WO2017166448A1 - Kernel vulnerability repair method and device - Google Patents

Kernel vulnerability repair method and device

Info

Publication number
WO2017166448A1
Authority
WO
WIPO (PCT)
Prior art keywords
kernel
preset
storage space
repaired
instruction
Application number
PCT/CN2016/086412
Other languages
French (fr)
Chinese (zh)
Inventor
卢永强
夏良钊
郑龙日
包沉浮
张煜龙
韦韬
Original Assignee
百度在线网络技术(北京)有限公司
Application filed by 百度在线网络技术(北京)有限公司
Publication of WO2017166448A1

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577: Assessing vulnerabilities and evaluating computer system security

Definitions

  • The present application relates to the field of computers, in particular to operating systems, and more specifically to a kernel vulnerability repair method and apparatus.
  • The security of the kernel is a top priority in security protection. Therefore, when a vulnerability is found in the kernel, it needs to be repaired promptly.
  • The commonly used vulnerability repair method is: for one version of the kernel, write vulnerability repair code specific to that version; the repair code looks up the address, in the kernel, of the kernel function that needs to be repaired, and then replaces the problematic kernel function with the repaired kernel function.
  • The present application provides a kernel vulnerability repair method and apparatus to solve the technical problems described in the background above.
  • The present application provides a kernel vulnerability repair method, the method comprising: determining the memory address, in the kernel to be repaired, of the kernel function or variable indicated by a kernel symbol in a preset vulnerability repair instruction to be loaded into memory, the vulnerability repair instruction being generated by compiling preset vulnerability repair code; configuring, based on the memory address, the address of the kernel symbol required by the preset vulnerability repair instruction to call the kernel function or variable; determining the storage space in the kernel to be repaired for loading the preset vulnerability repair instruction after the address of the kernel symbol has been configured; and loading the preset vulnerability repair instruction into the storage space to repair the vulnerability in the kernel to be repaired.
  • The present application provides a kernel vulnerability repair apparatus, the apparatus comprising: an address determining unit configured to determine the memory address, in the kernel to be repaired, of the kernel function or variable indicated by a kernel symbol in a preset vulnerability repair instruction to be loaded into memory, the preset vulnerability repair instruction being generated by compiling preset vulnerability repair code; a setting unit configured to configure, based on the memory address, the address of the kernel symbol required by the preset vulnerability repair instruction to call the kernel function or variable; a space determining unit configured to determine the storage space in the kernel to be repaired for loading the preset vulnerability repair instruction after the address of the kernel symbol has been configured; and a loading unit configured to load the preset vulnerability repair instruction into the storage space to repair the vulnerability in the kernel to be repaired.
  • The kernel vulnerability repair method and apparatus provided by the present application determine the memory address, in the kernel to be repaired, of the kernel function or variable indicated by the kernel symbol in the preset vulnerability repair instruction; configure, based on that address, the address of the kernel symbol required by the vulnerability repair instruction to call the kernel function or variable; determine the storage space in the kernel to be repaired for loading the preset vulnerability repair instruction; and load the preset vulnerability repair instruction into that storage space. Because the kernel symbol address required by the vulnerability repair instruction is configured from the memory address determined for the problematic kernel function or variable, the vulnerability repair instruction, when loaded into different versions of the kernel, can jump accurately to the kernel function corresponding to the kernel symbol or access the variable corresponding to the kernel symbol. The vulnerability repair instruction is therefore suitable for loading into various versions of the kernel, and the repair of the vulnerability in the kernel is completed.
  • FIG. 1 is an exemplary system architecture diagram to which the present application can be applied;
  • FIG. 2 is a flow chart of one embodiment of a kernel vulnerability repair method according to the present application.
  • FIG. 3 shows a flow chart of another embodiment of a kernel vulnerability repair method in accordance with the present application.
  • FIG. 4 is a block diagram showing the structure of an embodiment of a kernel vulnerability repairing apparatus according to the present application.
  • FIG. 5 is a schematic structural diagram of a computer system suitable for implementing a terminal device or a server of an embodiment of the present application.
  • FIG. 1 illustrates an exemplary system architecture 100 of an embodiment of a kernel vulnerability repair method or apparatus to which the present application may be applied.
  • system architecture 100 can include terminal devices 101, 102, 103, network 104, and server 105.
  • the network 104 is used to provide a medium for the transmission link between the terminal devices 101, 102, 103 and the server 105.
  • Network 104 may include various types of connections, such as wired, wireless transmission links, or fiber optic cables, to name a few.
  • the user can interact with the server 105 over the network 104 using the terminal devices 101, 102, 103 to receive or transmit messages and the like.
  • Various communication applications such as an instant messaging application, a browser application, a search application, a word processing application, and the like, may be installed on the terminal devices 101, 102, and 103.
  • The terminal devices 101, 102, 103 may be various electronic devices having a display screen and supporting network communication, including but not limited to smart phones, tablets, e-book readers, MP3 (Moving Picture Experts Group Audio Layer III) players, MP4 (Moving Picture Experts Group Audio Layer IV) players, laptops, desktop computers, and the like.
  • The server 105 can store vulnerability repair code for a plurality of different processor architectures and different versions of the kernel, and can send the vulnerability repair code applicable to the processor architecture and kernel of the terminal back to the terminal device.
  • The numbers of terminal devices, networks, and servers in FIG. 1 are merely illustrative. Depending on implementation needs, there can be any number of terminal devices, networks, and servers.
  • FIG. 2 illustrates a flow 200 of one embodiment of a kernel vulnerability repair method in accordance with the present application.
  • The kernel vulnerability repair method provided by the embodiment of the present application is generally performed by the terminal devices 101, 102, and 103 in FIG. 1. The method includes the following steps:
  • Step 201 Determine the memory address, in the kernel to be repaired, of the kernel function or variable indicated by a kernel symbol in a preset vulnerability repair instruction to be loaded into memory.
  • the preset vulnerability repairing instruction is generated based on compiling the preset vulnerability repairing code.
  • the vulnerability repair code for repairing the kernel vulnerability may be preset.
  • the bug fix code can include custom functions and variables for fixing the kernel.
  • the bug fix code can also contain the kernel functions and variables in the kernel that need to be called during the bug fix process. You can use the bug fix code to fix the kernel's instructions and data and complete the kernel bug fix. You can also replace the problematic function with the repaired function by modifying the system call table or function code.
  • The kernel symbol table of the kernel may be obtained first; then, according to the names of the kernel symbols defined in the kernel symbol table and the memory addresses of the corresponding kernel functions or variables in the kernel, the memory address of the kernel function or variable indicated by the kernel symbol in the vulnerability repair instruction may be determined.
  • The kernel includes a kernel symbol table recording the kernel functions and variables that the kernel makes available for external reference.
  • Taking the Linux kernel as an example, the kernel symbol table records the identifiers of Linux kernel functions and variables together with their addresses in the kernel. The Linux kernel symbol table can be found through the proc file system of the Linux kernel, and from it the memory address, in the kernel to be repaired, of the kernel function or variable indicated by the kernel symbol in the vulnerability repair instruction can be found.
  • Before determining the memory address, in the kernel to be repaired, of the kernel function or variable indicated by the kernel symbol in the preset vulnerability repair instruction to be loaded into memory, the method may further include: obtaining attribute information of the kernel to be repaired and the memory addresses of kernel functions or variables in the kernel to be repaired, the attribute information including the architecture of the processor on which the kernel to be repaired runs and the kernel version; and storing the attribute information in correspondence with the memory addresses.
  • The attribute information of the target kernel can be obtained through the proc file system.
  • The attribute information may include, but is not limited to, the architecture of the processor on which the kernel is running and the Linux kernel version.
  • The addresses in the kernel of the kernel functions and variables corresponding to kernel symbols may be acquired in advance for kernels of different processor architectures and different kernel versions.
  • The memory address of a kernel function or variable in the kernel can be obtained through the proc file system of the kernel.
  • The processor architecture identifier, the kernel version identifier, and the memory addresses of the kernel functions or variables in the kernel are stored in correspondence. Therefore, when the memory address, in the kernel to be repaired, of the kernel function or variable indicated by the kernel symbol in the vulnerability repair instruction is required, the processor architecture and version of the kernel to be repaired are determined, and the memory address acquired in advance for that processor architecture and kernel version is looked up.
  • Step 202 Configure, based on the memory address, an address of a kernel symbol required by a preset vulnerability repair instruction to call a kernel function or a variable.
  • Based on the memory address, the address of the kernel symbol required by the preset vulnerability repair instruction to call the kernel function or access the variable may be configured.
  • The vulnerability repair instruction can contain kernel symbols, which are symbols corresponding to functions or variables. When the instruction contains a kernel symbol, it indicates that the instruction calls the kernel function corresponding to the kernel symbol or accesses the variable in the kernel corresponding to the kernel symbol.
  • The process of configuring, based on the memory address, the address of the kernel symbol required by the preset vulnerability repair instruction to call the kernel function or variable is described below.
  • A kernel symbol is included in the vulnerability repair instruction.
  • The function of the instruction is to call the kernel function corresponding to the kernel symbol or to access the variable in the kernel corresponding to the kernel symbol.
  • In different versions of the kernel, the kernel functions or variables indicated by kernel symbols have different memory addresses. Therefore, when the vulnerability repair instruction is loaded into a kernel, the memory address in that kernel of the kernel function or variable corresponding to the kernel symbol contained in the instruction must be determined. Then, based on that memory address, the address of the kernel symbol required by the preset vulnerability repair instruction to call the kernel function or variable is configured. For example, a part of the storage space of the preset vulnerability repair instruction is reserved for storing the address of the kernel symbol required when the instruction calls the kernel function or variable, and writing the memory address there completes the configuration of the required kernel symbol address in the preset vulnerability repair instruction. When the vulnerability repair instruction is executed, it can then jump correctly to the address of the kernel function or variable corresponding to the kernel symbol, thereby calling the function or accessing the variable.
  • For example, the vulnerability repair instruction is an instruction that calls kernel function A, and the kernel symbol it contains is the one corresponding to kernel function A.
  • Before the vulnerability repair instruction is loaded into the kernel, the memory address of kernel function A in the kernel into which the instruction is to be loaded is determined. Then, using that memory address, the address of the kernel symbol required by the preset vulnerability repair instruction to call the kernel function is configured.
  • When the vulnerability repair instruction is executed, it can jump correctly to the memory address of kernel function A in the kernel and call kernel function A.
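Steps 201 and 202 (symbol resolution and configuration of the kernel symbol address in the repair instruction), as an added example that is not part of the patent and not Baidu's code. It runs entirely in user space over constructed data: a fabricated /proc/kallsyms excerpt, a fabricated /proc/version line, a fabricated table of addresses recorded per (architecture, release) in the sense of the attribute information described above, and a 32-byte stand-in for the compiled repair instruction whose address slots start out as 0xFF placeholders. The slot layout, the placeholder value and every function name are assumptions. Zero addresses are dropped because that is what an unprivileged read of /proc/kallsyms returns under kptr_restrict, and a zero must never end up in a call slot.

```python
"""Added example (not part of the patent): steps 201 and 202 carried out in user space
over constructed data. Kernel symbols are resolved from a kallsyms-style table, with
a fallback to addresses recorded per (architecture, release), and then written into
the address slots of a stand-in repair instruction image."""
import re
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed excerpt in /proc/kallsyms layout: "<hex address> <type> <name> [module]".
KALLSYMS_SAMPLE = """\
ffffffff81000000 T _text
ffffffff810a2c40 T printk
ffffffff812f1a60 T kernel_function_a
ffffffff81a00280 R sys_call_table
ffffffff81e4f0c0 D jiffies
0000000000000000 t hidden_by_kptr_restrict
"""

# Constructed /proc/version-style line; the release field identifies the kernel version.
VERSION_SAMPLE = ("Linux version 4.4.0-generic (builder@host) (gcc version 5.4.0) "
                  "#1 SMP Mon Jan 1 00:00:00 UTC 2016")

# Constructed addresses recorded in advance per (architecture, release): the attribute
# information stored in correspondence with memory addresses described in the text.
KNOWN_ADDRESSES: Dict[Tuple[str, str], Dict[str, int]] = {
    ("x86_64", "4.4.0-generic"): {"printk": 0xFFFFFFFF810A2C40,
                                  "kernel_function_a": 0xFFFFFFFF812F1A60},
    ("arm64", "3.18.0-generic"): {"printk": 0xFFFFFFC000101230,
                                  "kernel_function_a": 0xFFFFFFC0002AA0F0},
}

KALLSYMS_LINE = re.compile(r"^([0-9a-fA-F]+)\s+([A-Za-z])\s+(\S+)(?:\s+\[(\S+)\])?$")
SLOT_SIZE = 8                       # one 64-bit address per kernel symbol slot
PLACEHOLDER = b"\xff" * SLOT_SIZE   # assumed content of a slot before configuration


def parse_kallsyms(text: str) -> Dict[str, int]:
    """Map symbol name -> address. Zero addresses are dropped: kptr_restrict shows them
    to unprivileged readers, and a zero must never be written into a call slot."""
    table: Dict[str, int] = {}
    for line in text.splitlines():
        m = KALLSYMS_LINE.match(line.strip())
        if not m:
            continue
        addr, _type, name, _module = m.groups()
        if int(addr, 16):
            table[name] = int(addr, 16)
    return table


def kernel_attributes(version_line: str, arch: str) -> Tuple[str, str]:
    """Attribute information: (processor architecture, kernel release). The release is
    taken from a /proc/version-style line; arch would come from uname -m on a real host."""
    m = re.match(r"Linux version (\S+)", version_line)
    if not m:
        raise ValueError("unrecognised kernel version line")
    return arch, m.group(1)


def symbol_table_for(attrs: Tuple[str, str], kallsyms_text: str) -> Dict[str, int]:
    """Prefer the live symbol table; fill gaps from the addresses recorded for this arch/release."""
    merged = dict(KNOWN_ADDRESSES.get(attrs, {}))
    merged.update(parse_kallsyms(kallsyms_text))
    return merged


@dataclass
class RepairInstruction:
    """Compiled repair instruction: its bytes plus the slots that need kernel symbol addresses."""
    image: bytes
    relocs: List[Tuple[int, str]]   # (byte offset of the slot, kernel symbol name)


def configure_symbol_addresses(instr: RepairInstruction, symtab: Dict[str, int]) -> bytes:
    """Step 202: write each required symbol's address into its slot. Produces no image at
    all if a symbol is unresolved or a slot is not in its unconfigured state."""
    image = bytearray(instr.image)
    for off, name in instr.relocs:
        if name not in symtab:
            raise LookupError(f"kernel symbol {name!r} cannot be resolved in this kernel")
        if image[off:off + SLOT_SIZE] != PLACEHOLDER:
            raise ValueError(f"slot at offset {off:#x} is not an unconfigured placeholder")
        image[off:off + SLOT_SIZE] = struct.pack("<Q", symtab[name])
    return bytes(image)


def configured_slots(image: bytes, relocs: List[Tuple[int, str]]) -> Dict[str, int]:
    """Read back what each slot holds, for checking the image before it is loaded."""
    return {name: struct.unpack("<Q", image[off:off + SLOT_SIZE])[0] for off, name in relocs}


def build_sample_instruction() -> RepairInstruction:
    """Constructed 32-byte image: opaque code bytes with two placeholder slots at 8 and 24."""
    image = b"\x90" * 8 + PLACEHOLDER + b"\x90" * 8 + PLACEHOLDER
    return RepairInstruction(image, [(8, "kernel_function_a"), (24, "printk")])


if __name__ == "__main__":
    attrs = kernel_attributes(VERSION_SAMPLE, "x86_64")
    instr = build_sample_instruction()
    image = configure_symbol_addresses(instr, symbol_table_for(attrs, KALLSYMS_SAMPLE))
    for name, addr in configured_slots(image, instr.relocs).items():
        print(f"{name:20s} -> {addr:#018x}")
```

The point of refusing to produce an image on an unresolved symbol is the failure mode the text's version-independence depends on: an instruction loaded with a placeholder still in a slot would jump to an unmapped address rather than to the kernel function the symbol names, so the check belongs before loading, and `configured_slots` gives a reviewable record of what each slot will hold.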
  • Step 203 Determine the storage space in the kernel to be repaired for loading the preset vulnerability repair instruction after the address of the required kernel symbol has been configured.
  • After the address of the kernel symbol has been configured, the storage space in the kernel to be repaired for loading the preset vulnerability repair instruction can be determined.
  • Storage space for loading vulnerability repair instructions can be preset for different versions of the kernel.
  • Step 204 Load a preset vulnerability repair instruction in the storage space.
  • The preset vulnerability repair instruction may be loaded into the storage space to repair the vulnerability in the kernel to be repaired.
  • Loading the preset vulnerability repair instruction into the storage space to repair the vulnerability in the kernel to be repaired includes: obtaining the memory address of the kernel function to be repaired in the kernel to be repaired; and replacing that memory address in the system call table of the kernel to be repaired with a preset memory address.
  • The preset vulnerability repair instruction loaded into the kernel may repair the vulnerability in the following manner: for example, to repair a problematic kernel function in the kernel to be repaired, the kernel symbol table is obtained through the proc file system of the Linux kernel; the memory address of the problematic kernel function is found in the kernel symbol table; and after that memory address has been found, the memory address of the kernel function in the system call table of the kernel to be repaired is replaced with the preset memory address.
  • Loading the preset vulnerability repair instruction into the storage space to repair the vulnerability in the kernel to be repaired may also include: obtaining the storage space corresponding to the kernel function to be repaired in the kernel to be repaired; and copying the repaired kernel function into that storage space.
  • The preset vulnerability repair instruction loaded into the kernel may also repair the vulnerability in the following manner: for example, to repair a problematic kernel function in the kernel to be repaired, the kernel symbol table is obtained through the proc file system of the Linux kernel; the storage space of the problematic kernel function is found in the kernel symbol table; and the repaired kernel function is copied into that storage space.
  • The storage space of the kernel function in the kernel then holds the repaired kernel function, which completes the repair of the problematic function in the kernel to be repaired.
  • FIG. 3 illustrates another embodiment of the kernel vulnerability repair method according to the present application.
  • Step 301 Determine the memory address, in the kernel to be repaired, of the kernel function or variable indicated by a kernel symbol in a preset vulnerability repair instruction to be loaded into memory.
  • Step 302 Configure, based on the memory address, an address of a kernel symbol required by a preset vulnerability repair instruction to call a kernel function or a variable.
  • Step 303 The selected storage space or the allocated storage space is used as a storage space for loading a preset vulnerability repair instruction.
  • The storage space for loading the preset vulnerability repair instruction in the kernel to be repaired may be determined by using a preset storage space in the kernel to be repaired as the storage space for loading the preset vulnerability repair instruction after the address of the kernel symbol has been configured.
  • The preset storage space may be a storage space having executable permission.
  • The storage space for loading the preset vulnerability repair instruction in the kernel to be repaired may also be determined by using the storage space corresponding to a preset kernel function in the kernel to be repaired as the storage space for loading the preset vulnerability repair instruction.
  • The storage space for loading the preset vulnerability repair instruction in the kernel to be repaired may also be determined in the following manner: a preset storage space allocation instruction is loaded into the storage space corresponding to a preset kernel function in the kernel to be repaired, and a storage space of a preset size is generated; the generated storage space is used as the storage space for loading the preset vulnerability repair instruction.
  • For example, code having a memory allocation function can be obtained by modifying the code of a kernel function such as the uname function. Compiling that code produces a memory allocation instruction. After the memory allocation instruction is loaded, it returns a piece of storage space allocated in the Linux kernel, and the preset vulnerability repair instruction can be loaded into that storage space.
  • Step 304 Load a preset vulnerability repair instruction in the storage space.
  • The preset vulnerability repair instruction may be loaded into the storage space to repair the vulnerability in the kernel to be repaired.
  • That is, the preset vulnerability repair instruction is loaded into the storage space selected or allocated in step 303. The solution described in this embodiment can further select the storage space for loading the vulnerability repair instruction for different versions of the kernel, and load the vulnerability repair instruction into that storage space.
  • In this way, the vulnerability repair instruction can be located in different versions of the kernel, so that other kernel programs can communicate with the vulnerability repair code during the repair process, for example by passing parameters, which further enhances the applicability of the vulnerability repair instruction to different versions of the kernel.
  • Taking the loading of the vulnerability repair instruction into one version of the kernel as an example to illustrate the kernel vulnerability repair method of the present application: the vulnerability repair code is generated first.
  • The vulnerability repair code contains code for modifying the problematic kernel function A into the repaired kernel function A1, and kernel function B is called in the repair.
  • After compiling, the resulting vulnerability repair instruction includes an instruction for calling kernel function B and an instruction for modifying kernel function A into the repaired kernel function A1.
  • The vulnerability repair instruction can then be loaded into the selected storage space in the kernel.
  • Kernel function B can be called by jumping correctly to the address of kernel function B in this version of the kernel.
  • The code of the repaired kernel function A1 can be copied into the memory space of kernel function A in the kernel, thereby repairing the problematic kernel function A.
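Steps 203/204 and 303/304, together with the kernel function A / A1 / B example just above, as an added example that is not part of the patent and not Baidu's code. It models the kernel to be repaired as a bytearray with constructed addresses, sizes, a constructed system call number, and 0xCC filler standing in for code; no real kernel memory is touched. Storage is chosen in the order the text lists (preset executable space first, otherwise a fresh allocation standing in for the allocation instruction), both repair modes are applied (system call table redirection and copying the repaired function over the problem function's own storage), every overwritten byte range is recorded so the patch can be verified and undone, and in-place replacement is refused when the repaired function is larger than the original, the edge case that mode has to handle. All names and the layout are assumptions.

```python
"""Added example (not part of the patent): storage selection and the two repair modes
of steps 203/204 and 303/304 on a simulated kernel image. All addresses, sizes and
bytes are constructed; nothing here touches a real kernel."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PTR = 8                        # pointer size of the simulated 64-bit kernel
BASE = 0xFFFFFFFF81000000      # constructed load address of the simulated image
SYSCALL_NR = 1                 # constructed system call number dispatched to kernel_function_a


@dataclass
class SimKernel:
    mem: bytearray
    symbols: Dict[str, Tuple[int, int]]           # name -> (address, size)
    syscall_table: int                            # address of sys_call_table inside mem
    reserved: Optional[Tuple[int, int]] = None    # preset executable space (address, size)
    reserved_used: bool = False
    undo: List[Tuple[int, bytes]] = field(default_factory=list)  # (address, original bytes)

    def off(self, addr: int) -> int:
        if not BASE <= addr < BASE + len(self.mem):
            raise ValueError(f"address {addr:#x} is outside the simulated image")
        return addr - BASE

    def read(self, addr: int, n: int) -> bytes:
        return bytes(self.mem[self.off(addr):self.off(addr) + n])

    def write(self, addr: int, data: bytes) -> None:
        """Every write records the bytes it overwrites so the patch can be undone."""
        self.undo.append((addr, self.read(addr, len(data))))
        self.mem[self.off(addr):self.off(addr) + len(data)] = data


def build_sim_kernel() -> SimKernel:
    """Constructed layout, back to back from BASE: a 4-entry system call table,
    kernel_function_a (32 bytes), kernel_function_b (48 bytes), 64 bytes of preset
    executable space. 0xCC filler stands in for real code."""
    layout = [("sys_call_table", 4 * PTR), ("kernel_function_a", 32),
              ("kernel_function_b", 48), ("repair_reserved", 64)]
    mem, symbols, addr = bytearray(), {}, BASE
    for name, size in layout:
        symbols[name] = (addr, size)
        mem += b"\xCC" * size
        addr += size
    table = struct.pack("<QQQQ", 0, symbols["kernel_function_a"][0], 0, 0)
    mem[0:len(table)] = table
    return SimKernel(mem, symbols, symbols["sys_call_table"][0], reserved=symbols["repair_reserved"])


def choose_storage(k: SimKernel, needed: int) -> Tuple[int, str]:
    """Step 303: use the preset executable space if it is free and large enough,
    otherwise allocate new space (growing the image stands in for the allocation
    instruction the text loads through a preset kernel function). The third option,
    the problem function's own storage, is what repair_in_place uses."""
    if k.reserved and not k.reserved_used and k.reserved[1] >= needed:
        k.reserved_used = True
        return k.reserved[0], "preset"
    addr = BASE + len(k.mem)
    k.mem += bytes(needed)
    k.symbols[f"alloc_{addr:x}"] = (addr, needed)
    return addr, "allocated"


def syscall_target(k: SimKernel, nr: int) -> int:
    """Read the address the system call table currently dispatches nr to."""
    return struct.unpack("<Q", k.read(k.syscall_table + nr * PTR, PTR))[0]


def repair_via_syscall_table(k: SimKernel, nr: int, repaired_code: bytes) -> int:
    """Step 204, first mode: load the repaired function into chosen storage and
    replace the table entry's memory address with the new one. Returns the new address."""
    addr, _mode = choose_storage(k, len(repaired_code))
    k.write(addr, repaired_code)
    k.write(k.syscall_table + nr * PTR, struct.pack("<Q", addr))
    return addr


def repair_in_place(k: SimKernel, func: str, repaired_code: bytes) -> int:
    """Step 204, second mode: copy the repaired function over the problem function's
    own storage. Refused when it does not fit, since it would overrun the next symbol."""
    addr, size = k.symbols[func]
    if len(repaired_code) > size:
        raise ValueError(f"repaired {func} needs {len(repaired_code)} bytes, only {size} in place")
    k.write(addr, repaired_code)
    return addr


def rollback(k: SimKernel) -> None:
    """Restore every overwritten byte range in reverse order."""
    while k.undo:
        addr, original = k.undo.pop()
        k.mem[k.off(addr):k.off(addr) + len(original)] = original


if __name__ == "__main__":
    k = build_sim_kernel()
    a1 = bytes(range(24))        # constructed stand-in for the repaired kernel_function_a1
    print(f"A1 copied in place at {repair_in_place(k, 'kernel_function_a', a1):#x}")
    big = bytes(40)              # too large for A's 32 bytes: goes to preset space via the table
    print(f"syscall {SYSCALL_NR} now -> {repair_via_syscall_table(k, SYSCALL_NR, big):#x}")
```

The size check in `repair_in_place` is why the text offers the system call table mode alongside the copy mode: a repaired function that has grown cannot be copied over the original without clobbering whatever follows it, so it has to live in preset or allocated executable space and be reached through the table entry instead. Keeping the undo log also gives a defender a direct way to verify after loading that the table entry and the function bytes hold exactly what the repair was meant to put there.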
  • In the commonly used method, the vulnerability repair code needs to find the address, in the kernel, of the kernel function that needs to be repaired and then replace the problematic kernel function with the repaired one. Because kernel functions have different addresses in different versions of the kernel, code that replaces a kernel function in one version of the kernel cannot be applied to another version, so the vulnerability repair code must be written for each kernel version, which increases development cost.
  • In the present application, the vulnerability repair code includes code to replace the problematic function with the repaired kernel function, and the vulnerability repair instruction is generated from it.
  • The memory address, in the kernel to be repaired, of the kernel function indicated by the kernel symbol in the vulnerability repair instruction that repairs the kernel function can be determined, and that memory address is used to configure the address of the kernel symbol required by the vulnerability repair instruction to call the kernel function.
  • When the vulnerability repair instruction is loaded into different versions of the kernel, it can jump accurately to the kernel function corresponding to the kernel symbol or access the variable corresponding to the kernel symbol.
  • The vulnerability repair instruction is therefore applicable to loading into various versions of the kernel, and the repair of the problematic kernel function in the kernel, that is, the repair of the vulnerability in the kernel, is completed.
  • The kernel vulnerability repair apparatus 400 includes an address determining unit 401, a setting unit 402, a space determining unit 403, and a loading unit 404.
  • The address determining unit 401 is configured to determine the memory address, in the kernel to be repaired, of the kernel function or variable indicated by a kernel symbol in a preset vulnerability repair instruction to be loaded into memory, the preset vulnerability repair instruction being generated by compiling preset vulnerability repair code; the setting unit 402 is configured to configure, based on the memory address, the address of the kernel symbol required by the preset vulnerability repair instruction to call the kernel function or variable; the space determining unit 403 is configured to determine the storage space in the kernel to be repaired for loading the preset vulnerability repair instruction after the address of the kernel symbol has been configured; and the loading unit 404 is configured to load the preset vulnerability repair instruction into the storage space to repair the vulnerability in the kernel to be repaired.
  • The space determining unit 403 includes: a first storage space configuration subunit (not shown) configured to use a preset storage space in the kernel to be repaired as the storage space for loading the preset vulnerability repair instruction after the address of the kernel symbol has been configured.
  • The space determining unit 403 includes: a second storage space configuration subunit (not shown) configured to use the storage space corresponding to a preset kernel function in the kernel to be repaired as the storage space for loading the preset vulnerability repair instruction after the address of the kernel symbol has been configured.
  • The space determining unit 403 includes: a storage space allocation subunit (not shown) configured to load a preset storage space allocation instruction into the storage space corresponding to a preset kernel function in the kernel to be repaired and generate a storage space of a preset size; and a third storage space configuration subunit (not shown) configured to use the generated storage space as the storage space for loading the preset vulnerability repair instruction after the address of the kernel symbol has been configured.
  • The loading unit 404 includes: a memory address obtaining subunit (not shown) configured to obtain the memory address of the kernel function to be repaired in the kernel to be repaired; and a subunit (not shown) configured to replace that memory address in the system call table of the kernel to be repaired with the preset memory address.
  • The loading unit 404 includes: a storage space obtaining subunit (not shown) configured to obtain the storage space corresponding to the kernel function to be repaired in the kernel to be repaired; and a subunit (not shown) configured to copy the repaired kernel function into that storage space.
  • The apparatus 400 further includes: an information acquiring unit (not shown) configured to acquire attribute information of the kernel to be repaired and the memory addresses of kernel functions or variables in the kernel to be repaired, the attribute information including the architecture of the processor on which the kernel to be repaired runs and the kernel version; and a storage unit (not shown) configured to store the attribute information in correspondence with the memory addresses.
  • FIG. 5 is a block diagram showing the structure of a computer system suitable for implementing the terminal device or server of the embodiment of the present application.
  • The computer system 500 includes a central processing unit (CPU) 501 that can perform various appropriate actions and processes according to a program stored in read only memory (ROM) 502 or a program loaded from the storage portion 508 into random access memory (RAM) 503.
  • In the RAM 503, various programs and data required for the operation of the system 500 are also stored.
  • the CPU 501, the ROM 502, and the RAM 503 are connected to each other through a bus 504.
  • An input/output (I/O) interface 505 is also coupled to bus 504.
  • The following components are connected to the I/O interface 505: an input portion 506 including a keyboard, a mouse, and the like; an output portion 507 including, for example, a cathode ray tube (CRT) or a liquid crystal display (LCD); a storage portion 508 including a hard disk or the like; and a communication portion 509 including a network interface card such as a LAN card or a modem. The communication portion 509 performs communication processing via a network such as the Internet.
  • A drive 510 is also coupled to the I/O interface 505 as needed.
  • a removable medium 511 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory or the like is mounted on the drive 510 as needed so that a computer program read therefrom is installed into the storage portion 508 as needed.
  • an embodiment of the present disclosure includes a computer program product comprising a computer program tangibly embodied on a machine readable medium, the computer program comprising program code for executing the method illustrated in the flowchart.
  • the computer program can be downloaded and installed from the network via the communication portion 509, and/or installed from the removable medium 511.
  • Each block of the flowchart or block diagrams can represent a module, a program segment, or a portion of code that includes one or more executable instructions for implementing the specified logical function.
  • It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur in a different order from that illustrated in the drawings. For example, two successively represented blocks may in fact be executed substantially in parallel, or sometimes in the reverse order, depending upon the functionality involved.
  • each block of the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts can be implemented in a dedicated hardware-based system that performs the specified function or operation. Or it can be implemented by a combination of dedicated hardware and computer instructions.
  • The present application further provides a non-volatile computer storage medium, which may be the non-volatile computer storage medium included in the apparatus described in the foregoing embodiments, or may be a non-volatile computer storage medium that exists alone and is not assembled into the terminal.
  • The non-volatile computer storage medium stores one or more programs which, when executed by a device, cause the device to: determine the memory address, in the kernel to be repaired, of the kernel function or variable indicated by a kernel symbol in a preset vulnerability repair instruction to be loaded into memory, the preset vulnerability repair instruction being generated by compiling preset vulnerability repair code; configure, based on the memory address, the address of the kernel symbol required by the preset vulnerability repair instruction to call the kernel function or variable; determine the storage space in the kernel to be repaired for loading the preset vulnerability repair instruction after the address of the kernel symbol has been configured; and load the preset vulnerability repair instruction into the storage space to repair the vulnerability in the kernel to be repaired.

Abstract

A kernel vulnerability repair method and device. A specific embodiment of the method comprises: determining the memory address, in the kernel to be repaired, of the kernel function or variable indicated by a kernel symbol in a preset vulnerability repair instruction to be loaded into memory (201); configuring, according to the memory address, the address of the kernel symbol required when the preset vulnerability repair instruction calls the kernel function or variable (202); determining the storage space used for loading the preset vulnerability repair instruction in the kernel to be repaired after the address of the kernel symbol it requires has been configured (203); and loading the preset vulnerability repair instruction into the storage space (204). In the method, the address of each kernel symbol required by the vulnerability repair instruction is configured according to the determined memory address of the faulty kernel function or variable, so that when the repair instruction is loaded into kernels of different versions it can accurately jump to the kernel function corresponding to the kernel symbol or access the variable corresponding to the kernel symbol. The repair instruction is therefore suitable for loading into kernels of various versions, and the kernel vulnerability is repaired.

Description

Kernel vulnerability repair method and device
Cross-reference to related applications
This application claims priority to Chinese Patent Application No. 201610191535.0, filed on March 30, 2016, the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of computers, in particular to the field of operating systems, and more particularly to a kernel vulnerability repair method and device.
Background
The kernel is the core of the operating system, so ensuring its security is the top priority of security protection, and a vulnerability found in the kernel has to be repaired promptly. The repair approach commonly used today is: for one version of the kernel, write repair code suited to that version; using the repair code requires finding the address, in that kernel, of the kernel function that needs repair, and then replacing the faulty kernel function with the repaired one.
However, with this approach, because the address of a kernel function differs from one kernel version to another, code that replaces a kernel function in one kernel version cannot be applied to another version. Repair code has to be configured for every kernel version, which increases development cost.
Summary of the invention
The present application provides a kernel vulnerability repair method and device to solve the technical problems described in the background section.
In a first aspect, the present application provides a kernel vulnerability repair method, which comprises: determining the memory address, in the kernel to be repaired, of the kernel function or variable indicated by a kernel symbol in a preset vulnerability repair instruction to be loaded into memory, the preset vulnerability repair instruction being generated by compiling preset vulnerability repair code; configuring, based on the memory address, the address of the kernel symbol required when the preset vulnerability repair instruction calls the kernel function or variable; determining the storage space in the kernel to be repaired for loading the preset vulnerability repair instruction after the address of the kernel symbol it requires has been configured; and loading the preset vulnerability repair instruction into the storage space to repair the vulnerability in the kernel to be repaired.
In a second aspect, the present application provides a kernel vulnerability repair device, which comprises: an address determining unit configured to determine the memory address, in the kernel to be repaired, of the kernel function or variable indicated by a kernel symbol in a preset vulnerability repair instruction to be loaded into memory, the preset vulnerability repair instruction being generated by compiling preset vulnerability repair code; a setting unit configured to configure, based on the memory address, the address of the kernel symbol required when the preset vulnerability repair instruction calls the kernel function or variable; a space determining unit configured to determine the storage space in the kernel to be repaired for loading the preset vulnerability repair instruction after the address of the kernel symbol it requires has been configured; and a loading unit configured to load the preset vulnerability repair instruction into the storage space to repair the vulnerability in the kernel to be repaired.
The kernel vulnerability repair method and device provided by the present application determine the memory address, in the kernel to be repaired, of the kernel function or variable indicated by a kernel symbol in the preset vulnerability repair instruction to be loaded into memory; configure, based on that memory address, the address of the kernel symbol required when the preset vulnerability repair instruction calls the kernel function or variable; determine the storage space in the kernel to be repaired for loading the preset vulnerability repair instruction; and load the preset vulnerability repair instruction into that storage space. The address of each kernel symbol required by the repair instruction is thus configured from the determined memory address of the faulty kernel function or variable, so that when the repair instruction is loaded into kernels of different versions it can always jump correctly to the kernel function corresponding to the symbol or access the variable corresponding to the symbol. The repair instruction is therefore suitable for loading into kernels of various versions, which completes the repair of the vulnerability in the kernel.
Brief description of the drawings
Other features, objects and advantages of the present application will become more apparent from reading the detailed description of non-limiting embodiments made with reference to the following drawings:
FIG. 1 is an exemplary system architecture diagram to which the present application can be applied;
FIG. 2 is a flowchart of one embodiment of the kernel vulnerability repair method according to the present application;
FIG. 3 is a flowchart of another embodiment of the kernel vulnerability repair method according to the present application;
FIG. 4 is a schematic structural diagram of one embodiment of the kernel vulnerability repair device according to the present application;
FIG. 5 is a schematic structural diagram of a computer system suitable for implementing the terminal device or server of the embodiments of the present application.
Detailed description
The present application is described in further detail below with reference to the drawings and embodiments. It will be understood that the specific embodiments described here serve only to explain the relevant invention and do not limit it. It should also be noted that, for ease of description, only the parts related to the relevant invention are shown in the drawings.
It should be noted that, where there is no conflict, the embodiments in the present application and the features in those embodiments can be combined with each other. The present application is described in detail below with reference to the drawings and in conjunction with the embodiments.
FIG. 1 shows an exemplary system architecture 100 in which embodiments of the kernel vulnerability repair method or device of the present application can be applied.
As shown in FIG. 1, the system architecture 100 can include terminal devices 101, 102, 103, a network 104 and a server 105. The network 104 is the medium that provides transmission links between the terminal devices 101, 102, 103 and the server 105. The network 104 can include various connection types, such as wired or wireless transmission links, fiber optic cables and so on.
A user can use the terminal devices 101, 102, 103 to interact with the server 105 over the network 104, for example to receive or send messages. Various communication applications can be installed on the terminal devices 101, 102, 103, such as instant messaging applications, browser applications, search applications and word processing applications.
The terminal devices 101, 102, 103 can be various electronic devices that have a display screen and support network communication, including but not limited to smartphones, tablet computers, e-book readers, MP3 players (Moving Picture Experts Group Audio Layer III), MP4 players (Moving Picture Experts Group Audio Layer IV), laptop computers, desktop computers and so on.
The server 105 can store vulnerability repair code for kernels of multiple processor architectures and multiple versions. On receiving a download request sent by a terminal device 101, 102, 103, it can send back to the terminal device the repair code applicable to the kernel running on that terminal's processor architecture.
It should be understood that the numbers of terminal devices, networks and servers in FIG. 1 are merely illustrative. There can be any number of terminal devices, networks and servers, as the implementation requires.
Refer to FIG. 2, which shows a flow 200 of one embodiment of the kernel vulnerability repair method according to the present application. It should be noted that the kernel vulnerability repair method provided by the embodiments of the present application is generally performed by the terminal devices 101, 102, 103 in FIG. 1. The method comprises the following steps:
Step 201: determine the memory address, in the kernel to be repaired, of the kernel function or variable indicated by a kernel symbol in the preset vulnerability repair instruction to be loaded into memory.
In this embodiment, the preset vulnerability repair instruction is generated by compiling preset vulnerability repair code.
In this embodiment, the repair code used to repair the kernel vulnerability can be prepared in advance. The repair code can contain custom functions and variables used to repair the kernel, and it can also reference the kernel functions and kernel variables that must be called during the repair. The repair code can repair the kernel's instructions and data to complete the repair, or it can replace the faulty function with the repaired function by modifying the system call table or the function's code.
In this embodiment, the kernel symbol table of the kernel can be obtained first. Then, from the names of the kernel symbols defined in the kernel symbol table and the memory addresses in the kernel of the kernel functions or variables those symbols correspond to, the memory address in the kernel to be repaired of the kernel function or variable indicated by each kernel symbol in the repair instruction can be determined.
Taking the Linux kernel as an example: the Linux kernel contains a kernel symbol table that records the kernel functions and variables the kernel makes available for external reference. The symbol table records the identifiers of Linux kernel functions and Linux kernel variables together with their addresses in the Linux kernel. The Linux kernel symbol table can be read through the Linux kernel's proc file system, and from it the memory address in the kernel to be repaired of the kernel function or variable indicated by a Linux kernel symbol in the repair instruction can be found. On current Linux kernels this table is exposed as /proc/kallsyms, and the addresses it reports are zeroed when kptr_restrict is set (for unprivileged readers at 1, for every reader at 2), so the lookup has to run with sufficient privilege and a zero address has to be treated as a failed lookup rather than written into the repair instruction.
In some optional implementations of this embodiment, before determining the memory address, in the kernel to be repaired, of the kernel function or variable indicated by a kernel symbol in the preset vulnerability repair instruction to be loaded into memory, the method further comprises: obtaining attribute information of the kernel to be repaired and the memory addresses of the kernel functions or variables in the kernel to be repaired, the attribute information including the architecture of the processor on which the kernel to be repaired runs and the kernel version; and storing the attribute information in correspondence with the memory addresses.
In this embodiment, the attribute information of the target kernel can be obtained through the proc file system. The attribute information may include, but is not limited to, the architecture of the processor the kernel runs on and the Linux kernel version.
In this embodiment, the addresses of kernel symbols and kernel variables in kernels of different processor architectures and different kernel versions can be obtained in advance, for example by reading the memory address of a kernel function or variable through the kernel's proc file system. The processor architecture identifier and the kernel version identifier are then stored in correspondence with the memory address of the kernel function or variable. Thus, when the memory address in the kernel to be repaired of the kernel function or variable indicated by a kernel symbol in the preset repair instruction is needed, the architecture of the processor the kernel runs on and the kernel's version information are obtained first, and then the pre-stored memory address of the kernel function or variable corresponding to that processor architecture and kernel version can be retrieved.
Step 202: based on the memory address, configure the address of the kernel symbol required when the preset vulnerability repair instruction calls the kernel function or variable.
In this embodiment, after the memory address in the kernel to be repaired of the kernel function or variable indicated by the kernel symbol in the preset vulnerability repair instruction has been obtained, the address of the kernel symbol required when the preset repair instruction calls the kernel function or variable can be configured based on that memory address.
Before explaining how the present application configures the address of a kernel symbol in an instruction, the compilation of the code is explained first: for the repair code to be loaded into memory and run, it has to be compiled. Compiling the repair code produces the machine instructions corresponding to it, which are called the repair instructions. A repair instruction can contain a kernel symbol, which can be the symbol corresponding to a function or to a variable. When an instruction contains a kernel symbol, the instruction's role is to call the kernel function corresponding to that symbol or to access a variable in the kernel.
Building on the compilation process just described, the process of configuring, based on the memory address, the address of the kernel symbol required when the preset repair instruction calls the kernel function or variable is as follows. In this embodiment, when a repair instruction contains a kernel symbol, the instruction's role is to call the kernel function corresponding to the symbol or to access the kernel variable corresponding to the symbol.
Because kernel versions differ, the memory address in the kernel of the kernel function or kernel variable indicated by a kernel symbol also differs. Therefore, when repair instructions are loaded into the kernel, the memory address in that kernel of the kernel function or variable corresponding to each kernel symbol contained in the repair instructions has to be determined. Then, based on that memory address, the address of the kernel symbol required when the repair instruction calls the kernel function or variable is configured. For example, part of the storage space corresponding to the preset repair instruction can be reserved for storing the address of the kernel symbol the instruction requires when it calls the kernel function or variable, which completes the configuration of the kernel symbol address required by the preset repair instruction. Thus, when the repair instruction executes, it jumps correctly to the address in the kernel of the kernel function or variable corresponding to the symbol, and so calls the function corresponding to the symbol or accesses the kernel variable corresponding to the symbol.
Take as an example a repair instruction that calls kernel function A. The repair instruction contains a kernel symbol, namely the symbol corresponding to kernel function A. When the repair instruction is loaded into the kernel to run, the memory address of kernel function A in the kernel into which the repair instruction is about to be loaded can be determined. That memory address is then used to configure the address of the kernel symbol required when the preset repair instruction calls the kernel function or variable. Thus, when the repair instruction executes, it jumps correctly to the memory address of kernel function A in the kernel and calls kernel function A.
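Steps 201 and 202 as an added worked example in C; this is not code from the patent or its applicant. It resolves symbols from a table in /proc/kallsyms format and writes each resolved address into an 8-byte slot that the compiled repair blob is assumed to have reserved for it (the slot offsets, the sample symbol table and the symbol names kernel_func_a, kernel_func_b and sys_call_table are all constructed for the example). A zeroed address, which is what kptr_restrict produces, is treated as a failed lookup, and every symbol is resolved before any slot is written so that a half-relocated blob is never produced.

```c
/*
 * Added example (not the patent's code): steps 201 and 202.
 * 1. resolve_symbol() looks up a kernel symbol's address in a table in
 *    /proc/kallsyms format ("<hex address> <type> <name>").
 * 2. apply_relocs() writes each resolved address into the 8-byte
 *    little-endian slot the repair blob reserves for it, so the loaded
 *    instructions jump to, or access, the right address in this kernel.
 * The symbol table and the blob layout are constructed for the example.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/kallsyms format. The last line shows what a
 * kernel with kptr_restrict set reports: a zeroed address. */
static const char sample_kallsyms[] =
    "ffffffff81000000 T _text\n"
    "ffffffff810a1b20 T kernel_func_a\n"
    "ffffffff810c4e00 T kernel_func_b\n"
    "ffffffff81e02000 D sys_call_table\n"
    "0000000000000000 T restricted_func\n";

/* Find `name` in `table`: 0 on success with *addr set, -1 if the symbol is
 * absent or its address is withheld (a zero must never be patched in). */
int resolve_symbol(const char *table, const char *name, uint64_t *addr)
{
    const char *line = table;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[256], sym[256], type;
        unsigned long long a;
        if (len < sizeof(buf)) {
            memcpy(buf, line, len);
            buf[len] = '\0';
            if (sscanf(buf, "%llx %c %255s", &a, &type, sym) == 3 &&
                strcmp(sym, name) == 0) {
                if (a == 0)
                    return -1;
                *addr = (uint64_t)a;
                return 0;
            }
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    return -1;
}

/* One relocation: the blob reserved an 8-byte slot at `offset` that must
 * receive the absolute address of `symbol` (constructed layout). */
struct reloc {
    const char *symbol;
    size_t offset;
};

/* Fill every slot. All symbols are resolved and all offsets bounds-checked
 * before anything is written, so on failure (-1) the blob is untouched and
 * must not be loaded. Returns the number of slots patched on success. */
int apply_relocs(uint8_t *blob, size_t blob_len, const struct reloc *relocs,
                 size_t n, const char *table)
{
    for (size_t i = 0; i < n; i++) {
        uint64_t a = 0;
        if (relocs[i].offset + 8 > blob_len ||
            resolve_symbol(table, relocs[i].symbol, &a) != 0)
            return -1;
    }
    for (size_t i = 0; i < n; i++) {
        uint64_t a = 0;
        resolve_symbol(table, relocs[i].symbol, &a);
        for (int b = 0; b < 8; b++)
            blob[relocs[i].offset + b] = (uint8_t)(a >> (8 * b));
    }
    return (int)n;
}

/* Read a slot back (little-endian), used to verify the patched blob. */
uint64_t read_slot(const uint8_t *blob, size_t offset)
{
    uint64_t v = 0;
    for (int b = 7; b >= 0; b--)
        v = (v << 8) | blob[offset + b];
    return v;
}

int main(void)
{
    /* Constructed 32-byte repair blob with address slots at offsets 8 and 24. */
    uint8_t blob[32] = {0};
    const struct reloc relocs[] = {
        {"kernel_func_a", 8},   /* call target, like kernel function A above */
        {"sys_call_table", 24}, /* variable the repair code accesses */
    };
    if (apply_relocs(blob, sizeof blob, relocs, 2, sample_kallsyms) < 0) {
        puts("relocation failed; blob not loaded");
        return 1;
    }
    printf("slot@8  = %llx\n", (unsigned long long)read_slot(blob, 8));
    printf("slot@24 = %llx\n", (unsigned long long)read_slot(blob, 24));
    return 0;
}
```

On a real system the table text would be read from /proc/kallsyms (or from the pre-collected table keyed by processor architecture and kernel version that the optional implementation above describes), and the slot offsets would come from the build of the repair code rather than being hard-coded.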
Step 203: determine the storage space in the kernel to be repaired for loading the preset vulnerability repair instruction after the address of the kernel symbol it requires has been configured.
In this embodiment, after the address corresponding to each kernel symbol in the repair instruction has been set for the kernel to be repaired, the storage space in that kernel for loading the configured preset repair instruction can be determined. For example, storage space for loading repair instructions can be preset for each kernel version.
Step 204: load the preset vulnerability repair instruction into the storage space.
In this embodiment, after the storage space in the kernel to be repaired for loading the preset repair instruction with its kernel symbol addresses configured has been determined, the preset repair instruction can be loaded into that storage space to repair the vulnerability in the kernel to be repaired.
In some optional implementations of this embodiment, loading the preset repair instruction into the storage space to repair the vulnerability in the kernel to be repaired comprises: obtaining the memory address of the kernel function to be repaired in the kernel to be repaired; and replacing that memory address in the system call table of the kernel to be repaired with a preset memory address.
In this embodiment, the preset repair instruction loaded in the kernel can repair the vulnerability in the following way. Taking the repair of a faulty kernel function in the kernel to be repaired as an example: the kernel symbol table is obtained through the Linux kernel's proc file system, and the memory address of the faulty kernel function is looked up in it. Once the memory address of the faulty kernel function has been found, its entry in the system call table of the kernel to be repaired is replaced with the preset memory address.
In some optional implementations of this embodiment, loading the preset repair instruction into the storage space to repair the vulnerability in the kernel to be repaired comprises: obtaining the storage space corresponding to the kernel function to be repaired in the kernel to be repaired; and copying the repaired kernel function into that storage space.
In this embodiment, the preset repair instruction loaded in the kernel can also repair the vulnerability in the following way. Taking the repair of a faulty kernel function in the kernel to be repaired as an example: the kernel symbol table is obtained through the Linux kernel's proc file system, the storage space of the faulty kernel function is looked up in it, and the repaired kernel function is copied into that storage space. The storage space that held the faulty kernel function then holds the repaired kernel function, which repairs the faulty function in the kernel to be repaired. Because the repaired function is written over the original's storage space, it must not be larger than the space the original function occupies.
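The two repair actions described above, as an added example in C that is not code from the patent; it is simulated in user space so that it runs anywhere. An array of function pointers stands in for the kernel's system call table, the syscall number, the faulty handler (a copy with no length check) and its repaired form are constructed, and a byte buffer stands in for the faulty function's storage space. In a real kernel both the table and the text segment are write-protected and must be made writable, and the instruction cache flushed, before either write; the example does not attempt that.

```c
/*
 * Added example (not the patent's code): the two repair actions of step 204.
 * Action 1 swaps the faulty function's entry in a stand-in system call table
 * for the repaired function. Action 2 copies a repaired body over the faulty
 * function's storage space. Everything here is constructed for the example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ENOSYS_RET (-38)
#define EINVAL_RET (-22)
#define KBUF_SIZE 16
#define NR_SYSCALLS 4
#define NR_DEMO_WRITE 2 /* constructed syscall number */

typedef long (*syscall_fn)(const void *user_buf, size_t len);

static char kernel_buf[KBUF_SIZE];
const char *last_handler = "";
syscall_fn sys_call_table[NR_SYSCALLS];

/* The faulty handler: copies `len` bytes with no bound (the vulnerability).
 * This example only ever invokes it with len <= KBUF_SIZE. */
long faulty_write(const void *user_buf, size_t len)
{
    last_handler = "faulty_write";
    memcpy(kernel_buf, user_buf, len);
    return (long)len;
}

/* The repaired handler: rejects anything that would overflow kernel_buf. */
long fixed_write(const void *user_buf, size_t len)
{
    last_handler = "fixed_write";
    if (user_buf == NULL || len > KBUF_SIZE)
        return EINVAL_RET;
    memcpy(kernel_buf, user_buf, len);
    return (long)len;
}

long dummy_call(const void *user_buf, size_t len)
{
    (void)user_buf; (void)len;
    last_handler = "dummy_call";
    return 0;
}

/* Populate the table the way the unpatched kernel would have it. */
void install_original_table(void)
{
    for (unsigned i = 0; i < NR_SYSCALLS; i++)
        sys_call_table[i] = dummy_call;
    sys_call_table[NR_DEMO_WRITE] = faulty_write;
}

/* Dispatch the way the syscall entry path would. */
long dispatch(unsigned nr, const void *user_buf, size_t len)
{
    if (nr >= NR_SYSCALLS || sys_call_table[nr] == NULL)
        return ENOSYS_RET;
    return sys_call_table[nr](user_buf, len);
}

/* Action 1: replace the faulty function's address in the table with the
 * preset (repaired) address. The entry must still hold the address the
 * repair was built against; anything else means a different kernel or an
 * already patched table, and the swap is refused. */
int patch_syscall_entry(syscall_fn *table, size_t entries, unsigned nr,
                        syscall_fn expected_old, syscall_fn repaired)
{
    if (nr >= entries || table[nr] != expected_old)
        return -1;
    table[nr] = repaired;
    return 0;
}

/* Action 2: copy the repaired body over the faulty function's storage
 * space. The body must fit, otherwise the copy would run into whatever
 * follows the function in .text. Leftover bytes are filled with 0xCC
 * (int3 on x86, the assumed architecture) so stale code is never reached. */
int overwrite_function(uint8_t *space, size_t space_len,
                       const uint8_t *repaired, size_t repaired_len)
{
    if (repaired_len > space_len)
        return -1;
    memcpy(space, repaired, repaired_len);
    memset(space + repaired_len, 0xCC, space_len - repaired_len);
    return 0;
}

int main(void)
{
    char big[64] = {0};
    install_original_table();
    long r1 = dispatch(NR_DEMO_WRITE, "hi", 2);
    printf("before: 2 bytes -> %ld via %s\n", r1, last_handler);
    patch_syscall_entry(sys_call_table, NR_SYSCALLS, NR_DEMO_WRITE,
                        faulty_write, fixed_write);
    long r2 = dispatch(NR_DEMO_WRITE, big, sizeof big);
    printf("after:  64 bytes -> %ld via %s\n", r2, last_handler);

    uint8_t func_a_space[32] = {0x90};               /* constructed text of A */
    const uint8_t body_a1[4] = {0x48, 0x31, 0xc0, 0xc3}; /* constructed body of A1 */
    printf("overwrite -> %d\n", overwrite_function(func_a_space, sizeof func_a_space,
                                                   body_a1, sizeof body_a1));
    return 0;
}
```

The expected-old check in patch_syscall_entry is the practical safeguard the text's "obtain the memory address of the function to be repaired" implies: the address found in the symbol table is compared with what the table actually holds before anything is changed.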
Refer to FIG. 3, which shows a flow 300 of another embodiment of the kernel vulnerability repair method according to the present application. It should be noted that the method provided by the embodiments of the present application is generally performed by the terminal devices 101, 102, 103 in FIG. 1. The method comprises the following steps:
Step 301: determine the memory address, in the kernel to be repaired, of the kernel function or variable indicated by a kernel symbol in the preset vulnerability repair instruction to be loaded into memory.
In this embodiment, the preset vulnerability repair instruction is generated by compiling preset vulnerability repair code.
In this embodiment, the repair code used to repair the kernel vulnerability can be prepared in advance. The repair code can contain custom functions and variables used to repair the kernel, and it can also reference the kernel functions and kernel variables that must be called during the repair. The repair code can repair the kernel's instructions and data to complete the repair, or it can replace the faulty function with the repaired function by modifying the system call table or the function's code.
Step 302: based on the memory address, configure the address of the kernel symbol required when the preset vulnerability repair instruction calls the kernel function or variable.
In this embodiment, after the memory address in the kernel to be repaired of the kernel function or variable indicated by the kernel symbol in the preset vulnerability repair instruction has been obtained, the address of the kernel symbol required when the preset repair instruction calls the kernel function or variable can be configured based on that memory address.
Step 303: use the selected storage space or the allocated storage space as the storage space for loading the preset vulnerability repair instruction.
In this embodiment, the storage space in the kernel to be repaired for loading the preset repair instruction can be determined as follows: a preset storage space in the kernel to be repaired is used as the storage space for loading the preset repair instruction whose required kernel symbol addresses have been configured. For example, the preset storage space can be storage space that has execute permission.
In this embodiment, the storage space in the kernel to be repaired for loading the preset repair instruction can also be determined as follows: the storage space corresponding to a preset kernel function in the kernel to be repaired is used as the storage space for loading the preset repair instruction.
In this embodiment, the storage space in the kernel to be repaired for loading the preset repair instruction can also be determined as follows: a preset storage-space allocation instruction is loaded into the storage space corresponding to a preset kernel function in the kernel to be repaired and a storage space of a preset size is generated; the generated storage space is then used as the storage space for loading the preset repair instruction.
In this embodiment, code that performs memory allocation can be produced by modifying the code of a kernel function, for example the uname function. That code is compiled to generate a memory allocation instruction. Once the memory allocation instruction has been loaded and run, it returns a section of storage space allocated inside the Linux kernel, and the preset repair instruction can be loaded into that storage space.
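Step 303 as an added example in C, not code from the patent. It tries the three candidates in the order the text lists them: a preset region, the storage space of a donor kernel function (standing in for the uname function whose code is replaced), and a region returned by an allocation routine that stands in for the allocation instruction loaded into that donor space. A candidate is accepted only if it is executable and large enough for the repair blob. The region descriptors, base addresses and the allocator are all constructed; on a real kernel the bases come from the symbol table and the allocation from the loaded allocation instruction.

```c
/*
 * Added example (not the patent's code): choosing the storage space for the
 * repair instructions (step 303). Candidates are tried in order: preset
 * region, donor function's space, freshly allocated region. Each must be
 * executable and at least `need` bytes long. Everything is constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define REGION_R 1u
#define REGION_W 2u
#define REGION_X 4u

struct region {
    const char *name;
    uintptr_t base; /* 0 means "not available" */
    size_t len;
    unsigned prot;
};

/* Constructed allocator standing in for the allocation instruction that is
 * loaded into the donor function's space and run to obtain new memory. */
static int fake_kernel_alloc(size_t len, struct region *out)
{
    static uint8_t arena[4096]; /* constructed arena, treated as executable */
    if (len > sizeof arena)
        return -1;
    out->name = "allocated";
    out->base = (uintptr_t)arena;
    out->len = len;
    out->prot = REGION_R | REGION_W | REGION_X;
    return 0;
}

/* A region can hold the blob only if it exists, is executable and fits. */
int region_usable(const struct region *r, size_t need)
{
    return r != NULL && r->base != 0 && (r->prot & REGION_X) != 0 && r->len >= need;
}

/* Pick the storage space for a blob of `need` bytes. `chosen` receives the
 * descriptor; returns 0 (preset), 1 (donor function space), 2 (allocated)
 * or -1 when nothing usable exists. Reusing a donor function's space
 * destroys that function, so it is tried only after the preset region. */
int choose_patch_region(const struct region *preset, const struct region *donor,
                        size_t need, int (*alloc)(size_t, struct region *),
                        struct region *chosen)
{
    if (region_usable(preset, need)) { *chosen = *preset; return 0; }
    if (region_usable(donor, need))  { *chosen = *donor;  return 1; }
    if (alloc != NULL && alloc(need, chosen) == 0 && region_usable(chosen, need))
        return 2;
    return -1;
}

int main(void)
{
    /* Constructed candidates: a small preset slot and the donor function's text. */
    struct region preset = {"preset", (uintptr_t)0x1000, 64, REGION_R | REGION_X};
    struct region donor  = {"uname",  (uintptr_t)0x2000, 256, REGION_R | REGION_X};
    struct region chosen = {0};
    int how = choose_patch_region(&preset, &donor, 512, fake_kernel_alloc, &chosen);
    printf("strategy %d: %s (%zu bytes)\n", how, how < 0 ? "none" : chosen.name,
           how < 0 ? (size_t)0 : chosen.len);
    return 0;
}
```

The executable-permission check is the condition the text attaches to the preset storage space; applying it to every candidate prevents the repair instructions from being copied into a data region where they could never run.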
Step 304: load the preset vulnerability repair instruction into the storage space.
In this embodiment, after the storage space in the kernel to be repaired for loading the preset vulnerability repair instruction (with the addresses corresponding to its kernel symbols already set) has been determined, the preset vulnerability repair instruction can be loaded into that storage space to repair the vulnerability in the kernel to be repaired.
As can be seen from FIG. 3, unlike the embodiment corresponding to FIG. 2, the flow 300 of the method in this embodiment highlights step 303, namely loading the preset vulnerability repair instruction into the selected storage space or the allocated storage space. The solution described in this embodiment can further select, for different kernel versions, the storage space in which the vulnerability repair instruction is loaded, and load the vulnerability repair instruction there. As a result, the vulnerability repair instruction can be located in different kernel versions, so that during the repair process other kernel programs can communicate with the vulnerability repair code, for example by passing parameters, which further improves the applicability of the vulnerability repair instruction to different kernel versions.
The kernel vulnerability repair method of the present application is illustrated below with the example of a kernel function A that has a problem, where the vulnerability repair instruction is loaded into one version of the kernel. First, the vulnerability repair code can be generated. This vulnerability repair code contains code for changing the problematic kernel function A into the repaired kernel function A1, and the vulnerability repair code calls a kernel function B. After the vulnerability repair code is compiled, the resulting vulnerability repair instruction contains an instruction for calling kernel function B and an instruction for changing kernel function A into the repaired kernel function A1.
First, the memory addresses of kernel function A and kernel function B in this kernel version are determined separately. Then, the memory address of kernel function B in this kernel version is configured as the address of the kernel symbol required when the vulnerability repair instruction calls kernel function B, namely the kernel symbol corresponding to kernel function B.
The vulnerability repair instruction can then be loaded into the selected storage space in the kernel. When the vulnerability repair instruction executes, it can jump correctly to the address of kernel function B in this kernel version and thus call kernel function B. At the same time, the code of the repaired kernel function A1 can be copied into the storage space of kernel function A in the kernel, thereby repairing the problematic kernel function A.
Based on the kernel vulnerability repair method described in the above embodiments, the difference between the kernel vulnerability repair method of the present application and the prior art is explained below:
Taking the repair of a problematic kernel function as an example, in the prior art the vulnerability repair code needs to find the address in the kernel of the kernel function to be repaired and then replace the problematic kernel function with the repaired kernel function. Because kernel versions differ, the addresses of kernel functions in the kernel also differ; therefore code that replaces a kernel function in one kernel version cannot be applied to another kernel version. The vulnerability repair code has to be configured separately for every kernel version, which increases development cost.
In the present application, by contrast, a template of the vulnerability repair code is effectively created in advance. The vulnerability repair code contains code for replacing the problematic function with the repaired kernel function. After the vulnerability repair code is compiled, the vulnerability repair instruction can be generated. When a problematic kernel function in the kernel needs to be repaired, the address of the kernel symbol required when the vulnerability repair instruction calls a kernel function is configured based on the determined memory address, in the kernel to be repaired, of the kernel function indicated by that kernel symbol in the vulnerability repair instruction. Thus, when the vulnerability repair instruction is loaded into different kernel versions, it can accurately jump to the kernel function corresponding to the kernel symbol or access the variable corresponding to the kernel symbol. The vulnerability repair instruction can therefore be loaded into various kernel versions to complete the repair of the problematic kernel function, that is, the repair of the vulnerability in the kernel.
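The template-plus-symbol-resolution scheme described above (the A/B walkthrough and the comparison with per-version patch code) can be modelled in user space. The following C program is an added example, not code from the patent: the symbol names, the two kernel profiles with their addresses, the relocation offsets and the patch bytes are all constructed, and the kernel is represented only by a per-version symbol table keyed by architecture and version as in the attribute-information embodiment.

```c
/* Added example (not from the patent): one compiled "repair template"
 * resolved against several kernel builds.  All names, addresses and
 * offsets below are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TEMPLATE_SIZE 32

/* One kernel symbol and its address in a particular kernel build. */
struct ksym { const char *name; uint64_t addr; };

/* Attribute information of a kernel to be repaired (architecture and
 * version) stored together with its symbol addresses. */
struct kernel_profile {
    const char *arch;
    const char *version;
    const struct ksym *syms;
    size_t nsyms;
};

/* A relocation the compiler left in the template: at byte offset `off`
 * of the patch bytes, write the 64-bit address of symbol `sym`. */
struct reloc { size_t off; const char *sym; };

/* The preset vulnerability repair instruction before symbol addresses
 * are configured: opaque code bytes plus unresolved relocations. */
struct patch_template {
    uint8_t code[TEMPLATE_SIZE];
    const struct reloc *relocs;
    size_t nrelocs;
};

static const struct ksym *lookup_sym(const struct kernel_profile *kp,
                                     const char *name)
{
    for (size_t i = 0; i < kp->nsyms; i++)
        if (strcmp(kp->syms[i].name, name) == 0)
            return &kp->syms[i];
    return NULL;
}

/* Configure the template for one kernel build: copy the bytes into `out`
 * and write every symbol's address at its relocation offset.  Returns the
 * number of relocations applied, or -1 when a symbol is missing or an
 * offset is out of range, in which case nothing should be loaded. */
int resolve_patch(const struct patch_template *t,
                  const struct kernel_profile *kp,
                  uint8_t out[TEMPLATE_SIZE])
{
    memcpy(out, t->code, TEMPLATE_SIZE);
    for (size_t i = 0; i < t->nrelocs; i++) {
        const struct reloc *r = &t->relocs[i];
        const struct ksym *s = lookup_sym(kp, r->sym);
        if (s == NULL || r->off + sizeof(uint64_t) > TEMPLATE_SIZE)
            return -1;
        uint64_t a = s->addr;
        memcpy(out + r->off, &a, sizeof a);  /* host byte order suffices here */
    }
    return (int)t->nrelocs;
}

/* Read back the address written at offset `off` of a resolved blob. */
uint64_t read_addr(const uint8_t blob[TEMPLATE_SIZE], size_t off)
{
    uint64_t a;
    memcpy(&a, blob + off, sizeof a);
    return a;
}

/* Constructed symbol tables: the same two functions live at different
 * addresses in two kernel builds, and a third build lacks function B. */
static const struct ksym syms_v1[] = {
    { "kernel_func_A", 0xffffffff81012340ULL },
    { "kernel_func_B", 0xffffffff81098760ULL },
};
static const struct ksym syms_v2[] = {
    { "kernel_func_A", 0xffffffff81015a00ULL },
    { "kernel_func_B", 0xffffffff810a1c20ULL },
};
static const struct ksym syms_no_b[] = {
    { "kernel_func_A", 0xffffffff81010000ULL },
};
const struct kernel_profile profile_v1 = { "x86_64", "4.4-constructed", syms_v1, 2 };
const struct kernel_profile profile_v2 = { "x86_64", "4.9-constructed", syms_v2, 2 };
const struct kernel_profile profile_missing_B = { "x86_64", "4.1-constructed", syms_no_b, 1 };

/* The shared template: offset 8 holds the call target (function B),
 * offset 16 holds the location of the function whose code is replaced. */
static const struct reloc template_relocs[] = {
    { 8,  "kernel_func_B" },
    { 16, "kernel_func_A" },
};
const struct patch_template repair_template = { { 0 }, template_relocs, 2 };

/* Resolve the shared template against `kp` and return the address that
 * ended up at `off`; 0 means resolution was refused. */
uint64_t resolved_addr_for(const struct kernel_profile *kp, size_t off)
{
    uint8_t blob[TEMPLATE_SIZE];
    if (resolve_patch(&repair_template, kp, blob) < 0)
        return 0;
    return read_addr(blob, off);
}

int main(void)
{
    printf("v2 call target for B: %#llx\n",
           (unsigned long long)resolved_addr_for(&profile_v2, 8));
    printf("build without B resolves to: %llu (refused)\n",
           (unsigned long long)resolved_addr_for(&profile_missing_B, 8));
    return 0;
}
```

The same template yields a different configured blob per build, and a build whose symbol table lacks a required symbol is refused rather than loaded with a dangling address.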
Referring to FIG. 4, a schematic structural diagram of an embodiment of the kernel vulnerability repair apparatus according to the present application is shown. The kernel vulnerability repair apparatus 400 includes an address determining unit 401, a setting unit 402, a space determining unit 403 and a loading unit 404. The address determining unit 401 is configured to determine the memory address, in the kernel to be repaired, of the kernel function or variable indicated by a kernel symbol in the preset vulnerability repair instruction to be loaded into memory, the preset vulnerability repair instruction being generated by compiling preset vulnerability repair code; the setting unit 402 is configured to configure, based on the memory address, the address of the kernel symbol required when the preset vulnerability repair instruction calls the kernel function or variable; the space determining unit 403 is configured to determine the storage space in the kernel to be repaired for loading the preset vulnerability repair instruction whose required kernel symbol addresses have been configured; and the loading unit 404 is configured to load the preset vulnerability repair instruction into the storage space to repair the vulnerability in the kernel to be repaired.
In some optional implementations of this embodiment, the space determining unit 403 includes: a first storage space configuration subunit (not shown), configured to use a preset storage space in the kernel to be repaired as the storage space for loading the preset vulnerability repair instruction whose required kernel symbol addresses have been configured, the preset storage space including a storage space with executable permission.
In some optional implementations of this embodiment, the space determining unit 403 includes: a second storage space configuration subunit (not shown), configured to use the storage space corresponding to a preset kernel function in the kernel to be repaired as the storage space for loading the preset vulnerability repair instruction whose required kernel symbol addresses have been configured.
In some optional implementations of this embodiment, the space determining unit 403 includes: a storage space allocation subunit (not shown), configured to load a preset storage space allocation instruction into the storage space corresponding to a preset kernel function in the kernel to be repaired and to generate a storage space of a preset size; and a third storage space configuration subunit (not shown), configured to use the generated storage space as the storage space for loading the preset vulnerability repair instruction whose required kernel symbol addresses have been configured.
In some optional implementations of this embodiment, the loading unit 404 includes: a memory address acquiring subunit (not shown), configured to acquire the memory address of the kernel function to be repaired in the kernel to be repaired; and a replacing subunit (not shown), configured to replace that memory address in the system call table of the kernel to be repaired with a preset memory address.
In some optional implementations of this embodiment, the loading unit 404 includes: a storage space acquiring subunit (not shown), configured to acquire the storage space corresponding to the kernel function to be repaired in the kernel to be repaired; and a copying subunit (not shown), configured to copy the repaired kernel function into that storage space.
In some optional implementations of this embodiment, the apparatus 400 further includes: an information acquiring unit (not shown), configured to acquire attribute information of the kernel to be repaired and the memory addresses of kernel functions or variables in the kernel to be repaired, the attribute information including the architecture information of the processor on which the kernel to be repaired runs and the kernel version information; and a storage unit (not shown), configured to store the attribute information in correspondence with the memory addresses.
FIG. 5 is a schematic structural diagram of a computer system suitable for implementing a terminal device or server of embodiments of the present application.
As shown in FIG. 5, the computer system 500 includes a central processing unit (CPU) 501, which can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 502 or a program loaded from a storage portion 508 into a random access memory (RAM) 503. The RAM 503 also stores the various programs and data required for the operation of the system 500. The CPU 501, the ROM 502 and the RAM 503 are connected to one another through a bus 504. An input/output (I/O) interface 505 is also connected to the bus 504.
The following components are connected to the I/O interface 505: an input portion 506 including a keyboard, a mouse and the like; an output portion 507 including a cathode ray tube (CRT), a liquid crystal display (LCD) and the like, as well as a speaker and the like; a storage portion 508 including a hard disk and the like; and a communication portion 509 including a network interface card such as a LAN card or a modem. The communication portion 509 performs communication processing via a network such as the Internet. A drive 510 is also connected to the I/O interface 505 as needed. A removable medium 511, such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory, is mounted on the drive 510 as needed, so that a computer program read from it can be installed into the storage portion 508 as needed.
In particular, according to embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as a computer software program. For example, an embodiment of the present disclosure includes a computer program product comprising a computer program tangibly embodied on a machine-readable medium, the computer program comprising program code for performing the method shown in the flowchart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication portion 509, and/or installed from the removable medium 511.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in a flowchart or block diagram may represent a module, a program segment or a portion of code, which contains one or more executable instructions for implementing the specified logical function. It should also be noted that in some alternative implementations the functions noted in the blocks may occur in an order different from that shown in the figures. For example, two blocks shown in succession may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functionality involved. It should also be noted that each block of the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, can be implemented by a dedicated hardware-based system that performs the specified function or operation, or by a combination of dedicated hardware and computer instructions.
In another aspect, the present application further provides a non-volatile computer storage medium, which may be the non-volatile computer storage medium included in the apparatus described in the above embodiments, or a stand-alone non-volatile computer storage medium not assembled into a terminal. The non-volatile computer storage medium stores one or more programs which, when executed by a device, cause the device to: determine the memory address, in the kernel to be repaired, of the kernel function or variable indicated by a kernel symbol in the preset vulnerability repair instruction to be loaded into memory, the preset vulnerability repair instruction being generated by compiling preset vulnerability repair code; configure, based on the memory address, the address of the kernel symbol required when the preset vulnerability repair instruction calls the kernel function or variable; determine the storage space in the kernel to be repaired for loading the preset vulnerability repair instruction whose required kernel symbol addresses have been configured; and load the preset vulnerability repair instruction into the storage space to repair the vulnerability in the kernel to be repaired.
The above description is only a preferred embodiment of the present application and an explanation of the technical principles applied. Those skilled in the art should understand that the scope of the invention in the present application is not limited to technical solutions formed by the specific combination of the above technical features, but also covers other technical solutions formed by any combination of the above technical features or their equivalents without departing from the inventive concept, for example technical solutions formed by replacing the above features with technical features of similar function disclosed in (but not limited to) the present application.

Claims (16)

  1. A kernel vulnerability repair method, characterized in that the method comprises:
    determining the memory address, in a kernel to be repaired, of a kernel function or variable indicated by a kernel symbol in a preset vulnerability repair instruction to be loaded into memory, the preset vulnerability repair instruction being generated by compiling preset vulnerability repair code;
    configuring, based on the memory address, the address of the kernel symbol required when the preset vulnerability repair instruction calls the kernel function or variable;
    determining a storage space in the kernel to be repaired for loading the preset vulnerability repair instruction whose required kernel symbol addresses have been configured;
    loading the preset vulnerability repair instruction into the storage space to repair a vulnerability in the kernel to be repaired.
  2. The method according to claim 1, characterized in that determining the storage space in the kernel to be repaired for loading the preset vulnerability repair instruction whose required kernel symbol addresses have been configured comprises:
    using a preset storage space in the kernel to be repaired as the storage space for loading the preset vulnerability repair instruction whose required kernel symbol addresses have been configured, the preset storage space comprising a storage space with executable permission.
  3. The method according to claim 1, characterized in that determining the storage space in the kernel to be repaired for loading the preset vulnerability repair instruction whose required kernel symbol addresses have been configured comprises:
    using the storage space corresponding to a preset kernel function in the kernel to be repaired as the storage space for loading the preset vulnerability repair instruction whose required kernel symbol addresses have been configured.
  4. The method according to claim 1, characterized in that determining the storage space in the kernel to be repaired for loading the preset vulnerability repair instruction whose required kernel symbol addresses have been configured comprises:
    loading a preset storage space allocation instruction into the storage space corresponding to a preset kernel function in the kernel to be repaired, and generating a storage space of a preset size;
    using the generated storage space as the storage space for loading the preset vulnerability repair instruction whose required kernel symbol addresses have been configured.
  5. The method according to any one of claims 1 to 4, characterized in that loading the preset vulnerability repair instruction into the storage space to repair the vulnerability in the kernel to be repaired comprises:
    acquiring the memory address of the kernel function to be repaired in the kernel to be repaired;
    replacing said memory address in the system call table of the kernel to be repaired with a preset memory address.
  6. The method according to any one of claims 1 to 4, characterized in that loading the preset vulnerability repair instruction into the storage space to repair the vulnerability in the kernel to be repaired comprises:
    acquiring the storage space corresponding to the kernel function to be repaired in the kernel to be repaired;
    copying the repaired kernel function into said storage space.
  7. The method according to claim 1, characterized in that, before determining the memory address, in the kernel to be repaired, of the kernel function or variable indicated by the kernel symbol in the preset vulnerability repair instruction to be loaded into memory, the method further comprises:
    acquiring attribute information of the kernel to be repaired and the memory addresses of kernel functions or variables in the kernel to be repaired, the attribute information comprising architecture information of the processor on which the kernel to be repaired runs and kernel version information;
    storing the attribute information in correspondence with the memory addresses.
  8. A kernel vulnerability repair apparatus, characterized in that the apparatus comprises:
    an address determining unit, configured to determine the memory address, in a kernel to be repaired, of a kernel function or variable indicated by a kernel symbol in a preset vulnerability repair instruction to be loaded into memory, the preset vulnerability repair instruction being generated by compiling preset vulnerability repair code;
    a setting unit, configured to configure, based on the memory address, the address of the kernel symbol required when the preset vulnerability repair instruction calls the kernel function or variable;
    a space determining unit, configured to determine a storage space in the kernel to be repaired for loading the preset vulnerability repair instruction whose required kernel symbol addresses have been configured;
    a loading unit, configured to load the preset vulnerability repair instruction into the storage space to repair a vulnerability in the kernel to be repaired.
  9. The apparatus according to claim 8, characterized in that the space determining unit comprises:
    a first storage space configuration subunit, configured to use a preset storage space in the kernel to be repaired as the storage space for loading the preset vulnerability repair instruction whose required kernel symbol addresses have been configured, the preset storage space comprising a storage space with executable permission.
  10. The apparatus according to claim 8, characterized in that the space determining unit comprises:
    a second storage space configuration subunit, configured to use the storage space corresponding to a preset kernel function in the kernel to be repaired as the storage space for loading the preset vulnerability repair instruction whose required kernel symbol addresses have been configured.
  11. The apparatus according to claim 8, characterized in that the space determining unit comprises:
    a storage space allocation subunit, configured to load a preset storage space allocation instruction into the storage space corresponding to a preset kernel function in the kernel to be repaired, and to generate a storage space of a preset size;
    a third storage space configuration subunit, configured to use the generated storage space as the storage space for loading the preset vulnerability repair instruction whose required kernel symbol addresses have been configured.
  12. The apparatus according to any one of claims 8 to 11, characterized in that the loading unit comprises:
    a memory address acquiring subunit, configured to acquire the memory address of the kernel function to be repaired in the kernel to be repaired;
    a replacing subunit, configured to replace said memory address in the system call table of the kernel to be repaired with a preset memory address.
  13. The apparatus according to any one of claims 8 to 11, characterized in that the loading unit comprises:
    a storage space acquiring subunit, configured to acquire the storage space corresponding to the kernel function to be repaired in the kernel to be repaired;
    a copying subunit, configured to copy the repaired kernel function into said storage space.
  14. The apparatus according to claim 7, characterized in that the apparatus further comprises:
    an information acquiring unit, configured to acquire attribute information of the kernel to be repaired and the memory addresses of kernel functions or variables in the kernel to be repaired, the attribute information comprising architecture information of the processor on which the kernel to be repaired runs and kernel version information;
    a storage unit, configured to store the attribute information in correspondence with the memory addresses.
  15. A device, comprising:
    a processor; and
    a memory,
    the memory storing computer-readable instructions executable by the processor, the processor performing a kernel vulnerability repair method when the computer-readable instructions are executed, the method comprising:
    determining the memory address, in a kernel to be repaired, of a kernel function or variable indicated by a kernel symbol in a preset vulnerability repair instruction to be loaded into memory, the preset vulnerability repair instruction being generated by compiling preset vulnerability repair code;
    configuring, based on the memory address, the address of the kernel symbol required when the preset vulnerability repair instruction calls the kernel function or variable;
    determining a storage space in the kernel to be repaired for loading the preset vulnerability repair instruction whose required kernel symbol addresses have been configured;
    loading the preset vulnerability repair instruction into the storage space to repair a vulnerability in the kernel to be repaired.
  16. A non-volatile computer storage medium, the computer storage medium storing computer-readable instructions executable by a processor, the processor performing a kernel vulnerability repair method when the computer-readable instructions are executed by the processor, the method comprising:
    determining the memory address, in a kernel to be repaired, of a kernel function or variable indicated by a kernel symbol in a preset vulnerability repair instruction to be loaded into memory, the preset vulnerability repair instruction being generated by compiling preset vulnerability repair code;
    configuring, based on the memory address, the address of the kernel symbol required when the preset vulnerability repair instruction calls the kernel function or variable;
    determining a storage space in the kernel to be repaired for loading the preset vulnerability repair instruction whose required kernel symbol addresses have been configured;
    loading the preset vulnerability repair instruction into the storage space to repair a vulnerability in the kernel to be repaired.
PCT/CN2016/086412 2016-03-30 2016-06-20 Kernel vulnerability repair method and device WO2017166448A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610191535.0A CN105868639A (en) 2016-03-30 2016-03-30 Kernel vulnerability repair method and device
CN201610191535.0 2016-03-30

Publications (1)

Publication Number Publication Date
WO2017166448A1 true WO2017166448A1 (en) 2017-10-05

Family

ID=56627697

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/086412 WO2017166448A1 (en) 2016-03-30 2016-06-20 Kernel vulnerability repair method and device

Country Status (2)

Country Link
CN (1) CN105868639A (en)
WO (1) WO2017166448A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111881455A (en) * 2020-07-27 2020-11-03 绿盟科技集团股份有限公司 Firmware security analysis method and device
CN112906008A (en) * 2018-11-15 2021-06-04 百度在线网络技术(北京)有限公司 Kernel vulnerability repairing method, device, server and system

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109117169B (en) * 2016-12-12 2022-06-07 百度在线网络技术(北京)有限公司 Method and device for repairing kernel vulnerability
CN107273750B (en) * 2017-05-31 2021-03-16 上海交通大学 Android device kernel vulnerability repairing system and method
CN108415840A (en) * 2018-03-14 2018-08-17 百度在线网络技术(北京)有限公司 The method, apparatus and server of repair function defect

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103309683A (en) * 2012-03-07 2013-09-18 京信通信系统(中国)有限公司 Software patch embedding method and device for hardware equipment
CN103324494A (en) * 2012-03-22 2013-09-25 金蝶软件(中国)有限公司 Automatic patch making method, server and system
CN103345412A (en) * 2013-07-10 2013-10-09 华为技术有限公司 Patching method and device
CN104679532A (en) * 2013-11-27 2015-06-03 腾讯科技(深圳)有限公司 Method and device for loading kernel module

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8286238B2 (en) * 2006-09-29 2012-10-09 Intel Corporation Method and apparatus for run-time in-memory patching of code from a service processor
CN101281488A (en) * 2007-04-06 2008-10-08 上海宇梦通信科技有限公司 Inner core debug method of Linux operating system
CN101799763B (en) * 2009-02-10 2013-01-30 华为技术有限公司 Method, device and system for patching kernel on line
CN101937340B (en) * 2009-06-29 2014-11-05 中兴通讯股份有限公司 Method and device for dynamically updating and controlling software by using patches

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112906008A (en) * 2018-11-15 2021-06-04 百度在线网络技术(北京)有限公司 Kernel vulnerability repairing method, device, server and system
CN111881455A (en) * 2020-07-27 2020-11-03 绿盟科技集团股份有限公司 Firmware security analysis method and device
CN111881455B (en) * 2020-07-27 2023-12-01 绿盟科技集团股份有限公司 Firmware security analysis method and device

Also Published As

Publication number Publication date
CN105868639A (en) 2016-08-17

Similar Documents

Publication Publication Date Title
US10936293B2 (en) Container image layer reordering
WO2017166448A1 (en) Kernel vulnerability repair method and device
JP7090657B2 (en) Methods, devices, devices and storage media for upgrading applications
WO2017166447A1 (en) Method and device for loading kernel module
US20180121320A1 (en) Analysis to check web api code usage and specification
US10754708B2 (en) Orchestrator and console agnostic method to deploy infrastructure through self-describing deployment templates
CN110096424B (en) Test processing method and device, electronic equipment and storage medium
US20120204160A1 (en) Managing Non-Common Features for Program Code Translation
US10289397B2 (en) Silent installation of software with dependencies
US10908948B2 (en) Multiple application instances in operating systems that utilize a single process for application execution
US9684788B2 (en) Self-repair and distributed-repair of applications
US9513889B2 (en) System and method of automating installation of applications
US11003668B2 (en) Programming language independent software testing environment
CN110597564A (en) Installation package construction and service component loading method, device and terminal equipment
US20160291955A1 (en) Methods and Apparatuses for Providing Framework for Selective Execution of Application Features
CN115291946A (en) Hongmong system transplanting method, device, electronic equipment and readable medium
US10761863B2 (en) Mobile application management by run-time insertion of a replacement instrumentation object into a mobile application process
US9507578B2 (en) Application instance staging
US20200274758A1 (en) Provisioning hybrid cloud resources in an operating environment
US10698677B2 (en) Method and system for lifecycle management optimization
JP2021131897A (en) Scheduling method, device, equipment, storage equipment, and program
CN116569141A (en) Workflow repair
US11385923B2 (en) Container-based virtualization system extending kernel functionality using kernel modules compiled by a compiling container and loaded by an application container
CN111522535A (en) Data source aggregation method and device, storage medium and computer equipment
CN109933355B (en) Application program upgrading method and device

Legal Events

Date Code Title Description
NENP Non-entry into the national phase
  Ref country code: DE
121 Ep: the epo has been informed by wipo that ep was designated in this application
  Ref document number: 16896221
  Country of ref document: EP
  Kind code of ref document: A1
122 Ep: pct application non-entry in european phase
  Ref document number: 16896221
  Country of ref document: EP
  Kind code of ref document: A1