WO2019004503A1 - Method and system for detecting application vulnerability - Google Patents

Method and system for detecting application vulnerability


Publication number
WO2019004503A1
Authority
WO
WIPO (PCT)
Prior art keywords
pattern
detection
file
vulnerability
searching
Application number
PCT/KR2017/006913
Other languages
English (en)
Korean (ko)
Inventor
안성범
정명주
전상훈
김태우
서동필
한광희
류주현
정상민
임성열
Original Assignee
라인 가부시키가이샤
Application filed by 라인 가부시키가이샤
Priority to PCT/KR2017/006913 (WO2019004503A1)
Priority to JP2019569960A (JP2020531936A)
Publication of WO2019004503A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Definitions

  • The following description relates to a method and system for detecting vulnerabilities in an application, and to a computer program stored on a computer-readable recording medium that, in combination with a computer, causes the computer to execute the vulnerability detection method.
  • An app store is an online content marketplace that sells a variety of applications that can be installed on terminals such as smartphones.
  • An application developer registers a file (for example, an Android application package (APK)) for installing the developed application on a terminal in the app store, and users of the application can download the file and install and run the application on their own terminals.
  • As with game publishers, which distribute various game applications to users, there are application publishers that register various applications that they did not develop themselves and distribute the registered applications to users.
  • The first risk of an application is that the application contains information developed with malicious intent, such as malicious code, and so performs a malicious function against the application publisher with which it is registered or on the terminal of the user.
  • Korean Patent Laid-Open No. 10-2014-0098025 relates to a system and method for security evaluation of an application uploaded to an application store. When an application to be registered in the application store is detected as performing a malicious function, (Registration in the AppStore) of the application.
  • The second risk of an application is the risk to the security of the application itself.
  • The application performs functions other than those originally intended by the developer, thereby reducing the reliability of the service to be provided through the application. Accordingly, application publishers need to provide a certain level of security for applications when distributing various applications (installation files of applications) that they have not developed directly.
  • Each application may have security solutions at different security levels, or may not include any security measures at all.
  • Provided are a vulnerability detection method and system in which a search pattern for diagnosing an application vulnerability is set in advance and a vulnerability of a package file of an application registered for distribution is detected on the basis of the set detection pattern.
  • A method for detecting a vulnerability of an application, comprising: detecting a predetermined detection pattern for diagnosing a vulnerability of the application, with respect to at least one of files included in a package file for installing and running an application and codes included in the files; registering a package file for distribution to users for installation and operation of an application; and analyzing the registered package file according to at least one of the detection patterns to detect the vulnerability information according to the at least one detection pattern.
  • A computer program for causing a computer to execute the vulnerability detection method is recorded on a computer-readable recording medium.
  • A system for detecting a vulnerability in an application, comprising at least one processor configured to execute computer-readable instructions, wherein the at least one processor manages a predetermined detection pattern for diagnosing a vulnerability of the application with respect to at least one of codes included in the files, registers a package file for distribution to users for installation and operation of the application, analyzes the registered package file according to at least one detection pattern among the patterns, and detects the vulnerability information according to the at least one detection pattern.
  • A search pattern for diagnosing an application vulnerability can be set in advance, and a vulnerability of a package file of an application registered for distribution can be detected based on the set detection pattern.
  • FIG. 1 is a diagram illustrating an example of a network environment according to an embodiment of the present invention.
  • FIG. 2 is a block diagram illustrating an internal configuration of an electronic device and a server according to an embodiment of the present invention.
  • FIG. 3 is a block diagram of a security evaluation system according to an embodiment of the present invention.
  • FIG. 4 is a diagram for explaining a call relationship between instruction masses in an embodiment of the present invention.
  • FIG. 5 is a diagram for explaining a calling relationship between methods in an embodiment of the present invention.
  • FIG. 6 is a diagram for explaining rules and patterns according to an embodiment of the present invention.
  • FIG. 7 is a diagram for explaining a structure of a pattern in an embodiment of the present invention.
  • FIG. 8 is a diagram for explaining a source of a pattern in an embodiment of the present invention.
  • FIG. 9 is a diagram showing an example of a pattern for arbitrary files in an embodiment of the present invention.
  • FIG. 10 is a diagram illustrating an example of a result of detecting a specific character string in a file and a result of detecting a specific file in a package file in an embodiment of the present invention.
  • FIG. 11 is a diagram showing an example of a pattern for an Android manifest file in an embodiment of the present invention.
  • FIG. 12 is a diagram showing an example of a pattern for a Dex file in an embodiment of the present invention.
  • FIG. 13 is a diagram showing an example of a pattern for a so file in an embodiment of the present invention.
  • FIG. 14 is a diagram showing an example of a pattern for a dll file in an embodiment of the present invention.
  • The vulnerability detection system can be implemented through a server to be described later, and a vulnerability detection method according to embodiments of the present invention can be performed through that server.
  • A computer program according to an exemplary embodiment of the present invention may be installed and run on the server, and the server may perform the vulnerability detection method according to an embodiment of the present invention under the control of the running computer program.
  • The above-described computer program may be stored in a computer-readable recording medium to cause the computer, in combination with the computer-implemented server, to execute the vulnerability detection method.
  • FIG. 1 is a diagram illustrating an example of a network environment according to an embodiment of the present invention. FIG. 1 shows an example in which a plurality of electronic devices 110, 120, 130, 140, a plurality of servers 150, 160, and a network 170 are included. The number of electronic devices and the number of servers are not limited to those shown in the figure.
  • Each of the plurality of electronic devices 110, 120, 130, 140 may be a fixed terminal or a mobile terminal implemented as a computer device.
  • Examples of the plurality of electronic devices 110, 120, 130 and 140 include a smartphone, a mobile phone, a navigation device, a computer, a notebook, a digital broadcast terminal, a PDA (Personal Digital Assistant), and a tablet PC.
  • FIG. 1 illustrates the shape of a smartphone as an example of the first electronic device 110, but in the embodiments of the present invention, the first electronic device 110 may refer to any one of a variety of physical devices capable of communicating with the other electronic devices 120, 130, 140 and/or the servers 150, 160 through the network 170 using a wireless or wired communication method.
  • The communication method is not limited, and may include not only a communication method using a communication network (for example, a mobile communication network, the wired Internet, the wireless Internet, or a broadcasting network) that the network 170 may include, but also short-range wireless communication between devices.
  • The network 170 may include any one or more of networks such as a personal area network (PAN), a local area network (LAN), a campus area network (CAN), a metropolitan area network (MAN), a wide area network (WAN), and the Internet.
  • The network 170 may also include any one or more of network topologies including a bus network, a star network, a ring network, a mesh network, a star-bus network, and a tree or hierarchical network, but is not limited thereto.
  • Each of the servers 150 and 160 is a computer device, or a plurality of computer devices, that communicates with the plurality of electronic devices 110, 120, 130 and 140 through the network 170 to provide commands, codes and files.
  • The server 150 may be a system that provides a first service to the plurality of electronic devices 110, 120, 130, 140 connected through the network 170. More specifically, the server 150 may be at least a part of the apparatuses constituting the system of the application publisher, and may provide, as the first service, a service of registering and distributing the package files of applications that are installed and run on the plurality of electronic devices 110, 120, 130 and 140.
  • The server 160 may provide a service associated with the application, as a second service, to the plurality of electronic devices 110, 120, 130, 140 that install and run the application through the distributed package file.
  • The server 150 may be used to implement a dedicated system for detecting vulnerability information of a package file to be registered.
  • FIG. 2 is a block diagram illustrating an internal configuration of an electronic device and a server according to an embodiment of the present invention. FIG. 2 illustrates the internal configuration of the electronic device 1 (110), as an example of the electronic devices, and of the server 150. The other electronic devices 120, 130, 140 and the server 160 may have the same or a similar internal configuration as the electronic device 1 (110) or the server 150.
  • The electronic device 1 (110) and the server 150 may include memories 211 and 221, processors 212 and 222, communication modules 213 and 223, and input/output interfaces 214 and 224.
  • The memories 211 and 221 are computer-readable recording media and may include a random access memory (RAM), a read only memory (ROM), and a permanent mass storage device such as a disk drive.
  • A permanent mass storage device such as a ROM or a disk drive may instead be included in the electronic device 1 (110) or the server 150 as a separate persistent storage device distinct from the memories 211 and 221.
  • The memories 211 and 221 may store an operating system and at least one program code (for example, code for a browser or for an application installed and run on the electronic device 1 (110)).
  • These software components may be loaded from a computer-readable recording medium separate from the memories 211 and 221.
  • Such a separate computer-readable recording medium may include a floppy drive, a disk, a tape, a DVD/CD-ROM drive, and a memory card.
  • The software components may also be loaded into the memories 211 and 221 via the communication modules 213 and 223 rather than from a computer-readable recording medium.
  • For example, at least one program may be loaded into the memories 211 and 221 based on a computer program (e.g., the application described above) installed from files provided by developers or by a file distribution system (e.g., the server 160 described above) that distributes installation files of applications.
  • The processors 212 and 222 may be configured to process instructions of a computer program by performing basic arithmetic, logic, and input/output operations.
  • The instructions may be provided to the processors 212 and 222 by the memories 211 and 221 or the communication modules 213 and 223.
  • The processors 212 and 222 may be configured to execute received instructions in accordance with program code stored in a recording device such as the memories 211 and 221.
  • The communication modules 213 and 223 may provide functions for the electronic device 1 (110) and the server 150 to communicate with each other through the network 170, and may provide functions for the electronic device 1 (110) and/or the server 150 to communicate with another electronic device (e.g., electronic device 2 (120)) or another server (e.g., server 160).
  • A request generated by the processor 212 of the electronic device 1 (110) according to program code stored in a recording device such as the memory 211 may be transmitted to the server 150 via the network 170 under the control of the communication module 213. Conversely, control signals, commands, contents, files, and the like provided under the control of the processor 222 of the server 150 may be received by the electronic device 1 (110) through its communication module 213, via the communication module 223 and the network 170.
  • Control signals, commands, contents, files, and the like of the server 150 received through the communication module 213 may be passed to the processor 212 or the memory 211, or to a storage medium (the above-mentioned persistent storage device) that the electronic device 1 (110) may further include.
  • The input/output interface 214 may be a means for interfacing with the input/output device 215.
  • An input device may include a device such as a keyboard or a mouse, and an output device may include a device such as a display or a speaker.
  • The input/output interface 214 may also be a means for interfacing with a device in which input and output functions are integrated, such as a touch screen.
  • The input/output device 215 may be configured as a single device together with the electronic device 1 (110).
  • The input/output interface 224 of the server 150 may be a means for interfacing with a device (not shown) for input or output that may be connected to the server 150 or that the server 150 may include.
  • A service screen or content configured using data provided by the server 150 or the electronic device 2 (120) may be displayed on the display through the input/output interface 214.
  • The electronic device 1 (110) and the server 150 may include more components than those illustrated. However, there is no need to clearly illustrate most prior art components.
  • The electronic device 1 (110) may be implemented to include at least a portion of the input/output devices 215 described above, or may further include other components such as a transceiver, a Global Positioning System (GPS) module, and a camera. More specifically, when the electronic device 1 (110) is a smartphone, components such as an acceleration sensor, a gyro sensor, a camera module, various physical buttons, buttons using a touch panel, input/output ports, and a vibrator may be further included in the electronic device 1 (110).
  • FIG. 3 is a block diagram of a security evaluation system according to an embodiment of the present invention.
  • The security evaluation system 300 of FIG. 3 may be implemented through the server 150 described above.
  • The vulnerability detection system described above may be implemented as part of the security evaluation system 300, or may be implemented separately to include only the components for detecting vulnerabilities.
  • The package decomposition module 310 may be a functional representation of the processor 222 of the server 150 decomposing the package file according to control commands included in the computer program.
  • The vulnerability detection module 342 included in the analysis module 340 may be implemented as a core module for detecting vulnerabilities.
  • The server 150 may provide a service for distributing package files of applications registered by developers to users.
  • The package decomposition module 310 can decompose the registered package files.
  • The Android application package (APK), which has the file extension '.apk', is the package file format used to distribute software and middleware for Android, the mobile operating system.
  • Embodiments of the present invention will be described based on a package file such as an APK, but it will be understood by those skilled in the art that the same or similar features may be applied to other kinds of package files.
  • The file identification module 320 can identify the files included in the decomposed package file.
  • The extensions ('dex', 'so', 'dll', 'json', 'ini', 'apk', 'xml', 'cert') shown in FIG. 3 will be readily apparent to those skilled in the art.
  • The parsing module 330 may parse the identified files. To do this, the parser 331 may parse files of a particular extension (e.g., 'dex', 'so', 'dll') among the identified files, and the collector 332 may gather the necessary information from files of a particular extension (e.g., 'json', 'ini', 'apk', 'xml', 'cert').
  • The parsing module 330 can identify each of the classes and methods included in a 'dex' file, and can track the instructions included in each method and group them into masses of instructions. Masses of instructions can be separated by a branch instruction such as a 'goto' statement, a 'switch' statement, or an 'if' statement.
  • The parsing module 330 may generate and manage information about the call relationships between these instruction masses. For example, the call relationships between instruction masses can be managed in a tree structure, and the information about a call relationship can include information about the methods that a particular instruction mass calls. Such information can be generated and managed for each of the files included in a package file such as an APK file, and the parsing method can vary according to the characteristics of the file.
  • The parsed information and the collected information may be passed to the analysis module 340.
  • The analysis module 340 may generate, based on the information transmitted from the parsing module 330, analysis information for the package file (or for the application installed and run on a user terminal such as the electronic device 1 (110) through the package file) from the viewpoints of obfuscation, vulnerability, and security solution.
  • The obfuscation detection module 341 may generate analysis information about how much obfuscation is applied to files of a particular extension (e.g., 'dex', 'so', 'dll').
  • The obfuscation detection module 341 can determine whether obfuscation is applied to each item set in advance according to the type of the file.
  • The vulnerability detection module 342 may generate analysis information as to what vulnerabilities exist in files of a specific extension (for example, 'dex', 'so', or the extension 'config' of a configuration file).
  • The security evaluation system 300 can manage information on already known vulnerabilities, and the vulnerability detection module 342 may use the information on the vulnerabilities to generate analysis information as to what vulnerabilities exist in which files.
  • The platform detection module 343 can extract information about the platform on which the application was developed and/or the platform on which the application runs.
  • The security evaluation system 300 can use different analysis methods depending on the platform with which the application was developed (for example, a development tool such as Unity or Cocos).
  • The security evaluation system 300 may use different analysis methods for each platform.
  • The security evaluation system 300 can extract information about the platform for the package file, analyze the package file based on that information, or provide the extracted platform information to the outside.
  • The security tool detection module 344 may detect a security solution that the developers of the package file themselves have inserted into the package file. For example, a first security tool provided in the form of a library by a third party may be added to the package file by the developer. As another example, a second security tool developed by the developer may be added to the package file by the developer. In other words, the security tool detection module 344 can generate analysis information on whether a security tool is applied to the package file.
  • The relationship analysis module 345 can generate analysis information on the reference relationships between files included in the package file. For example, when a first file includes code for calling a second file, the analysis information may be generated so that it includes information about the reference relationship between the first file and the second file.
  • The report module 350 may collect the analysis information generated by the analysis module 340 and generate a report for providing the analysis information to the persons concerned with the security evaluation system 300 (for example, the administrator of the server 150 or the security inspection team of the application publisher). Such a report can be provided to a terminal of an interested party using Hypertext Markup Language (HTML) or XML (extensible Markup Language) as in the example of FIG.
  • FIG. 4 is a diagram for explaining a call relationship between instruction masses in an embodiment of the present invention.
  • FIG. 4 illustrates an example in which five instruction masses, namely a root mass 410, an instruction mass 1 (420), an instruction mass 2 (430), an instruction mass 3 (440), and an instruction mass 4 (450), are identified for a method A (400).
  • Instruction masses can be distinguished based on branch instructions, and when each of the instruction masses is regarded as a node, the dashed arrows in FIG. 4 indicate the parent node of a particular node.
  • FIG. 4 shows that the parent node of instruction mass 3 (440) is instruction mass 2 (430).
  • A child node may include a mass of instructions separated off according to a branch instruction included in the parent node.
  • The root mass 410 may be the mass of instructions that is executed first for the method A (400).
  • Instruction mass 1 (420) includes an instruction for a conditional branch 421, and the instructions of instruction mass 3 (440) or instruction mass 4 (450) are executed according to the condition.
  • In this case, instruction mass 3 (440) and instruction mass 4 (450) can be identified, and the parent node of instruction mass 3 (440) and instruction mass 4 (450) can be instruction mass 1 (420).
  • The position to move to for instruction mass 3 (440) according to the instruction for the conditional branch 421 is indicated by label 1 (441), and the position to move to for instruction mass 4 (450) is indicated by label 2 (451).
  • A call can be detected at instruction mass 1 (420), and the instruction masses 440 and 450 that are called through the detected call can be indicated through the labels 441 and 451.
  • The solid lines indicate such an indicating relationship.
  • FIG. 5 is a diagram for explaining a calling relationship between methods in an embodiment of the present invention.
  • FIG. 5 shows information 510 for call reference and a method a (520).
  • Method a (520) may include at least one instruction mass, and FIG. 5 illustrates one instruction mass 521.
  • FIG. 5 shows an example in which calls to the method b (511) and the method c (512) are detected in the instruction mass 521.
  • Each method can be identified by a unique method ID.
  • In accordance with the detected call, the vulnerability detection system can acquire information on the method b (511) and the method c (512) from the call reference information 510 using the method ID of the method a (520).
  • The information on the method b (511) and the method c (512) may include information on the instruction masses of the called method b (511) and method c (512), respectively, and, as described with reference to FIG. 4, information on the reference relationship between the nodes. Therefore, the vulnerability detection system can grasp how the execution control of the program according to the file is being transferred.
  • FIG. 6 is a diagram for explaining rules and patterns according to an embodiment of the present invention. FIG. 6 illustrates an example of the structure of a rule 600 according to the present embodiment.
  • The rule 600 may include information on a detection pattern for detecting a vulnerability corresponding to any one of the known vulnerabilities.
  • The 'Name' item 610 may include the name of the corresponding rule 600.
  • The 'Description' item 620 may include a detailed description of the corresponding rule 600.
  • The rule 600 may include explanatory information on the vulnerability.
  • The 'Guide' item 640 may include information on the behavioral principles and instructions related to the use of the rule 600.
  • The 'Priority' item 630 may include information on the risk level of the vulnerability. For example, a value for one of three risk classes, 'Critical', 'Warning', and 'Normal', may be set in the 'Priority' item 630. It is clear that the risk level may instead be divided into two levels, or into four or more levels.
  • The 'Dependency' item 650 may indicate whether there is a condition that dynamically determines the actual risk of the vulnerability. For example, there may be cases where the risk of a single vulnerability is conditional: a vulnerability a may have a 'Critical' risk rating under condition 1, but a 'Normal' risk rating, or no risk at all, under condition 2. Therefore, in order to distinguish such conditional differences, the 'Dependency' item 650 may include information on the condition and information on the risk level according to the condition, or may simply include information as to whether such conditions exist.
  • The items of the rule 600 described above can be optionally included in the rule 600 according to the embodiment.
  • The 'Pattern' item 660 may include one or more detection patterns for detecting vulnerabilities.
  • The detection patterns may be preset, and one rule 600 may include one detection pattern for detecting vulnerabilities or a combination of two or more detection patterns.
  • A detection pattern may be implemented with at least one instruction, and each of the at least one instruction may be implemented in the form of a method or class having parameters.
  • A parameter may be set in advance, or may be set dynamically to a value extracted through another pattern.
  • FIG. 7 is a diagram for explaining a structure of a pattern in an embodiment of the present invention.
  • the rule table may include information on the set rule.
  • 'rule_id (pk)' may mean a rule corresponding to a primary key (pk) among the set rules.
  • 'rule_id (pk)' may refer to a function that takes the main identifier pk as a parameter and returns the identifier of the corresponding rule.
  • 'name (key)' can mean the name of the rule corresponding to the key. This 'name (key)' can also mean a function that actually returns the name of the corresponding rule by taking the key key as a parameter. In this way, 'x (y)' in FIG.
  • 'pattern_hash (fk)' may mean a hash value of a pattern corresponding to an external identifier (foreign key, fk).
  • 'description', 'priority', 'guide' and 'dependency' are 'Description' item 620, 'Priority item' May refer to values corresponding to a 'Priority' item 630, a 'Guide' item 640, and a 'Dependency' item 650.
  • 'pattern_hash (key)' can mean a hash value of the pattern corresponding to the key.
  • the vulnerability detection system can obtain information on necessary rules using the rule table 710 and obtain a hash value of the pattern as an identifier of the pattern included in the obtained rule.
  • the pattern table may include information on the set pattern.
  • 'pattern_id (pk)' may refer to a pattern corresponding to a primary key (pk)
  • 'rule_id (pk)' may refer to a rule corresponding to an external identifier (foreign key, fk).
  • 'source' may mean information about the source of the pattern.
  • the source of a pattern may represent the type of file to be searched in a package file such as APK.
  • 'Join_pattern' is information of another pattern composing one rule, 'join_type (and / or or)', and 'join_type' is information of a type of pattern to be returned.
  • the vulnerability detection system can identify the patterns included in the rule through information on rules obtained from the rule table 710 and obtain information on the patterns included in the rule through the pattern table 720 .
  • the dex file table may include information extracted from the DEK file of the APK.
  • 'pattern_id (fk)' may mean a pattern corresponding to the foreign key (fk) among the set patterns.
  • 'Called_class_name' may be a value for identifying a class name to be called, and 'called_method_name' may be a value for identifying a method name to be called.
  • 'argument_index (optional)' is a function that returns the index of the argument, and 'argument_type' is the type of the argument that is returned. It can mean.
  • the dex file table 730 also includes an argument (argument_from_detect_api_list) from the detected API list, an argument (argument_from_except_api_list) from the exception-treated API list, an argument from the detected field list (argument_from_detect_field_list) (argument_from_except_list).
  • the vulnerability detection system can refer to the dex file table 730 in detecting information necessary for detecting a vulnerability according to a pattern. For example, the vulnerability detection system can identify a method or a class to be invoked in a corresponding instruction mass by using a dex file table 730 in detecting a vulnerability to a specific instruction mass.
  • the file table may include pattern information for extracting information of a specific file included in the package file.
  • 'pattern_id (fk)' may mean a pattern corresponding to an external identifier (foreign key) fk
  • 'pattern_hash (key)' may mean a hash value of a pattern corresponding to a key.
  • 'File_type' is the type of the file to be searched through the pattern.
  • 'file_extension' is the extension of the file to be searched through the pattern.
  • 'file_name' is the name of the file to be searched through the pattern.
  • the content table may include pattern information for extracting characters included in the file.
  • 'pattern_id (fk)' may mean a pattern corresponding to an external identifier (foreign key) fk
  • 'pattern_hash (key)' may mean a hash value of a pattern corresponding to a key.
  • 'File_type' is the type of the file to be searched through the pattern.
  • 'character_type' is the type of the character (or string).
  • 'character' is the character (or string) to be searched.
  • the permission table may include pattern information for extracting permission information of the package file.
  • 'pattern_id (fk)' may mean a pattern corresponding to an external identifier (fk) among the set patterns, and 'name' may mean the name of a permission.
  • the activity table may include pattern information for extracting activity information.
  • 'pattern_id (fk)' may mean a pattern corresponding to an external identifier (fk) among the set patterns, and 'name' may mean the name of an activity.
  • an activity means a screen with a user interface.
  • an activity class can be inherited from an APK. As such, terms such as activities and permissions described above will be readily understood by those skilled in the art through conventional techniques for APK.
  • the SDK table may include pattern information for extracting information on an SDK (Software Development Kit).
  • 'pattern_id (fk)' may mean a pattern corresponding to an external identifier (fk) among the set patterns
  • 'version' means version information of SDK
  • 'version detection condition' can mean a detection condition of the version. For example, if the version is set to '21' and the 'conditional_equality' is 'small or equal', then the SDK version may be detected if it is 21 or less.
  • the source of the pattern 660 included in the rule 600 may be a specific file of a package file such as APK.
  • the pattern 660 may have any file (810), a dex file (dex, 820), an Android manifest file (AndroidManifest.xml, 830), or a dll file (dll, 850) as a source.
  • FIG. 9 is a diagram showing an example of a pattern for arbitrary files in an embodiment of the present invention.
  • FIG. 9 shows the types of patterns 900 for arbitrary files 810.
  • the pattern of the first kind 910 may refer to a pattern for finding a specific character (or string) in a file, and may be expressed as pattern 1 below.
  • a pattern for finding a URL (Uniform Resource Locator) in a JavaScript Object Notation (JSON) file can be implemented as 'RetrieveFileContents: FileType (json) CharacterType (string) Character (http://*)'.
  • the above-mentioned example pattern, as a pattern for retrieving contents contained in a file, may be a command to search for 'http://*' as a string of the 'string' type in a file of the 'json' type.
  • the file type 'all' can mean files of all extensions.
  • the parameter of the character type 'CharacterType ()' may mean a character or a string type such as 'string', 'hexa', and the like.
  • a parameter of 'Character ()' may mean a string to be searched, and an asterisk (*) may mean any string starting with a string before the asterisk.
  • the pattern of the second kind 920 may refer to a pattern for finding a specific file in the package file, and may be expressed as pattern 2 below.
  • a pattern for searching, among the files included in the package file, for a file of the DLL (Dynamic Linking Library) type with the file name 'Assembly-Csharp' can be implemented as 'RetrieveFile: FileType (string) FileName (Assembly-Csharp)'.
  • a pattern for searching DLL type files among the files included in the package file can be implemented as 'RetrieveFile: FileType (string)'.
  • the parameters of the file type 'FileType ()' may be preset file extensions such as 'all', 'apk', 'txt', 'ini', 'property', 'json', 'xml', 'img', 'mp4', or may be set dynamically.
  • the parameters of the file name 'FileName ()' can also be pre-set or dynamically set.
  • 'FileExtension ()' may be further used to search for a file based on the file extension, and the 'FileExtension ()' parameter may be set in advance or dynamically.
  • FIG. 10 is a diagram illustrating an example of a result of detecting a specific character string in a file and a result of detecting a specific file in a package file in an embodiment of the present invention.
  • the detected information 1010 indicates that it may include a detected file name 1011 and a match string 1012 according to the pattern of the first type 910.
  • for example, when there are three 'json' type files, 'http://*' can be searched for as a string of the 'string' type in each of the three files, and the detected strings may be provided by file name. If one 'json' file contains multiple URLs, multiple strings may be detected.
  • the detected information 1020 indicates that it may include a file name (File name, 1021) detected in the package file according to the pattern of the second kind (920). Even in this case, a plurality of file names can be searched according to the pattern.
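The following Python code is an added example, not code from the patent. It runs patterns of the first and second kind over a constructed in-memory package and returns results in the shape described for FIG. 10 (file name plus match string, or file names only). The factor parsing, the reading of 'hexa' as hex-encoded bytes, the use of 'dll' as a FileType value, and all file names and URLs in the sample package are assumptions.

```python
import io
import re
import zipfile

FACTOR_RE = re.compile(r"(\w+)\s*\(([^)]*)\)")


def parse_pattern(text):
    """Split 'Name: Factor (param) ...' into (name, {factor: param})."""
    name, _, rest = text.partition(":")
    return name.strip(), {k: v.strip() for k, v in FACTOR_RE.findall(rest)}


def compile_character(char_type, character):
    """Build a byte regex for the Character() parameter."""
    if char_type == "hexa":  # assumption: the parameter is hex-encoded bytes
        return re.compile(re.escape(bytes.fromhex(character)))
    prefix, star, _ = character.partition("*")
    # '*' means any string starting with the text before the asterisk; here
    # the match runs up to the next space, double quote or non-printable byte.
    tail = rb"[\x21\x23-\x7e]*" if star else b""
    return re.compile(re.escape(prefix.encode()) + tail)


def file_matches(path, factors):
    """Apply the FileType / FileExtension / FileName factors to one entry."""
    base = path.rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    if not dot:
        stem, ext = base, ""
    wanted = factors.get("FileType", "all").lower()
    if wanted != "all" and ext.lower() != wanted:
        return False
    if "FileExtension" in factors and ext.lower() != factors["FileExtension"].lower():
        return False
    return "FileName" not in factors or stem == factors["FileName"]


def run_pattern(pattern_text, package_bytes):
    """Return file names (RetrieveFile) or (file name, match) pairs."""
    name, factors = parse_pattern(pattern_text)
    if name not in ("RetrieveFile", "RetrieveFileContents"):
        raise ValueError(f"unsupported pattern: {name}")
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as pkg:
        names = sorted(n for n in pkg.namelist()
                       if not n.endswith("/") and file_matches(n, factors))
        if name == "RetrieveFile":
            return names
        char_type = factors.get("CharacterType", "string")
        rx = compile_character(char_type, factors["Character"])
        hits = []
        for n in names:
            for m in rx.finditer(pkg.read(n)):
                raw = m.group()
                hits.append((n, raw.hex() if char_type == "hexa" else raw.decode("latin-1")))
        return hits


def build_sample_package():
    """Constructed package (an APK is a zip archive); all contents are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/config.json",
                   '{"api": "http://api.example.test/v1", "cdn": "https://cdn.example.test"}')
        z.writestr("assets/ads.json",
                   '{"a": "http://ads.example.test/x", "b": "http://track.example.test/y"}')
        z.writestr("res/raw/empty.json", "{}")
        z.writestr("assets/bin/Data/Managed/Assembly-Csharp.dll", b"MZ\x90\x00constructed")
        z.writestr("lib/notes.txt", "see http://docs.example.test")
    return buf.getvalue()


if __name__ == "__main__":
    pkg = build_sample_package()
    for p in ("RetrieveFileContents: FileType (json) CharacterType (string) Character (http://*)",
              "RetrieveFile: FileType (dll) FileName (Assembly-Csharp)"):
        print(p, "->", run_pattern(p, pkg))
```

One 'json' file yields two matches and another yields none, which is the per-file grouping the text describes; the 'https://' URL is not reported because the search string is 'http://'.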
  • FIG. 11 is a diagram showing an example of a pattern for an Android manifest file in an embodiment of the present invention. FIG. 11 shows the types of the pattern 1100 for the Android manifest file (AndroidManifest.xml, 830).
  • the pattern of the third kind 1110 may refer to a pattern for finding a permission group in the Android manifest file 830 and may be expressed as pattern 3 below.
  • permissions such as 'android.permission.GET_TASKS' and 'android.permission.INTERNET' may be provided.
  • a permission may be searched for by a specific permission name, as in the pattern 'RetrievePermission: Name (android.permission.READ_EXTERNAL_STORAGE)'.
  • when a vulnerability associated with a particular permission is known, a pattern can be set to detect whether the permission exists, and vulnerability detection can be performed based on the configured pattern.
  • the common factors may include a common role.
  • the pattern of the fourth kind 1120 may refer to a pattern for finding an activity group in the Android manifest file 830 and may be expressed as pattern 4 below.
  • the pattern of the fifth kind 1130 may refer to a pattern for finding the minimum SDK API version in the Android manifest file 830 and may be expressed as pattern 5 below.
  • the parameter of version 'Version ()' can be set to dynamically set the value of the desired version as a string type, or an asterisk (*) to mean all versions.
  • 'ConditionalEquality' which means a comparison condition, can be utilized for comparison between the value set in the version 'Version ()' using the equal sign or inequality and the SDK API version set in the Android manifest file.
  • 'RetrieveMinSDK Version (21)
  • the pattern of the sixth kind 1140 may refer to a pattern for searching the target SDK API version in the Android manifest file 830 and may be expressed as pattern 6 below.
  • the version 'Version ()' and 'ConditionalEquality' which means the comparison condition, can be common with the pattern 6.
  • the pattern of the seventh kind 1150 may refer to a pattern in which the main application is found in the Android manifest file 830 and may be expressed as pattern 7 below.
  • the pattern of the eighth kind 1160 may refer to a pattern of finding a service group in the Android manifest file 830 and may be expressed as pattern 8 below.
  • the pattern of the ninth kind 1170 may refer to a pattern for finding a receiver group in the Android manifest file 830 and may be expressed as pattern 9 below.
  • the pattern of the tenth kind (1180) may refer to a pattern of finding a provider group in the Android manifest file (830), and may be expressed as pattern 10 below.
  • the permissions, activity, minimum SDK API version, target SDK API version, main application, service, receiver, and provider searched in the Android manifest file 830 may be readily understood by those skilled in the art through well known prior art techniques for APK .
  • FIG. 12 is a diagram showing an example of a pattern for a dex file in an embodiment of the present invention. FIG. 12 shows the types of the patterns 1200 for the dex file (dex, 820).
  • the pattern of the eleventh kind 1210 may refer to a pattern for searching a called API, and may be expressed as pattern 11 below.
  • 'DexFindApi' can refer to the pattern name of the pattern for which the called API is searched.
  • 'DexCalledAPI' can mean a factor for specifying a specific method of a specific class. These classes and methods can be specified according to 'ClassName' and 'MethodName'.
  • 'DexTraceArgument' may refer to a factor for specifying a specific index and / or an argument of a certain type.
  • 'DexArgumentFrom' can mean a factor for determining whether to handle an exception, detecting an argument from a null, or specifying a specific API list or a field list.
  • Table 1 below shows a first example of an instruction mass
  • Table 2 shows a first example of a pattern.
  • DexFindApi DexCalledAPI :: ClassName (Ljavax/net/ssl/SSLContext) MethodName (init)
  • the pattern in Table 2 can refer to a pattern that looks for an API that calls the method 'init' in class 'Ljavax/net/ssl/SSLContext'.
  • based on the corresponding pattern, the vulnerability detection system can detect that the method 'mfindMe' of the class 'cfindMe' calls the corresponding method 'init' in the instruction mass of Table 1, and a message such as 'called from cfindMe->mfindMe' may be provided.
  • Table 3 below shows the second example of the instruction mass, and Table 4 shows the second example of the pattern.
  • DexFindApi DexCalledAPI :: ClassName (Ljavax/net/ssl/SSLContext) MethodName (init)
  • DexTraceArgument ArgumentIndex (2): ArgumentType (Ljavax/net/ssl/TrustManager) FromApiList :: FromApiList [0] ⁇ ClassName (Ljavax/net/ssl/TrustManagerFactory), MethodName (getTrustManagers) ⁇ : Exception (true)
  • the pattern in Table 4 finds the API calling the method 'init' in class 'Ljavax/net/ssl/SSLContext' and traces the argument of type 'Ljavax/net/ssl/TrustManager' at index '2'.
  • this can mean a pattern in which the method 'getTrustManagers' of the class 'Ljavax/net/ssl/TrustManagerFactory' specified in FromApiList is treated as an exception (true).
  • the API calling the method 'init' of the class 'Ljavax/net/ssl/SSLContext' is the method 'mfindMe' of the class 'cfindMe', and the argument of type 'Ljavax/net/ssl/TrustManager' is 'tm'.
  • when the method 'getTrustManagers' of the class 'Ljavax/net/ssl/TrustManagerFactory' is exception-handled, the argument 'tm' or the method 'mfindMe' of the class 'cfindMe' can be detected without exception.
  • Table 5 below shows a third example of the instruction mass
  • Table 6 shows a third example of the pattern.
  • DexFindApi DexCalledAPI :: ClassName (Ljavax/net/ssl/SSLContext) MethodName (init) DexTraceArgument :: ArgumentIndex (2) DexArgumentFrom :: FromNull
  • the pattern in Table 6 may refer to a pattern that finds the API calling the method 'init' in class 'Ljavax/net/ssl/SSLContext', traces the argument of index '2' in method 'init', and looks for an argument passed from null.
  • the API calling the method 'init' of class 'Ljavax/net/ssl/SSLContext' is the method 'mfindMe' of class 'cfindMe', and the argument of index '2' is null.
  • according to 'DexCalledAPI', it can be detected that method 'mfindMe' of class 'cfindMe' calls the method 'init', and according to 'DexTraceArgument' and 'DexArgumentFrom', that the argument at index 2 of 'init' comes from 'null'.
  • a 'called from cfindMe->mfindMe' message and an 'argument from null' message may be provided.
  • Table 7 below shows the fourth example of the instruction mass
  • Table 8 shows the fourth example of the pattern.
  • DexFindApi DexCalledAPI :: ClassName (System) MethodName (loadLibrary) DexTraceArgument :: ArgumentIndex (1)
  • the pattern in Table 8 can refer to a pattern that looks for APIs that call the method 'loadLibrary' in class 'System' and traces the arguments at index '1' in method 'loadLibrary'.
  • the detection result of the pattern can be provided as shown in the message of Table 9 below.
  • str input (parameter) may mean that the argument 'str' was passed as parameter 'input', and parameter ' It can mean "xxx" in method 'init'. Therefore, it can be seen that the argument 'str' of the index '1' of the method 'loadLibrary' of the class 'System' has the value 'xxxxx' of the current 'string' type.
  • Table 10 below shows the fifth example of the instruction mass
  • Table 11 shows the fifth example of the pattern.
  • DexFindApi DexCalledAPI :: ClassName (Ljavax/net/ssl/TrustManager) MethodName (init) DexTraceArgument :: ArgumentIndex (2) DexArgumentFrom : Exception (false): FromFieldList FromField [0] ⁇ ClassName (Lorg/apache/http/conn/ssl/SSLSocketFactory), FieldName (ALLOW_ALL_HOSTNAME_VERIFIER)
  • the pattern in Table 11 may refer to a pattern that finds the API calling the method 'init' in class 'Ljavax/net/ssl/SSLContext', traces the argument of index '2' in method 'init', and does not handle exceptions.
  • the API calling the method 'init' of the class 'Ljavax/net/ssl/SSLContext' (for example, 'called from cfindMe -> mfindMe') may be provided as a result of detection, and a message (e.g., 'argument from SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER') indicating that the argument 'tm' of index '2' of method 'init' is an argument from SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER may be further provided as a detection result.
  • the pattern of the twelfth kind 1220 may refer to a pattern for finding a specific instruction of a method, and may be expressed as pattern 12 below.
  • 'DexMethodyBody' can refer to a pattern name to find a specific instruction within a particular method.
  • 'MethodName' may mean a factor for specifying a method.
  • 'DexInstructionList' may mean a factor for specifying an instruction to detect.
  • 'List<DexInstruction>' can be used to specify the instruction to detect, and 'Except (true / false)' can be used to determine whether to handle the specified instruction.
  • 'VoidBody' can be used to specify an instruction of type void, and 'InvokeInstruction' can be used to specify the instruction to be called.
  • Table 12 below shows the sixth example of the instruction mass
  • Table 13 shows the sixth example of the pattern.
  • DexMethodyBody MethodName :: checkServerTrusted
  • DexInstructionList :: ⁇ DexInstruction (VoidBody) ⁇ : Except (false)
  • the pattern in Table 13 can refer to a pattern that checks whether the method 'checkServerTrusted' is a void type. Since the method 'checkServerTrusted' is declared as void type in the instruction mass of Table 12, a message (for example, 'Body is void') may be provided to notify that the method 'checkServerTrusted' is of type void.
  • Table 14 below shows the seventh example of the instruction mass, and Table 15 shows the seventh example of the pattern.
  • DexMethodyBody MethodName :: checkServerTrusted
  • DexInstructionList :: ⁇ DexInstruction (InvokeInstruction (Ljava/security/cert/CertificateException, <init>), DexInstruction (Ljava/lang/IllegalArgumentException,
  • the pattern in Table 13 can refer to a pattern that looks, in the method 'checkServerTrusted', for an instruction that calls 'Ljava/security/cert/CertificateException' and an instruction that calls 'Ljava/lang/IllegalArgumentException'.
  • in the instruction mass in Table 14, it can be seen that there is an instruction to call the method 'Ljava/security/cert/CertificateException'.
  • a message (e.g., 'Invoke instruction isdetected, CertificateException -> <init>')
  • the patterns can be joined. For example, you can use the pattern 'DexFindApi' to find a specific class 'a', then use the pattern 'DexMethodyBody' to find the specific instruction in the method of class 'a'. For example, these two patterns can be joined and included in one rule.
  • the pattern of the thirteenth kind 1230 may refer to a pattern of finding a child class of a specific class, and may be expressed as pattern 13 below.
  • DexFindSubClass
  • 'DexFindSubClass' can refer to a pattern name for finding a child class of a specific class.
  • 'DexParent' can be a factor for specifying the parent class of the child class to be searched.
  • Table 16 below shows the eighth example of the instruction mass, and Table 17 shows the eighth example of the pattern.
  • Class cfindMe extend IamYourFather ⁇
  • Class csearchMe extend IamYourFather ⁇
  • DexFindSubClass DexParent :: ClassName (IamYourFather)
  • Table 17 can refer to a pattern for locating a child class that has the class 'IamYourFather' as its parent.
  • class 'cfindMe' and class 'csearchMe' can each be detected because they are child nodes of class 'IamYourFather', and the detected class 'cfindMe' and class 'csearchMe' may be provided.
  • the joins between the patterns can be utilized in various ways. For example, the pattern 'DexFindSubClass' is used to find the child class 'b' having the class 'a' as a parent, and then the detected class 'b' can be used dynamically as the parameter 'ClassName (b)' in the pattern 'DexFindApi'.
  • FIG. 13 is a diagram showing an example of a pattern for a so file in an embodiment of the present invention.
  • FIG. 13 shows the types of patterns 1400 for the so file 840.
  • the pattern of the 14th type 1310 may be a pattern for searching a string (specific string) in the so file 840, and may be expressed as pattern 14 below.
  • the pattern 'RetrieveSoContents' may be a pattern name for retrieving a string in the so file 840, and 'Character (string)' may mean a specific string (for example, 'http://*'). At this time, the string can be retrieved from the '.rdata' section included in the so file 840.
  • the pattern of the fifteenth kind 1320 may be a pattern for searching the API in the so file 840 and may be expressed as pattern 15 below.
  • the pattern 'RetrieveApiContents' may refer to a pattern name for retrieving the API in the so file 840, 'APIType ()' indicates the type of the API as one of an Import Address Table (IAT) and an Export Address Table, and 'Name ()' may be a factor for specifying a name of an API to be searched.
  • FIG. 14 is a diagram showing an example of a pattern for a dll file in an embodiment of the present invention. FIG. 14 shows the types of the pattern 1400 for the dll file 850.
  • the pattern of the sixteenth kind 1410 may refer to a pattern for searching a string (specific string) in the dll file 850, and may be expressed as pattern 16 below.
  • the pattern 'RetrieveDllContents' may refer to a pattern name for searching a string in the dll file 850, and 'Character (string)' refers to a specific string (for example, 'http://*').
  • the parameters in the pattern can be dynamically determined as described above.
  • through a combination of pattern a and pattern b, the value extracted through pattern a can be dynamically utilized as a parameter for pattern b.
  • the patterns 1 to 16 described above are examples for the APK, and other patterns may be utilized for other package files.
  • the vulnerability detection system can provide the administrator or user with an editor function to register such patterns or to edit registered patterns. For example, if a new vulnerability is known to an application, a new pattern can be registered through the editor function to detect a newly known vulnerability.
  • the vulnerability detection system can then detect vulnerabilities by analyzing the package files of the application through the new pattern.
  • the types of patterns may appear as shown in Table 18 below.
  • the pattern 'dex (find_api)' may correspond to the pattern 11 'DexFindApi' described above.
  • This pattern 'dex (find_api)' can be a pattern for detecting calls to the specified api in a method.
  • the pattern 'dex (find_sub)' may correspond to the pattern 13 'DexFindSubClass' described above, and may be used to detect child classes inherited from the specified class.
  • the pattern 'dex (method_body)' may correspond to the pattern 12 'DexMethodBody' described above, and may be used for comparing and detecting invoke instructions, instructions, method names, and the like in a method.
  • the pattern 'dex (method_annotation)' can also be used in Java to detect annotations specified in a method.
  • the pattern 'dex (exist_api)' may be used to detect whether a particular class and / or method exists. For example, when a combination of patterns using logic operations to be described later is used, the pattern combination (dex (exist_api) sub dex (find_api)) can search, in a class found through the pattern 'dex (exist_api)', for api calls specified via the pattern 'dex (find_api)'.
  • the pattern 'dex (exist_field)' can be used to search for the existence of a member of a specific class.
  • the pattern 'dex (exist_field)' can be searched for a member of the specified regular expression by specifying a regular expression to compare the value of the form 'class ⁇ member name' with the value of that member.
  • the pattern 'manifest' can be used for comparison with the items in AndroidManifest.xml.
  • the patterns 'xml', 'so', 'dll', and 'find_file' can be used to perform searches on xml files, so files, dll files, and all files.
  • a search in a dll file is described in more detail in Pattern 16 (RetrieveDllContents).
  • the patterns may be combined using logical operations and parentheses.
  • Table 19 shows examples of logic operations that can be used for combinations of patterns.
  • for example, if pattern A is detected in (pattern A or pattern B), detection for pattern B may not be performed because the result is already 'true'.
  • if pattern A is 'false' in (pattern A sub pattern B), detection for pattern B may not be performed.
  • a more specific example of a combination of patterns using such logic operations is a pattern combination (dex (find_sub_class) sub dex (find_api)).
  • the children of all activities are searched through the pattern 'dex (find_sub_class)' on the left, and the classes searched through the pattern on the left can be used as classes for the right pattern.
  • the right pattern 'dex (find_api)' traverses the api in the classes found through the left pattern.
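The following Python code is an added example, not code from the patent. It evaluates the combinations described above ('or' and 'sub') over a constructed class model and reproduces the 'called from ...' and 'argument from null' messages of the DexFindApi examples. The model layout, the class and method names other than those quoted on this page, and the reading of Exception (true) as "do not report arguments from that API" are assumptions.

```python
SSL_CONTEXT = "Ljavax/net/ssl/SSLContext"
TMF_API = ("Ljavax/net/ssl/TrustManagerFactory", "getTrustManagers")
NULL = ("null",)

# Constructed stand-in for what a dex parser would extract: for each class its
# parent and, per method, the calls it makes with the origin of each argument.
MODEL = {
    "cfindMe": {"parent": "IamYourFather", "methods": {
        "mfindMe": [(SSL_CONTEXT, "init", [NULL, NULL, NULL])]}},
    "csearchMe": {"parent": "IamYourFather", "methods": {
        "msearch": [(SSL_CONTEXT, "init", [NULL, ("api",) + TMF_API, NULL])]}},
    "cother": {"parent": "Ljava/lang/Object", "methods": {
        "mother": [(SSL_CONTEXT, "init", [NULL, NULL, NULL])]}},
}


class Pattern:
    """Base class; counts executions so that short-circuiting is observable."""

    def __init__(self):
        self.runs = 0

    def run(self, model, scope=None):
        self.runs += 1
        return self.detect(model, scope)


class FindSubClass(Pattern):
    """dex (find_sub_class): child classes of the specified parent."""

    def __init__(self, parent):
        super().__init__()
        self.parent = parent

    def detect(self, model, scope):
        return sorted(c for c, info in model.items()
                      if info["parent"] == self.parent
                      and (scope is None or c in scope))


class FindApi(Pattern):
    """dex (find_api): callers of cls.method, optionally tracing one argument."""

    def __init__(self, cls, method, arg_index=None, from_null=False, except_apis=()):
        super().__init__()
        self.target = (cls, method)
        self.arg_index = arg_index
        self.from_null = from_null
        self.except_apis = except_apis

    def detect(self, model, scope):
        findings = []
        for cname in sorted(model):
            if scope is not None and cname not in scope:
                continue  # 'sub' restricts the search to the left pattern's classes
            for mname, calls in model[cname]["methods"].items():
                for cls, method, args in calls:
                    if (cls, method) != self.target:
                        continue
                    msg = f"called from {cname}->{mname}"
                    if self.arg_index is not None:
                        src = args[self.arg_index - 1]  # index counted from 1
                        if src[0] == "api" and src[1:] in self.except_apis:
                            continue  # exception-treated origin: not reported
                        if self.from_null and src != NULL:
                            continue
                        origin = "null" if src == NULL else f"{src[1]}->{src[2]}"
                        msg += f", argument from {origin}"
                    findings.append(msg)
        return findings


class Or(Pattern):
    """(A or B): B is not evaluated once A has detected something."""

    def __init__(self, left, right):
        super().__init__()
        self.left, self.right = left, right

    def detect(self, model, scope):
        return self.left.run(model, scope) or self.right.run(model, scope)


class Sub(Pattern):
    """(A sub B): classes found by A become the search scope of B."""

    def __init__(self, left, right):
        super().__init__()
        self.left, self.right = left, right

    def detect(self, model, scope):
        classes = self.left.run(model, scope)
        return self.right.run(model, classes) if classes else []


def demo_sub(parent):
    """Run (find_sub_class sub find_api); return findings and right-side run count."""
    right = FindApi(SSL_CONTEXT, "init", arg_index=2, from_null=True,
                    except_apis=(TMF_API,))
    return Sub(FindSubClass(parent), right).run(MODEL), right.runs
```

With parent 'IamYourFather' only 'cfindMe' is reported: 'csearchMe' passes an argument from the excepted API and 'cother' is outside the scope handed over by the left pattern.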
  • FIG. 15 is a block diagram illustrating an example of a component that a processor of a server according to an exemplary embodiment of the present invention may include.
  • FIG. 16 is a diagram illustrating a vulnerability detection method.
  • the vulnerability detection system may be implemented in the form of a computer device such as the server 150 described above.
  • the processor 222 of the server 150 is a component for implementing a vulnerability detection system, and may include a detection pattern management unit 1510, a package file registration unit 1520, and a vulnerability information detection unit 1530.
  • the processor 222 and the components of the processor 222 may perform the steps 1610 through 1630 of the vulnerability detection method of FIG. 16.
  • the processor 222 and the components of the processor 222 may be implemented to execute control instructions according to code of the operating system or code of at least one program that the memory 221 includes.
  • the components of the processor 222 may be representations of different functions performed by the processor 222 in accordance with the control instructions provided by the code stored in server 150.
  • the detection pattern manager 1510 may be used as a functional representation of the processor 222 in which the processor 222 manages detection patterns in accordance with the control commands described above.
  • the detection pattern management unit 1510 may manage detection patterns that are preset for diagnosing the vulnerability of the application, in association with at least one of the files included in the package file for installation and operation of the application. Detailed embodiments of the detection patterns have been described above, and those skilled in the art will understand that various embodiments can be derived according to the vulnerability.
  • the detection pattern management unit 1510 may provide an editor function for registering a new detection pattern or editing a registered detection pattern in step 1610, and may store and manage information on the detection pattern registered or edited through the provided editor function.
  • the editor function can be provided to the administrator or user of the vulnerability detection system in the form of a specific web page or a specific application, for example.
  • an administrator terminal and a vulnerability detection system can communicate with each other through a specific application installed in an administrator's terminal, and information about a detection pattern registered or edited in a specific application can be transmitted to the vulnerability detection system through the network.
  • the detection pattern management unit 1510 can register a new detection pattern or update the edited detection pattern.
  • the parameters of the factors included in the patterns may be preset, but may be dynamically determined as necessary, and the detection patterns may be implemented in more varied ways because the parameters can be dynamically determined.
  • the package file registration unit 1520 may register a package file to be distributed to users for installation and operation of the application.
  • the server 150 may be implemented in a form including a vulnerability detection system as described above.
  • the server 150 may be implemented as a combination of an application publisher system and a vulnerability detection system.
  • the package file can be registered and received from the developer side for distributing to the users by the application publisher.
  • each file can be identified in the registered package file, and classes and methods can be identified.
  • each of the methods may be classified in the form of an instruction mass based on a branch instruction (branch statement), and a call relationship between instruction masses and / or a call relation between methods may be stored and managed in the form of a data structure such as a tree structure. Information about this call relationship can be used to trace arguments, retrieve APIs, and so on.
  • the vulnerability information detection unit 1530 may analyze the registered package file according to at least one detection pattern among the detection patterns to detect vulnerability information according to at least one detection pattern. Detection of such vulnerability information has been described in detail in various embodiments above. At this time, the vulnerability information detection unit 1530 may combine a plurality of detection patterns, dynamically set the first information detected in the registered package file according to the first detection pattern as a parameter of a factor included in the second detection pattern, and detect the vulnerability information in the registered package file according to the second detection pattern that includes the factor whose parameter is set to the detected first information.
  • the detection pattern may include a pattern for retrieving a specific string from at least one of the files included in the registered package file.
  • Pattern 1, Pattern 14, and Pattern 16 described above describe a pattern for retrieving a specific string (or string) in a file.
  • Pattern 1 was described as including a factor for designating a specific type of file among the files included in the registered package file.
  • the detection pattern may include a pattern for searching at least one of a file of a specific type and a file of a specific file name among the files included in the registered package file.
  • pattern 2 described above describes a pattern for searching a file of a specified type and / or a file of a specified filename.
  • the detection pattern may include at least one of: a pattern for searching for a permission in the Android manifest file included in the APK (Android application package), a pattern for searching for an activity, a pattern for searching for an SDK (Software Development Kit) API version, a pattern for searching for a main application, a pattern for searching for a service, a pattern for searching for a receiver, and a pattern for searching for a provider. These patterns have been described in detail in Patterns 3 to 10.
  • the detection pattern may also include a pattern for retrieving an API called from at least one of a specified class and a specified method.
  • the pattern for searching the called API may include a factor specifying at least one of a class and a method, a factor specifying at least one of an index and a type of an argument in order to trace an argument of the specified method, and a factor specifying at least one of an API, a field, and null in order to detect an argument passed from at least one of the specified API, the specified field, and null.
  • the detection pattern may also include a pattern that retrieves the specified instruction from the specified method.
  • the pattern for searching for a specific instruction may include a factor for specifying an instruction to be searched, a factor for specifying a type of an instruction to be searched, and a factor for specifying a class and a method to be searched by the instruction to be searched. These patterns are described in detail in Pattern 12.
  • the detection pattern may include a pattern for searching a child class of a designated class and / or a pattern for searching an API in at least one of the files included in the registered package file.
  • a detection pattern for diagnosing the vulnerability of an application can be set in advance, and a vulnerability of the package file of an application registered for distribution can be detected based on the set detection pattern.
  • the system or apparatus described above may be implemented as a hardware component, a software component or a combination of hardware components and software components.
  • the apparatus and components described in the embodiments may be implemented within a computer system, such as, for example, a processor, a controller, an arithmetic logic unit (ALU), a digital signal processor, a microcomputer, a field programmable gate array (FPGA), a programmable logic unit (PLU), a microprocessor, or any other device capable of executing and responding to instructions.
  • the processing device may execute an operating system (OS) and one or more software applications running on the operating system.
  • the processing device may also access, store, manipulate, process, and generate data in response to execution of the software.
  • The processing device may be described as being used singly, but those skilled in the art will recognize that it may have a plurality of processing elements.
  • The processing device may comprise a plurality of processors, or one processor and one controller.
  • Other processing configurations are also possible, such as a parallel processor.
  • The software may include a computer program, code, instructions, or a combination of one or more of these, and may configure the processing device to operate as desired or command the processing device independently or collectively.
  • The software and/or data may be embodied in any type of machine, component, physical device, virtual equipment, computer storage medium, or device.
  • The software may be distributed over networked computer systems and stored or executed in a distributed manner.
  • The software and data may be stored on one or more computer-readable recording media.
  • The method according to an embodiment may be implemented in the form of program instructions that can be executed through various computer means and recorded on a computer-readable medium.
  • The computer-readable medium may include program instructions, data files, data structures, and the like, alone or in combination.
  • The program instructions recorded on the medium may be those specially designed and configured for the embodiments, or may be those available to those skilled in the art of computer software.
  • Examples of computer-readable media include magnetic media such as hard disks, floppy disks and magnetic tape; optical media such as CD-ROMs and DVDs; magneto-optical media; and hardware devices specifically configured to store and execute program instructions, such as ROM, RAM, flash memory, and the like.
  • Such a recording medium may be any of a variety of recording or storage means in the form of a single piece of hardware or several pieces of hardware combined, and is not limited to a medium directly connected to a computer system but may be distributed over a network.
  • Examples of program instructions include machine language code, such as that produced by a compiler, as well as high-level language code that can be executed by a computer using an interpreter or the like.
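The called-API search pattern described in the list above (class and method, argument index, and an API, field or null source for the argument), sketched as an added example that is not code from the patent. It assumes the package's code has been disassembled to smali-style text; the function names, pattern parameters and sample lines are constructed for illustration.

```python
import re

# Constructed smali-style method body (sample input, not taken from the patent).
SAMPLE = """\
const/4 v0, 0x0
sget-object v1, Lcom/example/Config;->KEY:Ljava/lang/String;
invoke-static {}, Lcom/example/Util;->loadSeed()[B
move-result-object v2
invoke-virtual {v3, v1, v0}, Lcom/example/Store;->put(Ljava/lang/String;Ljava/lang/Object;)V
invoke-direct {v4, v2}, Ljava/security/SecureRandom;-><init>([B)V
"""

INVOKE = re.compile(r"^invoke-[\w/]+ \{(?P<regs>[^}]*)\}, (?P<target>L[^;]+;->[^(]+)\(")

def origin_of(lines, call_idx, reg):
    """Walk back to the last write of `reg`; straight-line code only (assumption)."""
    for i in range(call_idx - 1, -1, -1):
        op, _, rest = lines[i].partition(" ")
        parts = [p.strip() for p in rest.split(",")]
        if parts[0] != reg:
            continue
        if op.startswith("const") and parts[1:] and parts[1] in ("0", "0x0"):
            return ("null", "")
        if op.startswith(("sget", "iget")):
            return ("field", parts[-1].split(":")[0])
        if op.startswith("move-result") and i > 0:
            m = INVOKE.match(lines[i - 1])
            if m:
                return ("api", m.group("target"))
        return ("other", lines[i])
    return ("unknown", "")

def find_calls(smali, cls, method, arg_index, from_api=None, from_field=None, from_null=False):
    """Hypothetical pattern: calls to cls->method whose register at arg_index
    (the receiver is index 0 for instance calls) came from a listed source."""
    lines = [l.strip() for l in smali.splitlines() if l.strip()]
    hits = []
    for idx, line in enumerate(lines):
        m = INVOKE.match(line)
        if not m or m.group("target") != f"{cls}->{method}":
            continue
        regs = [r.strip() for r in m.group("regs").split(",") if r.strip()]
        if arg_index < len(regs):
            kind, detail = origin_of(lines, idx, regs[arg_index])
            if ((kind == "api" and detail == from_api)
                    or (kind == "field" and detail == from_field)
                    or (kind == "null" and from_null)):
                hits.append((idx + 1, kind, detail))  # 1-based line number
    return hits
```

A production matcher would need control-flow and register-alias tracking; this version only follows the most recent write in a single basic block.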

Abstract

The present invention relates to a method and a system for detecting application vulnerabilities. The vulnerability detection method may comprise the steps of: managing predetermined detection patterns for diagnosing vulnerabilities of an application with respect to at least one of the files included in a package file for installing and running the application, and the code included in those files; registering the package file for distribution to users so as to enable installation and execution of the application; and, by analyzing the registered package file according to at least one of the detection patterns, detecting vulnerability data for the or each detection pattern.
PCT/KR2017/006913 2017-06-29 2017-06-29 Method and system for detecting application vulnerability WO2019004503A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/KR2017/006913 WO2019004503A1 (fr) 2017-06-29 2017-06-29 Method and system for detecting application vulnerability
JP2019569960A JP2020531936A (ja) 2017-06-29 2017-06-29 Method and system for detecting application vulnerabilities

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/KR2017/006913 WO2019004503A1 (fr) 2017-06-29 2017-06-29 Method and system for detecting application vulnerability

Publications (1)

Publication Number Publication Date
WO2019004503A1 (fr) 2019-01-03

Family

ID=64741748

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2017/006913 WO2019004503A1 (fr) Method and system for detecting application vulnerability 2017-06-29 2017-06-29

Country Status (2)

Country Link
JP (1) JP2020531936A (fr)
WO (1) WO2019004503A1 (fr)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
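CN112632553A (zh) * 2019-10-09 2021-04-09 Oppo(重庆)智能科技有限公司 Vulnerability processing method and related products
CN112765611A (zh) * 2021-01-19 2021-05-07 上海微盟企业发展有限公司 Unauthorized access vulnerability detection method, apparatus, device and storage medium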
US11356470B2 (en) * 2019-12-19 2022-06-07 Group IB TDS, Ltd Method and system for determining network vulnerabilities
US11985147B2 (en) 2021-06-01 2024-05-14 Trust Ltd. System and method for detecting a cyberattack

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101324691B1 (ko) * 2011-12-08 2013-11-04 한국인터넷진흥원 System and method for detecting mobile applications with malicious behavior
KR101402057B1 (ko) * 2012-09-19 2014-06-03 주식회사 이스트시큐리티 Analysis system and analysis method for repackaged applications through risk calculation
JP5654944B2 (ja) * 2011-05-02 2015-01-14 Kddi株式会社 Application analysis device and program
KR20150044490A (ko) * 2013-10-16 2015-04-27 (주)이스트소프트 Detection apparatus and detection method for malicious Android applications
KR20160099159A (ko) * 2015-02-11 2016-08-22 한국전자통신연구원 Electronic system and method for detecting malicious code

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5077455B2 (ja) * 2011-03-07 2012-11-21 富士通株式会社 Vulnerability audit program, vulnerability audit device, vulnerability audit method
JP5651065B2 (ja) * 2011-04-08 2015-01-07 Kddi株式会社 Application evaluation device and program

Also Published As

Publication number Publication date
JP2020531936A (ja) 2020-11-05

Similar Documents

Publication Publication Date Title
WO2018159997A1 (fr) Apparatus and method for performing a test using a test set
WO2011122724A1 (fr) Code inspection execution system for performing code inspection on ABAP source code
WO2010062063A2 (fr) Method and system for preventing illicit use related to browser software
WO2019004503A1 (fr) Method and system for detecting application vulnerability
WO2020233077A1 (fr) System service monitoring method, device and apparatus, and storage medium
WO2017213400A1 (fr) Malware detection by exploiting malware re-composition variations
WO2017213304A1 (fr) Integrated ship data system and ship comprising same
CA3002605C (fr) System and methods for detecting domain generation algorithm (DGA) malware
WO2022114689A1 (fr) Image-based malware detection method and device, and artificial intelligence-based endpoint detection and response system using same
WO2010087635A2 (fr) Method and apparatus for processing a user interface composed of component objects
WO2017126786A1 (fr) Electronic device for analyzing malicious code and method therefor
EP3241102A1 (fr) Electronic system with access management mechanism and method of operation thereof
WO2017052053A1 (fr) Apparatus and method for protecting information in a communication system
WO2018194196A1 (fr) Method and system for detecting the application of obfuscation to, and evaluating the security of, an ELF file
WO2023171887A1 (fr) Apparatus and method for activating an invisible-seal-type JNF image transaction
WO2020022819A1 (fr) Communication via a simulated user
WO2018188342A1 (fr) Method, apparatus and device for generating a script file, and computer-readable storage medium
WO2022108318A1 (fr) Apparatus and method for analyzing smart contract code vulnerabilities
WO2018080272A1 (fr) Method, server, system and computer program for providing personalized information in real time to a game user
WO2018199366A1 (fr) Method and system for detecting whether obfuscation has been applied to a DEX file and evaluating security
WO2017094967A1 (fr) Natural language processing schema, and method and system for building a knowledge database therefor
WO2023017931A1 (fr) Cyber threat information processing device, cyber threat information processing method, and storage medium storing a cyber threat information processing program
WO2018043861A1 (fr) Device for recommending a rental item using a user's schedule, and method therefor
WO2014168453A1 (fr) Apparatus, user terminal and method for checking a message
WO2019172613A1 (fr) Method and electronic device for displaying a web page

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application. Ref document number: 17915886; Country of ref document: EP; Kind code of ref document: A1
ENP Entry into the national phase. Ref document number: 2019569960; Country of ref document: JP; Kind code of ref document: A
NENP Non-entry into the national phase. Ref country code: DE
122 Ep: pct application non-entry in european phase. Ref document number: 17915886; Country of ref document: EP; Kind code of ref document: A1