CN105975862A - Vulnerability detection method and system based on vulnerability trigger mode - Google Patents
- Publication number: CN105975862A (application CN201510826442.6A)
- Authority: CN (China)
- Prior art keywords: file, joint, vulnerability, executable file, rodata
- Prior art date
- Legal status: Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
Abstract
The invention discloses a vulnerability detection method and system based on the vulnerability triggering mode. The technical scheme comprises: obtaining an executable file or dynamic library file and parsing its header; judging whether the first four bytes of the executable file or dynamic library file are '0x7f', 'E', 'L', 'F' and, if so, continuing to obtain the section-table-related information; obtaining, from the section-table-related information, the offset and size of the .rodata section in the executable file or dynamic library file; and then judging whether the string /dev/ptmx exists in the .rodata section and, if so, judging the file to be suspicious. A large amount of manual analysis of existing vulnerability exploit code or reports is avoided: starting only from the way the kernel vulnerability is triggered, the key string of the pseudo-terminal-related device can be located and the device name used as the detection means, so that finding the device name is enough to determine that the software has root-obtaining behaviour or vulnerability-triggering behaviour.
Description
Technical field
The present invention relates to the field of information security technology, and in particular to a method for detecting viruses or malicious behaviour by way of the vulnerability triggering mode.
Background technology
At present, detection of the various programs that exploit vulnerabilities generally waits until the exploitation method of a vulnerability or an analysis report for it appears, then analyses it and extracts its key steps as the detection means.
The traditional method above has the following defects:
(1) The detection means can only be formed after the vulnerability has been fully disclosed, so by the time detection capability exists the exploitation of the vulnerability may already be widespread.
(2) The publicly disclosed exploit code or report must be analysed in some depth, which consumes considerable manpower.
(3) The detection target is single: the feature extracted by the above method can only target a single vulnerability or exploitation means, and its heuristic value is low.
Malicious programs that exploit kernel-level vulnerabilities, i.e. Linux kernel vulnerabilities, can typically use these known or unknown vulnerabilities to obtain root privileges and then perform operations such as modifying system files or leaving back doors, causing damage or preventing removal by antivirus software.
These vulnerabilities all exploit defects in the Linux code, including failing to validate parameters effectively and buffer overflows, and use these defects to read and write kernel space. While a program is executing in kernel space the CPU is at the ring0 privilege level and can access any memory address, so the code executing at that moment also has the highest privilege. Exploit code usually uses a kernel code defect to locate a specific function or structure in the kernel and modify it to an entry point of its own choosing, and that entry point then obtains root privileges or performs other malicious operations.
On the exploitation side, the exploit code generally has to be placed in user space and some means used to make the kernel execution flow jump to the start of that code.
This is the common exploitation scenario for this kind of vulnerability: if the kernel execution flow is to be changed, the primary condition is to use the vulnerability to modify some kernel address, and the next is to find a way to invoke something that reads that address.
A common vulnerability triggering mode is to modify the file_operations structure of some dev (device) file registered in the kernel. This structure defines the implementation of the file operations for that device, such as write, read and fsync; the pointer for some operation is changed to one of the attacker's own definition, and calling the corresponding operation on the device then triggers the vulnerability. The address of this structure in the kernel can, under certain conditions, be obtained by analysing the kernel image or by reading the /proc/kallsyms file to find the corresponding file_operations address.
This method has one restriction: the device being triggered must have sufficiently small impact. Through analysis it was found that a large amount of software with root functionality uses the /dev/ptmx device. ptmx is a pseudo-terminal device, the probability that regular software uses it is very low, and it satisfies the requirement that the impact be sufficiently small. Its corresponding file_operations structure in the kernel is named ptmx_fops; after locating it, the pointer of its fsync operation is modified. Once the modification is complete, /dev/ptmx can be opened directly from user space and calling fsync on it triggers the vulnerability.
Summary of the invention
In view of the above technical problem, the present invention discloses a vulnerability detection method based on the vulnerability triggering mode which, by using the device name as a detection means, solves the problems that the detection target is single and that a large amount of manpower is consumed.
A vulnerability detection method based on the vulnerability triggering mode, comprising:
obtaining an executable file or dynamic library file, parsing its header, and judging whether the first four bytes of the executable file or dynamic library file are '0x7f' 'E' 'L' 'F'; if so, continuing to obtain the section-table-related information;
obtaining, from the section-table-related information, the offset and size of the .rodata section in the executable file or dynamic library file;
judging whether the string /dev/ptmx exists in the .rodata section content; if so, judging the file to be suspicious.
Further, the section-table-related information comprises the section table offset, the section table entry size, the number of entries in the section table, and the section name string table information.
A vulnerability detection system based on the vulnerability triggering mode, comprising:
a parsing module, used for obtaining an executable file or dynamic library file, parsing its header, and judging whether the first four bytes of the executable file or dynamic library file are '0x7f' 'E' 'L' 'F'; if so, continuing to obtain the section-table-related information; and obtaining, from the section-table-related information, the offset and size of the .rodata section in the executable file or dynamic library file;
a judging module, used for judging whether the string /dev/ptmx exists in the .rodata section content; if so, judging the file to be suspicious.
Further, the section-table-related information comprises the section table offset, the section table entry size, the number of entries in the section table, and the section name string table information.
In summary, the present invention provides a vulnerability detection method and system based on the vulnerability triggering mode. The technical scheme obtains an executable file or dynamic library file, parses its header, and judges whether the first four bytes of the executable file or dynamic library file are '0x7f' 'E' 'L' 'F'; if so, it continues to obtain the section-table-related information, from which it obtains the offset and size of the .rodata section in the executable file or dynamic library file; it then judges whether the string /dev/ptmx exists in the .rodata section content and, if so, judges the file to be suspicious.
The beneficial effect of the present invention is that a large amount of manual analysis of existing vulnerability exploit code or reports is not needed: starting only from the mode in which the kernel vulnerability is triggered, the key string of the pseudo-terminal-related device can be located and the device name used as a detection means, so that finding the device name is enough to determine that the software has root-obtaining behaviour or vulnerability-triggering behaviour, and deeper analysis of the sample may then reveal known or unknown vulnerabilities. This solves the problems of the traditional detection method that its heuristic value is low and that the extracted feature can only target a single vulnerability.
Accompanying drawing explanation
In order to explain the technical scheme more clearly, the drawings needed in the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of an embodiment of the vulnerability detection method based on the vulnerability triggering mode provided by the present invention;
Fig. 2 is a structural diagram of an embodiment of the vulnerability detection system based on the vulnerability triggering mode provided by the present invention.
Detailed description of the invention
The present invention provides embodiments. In order that those skilled in the art may better understand the technical scheme in the embodiments of the present invention, and to make the above objects, features and advantages of the present invention clearer and easier to understand, the technical scheme of the present invention is described in further detail below with reference to the drawings:
In view of the above technical problem, the present invention discloses a vulnerability detection method based on the vulnerability triggering mode which, by using the device name as a detection means, solves the problems that the detection target is single and that a large amount of manpower is consumed.
The present invention first provides a vulnerability detection method based on the vulnerability triggering mode which, as shown in Fig. 1, comprises:
S101: obtaining an executable file or dynamic library file, parsing its header, and judging whether the first four bytes of the executable file or dynamic library file are '0x7f' 'E' 'L' 'F'; if so, continuing to obtain the section-table-related information;
S102: obtaining, from the section-table-related information, the offset and size of the .rodata section in the executable file or dynamic library file;
S103: judging whether the string /dev/ptmx exists in the .rodata section content; if so, judging the file to be suspicious.
Preferably, the section-table-related information comprises the section table offset, the section table entry size, the number of entries in the section table, and the section name string table information.
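Steps S101 to S103 above (and the identical method stated in the Summary of the invention) amount to a short walk of the ELF section header table. The following is an added example written for this page; it is not the applicant's code and not the implementation behind Fig. 1. The function names, the `NotElf` exception and the `build_sample_elf` helper that constructs a throwaway test input are this example's own. It reads exactly the four fields the patent names (section table offset, entry size, entry count, section name string table index), handles both ELF32 and ELF64 in either byte order, which goes beyond the text, and refuses truncated inputs rather than reading past the end of the file.

```python
"""Added example for this page: the ELF magic -> section table -> .rodata
scan described in steps S101-S103. Not the applicant's code."""
import struct
import sys

ELF_MAGIC = b"\x7fELF"          # the "0x7f E L F" check of step S101
TARGET_STRING = b"/dev/ptmx"    # device name used as the detection feature (S103)


class NotElf(Exception):
    """Raised when the input is not an ELF file this parser can handle."""


def parse_elf_header(data):
    """Return (is_64, endian_prefix, e_shoff, e_shentsize, e_shnum, e_shstrndx).

    Only the fields needed to reach the section header table are read: this is
    the "section-table-related information" the patent refers to.
    """
    if len(data) < 16 or data[:4] != ELF_MAGIC:
        raise NotElf("missing ELF magic")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise NotElf("unknown EI_CLASS or EI_DATA")
    is_64 = ei_class == 2
    end = "<" if ei_data == 1 else ">"
    if len(data) < (64 if is_64 else 52):
        raise NotElf("truncated ELF header")
    if is_64:   # Elf64_Ehdr field offsets
        e_shoff = struct.unpack_from(end + "Q", data, 0x28)[0]
        e_shentsize, e_shnum, e_shstrndx = struct.unpack_from(end + "HHH", data, 0x3A)
    else:       # Elf32_Ehdr field offsets
        e_shoff = struct.unpack_from(end + "I", data, 0x20)[0]
        e_shentsize, e_shnum, e_shstrndx = struct.unpack_from(end + "HHH", data, 0x2E)
    return is_64, end, e_shoff, e_shentsize, e_shnum, e_shstrndx


def section_headers(data):
    """Return a list of {name, type, offset, size} dicts, one per section."""
    is_64, end, shoff, shentsize, shnum, shstrndx = parse_elf_header(data)
    fmt = end + ("IIQQQQIIQQ" if is_64 else "IIIIIIIIII")  # Elf64_Shdr / Elf32_Shdr
    if shnum == 0 or shentsize < struct.calcsize(fmt):
        raise NotElf("no usable section header table")
    if shoff + shnum * shentsize > len(data):
        raise NotElf("section header table runs past end of file")
    if shstrndx >= shnum:   # SHN_UNDEF / SHN_XINDEX are deliberately not handled
        raise NotElf("invalid e_shstrndx")
    hdrs = []
    for i in range(shnum):
        f = struct.unpack_from(fmt, data, shoff + i * shentsize)
        hdrs.append({"name_off": f[0], "type": f[1], "offset": f[4], "size": f[5]})
    st = hdrs[shstrndx]                       # section name string table
    if st["offset"] + st["size"] > len(data):
        raise NotElf("section name string table truncated")
    names = data[st["offset"]:st["offset"] + st["size"]]
    for h in hdrs:
        nul = names.find(b"\0", h["name_off"])
        h["name"] = names[h["name_off"]:nul if nul >= 0 else None].decode("latin-1")
    return hdrs


def find_rodata(data):
    """Step S102: (offset, size) of the .rodata section, or None if absent."""
    for h in section_headers(data):
        if h["name"] == ".rodata":
            return h["offset"], h["size"]
    return None


def is_suspect(data):
    """Steps S101-S103: True when the .rodata of an ELF contains /dev/ptmx."""
    try:
        loc = find_rodata(data)
    except NotElf:
        return False            # not a parseable ELF: the rule does not apply
    if loc is None:
        return False
    off, size = loc
    if off + size > len(data):
        return False            # truncated section: treat as no match
    return TARGET_STRING in data[off:off + size]


def build_sample_elf(rodata):
    """Constructed test input (not a real binary): a minimal little-endian
    ELF64 with a NULL section, a .rodata section holding `rodata`, and
    .shstrtab. It has no program headers, so it cannot be run, only parsed."""
    shstrtab = b"\0.rodata\0.shstrtab\0"       # ".rodata" at 1, ".shstrtab" at 9
    rodata_off = 64
    shstrtab_off = rodata_off + len(rodata)
    shoff = shstrtab_off + len(shstrtab)
    pad = (-shoff) % 8                          # align the section header table
    shoff += pad
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8      # ELFCLASS64, LSB, v1
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH",
                                 2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 2)

    def shdr(name_off, sh_type, flags, off, size):
        return struct.pack("<IIQQQQIIQQ", name_off, sh_type, flags, 0, off, size, 0, 0, 1, 0)

    shdrs = (shdr(0, 0, 0, 0, 0)                              # SHT_NULL
             + shdr(1, 1, 0x2, rodata_off, len(rodata))       # SHT_PROGBITS, SHF_ALLOC
             + shdr(9, 3, 0, shstrtab_off, len(shstrtab)))    # SHT_STRTAB
    return ehdr + rodata + shstrtab + b"\0" * pad + shdrs


if __name__ == "__main__":
    if len(sys.argv) == 1:      # no paths given: demonstrate on the constructed sample
        print("sample:", is_suspect(build_sample_elf(b"usage\0/dev/ptmx\0")))
    for p in sys.argv[1:]:
        with open(p, "rb") as fh:
            print(p, "SUSPECT" if is_suspect(fh.read()) else "clean")
```

Run it with file paths as arguments to print SUSPECT or clean per file; with no arguments it runs on the constructed sample. The rule implemented is the patent's as stated: a match only means the .rodata section contains the device name, which the description relies on being rare in regular software. A terminal emulator or multiplexer that legitimately opens /dev/ptmx would be flagged too, so the result is a triage signal that selects samples for the deeper analysis the description mentions, not a verdict on its own.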
The present invention also provides a vulnerability detection system based on the vulnerability triggering mode which, as shown in Fig. 2, comprises:
a parsing module 201, used for obtaining an executable file or dynamic library file, parsing its header, and judging whether the first four bytes of the executable file or dynamic library file are '0x7f' 'E' 'L' 'F'; if so, continuing to obtain the section-table-related information; and obtaining, from the section-table-related information, the offset and size of the .rodata section in the executable file or dynamic library file;
a judging module 202, used for judging whether the string /dev/ptmx exists in the .rodata section content; if so, judging the file to be suspicious.
Preferably, the section-table-related information comprises the section table offset, the section table entry size, the number of entries in the section table, and the section name string table information.
In summary, the present invention provides a vulnerability detection method and system based on the vulnerability triggering mode. The technical scheme obtains an executable file or dynamic library file, parses its header, and judges whether the first four bytes of the executable file or dynamic library file are '0x7f' 'E' 'L' 'F'; if so, it continues to obtain the section-table-related information, from which it obtains the offset and size of the .rodata section in the executable file or dynamic library file; it then judges whether the string /dev/ptmx exists in the .rodata section content and, if so, judges the file to be suspicious.
The beneficial effect of the present invention is that no further large-scale manual analysis of existing vulnerability exploit code or reports is needed: starting only from the mode in which the kernel vulnerability is triggered, the key string of the pseudo-terminal-related device can be located and the device name used as a detection means, so that finding the device name is enough to determine that the software has root-obtaining behaviour or vulnerability-triggering behaviour, and deeper analysis of the sample may then reveal known or unknown vulnerabilities. This solves the problems of the traditional detection method that its heuristic value is low and that the extracted feature can only target a single vulnerability.
The above embodiments are intended to illustrate, not to limit, the technical scheme of the present invention. Any modification or partial replacement that does not depart from the spirit and scope of the present invention shall fall within the scope of the claims of the present invention.
Claims (4)
1. A vulnerability detection method based on the vulnerability triggering mode, characterised by comprising:
obtaining an executable file or dynamic library file, parsing its header, and judging whether the first four bytes of the executable file or dynamic library file are '0x7f' 'E' 'L' 'F'; if so, continuing to obtain the section-table-related information;
obtaining, from the section-table-related information, the offset and size of the .rodata section in the executable file or dynamic library file;
judging whether the string /dev/ptmx exists in the .rodata section content; if so, judging the file to be suspicious.
2. The method of claim 1, characterised in that the section-table-related information comprises: the section table offset, the section table entry size, the number of entries in the section table, and the section name string table information.
3. A vulnerability detection system based on the vulnerability triggering mode, characterised by comprising:
a parsing module, used for obtaining an executable file or dynamic library file, parsing its header, and judging whether the first four bytes of the executable file or dynamic library file are '0x7f' 'E' 'L' 'F'; if so, continuing to obtain the section-table-related information; and obtaining, from the section-table-related information, the offset and size of the .rodata section in the executable file or dynamic library file;
a judging module, used for judging whether the string /dev/ptmx exists in the .rodata section content; if so, judging the file to be suspicious.
4. The system of claim 3, characterised in that the section-table-related information comprises: the section table offset, the section table entry size, the number of entries in the section table, and the section name string table information.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN201510826442.6A CN105975862A (en) | 2015-11-25 | 2015-11-25 | Vulnerability detection method and system based on vulnerability trigger mode
Publications (1)
Publication Number | Publication Date
---|---
CN105975862A (en) | 2016-09-28
Family ID: 56988384
Country Status (1)
Country | Link
---|---
CN (1) | CN105975862A (en)
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN110941833A (en) * | 2019-12-04 | 2020-03-31 | 厦门安胜网络科技有限公司 | Method and device for detecting bugs in apk file and storage medium
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
US20040230331A1 (en) * | 2003-05-15 | 2004-11-18 | Gwan-Hwan Hwang | Multi-user network audio system on UNIX-based operating systems
US7689566B1 (en) * | 2006-12-12 | 2010-03-30 | Sun Microsystems, Inc. | Method for defining non-native operating environments
CN101751273A (en) * | 2008-12-15 | 2010-06-23 | 中国科学院声学研究所 | Safety guide device and method for embedded system
CN104778413A (en) * | 2015-04-15 | 2015-07-15 | 南京大学 | Software vulnerability detection method based on simulation attack
Non-Patent Citations (1)
Title
---
CEDRIC VAN BOCKHAVEN: "Android patching", 30 June 2014 *
Legal Events
Code | Title | Description
---|---|---
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20160928