor 710, a video display adapter 711, a disk drive 712, an input/output interface 713, a network interface 714, and a memory 720, among others. The processor 710, the video display adapter 711, the disk drive 712, the input/output interface 713, the network interface 714, and the memory 720 may be communicatively connected via a communication bus 730.

The processor 710 may be implemented by a general-purpose CPU, a microprocessor, an Application SPECIFIC INTEGRATED Circuit (ASIC), or one or more integrated circuits, etc. for executing related programs to implement the technical solution provided by the present application.

The Memory 720 may be implemented in the form of ROM (Read Only Memory), RAM (RandomAccess Memory ), static storage, dynamic storage, etc. The memory 720 may store an operating system 721 for controlling the operation of the electronic device 700, and a Basic Input Output System (BIOS) 722 for controlling the low-level operation of the electronic device 700. In addition, a web browser 723, a data storage management system 724, a security detection device 725, and the like may be stored. The safety detection device 725 may be an application program that specifically implements the operations of the foregoing steps in the embodiments of the present application. In general, when the technical solution provided by the present application is implemented by software or firmware, relevant program codes are stored in the memory 720 and invoked by the processor 710 for execution.

The input/output interface 713 is used to connect with an input/output module to enable information input and output. The input/output module may be configured as a component in a device (not shown) or may be external to the device to provide corresponding functionality. Wherein the input devices may include a keyboard, mouse, touch screen, microphone, various types of sensors, etc., and the output devices may include a display, speaker, vibrator, indicator lights, etc.

The network interface 714 is used to connect communication modules (not shown) to enable communication interactions of the device with other devices. The communication module may implement communication through a wired manner (such as USB, network cable, etc.), or may implement communication through a wireless manner (such as mobile network, WIFI, bluetooth, etc.).

Bus 730 includes a path to transfer information between various components of the device (e.g., processor 710, video display adapter 711, disk drive 712, input/output interface 713, network interface 714, and memory 720).

It should be noted that although the above devices illustrate only the processor 710, the video display adapter 711, the disk drive 712, the input/output interface 713, the network interface 714, the memory 720, the bus 730, etc., the device may include other components necessary to achieve proper operation in an implementation. Furthermore, it will be appreciated by those skilled in the art that the apparatus may include only the components necessary to implement the present application, and not all of the components shown in the drawings.

From the above description of embodiments, it will be apparent to those skilled in the art that the present application may be implemented in software plus a necessary general hardware platform. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art in the form of a computer program product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments of the present application.

The foregoing has outlined rather broadly the more detailed description of the application in order that the detailed description of the application that follows may be better understood, and in order that the present principles and embodiments may be better understood; also, it is within the scope of the present application to be modified by those of ordinary skill in the art in light of the present teachings. In view of the foregoing, this description should not be construed as limiting the application.

Claims

1. A security detection method, the method comprising:

generating a test case by using the static analysis result;

2. The method of claim 1, wherein prior to providing the test case to the target program execution, the method further comprises:

3. The method of claim 1, wherein the performing static analysis of the target program comprises:

4. The method of claim 1, wherein the static analysis results comprise: the exposure component information of the target program and the triggering condition information of the exposure component;

generating the test case by using the static analysis result comprises the following steps:

5. The method of claim 1, wherein obtaining the context information of the target program executing the test case comprises:

And analyzing the event information to obtain the context information.

6. The method according to any one of claims 1 to 5, wherein the context information comprises: event behavior information and trigger condition information corresponding to the event behavior.

7. The method of claim 6, wherein performing risk identification based on the context information to obtain risk information for the target program comprises:

8. The method of any of claims 1 to 5, wherein after obtaining the context information of the target program executing the test case, the method further comprises:

9. The method of claim 8, wherein the static analysis results include exposure component information;

10. The security detection method is applied to a cloud server, and is characterized by comprising the following steps:

Acquiring a target program installation file uploaded by a user terminal;

generating a test case by using the static analysis result;

and sending the risk information to the user terminal.

11. The method of claim 10, wherein if the target program is identified as having a security risk, the risk information includes: information indicating that the target program has a security risk, and context information on which the target program is identified as having a security risk.

12. A security detection system, the security detection system comprising:

the static analysis unit is configured to perform static analysis on the target program to obtain a static analysis result;

13. A computer readable storage medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements the steps of the method of any of claims 1 to 11.

14. An electronic device, comprising:

one or more processors; and

A memory associated with the one or more processors for storing program instructions that, when read for execution by the one or more processors, perform the steps of the method of any of claims 1 to 11.