CN118278015A - Configuration method and system for application program security function - Google Patents


Info

Publication number
CN118278015A
Authority
CN
China
Prior art keywords
function
verified
security
security function
application program
Prior art date
Legal status
Pending
Application number
CN202410201663.3A
Other languages
Chinese (zh)
Inventor
刘海涛
万振华
王颉
李华
董燕
Current Assignee
Shenzhen Mainway Technology Co ltd
Seczone Technology Co Ltd
Original Assignee
Shenzhen Mainway Technology Co ltd
Seczone Technology Co Ltd
Filing date
Publication date

Abstract

The invention discloses a configuration method and a system of an application program security function, wherein the configuration method comprises the following steps: acquiring all predefined security functions to be verified when the target application program class is loaded; storing code information of a security function to be verified in a service terminal; adding the security function to be verified into preset detection logic, and marking the security function to be verified as a propagation stage function; performing vulnerability detection on a target application program based on detection logic, removing a return value of a security function to be verified from a tracking object of a data stream, and storing input and return values of the security function to be verified as data stream transmission information; reporting the vulnerability data stream to a service terminal; when the vulnerability data stream can be associated with code information stored in the service terminal, judging whether a function in the vulnerability data stream accords with a security rule, if so, marking the function as an effective security function, and closing the current vulnerability. Based on the method, efficient configuration of the security function is achieved.

Description

Configuration method and system for application program security function
Technical Field
The present invention relates to the field of security function configuration technologies, and in particular, to a method and a system for configuring an application security function.
Background
At present, with the continuous development of interactive application security testing (IAST) technology, vulnerability detection methods that build a detection data stream by tracking taint data are increasingly widely used for real-time detection in application programs. This detection technology can automatically detect vulnerabilities present in the current application program and realize detection and protection against specific vulnerabilities.
A security function is a function used to filter, encode, verify, sanitize or otherwise process untrusted data in an application program so as to prevent vulnerabilities from arising; it can prevent an attacker from exploiting vulnerabilities such as buffer overflows and format string vulnerabilities. Security functions improve the security of the application program and play a vital role in its vulnerability detection process.
Some customized security functions exist in an application program. During vulnerability detection these security functions may trigger a vulnerability alarm, and a security function that triggers an alarm may be either an effective or an ineffective security function. Therefore, these security functions need to be screened and marked: a function confirmed to be an effective security function can be skipped in subsequent vulnerability detection, so that false alarms are avoided, while a function confirmed to be an ineffective security function is configured as a normal function.
The existing security function configuration method has the following defects: the configuration of security functions and the detection of vulnerabilities are completely decoupled, and the whole configuration process uses static analysis, that is, all custom security functions in the application program are analyzed to verify whether they are effective. The analysis workload is therefore large and consumes time and labor. However, for an application program, not all security functions can be called by a request; only the security functions that are actually called need to be screened and configured, and security functions not called by any request need no screening or configuration.
Therefore, there is a need for an improvement in the way security functions are configured in an application.
Disclosure of Invention
The invention aims to provide a configuration method and a system for application program security functions, which can dynamically configure the security functions in an application program to improve the configuration efficiency.
In order to achieve the above object, the present invention discloses a method for configuring security functions of an application program, which includes:
Acquiring all predefined security functions to be verified when the target application program class is loaded;
storing the code information of the security function to be verified in a service terminal;
Adding the security function to be verified into preset detection logic, and marking the security function to be verified as a propagation phase function; the detection logic is used for performing vulnerability detection on the target application program based on a data flow tracking mode;
Performing vulnerability detection on the target application program based on the detection logic, removing the return value of the security function to be verified from the tracking object of the data stream, and storing the input and return values of the security function to be verified as data stream transmission information;
Reporting the vulnerability data stream to the service terminal;
When the vulnerability data stream can be associated with the code information stored in the service terminal, judging whether a function in the vulnerability data stream conforms to a security rule; if so, marking the function as an effective security function and closing the current vulnerability; if not, marking the function as a normal function.
Specifically, the method for acquiring the predefined security function to be verified comprises the following steps:
The target application program is instrumented by an instrumentation tool, a function identification method is implanted into the target application program, and the predefined security function to be verified is extracted based on the function identification method.
Still further, the function recognition method extracts the predefined security function to be verified based on a predefined set of keywords.
Specifically, the code information includes predefined byte code information corresponding to the security function to be verified.
The invention also discloses a configuration system of the application program security function, which works based on the configuration method.
The invention also discloses a configuration system of the application program security function, which comprises:
one or more processors;
a memory;
and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the programs comprising instructions for performing the configuration method as described above.
The invention also discloses a computer readable storage medium comprising a computer program executable by a processor to perform the configuration method as described above.
Compared with the prior art, the configuration method provided by the technical scheme of the invention comprises the steps of firstly acquiring all predefined security functions to be verified when the target application program class is loaded, then adding the security functions to be verified into preset detection logic and marking the security functions as propagation stage functions, so that the functions can be dynamically tracked and evaluated when the application program runs. In the vulnerability detection stage, the target application program is analyzed by a data flow tracking-based method, so that the performance of the security function to be verified can be monitored and evaluated in real time. This approach can dynamically identify the security functions that are triggered in the actual request, rather than statically analyzing all possible security functions, thereby significantly reducing analysis effort and resource consumption.
In short, the configuration method effectively reduces the configuration workload and improves configuration accuracy by dynamically evaluating and configuring security functions based on the actual data flow.
Drawings
Fig. 1 is a flowchart of a configuration method in an embodiment of the present invention.
Detailed Description
In order to describe the technical content, the constructional features, the achieved objects and effects of the present invention in detail, the following description is made in connection with the embodiments and the accompanying drawings.
The embodiment discloses a configuration method of an application program security function, which is used for configuring the security function in an application program to avoid false alarm and missing report caused by the security function in the application program vulnerability detection process, namely, providing service for the vulnerability detection of the application program. As shown in fig. 1, the configuration method specifically includes the following steps:
S1: acquiring all predefined security functions to be verified when the target application program class is loaded.
S2: storing the code information of the security functions to be verified in a service terminal.
S3: adding the security function to be verified into preset detection logic, and marking it as a propagation stage function. The detection logic performs vulnerability detection on the target application program in a data flow tracking mode.
S4: performing vulnerability detection on the target application program based on the detection logic, removing the return value of the security function to be verified from the tracking object of the data stream, and storing the input and return values of the security function to be verified as data stream propagation information. It should be noted that the return value of the security function to be verified is removed from the tracking object of the data stream so that an as-yet-unverified security function cannot change the value of the taint data and thereby affect the subsequent detection flow of the data stream, which would lead to false alarms and missed detections of vulnerabilities.
S5: reporting the vulnerability data stream to the service terminal.
S6: when the vulnerability data stream can be associated with the code information stored in the service terminal, judging whether the security function to be verified in the vulnerability data stream accords with the security rule, if so, entering step S61, and if not, entering step S62.
It should be noted that when the vulnerability data stream cannot be associated with the code information stored in the service terminal, the current vulnerability was not caused by a pre-stored security function but by a normal function, which is not of interest to the scheme, so the configuration work ends directly. In addition, if no vulnerability data stream is generated, that is, no vulnerability is detected in the current data stream tracking and detection process, then no security function in the application program has triggered a vulnerability, no configuration is needed, and the configuration work can likewise end directly.
S61: marking the security function to be verified as a valid security function, and closing the current vulnerability.
S62: marking the security function to be verified as a normal function.
In summary, the configuration method firstly obtains all predefined security functions to be verified when the target application program class is loaded, and then stores code information of the functions in the service terminal, so that initial collection and preparation work of the security functions are realized. The security functions to be verified are then added to the preset detection logic and marked as propagation phase functions, so that these functions can be tracked and evaluated dynamically as the application runs.
In the vulnerability detection stage, the target application program is analyzed by a data flow tracking-based method, so that the processing process of the security function to be verified can be monitored and evaluated in real time. This approach can dynamically identify the security functions that are triggered in the actual request, rather than statically analyzing all possible security functions, thereby significantly reducing analysis effort and resource consumption. In the analysis process, the input value and the return value of the security function to be verified are stored and evaluated as data stream propagation information, so that the validity of the function can be judged more accurately.
In addition, when the vulnerability data stream can be associated with code information stored in the service terminal, whether the security function is a valid security function or a normal function is determined according to whether it meets the security rule. This not only saves a great deal of manpower and time but also improves the accuracy of security function configuration: valid security functions are correctly marked and used, so false alarms are avoided, while invalid security functions are identified and reclassified so that they are not configured as security functions.
In short, the configuration method disclosed by this embodiment effectively reduces the configuration workload by dynamically evaluating and configuring security functions based on the actual data flow, and improves configuration accuracy and the overall security of the application program.
Specifically, the predefined security function to be verified is acquired as follows: the target application program is instrumented with an instrumentation tool, a function identification method is implanted into the target application program, and the predefined security function to be verified is extracted based on the function identification method. In this embodiment, taking a JVM as an example, the purpose of instrumenting the target application is to obtain the code information of the functions in all class files during class loading. The security functions to be verified are extracted by the function identification method, and the code information corresponding to each of them is obtained directly from the code information of all functions collected by the instrumentation. It should be noted that in this embodiment the code information refers to the compiled class-file information of a Java application program; if the application program is written in an interpreted language such as Python, its program files can be used directly, without instrumentation, as the basis for determining in the next step whether a security function to be verified is an effective security function.
On the other hand, the function identification method extracts the predefined security functions to be verified based on a predefined keyword set. In this embodiment, keywords such as verify, validation, equals and startWith are predefined as the keyword set Key_set; during extraction, when the function name and/or the code information of a function in the application program contains any keyword in the keyword set, the function is marked as a security function to be verified. The keyword set Key_set serves as the reference for screening security functions to be verified, and technicians can freely extend it according to the actual requirements of the application program.
Furthermore, the keyword set also includes a class file keyword. The set of class files in the application program containing the class file keyword can be extracted based on that keyword, and the function identification method is then applied within this class file set, so that the functions extracted as security functions to be verified are more likely to actually be security functions.
For example, in this embodiment, taking the keyword "cn.demo.iast" as an example, the recognition range of the function identification method is limited according to whether the prefix of the file name of the class file containing the function includes the keyword, so that functions under other prefix paths are not screened and labor and time are saved.
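The keyword screening just described (Key_set plus the class-file keyword), as an added Python example that is not the patent's code: the class inventory is a constructed stand-in for what the agent sees at class load time, and case-insensitive matching is an assumption of this example.

```python
"""Keyword-based identification of security functions to be verified.
Added example, not the patent's code; the inventory below is constructed."""

KEY_SET = {"verify", "validation", "equals", "startWith"}  # the page's Key_set; freely extensible
CLASS_KEYWORD = "cn.demo.iast"                             # the page's class-file keyword

# Constructed inventory: (class name, method name, code information as text).
INVENTORY = [
    ("cn.demo.iast.engine.util.FileCheck", "validateListFilesParameters",
     'if (dir.startWith("/tmp")) return dir;'),   # matched through its code (startWith)
    ("cn.demo.iast.engine.util.FileCheck", "normalize",
     'return dir.trim();'),                       # no keyword: not a candidate
    ("cn.demo.iast.web.Login", "verifyToken",
     'return stored.equals(token);'),             # matched by name and by code
    ("org.thirdparty.Auth", "verifySignature",
     'return sig.equals(expected);'),             # outside the class-file keyword: skipped
]


def in_scope(class_name: str, class_keyword: str = CLASS_KEYWORD) -> bool:
    """Class-file keyword filter: only classes whose name starts with the keyword are scanned."""
    return class_name.startswith(class_keyword)


def has_keyword(text: str, key_set=KEY_SET) -> bool:
    """True when any keyword occurs in the text (case-insensitive: an assumption of this example)."""
    low = text.lower()
    return any(k.lower() in low for k in key_set)


def extract_candidates(inventory, key_set=KEY_SET, class_keyword=CLASS_KEYWORD) -> dict:
    """S1/S2: return {qualified function name: code information} for every in-scope
    function whose name and/or code information contains a keyword."""
    found = {}
    for cls, method, code in inventory:
        if not in_scope(cls, class_keyword):
            continue
        if has_keyword(method, key_set) or has_keyword(code, key_set):
            found[f"{cls}.{method}"] = code
    return found
```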
On the other hand, the code information includes byte code information corresponding to a predefined security function to be verified. In this embodiment, the service terminal stores the byte code information of each security function to be verified, and the byte code information can be converted into the program code of the function by decompilation and other techniques, and has portability, and can be adapted and stored in different systems and devices.
On the other hand, the association of the vulnerability data stream with the code information stored in the service terminal is based on the function name of the security function to be verified. During detection, the detection logic generates a number of data streams, each containing all functions through which the taint data passes, and each data stream stores the function names, input values and return values of those functions as data stream function information. If a vulnerability data stream is generated in subsequent detection, the extracted set of security functions to be verified is compared with the data stream function information of the vulnerability data stream to determine whether any security function to be verified is present in it. If none is present, the configuration work ends. If one is present, the byte code information stored in the service terminal is matched by the function name of that security function, the byte code information is converted to obtain the program code of the function, and an inspector at the service terminal can judge from that program code whether the security function to be verified is an effective security function.
On the other hand, judging whether the security function to be verified conforms to the security rule means judging whether it can filter, encode, verify, sanitize or otherwise process the data so as to prevent vulnerabilities. This can be judged by technicians from the byte code information of the security function to be verified, or by a preset intelligent judgment model.
On the other hand, when the security function to be verified is marked as an effective security function, the current vulnerability is closed, and when the vulnerability is detected again in subsequent detection and passes through this effective security function, the vulnerability information is not reported. In addition, after a function is marked as an effective security function, other vulnerabilities related to this vulnerability that were detected earlier are closed at the same time.
On the other hand, when the security function to be verified is converted into the normal function, the normal function is synchronously removed from the tracking object of the data stream, and the data stream tracking is no longer performed.
Taking a function for preventing the upload of unsafe files as an example, the function contains code segments such as regular expressions and comparison functions containing keywords from the keyword set, specifically contains, startWith, endWith and the like, and on the basis of these keywords the function can be extracted as a security function to be verified. The security function to be verified is marked as a propagation stage function; the detection logic tracks the data flow through the function in the propagation stage state, removes the return value of the security function to be verified from the tracking object of the data stream, and stores the input value and return value of the security function to be verified as data stream propagation information, which is recorded as follows:
cn.demo.iast.Agent.checkSpecialPropagation("cn.demo.iast.engine.uitl.validateListFilesParameters", [directory, fileFilter], directory);
If subsequent detection finds that an unsafe-file-upload vulnerability is generated in a certain data stream, that data stream is a vulnerability data stream and is reported to the service terminal. Whether the security function to be verified exists in the vulnerability data stream is judged by comparison with the known information of the security function to be verified for preventing unsafe file uploads; if it exists, the corresponding byte code information is associated by the function name. When the vulnerability data stream can be associated with the byte code information stored in the service terminal, the byte code information is converted into program code, and an inspector can judge from that program code whether the function preventing unsafe file uploads is an effective security function.
It is worth mentioning that, besides the byte code information, the inspector can also judge whether a security function to be verified is a valid security function from the purpose of the function combined with corresponding judgment logic. Still taking the function for preventing the upload of unsafe files as an example, unsafe files in an application program usually contain characteristic characters such as ./ or .exe, so whether the function can prevent the upload of unsafe files, that is, whether it is a valid security function, can be judged by whether the function has a processing step that checks whether the uploaded file contains these characteristic characters.
When a function is marked as a valid security function, the detection logic tracks the data flow through the function in the security function state, which is expressed as:
cn.demo.iast.Agent.checkSecurityTag("cn.demo.iast.engine.uitl.validateListFilesParameters", [directory, fileFilter], directory);
When the function is judged to be a normal function, the detection logic removes the function from the tracking objects of the data stream and no longer performs data stream tracking on it.
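Steps S1 to S62 and the unsafe-file-upload example above, as an added Python simulation that is not the patent's or the applicant's implementation: taint is tracked by object identity (as a JVM agent would), the candidate validateListFilesParameters is handled as a propagation stage function, and a constructed service terminal applies a constructed security rule to reach the valid or normal outcome. Function names, payloads, code text and the rule itself are all assumptions of this example.

```python
"""Simulation of the configuration flow in steps S1 to S62.
Added example, not the patent's code: names, payloads, code text and the rule are constructed."""
import re
from dataclasses import dataclass, field


@dataclass(eq=False)
class Taint:
    """A tracked value. Identity-based, so a function that returns its own input keeps the taint."""
    value: str


@dataclass
class Record:
    """Data-stream function information: function name, input values and return value."""
    name: str
    inputs: list
    output: str


@dataclass
class ServiceTerminal:
    """S2: holds code information per candidate; S6/S61/S62: applies the security rule."""
    code_info: dict = field(default_factory=dict)  # function name -> code information (constructed text)
    valid: set = field(default_factory=set)         # S61: valid security functions
    normal: set = field(default_factory=set)        # S62: reclassified as normal functions

    @staticmethod
    def security_rule(code: str) -> bool:
        # Constructed rule for the unsafe-file example: the code must handle the
        # characteristic characters the page names ("./" and ".exe").
        return re.search(r'\./|\.exe', code) is not None

    def report(self, stream: list) -> str:
        """S5/S6: associate the vulnerability data stream with stored code by function name."""
        hits = [r.name for r in stream if r.name in self.code_info and r.name not in self.normal]
        if not hits:
            return "reported: no candidate in stream"  # caused by normal functions; configuration ends
        name = hits[0]
        if self.security_rule(self.code_info[name]):
            self.valid.add(name)                       # S61: mark valid, close the current vulnerability
            return f"closed: {name} valid"
        self.normal.add(name)                          # S62: mark as a normal function
        return f"open: {name} normal"


class DetectionLogic:
    """S3/S4: data-flow tracking with candidates treated as propagation stage functions."""

    def __init__(self, terminal: ServiceTerminal):
        self.terminal = terminal
        self.stream: list = []

    def call(self, name, fn, *args):
        raw = [a.value if isinstance(a, Taint) else a for a in args]
        out = fn(*raw)
        self.stream.append(Record(name, raw, out))     # store input and return values
        if not any(isinstance(a, Taint) for a in args):
            return out
        if name in self.terminal.code_info and name not in self.terminal.normal:
            # Propagation stage (checkSpecialPropagation): the return value is removed from the
            # tracking object. Taint survives only if the function handed back its tainted input,
            # so an unverified candidate can neither launder nor add taint.
            for a, r in zip(args, raw):
                if isinstance(a, Taint) and out is r:
                    return a
            return out
        return Taint(out)                              # ordinary propagator: taint flows to the output

    def sink(self, arg):
        """Sink check: produce a vulnerability data stream unless a valid security function was passed."""
        if not isinstance(arg, Taint):
            return None
        if any(r.name in self.terminal.valid for r in self.stream):
            return None                                # checkSecurityTag state: not reported again
        return self.terminal.report(self.stream)


def handle_upload(logic: DetectionLogic, directory: str):
    """Constructed request handler: validate the directory, build a path, reach a file-system sink."""
    d = Taint(directory)                                                        # taint source
    checked = logic.call("validateListFilesParameters", lambda dir_, flt: dir_, d, "*.png")
    path = logic.call("concat", lambda base, p: base + p, "/uploads/", checked)
    return logic.sink(path)


def configure(candidate_code: str, payload: str = "../../etc") -> list:
    """Run the same request twice; the second pass shows the configured state."""
    terminal = ServiceTerminal(code_info={"validateListFilesParameters": candidate_code})  # S1/S2
    return [handle_upload(DetectionLogic(terminal), payload) for _ in range(2)]


# Constructed code information for the two outcomes.
VALID_CODE = 'if (dir.contains("../") || dir.endsWith(".exe")) throw new IllegalArgumentException();'
NORMAL_CODE = 'if (dir.startWith("/")) return dir;'
```

configure(VALID_CODE) closes the vulnerability on the first request and suppresses it on the second; configure(NORMAL_CODE) reclassifies the candidate and the second request is reported as an ordinary vulnerability.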
In another preferred embodiment of the present invention, a configuration system of application security functions is also disclosed, which operates based on the above configuration method.
The application also discloses a configuration system of the application program security function, which comprises one or more processors, a memory and one or more programs, wherein the one or more programs are stored in the memory and are configured to be executed by the one or more processors, and the programs comprise instructions for executing the configuration method. The processor may be a general-purpose central processing unit (CPU), a microprocessor, an application specific integrated circuit (ASIC), or one or more integrated circuits configured to execute the associated programs to perform the configuration methods of the method embodiments of the present application.
The invention also discloses a computer readable storage medium comprising a computer program executable by a processor to perform the configuration method as described above. The computer readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media. The usable medium may be a read-only memory (ROM), a random access memory (RAM), a magnetic medium such as a floppy disk, hard disk, magnetic tape or magnetic disk, an optical medium such as a digital versatile disc (DVD), or a semiconductor medium such as a solid state disk (SSD).
Embodiments of the present application also disclose a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the electronic device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the electronic device performs the above-described configuration method.
The foregoing description of preferred embodiments of the present invention is not intended to limit the scope of the present invention, which is defined by the claims that follow.

Claims (7)

1. A method for configuring security functions of an application program, comprising:
Acquiring all predefined security functions to be verified when the target application program class is loaded;
storing the code information of the security function to be verified in a service terminal;
Adding the security function to be verified into preset detection logic, and marking the security function to be verified as a propagation phase function; the detection logic is used for performing vulnerability detection on the target application program based on a data flow tracking mode;
Performing vulnerability detection on the target application program based on the detection logic, removing the return value of the security function to be verified from the tracking object of the data stream, and storing the input and return values of the security function to be verified as data stream transmission information;
Reporting the vulnerability data stream to the service terminal;
When the vulnerability data stream can be associated with the code information stored in the service terminal, judging whether a function in the vulnerability data stream conforms to a security rule; if so, marking the function as an effective security function and closing the current vulnerability; if not, marking the function as a normal function.
2. The method for configuring an application security function according to claim 1, wherein the method for acquiring the predefined security function to be verified comprises:
the target application program is instrumented by an instrumentation tool, a function identification method is implanted into the target application program, and the predefined security function to be verified is extracted based on the function identification method.
3. The method for configuring an application security function according to claim 2, wherein the function recognition method extracts the predefined security function to be verified based on a predefined set of keywords.
4. The method for configuring an application security function according to claim 1, wherein the code information includes byte code information corresponding to the security function to be verified, which is predefined.
5. A configuration system of application security functions, characterized in that the configuration system works based on the configuration method of any of claims 1 to 4.
6. A system for configuring security functions of an application, comprising:
one or more processors;
a memory;
and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the programs comprising instructions for performing the configuration method of any one of claims 1 to 4.
7. A computer readable storage medium comprising a computer program executable by a processor to perform the configuration method of any one of claims 1 to 4.
CN202410201663.3A 2024-02-23 Configuration method and system for application program security function Pending CN118278015A (en)

Publications (1)

Publication Number Publication Date
CN118278015A true CN118278015A (en) 2024-07-02



Legal Events

Date Code Title Description
PB01 Publication