CN117610009B - Cross-thread vulnerability repairing method and device based on code vaccine RASP probe - Google Patents
Publication number: CN117610009B (application CN202311572075.2A)
Authority: CN (China)
Legal status: Active (status as listed by Google Patents; it is an assumption, not a legal conclusion)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Abstract
The embodiment of the invention provides a cross-thread vulnerability repair method and device based on a code vaccine RASP probe, in the technical field of network security. The method comprises the following steps: installing a probe in the tested program and performing pre-instrumentation through the probe; generating a request data table from the intercepted request information of a request; based on the request data table, performing vulnerability detection according to the intercepted function information of a risk function; when a vulnerability is detected, judging whether the risk function is a risk function of an asynchronous task; if so, copying the request data table to the current thread and marking the current thread as an asynchronous thread; and in the asynchronous thread, selecting whether to repair the vulnerability according to the exploitation state of the vulnerability. The embodiment of the invention can detect and repair vulnerabilities across threads and ensure the operational security of the application program.
Description
Technical Field
The invention relates to the technical field of network security, in particular to a cross-thread vulnerability restoration method and device based on a code vaccine RASP probe.
Background
Code vaccine technology injects code security capability into the application server the way a vaccine does: the analyzed traffic is seen clearly inside the application server, the context of the running application is perceived, the location and root cause of a vulnerability in the application can be diagnosed while it runs, autonomous detection and response are realized, and external threats are actively defended against. Code vaccine technology includes RASP (Runtime Application Self-Protection) technology.
The existing RASP protection scheme is aimed at a single service: in the scenario of single-thread security protection, it detects vulnerabilities according to the risk analysis associated with the thread and performs operations such as alerting, blocking and repair on the detected vulnerabilities to protect the application program.
In practice, the scenario in which multiple requests and multiple threads process the same business logic is common. For example, when a user performs a transaction on a trading website, several one-way requests such as fetching product information, submitting an order and opening a payment portal must be sent to the website's server, and the server must process the one-way requests of many users at the same time. In the scenario of multi-thread security protection, the existing RASP scheme cannot obtain the risk analysis associated with each thread to perform cross-thread detection and vulnerability repair, so an operational risk to the application program remains.
Disclosure of Invention
The embodiment of the invention aims to provide a cross-thread vulnerability repair method and device based on a code vaccine RASP probe, which realize cross-thread detection and vulnerability repair and thereby guarantee the operational security of the application program.
In a first aspect, an embodiment of the present invention provides a cross-thread vulnerability restoration method based on a code vaccine RASP probe, including:
installing a probe in the tested program, and performing pre-instrumentation through the probe;
generating a request data table according to the intercepted request information of a request;
based on the request data table, performing vulnerability detection according to the intercepted function information of a risk function;
when a vulnerability is detected, judging whether the risk function is a risk function of an asynchronous task;
if so, copying the request data table to the current thread, and marking the current thread as an asynchronous thread;
and in the asynchronous thread, selecting whether to repair the vulnerability according to the exploitation state of the vulnerability.
In this implementation, the probe installed in the tested program performs pre-instrumentation; vulnerability detection and asynchronous-thread judgment are performed on the intercepted information; and when a vulnerability exists during request processing and the current thread is executing an asynchronous task, the associated request data table is copied to the current thread so that the thread can read the associated information to detect and repair the vulnerability. This realizes cross-thread detection and repair of vulnerabilities and guarantees the operational security of the application program.
Further, performing pre-instrumentation through the probe specifically includes:
pre-instrumenting the request function through the probe so as to intercept the request information of the request;
and pre-instrumenting the risk function through the probe so as to intercept the function information of the risk function.
In this implementation, the probe in the tested program pre-instruments the request function and the risk function, so that the request information of the request and the function information of the risk function can be intercepted in real time while the tested program runs.
Further, before the request data table is generated according to the request information of the intercepted request, the method further comprises:
when the request information of the request is intercepted, storing the request information of the request in the ThreadContext class.
In this implementation, by storing the request information of the request in the ThreadContext class, taint information can be tracked by means such as cross-thread copying, so that cross-thread detection and vulnerability repair are realized and the secure operation of the application program is ensured.
Further, generating the request data table according to the request information of the intercepted request specifically includes:
initializing the request data table when the request information of the request is intercepted;
intercepting the function information of a taint source function according to the request information of the request;
extracting the input parameters and output parameters of the taint source function from its function information;
and storing the hash value of the input parameter and the hash value of the output parameter of the taint source function in the request data table.
In this implementation, the request data table is generated by intercepting the function information of the taint source function according to the request information of the request, so the taint information of every node where a taint source is located during request processing can be collected comprehensively, and accurate vulnerability detection afterwards is ensured.
Further, performing vulnerability detection according to the intercepted function information of the risk function based on the request data table specifically includes:
extracting the input parameter of the risk function from the function information of the risk function;
querying whether the hash value of the input parameter of the risk function exists in the request data table;
if so, judging that a vulnerability exists, and acquiring the vulnerability information of the vulnerability.
In this implementation, whether a vulnerability exists during request processing is judged by querying whether the hash value of the risk function's input parameter exists in the request data table, so vulnerability detection can be carried out quickly and accurately, the efficiency of cross-thread detection and vulnerability repair is improved, and the operational security of the application program is better ensured.
Further, judging whether the risk function is a risk function of an asynchronous task specifically includes:
judging whether a task submitted to the monitored thread pool has parameters that use the request;
and if so, judging the risk function to be a risk function of the asynchronous task.
In this implementation, whether a task submitted to the monitored thread pool has parameters that use the request is used to decide whether the risk function belongs to an asynchronous task, so the asynchronous-thread judgment can be made quickly and accurately, the efficiency of cross-thread detection and vulnerability repair is improved, and the operational security of the application program is better ensured.
Further, in the asynchronous thread, selecting whether to repair the vulnerability according to the exploitation state of the vulnerability specifically includes:
in the asynchronous thread, judging whether the vulnerability has been successfully exploited according to the vulnerability information of the vulnerability, based on a predefined vulnerability exploitation state judgment rule;
if so, repairing the vulnerability according to the vulnerability information of the vulnerability, based on a predefined vulnerability repair rule.
In this implementation, the exploitation state of the vulnerability is judged in the asynchronous thread based on the predefined exploitation state judgment rule, and a successfully exploited vulnerability is repaired based on the predefined vulnerability repair rule, so a vulnerability that has been successfully exploited from outside can be repaired quickly and accurately in the asynchronous thread, the efficiency of cross-thread detection and vulnerability repair is improved, and the operational security of the application program is better ensured.
Further, the vulnerability exploitation state judgment rule is the rule in a rule base that corresponds to the operation type of the dangerous function, and the vulnerability repair rule is the rule in the rule base that corresponds to the operation type of the dangerous function.
In this implementation, the exploitation state is judged by looking up in the rule base the exploitation state judgment rule corresponding to the operation type of the dangerous function, and the successfully exploited vulnerability is repaired by looking up in the rule base the repair rule corresponding to that operation type, so a vulnerability that has been successfully exploited from outside can be repaired quickly and accurately in the asynchronous thread, the efficiency of cross-thread detection and vulnerability repair is improved, and the operational security of the application program is better ensured.
Further, the vulnerability information of the vulnerability comprises the request information of the request, the function information of the risk function, the stack trace information of the risk function and the asynchronous thread information; the asynchronous thread information includes the name and the tag of the asynchronous thread.
In this implementation, the vulnerability information is obtained by acquiring the request information of the request, the function information of the risk function, the stack trace information of the risk function and the asynchronous thread information, so the vulnerability can be repaired quickly and effectively, the efficiency of cross-thread detection and vulnerability repair is improved, and the operational security of the application program is better ensured.
In a second aspect, an embodiment of the present invention provides a cross-thread vulnerability restoration device based on a code vaccine RASP probe, including:
a probe pre-instrumentation module, used for installing a probe in the tested program and performing pre-instrumentation through the probe;
a request processing module, used for generating a request data table according to the intercepted request information of the request;
a vulnerability detection module, used for performing vulnerability detection according to the intercepted function information of the risk function based on the request data table;
an asynchronous judgment module, used for judging whether the risk function is a risk function of an asynchronous task when a vulnerability is detected;
an asynchronous processing module, used for copying the request data table to the current thread and marking the current thread as an asynchronous thread if so;
and a vulnerability repair module, used for selecting whether to repair the vulnerability according to the exploitation state of the vulnerability in the asynchronous thread.
In a third aspect, embodiments of the present invention provide an electronic device comprising a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor; the memory is coupled to the processor, and the processor, when executing the computer program, implements a cross-thread vulnerability restoration method based on a code vaccine RASP probe as described above.
In a fourth aspect, embodiments of the present invention provide a computer-readable storage medium including a stored computer program; when the computer program runs, the device on which the computer-readable storage medium is located is controlled to execute the cross-thread vulnerability restoration method based on the code vaccine RASP probe as described above.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the embodiments of the present invention will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and should not be considered as limiting the scope, and other related drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic flow chart of a cross-thread vulnerability restoration method based on a code vaccine RASP probe according to a first embodiment of the present invention;
FIG. 2 is a schematic diagram of a system architecture employing a cross-thread vulnerability restoration method based on a code vaccine RASP probe, as exemplified in a first embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a cross-thread vulnerability repair device based on a code vaccine RASP probe according to a second embodiment of the present invention;
FIG. 4 is a schematic structural diagram of an electronic device according to a third embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be described below with reference to the accompanying drawings in the embodiments of the present invention.
It should be noted that: in the description of the present invention, the terms "first," "second," and the like are used merely to distinguish between descriptions and are not to be construed as indicating or implying relative importance. Meanwhile, step numbers herein are only for convenience of explanation of the embodiments of the present invention, and are not used as limiting the order of execution of the steps. The method provided by the embodiment of the invention can be executed by the related terminal equipment, and the following description takes the server side as an execution main body as an example.
Referring to FIG. 1, FIG. 1 is a flow chart of a cross-thread vulnerability repair method based on a code vaccine RASP probe according to a first embodiment of the present invention. The first embodiment of the invention provides a cross-thread vulnerability restoration method based on a code vaccine RASP probe, which comprises the following steps S101 to S106:
S101, installing a probe in the tested program, and performing pre-instrumentation through the probe;
S102, generating a request data table according to the intercepted request information of the request;
S103, performing vulnerability detection according to the intercepted function information of the risk function based on the request data table;
S104, when a vulnerability is detected, judging whether the risk function is a risk function of an asynchronous task;
S105, if so, copying the request data table to the current thread, and marking the current thread as an asynchronous thread;
S106, in the asynchronous thread, selecting whether to repair the vulnerability according to the exploitation state of the vulnerability.
As an example, according to the actual detection requirement, a probe is installed in the tested program before it runs, and at least one piece of byte code is pre-instrumented through the probe, so that functions such as the request function and the risk function are monitored.
Instrumentation is a method for detecting dynamic information such as logic coverage: on the basis of preserving the original logic of the tested program, the probe inserts byte code, namely detection logic code, into the tested program, so that the detection logic code is executed while the program runs and captures program operation data, and that data is analyzed to obtain the control flow and data flow of the tested program.
According to the actual detection requirement, at least one instrumentation point in the tested program is determined; the program operation data to be captured at each instrumentation point is considered in turn; byte code with the corresponding capture function is designed; and the corresponding byte code is inserted at each instrumentation point through the probe in the tested program, so that the required program operation data is captured by each piece of pre-instrumented byte code.
According to the actual test requirement, the probe may pre-instrument only one piece of byte code at a single instrumentation point in the tested program, or several different pieces of byte code at several different instrumentation points.
The concrete instrumentation process is as follows:
1. When a class is loaded by a class loader, the byte code of the class is first handed to a custom Transformer for processing;
2. the custom Transformer judges whether the class is one that requires a hook; if so, the class is handed to the byte code processing framework;
3. the byte code processing framework analyzes each function in turn according to an event-driven model, and when a function matches one that needs instrumentation, inserts byte code into it, for example inserting byte code that acquires request information at the beginning or end of the request function, or inserting byte code of the protection strategy at the beginning or end of the risk function;
4. the instrumented byte code is returned to the custom Transformer to be loaded into the Java virtual machine.
For cross-thread vulnerability repair based on a code vaccine RASP probe, the instrumentation points include: instrumentation points for monitoring asynchronous threads, such as native-thread related methods, thread pool task submission methods, ForkJoin concurrent-stream framework methods and timed task methods; instrumentation points for monitoring the request information of a request, such as the request function; and instrumentation points for monitoring taint information during request processing, such as the risk function.
The native-thread related method is the start method of Thread. The thread pool task submission methods include the execute method and the submit method of ThreadPoolExecutor. The ForkJoin framework methods include the execute method and the submit method of ForkJoinPool. The timed task framework methods include the schedule, scheduleAtFixedRate, scheduleWithFixedDelay, execute and submit methods of ScheduledThreadPool. The request function includes functions that obtain request information, such as: the functions related to HTTP POST and GET requests; the function Enumeration<String> getHeaders(String name), which obtains the values of a request header (there may be several) by header name; the function String[] getParameterValues(String name), which obtains the values of a request parameter by parameter name; and the function Map<String, String[]> getParameterMap(), which obtains all request parameters and stores them in a Map. The risk functions include functions that perform dangerous operations, such as Runtime.getRuntime().exec for command execution, java.sql.ResultSet executeQuery for SQL queries, new URL for loading external dependencies, and RMI for remote method invocation.
In the running process of the tested program, the request information of the request is intercepted in real time by utilizing the byte code of the request function pre-instrumentation, and the function information of the risk function is intercepted in real time by utilizing the byte code of the risk function pre-instrumentation.
When the server receives the request, the request information of the request is intercepted by utilizing byte codes inserted by the probe at a request function in the tested program, the request information of the request comprises various parameters of the request, and a request data table is generated according to the request information of the request.
When the server generates a request data table, the function information of the risk function is intercepted by utilizing byte codes inserted by the probe at the risk function in the tested program, and vulnerability detection is carried out according to the function information of the risk function.
When the server detects a vulnerability, it acquires the vulnerability information of the vulnerability, monitors the asynchronous thread using the byte code inserted by the probe at the asynchronous-thread instrumentation point in the tested program, and judges from the monitoring result whether the risk function is a risk function of an asynchronous task.
When the server judges that the risk function is a risk function of an asynchronous task, it copies the request data table to the current thread, since the asynchronous thread cannot otherwise access the request data table, and marks the current thread as an asynchronous thread.
The server then judges the exploitation state of the vulnerability in the asynchronous thread and selects whether to repair the vulnerability according to that state.
According to the embodiment of the invention, the probe installed in the tested program performs pre-instrumentation; vulnerability detection and asynchronous-thread judgment are performed on the intercepted information; and when a vulnerability exists during request processing and the current thread is executing an asynchronous task, the associated request data table is copied to the current thread so that the thread can read the associated information to detect and repair the vulnerability. This realizes cross-thread detection and repair of vulnerabilities and ensures the operational security of the application program.
In an alternative embodiment, the pre-instrumentation performed through the probe specifically includes: pre-instrumenting the request function through the probe to intercept the request information of the request; and pre-instrumenting the risk function through the probe to intercept the function information of the risk function.
As an example, according to the actual detection requirement, in order to intercept the request information of the request and the function information of the risk function for vulnerability detection, instrumentation points are set at the request function and the risk function in the tested program. The request function is pre-instrumented by the probe so that it can be monitored in real time while the tested program runs and the request information of the request is intercepted; the risk function is pre-instrumented by the probe so that it can be monitored in real time while the tested program runs and the function information of the risk function is intercepted.
According to the embodiment of the invention, the probe in the tested program pre-instruments the request function and the risk function, so that the request information of the request and the function information of the risk function can be intercepted in real time while the tested program runs.
In an alternative embodiment, before generating the request data table according to the request information of the intercepted request, the method further includes: when the request information of the request is intercepted, storing it in the ThreadContext class.
Illustratively, the thread context (request, response) in Java (an object-oriented programming language) is uniformly managed and named through the ThreadLocal class (there may be several ThreadLocal instances), but ThreadLocal only supports passing context to threads created directly under the current thread; it cannot support asynchronous threads produced by a thread pool or other special means, and in complex scenarios ThreadLocal also causes memory leaks.
For this reason, the default handling of ThreadLocal is not relied on for cross-thread support. Instead, one ThreadContext class is created, every ThreadLocal is replaced by the ThreadContext class, all thread context information is managed globally through ThreadContext, and cross-thread copying, copying of the current data and so on are implemented.
A ThreadContext class is created; since its role is to manage all thread context information globally and uniformly, all variables in the ThreadContext class are declared final to prevent malicious modification. At the beginning of a request, the detection environment is initialized using the ThreadContext class, which specifically includes: acquiring the request- and response-related information, and initializing the request data table. A unified global context avoids scattering state across multiple ThreadContext instances, and also makes subsequent cross-thread copying easier to implement.
The server stores the request information of the intercepted request in the ThreadContext class. Subsequent cross-thread copying, on entering a cross-thread risk point, is divided mainly into the following cases:
1. Native thread start:
After a native thread is started, a snapshot copy of the ThreadContext is made during construction of the thread using bytecode injected with ASM, and the snapshot copy is turned into a local variable of the thread. The start method of the thread is then intercepted, the pointer to the local variable is added to the ThreadLocal slot, and the restore method of the ThreadContext snapshot is called to copy the taint pool into the asynchronous thread.
In this way copying a large number of variables is avoided, at close to zero overhead.
2. Thread pool submission:
Thread pool submission in Java is typically done through the submit methods, FutureTask, and Callable or Runnable tasks. FutureTask, Callable and Runnable are replaced by reconstructed custom classes IastFutureTask, IastCallable and IastRunnable, which copy the ThreadContext snapshot inside themselves; the get, call, run and similar methods through which the thread pool executes the submitted asynchronous tasks are then intercepted. The snapshot content is restored into the ThreadLocal slot before the method executes, and the snapshot is cleaned up after the method executes.
3. Fork/join frameworks are handled in the same way as above.
When the server intercepts the request information of a request, it stores the request information in the ThreadContext class, and tracks the taint information during request processing across threads, by means of cross-thread copying through the ThreadContext class and the like.
According to this embodiment of the invention, by storing the request information of the request in the ThreadContext class, the taint information can be tracked by cross-thread copying and similar means, so that cross-thread detection and vulnerability repair are achieved and the safe operation of the application is ensured.
In an optional embodiment, generating a request data table according to the request information of the intercepted request specifically includes: when the request information of the request is intercepted, initialising a request data table; intercepting the function information of a taint-source function according to the request information of the request; extracting the input parameters and the output parameters of the taint-source function from its function information; and storing the hash values of the input parameters and the hash values of the output parameters of the taint-source function in the request data table.
As an example, when the server intercepts the request information of a request, it initialises a request data table for that request.
According to the request information of the request, the server treats all parameters of the request, such as the query, form, path, form-data and body parameters, as taint sources; it monitors the taint-source functions in real time using the bytecode inserted by the probe at the corresponding taint-source functions of the program under test, and intercepts the function information of the taint-source functions.
The server extracts the input parameters and the output parameters of the taint-source function from its function information, computes a hash over each input parameter and each output parameter to obtain their hash values, and stores the hash values of the input parameters and of the output parameters in the request data table.
According to this embodiment of the invention, the function information of the taint-source functions is intercepted according to the request information of the request to generate the request data table, so that the taint information at every node where a taint source is located during request processing is captured comprehensively, which supports accurate vulnerability detection later on.
In an optional embodiment, performing vulnerability detection based on the request data table according to the intercepted function information of the risk function specifically includes: extracting the input parameters of the risk function from its function information; querying whether the hash value of an input parameter of the risk function exists in the request data table; and if so, judging that a vulnerability exists and acquiring the vulnerability information of the vulnerability.
As an example, when the function information of a risk function is intercepted, the server extracts the input parameters of the risk function from its function information and computes a hash over each input parameter to obtain its hash value.
The server queries whether the hash value of an input parameter of the risk function exists in the request data table. If not, it judges that no vulnerability exists in the request processing; if so, it judges that a vulnerability exists in the request processing and acquires the vulnerability information of the vulnerability.
According to this embodiment of the invention, querying the request data table for the hash value of an input parameter of the risk function is used to judge whether a vulnerability exists during request processing, so that vulnerability detection is fast and accurate, the efficiency of cross-thread detection and vulnerability repair is improved, and the running safety of the application is better ensured.
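The request data table and the look-up at the risk function, as an added example written for this page (it is not code from the patent or its applicant). The class and method names RequestDataTable, onTaintSource, onPropagation and onRiskFunction are assumptions, as is the choice of SHA-256, since the description fixes no hash function. The onPropagation callback goes beyond the text above: the description stores only taint-source hashes, and the example shows why a value that is transformed on its way to the sink would otherwise be missed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashSet;
import java.util.Set;

/**
 * Per-request data table: holds hash values of taint-source parameters and is
 * queried with the hash of a risk function's input parameter. Example code, not
 * the patent's implementation; names are assumptions.
 */
public final class RequestDataTable {
    private final Set<String> taintHashes = new HashSet<>();   // hashes, never the raw values

    /** SHA-256 over the parameter's string form (assumption: the patent names no hash function). */
    static String hash(Object value) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256")
                    .digest(String.valueOf(value).getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(d.length * 2);
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    /** Probe callback at a taint-source function (e.g. HttpServletRequest.getParameter): record in- and out-parameters. */
    public void onTaintSource(Object[] inParams, Object outParam) {
        for (Object p : inParams) if (p != null) taintHashes.add(hash(p));
        if (outParam != null) taintHashes.add(hash(outParam));
    }

    /**
     * Probe callback at a propagation function such as String.concat or StringBuilder.toString.
     * Not part of the text above: if any input is tainted, the output is registered as tainted too,
     * otherwise the transformed value has a different hash and the sink look-up misses it.
     */
    public void onPropagation(Object[] inParams, Object outParam) {
        if (outParam == null) return;
        for (Object p : inParams) {
            if (p != null && taintHashes.contains(hash(p))) { taintHashes.add(hash(outParam)); return; }
        }
    }

    /** Probe callback at a risk function: a vulnerability exists if any input parameter's hash is in the table. */
    public boolean onRiskFunction(Object[] inParams) {
        for (Object p : inParams) if (p != null && taintHashes.contains(hash(p))) return true;
        return false;
    }

    public int size() { return taintHashes.size(); }

    public static void main(String[] args) {
        RequestDataTable table = new RequestDataTable();      // initialised when the request is intercepted

        // Constructed request ?id=1 OR 1=1 ; getParameter("id") is the taint source (in-param "id", out-param the value).
        String id = "1 OR 1=1";
        table.onTaintSource(new Object[] { "id" }, id);

        // Case 1: the value reaches Statement.executeQuery unchanged, so its hash is found.
        System.out.println("unchanged value   : " + table.onRiskFunction(new Object[] { id }));

        // Case 2: the value is concatenated into a statement first; a new hash, missed without propagation.
        String sql = "SELECT * FROM users WHERE id = " + id;
        System.out.println("concatenated      : " + table.onRiskFunction(new Object[] { sql }));
        table.onPropagation(new Object[] { "SELECT * FROM users WHERE id = ", id }, sql);
        System.out.println("after propagation : " + table.onRiskFunction(new Object[] { sql }));
    }
}
```

The table only ever compares hashes, so it never has to keep request payloads alive across threads, which is what makes the later snapshot copy cheap. The price is exact matching: the sink's argument must be byte-for-byte a value the table has seen, which is why the intermediate String operations need to register their outputs as shown.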
In an alternative embodiment, judging whether the risk function is a risk function of an asynchronous task specifically includes: judging whether the task submitted to the monitored thread pool carries parameters that use the request; and if so, judging that the risk function is a risk function of an asynchronous task.
As an example, the server uses the bytecode inserted by the probe at the methods involved in submitting tasks to the thread pool to monitor the submitted tasks in real time. When a submitted task is observed, it judges whether the task carries parameters that use the request. If not, the current thread is considered to be executing a synchronous task and to be a synchronous thread; the risk function is then judged to be a risk function of a synchronous task, and the vulnerability can be detected and repaired directly without subsequent operations such as cross-thread copying. If so, the current thread is considered to be executing an asynchronous task and to be an asynchronous thread; the risk function is judged to be a risk function of an asynchronous task, and subsequent operations such as cross-thread copying are needed before the vulnerability can be detected and repaired.
The specific process of copying the request data table to the current thread and marking the current thread as an asynchronous thread is as follows:
The task object submitted to the thread pool is proxied, and a separate jar package is written which contains the custom proxy class.
When the task object is constructed, still on the submitting thread, the request data table is copied into a local variable of the task object (because it could not be accessed during the subsequent asynchronous execution otherwise). When the asynchronous thread executes the task, the task object accesses that local variable through instrumentation, executes the task logic through the specific interface (Java's asynchronous tasks expose a specific interface), and restores the snapshot into the ThreadContext, so that only the pointer of the ThreadContext is modified and the overhead is close to zero.
Modifying the pointer of the ThreadContext specifically means: the Java bytecode is accessed using ASM, the pointer corresponding to the local ThreadContext variable is extracted, and the pointer is then reset into the current thread by changing the position it points to.
For example, for synchronously executed code the ThreadContext is set in the ThreadLocal slot of the current thread; this ThreadContext is disconnected when an asynchronous task executes, so a snapshot is created first and the pointer to the snapshot is then reset into the current thread.
The ThreadContext is marked as executing an asynchronous task, the current thread is marked as an asynchronous thread, and the name and the marker of the asynchronous thread are recorded; the marker of the asynchronous thread may be an ID derived from the request ID, namely the Java traceId. The task submitted to the thread pool is determined to be an asynchronous task, and the asynchronous task information is recorded, which includes: the function information of the risk function, such as its function name, parameters and return value; the stack trace information of the risk function; and the asynchronous thread information, which includes the name and marker of the asynchronous thread. The asynchronous task information also includes the hash tables corresponding to the input parameters and output parameters. It will be appreciated that marking the current thread as an asynchronous thread makes the asynchronous propagation flow easier to distinguish, because several different threads may be involved and, without this record, the flow could not be located.
According to this embodiment of the invention, whether the risk function belongs to an asynchronous task is judged by checking whether the task submitted to the monitored thread pool carries parameters that use the request, so that the asynchronous-thread judgment is fast and accurate, the efficiency of cross-thread detection and vulnerability repair is improved, and the running safety of the application is better ensured.
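The snapshot-and-restore of thread pool submission (case 2 above) together with the asynchronous-thread marking just described, as an added example written for this page; it is not code from the patent or its applicant. The class names ThreadContext, IastRunnable and IastCallable follow the description, while the field layout, the runWithSnapshot helper and the demonstration class are assumptions, and the request data table is reduced to a set of hash strings. The snapshot is taken in a field initialiser, i.e. on the submitting thread when the proxy task object is constructed, and restored into the pool thread's slot around run()/call(); the plain submission beside it shows the context being lost.

```java
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

/** Global thread context replacing scattered ThreadLocals (example code; fields are assumptions). */
final class ThreadContext {
    final String traceId;                 // request marker, reused as the asynchronous thread's tag
    final Set<String> requestDataTable;   // taint hashes; final reference, mutable contents
    final boolean asyncTask;              // true once restored on a pool thread
    final String asyncThreadName;         // recorded name of the asynchronous thread, null on the request thread

    ThreadContext(String traceId, Set<String> table, boolean asyncTask, String asyncThreadName) {
        this.traceId = traceId; this.requestDataTable = table;
        this.asyncTask = asyncTask; this.asyncThreadName = asyncThreadName;
    }

    // The single ThreadLocal slot that the context pointer is placed into.
    private static final ThreadLocal<ThreadContext> SLOT = new ThreadLocal<>();

    static ThreadContext current()   { return SLOT.get(); }
    static void init(String traceId) { SLOT.set(new ThreadContext(traceId, new HashSet<>(), false, null)); }
    static void clear()              { SLOT.remove(); }   // remove(), not set(null): avoids the pooled-thread leak

    /** Copy made on the submitting thread; null means no request context, i.e. synchronous work. */
    static ThreadContext snapshot() {
        ThreadContext c = SLOT.get();
        return c == null ? null : new ThreadContext(c.traceId, new HashSet<>(c.requestDataTable), true, null);
    }

    /** Restore a snapshot into the current (pool) thread around the task body, then clean up. */
    static <V> V runWithSnapshot(ThreadContext snap, Callable<V> body) throws Exception {
        if (snap == null) return body.call();
        SLOT.set(new ThreadContext(snap.traceId, snap.requestDataTable, true, Thread.currentThread().getName()));
        try { return body.call(); } finally { SLOT.remove(); }
    }
}

/** Proxy for a submitted Runnable: the snapshot field is the task object's own local copy. */
final class IastRunnable implements Runnable {
    private final Runnable delegate;
    private final ThreadContext snapshot = ThreadContext.snapshot();   // taken at construction, on the submitter
    IastRunnable(Runnable delegate) { this.delegate = delegate; }
    @Override public void run() {
        try { ThreadContext.runWithSnapshot(snapshot, () -> { delegate.run(); return null; }); }
        catch (RuntimeException e) { throw e; }
        catch (Exception e) { throw new IllegalStateException(e); }
    }
}

/** Proxy for a submitted Callable, same idea. */
final class IastCallable<V> implements Callable<V> {
    private final Callable<V> delegate;
    private final ThreadContext snapshot = ThreadContext.snapshot();
    IastCallable(Callable<V> delegate) { this.delegate = delegate; }
    @Override public V call() throws Exception { return ThreadContext.runWithSnapshot(snapshot, delegate); }
}

public final class CrossThreadDemo {
    /** What a risk function running on this thread would see. */
    static String describe(String label) {
        ThreadContext c = ThreadContext.current();
        if (c == null) return label + ": no request context (synchronous task, or context lost)";
        return label + ": traceId=" + c.traceId + " async=" + c.asyncTask
                + " thread=" + c.asyncThreadName + " tableSize=" + c.requestDataTable.size();
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(2);
        ThreadContext.init("trace-0001");                           // request intercepted on this thread
        ThreadContext.current().requestDataTable.add("deadbeef");   // constructed taint hash
        try {
            Future<String> plain = pool.submit(() -> describe("plain Callable"));
            Future<String> wrapped = pool.submit(new IastCallable<String>(() -> describe("IastCallable")));
            System.out.println(plain.get());     // ThreadLocal does not follow the task to the pool thread
            System.out.println(wrapped.get());   // snapshot restored, thread marked asynchronous
            pool.submit(new IastRunnable(() -> System.out.println(describe("IastRunnable")))).get();
        } finally {
            ThreadContext.clear();
            pool.shutdown();
        }
    }
}
```

In a real agent the wrapping of Runnable/Callable/FutureTask is done by the injected bytecode at the submit call sites rather than by hand as here; the invariant that matters is the same: snapshot at construction on the submitting thread, restore before the body runs, and remove in a finally block so a pooled thread never carries a stale context into the next request.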
In an optional embodiment, selecting in the asynchronous thread whether to repair the vulnerability according to its exploitation state specifically includes: judging in the asynchronous thread, based on a predefined exploitation state judgment rule, whether the vulnerability has been exploited successfully according to the vulnerability information of the vulnerability; and if so, repairing the vulnerability according to its vulnerability information based on a predefined vulnerability repair rule.
Illustratively, the exploitation state judgment rule and the vulnerability repair rule are predefined according to the actual detection requirements, and both are stored on the server.
In the asynchronous thread, the server judges, based on the predefined exploitation state judgment rule, whether the vulnerability has been exploited successfully according to its vulnerability information, and when it judges that the vulnerability has been exploited successfully, repairs the vulnerability based on the predefined vulnerability repair rule.
According to this embodiment of the invention, the exploitation state is judged in the asynchronous thread based on the predefined exploitation state judgment rule, and a successfully exploited vulnerability is repaired based on the predefined vulnerability repair rule, so that a vulnerability that has been exploited successfully from outside can be repaired quickly and accurately in the asynchronous thread, the efficiency of cross-thread detection and vulnerability repair is improved, and the running safety of the application is better ensured.
In an alternative embodiment, the exploitation state judgment rule is the exploitation state judgment rule corresponding to the operation type of the dangerous function in a rule base, and the vulnerability repair rule is the vulnerability repair rule corresponding to the operation type of the dangerous function in the rule base.
As an example, a rule base is configured on the server, which stores exploitation state judgment rules and vulnerability repair rules for dangerous functions of several different operation types.
In the asynchronous thread, the server determines the operation type of the dangerous function in the program under test and retrieves from the rule base the exploitation state judgment rule and the vulnerability repair rule corresponding to that operation type. Based on the predefined exploitation state judgment rule, it judges whether the vulnerability has been exploited successfully according to the vulnerability information, and when it judges that the vulnerability has been exploited successfully, it repairs the vulnerability according to the vulnerability information based on the predefined vulnerability repair rule.
For example, the specific procedure of vulnerability repair is as follows:
1. The request information of the request is extracted from the vulnerability information of the vulnerability; the request information includes the user-supplied request and response information, such as the URL (Uniform Resource Locator), request headers, request method, request body, response headers, response status code and the like.
The user-supplied request and response information is normalised; the normalisation flow is specifically as follows:
1.1 Target characters in the user-supplied request and response information are modified, for example redundant characters such as slashes are deleted, and the multiple file-name suffixes that some middleware tolerates are deleted (without this processing a payload bypass is possible).
1.2 The request is classified by content type, such as xml or json, all parameters of the request are parsed recursively, and all parameter values are extracted and cached for later detection in the risk function (for example Runtime.getRuntime().exec).
1.3 Target code in the user-supplied request and response information is modified, for example redundant separators in a file path are converted to a uniform format. For instance, when a request carries an attack such as directory traversal, the file path may use "\\", "/", "\" and similar separators to bypass checks; some normalisation is then needed, and the redundant separators in the path are converted to a unified format before comparison so that the bypass is prevented. This is generally required for file-operation tasks.
2. The asynchronous task information is extracted from the vulnerability information of the vulnerability; the asynchronous task information includes the function information of the risk function, the stack trace information of the risk function and the asynchronous thread information.
The asynchronous task information is normalised. The dangerous operations executed by risk functions are generally classified into file operations, reflective code execution, command execution, SQL injection and the like. Different normalisation is performed on the asynchronous task information for different operation types, and the parameters sometimes need pre-processing, such as extracting the lexical tokens of an SQL statement.
3. After the vulnerability information of the vulnerability has been normalised, the corresponding exploitation state judgment rule is invoked according to the operation type of the dangerous function to judge the exploitation state.
Assuming that the operation type of the dangerous function is SQL injection, the invoked exploitation state judgment rule may be to judge, for the parameter values extracted in step 1.2 from the user-supplied request and response information, whether each value appears completely in the thread context information of the dangerous function; if so, the vulnerability is judged to have been exploited successfully, otherwise it is judged not to have been. The exploitation state judgment flow specifically includes:
3.1 The parameter values of all parameters in the user-supplied request and response information are acquired. Taking SQL injection as the example, lexical analysis is first performed on the SQL statement currently being executed to obtain a sequence of lexical tokens; the token sequence is then traversed, the parameter value of each parameter is compared with the positions at which the tokens appear, and it is determined whether the user-supplied content forms an executable SQL fragment.
3.2 If the user input appears completely and is a valid executable fragment, that is, it is located by matching against the lexical token sequence and occupies a valid execution-segment range, the vulnerability is judged to have been exploited successfully.
4. After the vulnerability is judged to have been exploited successfully, the corresponding vulnerability repair rule is invoked according to the operation type of the risk function, and the repair processing specified by the action flags in that rule is executed, such as log reporting, request interception, parameter modification (for example cleaning XSS code out of the response) and return-value modification.
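The SQL-injection judgment of steps 3.1 and 3.2 and the repair selection of step 4, as an added example written for this page rather than code from the patent or its applicant. The lexer is a deliberately small regular-expression tokenizer (string literals, numbers, identifiers and keywords, comments, operators) and is an assumption; a production agent would use a real SQL lexer. The rule implemented is the one the text states: a parameter value that is present but stays inside a single token (a quoted string or a bare number) is not an exploit, while a value that overlaps two or more tokens has escaped its literal and supplies executable SQL.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Exploitation-state judgment for the SQL-injection operation type (example code, names are assumptions). */
public final class SqlExploitJudge {

    /** Repair action, standing in for the action flags of a rule-base entry. */
    public enum Action { NONE, LOG_AND_BLOCK }

    /** A lexical token with its character range in the statement. */
    static final class Token {
        final String text; final int start; final int end;
        Token(String text, int start) { this.text = text; this.start = start; this.end = start + text.length(); }
    }

    // Minimal SQL lexer: enough for the example, not a full grammar.
    private static final Pattern TOKEN = Pattern.compile(
        "'(?:[^']|'')*'"                    // single-quoted string literal, '' as escape
        + "|\\d+(?:\\.\\d+)?"               // numeric literal
        + "|[A-Za-z_][A-Za-z0-9_]*"         // identifier or keyword
        + "|--[^\\n]*|/\\*.*?\\*/"          // comments: an injected -- swallows the rest of the line
        + "|<>|<=|>=|!=|[=<>(),;*+\\-/]");  // operators and punctuation

    static List<Token> tokenize(String sql) {
        List<Token> out = new ArrayList<>();
        Matcher m = TOKEN.matcher(sql);
        while (m.find()) out.add(new Token(m.group(), m.start()));
        return out;
    }

    /**
     * Steps 3.1/3.2: true when some complete occurrence of the parameter value overlaps two or more
     * tokens of the executed statement, i.e. the input escaped its literal and occupies an execution
     * segment. A value absent from the statement, or contained in one token, is not an exploit.
     */
    static boolean exploited(String sql, String paramValue) {
        if (paramValue == null || paramValue.trim().isEmpty()) return false;
        List<Token> tokens = tokenize(sql);
        for (int at = sql.indexOf(paramValue); at >= 0; at = sql.indexOf(paramValue, at + 1)) {
            int end = at + paramValue.length();
            int overlapping = 0;
            for (Token t : tokens) if (t.end > at && t.start < end) overlapping++;
            if (overlapping >= 2) return true;
        }
        return false;
    }

    /** Step 4: apply the judgment to every cached request parameter and pick the repair action. */
    static Action repair(String sql, Map<String, String> requestParams) {
        for (Map.Entry<String, String> p : requestParams.entrySet()) {
            if (exploited(sql, p.getValue())) {
                System.out.println("[rasp] sql injection via parameter '" + p.getKey() + "': " + p.getValue());
                return Action.LOG_AND_BLOCK;   // report, then intercept before the statement executes
            }
        }
        return Action.NONE;
    }

    public static void main(String[] args) {
        // Constructed samples: cached request parameters (step 1.2) and the statement seen at the risk function.
        Map<String, String> benign = new LinkedHashMap<>();
        benign.put("user", "admin");
        benign.put("id", "42");
        System.out.println("benign  -> " + repair(
            "SELECT * FROM accounts WHERE name = 'admin' AND id = 42", benign));

        Map<String, String> tautology = new LinkedHashMap<>();
        tautology.put("user", "admin' OR '1'='1");
        tautology.put("id", "42");
        System.out.println("or-true -> " + repair(
            "SELECT * FROM accounts WHERE name = 'admin' OR '1'='1' AND id = 42", tautology));

        Map<String, String> comment = new LinkedHashMap<>();
        comment.put("user", "admin'--");
        System.out.println("comment -> " + repair(
            "SELECT * FROM accounts WHERE name = 'admin'--' AND pw = 'x'", comment));
    }
}
```

In the first sample both values sit inside one token each (the literal 'admin' and the number 42), so the rule reports nothing. In the second the value crosses from the literal into OR, '1', = and '1', and in the third it crosses from the literal into a line comment that removes the password check; both therefore overlap several tokens and are judged exploited. A single-token case where the parameter is used as a bare identifier (for example a user-controlled ORDER BY column) is not covered by this rule and needs its own entry in the rule base.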
According to this embodiment of the invention, the exploitation state is judged by retrieving from the rule base the exploitation state judgment rule corresponding to the operation type of the dangerous function, and a successfully exploited vulnerability is repaired by retrieving from the rule base the vulnerability repair rule corresponding to that operation type, so that a vulnerability exploited successfully from outside can be repaired quickly and accurately in the asynchronous thread, the efficiency of cross-thread detection and vulnerability repair is improved, and the running safety of the application is better ensured.
In an alternative embodiment, the vulnerability information of the vulnerability comprises the request information of the request, the function information of the risk function, the stack trace information of the risk function and the asynchronous thread information; the asynchronous thread information includes the name and tag of the asynchronous thread.
As an example, when a vulnerability is detected, the server acquires the vulnerability information of the vulnerability, which includes the request information of the request, the function information of the risk function, the stack trace information of the risk function and the asynchronous thread information, where the asynchronous thread information includes the name and tag of the asynchronous thread.
According to this embodiment of the invention, the vulnerability information is obtained by acquiring the request information of the request, the function information of the risk function, the stack trace information of the risk function and the asynchronous thread information, so that the vulnerability can be repaired quickly and effectively, the efficiency of cross-thread detection and vulnerability repair is improved, and the running safety of the application is better ensured.
As an example, to illustrate the cross-thread vulnerability repair method based on the code vaccine RASP probe of the first embodiment more clearly, its system architecture is shown in fig. 2. In fig. 2, the detection mode refers to recording the vulnerability information in detail when a vulnerability is detected, whereas the blocking mode not only detects the vulnerability but also intercepts it at the same time, and alarm information and the security risk are obtained promptly through the corresponding security protection configuration.
Referring to fig. 3, fig. 3 is a schematic structural diagram of a cross-thread vulnerability repair device based on a code vaccine RASP probe according to a second embodiment of the invention. The second embodiment provides a cross-thread vulnerability repair device based on a code vaccine RASP probe, comprising: a probe pre-instrumentation module 201, configured to install a probe in the program under test and perform pre-instrumentation through the probe; a request processing module 202, configured to generate a request data table according to the request information of the intercepted request; a vulnerability detection module 203, configured to perform vulnerability detection according to the intercepted function information of the risk function based on the request data table; an asynchronous judgment module 204, configured to judge, when a vulnerability is detected, whether the risk function is a risk function of an asynchronous task; an asynchronous processing module 205, configured to copy the request data table to the current thread if so, and to mark the current thread as an asynchronous thread; and a vulnerability repair module 206, configured to select in the asynchronous thread whether to repair the vulnerability according to its exploitation state.
In an alternative embodiment, the pre-instrumentation performed through the probe specifically includes: pre-instrumenting the request function through the probe to intercept the request information of the request; and pre-instrumenting the risk function through the probe to intercept the function information of the risk function.
In an alternative embodiment, the request processing module 202 is further configured to store the request information of the request in the ThreadContext class when the request information is intercepted, before generating the request data table according to the request information of the intercepted request.
In an optional embodiment, generating a request data table according to the request information of the intercepted request specifically includes: when the request information of the request is intercepted, initialising a request data table; intercepting the function information of a taint-source function according to the request information of the request; extracting the input parameters and the output parameters of the taint-source function from its function information; and storing the hash values of the input parameters and the hash values of the output parameters of the taint-source function in the request data table.
In an optional embodiment, performing vulnerability detection based on the request data table according to the intercepted function information of the risk function specifically includes: extracting the input parameters of the risk function from its function information; querying whether the hash value of an input parameter of the risk function exists in the request data table; and if so, judging that a vulnerability exists and acquiring the vulnerability information of the vulnerability.
In an alternative embodiment, judging whether the risk function is a risk function of an asynchronous task specifically includes: judging whether the task submitted to the monitored thread pool carries parameters that use the request; and if so, judging that the risk function is a risk function of an asynchronous task.
In an optional embodiment, selecting in the asynchronous thread whether to repair the vulnerability according to its exploitation state specifically includes: judging in the asynchronous thread, based on a predefined exploitation state judgment rule, whether the vulnerability has been exploited successfully according to the vulnerability information of the vulnerability; and if so, repairing the vulnerability according to its vulnerability information based on a predefined vulnerability repair rule.
In an alternative embodiment, the exploitation state judgment rule is the exploitation state judgment rule corresponding to the operation type of the dangerous function in a rule base, and the vulnerability repair rule is the vulnerability repair rule corresponding to the operation type of the dangerous function in the rule base.
In an alternative embodiment, the vulnerability information of the vulnerability comprises the request information of the request, the function information of the risk function, the stack trace information of the risk function and the asynchronous thread information; the asynchronous thread information includes the name and tag of the asynchronous thread.
The implementation of the functions and roles of each module of the above device is as described for the corresponding steps of the above method and is not repeated here.
Referring to fig. 4, fig. 4 is a schematic structural diagram of an electronic device according to a third embodiment of the invention. The third embodiment provides an electronic device 30 comprising a processor 301, a memory 302 and a computer program stored in the memory 302 and configured to be executed by the processor 301; the memory 302 is coupled to the processor 301, and when executing the computer program the processor 301 implements the cross-thread vulnerability repair method based on the code vaccine RASP probe according to the first embodiment, achieving the same advantages as the method.
The processor 301 may implement the method according to any embodiment of the cross-thread vulnerability repair method based on the code vaccine RASP probe of the first embodiment when it reads the computer program from the memory 302 via the bus 303 and executes it.
The processor 301 may process digital signals and may include various computing structures. Such as a complex instruction set computer architecture, a reduced instruction set computer architecture, or an architecture that implements a combination of instruction sets. In some examples, processor 301 may be a microprocessor.
Memory 302 may be used for storing instructions to be executed by processor 301 or data relating to the execution of instructions. Such instructions and/or data may include code to implement some or all of the functions of one or more of the modules described in embodiments of the present invention. The processor 301 of the disclosed embodiment may be configured to execute instructions in the memory 302 to implement a cross-thread vulnerability restoration method based on a code vaccine RASP probe according to the first embodiment of the present invention. Memory 302 includes dynamic random access memory, static random access memory, flash memory, optical memory, or other memory known to those skilled in the art.
A fourth embodiment of the invention provides a computer-readable storage medium containing a stored computer program; when the computer program runs, the device on which the computer-readable storage medium is located is controlled to execute the cross-thread vulnerability repair method based on the code vaccine RASP probe according to the first embodiment, and the same beneficial effects as that method are achieved.
In summary, the embodiments of the invention provide a cross-thread vulnerability repair method and device based on a code vaccine RASP probe. The method comprises: installing a probe in the program under test and performing pre-instrumentation through the probe; generating a request data table according to the request information of the intercepted request; performing vulnerability detection according to the intercepted function information of the risk function based on the request data table; when a vulnerability is detected, judging whether the risk function is a risk function of an asynchronous task; if so, copying the request data table to the current thread and marking the current thread as an asynchronous thread; and selecting in the asynchronous thread whether to repair the vulnerability according to its exploitation state. According to the embodiments of the invention, the probe installed in the program under test performs the pre-instrumentation, vulnerability detection and asynchronous-thread judgment are performed on the intercepted information, and when a vulnerability exists in the request processing and the current thread is executing an asynchronous task, the associated request data table is copied to the current thread so that it can read the associated information to detect and repair the vulnerability. Cross-thread detection and repair of vulnerabilities is thereby achieved and the running safety of the application is ensured.
In the several embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other manners. The apparatus embodiments described above are merely illustrative, for example, flow diagrams and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present invention may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a usb disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The foregoing is merely illustrative of the present invention, and the present invention is not limited thereto, and any person skilled in the art will readily appreciate variations or alternatives within the scope of the present invention. Therefore, the protection scope of the invention is subject to the protection scope of the claims.
Claims (11)
1. A cross-thread vulnerability repair method based on a code vaccine RASP probe, characterised by comprising the following steps:
installing a probe in a program under test, and performing pre-instrumentation through the probe;
generating a request data table according to the request information of an intercepted request;
based on the request data table, performing vulnerability detection according to the intercepted function information of a risk function;
when a vulnerability is detected, judging whether the risk function is a risk function of an asynchronous task; wherein judging whether the risk function is a risk function of an asynchronous task specifically includes: judging whether the task submitted to the monitored thread pool carries parameters that use the request; and if so, judging that the risk function is a risk function of an asynchronous task;
if so, copying the request data table to the current thread and marking the current thread as an asynchronous thread; wherein copying the request data table to the current thread and marking the current thread as an asynchronous thread specifically includes: proxying the task object submitted to the thread pool and creating a jar package; copying the request data table into a local variable when the task object is constructed, so that the task object accesses the local variable when the asynchronous thread executes, executes the task logic and restores the snapshot into the ThreadContext; and marking the ThreadContext as executing an asynchronous task, whereby the current thread is marked as the asynchronous thread;
and, in the asynchronous thread, selecting whether to repair the vulnerability according to the exploitation state of the vulnerability.
2. The cross-thread vulnerability repair method based on a code vaccine RASP probe according to claim 1, wherein performing pre-instrumentation through the probe specifically comprises:
pre-instrumenting the request function through the probe to intercept the request information of the request;
and pre-instrumenting the risk functions through the probe to intercept the function information of the risk functions.
3. The cross-thread vulnerability repair method based on a code vaccine RASP probe according to claim 1, further comprising, before generating the request data table from the request information of the intercepted request:
when the request information of the request is intercepted, storing the request information of the request in a threadcontext class.
4. The cross-thread vulnerability repair method based on a code vaccine RASP probe according to claim 1, wherein generating the request data table from the request information of the intercepted request specifically comprises:
initializing the request data table when the request information of the request is intercepted;
intercepting the function information of a taint source function according to the request information of the request;
extracting the input parameters and the output parameters of the taint source function from the function information of the taint source function;
and storing the hash values of the input parameters and the hash values of the output parameters of the taint source function in the request data table.
5. The cross-thread vulnerability repair method based on a code vaccine RASP probe according to claim 1, wherein performing vulnerability detection from the intercepted function information of the risk function based on the request data table specifically comprises:
extracting the input parameters of the risk function from the function information of the risk function;
querying whether the hash value of an input parameter of the risk function exists in the request data table;
if so, judging that a vulnerability exists and acquiring the vulnerability information of the vulnerability.
6. The cross-thread vulnerability repair method based on a code vaccine RASP probe according to claim 1, wherein selecting, in the asynchronous thread, whether to repair the vulnerability according to the exploitation state of the vulnerability specifically comprises:
in the asynchronous thread, judging whether the vulnerability has been successfully exploited according to the vulnerability information of the vulnerability, based on a predefined exploitation state judgment rule;
if so, repairing the vulnerability according to the vulnerability information of the vulnerability, based on a predefined vulnerability repair rule.
7. The cross-thread vulnerability repair method based on a code vaccine RASP probe according to claim 6, wherein the exploitation state judgment rule is the exploitation state judgment rule in a rule base that corresponds to the operation type of the risk function, and the vulnerability repair rule is the vulnerability repair rule in the rule base that corresponds to the operation type of the risk function.
8. The cross-thread vulnerability repair method based on a code vaccine RASP probe according to claim 5 or 6, wherein the vulnerability information of the vulnerability comprises the request information of the request, the function information of the risk function, the stack trace information of the risk function, and asynchronous thread information; the asynchronous thread information comprises the name and the tag of the asynchronous thread.
9. A cross-thread vulnerability repair device based on a code vaccine RASP probe, characterized by comprising:
a probe pre-instrumentation module, for installing a probe in the program under test and performing pre-instrumentation through the probe;
a request processing module, for generating a request data table from the request information of the intercepted request;
a vulnerability detection module, for performing vulnerability detection from the intercepted function information of the risk function based on the request data table;
an asynchronous judgment module, for judging, when a vulnerability is detected, whether the risk function is a risk function of an asynchronous task; judging whether the risk function is a risk function of an asynchronous task specifically comprises: judging whether a task submitted to the monitored thread pool has parameters that use the request; if so, judging that the risk function is a risk function of an asynchronous task;
an asynchronous processing module, for copying, if so, the request data table to the current thread and marking the current thread as an asynchronous thread; copying the request data table to the current thread and marking the current thread as an asynchronous thread specifically comprises: proxying the task object submitted to the thread pool and creating a jar package; copying the request data table to a local variable when the task object is constructed, so that the task object can access the local variable when the asynchronous thread executes, executing the task logic, and restoring the snapshot to the threadcontext; and marking the threadcontext as executing an asynchronous task, so that the current thread is marked as the asynchronous thread;
and a vulnerability repair module, for selecting, in the asynchronous thread, whether to repair the vulnerability according to the exploitation state of the vulnerability.
10. An electronic device comprising a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor; the memory is coupled to the processor, and the processor, when executing the computer program, implements the cross-thread vulnerability repair method based on a code vaccine RASP probe according to any one of claims 1 to 8.
11. A computer-readable storage medium, wherein the computer-readable storage medium comprises a stored computer program; wherein the computer program, when run, controls the device in which the computer-readable storage medium is located to perform the cross-thread vulnerability repair method based on a code vaccine RASP probe according to any one of claims 1 to 8.
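The procedure of claims 1 to 8 end to end, as an added example that is not code from the patent or its applicant. The claims are written against a Java runtime (a thread pool, a jar package, a threadcontext class); this Python model keeps the same steps, with `threading.local` standing in for the threadcontext, decorators standing in for the probe's pre-instrumentation of taint source and risk functions, and a proxy class standing in for the proxied task object. The request data table holds only hashes of parameter values (claim 4), detection is a hash lookup on the risk function's input parameters (claim 5), the proxy snapshots the table on the request thread and restores it plus the async marker on the pool thread (claim 1), and repair is gated on an exploitation-state rule looked up by operation type (claims 6 and 7). Every function name, the `file_read` rule base and the three requests are assumptions constructed for this example.

```python
import hashlib
import os
import threading
import traceback
from concurrent.futures import ThreadPoolExecutor
from functools import wraps

_ctx = threading.local()  # stands in for the claims' threadcontext class
VULN_LOG = []             # vulnerability information records (claim 8)

def _h(value):
    """The request data table holds hashes of parameter values, never the values."""
    return hashlib.sha256(repr(value).encode()).hexdigest()

def on_request(request_info):
    """Hook on the request function (claims 3 and 4): save request info, init the table."""
    _ctx.request, _ctx.table, _ctx.async_task = dict(request_info), set(), False

def taint_source(func):
    """Hook on a taint source function (claim 4): hash its inputs and output into the table."""
    @wraps(func)
    def wrapper(*args, **kwargs):
        out = func(*args, **kwargs)
        table = getattr(_ctx, "table", None)
        if table is not None:
            table.update(_h(v) for v in (*args, *kwargs.values(), out))
        return out
    return wrapper

# Rule base keyed by operation type (claim 7). Both rules are constructed for this example:
# a request-controlled path counts as exploited when it escapes the intended directory.
RULE_BASE = {"file_read": {
    "exploited": lambda p: p.startswith("/") or ".." in p.split("/"),
    "repair": lambda p: os.path.basename(p)}}

def risk_function(op_type):
    """Hook on a risk function (claims 5 to 8): detect, judge exploitation state, repair."""
    def deco(func):
        @wraps(func)
        def wrapper(*args):
            table = getattr(_ctx, "table", None)
            tainted = [a for a in args if table and _h(a) in table]
            if tainted:  # claim 5: an input parameter's hash is in the request data table
                rules = RULE_BASE[op_type]
                exploited = any(rules["exploited"](a) for a in tainted)
                if exploited:  # claim 6: repair only when the rule says it was exploited
                    args = tuple(rules["repair"](a) if a in tainted else a for a in args)
                VULN_LOG.append({
                    "request": getattr(_ctx, "request", None), "function": func.__name__,
                    "stack": traceback.format_stack(limit=4), "repaired": exploited,
                    "async": getattr(_ctx, "async_task", False),
                    "thread": threading.current_thread().name})
            return func(*args)
        return wrapper
    return deco

class AsyncTaskProxy:
    """Proxy for a task submitted to the monitored pool (claim 1): snapshot the table on
    the request thread, restore it and set the async marker on the pool thread."""
    def __init__(self, fn, args):
        self.fn, self.args = fn, args
        self.snapshot, self.request = set(_ctx.table), dict(_ctx.request)

    def __call__(self):
        _ctx.table, _ctx.request, _ctx.async_task = self.snapshot, self.request, True
        try:
            return self.fn(*self.args)
        finally:  # pool threads are reused: clear the context so nothing leaks
            _ctx.table, _ctx.request, _ctx.async_task = None, None, False

def submit_monitored(pool, fn, *args):
    """Claim 1: only tasks whose parameters derive from the request get the proxy."""
    table = getattr(_ctx, "table", None)
    if table and any(_h(a) in table for a in args):
        return pool.submit(AsyncTaskProxy(fn, args))
    return pool.submit(fn, *args)

# Application code under the probe (constructed for the example).
@taint_source
def get_param(request, name):
    return request[name]

@risk_function("file_read")
def read_file(path):
    return ("read", path)  # stands in for the real file read

def handle(request, pool):
    on_request(request)
    return submit_monitored(pool, read_file, get_param(request, "name")).result()

def run_demo():
    """Three constructed requests; returns each result plus the vulnerability log."""
    VULN_LOG.clear()
    with ThreadPoolExecutor(max_workers=1, thread_name_prefix="worker") as pool:
        attack = handle({"name": "../../etc/passwd"}, pool)
        benign = handle({"name": "report.txt"}, pool)
        untracked = submit_monitored(pool, read_file, "static.txt").result()
    return {"attack": attack, "benign": benign, "untracked": untracked, "log": list(VULN_LOG)}
```

Two points a practitioner should take from running it. First, detection by hash lookup only fires when a value reaches the risk function unchanged, or through a taint source whose output hash was recorded; a path built by string concatenation on the request thread is invisible to it unless the concatenating function is itself instrumented, which is why claim 4 records output parameters and not just inputs. Second, the repair rule changes application behaviour (here the traversal path collapses to its basename), so it must stay behind the exploitation-state gate of claim 6 and be logged with the thread name and async tag of claim 8, otherwise a benign request that merely touches a sink gets silently rewritten. In a Java agent the same shape is a `ThreadLocal` context and a wrapper around the `Runnable` or `Callable` handed to `ExecutorService.submit`.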
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311572075.2A CN117610009B (en) | 2023-11-23 | 2023-11-23 | Cross-thread vulnerability repairing method and device based on code vaccine RASP probe |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311572075.2A CN117610009B (en) | 2023-11-23 | 2023-11-23 | Cross-thread vulnerability repairing method and device based on code vaccine RASP probe |
Publications (2)
Publication Number | Publication Date |
---|---|
CN117610009A CN117610009A (en) | 2024-02-27 |
CN117610009B true CN117610009B (en) | 2024-06-11 |
Family
ID=89959117
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311572075.2A Active CN117610009B (en) | 2023-11-23 | 2023-11-23 | Cross-thread vulnerability repairing method and device based on code vaccine RASP probe |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117610009B (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2575069A2 (en) * | 2011-09-30 | 2013-04-03 | Tata Consultancy Services Ltd. | Security vulnerability correction |
CN112464242A (en) * | 2020-11-12 | 2021-03-09 | 苏州浪潮智能科技有限公司 | Webpage platform vulnerability collection method, system, terminal and storage medium |
CN112528296A (en) * | 2021-02-10 | 2021-03-19 | 腾讯科技(深圳)有限公司 | Vulnerability detection method and device, storage medium and electronic equipment |
CN113076233A (en) * | 2021-03-30 | 2021-07-06 | 中国建设银行股份有限公司 | IO performance detection method, device, equipment and storage medium |
WO2022267343A1 (en) * | 2021-06-25 | 2022-12-29 | 深圳前海微众银行股份有限公司 | Vulnerability detection method and device, and readable storage medium |
CN116842531A (en) * | 2023-08-28 | 2023-10-03 | 北京安普诺信息技术有限公司 | Code vaccine-based vulnerability real-time verification method, device, equipment and medium |
CN116992438A (en) * | 2023-09-25 | 2023-11-03 | 北京安普诺信息技术有限公司 | Method, device, equipment and medium for repairing real-time loopholes based on code vaccine |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8347272B2 (en) * | 2008-07-23 | 2013-01-01 | International Business Machines Corporation | Call graph dependency extraction by static source code analysis |
Non-Patent Citations (2)
Title |
---|
Hamza, A. et al. Diminisher: A Linux Kernel Based Countermeasure for TAA Vulnerability. Lecture Notes in Artificial Intelligence. 2022, 477-495. * |
刘露平; 方勇; 刘亮; 龙刚. Research on buffer overflow vulnerability detection technology based on dynamic instrumentation. Information Security and Communications Privacy. 2015, (04), 80-82+87. * |
Also Published As
Publication number | Publication date |
---|---|
CN117610009A (en) | 2024-02-27 |
Similar Documents
Publication | Title |
---|---|
US7962798B2 (en) | Methods, systems and media for software self-healing |
Xu et al. | Early detection of configuration errors to reduce failure damage |
Smirnov et al. | DIRA: Automatic Detection, Identification and Repair of Control-Hijacking Attacks |
Long et al. | Automatic runtime error repair and containment via recovery shepherding |
Dolan-Gavitt et al. | Robust signatures for kernel data structures |
US20050108562A1 (en) | Technique for detecting executable malicious code using a combination of static and dynamic analyses |
CN105141647B (en) | Method and system for detecting Web applications |
CN112181833A (en) | Intelligent fuzzy test method, device and system |
CN112733150A (en) | Firmware unknown vulnerability detection method based on vulnerability analysis |
Kim et al. | Efficient patch-based auditing for web application vulnerabilities |
CN112422581B (en) | Webshell webpage detection method, device and equipment in JVM (Java virtual machine) |
Cho et al. | Anti-debugging scheme for protecting mobile apps on android platform |
US8788884B2 (en) | Automatic correction of program logic |
CN111859380A (en) | A Zero False Positive Detection Method for Android App Vulnerabilities |
Fetzer et al. | An automated approach to increasing the robustness of C libraries |
CN112464236B (en) | A method, system and related device for detecting malicious programs |
CN117610009B (en) | Cross-thread vulnerability repairing method and device based on code vaccine RASP probe |
CN116467712B (en) | Dynamic taint tracking method, device and related taint propagation analysis system |
CN109726115B (en) | Anti-debugging automatic bypass method based on tracking of Intel processor |
Sha Letian et al. | PVDF: An automatic patch-based vulnerability description and fuzzing method |
Laranjeiro et al. | Protecting database centric web services against SQL/XPath injection attacks |
Park et al. | RPS: An extension of reference monitor to prevent race-attacks |
KR101842263B1 (en) | Method and apparatus for preventing reverse engineering |
Durães et al. | A methodology for the automated identification of buffer overflow vulnerabilities in executable software without source-code |
Benameur et al. | MINESTRONE: Testing the SOUP |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |