
CN114117443A - Automatic vulnerability detection method and device based on vulnerability model - Google Patents


Info

Publication number
CN114117443A
Authority
CN
China
Prior art keywords
vulnerability
function
file
type
end module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111287922.1A
Other languages
Chinese (zh)
Inventor
马琪灿
陆丽
陈慧娟
曹亚南
吴博
宋玉柱
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhengzhou Aiwen Computer Technology Co ltd
Original Assignee
Zhengzhou Aiwen Computer Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhengzhou Aiwen Computer Technology Co ltd
Priority to CN202111287922.1A
Publication of CN114117443A
Legal status: Pending

Links

Images

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

The invention provides an automatic vulnerability detection device and method based on a vulnerability model. A target binary file to be detected is first uploaded; the vulnerability model is then run over the reverse-engineering result of that binary, and the locations of possible vulnerable points are returned by feature matching against the vulnerability model. The invention can locate vulnerable points in all kinds of binary programs, provides strong support for the subsequent dynamic analysis of vulnerabilities, and offers important guidance and reference value for the analysis of malicious code in binary programs.

Description

Automatic vulnerability detection method and device based on vulnerability model
Technical Field
The invention relates to the technical field of automatic vulnerability detection, in particular to an automatic vulnerability detection method and device based on a vulnerability model.
Background
A vulnerability is a functional or security-relevant logical flaw in a system, covering every factor that threatens or damages the security of a computer system; it is a defect or deficiency in the concrete implementation of the system's hardware, software, protocols or security policy. For many reasons the existence of vulnerabilities is unavoidable, and once a serious vulnerability is discovered by an attacker it may be exploited to gain unauthorized access to, or to damage, the computer system. Discovering and patching vulnerabilities before an attacker does effectively reduces threats from the network. Actively discovering and analysing system security vulnerabilities is therefore of great significance for network defence and offence.
Current vulnerability detection techniques come in many kinds: the traditional manual approach is time-consuming and labour-intensive and places high demands on the security skills of the analyst, while simple static scanning only performs a superficial analysis of the vulnerable-point functions of the target program and has a high false-positive rate.
Disclosure of Invention
In order to solve the problems in the background art, the invention provides an automatic vulnerability detection method and device based on a vulnerability model.
An automatic vulnerability detection method based on a vulnerability model comprises the following steps:
S1, reverse-engineering the binary file into an assembly-level language representation file;
S2, performing vulnerable-point function matching on the reversed binary file;
S3, searching for controllable variables using taint propagation, and further matching the vulnerable-point functions that satisfy the conditions.
Based on the above, step S1 includes:
S101, creating a binary file storage directory for storing the binary file to be detected;
S102, downloading the target binary file to the storage directory created in step S101; if the target to be detected is of firmware type, extracting the executable program with a firmware analysis tool and then storing the extracted executable program in the directory created in S101;
and S103, performing IDA reverse analysis on the file downloaded in S102 and converting it into assembly-level code.
Based on the above, step S2 includes:
S201, representing the assembly-level code in the assembly-level language representation file in decompiled form using the Hex-Rays Decompiler plug-in, and processing the code that cannot be decompiled with a self-written Python script;
S202, in the decompiled code of step S201, running different detection scripts according to the vulnerability detection type of the target program, the detection scripts being divided into a string detection type, a command injection type, a memory copy type, a format string type and an integer overflow type, and searching for all vulnerable-point functions of the corresponding type;
and S203, for the vulnerable-point functions extracted in step S202, extracting the list of all calling functions using the get_func_name() function of the idc module.
Based on the above, step S3 includes:
S301, generating a controlFlowinator object for one function in the S203 function list using the FIDL (FLARE's IDA Decompiler Library) framework;
S302, searching for controllable variables using taint propagation, first tracking down the primary tainted variables, which comprise at least the default controllable variables and the supplementary controllable variables;
S303, further searching for the secondary tainted variables derived from those of step S302, which comprise at least the directly controllable variables and the indirectly controllable variables;
S304, matching a second time according to the characteristics of the vulnerable-point functions of each category, and finding the vulnerable-point functions that carry a vulnerability;
S305, recording and storing the matching result of step S304;
and S306, repeating steps S301 to S305 until no functions remain in the function list.
An automatic vulnerability detection device based on a vulnerability model comprises:
a front-end module, used for interacting with the user and displaying the generated result, and for uploading the file to be detected, selecting the vulnerability type to test, and adding and deleting tasks;
a scheduling module, configured for communication and scheduling between the front-end module and the back-end module, which temporarily stores the task queue created by the front-end module and controls the starting and stopping of back-end tasks;
and a back-end module, used for implementing the technical scheme, which is configured with a virtual environment internally and returns the result to the scheduling module after running the target task.
Compared with the prior art, the invention has prominent substantive characteristics and represents remarkable progress, in particular:
(1) compared with traditional static reverse-analysis tools, the reverse-analysis and vulnerability-detection capability for binary programs is greatly improved; feature matching against the vulnerability model raises the probability of finding a vulnerable-point function and improves accuracy;
(2) the invention provides the user with a front-end page that is easy to interact with and a back-end automated task-processing mechanism: the user only uploads the binary file to be detected on the front end, and the back end automatically runs the vulnerability analysis and returns the result to the front end for display;
(3) the technique uses the principle of taint propagation, so that the controllable variables found for a suspected vulnerable-point function are more comprehensive and cover more cases, which improves the efficiency of finding vulnerable-point functions.
Drawings
FIG. 1 is a schematic flow diagram of the present invention.
FIG. 2 is a detailed flow diagram of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without inventive effort based on the embodiments of the present invention, are within the scope of the present invention.
As shown in fig. 1 and fig. 2, an automated vulnerability detection method based on a vulnerability model includes step S1, reverse-engineering the binary file into an assembly-level language representation; S2, performing vulnerable-point function matching on the reversed binary file; and S3, searching for controllable variables using taint propagation to further match the qualifying vulnerable-point functions.
The target program is converted into assembly-level language form with the IDA reverse-engineering tool, and the assembly language is converted into decompiled form with the decompiler plug-in; target programs that cannot be decompiled directly are processed into decompiled form automatically by a self-written script. According to the type of the target program, the string detection, command injection, memory copy, format string and integer overflow vulnerability models are each used to search for all vulnerable-point functions of the corresponding type. Taint propagation is then used to track, over the matched list of vulnerable-point functions, the primary tainted variables (such as the default and supplementary controllable variables) and the secondary tainted variables (such as the directly and indirectly controllable variables); the different vulnerability models are matched once more, and the vulnerable-point functions are screened with higher accuracy.
Specifically, step S1 includes step S101, creating a binary file storage directory for the binary file to be detected. S102, downloading the target binary file to the directory created in S101; if the target to be detected is of firmware type, the executable program is extracted with a firmware analysis tool such as BinWalk and the extracted executable program is stored in the directory created in S101. And S103, performing IDA reverse analysis on the file downloaded in S102 and converting it into assembly-level code.
Step S2 includes step S201, representing the assembly-level code of S103 in decompiled form using the Hex-Rays Decompiler plug-in, and processing the code that cannot be decompiled with a self-written Python script. S202, in the decompiled code of step S201, running different detection scripts according to the vulnerability detection type of the target program, the detection scripts being divided into a string detection type, a command injection type, a memory copy type, a format string type and an integer overflow type, and searching for all vulnerable-point functions of the corresponding type. And S203, for the vulnerable-point functions extracted in S202, extracting the list of all calling functions using the get_func_name() function of the idc module.
Step S3 includes step S301, generating a controlFlowinator object for one function in the S203 function list using the FIDL framework. S302, searching for controllable variables using taint propagation, first tracking down the primary tainted variables such as the default controllable variables and the supplementary controllable variables. S303, further searching for the secondary tainted variables derived from those of step S302, such as the directly controllable variables and the indirectly controllable variables. S304, matching again according to the characteristics of the vulnerable-point functions of each category, and finding the vulnerable-point functions that may carry a vulnerability. S305, recording and storing the matching result of S304. And S306, repeating steps S301 to S305 until no functions remain in the function list.
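The sink matching of step S2 and the two-level taint propagation of step S3 can be illustrated without IDA or FIDL. The block below is an added example written for this page; it is not the patent's own code and does not use the FIDL controlFlowinator. It assumes a constructed three-address statement form standing in for Hex-Rays decompiler output, a hypothetical sink table SINKS grouped by the patent's five detection types, a hypothetical DEFAULT_SOURCES set playing the role of the default controllable variables, and a constructed firmware-style sample whose nvram_get source is only flagged once it is registered as a supplementary controllable variable.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# S202: vulnerable-point ("sink") functions grouped by the five detection types
# named in the patent, each mapped to the argument positions that must be
# attacker-controllable for the call to be reported. Hypothetical table.
SINKS: Dict[str, Dict[str, List[int]]] = {
    "string":            {"strcpy": [1], "strcat": [1], "sprintf": [2], "gets": [0]},
    "command_injection": {"system": [0], "popen": [0], "execl": [0]},
    "memory_copy":       {"memcpy": [1, 2], "memmove": [1, 2]},
    "format_string":     {"printf": [0], "fprintf": [1], "syslog": [1]},
    "integer_overflow":  {"malloc": [0], "calloc": [0, 1], "alloca": [0]},
}

# S302: default controllable sources (hypothetical list). Their return value is
# primary-tainted; function parameters are treated the same way.
DEFAULT_SOURCES = frozenset({"recv", "read", "getenv", "fgets", "argv"})

@dataclass
class Stmt:
    """One decompiled statement in a tiny three-address form (constructed)."""
    dst: Optional[str]           # variable written, or None for a bare call
    op: str                      # "call", "assign" or "binop"
    func: Optional[str] = None   # callee when op == "call"
    args: List[str] = field(default_factory=list)

@dataclass
class Function:
    name: str
    params: List[str]
    body: List[Stmt]

def propagate_taint(fn: Function, extra_sources=frozenset()) -> Dict[str, str]:
    """S302/S303: map each controllable variable to its class: 'primary'
    (parameter or source result), 'direct' (plain copy of tainted data) or
    'indirect' (computed from tainted data). Iterates to a fixpoint so the
    statement order does not matter."""
    sources = DEFAULT_SOURCES | frozenset(extra_sources)
    taint = {p: "primary" for p in fn.params}
    changed = True
    while changed:
        changed = False
        for s in fn.body:
            if s.dst is None or s.dst in taint:
                continue
            if s.op == "call" and s.func in sources:
                taint[s.dst] = "primary"
            elif any(a in taint for a in s.args):
                taint[s.dst] = "direct" if s.op == "assign" else "indirect"
            else:
                continue
            changed = True
    return taint

def match_sinks(fn: Function, categories=None, extra_sources=frozenset()):
    """S202 + S304: report sink calls whose required argument positions carry
    tainted data, as (category, callee, statement index). Calls whose sink
    arguments are constants are pruned, which is the second matching pass."""
    taint = propagate_taint(fn, extra_sources)
    wanted = categories or list(SINKS)
    hits = []
    for i, s in enumerate(fn.body):
        if s.op != "call":
            continue
        for cat in wanted:
            positions = SINKS[cat].get(s.func)
            if positions and any(p < len(s.args) and s.args[p] in taint for p in positions):
                hits.append((cat, s.func, i))
    return hits

# Constructed sample: a request handler as a decompiler might render it.
SAMPLE = Function("handle_request", ["sock"], [
    Stmt("buf",  "call",   "alloca", ["0x100"]),              # 0: constant size, safe
    Stmt("line", "call",   "recv",   ["sock"]),                # 1: primary taint
    Stmt("len",  "call",   "strlen", ["line"]),                # 2: indirect
    Stmt("size", "binop",  None,     ["len", "1"]),            # 3: indirect
    Stmt("dst",  "call",   "malloc", ["size"]),                # 4: integer_overflow
    Stmt(None,   "call",   "strcpy", ["dst", "line"]),         # 5: string
    Stmt("copy", "assign", None,     ["line"]),                # 6: direct
    Stmt(None,   "call",   "system", ["copy"]),                # 7: command_injection
    Stmt(None,   "call",   "printf", ['"%s"', "line"]),        # 8: literal format, safe
    Stmt(None,   "call",   "printf", ["line"]),                # 9: format_string
    Stmt(None,   "call",   "memcpy", ["buf", '"CONST"', "5"]), # 10: constants, safe
    Stmt(None,   "call",   "memcpy", ["buf", "line", "len"]),  # 11: memory_copy
])

# Second constructed sample: a firmware-style helper fed by an NVRAM getter
# (hypothetical name nvram_get). It is only flagged once that getter is
# registered as a supplementary controllable source.
FIRMWARE = Function("apply_setting", [], [
    Stmt("val", "call", "nvram_get", ['"lan_ip"']),
    Stmt(None,  "call", "system",    ["val"]),
])

if __name__ == "__main__":
    for hit in match_sinks(SAMPLE):
        print(hit)
    print(match_sinks(FIRMWARE), match_sinks(FIRMWARE, extra_sources={"nvram_get"}))
```

Running the block reports five hits on SAMPLE (malloc, strcpy, system, printf, memcpy) while the alloca, literal-format printf and constant memcpy calls are pruned; FIRMWARE reports nothing until nvram_get is passed as a supplementary source, which is the role the patent assigns to supplementary controllable variables in S302.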
An automatic vulnerability detection device based on a vulnerability model that implements the technical scheme comprises a front-end module, a scheduling module and a back-end module: the front-end module displays the interaction with the user and the generated result, and provides the functions of uploading the file to be detected, selecting the vulnerability type to test, and adding and deleting tasks; the scheduling module handles communication and scheduling between the front-end and back-end modules, temporarily storing the task queue created by the front end and controlling the starting and stopping of back-end tasks; the back-end module implements the technical scheme, contains a virtual environment, and returns the result to the scheduling module after the target task has run.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein.

Claims (5)

1. An automatic vulnerability detection method based on a vulnerability model is characterized by comprising the following steps:
S1, reverse-engineering the binary file into an assembly-level language representation file;
S2, performing vulnerable-point function matching on the reversed binary file;
S3, searching for controllable variables using taint propagation, and further matching the vulnerable-point functions that satisfy the conditions.
2. The automated vulnerability detection method based on vulnerability model of claim 1, wherein step S1 comprises:
S101, creating a binary file storage directory for storing the binary file to be detected;
S102, downloading the target binary file to the storage directory created in step S101; if the target to be detected is of firmware type, extracting the executable program with a firmware analysis tool and then storing the extracted executable program in the directory created in S101;
and S103, performing IDA reverse analysis on the file downloaded in S102 and converting it into assembly-level code.
3. The automated vulnerability detection method based on vulnerability model of claim 1, wherein step S2 comprises:
S201, representing the assembly-level code in the assembly-level language representation file in decompiled form using the Hex-Rays Decompiler plug-in, and processing the code that cannot be decompiled with a self-written Python script;
S202, in the decompiled code of step S201, running different detection scripts according to the vulnerability detection type of the target program, the detection scripts being divided into a string detection type, a command injection type, a memory copy type, a format string type and an integer overflow type, and searching for all vulnerable-point functions of the corresponding type;
and S203, for the vulnerable-point functions extracted in step S202, extracting the list of all calling functions using the get_func_name() function of the idc module.
4. The automated vulnerability detection method based on vulnerability model of claim 3, wherein step S3 comprises:
S301, generating a controlFlowinator object for one function in the S203 function list using the FIDL (FLARE's IDA Decompiler Library) framework;
S302, searching for controllable variables using taint propagation, first tracking down the primary tainted variables, which comprise at least the default controllable variables and the supplementary controllable variables;
S303, further searching for the secondary tainted variables derived from those of step S302, which comprise at least the directly controllable variables and the indirectly controllable variables;
S304, matching a second time according to the characteristics of the vulnerable-point functions of each category, and finding the vulnerable-point functions that carry a vulnerability;
S305, recording and storing the matching result of step S304;
and S306, repeating steps S301 to S305 until no functions remain in the function list.
5. An automated vulnerability detection apparatus based on a vulnerability model using the method of any one of claims 1-4, characterized in that it comprises:
a front-end module, used for interacting with the user and displaying the generated result, and for uploading the file to be detected, selecting the vulnerability type to test, and adding and deleting tasks;
a scheduling module, configured for communication and scheduling between the front-end module and the back-end module, which temporarily stores the task queue created by the front-end module and controls the starting and stopping of back-end tasks;
and a back-end module, used for implementing the technical scheme, which is configured with a virtual environment internally and returns the result to the scheduling module after running the target task.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111287922.1A CN114117443A (en) 2021-11-02 2021-11-02 Automatic vulnerability detection method and device based on vulnerability model

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111287922.1A CN114117443A (en) 2021-11-02 2021-11-02 Automatic vulnerability detection method and device based on vulnerability model

Publications (1)

Publication Number Publication Date
CN114117443A true CN114117443A (en) 2022-03-01

Family

ID=80380562

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111287922.1A Pending CN114117443A (en) 2021-11-02 2021-11-02 Automatic vulnerability detection method and device based on vulnerability model

Country Status (1)

Country Link
CN (1) CN114117443A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101814053A (en) * 2010-03-29 2010-08-25 中国人民解放军信息工程大学 Method for discovering binary code vulnerability based on function model
WO2018101575A1 (en) * 2016-11-29 2018-06-07 한국전력공사 Binary code-based embedded software vulnerability analysis device and method therefor
CN109460641A (en) * 2018-11-15 2019-03-12 成都网域复兴科技有限公司 A kind of loophole positioning excavation system and method for binary file
CN109525556A (en) * 2018-10-18 2019-03-26 中国电力科学研究院有限公司 It is a kind of for determining the light weight method and system of protocol bug in embedded system firmware
US20190147168A1 (en) * 2017-11-15 2019-05-16 Korea Internet & Security Agency Method and apparatus for identifying security vulnerability in binary and location of cause of security vulnerability


Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
CHRIS EAGLE et al. (translated by 石华耀 et al.): "IDA Pro权威指南(第2版)" (The IDA Pro Book, 2nd ed.), vol. 2, 29 February 2012, 人民邮电出版社 (Posts & Telecom Press) *
RYAN WARNS et al.: "FIDL: FLARE's IDA Decompiler Library", pages 1 - 5, Retrieved from the Internet <URL:https://cloud.google.com/blog/topics/threat-intelligence/fidl-flares-ida-decompiler-library> *
李永伟; 尹青; 舒辉; 李继中: "基于反编译的循环脆弱点检测" (Decompilation-based detection of loop vulnerability points), 计算机应用研究 (Application Research of Computers), no. 05, 15 May 2013 (2013-05-15) *

Similar Documents

Publication Publication Date Title
US9715588B2 (en) Method of detecting a malware based on a white list
WO2017049800A1 (en) Method and apparatus for detecting loophole code in application
US9892261B2 (en) Computer imposed countermeasures driven by malware lineage
CN108833186B (en) Network attack prediction method and device
CN110837640B (en) Malicious file searching and killing method, device, storage medium and device
CN109271782B (en) Method, medium, system and computing device for detecting attack behavior
Naik et al. Evaluating automatically generated YARA rules and enhancing their effectiveness
CN109918907B (en) Method, controller and medium for obtaining evidence of malicious codes in process memory of Linux platform
CN106549980B (en) Malicious C & C server determination method and device
CN112257077A (en) Automatic vulnerability mining method based on deep learning
CN114157450A (en) Internet of things honeypot-based network attack induction method and device
Le Jamtel Swimming in the Monero pools
US12050681B2 (en) Software build system protection engine
CN115840940A (en) File-free Trojan horse detection method, system, medium and equipment
CN110955894A (en) Malicious content detection method and device, electronic equipment and readable storage medium
CN114117443A (en) Automatic vulnerability detection method and device based on vulnerability model
CN117610001A (en) Automatic analysis method for fine-grained malicious behaviors in Internet of things malicious software
CN117563217A (en) Score generation method and device, electronic equipment and storage medium
CN117493522A (en) Vulnerability information query method, device, equipment and medium based on large model technology
CN110472418B (en) Security vulnerability protection method and system and related equipment
Islam et al. Cyber Safety Analysis Using Reverse Engineering
CN112749390A (en) Virus detection method, device, equipment and computer readable storage medium
CN112966270A (en) Application program security detection method and device, electronic equipment and storage medium
KR102817813B1 (en) Threat detection system to comparative analysis of installer file based on sbom with point of view of consumer
Lee et al. IoT malware static and dynamic analysis system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination