TWI728637B - Information security protection method and computer-readable medium - Google Patents


Publication number: TWI728637B
Authority: TW (Taiwan)
Application number: TW109100064A
Other versions: TW202127287A
Other languages: Chinese (zh)
Prior art keywords: vulnerability, target program, information, address, execute
Inventors: 林品鐘, 陳彥仲, 蔡天浩, 翁振芳, 林武震
Original assignee: 中華電信股份有限公司
Events: application TW109100064A filed by 中華電信股份有限公司; application granted; published as TWI728637B and TW202127287A

Landscapes

  • Storage Device Security (AREA)

Abstract

This invention provides an information security protection method and a computer-readable medium. Said method comprises the following steps: searching for vulnerability information of a target program; developing defense methods based on vulnerability information; locating the vulnerability address of the target program; setting an interruption point based on the vulnerability address; optimizing the process of monitoring the target program; running and monitoring whether the target program triggers a vulnerability: if not, recording the executed process and continuously monitoring the target program, otherwise, interrupting the target program based on the interruption point address; determining whether the vulnerability of the target program has a corresponding vulnerability defense method: if not, performing a version update on the target program, otherwise, performing a vulnerability repair mechanism on the target program, executing a vulnerability defense method on the target program, and recording the executed process and continuously monitoring the target program.

Description

Information security protection method and computer-readable medium

The present invention relates to information security protection technology and, more specifically, to an information security protection method and computer-readable medium directed at software vulnerabilities.

As the information field develops, information security protection becomes ever more important. In general, when an existing information security protection method finds that a target program (or piece of software) has a vulnerability, it searches for an updated version of the target program and applies the update to patch the vulnerability.

However, once the program is updated and its original code modified, existing functions and operations may be affected; if one chooses not to update, the vulnerability remains and continues to threaten information security. How to provide information security protection technology that has a vulnerability protection mechanism yet reduces or avoids the impact on the target program's functions has therefore become a pressing problem for the industry.

To solve the problems of the aforementioned prior art, one object of the present invention is to provide an information security protection method and computer-readable medium that can block vulnerabilities while reducing or avoiding the impact on the target program's functions.

To achieve this object, the information security protection method of the present invention comprises the following steps: searching for vulnerability information of a target program; formulating a vulnerability defense method based on the vulnerability information; locating the vulnerability address of the target program; setting a breakpoint based on the vulnerability address; optimizing the process of monitoring the target program; executing the target program and monitoring whether it triggers the vulnerability, and if not, recording the executed process and continuing to monitor the target program, otherwise interrupting the target program at the breakpoint address; and determining whether the vulnerability of the target program has a corresponding vulnerability defense method, and if not, performing a version update of the target program, otherwise applying the vulnerability patching mechanism to the target program, applying the vulnerability defense method to the target program, recording the executed process, and continuing to monitor the target program.

In one embodiment, the step of formulating a vulnerability defense method based on the vulnerability information further comprises: classifying the vulnerability; and formulating a corresponding vulnerability defense method according to the category of the vulnerability.

In one embodiment, the step of locating the vulnerability address of the target program further comprises: tracing the target program's low-level system information according to the vulnerability information to obtain data related to the vulnerability; and locating the vulnerability address according to that related data.

In one embodiment, the low-level system information comprises Symbol Table information or DWARF information.

In one embodiment, the data related to the vulnerability comprises an inode value and an offset value.

In one embodiment, the step of setting a breakpoint based on the vulnerability address further comprises: registering a checkpoint at the address that precedes execution of the function of the target program that contains the vulnerability; inserting a breakpoint instruction at the checkpoint; and setting up an alert mechanism at the checkpoint.

In one embodiment, the step of optimizing the process of monitoring the target program further comprises: filtering out the functions of the target program that do not contain the vulnerability; and recording the execution state of the functions of the target program that contain the vulnerability.

In one embodiment, the step of applying the vulnerability patching mechanism to the target program further comprises: implanting a protection program at the vulnerability address, the protection program being used to reject the abnormal data of the vulnerability or to interrupt execution of the vulnerable code.

The present invention further provides a computer-readable medium for information security protection, applied in a computer having a processor and a memory, wherein the computer executes a target program and the computer-readable medium through the processor and the memory, and performs the information security protection method described above when executing the computer-readable medium.

Compared with the prior art, the information security protection method of the present invention formulates a vulnerability defense method and locates the vulnerability address based on the target program's vulnerability information provided by a database, then sets a breakpoint at the vulnerability address and monitors whether the target program triggers the vulnerability. Once the vulnerability is found to be triggered, the target program is interrupted, and after the degree of impact of the vulnerability has been determined, the vulnerability patching mechanism and the vulnerability defense method are applied as appropriate. Because neither the patching mechanism nor the defense method modifies the original program directly, the impact on the target program's functions is reduced or avoided, which fully solves the problems of the prior art. In addition, the method can trace low-level system information, set an alert mechanism at the vulnerability address, or add a process that optimizes the monitoring of the target program, so as to further perform behavioral analysis and security protection of the vulnerability.

S10~S20: steps
S110~S111: steps
S120~S121: steps
S130~S132: steps
S140~S141: steps

Figure 1 is a flowchart of the steps of the information security protection method of the present invention.

Figure 2 is a partial flowchart of the information security protection method of the present invention.

Figure 3 is a partial flowchart of the information security protection method of the present invention.

Figure 4 is a partial flowchart of the information security protection method of the present invention.

Figure 5 is a partial flowchart of the information security protection method of the present invention.

The following specific embodiments illustrate how the present invention is implemented; those skilled in the art can readily understand the other advantages and effects of the present invention from the content disclosed in this specification. The present invention may also be implemented or applied through other different specific embodiments, and the details in this specification may be modified and changed in various ways, based on different viewpoints and applications, without departing from the spirit of the present invention.

The information security protection method of the present invention is shown in the step flow of Figure 1 in combination with Figures 2 to 5. As shown in Figure 1, the method mainly comprises the following steps:

S10. Search for vulnerability information of a target program.

S11. Formulate a vulnerability defense method based on the vulnerability information.

S12. Locate the vulnerability address of the target program.

S13. Set a breakpoint based on the vulnerability address.

S14. Optimize the process of monitoring the target program.

S15. Execute the target program and monitor whether it triggers the vulnerability; if not, record the executed process and continue monitoring the target program; if so, proceed to the next step.

S16. Interrupt the target program at the breakpoint address.

S17. Determine whether the vulnerability of the target program has a corresponding vulnerability defense method; if not, perform a version update of the target program; if so, proceed to the next step.

S18. Apply the vulnerability patching mechanism to the target program.

S19. Apply the vulnerability defense method to the target program.

S20. Record the executed process and continue monitoring the target program.

In step S10, the information security protection method of the present invention automatically collects vulnerability intelligence to build a vulnerability database. The vulnerability intelligence may, for example, be collected from the Common Vulnerabilities and Exposures (CVE) database, but is not limited to it.

In step S11, a vulnerability defense method is formulated according to the vulnerability intelligence.

In the alternative embodiment of Figure 2, step S11 of formulating a vulnerability defense method based on the vulnerability information further comprises:

S110. Classify the vulnerability.

S111. Formulate a corresponding vulnerability defense method according to the category of the vulnerability.

In steps S110~S111, the vulnerability is first classified according to the vulnerability information, for example as a misconfiguration, an authentication or authorization problem, a code injection attack, or an access control problem, and a corresponding defense method is formulated for that category. The defense method may be, for example, compiling a security-updated version of the target program, adding strict network firewall whitelist rules, restricting the vulnerable program's access to external files, or introducing an executable whitelist mechanism, but is not limited to these. Several defense methods may also be combined to lower the risk posed by the vulnerability.

For example, when the collected intelligence for CVE-2017-15804 indicates that the glob function in GNU C Library version 2.12 has a high-risk vulnerability, and the intelligence shows that this glob function causes a buffer overflow that leads to erroneous read and write operations at other memory locations, then, if the intelligence does not yet announce a new version of the GNU C Library, the information security protection method of the present invention first compiles a security-updated version of the target program, uses sandbox testing to identify the target programs that may be affected by the vulnerability, and analyzes the corresponding vulnerability defense methods, for example raising or restricting read, write and execute permissions.

In step S12 of Figure 1, the vulnerability address of the target program is located.

In the alternative embodiment shown in Figure 3, step S12 of locating the vulnerability address of the target program further comprises:

S120. According to the vulnerability information, trace the low-level system information to obtain data related to the vulnerability.

S121. Locate the vulnerability address according to the data related to the vulnerability.

In steps S120~S121, in addition to the vulnerability information, the target program's low-level system information (for example the Symbol Table information or DWARF information used when executing the target program) is used to compute data related to the vulnerability (for example an inode value and an offset value), from which it is inferred whether the target program may trigger the vulnerability; the vulnerability may be triggered by a particular function, code section, or specific line number of the target program.

In a further embodiment, the information security protection method of the present invention can obtain, for example, the offset value of the vulnerable glob from the Symbol Table information, obtain the file's storage location through the inode value, and compute the memory address of the vulnerability for the subsequent steps, in which it is observed whether the vulnerability is triggered when the target program executes. In addition, the method can also use the DWARF information to compute the correspondence between the source lines of the code that triggers the vulnerability and memory.
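The two computations of steps S120~S121 (symbol table value to file offset, then inode plus offset to the address in the running process) carried through in C, as an added example that is not part of the patent or of any product of the assignee. The maps text, inode, symbol value and program-header values are constructed, in the layout the Linux kernel prints for /proc/<pid>/maps; a real tool would read that file and the ELF symbol table instead.

```c
#include <stdio.h>
#include <string.h>

/* One line of a /proc/<pid>/maps listing, in the kernel's format:
 *   start-end perms offset dev inode [path]                       */
typedef struct {
    unsigned long long start, end;  /* virtual address range          */
    char perms[5];                  /* e.g. "r-xp"                    */
    unsigned long long offset;      /* file offset mapped at `start`  */
    unsigned long long inode;       /* inode of the backing file      */
} map_entry;

/* Parse one maps line; returns 1 on success, 0 on a malformed line. */
static int parse_maps_line(const char *line, map_entry *e)
{
    unsigned long dev_major, dev_minor;
    int n = sscanf(line, "%llx-%llx %4s %llx %lx:%lx %llu",
                   &e->start, &e->end, e->perms, &e->offset,
                   &dev_major, &dev_minor, &e->inode);
    return n == 7;
}

/* Symbol Table step: a symbol's st_value is a link-time virtual
 * address; the file offset of that code follows from the PT_LOAD
 * segment that contains it (p_vaddr / p_offset / p_filesz from the
 * program header).  Returns 0 when the symbol lies outside it.    */
unsigned long long symbol_file_offset(unsigned long long st_value,
                                      unsigned long long p_vaddr,
                                      unsigned long long p_offset,
                                      unsigned long long p_filesz)
{
    if (st_value < p_vaddr || st_value - p_vaddr >= p_filesz)
        return 0;
    return st_value - p_vaddr + p_offset;
}

/* inode + offset step: find the executable mapping of the file with
 * `inode` that covers file offset `sym_off` and translate it to the
 * address it occupies in the running process.  Returns 0 when no
 * executable mapping of that file covers the offset.               */
unsigned long long resolve_runtime_address(const char *maps,
                                           unsigned long long inode,
                                           unsigned long long sym_off)
{
    char line[512];
    const char *p = maps;

    while (*p) {
        const char *nl = strchr(p, '\n');
        const char *next = nl ? nl + 1 : p + strlen(p);
        size_t len = (size_t)(nl ? nl - p : (long)strlen(p));
        if (len >= sizeof line)
            len = sizeof line - 1;       /* over-long line: keep the head */
        memcpy(line, p, len);
        line[len] = '\0';
        p = next;

        map_entry e;
        if (!parse_maps_line(line, &e))
            continue;
        /* A breakpoint must land on code, so only executable mappings count. */
        if (e.inode != inode || e.perms[2] != 'x')
            continue;
        unsigned long long span = e.end - e.start;
        if (sym_off >= e.offset && sym_off - e.offset < span)
            return e.start + (sym_off - e.offset);
    }
    return 0;
}

/* Constructed sample: four mappings of one libc file plus the stack.
 * Inode 1311301 and the addresses are made up.                      */
static const char CONSTRUCTED_MAPS[] =
    "7f3a1c000000-7f3a1c022000 r--p 00000000 08:01 1311301 /lib/x86_64-linux-gnu/libc.so.6\n"
    "7f3a1c022000-7f3a1c1b7000 r-xp 00022000 08:01 1311301 /lib/x86_64-linux-gnu/libc.so.6\n"
    "7f3a1c1b7000-7f3a1c20f000 r--p 001b7000 08:01 1311301 /lib/x86_64-linux-gnu/libc.so.6\n"
    "7f3a1c213000-7f3a1c217000 rw-p 00212000 08:01 1311301 /lib/x86_64-linux-gnu/libc.so.6\n"
    "7ffc5e2c0000-7ffc5e2e1000 rw-p 00000000 00:00 0 [stack]\n";

/* Constructed symbol-table / program-header values for `glob`: the
 * text segment is linked at vaddr 0x22000 with file offset 0x22000. */
#define LIBC_INODE    1311301ULL
#define GLOB_ST_VALUE 0xcd3e0ULL
#define TEXT_P_VADDR  0x22000ULL
#define TEXT_P_OFFSET 0x22000ULL
#define TEXT_P_FILESZ 0x195000ULL

int main(void)
{
    unsigned long long off = symbol_file_offset(GLOB_ST_VALUE, TEXT_P_VADDR,
                                                TEXT_P_OFFSET, TEXT_P_FILESZ);
    unsigned long long addr = resolve_runtime_address(CONSTRUCTED_MAPS,
                                                      LIBC_INODE, off);
    printf("glob: file offset 0x%llx -> runtime address 0x%llx\n", off, addr);
    return addr ? 0 : 1;
}
```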

In step S13, a breakpoint is set based on the vulnerability address.

In the alternative embodiment shown in Figure 4, step S13 of setting a breakpoint based on the vulnerability address further comprises:

S130. Register a checkpoint at the address preceding execution of the vulnerability.

S131. Insert a breakpoint instruction at the checkpoint.

S132. Set up an alert mechanism at the checkpoint.

In steps S130~S132, the information security protection method of the present invention registers a checkpoint at the memory address the target program reaches before it can execute the function containing the vulnerability, inserts a breakpoint instruction (for example an INT3 instruction) there, and sets up an alert mechanism. With this breakpoint instruction in place, when the target program reaches that memory address in a subsequent step, the breakpoint instruction raises a "program breakpoint" exception so that the vulnerable code is not executed, and the alert mechanism sends an alert message to the user when the target program is interrupted.

Continuing to step S14, the process of monitoring the target program is optimized.

In the alternative embodiment shown in Figure 5, step S14 of optimizing the process of monitoring the target program further comprises:

S140. Filter out the functions of the target program that are not vulnerable.

S141. Record the execution state of the vulnerable function.

In steps S140~S141, the code of the target program is searched for the name of the vulnerable program or function, so that normal functions (i.e. functions that do not contain the vulnerability) are filtered out and all functions that use the vulnerable one are found, and when execution of the target program reaches a function that contains the vulnerability, its execution state is recorded. The execution state may record, for example, the name of the vulnerable function, the parameter types, parameter names, and parameter contents or memory locations used by the vulnerability, and the variable names, variable types, and variable contents or memory locations inside the vulnerable function, but is not limited to these. In this way, unnecessary overhead is reduced and the dynamic tracing process is accelerated.

For example, the information security protection method of the present invention can set a filter variable glob, find all functions that may trigger the vulnerable glob, and record the execution state of a function containing glob when it is triggered, including the function name glob, the parameter types const char, int, int*, glob_t, the parameter names pattern, flags, errfunc, pglob, the parameter memory location 0x7ffc********, and the function's variables filename, dirname, dirle, p, q, end_name, etc.

Continuing to step S15, the target program is executed and monitored for whether it triggers the vulnerability; if not, the executed process is recorded and the target program continues to be monitored; if so, the next step S16 is executed. Although the target program has the vulnerability, this does not mean that execution will necessarily reach the point where the vulnerability occurs; at this stage the information security protection method of the present invention helps the target program's administrators evaluate the impact of a security update (for example, the extent to which system and service operation would be affected), so as to reduce the cost from discovery of the vulnerability to the security update. If the target program will trigger the vulnerability, the subsequent processing steps are required.

In step S16, the target program is interrupted at the breakpoint address so that the vulnerable code is not executed, and step S17 follows.

In step S17, it is determined whether the vulnerability of the target program has a corresponding vulnerability defense method (for example, the one formulated in step S11); if not, a version update is performed on the target program; if so, the next step S18 is executed. When a corresponding vulnerability defense method exists, the subsequent steps ensure that execution of the target program is not affected by the vulnerability.

In step S18, applying the vulnerability patching mechanism to the target program comprises: implanting a protection program at the vulnerability address, the protection program being used to reject the abnormal data of the vulnerability or to interrupt execution of the vulnerable code.

Also in step S18, the protection program can check the contents of the variables or the execution logic affected by the vulnerability, and reject the abnormal data or interrupt execution of the vulnerable code. Because the protection program guards only the point where the vulnerability occurs, it does not change any functionality, so unnecessary security version updates are avoided while vulnerability protection is still achieved.
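A protection program of the kind step S18 describes, placed in front of the glob call from the S14 example and recording the call state that S14 lists (function name, parameter contents and memory location), as an added example that is not the patent's own code. The guard policy (a length cap and refusal of '~' patterns) is a constructed assumption; the patent only says the glob call overflows a buffer.

```c
#include <glob.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Execution-state record for one call of the guarded function (the
 * fields step S14 lists: function name, parameter names/contents and
 * memory location) plus the guard's verdict.                        */
typedef struct {
    const char *function;       /* "glob"                              */
    char        pattern_head[64]; /* start of parameter `pattern`      */
    size_t      pattern_len;
    int         flags;          /* parameter `flags`                   */
    const void *pglob;          /* parameter `pglob` (memory location) */
    int         rejected;       /* 1 when the guard refused the call   */
    const char *reason;         /* why it was refused, else NULL       */
} call_record;

static call_record last_call;            /* most recent recorded call */

const call_record *guard_last_call(void) { return &last_call; }

/* Constructed guard policy: refuse NULL arguments, patterns at or
 * above PATTERN_MAX bytes, and patterns requesting '~' expansion.    */
#define PATTERN_MAX    4096
#define GUARD_REJECTED (-100)   /* outside glob's GLOB_* error codes */

static const char *check_pattern(const char *pattern, const glob_t *pglob,
                                 size_t len)
{
    if (pattern == NULL || pglob == NULL) return "null argument";
    if (len >= PATTERN_MAX)               return "pattern too long";
    if (pattern[0] == '~')                return "tilde expansion refused";
    return NULL;
}

/* The protection program: same signature as glob(), so it can stand
 * in front of the vulnerable call; it records the call state, refuses
 * abnormal input with an alert, and otherwise passes the call through. */
int guarded_glob(const char *pattern, int flags,
                 int (*errfunc)(const char *, int), glob_t *pglob)
{
    size_t len = pattern ? strlen(pattern) : 0;

    last_call.function    = "glob";
    snprintf(last_call.pattern_head, sizeof last_call.pattern_head,
             "%s", pattern ? pattern : "(null)");
    last_call.pattern_len = len;
    last_call.flags       = flags;
    last_call.pglob       = pglob;
    last_call.reason      = check_pattern(pattern, pglob, len);
    last_call.rejected    = last_call.reason != NULL;

    if (last_call.rejected) {
        /* alert mechanism: report and stop before the vulnerable code runs */
        fprintf(stderr, "[alert] glob refused (%s): len=%zu flags=0x%x pglob=%p\n",
                last_call.reason, len, (unsigned)flags, (const void *)pglob);
        return GUARD_REJECTED;
    }
    return glob(pattern, flags, errfunc, pglob);
}

/* Demonstrations on constructed inputs; each returns the guard's result. */
int demo_tilde_pattern(void)
{
    glob_t g;
    return guarded_glob("~nobody/*.conf", 0, NULL, &g);
}

int demo_overlong_pattern(void)
{
    glob_t g;
    char *p = malloc(PATTERN_MAX + 16);
    memset(p, 'a', PATTERN_MAX + 15);
    p[PATTERN_MAX + 15] = '\0';
    int r = guarded_glob(p, 0, NULL, &g);
    free(p);
    return r;
}

/* A normal call passes through to the real glob(); GLOB_NOCHECK makes
 * the result deterministic (the pattern itself comes back once).     */
int demo_normal_pattern(void)
{
    glob_t g;
    int r = guarded_glob("constructed_no_such_file_*", GLOB_NOCHECK, NULL, &g);
    int count = (r == 0) ? (int)g.gl_pathc : -1;
    if (r == 0) globfree(&g);
    return count;   /* 1 when the call went through */
}

int main(void)
{
    printf("tilde:    %d\n", demo_tilde_pattern());
    printf("overlong: %d\n", demo_overlong_pattern());
    printf("normal:   %d match(es)\n", demo_normal_pattern());
    return 0;
}
```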

In step S19, the vulnerability defense method is applied to the target program. Likewise, the vulnerability defense method protects only against the target program's vulnerability, so the impact on the target program's functions is avoided or reduced while vulnerability protection is still achieved.

A further embodiment of step S19 takes the executable whitelist mechanism as an example: to prevent malicious programs from being executed after the vulnerability has been exploited, the whitelist mechanism restricts execution to whitelisted programs and intercepts all file access messages at the lowest level of the operating system in order to terminate all non-whitelisted file access, thereby protecting hosts at high risk.

In step S20, the executed process is recorded and the target program continues to be monitored to ensure that it is not affected by the vulnerability.

The present invention further provides a computer-readable medium for information security protection, applied in a computer having a processor and a memory, wherein the computer executes a target program and the computer-readable medium through the processor (for example a CPU, GPU, etc.) and the memory, and performs the information security protection method described above when executing the computer-readable medium. The computer may be a general desktop computer, a notebook computer, any of various mobile devices, and so on.

In summary, the information security protection method of the present invention formulates a vulnerability defense method and locates the vulnerability address based on the target program's vulnerability information provided by a database, then sets a breakpoint at the vulnerability address and monitors whether the target program triggers the vulnerability. Once the vulnerability is found to be triggered, the target program is interrupted, and after the degree of impact of the vulnerability has been determined, the vulnerability patching mechanism and the vulnerability defense method are applied as appropriate. Because neither the patching mechanism nor the defense method modifies the original program directly, the impact on the target program's functions is reduced or avoided, which fully solves the problems of the prior art. In addition, the method can trace low-level system information, set an alert mechanism at the vulnerability address, or add a process that optimizes the monitoring of the target program, so as to further perform behavioral analysis and security protection of the vulnerability.

The above embodiments merely illustrate the principles and effects of the present invention and are not intended to limit it. Anyone skilled in the art may modify and vary the above embodiments without departing from the spirit and scope of the present invention. The scope of protection of the present invention should therefore be as set out in the claims below.


Claims (8)

一種資訊安全防護方法,包括:搜尋一目標程式之漏洞資訊;依據該漏洞資訊制定漏洞防禦方式;定位該目標程式之漏洞位址,係包括:依據該漏洞資訊,追蹤該目標程式之系統底層資訊以取得該漏洞的相關資料;及依據該相關資料定位該漏洞位址;依據該漏洞位址設置中斷點;優化監控該目標程式之程序;執行並監控該目標程式是否觸發漏洞,若否,則記錄已執行之過程並持續監控該目標程式,若是,則依據該中斷點之位址中斷該目標程式;以及判斷該目標程式之漏洞是否有對應的該漏洞防禦方式,若否,則對該目標程式執行版本更新,若是,則對該目標程式執行漏洞修補機制,對該目標程式執行該漏洞防禦方式,並記錄已執行之過程並持續監控該目標程式。 An information security protection method includes: searching for vulnerability information of a target program; formulating a vulnerability defense method based on the vulnerability information; locating the vulnerability address of the target program, including: tracking the underlying system information of the target program based on the vulnerability information To obtain the relevant data of the vulnerability; and locate the vulnerability address based on the relevant data; set a break point based on the vulnerability address; optimize the process of monitoring the target program; execute and monitor whether the target program triggers the vulnerability, if not, then Record the executed process and continuously monitor the target program. If so, interrupt the target program according to the address of the interruption point; and determine whether the vulnerability of the target program has a corresponding defense method for the vulnerability, if not, then the target The program execution version is updated. If yes, execute the vulnerability repair mechanism for the target program, execute the vulnerability defense method for the target program, record the executed process and continuously monitor the target program. 如申請專利範圍第1項所述的資訊安全防護方法,其中,該依據該漏洞資訊制定漏洞防禦方式的步驟復包括:將該漏洞進行分類;以及依據該漏洞的類別制定對應的漏洞防禦方式。 For example, in the information security protection method described in item 1 of the scope of patent application, the steps of formulating a vulnerability defense method based on the vulnerability information include: classifying the vulnerability; and formulating a corresponding vulnerability defense method according to the category of the vulnerability. 
The information security protection method as described in claim 1, wherein the system low-level information comprises Symbol Table information or DWARF information.

The information security protection method as described in claim 1, wherein the data related to the vulnerability comprises an inode value and an offset value.

An information security protection method, comprising: searching for vulnerability information of a target program; formulating a vulnerability defense method based on the vulnerability information; locating the vulnerability address of the target program; setting an interruption point based on the vulnerability address; optimizing the procedure for monitoring the target program; executing the target program and monitoring whether it triggers the vulnerability, and if not, recording the executed process and continuing to monitor the target program, or if so, interrupting the target program at the address of the interruption point; and determining whether the vulnerability of the target program has a corresponding vulnerability defense method, and if not, performing a version update on the target program, or if so, performing a vulnerability repair mechanism on the target program, executing the vulnerability defense method on the target program, and recording the executed process and continuing to monitor the target program; wherein the step of setting the interruption point based on the vulnerability address further comprises: registering a checkpoint at an address preceding execution of the function of the target program that contains the vulnerability; inserting a breakpoint instruction at the checkpoint; and setting an alert mechanism at the checkpoint.

An information security protection method, comprising: searching for vulnerability information of a target program; formulating a vulnerability defense method based on the vulnerability information; locating the vulnerability address of the target program; setting an interruption point based on the vulnerability address; optimizing the procedure for monitoring the target program; executing the target program and monitoring whether it triggers the vulnerability, and if not, recording the executed process and continuing to monitor the target program, or if so, interrupting the target program at the address of the interruption point; and determining whether the vulnerability of the target program has a corresponding vulnerability defense method, and if not, performing a version update on the target program, or if so, performing a vulnerability repair mechanism on the target program, executing the vulnerability defense method on the target program, and recording the executed process and continuing to monitor the target program; wherein the step of optimizing the procedure for monitoring the target program further comprises: filtering out the functions of the target program that do not contain the vulnerability; and recording the execution state of the function of the target program that contains the vulnerability.

An information security protection method, comprising: searching for vulnerability information of a target program; formulating a vulnerability defense method based on the vulnerability information; locating the vulnerability address of the target program; setting an interruption point based on the vulnerability address; optimizing the procedure for monitoring the target program; executing the target program and monitoring whether it triggers the vulnerability, and if not, recording the executed process and continuing to monitor the target program, or if so, interrupting the target program at the address of the interruption point; and determining whether the vulnerability of the target program has a corresponding vulnerability defense method, and if not, performing a version update on the target program, or if so, performing a vulnerability repair mechanism on the target program, executing the vulnerability defense method on the target program, and recording the executed process and continuing to monitor the target program; wherein the step of performing the vulnerability repair mechanism on the target program further comprises: implanting a protection program at the vulnerability address, the protection program being used to exclude the abnormal data of the vulnerability or to interrupt execution of the vulnerability.

A computer-readable medium for information security protection, applied in a computer having a processor and a memory, the computer executing a target program and the computer-readable medium through the processor and the memory, and performing, when executing the computer-readable medium, the information security protection method as described in any one of claims 1 to 7.
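The checkpoint mechanism claimed above (a checkpoint registered before the function containing the vulnerability, functions without the vulnerability filtered out of monitoring, an alert raised and abnormal data excluded by interrupting execution), as an added illustrative example that is not code from the patent or its assignee. It stands in for the native breakpoint instruction with Python's sys.settrace call hook; the target program (copy_record, process), the buffer size BUF_SIZE and the argument check used as the defense method are all constructed for the example.

```python
import sys
from dataclasses import dataclass, field
from typing import Callable

BUF_SIZE = 16  # constructed: capacity of the target program's fixed-size buffer

class VulnerabilityTriggered(RuntimeError):
    pass  # raised by the checkpoint when abnormal data reaches the vulnerable function

@dataclass
class VulnerabilityInfo:
    function: str                        # symbol name of the function containing the vulnerability
    is_abnormal: Callable[[dict], bool]  # the vulnerability defense method: a check on the arguments

@dataclass
class Monitor:
    vuln: VulnerabilityInfo
    log: list = field(default_factory=list)     # executed process: calls that passed the checkpoint
    alerts: list = field(default_factory=list)  # alert mechanism: calls interrupted at the checkpoint

    def _checkpoint(self, frame, event, arg):
        if event != "call":          # the checkpoint sits before the function body runs
            return None
        name = frame.f_code.co_name
        if name != self.vuln.function:
            return None              # filter: functions without the vulnerability are not traced
        args = dict(frame.f_locals)  # at "call" only the arguments are bound
        if self.vuln.is_abnormal(args):
            self.alerts.append((name, args))
            raise VulnerabilityTriggered(f"{name} called with abnormal data: {args}")
        self.log.append((name, args))

    def run(self, target: Callable, *args):
        sys.settrace(self._checkpoint)  # stands in for the inserted breakpoint instruction
        try:
            return target(*args)
        finally:
            sys.settrace(None)

# Constructed target program: copy_record is the function containing the vulnerability.
def copy_record(data: bytes, size: int) -> bytes:
    buf = bytearray(BUF_SIZE)
    buf[:size] = data[:size]  # unchecked size: the bytearray silently grows past BUF_SIZE
    return bytes(buf)

def process(data: bytes, size: int) -> bytes:  # contains no vulnerability; filtered out
    return copy_record(data, size)

COPY_RECORD_VULN = VulnerabilityInfo("copy_record",
    lambda a: a["size"] > BUF_SIZE or a["size"] > len(a["data"]))
```

A normal call passes the checkpoint and is recorded in `log`; a call whose size exceeds the buffer is recorded in `alerts` and interrupted before copy_record's body runs.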

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW109100064A TWI728637B (en) 2020-01-02 2020-01-02 Information security protection method and computer-readable medium

Publications (2)

Publication Number Publication Date
TWI728637B true TWI728637B (en) 2021-05-21
TW202127287A TW202127287A (en) 2021-07-16

Family

ID=77036700

Country Status (1)

Country Link
TW (1) TWI728637B (en)
