WO2017166448A1 - Kernel vulnerability repair method and device - Google Patents

Kernel vulnerability repair method and device

Info

Publication number
WO2017166448A1
Authority
WO
WIPO (PCT)
Prior art keywords
kernel
preset
storage space
repaired
instruction
Application number
PCT/CN2016/086412
Other languages
English (en)
Chinese (zh)
Inventor
卢永强
夏良钊
郑龙日
包沉浮
张煜龙
韦韬
Original Assignee
百度在线网络技术(北京)有限公司
Application filed by 百度在线网络技术(北京)有限公司
Publication of WO2017166448A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Definitions

  • The present application relates to the field of computers, specifically to the field of operating systems, and in particular to a kernel vulnerability repair method and apparatus.
  • Ensuring the security of the kernel is a top priority in security protection. Therefore, when a vulnerability is found in the kernel, it needs to be fixed in time.
  • The commonly used vulnerability repair method is as follows: for one version of the kernel, vulnerability repair code is set for that version; the vulnerability repair code finds the address, in the kernel, of the kernel function that needs to be repaired, and then replaces the problematic kernel function with the repaired kernel function.
  • The present application provides a kernel vulnerability repair method and apparatus for solving the technical problems described in the background above.
  • The present application provides a kernel vulnerability repair method, the method comprising: determining the memory address, in the kernel to be repaired, of the kernel function or variable indicated by a kernel symbol in a preset vulnerability repair instruction to be loaded into memory, the preset vulnerability repair instruction being generated by compiling preset vulnerability repair code; configuring, based on the memory address, the address of the kernel symbol that the preset vulnerability repair instruction requires to call the kernel function or access the variable; determining the storage space, in the kernel to be repaired, used to load the preset vulnerability repair instruction after the address of the required kernel symbol has been configured; and loading the preset vulnerability repair instruction in the storage space to repair the vulnerability in the kernel to be repaired.
  • The present application provides a kernel vulnerability repair apparatus, the apparatus comprising: an address determining unit configured to determine the memory address, in the kernel to be repaired, of the kernel function or variable indicated by a kernel symbol in a preset vulnerability repair instruction to be loaded into memory, the preset vulnerability repair instruction being generated by compiling preset vulnerability repair code; a setting unit configured to configure, based on the memory address, the address of the kernel symbol that the preset vulnerability repair instruction requires to call the kernel function or access the variable; a space determining unit configured to determine the storage space, in the kernel to be repaired, used to load the preset vulnerability repair instruction after the address of the required kernel symbol has been configured; and a loading unit configured to load the preset vulnerability repair instruction in the storage space to repair the vulnerability in the kernel to be repaired.
  • The kernel vulnerability repair method and apparatus determine the memory address, in the kernel to be repaired, of the kernel function or variable indicated by the kernel symbol in the preset vulnerability repair instruction to be loaded into memory; configure the address of the kernel symbol that the vulnerability repair instruction requires to call the kernel function or access the variable; determine the storage space in the kernel to be repaired used to load the preset vulnerability repair instruction; and load the preset vulnerability repair instruction in the storage space. The address of the kernel symbol required by the vulnerability repair instruction is thus configured based on the determined memory address of the problematic kernel function or variable.
  • When the vulnerability repair instruction is loaded in different versions of the kernel, it can accurately jump to the kernel function corresponding to the kernel symbol or access the variable corresponding to the kernel symbol. The vulnerability repair instruction is therefore suitable for loading in various versions of the kernel, thereby completing the repair of the vulnerability in the kernel.
  • FIG. 1 is an exemplary system architecture diagram to which the present application can be applied.
  • FIG. 2 shows a flowchart of one embodiment of a kernel vulnerability repair method according to the present application.
  • FIG. 3 shows a flowchart of another embodiment of a kernel vulnerability repair method according to the present application.
  • FIG. 4 is a block diagram showing the structure of an embodiment of a kernel vulnerability repair apparatus according to the present application.
  • FIG. 5 is a schematic structural diagram of a computer system suitable for implementing a terminal device or a server of an embodiment of the present application.
  • FIG. 1 illustrates an exemplary system architecture 100 to which an embodiment of the kernel vulnerability repair method or apparatus of the present application may be applied.
  • System architecture 100 can include terminal devices 101, 102, 103, network 104, and server 105.
  • The network 104 provides the medium for the transmission links between the terminal devices 101, 102, 103 and the server 105.
  • Network 104 may include various types of connections, such as wired or wireless transmission links, or fiber optic cables.
  • The user can use the terminal devices 101, 102, 103 to interact with the server 105 over the network 104, to receive or transmit messages and the like.
  • Various communication applications, such as an instant messaging application, a browser application, a search application, a word processing application, and the like, may be installed on the terminal devices 101, 102, and 103.
  • The terminal devices 101, 102, 103 may be various electronic devices having a display screen and supporting network communication, including but not limited to smart phones, tablets, e-book readers, MP3 (Moving Picture Experts Group Audio Layer III) players, MP4 (Moving Picture Experts Group Audio Layer IV) players, laptops, desktop computers, and so on.
  • The server 105 can store vulnerability repair code for a plurality of different processor architectures and different versions of the kernel.
  • The vulnerability repair code for the kernel applicable to the processor architecture of the terminal can be sent back to the terminal device.
  • The number of terminal devices, networks, and servers in FIG. 1 is merely illustrative. Depending on the implementation needs, there can be any number of terminal devices, networks, and servers.
  • FIG. 2 illustrates a flow 200 of one embodiment of a kernel vulnerability repair method in accordance with the present application.
  • The kernel vulnerability repair method provided by the embodiment of the present application is generally performed by the terminal devices 101, 102, and 103 in FIG. 1. The method includes the following steps:
  • Step 201: Determine the memory address, in the kernel to be repaired, of the kernel function or variable indicated by a kernel symbol in a preset vulnerability repair instruction to be loaded into memory.
  • The preset vulnerability repair instruction is generated by compiling the preset vulnerability repair code.
  • The vulnerability repair code for repairing the kernel vulnerability may be preset.
  • The vulnerability repair code can include custom functions and variables for fixing the kernel.
  • The vulnerability repair code can also reference the kernel functions and variables in the kernel that need to be called during the repair process. The vulnerability repair code can be used to fix the kernel's instructions and data and complete the kernel vulnerability repair. The problematic function can also be replaced with the repaired function by modifying the system call table or the function code.
  • The kernel symbol table of the kernel may first be obtained. Then, according to the names of the kernel symbols defined in the kernel symbol table and the memory addresses, in the kernel, of the kernel functions or variables corresponding to those symbols, the memory address of the kernel function or variable indicated by the kernel symbol in the vulnerability repair instruction may be determined.
  • The kernel includes a kernel symbol table that records the kernel functions and variables the kernel makes available for external reference.
  • The Linux kernel symbol table records the identifiers of the Linux kernel functions and variables and their memory addresses in the Linux kernel. The Linux kernel symbol table can be looked up through the proc file system of the Linux kernel, and the memory address, in the kernel to be repaired, of the kernel function or variable indicated by the Linux kernel symbol in the vulnerability repair instruction can then be found.
  • Before determining the memory address, in the kernel to be repaired, of the kernel function or variable indicated by the kernel symbol in the preset vulnerability repair instruction to be loaded into memory, the method further includes: obtaining the attribute information of the kernel to be repaired and the memory addresses of the kernel functions or variables in the kernel to be repaired, the attribute information including the architecture information of the processor on which the kernel to be repaired runs and the kernel version information; and storing the attribute information in correspondence with the memory addresses.
  • The attribute information of the target kernel can be obtained through the proc file system.
  • The attribute information may include, but is not limited to, the architecture of the processor on which the kernel is running and the Linux kernel version.
  • The memory addresses of the kernel functions and variables indicated by kernel symbols, for kernels of different processor architectures and different kernel versions, may be acquired in advance.
  • The memory address of a kernel function or variable in the kernel can be obtained through the proc file system in the kernel.
  • The processor architecture identifier, the version identifier of the kernel version, and the memory address of the kernel function or variable in the kernel are stored in correspondence. Therefore, when the memory address, in the kernel to be repaired, of the kernel function or variable indicated by the kernel symbol in the vulnerability repair instruction needs to be determined, the architecture of the processor on which the kernel is running and the version information of the kernel can be obtained, and then the memory address, acquired in advance, of the kernel function or variable corresponding to that processor architecture and kernel version information can be found.
  • Step 202: Configure, based on the memory address, the address of the kernel symbol that the preset vulnerability repair instruction requires to call the kernel function or access the variable.
  • The address of the kernel symbol that the preset vulnerability repair instruction requires to call the kernel function or access the variable may be configured based on the memory address.
  • The vulnerability repair instruction can contain kernel symbols, which can be symbols corresponding to functions or variables. When an instruction contains a kernel symbol, the instruction is to call the kernel function corresponding to the kernel symbol or access the corresponding variable in the kernel.
  • The process of configuring, based on the memory address, the address of the kernel symbol that the preset vulnerability repair instruction requires to call the kernel function or access the variable is described further below.
  • A kernel symbol is included in the vulnerability repair instruction.
  • The function of the instruction is to call the kernel function corresponding to the kernel symbol or access the variable in the kernel corresponding to the kernel symbol.
  • In different kernels, the kernel functions or variables indicated by the kernel symbols have different memory addresses. Therefore, when the vulnerability repair instruction is loaded in the kernel, it is necessary to determine the memory address, in that kernel, of the kernel function or variable corresponding to the kernel symbol contained in the vulnerability repair instruction. Then, based on the memory address, the address of the kernel symbol that the preset vulnerability repair instruction requires to call the kernel function or access the variable is configured. For example, part of the storage space corresponding to the preset vulnerability repair instruction is reserved for storing the address of the kernel symbol required when the preset vulnerability repair instruction calls the kernel function or accesses the variable, thereby completing the configuration of the required kernel symbol address in the preset vulnerability repair instruction. Therefore, when the vulnerability repair instruction is executed, it can correctly jump to the address, in the kernel, of the kernel function or variable corresponding to the kernel symbol, thereby calling the function corresponding to the kernel symbol or accessing the variable in the kernel corresponding to the kernel symbol.
  • The vulnerability repair instruction is an instruction that calls kernel function A.
  • It contains a kernel symbol, that is, the kernel symbol corresponding to kernel function A.
  • When the vulnerability repair instruction is loaded into the kernel, the memory address of kernel function A in the kernel into which the vulnerability repair instruction is to be loaded can be determined. Then, using that memory address, the address of the kernel symbol that the preset vulnerability repair instruction requires to call the kernel function or access the variable is configured.
  • When the vulnerability repair instruction is executed, it can correctly jump to the memory address of kernel function A in the kernel and call kernel function A.
  • Step 203: Determine the storage space, in the kernel to be repaired, used to load the preset vulnerability repair instruction after the address of the required kernel symbol has been configured.
  • After the address of the kernel symbol in the kernel to be repaired has been configured, the storage space in the kernel to be repaired used to load the preset vulnerability repair instruction can be determined.
  • Storage space for loading vulnerability repair instructions can be preset for different versions of the kernel.
  • Step 204: Load the preset vulnerability repair instruction in the storage space.
  • The preset vulnerability repair instruction may be loaded in the storage space to repair the vulnerability in the kernel to be repaired.
  • Loading the preset vulnerability repair instruction in the storage space to repair the vulnerability in the kernel to be repaired includes: obtaining the memory address of the kernel function to be repaired in the kernel to be repaired; and replacing that memory address in the system call table of the kernel to be repaired with the preset memory address.
  • The preset vulnerability repair instruction loaded in the kernel may repair the vulnerability in the kernel in the following manner. For example, to repair a problematic kernel function in the kernel to be repaired, the kernel symbol table can be obtained through the proc file system of the Linux kernel. The memory address of the problematic kernel function can then be found in the kernel symbol table. After that memory address has been found, the memory address of the kernel function in the system call table of the kernel to be repaired can be replaced with the preset memory address.
  • Loading the preset vulnerability repair instruction in the storage space to repair the vulnerability in the kernel to be repaired includes: obtaining the storage space corresponding to the kernel function to be repaired in the kernel to be repaired; and copying the repaired kernel function to that storage space.
  • The preset vulnerability repair instruction loaded in the kernel may also repair the vulnerability in the kernel in the following manner. For example, to repair a problematic kernel function in the kernel to be repaired, the kernel symbol table can be obtained through the proc file system of the Linux kernel. The storage space of the problematic kernel function is then looked up in the kernel symbol table, and the repaired kernel function is copied to that storage space.
  • The storage space of the kernel function in the kernel then stores the repaired kernel function, which completes the repair of the problematic function in the kernel to be repaired.
  • FIG. 3 illustrates a flow of another embodiment of the kernel vulnerability repair method according to the present application.
  • Step 301: Determine the memory address, in the kernel to be repaired, of the kernel function or variable indicated by a kernel symbol in a preset vulnerability repair instruction to be loaded into memory.
  • The preset vulnerability repair instruction is generated by compiling the preset vulnerability repair code.
  • The vulnerability repair code for repairing the kernel vulnerability may be preset.
  • The vulnerability repair code can include custom functions and variables for fixing the kernel.
  • The vulnerability repair code can also reference the kernel functions and variables in the kernel that need to be called during the repair process. The vulnerability repair code can be used to fix the kernel's instructions and data and complete the kernel vulnerability repair. The problematic function can also be replaced with the repaired function by modifying the system call table or the function code.
  • Step 302: Configure, based on the memory address, the address of the kernel symbol that the preset vulnerability repair instruction requires to call the kernel function or access the variable.
  • The address of the kernel symbol that the preset vulnerability repair instruction requires to call the kernel function or access the variable may be configured based on the memory address.
  • Step 303: Use a selected storage space or an allocated storage space as the storage space for loading the preset vulnerability repair instruction.
  • The storage space for loading the preset vulnerability repair instruction in the kernel to be repaired may be determined as follows: a preset storage space in the kernel to be repaired is used as the storage space for loading the preset vulnerability repair instruction after the address of the required kernel symbol has been configured.
  • The preset storage space may be a storage space having executable permissions.
  • The storage space for loading the preset vulnerability repair instruction in the kernel to be repaired may also be determined as follows: the storage space corresponding to a preset kernel function in the kernel to be repaired is used as the storage space for loading the preset vulnerability repair instruction.
  • The storage space for loading the preset vulnerability repair instruction in the kernel to be repaired may also be determined as follows: a preset storage space allocation instruction is loaded into the storage space corresponding to a preset kernel function in the kernel to be repaired, generating a storage space of a preset size; the generated storage space is used as the storage space for loading the preset vulnerability repair instruction.
  • Code with a memory allocation function can be implemented by modifying the code of a kernel function, such as the uname function. After that code is compiled, a memory allocation instruction is generated. After the memory allocation instruction is loaded, a piece of storage space allocated in the Linux kernel can be returned, and the preset vulnerability repair instruction can be loaded into that storage space.
  • Step 304: Load the preset vulnerability repair instruction in the storage space.
  • The preset vulnerability repair instruction may be loaded in the storage space to repair the vulnerability in the kernel to be repaired.
  • This concerns step 303, that is, loading a preset vulnerability repair instruction in the selected storage space or the allocated storage space. The solution described in this embodiment may further select, for different versions of the kernel, a storage space for loading the vulnerability repair instruction, and load the vulnerability repair instruction in that storage space.
  • The vulnerability repair instruction can thus be located in different versions of the kernel, so that other kernel programs in the kernel can communicate with the vulnerability repair code during the repair process, for example by passing parameters, further enhancing the applicability of the vulnerability repair instruction to different versions of the kernel.
  • Loading the vulnerability repair instruction in one version of the kernel is taken as an example to illustrate the kernel vulnerability repair method of this application. The vulnerability repair code can be generated first.
  • The vulnerability repair code contains code for modifying the problematic kernel function A into the repaired kernel function A1, and kernel function B is called in the repair code.
  • The resulting vulnerability repair instruction includes an instruction for calling kernel function B and an instruction for modifying kernel function A into the repaired kernel function A1.
  • The vulnerability repair instruction can then be loaded into the selected storage space in the kernel.
  • Kernel function B can be called by correctly jumping to the address of kernel function B in that version of the kernel.
  • The code of the repaired kernel function A1 can be copied to the memory space of kernel function A in the kernel, thereby repairing the problematic kernel function A.
  • The vulnerability repair code needs to find the address, in the kernel, of the kernel function that needs to be repaired, and then replace the problematic kernel function with the repaired kernel function. Because kernel functions have different addresses in different kernel versions, code that replaces kernel functions in one version of the kernel cannot be applied to another version of the kernel. Vulnerability repair code therefore has to be set for each kernel version, which increases development costs.
  • The vulnerability repair code includes code to replace the problematic function with the repaired kernel function.
  • A vulnerability repair instruction can be generated from it.
  • Based on the memory address, in the kernel to be repaired, of the kernel function indicated by the kernel symbol in the vulnerability repair instruction, the address of the kernel symbol that the vulnerability repair instruction requires to call the kernel function is configured.
  • When the vulnerability repair instruction is loaded in different versions of the kernel, it can accurately jump to the kernel function corresponding to the kernel symbol or access the variable corresponding to the kernel symbol.
  • The vulnerability repair instruction is thus applicable to loading in various versions of the kernel, completing the repair of the problematic kernel functions in the kernel, that is, the repair of the vulnerability in the kernel.
  • The kernel vulnerability repair apparatus 400 includes an address determining unit 401, a setting unit 402, a space determining unit 403, and a loading unit 404.
  • The address determining unit 401 is configured to determine the memory address, in the kernel to be repaired, of the kernel function or variable indicated by a kernel symbol in a preset vulnerability repair instruction to be loaded into memory, the preset vulnerability repair instruction being generated by compiling the preset vulnerability repair code; the setting unit 402 is configured to configure, based on the memory address, the address of the kernel symbol that the preset vulnerability repair instruction requires to call the kernel function or access the variable; the space determining unit 403 is configured to determine the storage space, in the kernel to be repaired, used to load the preset vulnerability repair instruction after the address of the required kernel symbol has been configured; and the loading unit 404 is configured to load the preset vulnerability repair instruction in the storage space to repair the vulnerability in the kernel to be repaired.
  • The space determining unit 403 includes: a first storage space configuration subunit (not shown) configured to use a preset storage space in the kernel to be repaired as the storage space for loading the preset vulnerability repair instruction.
  • The space determining unit 403 includes: a second storage space configuration subunit (not shown) configured to use the storage space corresponding to a preset kernel function in the kernel to be repaired as the storage space for loading the preset vulnerability repair instruction after the address of the required kernel symbol has been configured.
  • The space determining unit 403 includes: a storage space allocation subunit (not shown) configured to load a preset storage space allocation instruction into the storage space corresponding to a preset kernel function in the kernel to be repaired, generating a storage space of a preset size; and a third storage space configuration subunit (not shown) configured to use the generated storage space as the storage space for loading the preset vulnerability repair instruction after the address of the required kernel symbol has been configured.
  • The loading unit 404 includes: a memory address obtaining subunit (not shown) configured to acquire the memory address of the kernel function to be repaired in the kernel to be repaired; and a subunit (not shown) configured to replace that memory address in the system call table of the kernel to be repaired with the preset memory address.
  • The loading unit 404 includes: a storage space acquisition subunit (not shown) configured to acquire the storage space corresponding to the kernel function to be repaired in the kernel to be repaired; and a subunit (not shown) configured to copy the repaired kernel function to that storage space.
  • The apparatus 400 further includes: an information acquiring unit (not shown) configured to acquire attribute information of the kernel to be repaired and the memory addresses of the kernel functions or variables in the kernel to be repaired, the attribute information including the architecture information of the processor on which the kernel to be repaired runs and the kernel version information; and a storage unit (not shown) configured to store the attribute information in correspondence with the memory addresses.
  • FIG. 5 is a block diagram showing the structure of a computer system suitable for implementing the terminal device or server of the embodiment of the present application.
  • computer system 500 includes a central processing unit (CPU) 501 that can be loaded into a program in random access memory (RAM) 503 according to a program stored in read only memory (ROM) 502 or from storage portion 508. And perform various appropriate actions and processes.
  • RAM random access memory
  • ROM read only memory
  • RAM 503 various programs and data required for the operation of the system 500 are also stored.
  • the CPU 501, the ROM 502, and the RAM 503 are connected to each other through a bus 504.
  • An input/output (I/O) interface 505 is also coupled to bus 504.
  • the following components are connected to the I/O interface 505: an input portion 506 including a keyboard, a mouse, etc.; an output portion 507 including, for example, a cathode ray tube (CRT), a liquid crystal display (LCD), and the like, and a storage portion 508 including a hard disk or the like. And a communication portion 509 including a network interface card such as a LAN card, a modem, or the like. The communication section 509 performs communication processing via a network such as the Internet.
  • Driver 510 is also coupled to I/O interface 505 as needed.
  • a removable medium 511 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory or the like is mounted on the drive 510 as needed so that a computer program read therefrom is installed into the storage portion 508 as needed.
  • an embodiment of the present disclosure includes a computer program product comprising a computer program tangibly embodied on a machine readable medium, the computer program comprising program code for executing the method illustrated in the flowchart.
  • the computer program can be downloaded and installed from the network via the communication portion 509, and/or installed from the removable medium 511.
  • each block of the flowchart or block diagrams can represent a module, a program segment, or a portion of code that includes one or more logic for implementing the specified.
  • Functional executable instructions can also be noted that in some cases as a replacement In the implementation, the functions noted in the blocks may also occur in a different order than that illustrated in the drawings. For example, two successively represented blocks may in fact be executed substantially in parallel, and they may sometimes be executed in the reverse order, depending upon the functionality involved.
  • each block of the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts can be implemented in a dedicated hardware-based system that performs the specified function or operation. Or it can be implemented by a combination of dedicated hardware and computer instructions.
  • The present application further provides a non-volatile computer storage medium, which may be the non-volatile computer storage medium included in the apparatus described in the foregoing embodiments, or may be a non-volatile computer storage medium that exists alone and is not assembled into the terminal.
  • The non-volatile computer storage medium stores one or more programs which, when executed by a device, cause the device to: determine the memory address, in the kernel to be repaired, of the kernel function or variable indicated by a kernel symbol in a preset vulnerability repair instruction to be loaded into memory, the preset vulnerability repair instruction being generated by compiling preset vulnerability repair code; based on the memory address, configure the address of the kernel symbol required when the preset vulnerability repair instruction calls the kernel function or variable; determine the storage space, in the kernel to be repaired, used for loading the preset vulnerability repair instruction after the address of the kernel symbol it requires has been configured; and load the preset vulnerability repair instruction into the storage space to repair the vulnerability in the kernel to be repaired.
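The four operations listed above, modeled in user space as an added example that is not code from the patent: the same patch blob is bound to two kernel builds by resolving each symbol in that build's symbol table and writing the address into the patch before it is loaded. The symbol names (`demo_check_len`, `demo_limit`), addresses, blob bytes and slot layout are constructed assumptions, and `malloc()` stands in for storage space obtained in the kernel.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct ksym { const char *name; uint64_t addr; };          /* one symbol-table entry */
struct patch_reloc { const char *name; size_t offset; };   /* 8-byte slot to fill in the patch */

/* Constructed sample data: the same hypothetical symbols sit at different
 * addresses in two kernel builds; the patch blob has empty slots at 8 and 16. */
const struct ksym KERNEL_A[] = { { "demo_check_len", 0xffffffc000301a40ULL },
                                 { "demo_limit",     0xffffffc000f12008ULL } };
const struct ksym KERNEL_B[] = { { "demo_check_len", 0xffffffc00031c7d0ULL },
                                 { "demo_limit",     0xffffffc000f40010ULL } };
const uint8_t PATCH_BLOB[24] = { 0xAA, 0xAA, 0xAA, 0xAA }; /* placeholder code bytes */
const struct patch_reloc PATCH_RELOCS[] = { { "demo_check_len", 8 }, { "demo_limit", 16 } };

/* Step 201: address of the function/variable named by a kernel symbol (0 = absent). */
uint64_t resolve_symbol(const struct ksym *tab, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(tab[i].name, name) == 0)
            return tab[i].addr;
    return 0;
}

/* Steps 202-204: write each resolved address into its slot in a private copy of
 * the patch. Returns NULL if a symbol is missing or a slot is out of bounds, so
 * a partially relocated patch is never loaded. The caller frees the result. */
uint8_t *relocate_and_load(const uint8_t *blob, size_t len,
                           const struct patch_reloc *rel, size_t nrel,
                           const struct ksym *tab, size_t nsym)
{
    uint8_t *image = malloc(len);
    if (image == NULL) return NULL;
    memcpy(image, blob, len);
    for (size_t i = 0; i < nrel; i++) {
        uint64_t addr = resolve_symbol(tab, nsym, rel[i].name);
        if (addr == 0 || rel[i].offset > len || len - rel[i].offset < sizeof addr) {
            free(image);
            return NULL;
        }
        memcpy(image + rel[i].offset, &addr, sizeof addr);
    }
    return image;
}
```

Refusing to load when any symbol fails to resolve is the check that matters on a build the patch was not prepared for: a slot left at zero would turn the repair into a jump to an invalid address.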


Abstract

The invention relates to a kernel vulnerability repair method and device. A specific embodiment of the method comprises: determining a memory address, in a kernel to be repaired, of a kernel function or variable indicated by a kernel symbol in a preset vulnerability repair instruction to be loaded into memory (201); configuring, according to the memory address, the address of the kernel symbol required when the preset vulnerability repair instruction calls the kernel function or variable (202); determining a storage space used for loading the preset vulnerability repair instruction in the kernel to be repaired after the address of the kernel symbol required by the preset vulnerability repair instruction has been configured (203); and loading the preset vulnerability repair instruction into the storage space (204). In the method, the address of a kernel symbol required by a vulnerability repair instruction is configured according to a determined memory address of a kernel function or variable having problems, so that, when loaded into kernels of different versions, the vulnerability repair instruction can jump precisely to the kernel function corresponding to the kernel symbol or access the variable corresponding to the kernel symbol. The vulnerability repair instruction can be loaded into kernels of different versions, and the kernel vulnerability is thereby repaired.
PCT/CN2016/086412 2016-03-30 2016-06-20 Kernel vulnerability repair method and device WO2017166448A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610191535.0A CN105868639A (zh) 2016-03-30 2016-03-30 Kernel vulnerability repair method and device
CN201610191535.0 2016-03-30

Publications (1)

Publication Number Publication Date
WO2017166448A1 true WO2017166448A1 (fr) 2017-10-05

Family

ID=56627697

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/086412 WO2017166448A1 (fr) 2016-03-30 2016-06-20 Kernel vulnerability repair method and device

Country Status (2)

Country Link
CN (1) CN105868639A (fr)
WO (1) WO2017166448A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111881455A (zh) * 2020-07-27 2020-11-03 绿盟科技集团股份有限公司 Method and device for firmware security analysis
CN112906008A (zh) * 2018-11-15 2021-06-04 百度在线网络技术(北京)有限公司 Kernel vulnerability repair method, device, server and system

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
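CN106598667B (zh) 2016-12-12 2018-07-27 百度在线网络技术(北京)有限公司 Method and device for repairing kernel vulnerabilities
CN107273750B (zh) * 2017-05-31 2021-03-16 上海交通大学 System and method for patching kernel vulnerabilities of Android devices
CN108415840A (zh) * 2018-03-14 2018-08-17 百度在线网络技术(北京)有限公司 Method, device and server for repairing function defects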

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
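CN103309683A (zh) * 2012-03-07 2013-09-18 京信通信系统(中国)有限公司 Method and device for embedding software patches in hardware devices
CN103324494A (zh) * 2012-03-22 2013-09-25 金蝶软件(中国)有限公司 Method, server and system for automatically producing patches
CN103345412A (zh) * 2013-07-10 2013-10-09 华为技术有限公司 Patching method and device
CN104679532A (zh) * 2013-11-27 2015-06-03 腾讯科技(深圳)有限公司 Kernel module loading method and device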

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8286238B2 (en) * 2006-09-29 2012-10-09 Intel Corporation Method and apparatus for run-time in-memory patching of code from a service processor
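CN101281488A (zh) * 2007-04-06 2008-10-08 上海宇梦通信科技有限公司 Kernel debugging method for the Linux operating system
CN101799763B (zh) * 2009-02-10 2013-01-30 华为技术有限公司 Method, device and system for online kernel patching
CN101937340B (zh) * 2009-06-29 2014-11-05 中兴通讯股份有限公司 Method and device for dynamically upgrading and controlling software using patches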

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
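CN112906008A (zh) * 2018-11-15 2021-06-04 百度在线网络技术(北京)有限公司 Kernel vulnerability repair method, device, server and system
CN111881455A (zh) * 2020-07-27 2020-11-03 绿盟科技集团股份有限公司 Method and device for firmware security analysis
CN111881455B (zh) * 2020-07-27 2023-12-01 绿盟科技集团股份有限公司 Method and device for firmware security analysis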

Also Published As

Publication number Publication date
CN105868639A (zh) 2016-08-17

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16896221

Country of ref document: EP

Kind code of ref document: A1

122 Ep: pct application non-entry in european phase

Ref document number: 16896221

Country of ref document: EP

Kind code of ref document: A1