WO2023241529A1 - Vulnerability information processing method, service device and vulnerability detection module - Google Patents

Vulnerability information processing method, service device and vulnerability detection module

Info

Publication number
WO2023241529A1
Authority
WO
WIPO (PCT)
Prior art keywords
component
vulnerability
version
invariant
identification
Application number
PCT/CN2023/099764
Other languages
English (en)
French (fr)
Inventor
刘瑞超
周昊
Original Assignee
阿里云计算有限公司
Application filed by 阿里云计算有限公司
Publication of WO2023241529A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Definitions

  • the embodiments of this application provide a vulnerability information processing method, service device and vulnerability detection module to solve problems existing in related technologies.
  • the technical solutions are as follows:
  • embodiments of this application provide a vulnerability information processing method, including:
  • embodiments of the present application provide a service device, which includes a memory, a processor, and a computer program stored in the memory.
  • the processor executes the computer program, it implements the method provided by any embodiment of the present application.
  • embodiments of the present application provide an Internet of Things device, including the vulnerability detection module provided by any embodiment of the present application.
  • embodiments of the present application provide a computer-readable storage medium.
  • a computer program is stored in the computer-readable storage medium.
  • the computer program is executed by a processor, the method provided by any embodiment of the present application is implemented.
  • a first vulnerability library for storing vulnerability triggering information of a component can be built in advance.
  • the corresponding vulnerability triggering information can be found in the first vulnerability library to exploit the first component.
  • the vulnerability trigger information corresponding to a component triggers the first component to call the vulnerability function to determine whether the component actually has a vulnerability. This avoids false detection of vulnerabilities due to the fragmented scenario characteristics of IoT devices, thus improving the accuracy of vulnerability detection results.
  • Figure 1 is a schematic diagram of an exemplary application scenario according to the embodiment of the present application.
  • Figure 3 is a flow chart of a vulnerability information processing method according to another embodiment of the present application.
  • FIG. 5 is a structural block diagram of the vulnerability information processing system in the application example of this application.
  • Figure 6 is a structural block diagram of the IoT device vulnerability operation and maintenance framework in the application example of this application;
  • FIG. 9 is a structural block diagram of the IoT device vulnerability identification framework in the application example of this application.
  • FIG 1 shows a schematic diagram of an exemplary application scenario.
  • a service device for vulnerability detection is deployed.
  • the service device can access the public vulnerability database to obtain the information security vulnerabilities disclosed in the public vulnerability database.
  • the public vulnerability library may include CVE (Common Vulnerabilities & Exposures, Common Vulnerability Disclosure), which is similar to a dictionary, provides public names for widely recognized information security vulnerabilities for users or related services to query.
  • the vulnerability service device can analyze the IoT device components involved in each vulnerability.
  • the service device can also access the source code library to obtain the source code of the IoT device components.
  • the service device can further analyze the IoT device components involved in the vulnerability to obtain the corresponding vulnerability trigger information, such as the functions involved in the vulnerability, the function parameters that cause the vulnerability, the return values corresponding to the function parameters based on the vulnerability, etc. Based on one or more of the above information, the service device can build a dedicated vulnerability library to use the dedicated vulnerability library for more accurate vulnerability detection.
  • the service device can also build a component feature library.
  • the service device can compile the binary file of the IoT device component based on the source code of the IoT device component obtained from the source code library, and thereby obtain the identification characteristics of the IoT device component by analyzing the binary file.
  • identification features that are independent of device systems and architectures.
  • these identification features can also be optimized to overcome the impact of multiple operating systems, multiple architectures, diverse compilation conditions and software tailoring characteristics on component identification.
  • the service device can construct a component feature library, so as to use the component feature library to identify relevant components in the Internet of Things device.
  • a vulnerability detection module can be configured in the IoT device to interact with the service device to complete vulnerability detection.
  • the vulnerability detection module can access the component feature library to identify relevant components in the Internet of Things device by utilizing the identification features of vulnerability-related components in the component feature library.
  • the vulnerability detection module can send information about the relevant component to the service device, so that the service device returns information corresponding to the component in the dedicated vulnerability library. The vulnerability detection module can use this information to accurately determine whether the vulnerability actually exists.
  • Figure 2 shows a flow chart of a vulnerability information processing method according to an embodiment of the present application. As shown in Figure 2, the method may include:
  • S220 Search the first vulnerability database for vulnerability triggering information corresponding to the first component; wherein the vulnerability triggering information is used to trigger the first component to call the vulnerability function to determine whether the first component has a vulnerability.
  • the above steps may be performed by the service device shown in FIG. 1.
  • the service device can determine the first component contained in the IoT device by interacting with the vulnerability detection module in the IoT device, for example by receiving component information sent by the IoT device and determining the first component contained in the IoT device based on that component information. After searching the first vulnerability library for the vulnerability trigger information corresponding to the first component, the service device can also send the vulnerability trigger information to the vulnerability detection module, so that the vulnerability detection module triggers the first component to call the vulnerability function to determine whether the first component has a vulnerability.
  • the above steps can also be performed by a vulnerability detection module in the IoT device.
  • the vulnerability detection module can determine the first component by itself, and access the first vulnerability library to find the corresponding vulnerability trigger information to call the vulnerability function.
  • the components in the embodiment of this application may include open source components in Internet of Things devices.
  • the first vulnerability database is used to store multiple vulnerability triggering information respectively corresponding to multiple components.
  • the multiple components may include components that are at risk of vulnerabilities.
  • the first vulnerability library may be a dedicated vulnerability library as shown in Figure 1, in which the component information and vulnerability triggering information are obtained based on the public vulnerability library and source code library.
  • the first vulnerability database can be specifically used to store description information of vulnerabilities corresponding to multiple components, and store vulnerability trigger information corresponding to each vulnerability. Based on this, in the above step S220, the description information of the vulnerability corresponding to the first component can be first searched in the first vulnerability database, and then the corresponding vulnerability trigger information can be obtained based on the description information of the vulnerability.
  • the first component may include any component in the IoT device, or may include specific components in the IoT device, such as components with vulnerability risks.
  • the vulnerability detection module in the IoT device can periodically perform vulnerability detection on any component in the IoT device and send the identification information of the component, such as name and version number, to the service device; the service device then searches the first vulnerability library for relevant information about this component. If none exists, the component is considered not to have a vulnerability; if it exists, the vulnerability trigger information of the component is returned to the vulnerability detection module, so that the vulnerability detection module triggers the component to call the vulnerability function and determines, based on the return result of the vulnerability function, whether the vulnerability really exists.
  • the vulnerability detection module in the IoT device can access a pre-built component feature library, such as a component feature library built based on the source code of the components involved in vulnerabilities, and compare the identification features of the components in the IoT device with the identification features of each component in the library to determine whether the IoT device contains a component from the component feature library; such a component is a component with vulnerability risk in the IoT device. If one is found, the identification information of the component is sent to the service device, the service device searches the first vulnerability library for the vulnerability triggering information of the component and returns it to the vulnerability detection module, and the vulnerability detection module triggers the component to call the vulnerability function and determines whether the vulnerability actually exists based on the return result of the vulnerability function.
  • the above vulnerability functions include vulnerability-related functions in the component, which can be determined by analyzing the source code of the component and vulnerability information such as vulnerability patches provided by public vulnerability libraries.
  • the above vulnerability triggering information may include the vulnerability function, function parameters used to trigger the vulnerability function, and a preset return value.
  • the function parameter may be a function parameter that causes the vulnerability determined by analyzing the source code of the component and the vulnerability information provided by the public vulnerability library.
  • the preset return value can be a function return value that results from the above function parameters and the vulnerability, which can be determined by analyzing the source code of the component and the vulnerability information provided by the public vulnerability library. If the preset return value is the same as the return value obtained by calling the vulnerable function with the above function parameters in an actual application, the first component can be considered vulnerable; if the two return values differ, the component can be considered not to have the vulnerability. That is, the function parameters are used to call the vulnerable function in the first component to obtain its return value, and the preset return value is compared with that return value to determine whether the first component is vulnerable.
  • this embodiment of the present application also provides an operation and maintenance method for the above-mentioned first vulnerability library.
  • the above method may also include:
  • the above steps can be performed by the service device, or by the IoT device vulnerability operation and maintenance framework including the service device.
  • the framework connects the second vulnerability library and the source code library, and outputs information and stores it in the first vulnerability library.
  • the second vulnerability database can be a public vulnerability database, such as CVE, including NVD (National Vulnerability Database, U.S. National Common Vulnerability Database), CNNVD (China National Vulnerability Database of Information, China National Information Security Vulnerability Database), CNVD (China National Vulnerability Database, National Information Security Vulnerability Sharing Platform), etc.
  • the second component is a vulnerability-related component determined based on vulnerability information in the second vulnerability database.
  • the source code of the second component can be obtained from the source code library and analyzed together with vulnerability information such as vulnerability patches and causes of vulnerabilities to determine the vulnerability triggering information of the second component, including the vulnerable function in the second component as well as the function parameters and preset return values that cause the vulnerability. If the above vulnerability triggering information is stored in the first vulnerability database, then when the IoT device needs to check for vulnerability risks, the vulnerability triggering information of the relevant components can be found by accessing the first vulnerability database to determine whether the vulnerability actually exists in the component of the IoT device.
  • Figure 3 shows a vulnerability information processing method according to another embodiment of the present application. This method can be executed by the service device shown in Figure 1, or by the IoT component feature operation and maintenance framework including the service device, but is not limited to this. The method includes:
  • the source code library can be an open source community warehouse or a local source code library.
  • the open source community warehouse can be accessed periodically, the source code of each component in the first vulnerability library can be pulled, and a local source code library can be constructed.
  • the corresponding binary files can be compiled based on the source code and mainstream system architecture.
  • a binary file warehouse can also be built to store the binary files.
  • the invariant set obtained by parsing the binary file may include one or more invariants.
  • invariants may refer to field information that always exists in the process of compiling source code to binary files. Since the Internet of Things has fragmented characteristics such as multi-architecture and multi-system, different CPU architectures, operating systems, and compilation optimization options will cause even the same source code to have large differences in the final compiled binary files. Therefore, obtaining the component identification features of components based on the invariant set can improve the identification accuracy.
  • the invariant set may include constant strings, constant values, function lists, function parameter lists, etc.
  • the corresponding source code, binary file, and invariant set are determined in sequence, thereby obtaining multiple invariant sets corresponding to the multiple versions.
  • multiple invariant sets can be calculated to filter and optimize the invariants to obtain the final component identification features.
  • Step S340 Obtaining at least one component identification feature of the third component based on multiple invariant sets includes: obtaining the first component identification feature of the third component based on the intersection of multiple invariant sets.
  • intersection of multiple invariant sets may be directly used as the first component identification feature, or the intersection may be subjected to predetermined processing and used as the first component identification feature. For example, invariants whose component coverage is greater than a first threshold are eliminated from the intersection of multiple invariant sets to obtain the first component identification feature of the third component.
  • Step S340 Obtain at least one component identification feature of the third component based on multiple invariant sets, including: obtaining a second component identification feature of the third component based on similarities between multiple invariant sets.
  • the similarity between multiple invariant sets corresponding to multiple versions of the third component can be directly used as a component identification feature of the third component, and stored in the component feature library.
  • the similarity between multiple invariant sets represents the similarity between multiple versions of the third component; it can include the similarity among all of the multiple invariant sets, and can also include the similarity within multiple groups of invariant sets, where each group includes two invariant sets selected from the above multiple invariant sets based on preset rules.
  • specific strings in the binary files of some components contain the name and version information of the component. Based on these specific strings, regular expressions that directly identify the components can be constructed, and these regular expressions can be used as an identification feature to improve the recognition rate and speed of components.
  • the above vulnerability information processing method may also include:
  • At least one version identification feature of the first version among the multiple versions is obtained; wherein the at least one version identification feature is used to identify the version of the third component when the Internet of Things device contains a third component.
  • the first version can be any version of the third component, or the first version can represent each version of the third component; that is, for each version, the multiple invariant sets of the above component can be used to obtain at least one version identification feature.
  • Example 4 Based on multiple invariant sets, obtaining at least one version identification feature of the first version among the multiple versions includes: determining the difference set between the first invariant set among the multiple invariant sets and the other invariant sets among the multiple invariant sets, and obtaining the first version identification feature of the first version based on the difference set.
  • the first invariant set is an invariant set corresponding to the first version among the multiple invariant sets.
  • the other invariant sets mentioned above may include all invariant sets among the multiple invariant sets except the first invariant set, or may include the invariant sets corresponding to the N versions preceding the first version, where N is an integer greater than or equal to 1.
  • the difference set between the first invariant set and the other invariant sets may be the difference between the first invariant set and all the other invariant sets taken as a whole; this difference set contains only the invariants unique to the first invariant set, so the first version corresponding to the first invariant set can be accurately identified based on it.
  • the difference set between the first invariant set and other invariant sets may include the invariant set corresponding to the previous version of the first version. Since in the process of technology update iteration, algorithm functions are often added based on the previous version, therefore, calculating the above difference set based on the invariant set corresponding to the previous version can improve efficiency.
  • the difference set can be directly used as the version identification feature of the first version, or the difference set can be subjected to predetermined processing to obtain the version identification feature of the first version.
  • obtaining the first version identification feature of the first version includes: eliminating invariants whose occurrence frequency is greater than the second threshold in the difference set to obtain the first version identification feature of the first version.
  • the frequency of occurrence of a certain invariant can be obtained by counting the invariants parsed from the binary files of multiple components. Specifically, the frequency of occurrence is used to characterize the number of occurrences of the invariant in all components. For example, you can count the number of occurrences of an invariant in each file in the binary file library to obtain the frequency of occurrence. Among them, invariants that appear multiple times in different versions of the same component can be recorded only once in the frequency of occurrence.
  • invariants whose occurrence frequency is greater than the first threshold are eliminated from the above difference set, thereby avoiding the impact of invariants without personalized characteristics on the recognition effect, and further improving the recognition accuracy.
  • Example 5 Based on multiple invariant sets, obtaining at least one version identification feature of the first version among the multiple versions includes: obtaining the second version identification feature of the first version based on the similarity between the first invariant set and the other invariant sets.
  • the similarity between the first invariant set corresponding to the first version and other invariant sets can be directly used as a version identification feature of the first version, and stored in the component feature library.
  • the similarity between the first invariant set and other invariant sets may include the similarity between the first invariant set and each other invariant set.
  • the similarity may be represented based on a vector, each element in the vector corresponds to an invariant set, and each element represents the similarity between the first invariant set and the invariant set corresponding to the element.
  • Example 6 Based on multiple invariant sets, obtaining at least one version identification feature of the first version among the multiple versions includes: building a regular expression based on a specific string in the first invariant set, and using the regular expression as the third version identification feature of the first version.
  • specific strings in the binary files of some components contain the version information of the component. Based on these specific strings, regular expressions that directly identify the version can be constructed, and these regular expressions can be used as an identification feature to improve the recognition rate and speed of component version identification.
  • the corresponding component identification features and version identification features can be obtained for each component in the first vulnerability library, which makes it easier for the vulnerability detection module in the Internet of Things device to compare the components in the device against these identification features and so identify the components and versions in the IoT device.
  • Figure 4 shows a vulnerability information processing method according to another embodiment of the present application.
  • This method can be executed by a vulnerability detection module in an Internet of Things device, but is not limited to this.
  • the method can include:
  • S430 Trigger the first component to call the vulnerability function based on the vulnerability trigger information to determine whether the first component has a vulnerability.
  • the vulnerability triggering information may include: vulnerability functions, function parameters used to trigger the vulnerability function, and preset return values. Accordingly, step S430, triggering the first component to call the vulnerability function based on the vulnerability trigger information to determine whether the first component has a vulnerability, may include:
  • the first component is triggered to call the vulnerable function and the return value of the vulnerable function is obtained;
  • the return value of the vulnerable function is consistent with the preset return value, it is determined that the first component has a vulnerability; if the return value of the vulnerable function is inconsistent with the preset return value, it is determined that the first component does not have a vulnerability.
  • before step S430 it may be determined whether the first component contains the vulnerability function. If the first component does not contain the vulnerability function, it may be directly determined that the vulnerability does not exist in the first component. If the first component contains the vulnerability function, the above step S430 is executed for further judgment.
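The service/agent exchange of steps S220 and S430 above (look up trigger information, skip components that lack the vulnerable function, call it with the trigger parameters and compare the return value with the preset one), as an added Python example that is not part of the patent; the component "libfoo", its function foo_parse, the trigger parameters, the vulnerability id and the preset return value are constructed placeholders:

```python
"""Trigger-based verification of a reported vulnerability (steps S220/S430).

Added example, not the patent's code. The component "libfoo", its function
foo_parse, the trigger parameters, the vulnerability id and the preset return
value are constructed toys standing in for entries derived from a public
vulnerability library and the component source.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class TriggerInfo:
    function: str              # vulnerable function in the component
    params: Tuple[Any, ...]    # parameters that exercise the vulnerable path
    preset_return: Any         # return value produced only by a vulnerable build


# First vulnerability library (constructed): component -> vuln id -> trigger info.
FIRST_VULN_LIB: Dict[str, Dict[str, TriggerInfo]] = {
    "libfoo": {
        "VULN-EXAMPLE-0001": TriggerInfo("foo_parse", (b"\xff" * 8, 4096), "accepted"),
    },
}


def lookup_trigger(component: str) -> Optional[Dict[str, TriggerInfo]]:
    """Service side (S220): trigger info for the component, or None when the
    library has no entry, in which case the component counts as not vulnerable."""
    return FIRST_VULN_LIB.get(component)


# Constructed implementations standing in for the loaded component binaries:
# the old build trusts a declared length larger than the buffer, the fixed
# build rejects it, and a tailored (trimmed) build omits the function entirely.
def foo_parse_vulnerable(buf: bytes, length: int) -> str:
    return "accepted"


def foo_parse_fixed(buf: bytes, length: int) -> str:
    return "accepted" if length <= len(buf) else "rejected"


COMPONENT_BUILDS: Dict[str, Dict[str, Callable[..., Any]]] = {
    "libfoo-old": {"foo_parse": foo_parse_vulnerable},
    "libfoo-fixed": {"foo_parse": foo_parse_fixed},
    "libfoo-trimmed": {},
}


def verify(funcs: Dict[str, Callable[..., Any]], trigger: TriggerInfo) -> bool:
    """Agent side (S430): a missing function means no vulnerability; otherwise
    call it with the trigger parameters and compare against the preset value."""
    fn = funcs.get(trigger.function)
    if fn is None:
        return False
    return fn(*trigger.params) == trigger.preset_return


def detect(component: str, funcs: Dict[str, Callable[..., Any]]) -> Dict[str, bool]:
    """Full exchange: the agent reports the component, the service returns the
    trigger info, the agent verifies each entry and returns id -> really present."""
    triggers = lookup_trigger(component)
    if not triggers:
        return {}
    return {vid: verify(funcs, t) for vid, t in triggers.items()}
```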
  • step S410 determining the first component contained in the Internet of Things device, may include:
  • the identification features corresponding to the component binary file of the IoT device itself can be compared or calculated by accessing the component feature library to identify the object.
  • the identification features may include component identification features and/or version identification features, and accordingly, the identified information may include components and/or component versions.
  • the identification information corresponding to the component binary file may include the name and/or path of the binary file.
  • the component binaries can include binaries for multiple versions of a component.
  • the identification features corresponding to multiple versions of the binary file can be downloaded from the cloud.
  • the identification feature may include the component identification feature corresponding to the component binary file and/or the version identification feature of each version, or the component identification feature corresponding to the component binary file and/or the version identification feature of each version can be parsed from the identification feature Features, thereby using component identification features to identify components in the IoT device, and then using version identification features to identify the specific version of the component.
  • the at least one component identification feature mentioned above can be implemented with reference to the foregoing Examples 1-3.
  • a condition can be preset for each component identification feature.
  • the Internet of Things device contains the i-th component, that is, the i-th component is the first component.
  • i is an integer greater than or equal to 1.
  • for the first component identification feature, the intersection of the first component identification feature corresponding to the device and the first component identification feature of the i-th component can be compared with the first component identification feature of the i-th component: if the proportion of the number of elements in the intersection relative to the number of elements in the first component identification feature of the i-th component is greater than the third threshold, the condition is considered to be met.
  • for the second component identification feature, the difference between the second component identification feature corresponding to the device and the second component identification feature of the i-th component can be compared with the fourth threshold: if the difference is less than the fourth threshold, the condition is considered to be met.
  • for the third component identification feature, which contains regular expressions, it can be directly or indirectly determined whether the component binary file contains the specific string; if it does, the condition is considered to be met.
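The feature-library construction of Examples 1, 4, 5 and 6 above (intersection with coverage filtering, difference set with frequency filtering, similarity, regular expression) together with the threshold matching just described, as one added Python example that is not part of the patent; the component "libfoo", its invariant sets, the threshold values and the use of Jaccard as the similarity measure are assumptions:

```python
"""Component and version identification features from binary invariant sets.
Added example, not the patent's own code; the invariants are assumed to have
been parsed already and every set below is constructed to stand in for a binary.
"""
import re
from typing import Dict, List, Optional, Set

# Constructed invariant sets: three versions of a hypothetical component
# "libfoo", plus two unrelated components that only feed the frequency count.
LIBFOO: Dict[str, Set[str]] = {
    "1.0.0": {"libfoo", "foo_init", "foo_parse", "foo_free",
              "libfoo 1.0.0", "malloc", "memcpy", "strlen"},
    "1.1.0": {"libfoo", "foo_init", "foo_parse", "foo_free", "foo_validate",
              "libfoo 1.1.0", "malloc", "memcpy", "strlen"},
    "1.2.0": {"libfoo", "foo_init", "foo_parse", "foo_free", "foo_validate",
              "foo_stream", "libfoo 1.2.0", "malloc", "memcpy"},
}
LIBRARY: Dict[str, List[Set[str]]] = {
    "libfoo": list(LIBFOO.values()),
    "libbar": [{"libbar", "bar_open", "malloc", "memcpy", "strlen"}],
    "libbaz": [{"libbaz", "baz_run", "malloc", "strlen"}],
}


def occurrence_frequency(library: Dict[str, List[Set[str]]]) -> Dict[str, int]:
    """Number of distinct components that contain each invariant; repeats
    across versions of the same component are counted only once."""
    freq: Dict[str, int] = {}
    for sets in library.values():
        for inv in set().union(*sets):
            freq[inv] = freq.get(inv, 0) + 1
    return freq


def component_feature(versions: Dict[str, Set[str]], freq: Dict[str, int],
                      n_components: int, coverage_threshold: float) -> Set[str]:
    """Example 1: intersection over all versions, minus invariants whose component
    coverage exceeds the first threshold (shared libc imports carry no signal)."""
    common = set.intersection(*versions.values())
    return {inv for inv in common
            if freq.get(inv, 0) / n_components <= coverage_threshold}


def version_feature(versions: Dict[str, Set[str]], target: str,
                    freq: Dict[str, int], freq_threshold: int,
                    previous_only: bool = False) -> Set[str]:
    """Example 4: difference set of the target version against the other
    versions (all of them, or only the previous one), minus invariants whose
    occurrence frequency exceeds the second threshold."""
    names = list(versions)          # insertion order == version order
    idx = names.index(target)
    if previous_only and idx > 0:
        others = versions[names[idx - 1]]
    else:
        others = set().union(*(versions[n] for n in names if n != target))
    diff = versions[target] - others
    return {inv for inv in diff if freq.get(inv, 0) <= freq_threshold}


def similarity_vector(versions: Dict[str, Set[str]], target: str) -> Dict[str, float]:
    """Example 5: one similarity value per other version; Jaccard is an
    assumed choice of measure, the patent does not name one."""
    t = versions[target]
    return {v: len(t & s) / len(t | s) for v, s in versions.items() if v != target}


# Example 6: regular expression built from the component's own
# "<name> <version>" string (constructed pattern).
VERSION_RE = re.compile(r"^libfoo (\d+\.\d+\.\d+)$")


def build_library_features(coverage_threshold: float = 0.5,
                           freq_threshold: int = 1):
    """Service side: the component feature plus one version feature per version
    (difference against the previous version) for the component feature library."""
    freq = occurrence_frequency(LIBRARY)
    comp = component_feature(LIBFOO, freq, len(LIBRARY), coverage_threshold)
    vers = {v: version_feature(LIBFOO, v, freq, freq_threshold, previous_only=True)
            for v in LIBFOO}
    return comp, vers


def identify(device_invariants: Set[str], comp_feat: Set[str],
             ver_feats: Dict[str, Set[str]],
             third_threshold: float) -> Optional[str]:
    """Device side: the component is present when |device & feature| / |feature|
    exceeds the third threshold; the version comes from the regex when a version
    string survived, otherwise from the best-covered difference set."""
    if not comp_feat:
        return None
    if len(device_invariants & comp_feat) / len(comp_feat) <= third_threshold:
        return None
    for inv in device_invariants:
        m = VERSION_RE.match(inv)
        if m:
            return m.group(1)
    best, best_score = "unknown", 0.0
    for ver, feat in ver_feats.items():
        score = len(device_invariants & feat) / len(feat) if feat else 0.0
        if score > best_score:
            best, best_score = ver, score
    return best
```

A stripped device binary without its version string is still versioned through the difference-set features, which is the case the regex alone cannot handle.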
  • the above-mentioned determination of the first component and/or the version of the first component contained in the Internet of Things device based on the identification characteristics includes:
  • FIG. 5 shows the structural block diagram of the vulnerability information processing system in this application example.
  • the IoT device vulnerability operation and maintenance framework can obtain public vulnerability information, parse the relationship between the vulnerability and components, the functions affected by the vulnerability, etc., and store the parsed information in the first vulnerability library it built.
  • the IoT device component feature operation and maintenance framework analyzes the binary file of the component affected by the vulnerability to construct the identification feature of the component, and stores the identification feature in the component feature library it builds.
  • the IoT device component data collection and component identification framework uses the security agent (security agent module, the above-mentioned vulnerability detection module) preset on the device to collect device system files and identify specific components and versions based on the identification characteristics of the components to obtain IoT device components. list.
  • the IoT device vulnerability identification framework obtains vulnerability trigger information from the first vulnerability library based on the IoT device component list, uses the device's preset security agent to determine the validity of the vulnerability, and gives the final vulnerability identification result, which is the IoT device vulnerability list.
  • Figure 7 shows the structural block diagram of the characteristic operation and maintenance framework of IoT device components in the system.
  • In IoT scenarios a wide variety of systems and architectures are encountered, but the binary files that end up on the device always contain certain invariants, such as constant strings, constant values, function lists and function parameter lists.
  • The set of these invariants of a component can uniquely represent the component, a subset of it can represent each version of the component, and some invariants even directly contain the component and version information.
  • The component's identification features comprise three levels and multiple dimensions.
  • The first level is the containment relationship between binary files and components: from the name of a binary file its component can be roughly inferred. The second level is accurately identifying the component name from the invariant features of the binary file. The third level is accurately identifying, from the invariant features of the binary file, which version of the component it belongs to.
  • The multiple dimensions are the specific combinations of invariants that represent a component, the similarity values that represent a component, the specific combinations of invariants that represent a component version, the specific strings that can match a component version, and so on.
  • This framework, based on the first vulnerability library built by the IoT device vulnerability operation and maintenance framework, analyses the list of components involved in the vulnerabilities, periodically pulls the source code of each component in that list from open-source community repositories to build a local component source code repository, compiles component binary files for the mainstream system architectures, and builds a component binary repository.
  • Similarity values of the invariants of different versions of the component, such as simhash, can also be calculated and used as the second component identification feature of the component.
  • The difference set of invariants between different versions of a component is used as the raw feature of the component version; invariants whose occurrence frequency is greater than F are removed, and the remainder constitutes the invariant feature for component version identification, that is, the first version identification feature.
  • Some specific invariants contain the name and current version of the component, so a regular expression that directly identifies the component and version can be constructed from them; these regular expression features can be used as component features.
  • On this basis, a feature repository for identifying components, a feature repository for identifying component versions, and a regular expression feature repository for identifying components and versions are constructed.
  • Because invariants independent of the device's system and architecture are used, identification is not affected by the specific operating system and architecture of the device.
  • The invariant features of components and of their versions still provide a high recognition rate even when components have been trimmed, which suits fragmented, resource-constrained scenarios such as IoT.
  • The correspondence between components and vulnerabilities is recorded in the first vulnerability library, so the vulnerabilities in a component can be queried using the identified component name and version information.
  • The first vulnerability library also records the functions affected by each vulnerability and the vulnerability triggering conditions, so the security agent can actually call the relevant function on the device and judge from the function's return value whether the vulnerability actually exists. Specifically, this is divided into several dimensions. By calling the function, the security agent returns the vulnerability determination result, yielding the component's real vulnerability list.
  • A first vulnerability library storing the vulnerability triggering information of components can be built in advance.
  • For a first component contained in the IoT device, the corresponding vulnerability triggering information is looked up in that library and used to trigger the first component to call the vulnerability function, determining whether the component actually has the vulnerability. This avoids false vulnerability detections caused by the fragmented nature of IoT devices and improves the accuracy of the detection results.
  • The electronic device also includes a communication interface 1030 for communicating with external devices and exchanging data.
  • If the memory 1010, the processor 1020 and the communication interface 1030 are integrated on one chip, they can communicate with each other through an internal interface.
  • An embodiment of the present application also provides an Internet of Things device, including the above vulnerability detection module.
  • Embodiments of the present application also provide a computer-readable storage medium, which stores a computer program. When the program is executed by a processor, the method provided in any embodiment of the present application is implemented.
  • An embodiment of the present application also provides a computer program product, which includes a computer program that implements the method provided in any embodiment of the present application when executed by a processor.
  • An embodiment of the present application also provides a chip, which includes a processor for calling and running instructions stored in the memory, so that the communication device fitted with the chip executes the method provided by the embodiments of the present application.
  • Embodiments of the present application also provide a chip including an input interface, an output interface, a processor and a memory, connected through an internal connection path; the processor executes the code in the memory and, when the code is executed, performs the method provided by the embodiments.
  • The processor can be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc.
  • A general-purpose processor can be a microprocessor or any conventional processor. Notably, the processor may be one that supports the Advanced RISC Machines (ARM) architecture.
  • The memory may include read-only memory and random access memory, and may also include non-volatile random access memory.
  • The memory may be volatile memory or non-volatile memory, or may include both.
  • Non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory.
  • Volatile memory may include random access memory (RAM), which acts as an external cache. By way of illustration and not limitation, many forms of RAM are available.
  • a computer program product includes one or more computer instructions.
  • the computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable device.
  • Computer instructions may be stored in or transmitted from one computer-readable storage medium to another computer-readable storage medium.
  • References to the terms "one embodiment", "some embodiments", "an example", "specific examples" or "some examples" mean that the specific features, structures, materials or characteristics described in connection with that embodiment or example are included in at least one embodiment or example of the present application.
  • The specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
  • Those skilled in the art may combine the different embodiments or examples, and the features of different embodiments or examples, described in this specification, unless they are inconsistent with each other.
  • "First" and "second" are used for descriptive purposes only and cannot be understood as indicating or implying relative importance or implicitly indicating the number of the technical features indicated. A feature qualified by "first" or "second" may therefore explicitly or implicitly include at least one such feature.
  • "Plurality" means two or more, unless otherwise explicitly and specifically limited.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Stored Programmes (AREA)

Abstract

This application proposes a vulnerability information processing method, a service device and a vulnerability detection module. The technical solution is as follows: determine a first component contained in an Internet of Things (IoT) device; look up, in a first vulnerability library, the vulnerability triggering information corresponding to the first component, where the vulnerability triggering information is used to trigger the first component to call a vulnerability function in order to determine whether the first component has the vulnerability. According to the embodiments of this application, the accuracy of vulnerability detection results can be improved.

Description

Vulnerability information processing method, service device and vulnerability detection module
This application claims priority from Chinese patent application No. 202210691626.6, titled "Vulnerability information processing method, service device and vulnerability detection module", filed with the China Patent Office on 17 June 2022, the entire content of which is incorporated herein by reference.
Technical field
This application relates to the field of the Internet of Things, and in particular to a vulnerability information processing method, a service device and a vulnerability detection module.
Background
With the rapid growth of IoT (Internet of Things) business, security problems of IoT devices keep being exposed. IoT device vulnerabilities, as an important entry point for IoT attacks, have become one of the main concerns of the IoT security field. Because IoT devices incorporate open-source components, vulnerability detection for the components in IoT devices is the core of IoT device vulnerability detection. IoT device development, however, is fragmented: multiple system architectures, multiple compilation toolchains and software trimmed to save space all lead to low accuracy in the vulnerability detection results for components in IoT devices.
Summary
The embodiments of this application provide a vulnerability information processing method, a service device and a vulnerability detection module to solve the problems in the related art. The technical solutions are as follows:
In a first aspect, the embodiments provide a vulnerability information processing method, including:
determining a first component contained in an IoT device;
looking up, in a first vulnerability library, the vulnerability triggering information corresponding to the first component; where the vulnerability triggering information is used to trigger the first component to call a vulnerability function, in order to determine whether the first component has a vulnerability.
In a second aspect, the embodiments provide a vulnerability information processing method, including:
determining a first component contained in an IoT device;
sending the identification information of the first component to a service device, to obtain the vulnerability triggering information corresponding to the first component that the service device looks up in a first vulnerability library;
triggering, based on the vulnerability triggering information, the first component to call a vulnerability function, in order to determine whether the first component has a vulnerability.
In a third aspect, the embodiments provide a service device including a memory, a processor and a computer program stored in the memory; the processor implements the method provided in any embodiment of this application when executing the computer program.
In a fourth aspect, the embodiments provide a vulnerability detection module for deployment in an IoT device; the module includes a memory, a processor and a computer program stored in the memory, and the processor implements the method provided in any embodiment of this application when executing the computer program.
In a fifth aspect, the embodiments provide an IoT device including the vulnerability detection module provided in any embodiment of this application.
In a sixth aspect, the embodiments provide a computer-readable storage medium storing a computer program which, when executed by a processor, implements the method provided in any embodiment of this application.
According to the embodiments, a first vulnerability library storing the vulnerability triggering information of components can be built in advance. For a first component contained in an IoT device, the corresponding vulnerability triggering information is looked up in the first vulnerability library and used to trigger the first component to call the vulnerability function, determining whether the component actually has the vulnerability. This avoids false vulnerability detections caused by the fragmented nature of IoT devices and so improves the accuracy of the detection results.
The above summary is for the purpose of the description only and is not intended to be limiting in any way. In addition to the illustrative aspects, embodiments and features described above, further aspects, embodiments and features of this application will be readily apparent from the drawings and the following detailed description.
Brief description of the drawings
In the drawings, unless otherwise specified, the same reference numerals throughout the figures denote the same or similar components or elements. The drawings are not necessarily drawn to scale. It should be understood that these drawings depict only some embodiments disclosed in this application and should not be regarded as limiting its scope.
FIG. 1 is a schematic diagram of an exemplary application scenario of an embodiment of this application;
FIG. 2 is a flowchart of a vulnerability information processing method according to an embodiment of this application;
FIG. 3 is a flowchart of a vulnerability information processing method according to another embodiment;
FIG. 4 is a flowchart of a vulnerability information processing method according to yet another embodiment;
FIG. 5 is a structural block diagram of the vulnerability information processing system in an application example of this application;
FIG. 6 is a structural block diagram of the IoT device vulnerability operation and maintenance framework in the application example;
FIG. 7 is a structural block diagram of the IoT device component feature operation and maintenance framework in the application example;
FIG. 8 is a structural block diagram of the IoT device component data collection and component identification framework in the application example;
FIG. 9 is a structural block diagram of the IoT device vulnerability identification framework in the application example;
FIG. 10 is a structural block diagram of an electronic device for implementing the method of the embodiments of this application.
Detailed description
In the following, only certain exemplary embodiments are briefly described. As those skilled in the art will recognise, the described embodiments can be modified in various ways without departing from the spirit or scope of this application. Accordingly, the drawings and description are to be regarded as illustrative in nature and not restrictive.
To facilitate understanding of the technical solutions of the embodiments, an application scenario in which the vulnerability information processing method of the embodiments can be implemented is introduced first.
FIG. 1 shows a schematic diagram of an exemplary application scenario. As shown in FIG. 1, a service device for vulnerability detection is deployed in this scenario. The service device can access a public vulnerability library to obtain the information security vulnerabilities disclosed there. For example, the public vulnerability library may include CVE (Common Vulnerabilities & Exposures), which resembles a dictionary that provides public names for widely recognised information security vulnerabilities, for users or related services to query. Based on the information obtained from the public vulnerability library, the vulnerability service device can work out the IoT device components involved in each vulnerability. In some scenarios, the service device can also access a source code repository to obtain the source code of the IoT device components. In this way, for the IoT device components involved in a vulnerability, the service device can further analyse the corresponding vulnerability triggering information, such as the function involved in the vulnerability, the function parameters that trigger it, and the return value that the function produces for those parameters as a consequence of the vulnerability. Based on one or more of these pieces of information, the service device can build a dedicated vulnerability library and use it for more accurate vulnerability detection.
As shown in FIG. 1, in some application scenarios the service device can also build a component feature library by accessing the source code repository. For example, the service device can compile the binary files of the IoT device components from the source code obtained from the repository and derive the components' identification features by analysing those binary files. Some embodiments of this application propose identification features that are independent of the device's system and architecture; in some scenarios these features can be further optimised to overcome the effect on component identification of the multiple operating systems, multiple architectures, diverse compilation conditions and software trimming found in fragmented IoT scenarios. Based on these identification features, the service device can build a component feature library with which the relevant components in an IoT device can be identified.
As shown in FIG. 1, a vulnerability detection module can be configured in the IoT device to interact with the service device and complete vulnerability detection. For example, the vulnerability detection module can access the component feature library and use the identification features of the vulnerability-related components stored there to identify the relevant components in the IoT device. The vulnerability detection module can then send the information about the relevant components to the service device, so that the service device returns the information corresponding to that component from the dedicated vulnerability library. With this information the vulnerability detection module can accurately determine whether the vulnerability actually exists.
To understand the features and technical content of the embodiments in more detail, their implementation is described below with reference to the drawings, which are for illustration only and are not intended to limit the embodiments.
FIG. 2 shows a flowchart of a vulnerability information processing method according to an embodiment of this application. As shown in FIG. 2, the method may include:
S210: determining a first component contained in the IoT device;
S220: looking up, in a first vulnerability library, the vulnerability triggering information corresponding to the first component; where the vulnerability triggering information is used to trigger the first component to call a vulnerability function, in order to determine whether the first component has a vulnerability.
Optionally, the above steps may be performed by the service device shown in FIG. 1. For example, the service device can determine the first component contained in the IoT device by interacting with the vulnerability detection module in the device, e.g. by receiving component information sent by the IoT device and determining the first component from it. After looking up the vulnerability triggering information for the first component in the first vulnerability library, the service device can also send that information to the vulnerability detection module, which uses it to trigger the first component to call the vulnerability function and determine whether the first component has the vulnerability. The vulnerability detection module may be a functional module integrated and compiled into the device firmware, or a functional module independent of the IoT device that can be fitted to it. Since the vulnerability detection module provides security functions for the IoT device, it can also be understood as the security agent module of the device. The program modules in the service device that implement steps S210 and S220, together with the vulnerability detection module in the IoT device, form an IoT device vulnerability identification framework, which determines whether a vulnerability actually exists by calling the vulnerability function.
Optionally, the above steps can also be performed by the vulnerability detection module in the IoT device. For example, the module can determine the first component itself and access the first vulnerability library to look up the corresponding vulnerability triggering information in order to call the vulnerability function.
Optionally, the components in the embodiments of this application may include open-source components in the IoT device.
Optionally, the first vulnerability library stores multiple pieces of vulnerability triggering information corresponding to multiple components, which may include components at risk of vulnerabilities. For example, the first vulnerability library may be the dedicated vulnerability library shown in FIG. 1, whose component information and vulnerability triggering information are derived from the public vulnerability library and the source code repository.
Optionally, the first vulnerability library may store description information of the vulnerabilities corresponding to the multiple components, together with the vulnerability triggering information of each vulnerability. On this basis, step S220 may first look up the description of the vulnerability corresponding to the first component in the first vulnerability library and then obtain the corresponding vulnerability triggering information from that description.
Optionally, the first component may be any component in the IoT device, or a particular component in the device, such as one at risk of a vulnerability.
For example, the vulnerability detection module in the IoT device can periodically run vulnerability detection on any component in the device, sending the component's identification information, such as its name and version number, to the service device, which looks up whether the first vulnerability library contains information about that component. If not, the component is considered to have no vulnerability; if so, the component's vulnerability triggering information is returned to the vulnerability detection module, which triggers the component to call the vulnerability function and determines from the function's return result whether the vulnerability actually exists.
As another example, the vulnerability detection module can access a pre-built component feature library, e.g. one built from the source code of the components involved in vulnerabilities, and compare the identification features of the components in the IoT device with the identification features of each component in the library to determine whether the device contains one of the library's components, that component being one at risk of a vulnerability. If it does, the component's identification information is sent to the service device, which looks up the component's vulnerability triggering information in the first vulnerability library and returns it to the vulnerability detection module, which triggers the component to call the vulnerability function and determines from the return result whether the vulnerability actually exists.
Optionally, the vulnerability function is a function in the component related to the vulnerability, and can be determined by analysing the component's source code together with the vulnerability information provided by the public vulnerability library, such as the vulnerability patch.
Optionally, the vulnerability triggering information may include the vulnerability function, the function parameters used to trigger it, and a preset return value. The function parameters may be the vulnerability-triggering parameters determined by analysing the component's source code and the vulnerability information from the public vulnerability library. The preset return value may be the return value that the function produces, as a consequence of the vulnerability, for those parameters, likewise determined by analysing the source code and the public vulnerability information. If the preset return value equals the return value obtained in practice by calling the vulnerability function with those parameters, the first component is considered to have the vulnerability; if they differ, the component is considered not to have it. That is, the function parameters are used to call the vulnerability function in the first component to obtain its return value, and the preset return value is compared with that return value to determine whether the first component has the vulnerability.
Thus, according to the above method, a first vulnerability library storing the vulnerability triggering information of components can be built in advance; for a first component contained in the IoT device, the corresponding triggering information is looked up in the library and used to trigger the first component to call the vulnerability function, determining whether the component actually has the vulnerability. This avoids false detections caused by the fragmented nature of IoT devices and improves the accuracy of the detection results.
Optionally, the embodiments also provide a way of operating and maintaining the first vulnerability library. Specifically, the method may further include:
reading vulnerability information from a second vulnerability library and determining a second component related to the vulnerability;
determining the vulnerability triggering information of the second component based on the vulnerability information and the source code of the second component;
storing the identification information of the second component and the vulnerability triggering information in the first vulnerability library.
These steps can be performed by the service device, or by an IoT device vulnerability operation and maintenance framework that includes the service device. The framework connects to the second vulnerability library and the source code repository, and stores its output in the first vulnerability library.
The second vulnerability library may be a public vulnerability library, e.g. CVE, including NVD (National Vulnerability Database, USA), CNNVD (China National Vulnerability Database of Information) and CNVD (China National Vulnerability Database).
The vulnerability information in the second vulnerability library may include the component at risk, the component's version information and the vulnerability patch. In some scenarios it may also include a specific description of the vulnerability and its root cause.
In the embodiments, the second component is the vulnerability-related component determined from the vulnerability information in the second vulnerability library. After determining it, its source code can be obtained from the source code repository and analysed together with the vulnerability information, such as the patch and the cause of the vulnerability, to determine the second component's vulnerability triggering information, including the vulnerability function in the second component, the triggering function parameters and the preset return value. Once this is stored in the first vulnerability library, an IoT device that needs to check for vulnerability risks can find the triggering information of the relevant component there and determine whether the component on the device actually has the vulnerability.
As explained above, some embodiments also propose identifying the components in an IoT device using identification features independent of the device's system and architecture, to overcome the effect on component identification of the multiple operating systems, architectures, compilation conditions and software trimming in fragmented IoT scenarios. FIG. 3 shows a vulnerability information processing method according to another embodiment; it may be performed by the service device shown in FIG. 1, or by an IoT component feature operation and maintenance framework that includes the service device, but is not limited to these. The method includes:
S310: reading the identification information of a third component from the first vulnerability library, and obtaining, based on that identification information, multiple source codes corresponding to multiple versions of the third component;
S320: obtaining multiple binary files from the multiple source codes;
S330: parsing each of the binary files to obtain multiple invariant sets, one per binary file;
S340: obtaining at least one component identification feature of the third component from the multiple invariant sets; where the component identification feature is used to identify whether the IoT device contains the third component.
The third component may be any component in the first vulnerability library; for example, it may stand for every component in the library. The above embodiment thus gives the steps for determining at least one component identification feature of the third component. From the identification features of each component, a component feature library can be built and maintained, so that the vulnerability detection module in the IoT device can identify the device's components by accessing it.
In the above method, the source codes of the multiple versions of the third component can be obtained by accessing a source code repository, which may be an open-source community repository or a local one. For example, according to the list of vulnerability-related components provided by the first vulnerability library, the open-source community repositories can be accessed periodically to pull the source code of each component and build a local source code repository. The corresponding binary files can then be compiled from the source code for the mainstream system architectures, and optionally a binary file repository can be built to store them.
The invariant set obtained by parsing a binary file may include one or more invariants. In the embodiments, an invariant is field information that persists throughout compilation from source code to binary. Because of the multi-architecture, multi-system fragmentation of IoT, different CPU architectures, operating systems and compiler optimisation options cause large differences between the binaries compiled even from the same source code, so deriving the component identification features from invariant sets improves identification accuracy. Invariant sets may include constant strings, constant values, function lists, function parameter lists and so on.
According to the above method, for each of the multiple versions of the third component, the corresponding source code, binary file and invariant set are determined in turn, yielding an invariant set per version. In practice, computations over these invariant sets can filter and optimise the invariants to obtain the final component identification features. There are several optional ways of deriving the features from the invariant sets; a few examples follow, and those skilled in the art may use one or more of them to obtain the component identification features of the third component.
Example 1:
Step S340, obtaining at least one component identification feature of the third component from the multiple invariant sets, includes: obtaining a first component identification feature of the third component from the intersection of the multiple invariant sets.
Since the intersection reflects the invariants shared by all versions of the third component, an accurate component identification feature can be derived from it.
Optionally, the intersection can be used directly as the first component identification feature, or processed first. For example, invariants whose component coverage is greater than a first threshold are removed from the intersection to obtain the first component identification feature of the third component.
The component coverage of an invariant can be obtained by statistics over the invariants parsed from the binary files of multiple components. Specifically, component coverage is the proportion of components that contain the invariant relative to the total number of components. For example, it can be obtained by counting the occurrences of the invariant across the files in the binary file repository.
According to this example, removing from the intersection the invariants whose component coverage exceeds the first threshold avoids the effect on identification of invariants that carry no distinguishing information, further improving identification accuracy.
Example 2:
Step S340 includes: obtaining a second component identification feature of the third component from the similarity between the multiple invariant sets.
For example, the similarity between the invariant sets of the multiple versions of the third component can be used directly as a component identification feature of the third component and stored in the component feature library.
The similarity between the multiple invariant sets characterises the similarity between the versions of the third component; it may include the pairwise similarities between all invariant sets, or the similarities within multiple groups of invariant sets, where each group contains two invariant sets selected from the multiple sets according to a preset rule.
Using the similarity between the invariant sets of different versions of a component as an identification feature is convenient to store and speeds up component identification.
Example 3:
Step S340 includes: constructing a regular expression from a specific string in the multiple invariant sets, and using the regular expression as a third component identification feature of the third component.
In some components, specific strings in the binary contain the component's name and version information; regular expressions that directly identify the component can be built from these strings and used as an identification feature, improving the component recognition rate and speed.
Some embodiments also propose identifying the component version using the above invariant sets. Specifically, the vulnerability information processing method may further include:
obtaining, from the multiple invariant sets, at least one version identification feature of a first version among the multiple versions; where the version identification feature is used to identify the version of the third component when the IoT device contains the third component.
The first version may be any version of the third component, or may stand for every version of the third component, i.e. for each version at least one version identification feature can be obtained using the component's multiple invariant sets.
There are several optional ways of deriving version identification features from the invariant sets; a few examples follow, and those skilled in the art may use one or more of them to obtain the identification features of the first version of the third component.
Example 4: obtaining at least one version identification feature of the first version from the multiple invariant sets includes: determining the difference set between the first invariant set and the other invariant sets among the multiple invariant sets, and obtaining a first version identification feature of the first version from that difference set.
The first invariant set is the invariant set, among the multiple sets, that corresponds to the first version.
The other invariant sets may include all invariant sets other than the first, or the invariant sets of the N versions preceding the first version, N being an integer greater than or equal to 1. For example, the difference set may be between the first invariant set and the union of all the other sets; it then contains only the invariants unique to the first invariant set and therefore identifies the first version accurately. As another example, the difference set may be taken against the invariant set of the version immediately preceding the first version. Since, as a technology iterates, algorithm functions are usually added on top of the previous version, computing the difference set against the previous version's invariant set is more efficient.
Optionally, the difference set can be used directly as the version identification feature of the first version, or processed first. For example, obtaining the first version identification feature from the difference set includes: removing from the difference set the invariants whose occurrence frequency is greater than a second threshold.
The occurrence frequency of an invariant can be obtained by statistics over the invariants parsed from the binaries of multiple components. Specifically, it is the number of times the invariant occurs across all components; for example, it can be obtained by counting occurrences across the files in the binary file repository, where an invariant occurring in several versions of the same component is counted only once.
According to this example, removing from the difference set the invariants whose occurrence frequency exceeds the second threshold avoids the effect on identification of invariants that carry no distinguishing information, further improving identification accuracy.
Example 5: obtaining at least one version identification feature of the first version from the multiple invariant sets includes: obtaining a second version identification feature of the first version from the similarity between the first invariant set and the other invariant sets.
For example, the similarity between the first invariant set and the other invariant sets can be used directly as a version identification feature of the first version and stored in the component feature library.
The similarity may include the similarity between the first invariant set and each of the other invariant sets. For example, it can be represented as a vector in which each element corresponds to one invariant set and gives the similarity between the first invariant set and that set.
Using the similarity between invariant sets as a version identification feature is convenient to store and speeds up identification.
Example 6: obtaining at least one version identification feature of the first version from the multiple invariant sets includes: constructing a regular expression from a specific string in the first invariant set and using it as a third version identification feature of the first version.
In some components, specific strings in the binary contain the component's version information; regular expressions that directly identify the version can be built from them and used as an identification feature, improving the recognition rate and speed for component versions.
From the above, component identification features and version identification features can be obtained for each component in the first vulnerability library, so that the vulnerability detection module in the IoT device can compare them with the identification features of the device's components to identify the components and their versions.
FIG. 4 shows a vulnerability information processing method according to another embodiment, which may be performed by the vulnerability detection module in the IoT device, but is not limited to it. The method may include:
S410: determining a first component contained in the IoT device;
S420: sending the identification information of the first component to the service device, to obtain the vulnerability triggering information corresponding to the first component that the service device looks up in the first vulnerability library;
S430: triggering, based on the vulnerability triggering information, the first component to call the vulnerability function, in order to determine whether the first component has a vulnerability.
Technical details of this method can be implemented with reference to the preceding embodiments and are not repeated here.
Optionally, the vulnerability triggering information may include the vulnerability function, the function parameters used to trigger it, and a preset return value. Accordingly, step S430 may include:
triggering the first component to call the vulnerability function with the function parameters, obtaining the function's return value;
comparing the return value of the vulnerability function with the preset return value to determine whether the first component has the vulnerability.
If the return value matches the preset return value, the first component is determined to have the vulnerability; if it does not, the first component is determined not to have it.
Optionally, before step S430, it can first be checked whether the first component contains the vulnerability function. If it does not, the first component can be determined directly not to have the vulnerability; only if the first component does contain the vulnerability function is step S430 performed for further judgement.
Optionally, step S410, determining the first component contained in the IoT device, may include:
obtaining the identification features corresponding to the component binary files of the IoT device;
determining, from the identification features, the first component contained in the IoT device and/or the version of the first component.
Specifically, after obtaining the identification features of the device's own component binary files, the component feature library can be accessed and those features compared with, or computed against, the identification features of multiple components to identify the components the device contains. Here the identification features may include component identification features and/or version identification features, and the identified information may correspondingly include the component and/or its version.
For example, obtaining the identification features corresponding to the component binary files of the IoT device includes:
obtaining the identification information of the component binary files of the IoT device;
downloading, from the cloud, the identification features corresponding to the component binary files based on that identification information.
Here, the identification information of a component binary file may include the file's name and/or path. The component binary files may include the binaries of multiple versions of a component, so the identification features of multiple versions can be downloaded from the cloud based on the identification information. The identification features may include the component identification feature corresponding to the binary and/or the version identification feature of each version, or these can be parsed out of the downloaded features, so that the component in the device is identified with the component identification feature and its specific version with the version identification features.
For example, determining the first component and/or its version from the identification features includes:
determining, among multiple components, the first component contained in the IoT device, based on at least one component identification feature corresponding to the device's component binary files and on at least one pre-stored component identification feature of each of the multiple components.
The component identification features can be implemented with reference to Examples 1-3 above. Specifically, a condition can be preset for each component identification feature; when every component identification feature of the i-th component among the multiple components satisfies its condition, the IoT device is determined to contain the i-th component, i.e. the i-th component is the first component. Here i is an integer greater than or equal to 1.
For a first component identification feature that contains at least one invariant, the intersection of the device's first component identification feature with that of the i-th component is compared with the i-th component's first component identification feature: if the number of elements in the intersection, as a proportion of the number of elements in the i-th component's first component identification feature, is greater than a third threshold, the condition is considered met.
For a second component identification feature that contains a similarity value, the difference between the device's second component identification feature and that of the i-th component is compared with a fourth threshold: if the difference is less than the fourth threshold, the condition is considered met.
For a third component identification feature that contains a regular expression, it is determined directly or indirectly whether the component binary file contains the specific string; if it does, the condition is considered met.
Similarly, when the IoT device contains the first component, determining the first component and/or its version from the identification features includes:
determining the version of the first component in the IoT device based on at least one version identification feature corresponding to the device's component binary files and on at least one version identification feature of each version of the first component.
The version identification features can be implemented with reference to Examples 4-6 above. Specifically, a condition can be preset for each version identification feature; when every version identification feature of the j-th version among the multiple versions satisfies its condition, the version of the first component in the IoT device is determined to be the j-th version. Here j is an integer greater than or equal to 1.
For a first version identification feature that contains at least one invariant, the intersection of the device's first version identification feature with that of the j-th version is compared with the j-th version's first version identification feature: if the number of elements in the intersection, as a proportion of the number of elements in the j-th version's first version identification feature, is greater than the third threshold, the condition is considered met.
For a second version identification feature that contains a similarity value, the difference between the device's second version identification feature and that of the j-th version is compared with the fourth threshold: if the difference is less than the fourth threshold, the condition is considered met.
For a third version identification feature that contains a regular expression, it is determined directly or indirectly whether the component binary file contains the specific string; if it does, the condition is considered met.
The above identification process can be implemented by an IoT device component data collection and component identification framework formed on the basis of the vulnerability detection module in the IoT device. In some applications of the embodiments, the IoT device and the service device can form a vulnerability information processing system that, based on the connections between the service device and the databases and on the interaction between the service device and the vulnerability detection module, provides functional frameworks such as the IoT device vulnerability operation and maintenance framework, the IoT device component feature operation and maintenance framework, the IoT device component data collection and component identification framework and the IoT device vulnerability identification framework, improving detection accuracy in several respects without being limited by the device's system or architecture. To present the technical idea more clearly, a specific application example is given below from the perspective of these frameworks.
FIG. 5 shows the structural block diagram of the vulnerability information processing system in this application example. As shown in FIG. 5, the IoT device vulnerability operation and maintenance framework obtains public vulnerability information, parses out the relationship between vulnerabilities and components, the functions affected by each vulnerability and so on, and stores the parsed information in the first vulnerability library it builds. The IoT device component feature operation and maintenance framework analyses the binary files of the components affected by vulnerabilities to build the components' identification features, storing them in the component feature library it builds. The IoT device component data collection and component identification framework uses the security agent preset on the device (the security agent module, i.e. the vulnerability detection module above) to collect the device's system files and identify specific components and versions from the components' identification features, producing the IoT device component list. The IoT device vulnerability identification framework obtains vulnerability triggering information from the first vulnerability library according to the component list, uses the device's preset security agent to judge the validity of each vulnerability, and gives the final identification result, the IoT device vulnerability list.
FIG. 6 shows the structural block diagram of the IoT device vulnerability operation and maintenance framework in the system. As shown in FIG. 6, the framework collects vulnerability information from public vulnerability libraries such as NVD, CNNVD and CNVD, parses out the correspondence between vulnerabilities and components and stores it in the first vulnerability library; it also collects component source code from open-source community repositories to build a local component source code repository. Using the source code from the local repository together with the vulnerability patches in the first vulnerability library, it analyses which component functions a vulnerability affects and the relationship between function parameters and the vulnerability, e.g. that feeding particular parameters to the vulnerability function and getting a particular result back indicates that the vulnerability is present. The analysis results are also stored in the first vulnerability library. The first vulnerability library built by this framework therefore contains the vulnerability description, the correspondence between vulnerabilities and components and versions, the correspondence between vulnerabilities and component functions, the function parameters that trigger the vulnerability and the preset return value.
FIG. 7 shows the structural block diagram of the IoT device component feature operation and maintenance framework in the system. IoT scenarios involve a wide variety of systems and architectures, but the binary files that end up on the device always contain certain invariants, such as constant strings, constant values, function lists and function parameter lists. The set of these invariants of a component can uniquely represent the component, a subset of it can represent each version of the component, and some invariants even directly contain the component and version information.
In this application example, a component's identification features comprise three levels and multiple dimensions. The first level is the containment relationship between binary files and components: from the name of a binary file its component can be roughly inferred. The second level is accurately identifying the component name from the invariant features of the binary file. The third level is accurately identifying, from the invariant features of the binary file, which version of the component it belongs to. The multiple dimensions are the specific combinations of invariants that represent a component, the similarity values that represent a component, the specific combinations of invariants that represent a component version, the specific strings that can match a component version, and so on.
As shown in FIG. 7, the framework, based on the first vulnerability library built by the IoT device vulnerability operation and maintenance framework, analyses the list of components involved in vulnerabilities, periodically pulls the source code of each listed component from open-source community repositories to build a local component source code repository, compiles component binaries for the mainstream system architectures and builds a component binary repository.
From the binary repository, a component-to-binary relationship repository is built first; then the invariants in all component files under the different system architectures are parsed out to build a component invariant repository, from which the component coverage c and occurrence frequency f of each invariant are computed, with a coverage threshold C and a frequency threshold F. The intersection of the invariant sets of a component's different versions is taken as the component's raw feature; removing the invariants whose coverage is greater than C yields the invariant feature for component identification, the first component identification feature. To ease storage and speed up identification, similarity values of the invariants of the component's different versions, such as simhash, can also be computed as the component's second component identification feature. The difference set of invariants between the component's different versions is taken as the raw feature of a component version; removing the invariants whose occurrence frequency is greater than F yields the invariant feature for version identification, the first version identification feature. In most components, certain invariants contain the component's name and current version; regular expressions that directly identify the component and version can be built from them, and these regular expression features can supplement the component features, e.g. as the third component identification feature and third version identification feature, further improving the recognition rate and speed. On this basis, a feature repository for identifying components, a feature repository for identifying component versions and a regular expression feature repository for identifying components and versions are built.
When using the component/version invariant features, a feature recognition threshold S1 must be set. Based on this threshold, if the following is satisfied: then the binary file can be identified as that version of the component. When using the invariant similarity feature of a component version, a similarity threshold S2 must be set; based on it, if the difference between the similarity value of the invariant set of the binary to be identified and the invariant similarity value of the component version is < S2, the binary file is identified as that version of the component. When using the regular expression features of component versions, the regular expression directly or indirectly parses the component and version out of the binary file's invariants.
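The feature construction of Examples 1-6 and the threshold matching just described, as an added worked example that is not the patent's own code. The component corpus, the device invariant sets and the threshold values C, F, S1 and S2 are constructed for illustration; md5 is used only as the per-item hash inside simhash, and the version-feature difference set is taken against all other versions (the first of the two options given in Example 4).

```python
"""Added example (not the patent's code): building the component and version
identification features from invariant sets and matching a device binary
against them. The corpus, the device invariant sets and the threshold values
C, F, S1 and S2 are all constructed for illustration."""
import hashlib
import re
from collections import Counter

# Constructed corpus: component -> version -> invariants parsed from the binary
# compiled for that version (function names and constant strings).
CORPUS = {
    "libfoo": {
        "1.0": {"foo_init", "foo_parse", "foo_free", "libfoo 1.0",
                "malloc", "memcpy", "printf"},
        "1.1": {"foo_init", "foo_parse", "foo_free", "foo_verify", "libfoo 1.1",
                "malloc", "memcpy", "printf"},
        "1.2": {"foo_init", "foo_parse", "foo_free", "foo_verify", "foo_stream",
                "foo_stream_close", "libfoo 1.2", "malloc", "memcpy"},
    },
    "libbar": {
        "2.0": {"bar_open", "bar_read", "libbar 2.0", "malloc", "memcpy", "printf"},
        "2.1": {"bar_open", "bar_read", "bar_seek", "libbar 2.1", "malloc", "memcpy"},
    },
}

C = 0.5    # coverage threshold: drop invariants shared by more than half the components
F = 1      # frequency threshold: drop invariants seen in more than one component
S1 = 0.6   # fraction of a feature set that must be present on the device (strict >)
S2 = 24    # max simhash Hamming distance (illustrative, deliberately loose)
# Third feature: a constant string that names the component and its version.
NAME_VERSION_RE = re.compile(r"^(?P<name>[a-z][\w-]*) (?P<ver>\d+(?:\.\d+)+)$")


def invariant_stats(corpus):
    """Coverage c (fraction of components containing the invariant) and frequency f
    (number of components containing it); several versions of one component count once."""
    counts = Counter()
    for versions in corpus.values():
        for inv in set().union(*versions.values()):
            counts[inv] += 1
    return {inv: (n / len(corpus), n) for inv, n in counts.items()}


def component_feature(corpus, name, stats):
    """First component identification feature: intersection over all versions,
    minus invariants whose coverage exceeds C."""
    common = set.intersection(*corpus[name].values())
    return {inv for inv in common if stats[inv][0] <= C}


def version_feature(corpus, name, version, stats):
    """First version identification feature: invariants of this version absent from
    all other versions, minus invariants whose frequency exceeds F."""
    others = set().union(*(s for v, s in corpus[name].items() if v != version))
    return {inv for inv in corpus[name][version] - others if stats[inv][1] <= F}


def simhash(invariants, bits=64):
    """Second feature: 64-bit simhash over the invariant set (md5 as the per-item hash)."""
    acc = [0] * bits
    for inv in invariants:
        h = int.from_bytes(hashlib.md5(inv.encode()).digest()[:8], "big")
        for i in range(bits):
            acc[i] += 1 if (h >> i) & 1 else -1
    return sum(1 << i for i, v in enumerate(acc) if v > 0)


def hamming(a, b):
    return bin(a ^ b).count("1")


def present_ratio(feature, device):
    return len(feature & device) / len(feature) if feature else 0.0


def identify(device, corpus, stats):
    """Return (component, version, how) for a device's invariant set, or None.
    Regex features are tried first; then the component feature gate; then each
    version must pass both its invariant feature (S1) and its simhash distance (S2)."""
    for inv in sorted(device):
        m = NAME_VERSION_RE.match(inv)
        if m and m["ver"] in corpus.get(m["name"], {}):
            return m["name"], m["ver"], "regex"
    for name, versions in corpus.items():
        if present_ratio(component_feature(corpus, name, stats), device) <= S1:
            continue
        dev_hash = simhash(device)
        best = None
        for ver, invs in versions.items():
            if present_ratio(version_feature(corpus, name, ver, stats), device) <= S1:
                continue
            dist = hamming(simhash(invs), dev_hash)
            if dist < S2 and (best is None or dist < best[1]):
                best = (ver, dist)
        if best:
            return name, best[0], "invariants"
    return None


# Constructed device invariant sets: a trimmed libfoo 1.2 build with the version
# string stripped and foo_free compiled out, a libbar build that kept its version
# string, and an unrelated binary.
DEVICE_TRIMMED_FOO = {"foo_init", "foo_parse", "foo_verify", "foo_stream",
                      "foo_stream_close", "malloc", "memcpy"}
DEVICE_BAR = {"bar_open", "bar_read", "bar_seek", "libbar 2.1", "malloc"}
DEVICE_OTHER = {"sqlite3_open", "malloc"}

if __name__ == "__main__":
    stats = invariant_stats(CORPUS)
    for dev in (DEVICE_TRIMMED_FOO, DEVICE_BAR, DEVICE_OTHER):
        print(identify(dev, CORPUS, stats))
```

The trimmed libfoo build is the case the text is designed for: its version string is gone, so the regular expression cannot fire, but two of the three component-level invariants and two of the three version-level invariants survive the trimming and clear S1, and the simhash distance to the 1.2 build stays under S2. Note that the coverage filter only removes invariants that several components share (malloc, memcpy, printf); with a realistic corpus of hundreds of components the C and F thresholds need tuning against the binary repository rather than being set by hand as here.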
FIG. 8 shows the structural block diagram of the IoT device component data collection and component identification framework in the system. The framework uses the security agent running on the IoT device to scan the names and paths of the device's binary files, downloads the component identification features of the corresponding files from the cloud, then parses the invariants in the binaries, identifies the component name with the component features, and identifies the specific version with the component version features.
The security agent used during identification is a security information collection tool running on the IoT device; it can be integrated and compiled into the device firmware or installed on the device afterwards. Running on the device, it can collect the device's static and runtime information.
Because the component identification process uses invariants independent of the device's system and architecture, it is not affected by the specific operating system and architecture of the device. The invariant features of components and of their versions still provide a high recognition rate even when components have been trimmed, which suits fragmented, resource-constrained scenarios such as IoT.
FIG. 9 shows the structural block diagram of the IoT device vulnerability identification framework in the system. Based on the names and version list of the identified components, the framework queries the first vulnerability library for the component vulnerability list, then uses the security agent to call the vulnerability functions in real time to judge whether each vulnerability actually exists.
Specifically, on the one hand, as shown in FIG. 9, the first vulnerability library records the correspondence between components and vulnerabilities, so the vulnerabilities present in a component can be queried using the identified component name and version information.
On the other hand, the first vulnerability library records the functions affected by each vulnerability and the triggering conditions, so the security agent can actually call the relevant function on the device and judge from its return value whether the vulnerability really exists. This breaks down into several dimensions:
1. the vulnerability-related function does not exist: the vulnerability does not exist;
2. the function exists, and when called with the vulnerability-triggering parameters its return value does not match the result corresponding to the vulnerability: the vulnerability has been fixed;
3. the function exists, and when called with the vulnerability-triggering parameters its return value matches the result corresponding to the vulnerability: the vulnerability has not been fixed, and the device may be compromised through it.
By calling the functions, the security agent returns the vulnerability determination results, and the component's real vulnerability list is obtained.
Thus, according to the embodiments of this application, a first vulnerability library storing the vulnerability triggering information of components can be built in advance; for a first component contained in the IoT device, the corresponding triggering information is looked up in the library and used to trigger the first component to call the vulnerability function, determining whether the component actually has the vulnerability. This avoids false detections caused by the fragmented nature of IoT devices and improves the accuracy of the detection results.
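The agent-side verification step and its three outcomes, as an added worked example that is not the patent's or Alibaba Cloud's code. The trigger record, the vulnerability identifier `VULN-TOY-0001`, the `hdr_length` function and its unpatched and patched bodies are all constructed; a real agent would call the function in the component's shared object through an FFI rather than a Python callable. One caveat the page does not state: the trigger parameters are by definition the malicious input, so the call should be made in a throwaway process (or against a copy of the component) rather than inside a live service, and a call that crashes is reported as its own outcome here instead of being folded into "patched".

```python
"""Added example (not the patent's code): the security agent's verification step,
i.e. calling the vulnerability function with the trigger parameters from the first
vulnerability library and comparing the return value with the preset one.
The trigger entry, the vulnerability identifier and the toy component functions
are constructed for illustration."""
from dataclasses import dataclass
from typing import Any, Callable, Mapping, Sequence


@dataclass(frozen=True)
class VulnTrigger:
    """One record of the first vulnerability library: the affected function,
    the parameters that trigger the vulnerability, and the return value the
    unpatched function yields for them (the preset return value)."""
    vuln_id: str
    function: str
    args: Sequence[Any]
    expected_return: Any


def verify(component: Mapping[str, Callable[..., Any]], trig: VulnTrigger) -> str:
    """The three-way determination described above. `component` maps exported
    function names to callables, standing in for a loaded component binary."""
    fn = component.get(trig.function)
    if fn is None:
        return "absent"          # 1. function does not exist -> vulnerability absent
    try:
        result = fn(*trig.args)
    except Exception as exc:     # not one of the page's three cases: the trigger
        return f"crashed:{type(exc).__name__}"  # input crashed the function
    if result == trig.expected_return:
        return "vulnerable"      # 3. return value matches the preset one -> not fixed
    return "patched"             # 2. return value differs -> fixed


def scan(component, triggers):
    """Run every trigger that applies to the component; the result is the
    component's real vulnerability list."""
    return {t.vuln_id: verify(component, t) for t in triggers}


# Toy component: a header parser whose unpatched build trusts the declared length.
def hdr_length_unpatched(data: bytes) -> int:
    return int.from_bytes(data[:2], "big")


def hdr_length_patched(data: bytes) -> int:
    n = int.from_bytes(data[:2], "big")
    return n if n <= len(data) - 2 else -1   # reject a length larger than the payload


# Constructed trigger: a 2-byte header declaring 65535 bytes with no payload.
TRIGGERS = [VulnTrigger("VULN-TOY-0001", "hdr_length", [b"\xff\xff"], 65535)]

UNPATCHED_BUILD = {"hdr_length": hdr_length_unpatched}
PATCHED_BUILD = {"hdr_length": hdr_length_patched}
TRIMMED_BUILD = {}   # the function was compiled out of this build

if __name__ == "__main__":
    for label, build in (("unpatched", UNPATCHED_BUILD), ("patched", PATCHED_BUILD),
                         ("trimmed", TRIMMED_BUILD)):
        print(label, scan(build, TRIGGERS))
```

A "patched" verdict only means the return value differs from the preset one; a backported fix that changes the return value in a way the library entry does not anticipate, or a build with a different error convention, also lands there, so the preset return value in the library should be maintained per component version rather than per vulnerability.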
The embodiments of this application also provide an electronic device for implementing the above methods, e.g. the service device above or the vulnerability detection module in the IoT device. FIG. 10 shows the structural block diagram of an electronic device according to an embodiment. As shown in FIG. 10, the electronic device includes a memory 1010 and a processor 1020; the memory 1010 stores a computer program that can run on the processor 1020, and the processor 1020 implements the vulnerability information processing method of the above embodiments when executing it. There may be one or more memories 1010 and processors 1020.
The electronic device also includes:
a communication interface 1030 for communicating with external devices and exchanging data.
If the memory 1010, the processor 1020 and the communication interface 1030 are implemented independently, they can be connected to each other and communicate through a bus. The bus may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc., and can be divided into an address bus, a data bus, a control bus and so on. For ease of representation only one thick line is drawn in FIG. 10, which does not mean there is only one bus or one type of bus.
Optionally, if the memory 1010, the processor 1020 and the communication interface 1030 are integrated on a single chip, they can communicate with each other through an internal interface.
The embodiments also provide an IoT device including the above vulnerability detection module.
The embodiments also provide a computer-readable storage medium storing a computer program which, when executed by a processor, implements the method provided in any embodiment of this application.
The embodiments also provide a computer program product comprising a computer program which, when executed by a processor, implements the method provided in any embodiment of this application.
The embodiments also provide a chip comprising a processor for calling and running instructions stored in a memory, so that a communication device fitted with the chip executes the method provided by the embodiments of this application.
The embodiments also provide a chip comprising an input interface, an output interface, a processor and a memory connected through an internal connection path; the processor is used to execute the code in the memory and, when the code is executed, to perform the method provided by the embodiments of this application.
It should be understood that the processor may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. A general-purpose processor may be a microprocessor or any conventional processor. Notably, the processor may be one that supports the Advanced RISC Machines (ARM) architecture.
Further, optionally, the memory may include read-only memory and random access memory, and may also include non-volatile random access memory. The memory may be volatile memory or non-volatile memory, or may include both. Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory may include random access memory (RAM), which acts as an external cache. By way of illustration and not limitation, many forms of RAM are available, for example static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM) and direct Rambus RAM (DR RAM).
The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented in whole or in part as a computer program product comprising one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions according to this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another.
In the description of this specification, references to the terms "one embodiment", "some embodiments", "an example", "specific examples" or "some examples" mean that the specific features, structures, materials or characteristics described in connection with that embodiment or example are included in at least one embodiment or example of this application. Moreover, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. In addition, those skilled in the art may combine the different embodiments or examples, and the features of different embodiments or examples, described in this specification, unless they are inconsistent with each other.
Furthermore, the terms "first" and "second" are used for descriptive purposes only and cannot be understood as indicating or implying relative importance or implicitly indicating the number of the technical features indicated. A feature qualified by "first" or "second" may therefore explicitly or implicitly include at least one such feature. In the description of this application, "plurality" means two or more, unless otherwise explicitly and specifically limited.
Any process or method description in the flowcharts or otherwise described herein may be understood as representing a module, segment or portion of code comprising one or more executable instructions for implementing specific logical functions or steps of the process. The scope of the preferred embodiments of this application includes further implementations in which functions may be performed out of the order shown or discussed, including substantially concurrently or in reverse order depending on the functionality involved.
The logic and/or steps shown in the flowcharts or otherwise described herein, for example a sequenced list of executable instructions for implementing logical functions, may be embodied in any computer-readable medium for use by, or in connection with, an instruction execution system, apparatus or device (such as a computer-based system, a system including a processor, or another system that can fetch instructions from the instruction execution system, apparatus or device and execute them).
It should be understood that parts of this application may be implemented in hardware, software, firmware or a combination thereof. In the above embodiments, multiple steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. All or part of the steps of the above method embodiments may be completed by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, includes one of the steps of the method embodiments or a combination thereof.
In addition, the functional units in the embodiments of this application may be integrated in one processing module, or each unit may exist physically alone, or two or more units may be integrated in one module. The integrated module may be implemented in hardware or as a software functional module. If implemented as a software functional module and sold or used as an independent product, it may also be stored in a computer-readable storage medium, which may be a read-only memory, a magnetic disk, an optical disc, etc.
The above are only specific embodiments of this application, but its scope of protection is not limited to them; any person skilled in the art can readily conceive of variations or substitutions within the technical scope disclosed here, and these should all be covered by the scope of protection of this application, which is therefore defined by the claims.

Claims (14)

  1. A vulnerability information processing method, comprising:
    determining a first component contained in an Internet of Things device;
    looking up, in a first vulnerability library, vulnerability triggering information corresponding to the first component; wherein the vulnerability triggering information is used to trigger the first component to call a vulnerability function so as to determine whether the first component has a vulnerability.
  2. The method according to claim 1, wherein the vulnerability triggering information comprises the vulnerability function, function parameters for triggering the vulnerability function, and a preset return value;
    the function parameters are used to call the vulnerability function in the first component to obtain a return value of the vulnerability function;
    the preset return value is used for comparison with the return value of the vulnerability function to determine whether the first component has the vulnerability.
  3. The method according to claim 1, further comprising:
    reading vulnerability information from a second vulnerability library and determining a second component related to the vulnerability;
    determining vulnerability triggering information of the second component based on the vulnerability information and the source code of the second component;
    storing identification information of the second component and the vulnerability triggering information in the first vulnerability library.
  4. The method according to claim 1, further comprising:
    reading identification information of a third component from the first vulnerability library, and obtaining, based on the identification information, a plurality of source codes corresponding respectively to a plurality of versions of the third component;
    obtaining a plurality of binary files based on the plurality of source codes;
    parsing the plurality of binary files respectively to obtain a plurality of invariant sets corresponding respectively to the plurality of binary files;
    obtaining at least one component identification feature of the third component based on the plurality of invariant sets; wherein the at least one component identification feature is used to identify whether the Internet of Things device contains the third component.
  5. The method according to claim 4, wherein obtaining at least one component identification feature of the third component based on the plurality of invariant sets comprises at least one of the following steps:
    removing, from the intersection of the plurality of invariant sets, invariants whose component coverage is greater than a first threshold, to obtain a first component identification feature of the third component;
    obtaining a second component identification feature of the third component based on the similarity between the plurality of invariant sets;
    constructing a regular expression based on a specific string in the plurality of invariant sets, and using the regular expression as a third component identification feature of the third component.
  6. The method according to claim 5, further comprising:
    obtaining, based on the plurality of invariant sets, at least one version identification feature of a first version among the plurality of versions; wherein the at least one version identification feature is used to identify the version of the third component when the Internet of Things device contains the third component.
  7. The method according to claim 6, wherein obtaining, based on the plurality of invariant sets, at least one version identification feature of a first version among the plurality of versions comprises at least one of the following steps:
    determining a difference set between a first invariant set among the plurality of invariant sets and the other invariant sets among the plurality of invariant sets, and removing from the difference set invariants whose occurrence frequency is greater than a second threshold, to obtain a first version identification feature of the first version;
    obtaining a second version identification feature of the first version based on the similarity between the first invariant set and the other invariant sets;
    constructing a regular expression based on a specific string in the first invariant set, and using the regular expression as a third version identification feature of the first version;
    wherein the first invariant set is the invariant set, among the plurality of invariant sets, corresponding to the first version.
  8. A vulnerability information processing method, comprising:
    determining a first component contained in an Internet of Things device;
    sending identification information of the first component to a service device, to obtain vulnerability triggering information corresponding to the first component looked up by the service device in a first vulnerability library;
    triggering, based on the vulnerability triggering information, the first component to call a vulnerability function so as to determine whether the first component has a vulnerability.
  9. The method according to claim 8, wherein determining a first component contained in an Internet of Things device comprises:
    obtaining identification features corresponding to component binary files of the Internet of Things device;
    determining, based on the identification features, the first component contained in the Internet of Things device and/or the version of the first component.
  10. The method according to claim 8 or 9, wherein obtaining identification features corresponding to component binary files of the Internet of Things device comprises:
    obtaining identification information of the component binary files of the Internet of Things device;
    downloading, from the cloud, the identification features corresponding to the component binary files based on the identification information of the component binary files.
  11. A service device, comprising a memory, a processor and a computer program stored in the memory, wherein the processor implements the method according to any one of claims 1-7 when executing the computer program.
  12. A vulnerability detection module for arrangement in an Internet of Things device, the vulnerability detection module comprising a memory, a processor and a computer program stored in the memory, wherein the processor implements the method according to any one of claims 8-10 when executing the computer program.
  13. An Internet of Things device, comprising the vulnerability detection module according to claim 12.
  14. A computer-readable storage medium storing a computer program which, when executed by a processor, implements the method according to any one of claims 1-10.
PCT/CN2023/099764 2022-06-17 2023-06-12 Vulnerability information processing method, service device and vulnerability detection module WO2023241529A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210691626.6A CN114969762A (zh) 2022-06-17 2022-06-17 Vulnerability information processing method, service device and vulnerability detection module
CN202210691626.6 2022-06-17

Publications (1)

Publication Number Publication Date
WO2023241529A1 true WO2023241529A1 (zh) 2023-12-21

Family

ID=82964443

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/099764 WO2023241529A1 (zh) 2022-06-17 2023-06-12 Vulnerability information processing method, service device and vulnerability detection module

Country Status (2)

Country Link
CN (1) CN114969762A (zh)
WO (1) WO2023241529A1 (zh)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3896591A1 (en) * 2020-04-17 2021-10-20 NSR S.r.l. Method and system for security assessment of iot devices
CN114969762A (zh) * 2022-06-17 2022-08-30 Alibaba Cloud Computing Co., Ltd. Vulnerability information processing method, service device and vulnerability detection module

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190294801A1 (en) * 2018-03-20 2019-09-26 ReFirm Labs, Inc. Evaluation of security of firmware
CN112685746A (zh) * 2021-01-08 2021-04-20 University of Science and Technology of China Vulnerability detection method and system for Internet of Things device firmware
CN113515457A (zh) * 2021-07-22 2021-10-19 Suzhou Zhiwei Security Technology Co., Ltd. Method and device for detecting the security of Internet of Things device firmware
CN113778509A (zh) * 2021-08-13 2021-12-10 State Grid Hebei Electric Power Co., Ltd. Electric Power Research Institute Method for determining the version of an open-source component, storage medium and electronic device
CN114398069A (zh) * 2021-12-10 2022-04-26 PLA Strategic Support Force Information Engineering University Method and system for accurate version identification of public component libraries based on cross-fingerprint analysis
CN114969762A (zh) * 2022-06-17 2022-08-30 Alibaba Cloud Computing Co., Ltd. Vulnerability information processing method, service device and vulnerability detection module

Also Published As

Publication number Publication date
CN114969762A (zh) 2022-08-30

Similar Documents

Publication Publication Date Title
WO2023241529A1 (zh) Vulnerability information processing method, service device and vulnerability detection module
Alrabaee et al. Fossil: a resilient and efficient system for identifying foss functions in malware binaries
CN107292170B (zh) Method, apparatus and system for detecting SQL injection attacks
US8935677B2 (en) Automatic reverse engineering of input formats
US20120072988A1 (en) Detection of global metamorphic malware variants using control and data flow analysis
JP2015026365A (ja) Method and apparatus for porting source code
CN106709336A (zh) Method and apparatus for identifying malware
RU2722692C1 (ru) Method and system for detecting malicious files in a non-isolated environment
CN108710662B (zh) Language conversion method and apparatus, storage medium, data query system and method
He et al. Sofi: Reflection-augmented fuzzing for javascript engines
CN113312618A (zh) Program vulnerability detection method, apparatus, electronic device and medium
US9600644B2 (en) Method, a computer program and apparatus for analyzing symbols in a computer
Zhao et al. VULDEFF: Vulnerability detection method based on function fingerprints and code differences
Wi et al. HiddenCPG: large-scale vulnerable clone detection using subgraph isomorphism of code property graphs
CN112817877B (zh) Abnormal script detection method, apparatus, computer device and storage medium
CN117940894A (zh) System and method for detecting code clones
KR102411383B1 (ko) Cyber threat information processing apparatus, cyber threat information processing method, and storage medium storing a program for processing cyber threat information
US11687652B1 (en) Clustering of binary files using architecture-agnostic digests
US10789067B2 (en) System and method for identifying open source usage
Tukaram Design and development of software tool for code clone search, detection, and analysis
Xiao et al. Performing high efficiency source code static analysis with intelligent extensions
CN110244954A (zh) A method and device for compiling an application program
CN116775040B (zh) Instrumentation method for implementing a code vaccine, and application testing method based on the code vaccine
Liu et al. PTDETECTOR: An Automated JavaScript Front-end Library Detector
US20230252144A1 (en) Cyber threat information processing apparatus, cyber threat information processing method, and storage medium storing cyber threat information processing program

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application

Ref document number: 23823097

Country of ref document: EP

Kind code of ref document: A1