CN106921731B - Vulnerability repair method and device - Google Patents


Publication number: CN106921731B
Application number: CN201710062973.1A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN106921731A (en)
Inventors: 陈雄, 徐鹏捷
Current assignee: Beijing Qihoo Technology Co Ltd
Original assignee: Beijing Qihoo Technology Co Ltd
Legal status: Active
Prior art keywords: update, file, scanning, files, patch

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 8/00 Arrangements for software engineering
    • G06F 8/60 Software deployment
    • G06F 8/65 Updates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]

Abstract

The invention provides a vulnerability repair method and device. The method comprises: loading a scanning library that matches the local system platform and contains one or more update patches; scanning the local system for vulnerabilities with the loaded scanning library according to a scanning rule to obtain a patch to be installed, and determining the identifiers of the update files that correspond to the patch to be installed and are not present on the local system; and acquiring those update files from a file server by their identifiers and repairing the local vulnerability with them. Compared with the prior art, in which a cumulative update containing the large and complete set of update information is downloaded, the method and device save data traffic and thereby improve the efficiency of vulnerability repair.

Description

Vulnerability repair method and device
Technical Field
The invention relates to the technical field of information security, and in particular to a vulnerability repair method and device.
Background
In Win10, Microsoft introduced a new Windows Update distribution mechanism: instead of the previous form of separate installation packages, updates are delivered as a large cumulative monthly update package. This form solves the serious fragmentation of system updates and makes the update process simpler. It has drawbacks, however: the cumulative update package is large (the cumulative update for Win10 x64, for example, exceeds 1G) and contains the large and complete set of update information, not all of which is necessary for a specific user terminal. For any given terminal, much of the cumulative package is useless, which causes unnecessary traffic waste.
Disclosure of Invention
In view of the above, the present invention provides a vulnerability repair method and a corresponding device that overcome, or at least partially solve, the above problems.
According to one aspect of the present invention, a vulnerability repair method is provided, including:
loading a scanning library that matches the local system platform and contains one or more update patches;
scanning the local system for vulnerabilities with the loaded scanning library according to a scanning rule to obtain a patch to be installed, and determining the identifiers of a plurality of update files that correspond to the patch to be installed and do not exist on the local system;
and acquiring the plurality of update files from a file server by using their identifiers, and repairing the local vulnerability by using the plurality of update files.
Optionally, loading a scanning library that matches the local system platform and contains one or more update patches comprises:
acquiring the scanning library of the local system and a scanning library that is issued by an external data publishing server through a designated channel, matches the local system platform, and contains one or more update patches;
and loading the acquired scanning library.
Optionally, the file server includes a plurality of content delivery network (CDN) nodes and a KV server; each CDN node synchronizes the update files corresponding to each patch, and the KV server establishes an index of the identifiers and address information of the update files.
Optionally, the scanning library records the identifiers of the update files corresponding to each patch, and determining the identifiers of the plurality of update files that correspond to the patch to be installed and do not exist on the local system includes:
determining the identifiers of the candidate update files corresponding to the patch to be installed from the identifiers of the update files recorded in the scanning library for each patch;
judging, from the identifier of each candidate update file, whether that candidate update file exists on the local system;
if not, writing the identifier of the candidate update file into a delta file list, and taking the identifiers of the files in the delta file list as the identifiers of the plurality of update files;
if so, copying the candidate update file from the local system to a temporary installation directory.
Optionally, each CDN node further synchronizes an update package corresponding to each patch, where the update package includes the identifiers of multiple update files, and the KV server further establishes an index of the identifier and address information of the update package.
Optionally, the scanning library records the identifier of the update package corresponding to each patch, and determining the identifiers of the plurality of update files that correspond to the patch to be installed and do not exist on the local system includes:
determining the identifier of the target update package corresponding to the patch to be installed from the identifiers of the update packages recorded in the scanning library for each patch;
acquiring the address information of the target update package from the KV server by using the identifier of the target update package;
downloading the target update package from the corresponding CDN node by using its address information;
and decompressing the target update package to determine the identifiers of the plurality of update files.
Optionally, decompressing the target update package to determine the identifiers of the plurality of update files comprises:
decompressing the target update package to obtain the identifiers of the candidate update files;
judging, from the identifier of each candidate update file, whether that candidate update file exists on the local system;
if not, writing the identifier of the candidate update file into a delta file list, and taking the identifiers of the files in the delta file list as the identifiers of the plurality of update files;
if so, copying the candidate update file from the local system to the temporary installation directory.
Optionally, acquiring the plurality of update files from the file server by using their identifiers comprises:
acquiring the address information of the plurality of update files from the KV server by using their identifiers;
and downloading the plurality of update files from the corresponding CDN nodes by using that address information.
Optionally, repairing the local vulnerability by using the plurality of update files includes:
copying the plurality of downloaded update files to the temporary installation directory;
and installing the files in the temporary installation directory to repair the local vulnerability.
Optionally, the index further includes at least one of the following index information:
summary information, size, release time and verification information of the update file.
Optionally, copying the plurality of downloaded update files to the temporary installation directory includes:
acquiring, from the KV server by using the identifiers of the plurality of update files, index information of those files that contains their verification information;
and verifying the plurality of downloaded update files by using the verification information, and copying them to the temporary installation directory after the verification passes.
Optionally, scanning the local system for vulnerabilities with the loaded scanning library according to the scanning rule to obtain a patch to be installed includes:
scanning the local system for vulnerabilities with the loaded scanning library according to the scanning rule to obtain a scanning result set of the patches that are not installed on the local system;
and selecting the patch to be installed from the scanning result set.
Optionally, scanning the local system for vulnerabilities with the loaded scanning library according to the scanning rule to obtain the scanning result set of the patches not installed on the local system includes:
enumerating all patches in the loaded scanning library to obtain an update list;
and traversing the update list, judging whether each patch is installed on the local system, and if not, adding the patch to the scanning result set.
According to another aspect of the present invention, a vulnerability repair device is also provided, including:
a loading module adapted to load a scanning library that matches the local system platform and contains one or more update patches;
a determining module adapted to scan the local system for vulnerabilities with the loaded scanning library according to a scanning rule to obtain a patch to be installed, and to determine the identifiers of a plurality of update files that correspond to the patch to be installed and do not exist on the local system;
and a vulnerability repair module adapted to acquire the plurality of update files from the file server by using their identifiers and further to repair the local vulnerability by using the plurality of update files.
Optionally, the loading module is further adapted to:
acquire the scanning library of the local system and a scanning library that is issued by an external data publishing server through a designated channel, matches the local system platform, and contains one or more update patches;
and load the acquired scanning library.
Optionally, the file server includes a plurality of content delivery network (CDN) nodes and a KV server; each CDN node synchronizes the update files corresponding to each patch, and the KV server establishes an index of the identifiers and address information of the update files.
Optionally, the determining module is further adapted to:
determine the identifiers of the candidate update files corresponding to the patch to be installed from the identifiers of the update files recorded in the scanning library for each patch;
judge, from the identifier of each candidate update file, whether that candidate update file exists on the local system;
if not, write the identifier of the candidate update file into a delta file list, and take the identifiers of the files in the delta file list as the identifiers of the plurality of update files;
if so, copy the candidate update file from the local system to the temporary installation directory.
Optionally, each CDN node further synchronizes an update package corresponding to each patch, where the update package includes the identifiers of multiple update files, and the KV server further establishes an index of the identifier and address information of the update package.
Optionally, the determining module is further adapted to:
determine the identifier of the target update package corresponding to the patch to be installed from the identifiers of the update packages recorded in the scanning library for each patch;
acquire the address information of the target update package from the KV server by using the identifier of the target update package;
download the target update package from the corresponding CDN node by using its address information;
and decompress the target update package to determine the identifiers of the plurality of update files.
Optionally, the determining module is further adapted to:
decompress the target update package to obtain the identifiers of the candidate update files;
judge, from the identifier of each candidate update file, whether that candidate update file exists on the local system;
if not, write the identifier of the candidate update file into a delta file list, and take the identifiers of the files in the delta file list as the identifiers of the plurality of update files;
if so, copy the candidate update file from the local system to the temporary installation directory.
Optionally, the vulnerability repair module is further adapted to:
acquire the address information of the plurality of update files from the KV server by using their identifiers;
and download the plurality of update files from the corresponding CDN nodes by using that address information.
Optionally, the vulnerability repair module is further adapted to:
copy the plurality of downloaded update files to the temporary installation directory;
and install the files in the temporary installation directory to repair the local vulnerability.
Optionally, the index further includes at least one of the following index information:
summary information, size, release time and verification information of the update file.
Optionally, the vulnerability repair module is further adapted to:
acquire, from the KV server by using the identifiers of the plurality of update files, index information of those files that contains their verification information;
and verify the plurality of downloaded update files by using the verification information, and copy them to the temporary installation directory after the verification passes.
Optionally, the determining module is further adapted to:
scan the local system for vulnerabilities with the loaded scanning library according to the scanning rule to obtain a scanning result set of the patches that are not installed on the local system;
and select the patch to be installed from the scanning result set.
Optionally, the determining module is further adapted to:
enumerate all patches in the loaded scanning library to obtain an update list;
and traverse the update list, judging whether each patch is installed on the local system, and if not, adding the patch to the scanning result set.
In the embodiment of the present invention, a scanning library that matches the local system platform and contains one or more update patches is loaded; the loaded scanning library is then used to scan the local system for vulnerabilities according to the scanning rule to obtain a patch to be installed, and the identifiers of the plurality of update files that correspond to the patch to be installed and do not exist on the local system are determined; those update files are then acquired from the file server by their identifiers and used to repair the local vulnerability. Because the scanning library matched to the system platform is loaded directly when repair is carried out, scanning efficiency and the effectiveness of the repair are improved. Furthermore, the update files are acquired directly from the published file server, without acquiring and processing the cumulative update data for program vulnerability repair from the program provider, which improves the efficiency of acquiring the update files and hence of the repair. Finally, since the cumulative update package is large, acquiring from the file server only the update files that correspond to the patch to be installed and do not exist on the local system saves data traffic compared with the prior art of acquiring cumulative update data containing the large and complete update information, and further improves repair efficiency.
The foregoing is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be understood more clearly, and that the above and other objects, features and advantages may be more readily apparent, embodiments of the present invention are described below.
The above and other objects, advantages and features of the present invention will become more apparent to those skilled in the art from the following detailed description of specific embodiments thereof, taken in conjunction with the accompanying drawings.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a flow chart of a vulnerability repair method according to an embodiment of the invention;
FIG. 2 is a schematic diagram illustrating the scanning flow of a client;
FIG. 3 is a schematic diagram illustrating the installation flow of a client;
FIG. 4 is a schematic structural diagram of a vulnerability repair system according to an embodiment of the invention; and
FIG. 5 is a schematic structural diagram of a vulnerability repair device according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
In order to solve the above technical problem, an embodiment of the present invention provides a vulnerability repair method that may be applied to a client on a user terminal. FIG. 1 shows a flowchart of the vulnerability repair method according to an embodiment of the present invention. As shown in FIG. 1, the method may include at least the following steps S102 to S106.
Step S102: load a scanning library that matches the local system platform and contains one or more update patches.
Step S104: scan the local system for vulnerabilities with the loaded scanning library according to the scanning rule to obtain a patch to be installed, and determine the identifiers of a plurality of update files that correspond to the patch to be installed and do not exist on the local system.
Step S106: acquire the plurality of update files from the file server by using their identifiers, and repair the local vulnerability by using those update files.
For step S102, loading the scanning library that matches the local system platform and contains one or more update patches, the embodiment of the present invention provides an optional scheme: the scanning library of the local system and a scanning library that is issued by the external data publishing server through the designated channel, matches the local system platform, and contains one or more update patches are acquired, and the acquired scanning library is then loaded.
Further, the data publishing server may, at a specified period, synchronously acquire from the program provider the cumulative update data used to repair program vulnerabilities; extract from the cumulative update data a full-platform scanning library containing one or more update patches, and split the full-platform scanning library by system platform to obtain the scanning library of each platform; and publish the update files in the cumulative update data to the file server and the per-platform scanning libraries through the specified channel. When synchronizing the cumulative update data, the data publishing server may, at the specified period, synchronously acquire from the program provider the description information of that cumulative update data, which includes the download address of the cumulative update data, and then download the cumulative update data from that address.
In step S104, the loaded scanning library is used to scan the local system for vulnerabilities according to the scanning rule, to obtain the patch to be installed.
In an optional embodiment, all patches in the loaded scanning library are enumerated to obtain an update list; the update list is then traversed to judge whether each patch is already installed on the local system. If not, the patch is added to the scanning result set; if so, the next patch is selected from the update list and judged in the same way, and so on.
In an optional embodiment, before traversing the update list to judge whether each patch is installed on the local system, it may also be judged whether the parent dependency of each patch has passed detection. If it has, the patch is checked for installation on the local system; if not, the next patch is selected from the update list and its parent dependency is judged in turn, and so on.
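The enumerate-and-traverse scan described in the two paragraphs above, as an added Python model that is not part of the patent or of any Qihoo code. The patch identifiers, platforms and file identifiers are constructed, and the parent-dependency semantics are an assumption: a parent dependency is treated as having passed detection when the parent is already installed or was itself selected earlier in the traversal.

```python
"""Scan-phase model: load the per-platform scanning library, enumerate its
patches and build the scanning result set of patches missing locally.
Constructed example, not the patent's or any vendor's code."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Patch:
    """One entry of a scanning library (all identifiers are constructed)."""
    patch_id: str
    platform: str
    parent: Optional[str] = None        # parent dependency, if any
    file_ids: Tuple[str, ...] = ()      # update files recorded for the patch


def load_platform_library(full_library: List[Patch], platform: str) -> List[Patch]:
    """Split the full-platform library and keep only the entries for the local platform."""
    return [p for p in full_library if p.platform == platform]


def scan(library: List[Patch], installed: Set[str],
         check_parent: bool = True) -> List[Patch]:
    """Traverse the update list and return the scanning result set, in order.

    A patch enters the result set when it is not installed on the local system.
    With check_parent enabled, a patch whose parent dependency is neither
    installed nor already selected is skipped (assumed reading of the
    'parent dependency passed detection' condition); the traversal then
    continues with the next patch, as the text describes."""
    result: List[Patch] = []
    selected: Set[str] = set()
    for patch in library:                     # enumerate all loaded patches
        if check_parent and patch.parent is not None:
            if patch.parent not in installed and patch.parent not in selected:
                continue                      # dependency not satisfied: next patch
        if patch.patch_id in installed:
            continue                          # already present: next patch
        result.append(patch)
        selected.add(patch.patch_id)
    return result


def candidate_file_ids(selected: List[Patch]) -> List[str]:
    """Collect, in order and without duplicates, the update-file identifiers the
    scanning library records for the selected patches; these are the candidate
    files later checked against the local system to build the delta file list."""
    seen: Set[str] = set()
    out: List[str] = []
    for patch in selected:
        for file_id in patch.file_ids:
            if file_id not in seen:
                seen.add(file_id)
                out.append(file_id)
    return out


FULL_LIBRARY = [  # constructed sample library covering two platforms
    Patch("KB-A", "x64", None, ("f1", "f2")),
    Patch("KB-B", "x64", "KB-A", ("f3",)),
    Patch("KB-C", "x64", "KB-Z", ("f4",)),    # parent KB-Z is unknown locally
    Patch("KB-D", "x86", None, ("f5",)),
]

if __name__ == "__main__":
    lib = load_platform_library(FULL_LIBRARY, "x64")
    to_install = scan(lib, installed={"KB-A"})
    print([p.patch_id for p in to_install], candidate_file_ids(to_install))
```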
In an optional embodiment of the present invention, the file server may include a plurality of CDN (Content Delivery Network) nodes and a KV server. Each CDN node is adapted to synchronize the update files corresponding to each patch, and the KV server is adapted to acquire the identifier of each update file and the address information of the CDN node where it is located, and to establish an index containing the identifier and address information of the update file. The index may be in key-value form: the identifier is the key and the address information is the value. In an optional embodiment, the index may further include index information such as the summary information, size, release time and check information of the update file, which may also be stored as values.
In an optional embodiment, for each CDN node to synchronize the update files, the data publishing server may upload the update files to the CDN distribution server, which synchronizes them to each CDN node.
In an optional embodiment of the present invention, the acquired scanning library records the identifiers of the update files corresponding to each patch. For determining, in step S104, the identifiers of the plurality of update files that correspond to the patch to be installed and do not exist on the local system, an optional scheme is provided: the identifiers of the candidate update files corresponding to the patch to be installed are determined from the identifiers of the update files recorded in the scanning library for each patch; whether each candidate update file exists on the local system is judged from its identifier; if not, the identifier of the candidate update file is written into a delta file list, and the identifiers of the files in the delta file list are taken as the identifiers of the plurality of update files; if so, the candidate update file on the local system is copied to the temporary installation directory. The candidate update files may be all the update files corresponding to the patch to be installed, and the plurality of update files are then the delta update files.
In an optional embodiment of the present invention, each CDN node further synchronizes an update package corresponding to each patch, where the update package includes the identifiers of multiple update files, and the KV server further establishes an index of the identifier and address information of the update package. The scanning library then records the identifier of the update package corresponding to each patch, and the identifiers of the update files that correspond to the patch to be installed and do not exist on the local system are determined in step S104 as follows: the identifier of the target update package corresponding to the patch to be installed is determined from the identifiers of the update packages recorded in the scanning library for each patch; the address information of the target update package is acquired from the KV server by using that identifier; the target update package is downloaded from the corresponding CDN node by using its address information; and the target update package is then decompressed to determine the identifiers of the plurality of update files.
For that decompression the embodiment of the present invention provides an optional scheme: the target update package is decompressed to obtain the identifiers of the candidate update files; whether each candidate update file already exists on the local system is judged from its identifier; if not, the identifier of the candidate update file is written into a delta file list, and the identifiers of the files in the delta file list are taken as the identifiers of the plurality of update files; if so, the candidate update file on the local system is copied to the temporary installation directory.
After the identifiers of the plurality of update files have been determined in step S104, step S106 acquires those update files from the file server by using the identifiers: specifically, the address information of the plurality of update files is acquired from the KV server by using their identifiers, and the update files are then downloaded from the corresponding CDN nodes by using that address information. The downloaded update files are copied to the temporary installation directory, and the files in the temporary installation directory are installed to repair the local vulnerability. That is, the plurality of update files are merged with the files already existing on the local system, and the local vulnerability is then repaired.
In an optional embodiment, in order to ensure the validity of the plurality of update files, they may be verified: specifically, index information of the update files that includes their verification information is acquired from the KV server by using the identifiers of the update files, the downloaded update files are verified against that verification information, and only after the verification passes are they copied to the temporary installation directory.
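The delta determination, KV-index lookup, CDN download and verification of steps S104 to S106 described above, as an added Python model that is not the patent's or any vendor's code. The KV entry layout (address, size, sha256 as the verification information), the in-memory dict standing in for the CDN nodes, and all file names and contents are constructed for the example; the point it shows is that a file whose size matches but whose digest does not is never staged.

```python
"""Delta-download phase: decide which candidate update files are missing
locally, fetch them through the KV index / CDN, verify them, and stage them in
a temporary installation directory. Constructed example, not the patent's code."""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def build_delta_list(candidate_ids: List[str], local_dir: Path, temp_dir: Path) -> List[str]:
    """Candidate files already present on the local system are copied into
    temp_dir; the remaining identifiers form the delta file list to download."""
    delta: List[str] = []
    temp_dir.mkdir(parents=True, exist_ok=True)
    for file_id in candidate_ids:
        local = local_dir / file_id
        if local.is_file():
            shutil.copy2(local, temp_dir / file_id)
        else:
            delta.append(file_id)
    return delta


def fetch_and_verify(delta: List[str], kv_index: Dict[str, dict],
                     cdn: Dict[str, bytes], temp_dir: Path) -> List[str]:
    """Look up each delta file in the KV index (key = file identifier, value =
    address, size, sha256), download it from the recorded CDN address (a dict
    stands in for the network here), and copy it into temp_dir only when both
    size and digest match the index. Returns the identifiers that failed."""
    failed: List[str] = []
    for file_id in delta:
        entry = kv_index.get(file_id)
        if entry is None:
            failed.append(file_id)            # unknown to the index: cannot verify
            continue
        data = cdn.get(entry["address"])
        if (data is None or len(data) != entry["size"]
                or hashlib.sha256(data).hexdigest() != entry["sha256"]):
            failed.append(file_id)            # missing, truncated or tampered: do not stage
            continue
        (temp_dir / file_id).write_bytes(data)
    return failed


def demo() -> dict:
    """Run the flow on constructed data in a scratch directory and report the
    delta list, the files that failed verification, and what was staged."""
    root = Path(tempfile.mkdtemp())
    local, temp = root / "system", root / "tmp_install"
    local.mkdir()
    (local / "f1.cab").write_bytes(b"already-on-system")   # candidate present locally
    good, bad = b"new-file-bytes", b"tampered-bytes"       # same length, different content
    digest = hashlib.sha256(good).hexdigest()
    kv_index = {  # constructed KV index: identifier -> address and verification info
        "f2.cab": {"address": "cdn-node-1/f2.cab", "size": len(good), "sha256": digest},
        "f3.cab": {"address": "cdn-node-2/f3.cab", "size": len(good), "sha256": digest},
    }
    cdn = {"cdn-node-1/f2.cab": good, "cdn-node-2/f3.cab": bad}  # node 2 serves bad bytes
    delta = build_delta_list(["f1.cab", "f2.cab", "f3.cab"], local, temp)
    failed = fetch_and_verify(delta, kv_index, cdn, temp)
    staged = sorted(p.name for p in temp.iterdir())
    shutil.rmtree(root)
    return {"delta": delta, "failed": failed, "staged": staged}


if __name__ == "__main__":
    print(demo())
```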
The above introduced several implementations of each link in the embodiment shown in fig. 1. A specific application example is now used to describe the vulnerability repair method provided by the embodiment of the present invention; the method can be applied to the client on each user terminal.
Taking Microsoft as an example of a program provider: as introduced above, in Windows 10 Microsoft introduced a new Windows Update distribution mechanism, i.e., instead of the earlier form of separately distributed independent installation packages, updates are shipped as one large cumulative update package per month. The embodiment of the invention provides each user terminal with only the update files it actually needs, thereby saving data traffic and improving the efficiency of vulnerability repair.
First, a standard WSUS (Windows Server Update Services) server is set up, comprising the standard WSUS service and a series of self-developed data publishing tools.
On the one hand, the WSUS service is responsible for periodically synchronizing the latest update database from the Microsoft cloud server. The update database contains the important description information, mainly the full-platform scan library, the Uniform Resource Locator (URL) of the quick experience package of every patch, the URL of the complete package of every patch, the URL of the updated PSF file, and so on.
On the other hand, the data publishing tool is responsible for downloading the cumulative update data (such as the full-platform scan library, the quick experience package of each patch, the complete package of each patch, the PSF file of each patch, and so on) to the WSUS server according to the description information in the update database. It then extracts the full-platform scan library containing one or more update patches from the cumulative update data and splits it by system platform to obtain the scan library of each platform. Next, the update files in the cumulative update data are published to the file server, and the scan library of each platform is published through the specified channel. Finally, important data is backed up. As the only source of operational data, a single WSUS server is sufficient, but for the same reason its security is critical.
Next, the file server synchronizes the update files published by the data publishing server. The file server is an abstract concept: it is not a single server or a few servers but a series of cooperating server clusters that serve as the destination of data publishing. It mainly comprises CDN nodes and KV servers. On the one hand, the CDN nodes distributed across the country are responsible for synchronizing the latest published update files in time and for responding to hundreds of millions of client file download requests. On the other hand, the KV server cluster is responsible for building the index of the update data in time and for responding to hundreds of millions of client index requests; specifically, the KV server obtains the identifier of each update file and the address information of each CDN node where that file is located, and builds an index of the update file containing the identifier and the address information.
After data publishing is complete, the data is put to use: the client requests data from the KV server and the CDN nodes and uses it to update the operating system or application program. This stage may be divided into a scanning stage and an installation stage.
1) Scanning phase
When scanning is triggered manually by the user or by a background timer, the client first updates the incremental scan library liblean2_diff.dat; after the request succeeds it loads the latest version of the target scan library, published through the specified channel and matching the local system platform, then scans for local vulnerabilities according to the rules in the target scan library to obtain a scan result set of patches not installed on the local system, and selects the patches to be installed from that set.
Fig. 2 shows a schematic diagram of the scanning flow of the client. As shown in fig. 2, the scanning flow may include the following steps S202 to S230.
Step S202, loading the target scan library that is published through the specified channel and matches the local system platform.
Step S204, enumerating all patches in the target scan library to obtain an update list.
Step S206, judging whether the update list has been fully traversed; if not, continuing with step S208; if yes, continuing with step S230.
Step S208, taking one patch from the update list.
Step S210, judging whether the parent dependency of the patch is satisfied; if not, returning to step S206; if yes, continuing with step S212.
Step S212, enumerating all sub-patches of the patch to obtain a sub-update list, and continuing with step S214.
Step S214, judging whether the sub-update list has been fully traversed; if not, continuing with step S216; if yes, continuing with step S226.
Step S216, taking one sub-patch from the sub-update list.
Step S218, judging whether the parent dependency of the sub-patch is satisfied; if not, returning to step S214; if yes, continuing with step S220.
Step S220, judging whether the sub-patch is already installed on the local system; if yes, returning to step S214; if not, continuing with step S222.
Step S222, judging whether the sub-patch is applicable; if not, returning to step S214; if yes, continuing with step S224.
Step S224, adding the sub-patch to the sub-patch scan result set.
Step S226, judging whether the sub-patch scan result set is empty; if yes, returning to step S206; if not, continuing with step S228.
Step S228, adding the current patch to the scan result set, and continuing with step S206.
Step S230, obtaining the scan result set.
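The traversal of steps S204 to S230 is small enough to write out in full. The following is an added illustration and is not the client's own code: the scan library is modelled as an in-memory list of patch records with parent dependencies, sub-patches and an applicability rule (the field names, the identifiers and the sample library are all constructed for the example; a real scan library is a binary rule file). Note that a parent patch only enters the result set when at least one of its sub-patches survives the dependency, installed-state and applicability checks, which is what makes a fully installed patch disappear from the result.

```python
"""Scan-library traversal as described by Fig. 2 (steps S204-S230).

Added example, not the client's own code.  The Patch structure, the
identifiers and demo_library() are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class Patch:
    """One entry in the scan library (field names are assumptions)."""
    patch_id: str
    parent_ids: List[str] = field(default_factory=list)    # parent dependencies
    children: List["Patch"] = field(default_factory=list)  # sub-patches
    applicable: Callable[[dict], bool] = lambda env: True  # applicability rule


def parent_dependency_ok(patch: Patch, installed: Set[str]) -> bool:
    """S210 / S218: every patch this one depends on must already be present."""
    return all(pid in installed for pid in patch.parent_ids)


def scan(library: List[Patch], installed: Set[str], env: dict) -> Dict[str, List[str]]:
    """Return {patch_id: [sub_patch_ids]} for patches still missing locally.

    `installed` holds the identifiers already on the system, `env` describes
    the local platform (here only the architecture is used).
    """
    result: Dict[str, List[str]] = {}
    for patch in library:                                   # S206 / S208
        if not parent_dependency_ok(patch, installed):      # S210
            continue
        sub_results: List[str] = []
        for sub in patch.children:                          # S212 - S216
            if not parent_dependency_ok(sub, installed):    # S218
                continue
            if sub.patch_id in installed:                   # S220
                continue
            if not sub.applicable(env):                     # S222
                continue
            sub_results.append(sub.patch_id)                # S224
        if sub_results:                                     # S226 / S228
            result[patch.patch_id] = sub_results
    return result                                           # S230


def demo_library() -> List[Patch]:
    """Constructed sample library with hypothetical patch identifiers."""
    kb_a = Patch("KB-A", children=[
        Patch("KB-A.x64", applicable=lambda e: e["arch"] == "x64"),
        Patch("KB-A.x86", applicable=lambda e: e["arch"] == "x86"),
    ])
    kb_b = Patch("KB-B", parent_ids=["KB-A"], children=[Patch("KB-B.x64")])
    kb_c = Patch("KB-C", children=[Patch("KB-C.x64")])
    return [kb_a, kb_b, kb_c]


if __name__ == "__main__":
    # KB-C is already installed, KB-B is blocked by its missing parent KB-A,
    # so only KB-A (with its x64 sub-patch) is reported on an x64 system.
    print(scan(demo_library(), installed={"KB-C.x64"}, env={"arch": "x64"}))
```

Running the block on the sample library reports only KB-A: KB-C is already installed, and KB-B is skipped at S210 because its parent KB-A is absent. Once KB-A is installed, a second scan surfaces KB-B, which is the behaviour the parent-dependency check is there to produce.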
2) Stage of installation
After scanning is complete, the user may select the patch to be installed from the scan result set, after which the installation process starts. First, the key of the quick experience package (i.e., the update package corresponding to the patch to be installed) is computed according to the target scan library, and the key is used to request the index information of the quick experience package (such as its download URL and verification information) from the KV server. When the KV server returns the index information, the download URL of the quick experience package is extracted from it, the URL is used to request the quick experience package from the CDN node, and when the CDN node returns the package it is verified using the verification information, such as the digest, in the index information. After the quick experience package passes verification, it is used to compute the keys of the required delta update files, the keys are used to request the delta index information from the KV server, and after the KV server returns the delta index information, the download URL of each delta update file is extracted from it. The URL is then used to request the delta update file from the CDN node, and after the CDN node returns the delta update file it is verified using the verification information, such as the digest, in the index information. After all delta update files pass verification, a complete package is generated by combining the local files with the delta update files, and finally the specified interface is called to install the synthesized complete package.
Fig. 3 is a schematic diagram illustrating an installation process of a client, and as shown in fig. 3, the installation process of the client may include the following steps S302 to S330.
Step S302, downloading the quick experience package.
Step S304, decompressing the quick experience package to a temporary installation directory.
In this step, the temporary installation directory may be default or custom.
Step S306, enumerating all files ending with psf.cix.xml to obtain an xml file set.
Step S308, judging whether the xml file set has been fully traversed; if not, continuing with step S310; if yes, continuing with step S324.
Step S310, taking one xml file from the set.
Step S312, enumerating all Files/File nodes in the xml file to obtain a file set.
Step S314, judging whether the file set has been fully traversed; if yes, returning to step S308; if not, continuing with step S316.
Step S316, taking one file from the set.
Step S318, judging whether the file already exists in the winsxs history (the Windows component store); if yes, executing step S320; if not, executing step S322.
Step S320, copying the file to the temporary installation directory, and returning to step S314.
Step S322, writing the relative path of the file into the delta file list, and returning to step S314.
Step S324, judging whether the delta file list is empty; if yes, continuing with step S326; if not, continuing with step S328.
Step S326, starting installation of the files in the temporary installation directory through the specified interface.
Step S328, using the delta file list to request the delta file package from the CDN node, and continuing with step S330.
Step S330, after the delta file package has been downloaded successfully, decompressing it into the temporary installation directory, and continuing with step S326.
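Steps S306 to S330 amount to a set difference between the files the package index lists and the files the local component store already holds, followed by a merge of the downloaded remainder into the temporary installation directory. The block below is an added example, not the client's code: the psf.cix.xml content, its `name` attribute, the winsxs contents and the delta package are all constructed for illustration (the real index format is not reproduced), and the local store and temporary directory are modelled as dictionaries so that the example runs without touching the file system. Two checks a practitioner would add are included: every relative path taken from the index is rejected if it could escape the temporary installation directory, and the delta package is rejected if it does not contain exactly the files that were requested.

```python
"""Delta-file-list construction and merge as described by Fig. 3 (S306-S330).

Added example, not the client's own code.  SAMPLE_CIX_XML, the `name`
attribute and all paths are constructed; winsxs and the temporary directory
are plain dicts mapping relative path -> file bytes.
"""
import posixpath
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Tuple

# Constructed sample index, standing in for one psf.cix.xml from the package.
SAMPLE_CIX_XML = """<?xml version="1.0"?>
<Container name="sample.cab">
  <Files>
    <File name="amd64_example-dll_1.0/example.dll"/>
    <File name="amd64_example-dll_1.0/example.dll.mui"/>
    <File name="x86_example-exe_1.0/example.exe"/>
  </Files>
</Container>
"""


def safe_relative(path: str) -> bool:
    """Reject paths that could escape the temporary installation directory."""
    norm = posixpath.normpath(path.replace("\\", "/"))
    return not (norm.startswith("/") or norm == ".." or norm.startswith("../") or ":" in norm)


def files_in_index(xml_text: str) -> List[str]:
    """S312: enumerate all Files/File nodes and return their relative paths."""
    root = ET.fromstring(xml_text)
    return [node.get("name") for node in root.iterfind("./Files/File") if node.get("name")]


def build_delta_list(index_xmls: Iterable[str], winsxs: Dict[str, bytes],
                     temp_dir: Dict[str, bytes]) -> List[str]:
    """S308-S322: copy files present in the winsxs history into temp_dir and
    record every other file in the delta file list."""
    delta: List[str] = []
    for xml_text in index_xmls:                        # S308 / S310
        for rel in files_in_index(xml_text):           # S314 / S316
            if not safe_relative(rel):
                raise ValueError(f"unsafe path in index: {rel!r}")
            if rel in winsxs:                          # S318
                temp_dir[rel] = winsxs[rel]            # S320
            else:
                delta.append(rel)                      # S322
    return delta


def merge_delta_package(temp_dir: Dict[str, bytes], delta: List[str],
                        package: Dict[str, bytes]) -> None:
    """S330: unpack the delta package into temp_dir, accepting only the files
    that were asked for; a missing or extra entry aborts the installation."""
    wanted, got = set(delta), set(package)
    if got != wanted:
        raise ValueError(f"delta package mismatch: missing={sorted(wanted - got)} "
                         f"extra={sorted(got - wanted)}")
    for rel, data in package.items():
        temp_dir[rel] = data


def stage_install(index_xmls: Iterable[str], winsxs: Dict[str, bytes],
                  package: Dict[str, bytes]) -> Tuple[Dict[str, bytes], List[str]]:
    """Whole flow: returns the staged temporary directory and the delta list.
    An empty delta list means no download was needed (S324 -> S326)."""
    temp_dir: Dict[str, bytes] = {}
    delta = build_delta_list(index_xmls, winsxs, temp_dir)
    if delta:                                          # S324 / S328
        merge_delta_package(temp_dir, delta, package)  # S330
    return temp_dir, delta


if __name__ == "__main__":
    local_store = {"amd64_example-dll_1.0/example.dll": b"existing-dll-bytes"}
    staged, needed = stage_install([SAMPLE_CIX_XML], local_store, {
        "amd64_example-dll_1.0/example.dll.mui": b"mui-bytes",
        "x86_example-exe_1.0/example.exe": b"exe-bytes",
    })
    print("delta list:", needed)
    print("staged files:", sorted(staged))
```

With one of the three indexed files already in the local store, the delta list contains the other two, and after the delta package is merged the temporary directory holds all three. The exact-match check in `merge_delta_package` is deliberately strict: a package that brings extra files would otherwise place content the scan never asked for into the directory that is handed to the installation interface.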
It should be noted that Microsoft as the program provider listed here is only an exemplary scenario and does not limit the present invention; the embodiments of the present invention can be applied to any scenario that requires vulnerability repair of a program (such as an operating system, an application program, and the like).
The core idea of the vulnerability repair scheme provided by the embodiment of the invention is "dispersed publishing of cumulative update data": the current system environment of the user terminal is scanned using the scan library of its platform, the binary deltas (fragment files) of all files to be updated are computed, the required fragment files are downloaded from the server to the local machine, and finally the fragment files and the local files are combined into the required complete package, which is installed to repair the vulnerabilities present on the user terminal. This differential update and publishing mechanism can reduce download traffic by more than 80 percent and fundamentally resolves the problems of the existing implementation.
Fig. 4 is a schematic structural diagram of a vulnerability repair system according to an embodiment of the present invention. As shown in fig. 4, the vulnerability repair system 400 (the numeral 400 itself is not shown in fig. 4) may include: WSUS server 410, CDN node 421, KV server 422 and client 430.
The workflow of the vulnerability repair system 400 may be divided into a data publishing stage and a client update stage, which are described in detail below.
The data publishing stage is introduced first. In the data publishing stage, i.e., when Microsoft releases update data, the vulnerability repair system synchronizes and processes the new data in time and then publishes it to the users of the whole network in its own form. This is a "push" process. The data publishing stage can be divided into synchronizing update data, processing update data, publishing update data and data backup.
(1) Synchronizing update data
In order to obtain Microsoft's cumulative update data in time, a standard WSUS server 410 needs to be set up. The WSUS server 410 regularly (for example, every 30 minutes) synchronizes from the Microsoft cloud server the description information of the cumulative update data used to repair system program vulnerabilities. The cumulative update data comprises the full-platform scan library, the quick experience package of each patch, the complete package of each patch, the PSF file of each patch and the like, and the description information comprises the download addresses of the cumulative update data.
(2) Processing update data
The WSUS server 410 downloads the cumulative update data according to the download addresses in the description information. It then extracts the full-platform scan library containing one or more update patches from the cumulative update data and splits it by system platform to obtain the scan library of each platform.
When splitting the full-platform scan library, a WsusUtil command can be called to extract the full-platform scan library containing one or more update patches from the cumulative update data; an UpdateMake command is then called to derive the update list of patches for each platform from the full-platform scan library according to the identifier of each system platform; and a WsusScan command is then called to generate the scan library of each platform from the full-platform scan library and the update list. The identifier of each system platform may be, for example, win7, win8.1, win10, office and so on; the invention is not limited thereto.
(3) Publishing update data
Once the data is ready, publishing can begin. The WSUS server 410 publishes the update files in the cumulative update data to the CDN nodes 421. The keys and index information of these update files (such as digest information, size, and the URL at which the CDN serves the file for download by client 430) are then computed and pushed to the KV server 422 cluster to build the index. The PE files in the new update files are then added to the whitelist. Finally, the scan library of each platform is published through the specified channel.
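The index built at publish time and the verification performed by the client after download (the optional embodiment above that verifies update files against the verification information in the index, and the digest checks in the installation stage) are two halves of one contract, so both are shown together here. This is an added example, not the publishing tool's or the client's code: the key derivation (SHA-256 of the file's relative path), the index layout, the CDN URL prefix and the sample files are all assumptions made for illustration. The client-side check compares size before the digest so that an oversized response is rejected cheaply, and uses a constant-time comparison for the digest itself.

```python
"""Index construction at publish time and the client's download verification.

Added example, not the system's own code.  file_key(), the index layout and
CDN_PREFIX are assumed; the sample files in the test are constructed.
"""
import hashlib
import hmac
from typing import Dict, Iterable

CDN_PREFIX = "https://cdn.example.invalid/update/"   # assumed URL layout


def file_key(relative_path: str) -> str:
    """Assumed key scheme: the KV key is the SHA-256 of the relative path."""
    return hashlib.sha256(relative_path.encode("utf-8")).hexdigest()


def build_index(files: Dict[str, bytes], release_time: int) -> Dict[str, dict]:
    """Publish side: compute key and index information for every update file.

    The entry carries the digest (verification information), size, release
    time and the CDN URL, i.e. the index fields the description lists.
    """
    index: Dict[str, dict] = {}
    for rel, data in files.items():
        index[file_key(rel)] = {
            "path": rel,
            "sha256": hashlib.sha256(data).hexdigest(),
            "size": len(data),
            "release_time": release_time,
            "url": CDN_PREFIX + rel,
        }
    return index


def verify_download(entry: dict, data: bytes) -> bool:
    """Client side: size first (cheap), then a constant-time digest compare."""
    if len(data) != entry["size"]:
        return False
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), entry["sha256"])


def fetch_and_verify(keys: Iterable[str], kv_index: Dict[str, dict],
                     cdn: Dict[str, bytes]) -> Dict[str, bytes]:
    """Client side: look up each key in the KV index, fetch the bytes from the
    URL in the entry (here a dict standing in for the CDN), and keep them only
    if they verify.  Any failure aborts the whole batch."""
    verified: Dict[str, bytes] = {}
    for key in keys:
        entry = kv_index.get(key)
        if entry is None:
            raise KeyError(f"no index entry for key {key}")
        data = cdn.get(entry["url"])
        if data is None:
            raise ValueError(f"CDN has no content at {entry['url']}")
        if not verify_download(entry, data):
            raise ValueError(f"verification failed for {entry['path']}")
        verified[entry["path"]] = data
    return verified


if __name__ == "__main__":
    published = {"amd64_sample/sample.dll": b"sample-dll-bytes"}   # constructed
    index = build_index(published, release_time=1700000000)
    cdn_contents = {CDN_PREFIX + p: d for p, d in published.items()}
    print(fetch_and_verify([file_key("amd64_sample/sample.dll")], index, cdn_contents))
```

The digest in the index binds each download to what the publishing tool saw, so a CDN node that serves altered or stale bytes is caught at the client. It does not, on its own, authenticate the index: the client has to obtain the index over a channel it trusts, and the WSUS server that produces both the files and their digests remains the root of trust for the whole chain, which is why its security matters as much as the description says.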
(4) Data backup phase
After publishing is complete, important data needs to be backed up, mainly the computed index information and the scan library of each platform, and a remote backup strategy should be adopted so that the backups are kept on other servers.
Second, the client update stage. After data publishing is complete, the data is put to use: the client requests data from the KV server and the CDN nodes and applies it to update the operating system or application program. This stage may be divided into a scanning stage and an installation stage, which are described above and are not repeated here.
It should be noted that, in practice, all of the optional embodiments above may be combined arbitrarily to form further optional embodiments of the present invention; details are not repeated here.
Based on the vulnerability repair method provided by the embodiments above, the embodiment of the invention also provides a vulnerability repair device based on the same inventive concept.
Fig. 5 is a schematic structural diagram of a vulnerability repair device according to an embodiment of the present invention. As shown in fig. 5, the device may include at least a loading module 510, a determining module 520 and a vulnerability repair module 530.
The functions of the components of the vulnerability repair device and the connections between them are now introduced:
a loading module 510 adapted to load a scan library matching the local system platform containing one or more update patches;
a determining module 520, coupled to the loading module 510, adapted to scan a local vulnerability according to a scanning rule by using the loaded scanning library to obtain a patch to be installed, and determine identifiers of a plurality of update files that correspond to the patch to be installed and do not exist in the local system;
the vulnerability fixing module 530, coupled to the determining module 520, is adapted to obtain the plurality of update files from the file server by using the identifiers of the plurality of update files, and then fix the local vulnerability by using the plurality of update files.
In an embodiment of the present invention, the loading module 510 is further adapted to:
acquiring the scan library of the local system and the scan library that is published by an external data publishing server through the specified channel, matches the local system platform and contains one or more update patches;
and loading the acquired scanning library.
In an embodiment of the present invention, the file server includes a plurality of content delivery network CDN nodes and a KV server, and each CDN node synchronizes an update file corresponding to each patch; and the KV server establishes an index of the identification and address information of the updated file.
In an embodiment of the present invention, the determining module 520 is further adapted to:
determining the identifier of the candidate update file corresponding to the patch to be installed according to the identifier of the update file corresponding to each patch recorded in the scan library;
judging, according to the identifier of the candidate update file, whether the candidate update file exists on the local system;
if not, writing the identifier of the candidate update file into a delta file list, and taking the identifiers of the files in the delta file list as the identifiers of the plurality of update files;
if yes, copying the candidate update file on the local system to the temporary installation directory.
In an embodiment of the present invention, each CDN node further synchronizes an update package corresponding to each patch, where the update package includes identifiers of multiple update files, and the KV server further establishes an identifier of the update package and an index of address information.
In an embodiment of the present invention, the determining module 520 is further adapted to:
determining the identification of a target update package corresponding to the patch to be installed according to the identification of the update package corresponding to each patch recorded in the scanning library;
acquiring address information of the target update package from the KV server by using the identifier of the target update package;
downloading the target update package from a corresponding CDN node by using the address information of the target update package;
decompressing the target update package to determine the identifiers of the plurality of update files.
In an embodiment of the present invention, the determining module 520 is further adapted to:
decompressing the target update package to obtain the identifier of the candidate update file;
judging, according to the identifier of the candidate update file, whether the candidate update file exists on the local system;
if not, writing the identifier of the candidate update file into a delta file list, and taking the identifiers of the files in the delta file list as the identifiers of the plurality of update files;
if yes, copying the candidate update file on the local system to the temporary installation directory.
In an embodiment of the present invention, the vulnerability repair module 530 is further adapted to:
acquiring address information of the plurality of update files from the KV server by using the identifiers of the plurality of update files;
and downloading the plurality of update files from corresponding CDN nodes by utilizing the address information of the plurality of update files.
In an embodiment of the present invention, the vulnerability repair module 530 is further adapted to:
copying the plurality of downloaded update files to the temporary installation directory;
and installing the files in the temporary installation directory to repair the local vulnerability.
In an embodiment of the present invention, the index further includes index information of at least one of the following:
digest information, size, release time and verification information of the update file.
In an embodiment of the present invention, the vulnerability repair module 530 is further adapted to:
acquiring index information of the plurality of update files, which contains verification information of the update files, from the KV server by using the identifiers of the plurality of update files;
and verifying the plurality of downloaded update files by using the verification information, and copying the plurality of update files to the temporary installation directory after the verification is passed.
In an embodiment of the present invention, the determining module 520 is further adapted to:
scanning the local vulnerability by using the loaded scanning library according to the scanning rule to obtain a scanning result set of the patch which is not installed on the local system;
and selecting patches to be installed from the scanning result set.
In an embodiment of the present invention, the determining module 520 is further adapted to:
enumerating all patches in the loaded scan library to obtain an update list;
and traversing the update list, judging whether each patch is installed on a local system, and if not, adding the patch to the scanning result set.
According to any one or a combination of several of the optional embodiments above, the embodiment of the present invention can achieve the following advantages:
In the embodiment of the invention, a scan library that matches the local system platform and contains one or more update patches is loaded; the loaded scan library is then used to scan for local vulnerabilities according to the scanning rules to obtain the patch to be installed, and the identifiers of a plurality of update files that correspond to the patch to be installed and do not exist on the local system are determined; the plurality of update files are then obtained from the file server using those identifiers, and the local vulnerability is repaired using them. Because the scan library matching the system platform is loaded directly when vulnerability repair is performed, scanning efficiency and the effectiveness of vulnerability repair are improved. In addition, the embodiment of the invention obtains the update files directly from the file server to which they were published, without obtaining and processing the cumulative update data for repairing program vulnerabilities from the program provider, which improves the efficiency of obtaining update files and hence of vulnerability repair. Finally, because a cumulative update package is large, obtaining from the file server only the update files that correspond to the patch to be installed and do not exist on the local system saves data traffic compared with the prior art of obtaining the full cumulative update data, and further improves the efficiency of vulnerability repair.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. It will be appreciated by those skilled in the art that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functionality of some or all of the components in a bug fix arrangement according to embodiments of the invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any ordering; these words may be interpreted as names.
Thus, it should be appreciated by those skilled in the art that while a number of exemplary embodiments of the invention have been illustrated and described in detail herein, many other variations or modifications consistent with the principles of the invention may be directly determined or derived from the disclosure of the present invention without departing from the spirit and scope of the invention. Accordingly, the scope of the invention should be understood and interpreted to cover all such other variations or modifications.
According to an aspect of the present invention, A1, a vulnerability repair method is provided, including:
loading a scanning library matched with a local system platform and containing one or more updating patches;
scanning the local vulnerability by using the loaded scanning library according to the scanning rule to obtain a patch to be installed, and determining the identifiers of a plurality of update files which correspond to the patch to be installed and do not exist in the local system;
and acquiring the plurality of update files from a file server by using the identifiers of the plurality of update files, and repairing the local vulnerability by using the plurality of update files.
A2, the method of A1, wherein loading a scan library containing one or more update patches matching a local system platform, comprises:
acquiring a scanning library of a local system and a scanning library which is issued by an external data issuing server through a designated channel and is matched with a local system platform and contains one or more update patches;
and loading the acquired scanning library.
A3, the method according to A1 or A2, wherein the file server includes a plurality of CDN nodes and KV servers, each CDN node synchronizes an update file corresponding to each patch; and the KV server establishes an index of the identification and address information of the updated file.
A4, the method according to A3, wherein the identifier of the update file corresponding to each patch is recorded in the scan library, and determining the identifiers of the plurality of update files that correspond to the patch to be installed and do not exist on the local system includes:
determining the identifier of the candidate update file corresponding to the patch to be installed according to the identifier of the update file corresponding to each patch recorded in the scan library;
judging, according to the identifier of the candidate update file, whether the candidate update file exists on the local system;
if not, writing the identifier of the candidate update file into a delta file list, and taking the identifiers of the files in the delta file list as the identifiers of the plurality of update files;
if yes, copying the candidate update file on the local system to the temporary installation directory.
A5, the method according to A3, wherein each CDN node further synchronizes an update package corresponding to each patch, the update package includes the identifiers of a plurality of update files, and the KV server further establishes an index of the identifier and address information of the update package.
A6, the method according to A5, wherein the identifier of the update package corresponding to each patch is recorded in the scan library, and determining the identifiers of the plurality of update files that correspond to the patch to be installed and do not exist on the local system includes:
determining the identification of a target update package corresponding to the patch to be installed according to the identification of the update package corresponding to each patch recorded in the scanning library;
acquiring address information of the target update package from the KV server by using the identifier of the target update package;
downloading the target update package from a corresponding CDN node by using the address information of the target update package;
decompressing the target update package to determine the identifiers of the plurality of update files.
A7, the method according to A6, wherein decompressing the target update package to determine the identifiers of the plurality of update files includes:
decompressing the target update package to obtain the identifier of the candidate update file;
judging, according to the identifier of the candidate update file, whether the candidate update file exists on the local system;
if not, writing the identifier of the candidate update file into a delta file list, and taking the identifiers of the files in the delta file list as the identifiers of the plurality of update files;
if yes, copying the candidate update file on the local system to the temporary installation directory.
A8, the method of any one of A3-A7, wherein the obtaining the plurality of update files from the file server with the identification of the plurality of update files comprises:
acquiring address information of the plurality of update files from the KV server by using the identifiers of the plurality of update files;
and downloading the plurality of update files from corresponding CDN nodes by utilizing the address information of the plurality of update files.
A9, the method according to A8, wherein the repairing the local vulnerability using the plurality of update files includes:
copying the plurality of downloaded update files to the temporary installation directory;
and installing the files in the temporary installation directory to repair the local loophole.
A10, the method according to A9, wherein the index further includes index information of at least one of the following:
and updating summary information, size, release time and verification information of the file.
A11, the method of A10, wherein copying the downloaded plurality of update files to the temporary installation directory includes:
acquiring index information of the plurality of update files, which contains verification information of the update files, from the KV server by using the identifiers of the plurality of update files;
and verifying the plurality of downloaded update files by using the verification information, and copying the plurality of update files to the temporary installation directory after the verification is passed.
A12, the method according to any one of A1-A11, wherein the step of scanning the local vulnerability according to the scanning rule by using the loaded scanning library to obtain the patch to be installed includes:
scanning the local vulnerability by using the loaded scanning library according to the scanning rule to obtain a scanning result set of the patch which is not installed on the local system;
and selecting patches to be installed from the scanning result set.
A13, the method according to A12, wherein the scanning of the local vulnerability is performed according to the scanning rule by using the loaded scanning library, and a scanning result set of the patch which is not installed on the local system is obtained, the method includes:
enumerating all the loaded patches in the scanning library to obtain an updated list;
and traversing the update list, judging whether each patch is installed on a local system, and if not, adding the patch to the scanning result set.
According to another aspect of the present invention, there is also provided B14, a vulnerability repair apparatus, comprising:
a loading module adapted to load a scan library that matches the local system platform and contains one or more update patches;
a determining module adapted to scan for local vulnerabilities with the loaded scan library according to the scanning rule to obtain a patch to be installed, and to determine the identifiers of a plurality of update files that correspond to the patch to be installed and do not exist on the local system;
a vulnerability repair module adapted to obtain the plurality of update files from the file server using the identifiers of the plurality of update files, and to repair the local vulnerability using the plurality of update files.
B15. The apparatus of B14, wherein the loading module is further adapted to:
obtain the scan library of the local system and the scan library, issued by an external data issuing server through a designated channel, that matches the local system platform and contains one or more update patches;
load the obtained scan library.
B16. The apparatus of B14 or B15, wherein the file server comprises a plurality of CDN nodes and a KV server; each CDN node synchronizes the update file corresponding to each patch, and the KV server establishes an index from the identifier of each update file to its address information.
B17. The apparatus of B16, wherein the determining module is further adapted to:
determine the identifiers of the candidate update files corresponding to the patch to be installed from the identifiers of the update files corresponding to each patch recorded in the scan library;
determine, from the identifier of each candidate update file, whether that candidate update file exists on the local system;
if not, write the identifier of the candidate update file into a delta file list, taking the identifiers of the files in the delta file list as the identifiers of the plurality of update files;
if so, copy the candidate update file on the local system to the temporary installation directory.
B18. The apparatus of B16, wherein each CDN node further synchronizes an update package corresponding to each patch, the update package contains the identifiers of a plurality of update files, and the KV server further establishes an index from the identifier of each update package to its address information.
B19. The apparatus of B18, wherein the determining module is further adapted to:
determine the identifier of the target update package corresponding to the patch to be installed from the identifiers of the update packages corresponding to each patch recorded in the scan library;
obtain the address information of the target update package from the KV server using the identifier of the target update package;
download the target update package from the corresponding CDN node using that address information;
decompress the target update package to determine the identifiers of the plurality of update files.
B20. The apparatus of B19, wherein the determining module is further adapted to:
decompress the target update package to obtain the identifiers of the candidate update files;
determine, from the identifier of each candidate update file, whether that candidate update file exists on the local system;
if not, write the identifier of the candidate update file into a delta file list, taking the identifiers of the files in the delta file list as the identifiers of the plurality of update files;
if so, copy the candidate update file on the local system to the temporary installation directory.
B21. The apparatus of any one of B16 to B20, wherein the vulnerability repair module is further adapted to:
obtain the address information of the plurality of update files from the KV server using their identifiers;
download the plurality of update files from the corresponding CDN nodes using that address information.
B22. The apparatus of B21, wherein the vulnerability repair module is further adapted to:
copy the plurality of downloaded update files to the temporary installation directory;
install the files in the temporary installation directory to repair the local vulnerability.
B23. The apparatus of B22, wherein the index further includes at least one of the following items of index information about each update file:
summary information, size, release time, and verification information.
B24. The apparatus of B23, wherein the vulnerability repair module is further adapted to:
obtain from the KV server, using the identifiers of the plurality of update files, index information that includes the verification information of those update files;
verify the plurality of downloaded update files using the verification information, and copy them to the temporary installation directory only after verification passes.
B25. The apparatus of any one of B14 to B24, wherein the determining module is further adapted to:
scan for local vulnerabilities with the loaded scan library according to the scanning rule to obtain a scan result set of patches not installed on the local system;
select the patch to be installed from the scan result set.
B26. The apparatus of B25, wherein the determining module is further adapted to:
enumerate all patches in the loaded scan library to obtain an update list;
traverse the update list, determine whether each patch is installed on the local system, and add each patch that is not to the scan result set.

Claims (22)

1. A vulnerability repair method, comprising:
loading a scan library that matches the local system platform and contains one or more update patches, the scan library being obtained by splitting a full-platform scan library containing one or more update patches by system platform;
scanning for local vulnerabilities with the loaded scan library according to a scanning rule to obtain a patch to be installed, and determining the identifiers of a plurality of update files that correspond to the patch to be installed and do not exist on the local system;
obtaining the plurality of update files from a file server using the identifiers of the plurality of update files, and repairing the local vulnerability using the plurality of update files;
wherein the file server comprises a plurality of Content Delivery Network (CDN) nodes and a KV server, each CDN node synchronizes the update file corresponding to each patch, and the KV server establishes an index from the identifier of each update file to its address information;
and wherein obtaining the plurality of update files from the file server using the identifiers of the plurality of update files comprises:
obtaining the address information of the plurality of update files from the KV server using their identifiers;
downloading the plurality of update files from the corresponding CDN nodes using that address information.
2. The method of claim 1, wherein loading a scan library that matches the local system platform and contains one or more update patches comprises:
obtaining the scan library of the local system and the scan library, issued by an external data issuing server through a designated channel, that matches the local system platform and contains one or more update patches;
loading the obtained scan library.
3. The method of claim 1, wherein the scan library records the identifier of the update file corresponding to each patch, and determining the identifiers of the plurality of update files that correspond to the patch to be installed and do not exist on the local system comprises:
determining the identifiers of the candidate update files corresponding to the patch to be installed from the identifiers of the update files corresponding to each patch recorded in the scan library;
determining, from the identifier of each candidate update file, whether that candidate update file exists on the local system;
if not, writing the identifier of the candidate update file into a delta file list, the identifiers of the files in the delta file list being taken as the identifiers of the plurality of update files;
if so, copying the candidate update file on the local system to the temporary installation directory.
4. The method of claim 1, wherein each CDN node further synchronizes an update package corresponding to each patch, the update package contains the identifiers of a plurality of update files, and the KV server further establishes an index from the identifier of each update package to its address information.
5. The method of claim 4, wherein the scan library records the identifier of the update package corresponding to each patch, and determining the identifiers of the plurality of update files that correspond to the patch to be installed and do not exist on the local system comprises:
determining the identifier of the target update package corresponding to the patch to be installed from the identifiers of the update packages corresponding to each patch recorded in the scan library;
obtaining the address information of the target update package from the KV server using the identifier of the target update package;
downloading the target update package from the corresponding CDN node using that address information;
decompressing the target update package to determine the identifiers of the plurality of update files.
6. The method of claim 5, wherein decompressing the target update package to determine the identifiers of the plurality of update files comprises:
decompressing the target update package to obtain the identifiers of the candidate update files;
determining, from the identifier of each candidate update file, whether that candidate update file exists on the local system;
if not, writing the identifier of the candidate update file into a delta file list, the identifiers of the files in the delta file list being taken as the identifiers of the plurality of update files;
if so, copying the candidate update file on the local system to the temporary installation directory.
7. The method of claim 6, wherein repairing the local vulnerability using the plurality of update files comprises:
copying the plurality of downloaded update files to the temporary installation directory;
installing the files in the temporary installation directory to repair the local vulnerability.
8. The method of claim 7, wherein the index further includes at least one of the following items of index information about each update file:
summary information, size, release time, and verification information.
9. The method of claim 8, wherein copying the plurality of downloaded update files to the temporary installation directory comprises:
obtaining from the KV server, using the identifiers of the plurality of update files, index information that includes the verification information of those update files;
verifying the plurality of downloaded update files using the verification information, and copying them to the temporary installation directory only after verification passes.
10. The method of any one of claims 1 to 6, wherein scanning for local vulnerabilities with the loaded scan library according to the scanning rule to obtain the patch to be installed comprises:
scanning for local vulnerabilities with the loaded scan library according to the scanning rule to obtain a scan result set of patches not installed on the local system;
selecting the patch to be installed from the scan result set.
11. The method of claim 10, wherein scanning for local vulnerabilities with the loaded scan library according to the scanning rule to obtain a scan result set of patches not installed on the local system comprises:
enumerating all patches in the loaded scan library to obtain an update list;
traversing the update list, determining whether each patch is installed on the local system, and adding each patch that is not to the scan result set.
12. A vulnerability repair apparatus, comprising:
a loading module adapted to load a scan library that matches the local system platform and contains one or more update patches, the scan library being obtained by splitting a full-platform scan library containing one or more update patches by system platform;
a determining module adapted to scan for local vulnerabilities with the loaded scan library according to a scanning rule to obtain a patch to be installed, and to determine the identifiers of a plurality of update files that correspond to the patch to be installed and do not exist on the local system;
a vulnerability repair module adapted to obtain the plurality of update files from a file server using the identifiers of the plurality of update files, and to repair the local vulnerability using the plurality of update files;
wherein the file server comprises a plurality of Content Delivery Network (CDN) nodes and a KV server, each CDN node synchronizes the update file corresponding to each patch, and the KV server establishes an index from the identifier of each update file to its address information;
and wherein the vulnerability repair module is further adapted to:
obtain the address information of the plurality of update files from the KV server using their identifiers;
download the plurality of update files from the corresponding CDN nodes using that address information.
13. The apparatus of claim 12, wherein the loading module is further adapted to:
obtain the scan library of the local system and the scan library, issued by an external data issuing server through a designated channel, that matches the local system platform and contains one or more update patches;
load the obtained scan library.
14. The apparatus of claim 12, wherein the determining module is further adapted to:
determine the identifiers of the candidate update files corresponding to the patch to be installed from the identifiers of the update files corresponding to each patch recorded in the scan library;
determine, from the identifier of each candidate update file, whether that candidate update file exists on the local system;
if not, write the identifier of the candidate update file into a delta file list, taking the identifiers of the files in the delta file list as the identifiers of the plurality of update files;
if so, copy the candidate update file on the local system to the temporary installation directory.
15. The apparatus of claim 12, wherein each CDN node further synchronizes an update package corresponding to each patch, the update package contains the identifiers of a plurality of update files, and the KV server further establishes an index from the identifier of each update package to its address information.
16. The apparatus of claim 15, wherein the determining module is further adapted to:
determine the identifier of the target update package corresponding to the patch to be installed from the identifiers of the update packages corresponding to each patch recorded in the scan library;
obtain the address information of the target update package from the KV server using the identifier of the target update package;
download the target update package from the corresponding CDN node using that address information;
decompress the target update package to determine the identifiers of the plurality of update files.
17. The apparatus of claim 16, wherein the determining module is further adapted to:
decompress the target update package to obtain the identifiers of the candidate update files;
determine, from the identifier of each candidate update file, whether that candidate update file exists on the local system;
if not, write the identifier of the candidate update file into a delta file list, taking the identifiers of the files in the delta file list as the identifiers of the plurality of update files;
if so, copy the candidate update file on the local system to the temporary installation directory.
18. The apparatus of claim 17, wherein the vulnerability repair module is further adapted to:
copy the plurality of downloaded update files to the temporary installation directory;
install the files in the temporary installation directory to repair the local vulnerability.
19. The apparatus of claim 18, wherein the index further includes at least one of the following items of index information about each update file:
summary information, size, release time, and verification information.
20. The apparatus of claim 19, wherein the vulnerability repair module is further adapted to:
obtain from the KV server, using the identifiers of the plurality of update files, index information that includes the verification information of those update files;
verify the plurality of downloaded update files using the verification information, and copy them to the temporary installation directory only after verification passes.
21. The apparatus of any one of claims 12 to 17, wherein the determining module is further adapted to:
scan for local vulnerabilities with the loaded scan library according to the scanning rule to obtain a scan result set of patches not installed on the local system;
select the patch to be installed from the scan result set.
22. The apparatus of claim 21, wherein the determining module is further adapted to:
enumerate all patches in the loaded scan library to obtain an update list;
traverse the update list, determine whether each patch is installed on the local system, and add each patch that is not to the scan result set.
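The flow that claims 1, 3 and 7 to 11 (and, in the same words, aspects A4 to A13 and apparatus claims 12 to 22) describe is: enumerate the patches in the platform-matched scan library, keep the ones not installed, split each patch's candidate update files into those already on the local system and a delta file list, resolve the delta identifiers to address information through the KV index, download from the CDN node, verify against the verification information the index carries, stage everything in a temporary installation directory, and install. The following is an added worked example of that flow, written for this page; it is not the patentee's code and takes the claim-3 path in which the scan library records update-file identifiers directly (the claim-5 update-package path differs only in where the candidate identifiers come from). All data structures are constructed stand-ins, and two details are assumptions not stated in the claims: an update file's identifier is its file name, and the "verification information" is a SHA-256 digest plus the file size. One deliberate departure from the claims is flagged in the code: the claims copy a locally present candidate file by identifier alone and verify only downloaded files, whereas the example verifies local copies too.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample data for this example (not from the patent). Assumptions:
# an update file's identifier is its file name, and the KV index entry's
# verification information is a SHA-256 digest plus the file size.
LIBFOO_V2 = b"libfoo v2 contents"
FOO_EXE_V2 = b"foo v2 contents"

SCAN_LIBRARY = {                         # platform-matched scan library: patch -> file ids
    "PATCH-A": ["libfoo.dll", "foo.exe"],
    "PATCH-B": ["bar.sys"],
}
INSTALLED_PATCHES = {"PATCH-B"}          # what the local system already has
LOCAL_FILES = {"libfoo.dll": LIBFOO_V2}  # one candidate file is already present locally
CDN_NODES = {                            # address -> bytes a CDN node would serve
    "http://cdn-1.example/f/libfoo.dll": LIBFOO_V2,
    "http://cdn-1.example/f/foo.exe": FOO_EXE_V2,
}
KV_INDEX = {                             # file id -> address info + index info
    "libfoo.dll": {"address": "http://cdn-1.example/f/libfoo.dll",
                   "size": len(LIBFOO_V2), "sha256": sha256_hex(LIBFOO_V2)},
    "foo.exe": {"address": "http://cdn-1.example/f/foo.exe",
                "size": len(FOO_EXE_V2), "sha256": sha256_hex(FOO_EXE_V2)},
}


def scan_uninstalled(scan_library, installed):
    """Claims 10-11: enumerate every patch in the loaded library and keep the
    ones not installed on the local system (the scan result set)."""
    return [patch for patch in scan_library if patch not in installed]


def verify(data: bytes, info: dict) -> bool:
    """Claim 9's verification step: size plus SHA-256, compared in constant
    time against the KV index entry."""
    return len(data) == info["size"] and hmac.compare_digest(
        sha256_hex(data), info["sha256"])


def stage_file(temp_dir: str, file_id: str, data: bytes) -> None:
    """Copy one update file into the temporary installation directory."""
    with open(os.path.join(temp_dir, file_id), "wb") as fh:
        fh.write(data)


def build_delta_list(patch, scan_library, local_files, kv_index, temp_dir):
    """Claim 3: candidate files already on the local system are copied to the
    temporary installation directory; the rest form the delta file list.
    Beyond the claim: a local copy is reused only if it verifies against the
    index, otherwise it is treated as missing and re-fetched."""
    delta = []
    for file_id in scan_library[patch]:
        local = local_files.get(file_id)
        if local is not None and verify(local, kv_index[file_id]):
            stage_file(temp_dir, file_id, local)
        else:
            delta.append(file_id)
    return delta


def fetch_delta(delta, kv_index, cdn_nodes, temp_dir):
    """Claims 1, 8, 9: resolve address info through the KV index, download from
    the CDN node, verify, and only then copy into the temporary installation
    directory. Returns the identifiers that failed verification or download."""
    rejected = []
    for file_id in delta:
        info = kv_index[file_id]
        data = cdn_nodes.get(info["address"])   # stands in for the HTTP download
        if data is None or not verify(data, info):
            rejected.append(file_id)            # missing, truncated or tampered
            continue
        stage_file(temp_dir, file_id, data)
    return rejected


def repair(patch, scan_library, local_files, kv_index, cdn_nodes):
    """Whole flow for one patch to be installed (claims 1, 3, 7-9). The install
    step is modelled as reporting the staged files; nothing is written outside
    the temporary directory."""
    temp_dir = tempfile.mkdtemp(prefix="patch-stage-")
    delta = build_delta_list(patch, scan_library, local_files, kv_index, temp_dir)
    rejected = fetch_delta(delta, kv_index, cdn_nodes, temp_dir)
    staged = sorted(os.listdir(temp_dir))
    # One unverifiable file aborts the whole patch; never install a partial set.
    status = "rejected" if rejected else "installed"
    return {"status": status, "delta": delta, "rejected": rejected, "staged": staged}


if __name__ == "__main__":
    for patch in scan_uninstalled(SCAN_LIBRARY, INSTALLED_PATCHES):
        print(patch, repair(patch, SCAN_LIBRARY, LOCAL_FILES, KV_INDEX, CDN_NODES))
    # A CDN node serving a modified foo.exe: the size/digest mismatch rejects it.
    tampered = {**CDN_NODES, "http://cdn-1.example/f/foo.exe": FOO_EXE_V2 + b"!"}
    print("tampered", repair("PATCH-A", SCAN_LIBRARY, LOCAL_FILES, KV_INDEX, tampered))
```

The security-relevant point of the claimed design is that the verification information comes from the KV index, not from the CDN node that serves the bytes, so a CDN node or a path to it that returns altered content cannot get its file staged. What the claims do not say is how the client authenticates the KV index or the scan library itself; in a deployment that has to be a signed index or an authenticated channel, because whoever controls the index also controls which bytes the client will accept.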
CN201710062973.1A 2017-01-24 2017-01-24 Vulnerability repair method and device Active CN106921731B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710062973.1A CN106921731B (en) 2017-01-24 2017-01-24 Vulnerability repair method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710062973.1A CN106921731B (en) 2017-01-24 2017-01-24 Vulnerability repair method and device

Publications (2)

Publication Number Publication Date
CN106921731A CN106921731A (en) 2017-07-04
CN106921731B true CN106921731B (en) 2021-06-22

Family

ID=59454483

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710062973.1A Active CN106921731B (en) 2017-01-24 2017-01-24 Vulnerability repair method and device

Country Status (1)

Country Link
CN (1) CN106921731B (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107392033B (en) * 2017-08-30 2019-12-31 杭州安恒信息技术股份有限公司 Android device penetration test system and automatic penetration test method thereof
CN108200029A (en) * 2017-12-27 2018-06-22 北京知道创宇信息技术有限公司 Loophole situation detection method, device, server and readable storage medium storing program for executing
CN109218336B (en) * 2018-11-16 2021-02-19 北京知道创宇信息技术股份有限公司 Vulnerability defense method and system
CN109976788B (en) * 2019-03-26 2024-03-15 深圳Tcl数字技术有限公司 Intelligent terminal miniature vulnerability restoration method, intelligent terminal, equipment and server
CN110572399B (en) * 2019-09-10 2022-05-20 阿波罗智联(北京)科技有限公司 Vulnerability detection processing method, device, equipment and storage medium
CN112579330B (en) * 2019-09-30 2024-02-06 奇安信安全技术(珠海)有限公司 Processing method, device and equipment for abnormal data of operating system
CN113760339A (en) * 2020-07-01 2021-12-07 北京沃东天骏信息技术有限公司 Vulnerability repair method and device
CN112541182B (en) * 2020-12-23 2022-11-04 苏州三六零智能安全科技有限公司 Kernel VFS layer system repairing method, device, equipment and storage medium
CN113704359B (en) * 2021-09-03 2024-04-26 优刻得科技股份有限公司 Method, system and server for synchronizing multiple data copies of time sequence database

Citations (4)

Publication number Priority date Publication date Assignee Title
CN103227992A (en) * 2013-04-01 2013-07-31 南京理工大学常熟研究院有限公司 Android terminal-based vulnerability scanning system
CN103745158A (en) * 2014-01-26 2014-04-23 北京奇虎科技有限公司 Method and device for repairing system bugs
CN103973475A (en) * 2013-02-05 2014-08-06 腾讯科技(深圳)有限公司 Difference service pack generating method, difference service pack downloading method, server and client-side
CN104462975A (en) * 2014-12-19 2015-03-25 北京奇虎科技有限公司 Program scanning method, device and system

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
CN101931944B (en) * 2010-07-23 2013-09-25 华为终端有限公司 Method, device and system for updating terminal patches on line
CN104378397A (en) * 2013-08-15 2015-02-25 世纪禾光科技发展(北京)有限公司 Method and system for issuing incremental updating of program package

Also Published As

Publication number Publication date
CN106921731A (en) 2017-07-04

Similar Documents

Publication Publication Date Title
CN106921731B (en) Vulnerability repair method and device
CN106919843B (en) Vulnerability repair system, method and equipment
US7664834B2 (en) Distributed operating system management
CN105657191B (en) Application increment upgrading method and system based on Android system
US10228925B2 (en) Systems, devices, and methods for deploying one or more artifacts to a deployment environment
CN107896244B (en) Version file distribution method, client and server
CN105893008A (en) Method and device for customizing multi-channel installation package
CN106909427B (en) Software updating method and device and software updating data publishing method and system
CN104679534A (en) System application installation package loading processing method, device and terminal
CN109766114B (en) Processing method and device for patch file
CN106371875B (en) Mobile phone application updating method based on HTML5
CN102841824B (en) Rollback method and rollback device
CN113835713B (en) Source code packet downloading method, device, computer equipment and storage medium
CN110543324A (en) Plug-in increment updating method and device for application program
CN108170588B (en) Test environment construction method and device
US20160004850A1 (en) Secure download from internet marketplace
CN110489108B (en) Method and device for automatically collecting reusable components
CN112685071A (en) Application program repairing method, device, equipment and storage medium
CN112363737A (en) System installation method and related device
CN113535221A (en) Method and device for managing application version
CN116055321B (en) Cloud product updating method and device suitable for private cloud and storage medium
CN110569088A (en) client plug-in management method and device, electronic equipment and storage medium
CN113721968B (en) Firmware upgrading method and device
CN113127054B (en) File processing method and related device
CN110659055B (en) Installation file application program updating method, updating detection method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant