KR100985071B1 - Method and Apparatus for detection and prevention malicious code using script languages for computer system - Google Patents

Abstract

The present invention relates to a method and apparatus for real-time detection, blocking of vulnerability code using a scripting language.

According to an embodiment of the present invention, a method for real-time detection and blocking of vulnerability code includes loading a signature database in which signature information of malicious code is stored and a policy database in which a system protection related policy is stored in a memory, script code and Located at the stage between the protected objects, hooking the shared library of the operating system used by the script code and the protected object, and checking the interface of the hooked shared library based on the signature database and policy database through the hooking step. The method may include determining whether the script code is malicious code based on a test result.

According to the present invention, in the process of generating and executing the vulnerability attack code, the attack code using the evasion method such as encryption can be detected in real time and can be detected in real time and block it.

Script, Malware, Vulnerability Attack Code, Real Time Detection

Description

Method and Apparatus for detection and prevention malicious code using script languages for computer system}

The present invention relates to a method and apparatus for detecting and blocking vulnerability code in real time using a scripting language in a computer system, and more particularly, to dynamically execute execution of vulnerability code using a scripting language through shared library hooking. A method and apparatus for detecting and blocking.

Vulnerability code usually uses security vulnerabilities of a specific application system to cause abnormal behavior on the system, or to obtain the system's authority to execute malicious code such as worms or viruses on the user's system, or to secretly obtain personal information. I mean the code that attacks the user in such a way. In addition, it may operate in the form of attacking the third system by using the system of the user who obtained the authority.

Most of these attack codes are written using a scripting language that is read by an interpreter rather than being operated by a compiler and is characterized by being executable and easy to produce in various environments. In particular, the vulnerability exploit code is written as Java Script or Visual Basic Script that can be applied to most computer systems connected to the Internet in order to attack an unspecified number of Internet users. . When a user accesses a specific web page, the vulnerability code in a scripting language is installed and executed on the user's computer system, causing the vulnerability code to run and the malicious code to be downloaded.

COM (Component Object Model) objects can be executed in a language-neutral way, regardless of the type of operating system, and there are certain conventions. This is a convention for external programs to use the object. It is the identifier of the object (e.g., class ID, UUID, etc.), file location, attribute provided by the object, list of interface functions, number of attributes, and data type. Register with the operating system in the form of a type library. Typically, external programs use the object by changing the properties listed in the type library or by calling interface functions. Also, the term COM object is generally used as a high level concept that includes all OLE, OLE Automation, ActiveX, DCOM, COM +, and XPCOM technologies.

For example, the vulnerability could use a COM object's properties or interface functions associated with a keyboard input event installed on the user's computer to obtain a password for a particular website. It may also cause a buffer overflow, etc., to cause an abnormal operation.

The prior art for preventing the damage caused by the attack code was to create a signature of the attack code, such as to diagnose malicious code, and then delete the corresponding script file when an attack code matching the signature pattern is detected. In general, the signature of the attack code is an indicator for identifying the attack code, and is created based on an object that the attack code intends to use during the operation of the attack code, for example, a parameter value to be applied to an interface of a COM object. . Therefore, if a signature is found in a script including an attack code, the damage by the attack code is prevented in the same manner as deleting the script.

However, such a conventional attack code prevention technology has to create signatures of a number of new attack codes one by one, and there is a problem in that when the attack code is encrypted or manipulated, it cannot be detected by a previously created signature. For example, in case of an attack using a parameter of an interface function of an object to be attacked, it is difficult to grasp the attack code through signature information previously created when calling an interface using a method of encrypting a parameter or manipulating a string. This exists.

1 illustrates an example of an attack code using a string manipulation method to evade a conventional attack code detection technique.

If the parameter value input to the interface function in the existing attack code is "This is a very bad parameter", the signature can be written to search for these strings. However, to avoid this, the attack code separates the input values into two, such as “This is a very” and “bad parameter”, stores them in separate string variables, and concatenates them using the concatenation operator. You can also call the interface of the target object. In this case, not only attack code can be detected by existing signatures, but also there are countless ways to manipulate strings. Therefore, it is very difficult to create corresponding signatures. .

As such, the conventional method of detecting attack codes by comparing signatures is not only limited to detecting attack codes that manipulate signatures using encryption or string manipulation, but also includes a list of signatures for all cases where encrypted or strings are manipulated. There was a problem to include in.

SUMMARY OF THE INVENTION The present invention has been made to solve the above problems, and the technical problem to be achieved by the present invention is to execute such an attack code in real time to protect the user's system from attack code using a script using a shared library hooking technique. To provide a method and apparatus for detecting and blocking.

The object of the present invention is not limited to the above-mentioned object, and other objects that are not mentioned will be clearly understood by those skilled in the art from the following description.

In order to achieve the above object, a real-time detection and blocking method of a vulnerability attack code according to an embodiment of the present invention loads a signature database in which signature information of malicious code is stored and a policy database in which a system protection related policy is stored in a memory. Step, which is located between the script code and the protected object, hooking the shared library of the operating system used by the script code and the protected object, and hooking the interface to the signature database and policy database. Checking based on the method, and determining whether the script code is malicious code based on the test result.

Preferably, the object to be protected includes a Component Object Model (COM) object.

Preferably, the policy database includes a protection policy set for each object.

Preferably it further comprises the step of blocking the execution of the object if it is determined that the malicious code.

Preferably, if it is determined that the normal script code is determined, the method further includes checking whether the object is a blocked object based on the policy database, and blocking the execution of the object if the object is a blocked object.

According to another embodiment of the present invention, a method for real-time detection and prevention of vulnerability attack code includes loading a policy database in which a system protection related policy is stored in memory, and is in charge of communication between script code and a protected object. Hooking the shared library of the operating system used by the code and the protected object, and checking the interface of the hooked shared library based on the policy database through the hooking step to determine whether the protected object is set as a blocked object. And blocking the execution of the object when the determination result is a blocking object.

In order to achieve the above object, the apparatus for real-time detection and prevention of vulnerability attack code according to an embodiment of the present invention hooks a signature database in which signature information of malicious code is stored, a policy database in which system protection-related policies are stored, and a shared library. And a decision engine that determines whether an attack code exists based on a hooking engine, a signature database, and a policy database.

It preferably comprises a recording medium having recorded thereon a computer readable program for carrying out the method according to the invention.

Specific details of other embodiments are included in the detailed description and the drawings.

According to the real-time detection, blocking method and apparatus method of the vulnerability attack code using the script language of the present invention as described above has the following effects.

According to the present invention, since a vulnerability attack code is dynamically detected during the generation and execution of the vulnerability, the attack code using an evasion method such as encryption can be detected and blocked in real time.

In addition, even when the diagnosis of the attack code fails, the user's system can be protected by blocking the execution of the object to be protected according to the policy.

Advantages and features of the present invention and methods for achieving them will be apparent with reference to the embodiments described below in detail with the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below, but can be implemented in various different forms, and only the embodiments make the disclosure of the present invention complete, and the general knowledge in the art to which the present invention belongs. It is provided to fully inform the person having the scope of the invention, which is defined only by the scope of the claims. Like reference numerals refer to like elements throughout.

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings. It will be appreciated that the combination of each block in the accompanying block diagram and each step in the flowchart may be performed by computer program instructions. These computer program instructions may be mounted on a processor of a general purpose computer, special purpose computer, or other programmable data processing equipment such that instructions executed through the processor of the computer or other programmable data processing equipment may not be included in each block or flowchart of the block diagram. It will create means for performing the functions described in each step. These computer program instructions may be stored in a computer usable or computer readable memory that can be directed to a computer or other programmable data processing equipment to implement functionality in a particular manner, and thus the computer usable or computer readable memory. It is also possible for the instructions stored in to produce an article of manufacture containing instruction means for performing the functions described in each block or flow chart step of the block diagram. Computer program instructions It can also be mounted on a computer or other programmable data processing equipment, so a series of operating steps are performed on the computer or other programmable data processing equipment to create a computer-implemented process to perform the computer or other programmable data processing equipment. It is also possible for the instructions to provide steps for performing the functions described in each block of the block diagram and in each step of the flowchart.

In addition, each block or step may represent a portion of a module, segment, or code that includes one or more executable instructions for executing a specified logical function (s). It should also be noted that in some alternative implementations, the functions noted in the blocks or steps may occur out of order. For example, the two blocks or steps shown in succession may in fact be executed substantially concurrently or the blocks or steps may sometimes be performed in the reverse order, depending on the functionality involved.

Hereinafter, a flow chart of a typical attack code using an execution structure and a script language of a typical COM object in a computer system will be described first to describe a method for real-time detection and blocking of an attack code according to the present invention.

2 is a diagram illustrating a structure showing a step in which a script code executes a COM object in a computer system.

When a script code 210 wants to access and obtain permission to a specific object 230 on the computer system 200, the script code 210 directly accesses the binary of the specific object 230 and Instead of acquiring the right, the right is accessed through the shared library 220 of the operating system to acquire the right. The shared library 220 includes, for example, mshtml.dll and oleaut32.dll in the case of the Microsoft Windows operating system. For example, when the script code 210 wants to access the COM object 230, the script library 210 provides the shared library 220 with information such as an identifier (eg, a class ID) of the COM object 230 to generate the object. The shared library 220 provides the corresponding COM object through this information. This process goes through not only code written in general scripting language but also code to attack vulnerabilities in order to perform normal operation in computer. On the other hand, the object accessible through the shared library is not limited to the COM object may include all objects commonly used in the technical field of the present invention, such as ActiveX, COM +, DCOM, XPCOM.

3 is a flow diagram illustrating a typical flow of attack code using a scripting language.

Typically, the process (S300) of the attack code using the script language to obtain the permission for the object is the same as the process of FIG. 2 described above, and thus description thereof will be omitted. As described above, after the attack code creates the object to be attacked or obtains access to the object, the attack code may change the attribute data value of the object or set a value that may abnormally operate the computer system in the parameter of the interface function. In more detail, in general, an object has an attribute and an interface function as a means for connecting and operating the object. An attribute refers to a variable that can represent the characteristics of an object, and an interface function refers to a function that enables a specific operation of an object. Therefore, if the property value of the object is manipulated, the property of the object may be changed, which may cause a failure in normal operation. In addition, the parameter (argument) value of the interface function is a value required for the operation of the function, for example, if there is a function for stopping the operation of the object for a certain time, the stop time may be one of the argument values. The parameter may be a string, or the computer system may behave abnormally depending on the input value. For example, if a string value larger than a predetermined size of an input string is input to an interface function, a buffer overflow may occur and an object and a computer system may malfunction. Next, when the attack code calls the object, the shared library code of the operating system is executed before the code of the object is operated (S330). The shared library code stage then inputs information received from the attack code, for example, to generate or execute the object. The object is recalled (S340) through information such as an identifier (eg, class ID), an interface function, and a parameter value of the object. That is, normal script code and objects including attack code communicate through shared library code. The attack code may bypass an attempt to detect an attack code by inputting a string manipulated value or an encrypted value to the parameter of the object as described above (S310).

More specifically, when an attack code calls an interface function, the attacker's code must pass through the operating system's shared library. Therefore, if the attacker finds the property value or parameter value of the object passed to the shared library, the property value or parameter value passed to the object is passed. Can be identified. In addition, even if the attack code wants to circumvent how to detect the attack code through a pre-written signature using an encrypted value or a manipulated string on the script code, the value to be finally delivered to the object is decrypted or normally combined. Because it must be a string, the value passed to the shared library is also the restored value. In other words, when the attack code is executed to call the shared library, the signature of the attack code can be determined regardless of encryption by examining various parameter values of the shared library.

The following describes with reference to a flowchart of the method according to the embodiments of the present invention, and as described above, the order of each step of the flowchart is not absolute, and may be performed in the reverse order or omitted within the scope without departing from the spirit of the present invention. It may be.

4 is a flowchart illustrating a real-time detection and prevention method of a vulnerability attack code according to an embodiment of the present invention.

In order to check argument values and the like delivered to the shared library by the script code and to block execution of the object when it is determined that the script code is an attack code based on the check result, the shared library is hooked (S400). Hooking usually means intercepting messages or events that are sent to other processes or threads. In addition, a signature database in which signature related information of attack codes is stored and a policy database in which a policy related to protection of an object, such as a list of objects to be blocked, are stored are loaded into the memory (S410). Next, if a function that is delivered as an object to the hooked shared library is called or an event occurs, it is examined (S420). If it is determined that the vulnerability attack code is based on the signature database or the policy database (YES in S430), the execution of the interface of the object is blocked (S440) to prevent the attack. In addition, it is possible to prevent an attack by blocking the creation of the object itself according to the policy. That is, it dynamically monitors and protects a series of processes from creation to destruction of objects.

Hooking step (S400) may be performed through a method commonly used in the art. Signature information of the attack code is stored in the signature database, and it may be determined whether the attack code is through the comparison with the information obtained through the shared library hooking (S430). A policy database is a database that stores policies that set specific directions for protecting computer systems. For example, a policy database can set the degree of protection for each object to be protected. The object determined to be blocked may be created or executed regardless of the object determined to be an attack code. Therefore, in step S430 of determining that the attack code is determined, only the signature database or the policy database may be determined, or both may be determined simultaneously to determine whether the object is executed.

As described above, the method for detecting and blocking the vulnerability attack code according to the present invention dynamically checks the process of creating an object and performing an interface function at execution time, so that the stability and accuracy of the vulnerability attack code is higher than that of the conventional static method. Is improved. In addition, as described above, when the object is executed, the encrypted or manipulated parameter values are all restored when the shared library calls the object, thereby improving the accuracy of attack code detection.

5 is a diagram illustrating a real-time detection and blocking method of a vulnerability attack code according to another embodiment of the present invention.

Since the shared library hooking step S500, the signature and policy database loading step S510, and the interface function investigation step S520 are the same processes as those of FIG. 4, a detailed description thereof will be omitted. If it is determined that the object is blocked based on the policy database (YES in S530), the interface is blocked (S540).

That is, even if it is determined that the script code is normal, if the object is a frequent attack or an object having high vulnerability (YES in S530), the policy is set to block execution of the interface function of such an object regardless of the attack code. To block execution. The system can be secured by blocking the execution of dangerous objects according to the policy level set for each object. In addition, since it is possible to hook a series of operations of the object from the time of object creation through the shared library hooking, it is also possible to block the creation of the object itself according to the policy set for each object.

6 is a diagram illustrating a real-time detection and blocking method of a vulnerability attack code according to another embodiment of the present invention.

Since the shared library hooking step S600, the signature and policy database loading step S610, and the interface function checking step S620 are the same processes as those of FIG. 4, a detailed description thereof will be omitted. If it is determined that the vulnerability attack code is based on the signature database or the policy database (YES in S630), the attack is prevented by blocking the creation or execution of the interface of the object (S650). In addition, even if it is not determined to be a vulnerability attack code (NO in S630), an object that is determined to be at high risk in execution may be blocked according to the security policy level (YES in S640). As described above, the order of each step is not absolute and may be performed in the reverse order or omitted without departing from the spirit of the present invention.

7 is a block diagram showing the configuration of a real-time detection and blocking device for vulnerability attack code using a scripting language according to an embodiment of the present invention.

An apparatus for real-time detection and blocking of vulnerability code using a scripting language according to the present invention includes a signature database unit 710, a policy database unit 720, a hooking engine unit 730, and a decision engine unit 740. .

The signature database unit 710 stores a malicious code signature that is used as a criterion for checking whether the current script code is an attack code from parameter values and attribute values inputted by the attack code. The policy database unit 720 determines and stores a protection policy, such as setting a protection level for each object or collectively for the operating system 700 or determining whether to execute an object. The hooking engine unit 730 hooks the code of the shared library and then is used to monitor a series of processes such as creating an object and calling and using an interface function. The decision engine unit 740 determines whether to execute the object based on the result obtained from the hooking engine unit 730 and the signature data and the policy data.

Each component described above may refer to software or hardware such as a field-programmable gate array (FPGA) or an application-specific integrated circuit (ASIC). However, the components are not limited to software or hardware, and may be configured to be in an addressable storage medium and may be configured to execute one or more processors. The functions provided in the above components may be implemented by more detailed components, or may be implemented by combining a plurality of components to perform a specific function. In addition, the components may be implemented to execute one or more computers in a system. In addition, not all components are essential components and may not be included or included in a plurality without departing from the spirit of the present invention.

Although embodiments of the present invention have been described above with reference to the accompanying drawings, those skilled in the art to which the present invention pertains may implement the present invention in other specific forms without changing the technical spirit or essential features thereof. I can understand that. It is therefore to be understood that the above-described embodiments are illustrative in all aspects and not restrictive.

1 is an embodiment of a source code of an attack code using a string manipulation method to evade a conventional attack code detection technique.

2 is a diagram illustrating a structure showing a step in which a script code executes a COM object in a computer system.

3 is a flow diagram illustrating a typical flow of attack code using a scripting language.

4 is a flowchart illustrating a real-time detection and prevention method of a vulnerability attack code according to an embodiment of the present invention.

5 is a diagram illustrating a real-time detection and blocking method of a vulnerability attack code according to another embodiment of the present invention.

6 is a diagram illustrating a real-time detection and blocking method of a vulnerability attack code according to another embodiment of the present invention.

7 is a block diagram showing the configuration of a real-time detection and blocking device for vulnerability attack code using a scripting language according to an embodiment of the present invention.

Claims (11)

Loading a signature database in which signature information of malicious code is stored and a policy database in which a system protection related policy is stored in memory; Hooking a shared library of an operating system located between a script code and a protected object and used by the script code and the protected object; Inspecting the interface of the shared library hooked through the hooking based on the signature database and the policy database; Determining whether the script code is malicious code based on a result of the checking step; Real-time detection and blocking of vulnerability exploit code using scripting language. The method of claim 1, The protected object includes a Component Object Model (COM) object. Way. The method of claim 1 The policy database includes a protection policy set for each object. Way. The method of claim 1, If it is determined in the determining that the script code is malicious code, the method further includes blocking generation or execution of the protected object. Way. The method of claim 1, If it is determined in the determining that the script code is a normal script code, checking whether the protected object is a blocked object based on the policy database; And Blocking the creation or execution of the protected object if the protected object is a blocked object; Way. The method of claim 1, The inspecting step is performed from creation to destruction of the object to be protected. Way. Loading a policy database storing system protection related policies into a memory; Hooking a shared library of an operating system that is in charge of communication between script code and a protected object and is used by the script code and the protected object; Inspecting the hooked interface of the shared library based on the policy database to determine whether the protected object is set as a blocked object; And Blocking the creation or execution of the protected object if the protected object is a blocked object; Real-time detection and blocking of vulnerability exploit code using scripting language. The method of claim 7, wherein The protected object includes a COM object Way. The method of claim 1, The determining may be performed from the creation of the protected object to the destruction of the object. Way. A signature database that stores signature information of malicious code; A policy database that stores system protection related policies; A hooking engine positioned between a script code and a protected object and hooking a shared library of an operating system used by the script code and the protected object; And a determination engine that determines whether an attack code exists by checking an interface of the shared library hooked by the hooking engine based on the signature database and the policy database. Real-time detection and blocking of vulnerability exploit code using scripting language. A recording medium on which a computer-readable program is recorded for executing the method according to any one of claims 1 to 9.

Images