CN113158191A - Vulnerability verification method based on intelligent probe and related IAST method and system - Google Patents

Publication number: CN113158191A
Authority: CN (China)
Prior art keywords: test, target, vulnerability, attack, probe
Legal status: Granted
Application number: CN202110576575.8A
Other languages: Chinese (zh)
Other versions: CN113158191B (en)
Inventors: 张涛, 宁戈, 牛伟颖, 刘恩炙
Current assignee: Beijing Anpro Information Technology Co ltd
Original assignee: Beijing Anpro Information Technology Co ltd
Application filed by Beijing Anpro Information Technology Co ltd
Priority to CN202110576575.8A
Publication of CN113158191A
Application granted
Publication of CN113158191B
Legal status: Active

Classifications

    • G06F21/562 Static detection (under G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements; G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms)
    • G06F21/575 Secure boot (under G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities)
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security (under G06F21/57)
    • G06F2221/033 Test or assess software (under G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms)


Abstract

The application provides a vulnerability verification method based on an intelligent probe, together with a related IAST method and system, and relates to the field of computer network information security. Intelligent probes are instrumented into the target program; when a simulated attack test is received, the corresponding intelligent probe verifies whether a known type of vulnerability may be hidden in the target program, so that active vulnerability verification is performed at the server side. On this basis, a controllable test unit supplies the required simulated attack tests, so that active IAST gray-box testing is realized. Compared with the prior art, the built-in lightweight intelligent probe provides IAST gray-box testing that is more intelligent, efficient, easy to use and less intrusive, and of which the program under test is unaware.

Description

Vulnerability verification method based on intelligent probe and related IAST method and system
Technical Field
The embodiment of the disclosure mainly relates to the field of computer software security testing, and more particularly relates to a vulnerability verification method based on an intelligent probe and a related IAST method and system.
Background
With the advent of the digital age, B/S-based Web application technology is widely used in the digital transformation of government and enterprise businesses. However, the ensuing application security threats have also increased significantly. Related research has shown that more and more security vulnerabilities occur at the application layer, rather than at the network layer as was previously assumed. To ensure that an application can safely and stably provide services after delivery and deployment, the vulnerabilities and defects in the application are usually discovered and repaired through application security testing before delivery, so as to prevent the application from being exploited by hackers and other illegal actors and causing security hazards. However, the development of attack-side technology and the security challenges that open source components bring to the defense side, together with the fact that development organizations and individuals are forced by market competition and similar factors to adopt development modes that support frequent updates and rapid version releases, raise new problems and requirements for the pre-delivery security testing of software products. In view of this situation, it is a technical problem to provide more efficient and reliable application security testing, so that development testers can quickly complete security testing before the relevant application service code is delivered online.
Disclosure of Invention
According to an example embodiment of the present disclosure, an intelligent probe-based vulnerability verification scheme is provided, and based thereon, an IAST gray box security testing scheme is further provided.
In a first aspect of the present disclosure, a vulnerability verification method based on an intelligent probe is provided. The method is based on Agent technology and specifically comprises the following steps: at a server, inserting corresponding intelligent probes into target key functions in a target program; a target key function is a key function relative to the target type vulnerability, and the target program comprises at least one target key function corresponding to the target type vulnerability. The intelligent probe is configured to receive the effective message content of the corresponding message of a simulated attack test, to obtain effective runtime data when the data stream of the simulated attack test reaches the instrumentation point of the intelligent probe, and to judge, from the effective runtime data, the information of the corresponding instrumented target key function and the received effective message content of the simulated attack test message, whether the instrumented target key function executes abnormally when attacked by the simulated attack, and thereby to determine whether a target type vulnerability is hidden in the target program. The simulated attack test is a test that detects, by means of a simulated attack, whether a target type vulnerability exists; the simulated attack test message carries a payload that can trigger the target type vulnerability. The target key function information, that is, the information identifying the target key function, may be, for example, the function name of the target key function.
In a second aspect of the disclosure, an active IAST method based on a built-in smart probe is provided. As a novel gray box testing method built on the vulnerability verification method of the first aspect, the IAST method includes: executing the operations of the vulnerability verification method of the first aspect at the server, instrumenting the target program with intelligent probes, and performing verification detection of known types of vulnerabilities that may be hidden in the target program through the corresponding intelligent probes when a simulated attack test is received; generating simulated attack test traffic at the test end, simulating an attack on the target program at the server end, and thereby providing the corresponding simulated attack test. The simulated attack test is a test that detects, by means of a simulated attack, whether a target type vulnerability exists; the generated simulated attack traffic comprises the corresponding simulated attack test message, and the simulated attack test message should carry a payload that can trigger the target type vulnerability.
In a third aspect of the present disclosure, an IAST gray box testing system based on a built-in smart probe is provided. The system comprises a vulnerability detection unit and a test unit. The vulnerability detection unit is deployed at the server based on Agent technology and is used for detecting and analyzing known types of vulnerabilities in the target program during the IAST gray box testing process; it is configured to execute the operations of the vulnerability verification method of the first aspect, instrument the target program with intelligent probes, and perform verification detection of known types of vulnerabilities that may be hidden in the target program through the corresponding intelligent probes when the target program is subjected to a simulated attack test. The test unit is deployed at the test end and is used for generating simulated attack test traffic, simulating an attack on the target program at the server end, and providing the corresponding simulated attack test; the test unit comprises at least one attack test node, and an attack test node is capable of performing the simulated attack test. The simulated attack test is a test that detects, by means of a simulated attack, whether a target type vulnerability exists; the simulated attack traffic comprises the corresponding simulated attack test message, and the simulated attack test message should carry a payload that can trigger the target type vulnerability.
In a fourth aspect of the disclosure, an apparatus for implementing vulnerability verification is provided. The device includes: at least one processor, a memory coupled to the at least one processor, and a computer program stored in the memory; the processor executes the computer program, and accordingly can implement the vulnerability verification method described in the first aspect.
In a fifth aspect of the disclosure, a computer-readable storage medium is provided. The medium has stored thereon computer instructions for IAST correlation, which computer instructions, when executed by a computer processor, are capable of performing part or all of the methods described in the first and second aspects.
In a sixth aspect of the disclosure, a computer program product is provided. The program product comprises a computer program enabling, when executed by a computer processor, to carry out part or all of the methods described in the first and second aspects.
It should be understood that the statements herein reciting aspects are not intended to limit the critical or essential features of the embodiments of the present disclosure, nor are they intended to limit the scope of the present disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
The above and other features, advantages and aspects of various embodiments of the present disclosure will become more apparent by referring to the following detailed description when taken in conjunction with the accompanying drawings. In the drawings, like or similar reference characters designate like or similar elements, and wherein:
FIG. 1 shows an example schematic diagram of an active IAST in the prior art;
FIG. 2 illustrates a schematic diagram of an example environment in which embodiments of the present disclosure, or components thereof, can be implemented;
FIG. 3 illustrates a schematic diagram of a process for vulnerability verification based on smart probes, in accordance with some embodiments of the present disclosure;
FIG. 4 is a schematic diagram illustrating the process by which the smart probe of some of the above embodiments determines whether its instrumented target key function executes abnormally when subjected to a targeted simulated attack;
FIG. 5 is a schematic diagram illustrating the process by which the smart probe of other of the above embodiments determines whether its instrumented target key function executes abnormally when subjected to a targeted simulated attack;
FIG. 6 illustrates a schematic diagram of a process for built-in smart probe based active IAST gray box testing, according to some embodiments of the present disclosure;
FIG. 7 illustrates a block diagram of an IAST gray box testing system based on a built-in smart probe according to some embodiments of the present disclosure;
FIG. 8 illustrates a block diagram of an electronic device for implementing vulnerability verification, in accordance with some embodiments of the present disclosure.
Detailed Description
Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the present disclosure are shown in the drawings, it is to be understood that the present disclosure may be embodied in various forms and should not be construed as limited to the embodiments set forth herein, but rather are provided for a more thorough and complete understanding of the present disclosure. It should be understood that the drawings and embodiments of the disclosure are for illustration purposes only and are not intended to limit the scope of the disclosure.
The terms "include" and its similar terms are to be understood as open-ended inclusions, i.e., "including but not limited to," in the description of the embodiments of the present disclosure. The term "based on" should be understood as "based at least in part on". The term "one embodiment" or "the embodiment" should be understood as "at least one embodiment".
The technical term "probe" in the description of the embodiments of the present disclosure refers to an "instrumentation" probe, which is essentially a piece of code that collects information; it may be an assignment statement or a function call that collects coverage information. The technical term "instrumentation", also called "program instrumentation", refers to a method of inserting "probes" into a program while preserving the original logic of the program under test, and obtaining the control flow and data flow of the program by analyzing the runtime characteristic data (i.e., runtime data) emitted by the "probes", so as to obtain dynamic information such as logic coverage and thereby achieve the purpose of the test. A probe can be designed with the corresponding capture capability according to the instrumentation point, the data capture requirements and so on, so that the required data can be acquired. In the same program under test, depending on the test requirements, only one probe may be inserted, or probes may be inserted at several different instrumentation points. In instrumentation-based IAST gray box testing in general, the key is the instrumented "probe"; such "probes" generally need to be developed for each language, but have essentially the same functions, which mainly include: parameter passing during code execution, database queries (e.g., ODBC), directory queries (e.g., LDAP), file system permissions, monitoring specific values in memory, identifying tainted inputs, third party library usage, calls to external applications and services, and so on.
The technical term "target program" in the description of the embodiments of the present disclosure refers to a computer application program that is the object of detection in a security testing process. For computer programs, security holes are inevitable. Programs are written by people, and code quality must be balanced against development efficiency, so a large application program that completely conforms to the programming specification and has no bugs or defects cannot exist at the development stage; in particular, B/S-based Web applications with complex business logic that meet many functional requirements are bound to contain vulnerabilities and defects. In today's digital age, software, and applications in particular (for example, the many mobile phone apps covering everyday needs such as clothing, food, housing and travel), increasingly defines every part of our lives; since most security vulnerabilities exist in applications, applications are generally required to pass application security testing before being deployed online, in order to reduce the damage caused by illegal exploitation. The "target program" herein mainly refers to a Web application under test in a security testing process.
The technical term "key functions" in the description of embodiments of the present disclosure refers to those functions of the "target program" that execute abnormally when a potential vulnerability is triggered. For each type of vulnerability that may be hidden in the target program, the target program includes at least one corresponding key function. A "target key function" is the "key function" that corresponds to the "target type vulnerability".
In the description of the embodiments of the present disclosure, the technical term "target type vulnerability" refers to the type of vulnerability that is assumed to exist in the target program during vulnerability verification or IAST gray box testing, and whose presence in the target program is to be verified through the corresponding simulated attack test. The "target type vulnerability" may be any known type of vulnerability; in each vulnerability verification process, there is usually exactly one known type of vulnerability serving as the "target type vulnerability" of the current verification detection.
The technical term "simulated attack test" in the description of embodiments of the present disclosure refers to an attack test capable of triggering a latent vulnerability in the target program. The simulated attack test is mainly realized by sending a simulated attack test request to the target program, and the "simulated attack test message" is the message of that request. Several different known types of vulnerabilities may be hidden in the target program, so the vulnerability verification process must use the simulated attack test that corresponds to the current target type vulnerability; different known types of vulnerabilities require different "simulated attack test messages", and the simulated attack test message carries a different payload for each known type of vulnerability.
The technical term "payload" in the description of the embodiments of the present disclosure refers to the actual information carried in a data transmission, also commonly called the actual data or data body. To make data transmission more reliable, each batch of data is usually wrapped in some auxiliary information, and each batch of data together with its auxiliary "wrapper" forms the basic transmission unit of the channel, namely a data frame or data packet; these "wrappers" serve the transmission itself and are also referred to as overhead data, while the raw data inside is considered the payload. The "payload" is one concrete realization of an attack vector and is the key to achieving the purpose of the attack and successfully exploiting the corresponding type of vulnerability. In the attack testing process of vulnerability verification, the payload is the effective test data used to verify whether the target program hides the corresponding type of vulnerability.
With the application of new technologies and trends such as artificial intelligence, open source software and the cloud, the continuing effect of leaked network weapons is gradually changing the logic and means of network attack, and the situation of "attack and defense inequality" is becoming more severe. This is mainly manifested in: 1. attack technology is more advanced and intelligent; the latency, concealment, directionality, autonomy and fusion of attack means are increasingly enhanced, and intelligent analysis makes it possible to quickly bypass multiple defense means; 2. the research, development and use of network weapons are accelerating, automated exploitation based on known and unknown vulnerabilities keeps developing, the attack threshold is greatly reduced, and security events such as sensitive data leakage occur frequently; 3. software is moving toward open source, attacks through trusted software supply chains occur frequently, the range of attack targets is wide and the attack modes are concealed, which poses a great challenge to the business security defense of government and enterprise users. In particular, with the popularization of cloud and open source technologies, B/S-based Web application technology is widely applied in the business digital transformation of many government and enterprise entities, and the application security threats it faces have also increased remarkably.
In order to fundamentally break the current situation of "attack and defense inequality", the concept of "shift-left security" has been proposed and practiced. Shift-left security aims to move the capability to discover application threats forward into the development and testing stage, to embed security work smoothly into the existing software development system of government and enterprise organizations, and to achieve transparent security testing of online application items from the source of the application life cycle. Among these practices, IAST gray box testing is an important technical support for "shift-left security". IAST (Interactive Application Security Testing) is a new generation of interactive application security testing scheme: by deploying runtime plug-ins, terminal traffic Agents/VPNs, bypass traffic mirroring, host Agent traffic sniffing software and the like at the Web application service end, it collects and monitors function execution and data transmission while the Web application runs, and interacts in real time with an analysis engine, so that security defects and vulnerabilities are identified efficiently and accurately. FIG. 1 illustrates an example of an available active instrumented IAST gray box test. As shown in FIG. 1, an active instrumented IAST architecture 100 resembles an improved DAST. It mainly consists of deploying IAST Agents at the service end 110 and, during scanning, tracking the data flow, scan coverage and the like of the program under test deployed at the service end 110 by means of the runtime data emitted by the deployed IAST Agents 130, while a scanning end 120 mainly constructs security test packets by crawling and accordingly generates a large amount of malicious attack traffic to cover the program under test at the service end 110. The large volume of data flows, scan coverage and the like tracked by the widely deployed IAST Agents 130 is uploaded to the analysis unit 140 for vulnerability detection analysis. However, although the widely deployed IAST Agents 130 emit the runtime data acquired within their respective capability ranges, and uploading, aggregating and analyzing that runtime data makes it possible to track a relatively comprehensive and global picture of the data flow and scan coverage of the program under test during scanning, the process involves a certain amount of data transmission, including transmission of low-value or worthless data. Even though each IAST Agent is only slightly intrusive to the program under test, the overall architecture is highly dependent on external components, the transmission of large amounts of data, especially cross-end transmission, generates a certain overhead, and the widely deployed IAST Agents that track the data flow of the program under test during scanning also generate overhead that affects the performance of the service end.
According to the embodiments of the disclosure, a vulnerability verification scheme based on an intelligent probe and an active IAST gray box testing scheme based on a built-in intelligent probe are provided. In these schemes, the target program is instrumented with intelligent probes, and when the target program is subjected to a simulated attack test, the corresponding intelligent probes verify the known types of vulnerabilities that may be hidden in the target program, so that active vulnerability verification at the server side is realized; on this basis, a controllable test unit supplies the required simulated attack tests, so that a more efficient active IAST gray box test can be realized.
The disclosed solution, through the built-in lightweight smart probe, provides a more intelligent, efficient, easy-to-use, and less intrusive IAST gray box test than the prior art, and makes the tested program unaware. The vulnerability verification scheme can provide targeted IAST tests for high-risk vulnerabilities and fatal defects through corresponding built-in intelligent probes.
Embodiments of the present disclosure will be described below in detail with reference to the accompanying drawings. FIG. 2 illustrates a schematic diagram of an example environment in which embodiments of the present disclosure, or components thereof, can be implemented. As shown in FIG. 2, an example environment 200 includes a service end 210 and a test end 220; the server 210 and the test end 220 may be physical server devices, or may be a server/cloud server cluster composed of hardware device nodes or virtual nodes. A target program is deployed on the server 210, and according to the needs of target program vulnerability verification, an intelligent probe 230 may be deployed and coupled with the target program (for example, embedded in the target program according to the relevant configuration settings and program execution). The test end 220 is configured to send a simulated attack test packet to the service end 210 to initiate a simulated attack test, which triggers the verification detection of the corresponding intelligent probe for the specific known type of vulnerability that the probe corresponds to.
According to some embodiments of the present disclosure, a vulnerability verification method based on an intelligent probe is provided. The method is applied at a server based on Agent technology (an Agent here is a concept from the field of distributed computing: a computing entity with autonomy, interactivity, reactivity and initiative that continuously and autonomously plays its role), including an example implemented on the server 210 in the example environment 200. FIG. 3 is a schematic diagram illustrating the procedure of vulnerability verification based on the smart probe in that example. As shown in FIG. 3, the intelligent probe-based vulnerability verification method of the example may be implemented on the server 210 in the example environment 200, and the intelligent probe-based vulnerability verification process 300 includes: determining the known type of vulnerability that is the verification detection target and its corresponding key functions (the target key functions); for any target type vulnerability (the known type of vulnerability serving as the current verification detection target), the target program comprises at least one target key function; at the server, inserting corresponding intelligent probes into the target key functions of the target program that correspond to the target type vulnerability (see block 301); while the target program runs, the instrumented intelligent probe coupled with the target program is configured to receive the effective message content of the corresponding simulated attack test message when the target program is subjected to the simulated attack, to acquire effective runtime data when the data stream of the simulated attack test reaches the probe's instrumentation point, and then, from the effective runtime data, the information of the corresponding instrumented target key function and the received effective message content of the simulated attack test message, to judge whether the instrumented target key function executes abnormally under the simulated attack and thereby determine whether the target type vulnerability is hidden in the target program (see block 302). In general, abnormal execution of a target key function under the simulated attack means that the system is vulnerable, that is, the target type vulnerability is hidden in the target program. The simulated attack test is a test that detects, by means of a simulated attack, whether a target type vulnerability exists; the simulated attack test message carries a payload that can trigger the target type vulnerability. The target key function information, that is, the information identifying the target key function (and possibly further identifying its instrumentation site), may be, for example, the function name of the target key function, and may even be specific to the instrumentation site.
The specific process of the smart probe determining whether its instrumented target key function is abnormally executed when the instrumented target key function is attacked in the above-mentioned block 302 in some embodiments will be described below with reference to fig. 4 and 5. Fig. 4 is a schematic diagram illustrating a process of the smart probe in some of the above embodiments to determine whether the target key function inserted by the smart probe is abnormally executed when the smart probe is subjected to a targeted simulation attack. As shown in fig. 4, the process in which the smart probe determines whether the target key function inserted by the smart probe is abnormally executed when the target key function is subjected to the targeted simulation attack may include: d1: judging whether the effective message content of the simulated attack test message comprises an effective load parameter capable of triggering the target type bug; if so, then D2: judging whether the effective runtime data comprises the harmless processed effective load parameter content of the simulated attack test message according to the effective load parameter content in the simulated attack test message, the effective runtime data and the corresponding plugged target key function information; if not, judging that the target key function is executed abnormally.
Fig. 5 is a schematic diagram of the corresponding process in other embodiments. As shown in fig. 5, the process by which the intelligent probe determines whether its instrumented target key function executes abnormally when subjected to the targeted simulated attack may include: configuring the valid message content of the simulated-attack test message received by the intelligent probe to also include the corresponding request parameter value from the simulated-attack test message; D1: judging whether the valid message content of the simulated-attack test message contains a payload parameter capable of triggering the target-type vulnerability; if so, D2: judging, from the payload parameter content in the simulated-attack test message, the valid runtime data and the information on the corresponding instrumented target key function, whether the valid runtime data contains the sanitized form of that payload parameter content; and D3: judging whether the valid runtime data contains the request parameter value; if D2 is NO and D3 is YES, the target key function is judged to have executed abnormally. Step D3 confirms that the raw request value actually reached the instrumentation point before abnormal execution is reported.
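The decision in steps D1, D2 and D3 described for figs. 4 and 5 above (and in claim 2 below) can be modelled as follows. This is an added example written for this page, not code from the patent or its agent: the vulnerability types, the sanitizers treated as "harmless processing" (quote doubling for SQL injection, HTML escaping for XSS), the key function names and the query strings are assumptions, and the "undecidable" outcome for a payload that no sanitizer changes is a caveat added here rather than a step the text describes.

```python
"""Model of the intelligent probe's decision at an instrumented key function (sink):
steps D1, D2 and, in the second variant, D3. Added example; types, sanitizers and
strings below are assumptions, not the patent's own implementation."""
import html
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence


def sql_escape(value: str) -> str:
    """Quote doubling: the form a correctly sanitized SQL path would produce (assumed)."""
    return value.replace("'", "''")


# Assumed mapping from vulnerability type to the sanitizers whose output counts as the
# "harmlessly processed" form of the payload at a sink of that type.
SANITIZERS: Dict[str, List[Callable[[str], str]]] = {
    "sqli": [sql_escape],
    "xss": [lambda value: html.escape(value, quote=True)],
}


@dataclass(frozen=True)
class TestMessageContent:
    """Valid content of the simulated-attack test message as the probe receives it."""
    vuln_type: str                              # vulnerability type the message targets
    payload: Optional[str]                      # payload parameter for that type, or None
    request_param_value: Optional[str] = None   # raw request value (fig. 5 variant only)


@dataclass(frozen=True)
class KeyFunctionInfo:
    """Information identifying the instrumented target key function."""
    name: str
    vuln_type: str                              # vulnerability type this sink is probed for


def decide(msg: TestMessageContent, runtime_data: Sequence[str], kf: KeyFunctionInfo) -> str:
    """Return 'abnormal' (payload reached the sink unsanitized), 'normal',
    'not_applicable' (D1 failed) or 'undecidable' (added caveat, see below)."""
    # D1: does the message carry a payload able to trigger this sink's vulnerability type?
    if msg.payload is None or msg.vuln_type != kf.vuln_type:
        return "not_applicable"
    # Sanitized forms of the payload. If no sanitizer changes it, sanitized and raw are
    # the same string and D2 could not be told apart from D3; the text does not cover
    # this case, so the model refuses to judge rather than report either way.
    sanitized = {fn(msg.payload) for fn in SANITIZERS.get(kf.vuln_type, [])} - {msg.payload}
    if not sanitized:
        return "undecidable"
    # D2: does the runtime data at the sink contain a sanitized form of the payload?
    d2 = any(form in item for form in sanitized for item in runtime_data)
    if msg.request_param_value is None:
        # Fig. 4 variant: D2 = NO alone means abnormal execution. Note that it also
        # fires when the payload never reached this sink at all.
        return "normal" if d2 else "abnormal"
    # Fig. 5 variant, D3: did the raw request parameter value reach the sink?
    d3 = any(msg.request_param_value in item for item in runtime_data)
    return "abnormal" if (not d2 and d3) else "normal"
```

The fig. 5 variant is the one to prefer when a sink can legitimately be reached by requests whose tested parameter never flows into it: with D2 alone, a query that does not involve the parameter at all is reported as abnormal, which the D3 check rules out.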
In some embodiments, for a given target vulnerability type the target program contains a plurality of target key functions, and at least two corresponding intelligent probes are instrumented into the target program, each of which can independently determine whether a vulnerability of that type is present in the target program. Specifically, for a target vulnerability type, the target program contains a plurality of target key functions, corresponding intelligent probes are instrumented into all or some of them, and for the purpose of verifying whether a vulnerability of that type is present, any single intelligent probe that judges its target key function to have executed abnormally during the simulated-attack test is sufficient on its own to determine that the target-type vulnerability is present in the target program.
In some embodiments, in block 301, the target program may also be instrumented with corresponding auxiliary probes. An auxiliary probe is used mainly to obtain the valid message content of the simulated-attack test message and supply it to the intelligent probe, or to obtain the response message returned by the target program to the test side. Specifically, in block 301, in addition to instrumenting the corresponding intelligent probes into the target key functions associated with the target vulnerability type, the method may further include instrumenting corresponding auxiliary probes into the target program: a plurality of auxiliary probes with corresponding functions are instrumented at corresponding sites in the target program; all or some of these auxiliary probes may be used to obtain the valid message content of the simulated-attack test message received by the intelligent probe and provide it to the corresponding intelligent probe, or to obtain the response message returned by the target program to the test side; the obtained response message is used for auxiliary analysis in the verification of the target-type vulnerability.
Additionally, in some embodiments, an auxiliary probe instrumented into the target program in block 301 may be reused across the verification of different vulnerability types to obtain valid message content or response messages of simulated-attack test messages that share the same acquisition site and satisfy the same content-format requirement, providing the corresponding valid message content to different intelligent probes, or the corresponding response messages to different vulnerability-verification auxiliary analysis processes. Specifically, the simulated-attack test data flows for different vulnerability types overlap on part of their path during verification, so common and suitable instrumentation points are chosen wherever possible to obtain the related data. In particular, when the valid message content or response messages of the corresponding simulated-attack test messages satisfy the same content-format requirement, the auxiliary probe can be designed and configured to obtain, at runtime, all data of the same kind that meets that format requirement rather than only data meeting one specific content requirement, while still distinguishing the valid message content or response messages of the different simulated-attack test messages used for different vulnerability types and delivering each to the corresponding intelligent probe or to the corresponding vulnerability-verification auxiliary analysis component, module or process.
In some embodiments, in block 301, the various probes may also be instrumented into the target program by runtime instrumentation, so that the data needed for verification analysis is obtained with minimal intrusion into the target program. Specifically, through corresponding configuration, the probes can be instrumented at the sites of the relevant key functions while the target program is starting. Taking a target program written in Java as an example, runtime instrumentation inserts the corresponding probe (an intelligent probe or an auxiliary probe) at the corresponding site (for example, the head or the tail of a key function) during class loading of the program under test, using a bytecode instrumentation tool or the like.
In some embodiments, in block 302, the valid runtime data obtained by the intelligent probe at its instrumentation point may further include function call stack information. The call stack information contains the code-line information from which the trigger point of the target-type vulnerability can be determined, and is used to locate the position of the target-type vulnerability precisely.
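As an added illustration of the runtime instrumentation, the auxiliary probe at a request-entry site and the call-stack capture described in the last few paragraphs, the following example code was written for this page; it is not the patent's own agent, and it is in Python rather than the Java bytecode instrumentation the text mentions. A hypothetical target program with a request handler handle_login (entry site) and a key function execute_sql (sink) is instrumented at start-up by wrapping both functions before any request is served: the auxiliary probe stores the request content for the intelligent probe, which records the runtime data at the sink together with file:line call-stack entries that point back at the line in handle_login that built the query. All function names, probe classes and the SQL text are assumptions.

```python
"""Model of runtime instrumentation with an auxiliary probe at the request entry site
and an intelligent probe at a key function (sink). Added example; the target program,
probe classes and SQL below are constructed for illustration."""
import functools
import traceback
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Tuple


# --- constructed target program (hypothetical; stands in for the program under test)
def execute_sql(sql: str) -> str:
    """Key function (sink). Touches no database; returns the query it was given."""
    return f"executed: {sql}"


def handle_login(username: str) -> str:
    """Request entry site. Builds the query from the request parameter unsanitized."""
    sql = f"SELECT id FROM users WHERE name = '{username}'"
    return execute_sql(sql)


# --- probes ---------------------------------------------------------------------
@dataclass
class ProbeRecord:
    key_function: str
    runtime_data: Tuple[Any, ...]              # arguments seen at the instrumentation point
    message_content: Optional[Dict[str, Any]]  # supplied by the auxiliary probe
    call_stack: List[str]                      # "file:line in function", outermost first


class RequestContext:
    """Scratch space shared by the two probes (a real agent keys it per thread/request)."""
    def __init__(self) -> None:
        self.message: Optional[Dict[str, Any]] = None


class AuxiliaryProbe:
    """Captures the valid message content at the entry site for the intelligent probe."""
    def __init__(self, ctx: RequestContext) -> None:
        self.ctx = ctx

    def head(self, args: Tuple[Any, ...], kwargs: Dict[str, Any]) -> None:
        self.ctx.message = {"args": args, "kwargs": kwargs}

    def tail(self, result: Any) -> None:
        pass


class IntelligentProbe:
    """Records runtime data and the call stack when the sink is reached."""
    def __init__(self, key_function: str, ctx: RequestContext) -> None:
        self.key_function = key_function
        self.ctx = ctx
        self.records: List[ProbeRecord] = []

    def head(self, args: Tuple[Any, ...], kwargs: Dict[str, Any]) -> None:
        # Drop the two innermost frames (this method and the wrapper) so the stack
        # ends at the caller of the key function; each entry keeps file and line.
        frames = traceback.extract_stack()[:-2]
        stack = [f"{fr.filename}:{fr.lineno} in {fr.name}" for fr in frames]
        self.records.append(ProbeRecord(self.key_function, args, self.ctx.message, stack))

    def tail(self, result: Any) -> None:
        pass


def instrument(namespace: Dict[str, Any], name: str, probe: Any) -> Callable[..., Any]:
    """Replace namespace[name] with a wrapper that runs probe.head at the head of the
    function and probe.tail at its tail; returns the original so it can be restored.
    Python analogue of inserting probe bytecode at class-load time."""
    original = namespace[name]

    @functools.wraps(original)
    def wrapper(*args: Any, **kwargs: Any) -> Any:
        probe.head(args, kwargs)
        result = original(*args, **kwargs)
        probe.tail(result)
        return result

    namespace[name] = wrapper
    return original


_probe: Optional[IntelligentProbe] = None


def install_probes() -> IntelligentProbe:
    """Start-up step: instrument once, before the first request is served."""
    global _probe
    if _probe is None:
        ctx = RequestContext()
        instrument(globals(), "handle_login", AuxiliaryProbe(ctx))
        _probe = IntelligentProbe("execute_sql", ctx)
        instrument(globals(), "execute_sql", _probe)
    return _probe


def run_request(username: str) -> ProbeRecord:
    """Serve one constructed request and return what the intelligent probe recorded."""
    probe = install_probes()
    handle_login(username)
    return probe.records[-1]


def frames_in(record: ProbeRecord, function_name: str) -> List[str]:
    """Stack entries inside function_name; their file:line locates the code that
    passed the data to the sink."""
    return [entry for entry in record.call_stack if entry.endswith(f" in {function_name}")]
```

Run run_request("' OR '1'='1") and inspect the returned record: runtime_data holds the query exactly as the sink saw it, message_content holds the raw request parameter captured at the entry site, and frames_in(record, "handle_login") yields the single file:line entry at which the query was built, which is the position a report would point at.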
According to some embodiments of the present disclosure, an active IAST method based on built-in intelligent probes is proposed. Building on the vulnerability verification method of the above embodiments, the IAST method mainly comprises a vulnerability verification process executed on the server side and a corresponding simulated-attack test process executed on a separately deployed test side. Specifically: on the server side, the operations of the vulnerability verification method of the above embodiments are executed, intelligent probes are instrumented into the target program, and when a simulated-attack test is received, the known vulnerability types that may be present in the target program are verified through the corresponding intelligent probes; on the test side, simulated-attack test traffic is generated to simulate an attack on the server-side target program and provide the corresponding simulated-attack test. The simulated-attack test is a test that detects whether a target-type vulnerability exists by means of a simulated attack; the generated simulated-attack traffic contains the corresponding simulated-attack test message, which carries a payload capable of triggering the target-type vulnerability. The specific processes of this active IAST method based on built-in intelligent probes are described in detail below with reference to a specific example implemented in the example environment 200 and to fig. 6, which is a schematic diagram of the active IAST grey-box test process based on built-in intelligent probes according to the above embodiment.
As shown in fig. 6, an active IAST grey-box test process 600 based on built-in intelligent probes includes: at the server 210, for example through corresponding configuration, instrumenting the sites of the relevant key functions with the corresponding predefined built-in intelligent probes and other required Agent tools while the target program is starting (see block 601); after the corresponding intelligent probes have been instrumented, generating the corresponding simulated-attack test traffic at the test side 220, simulating an attack on the server-side target program and providing the corresponding simulated-attack test, so as to detect on the basis of the simulated attack whether a target-type vulnerability exists (see block 602), where the simulated-attack test traffic contains the corresponding simulated-attack test message and that message carries a payload capable of triggering the target-type vulnerability; and configuring the intelligent probe so that, when subjected to the simulated attack, it receives the valid message content of the corresponding simulated-attack test message, obtains the valid runtime data when the simulated-attack test data flow reaches its instrumentation point, then judges from the valid runtime data, the information on the corresponding instrumented target key function and the received valid message content whether the instrumented target key function executes abnormally under the simulated attack, and thereby determines whether the target-type vulnerability is present in the target program (see block 603).
Corresponding to some of the above embodiments of the active IAST method based on built-in intelligent probes, fig. 7 is a block diagram of an IAST grey-box testing system based on built-in intelligent probes according to some embodiments of the present disclosure. As shown in fig. 7, the IAST grey-box testing system includes a vulnerability detection unit 710 and a test unit 720. The vulnerability detection unit 710 is deployed on the server side on the basis of Agent technology and is used to detect and analyse known vulnerability types in the target program during the IAST grey-box test; it is configured to execute the operations of the vulnerability verification method of the above embodiments, instrument intelligent probes into the target program, and, when a simulated-attack test is received, verify through the corresponding intelligent probes the known vulnerability types that may be present in the target program. The test unit 720 is deployed on the test side and is used to generate simulated-attack test traffic, simulate an attack on the server-side target program and provide the corresponding simulated-attack test; it includes at least one attack test node capable of executing the simulated-attack test. The simulated-attack test is a test that detects whether a target-type vulnerability exists by means of a simulated attack; the simulated-attack traffic contains the corresponding simulated-attack test message, which carries a payload capable of triggering the target-type vulnerability.
According to some embodiments of the present disclosure, an apparatus for implementing vulnerability verification is provided. The apparatus is used to verify locally whether known vulnerability types are present in the server-side target program. Because vulnerability verification accompanies and is coupled to the server-side target program, and the related verification generally depends on the local device resources of the server side, the apparatus is usually a server device. Fig. 8 is a block diagram of an electronic device for implementing the vulnerability verification of some of the above embodiments. As shown in fig. 8, the electronic device 800 includes a central processing unit (CPU) 801 that can perform various appropriate operations and processes according to computer program instructions stored in a read-only memory (ROM) 802 or loaded from a storage unit 808 into a random-access memory (RAM) 803; the RAM 803 can also store the various program code and data required for the operation of the electronic device 800. The CPU 801, ROM 802 and RAM 803 are connected to each other via a bus 804, to which an input/output (I/O) interface 805 is also connected. Some components of the electronic device 800 are accessed through the I/O interface 805, including an input unit 806 such as a keyboard and mouse, an output unit 807 such as a display, a storage unit 808 such as a magnetic disk, optical disc or solid-state drive (SSD), and a communication unit 809 such as a network card or modem. The communication unit 809 enables the electronic device 800 to exchange information and data with other devices over a computer network. The CPU 801 can perform the various methods and processes described in the above embodiments, such as part of the operations implementing process 300 and/or process 600.
In some embodiments, the implementation of process 300 and/or process 600 may be implemented as a computer software program tangibly embodied in a computer-readable medium, e.g., in storage unit 808. In some embodiments, part or all of the computer program is loaded or installed into several electronic devices 800. When loaded into RAM803 and executed by CPU801, the computer programs are able to perform some or all of the operations of process 300 and/or the implementation of process 600.
The functions described herein above may be performed, at least in part, by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include: a field-programmable gate array (FPGA), an application-specific integrated circuit (ASIC), an application-specific standard product (ASSP), a system on a chip (SOC), a complex programmable logic device (CPLD), and the like.
Program code for implementing the methods of the present disclosure may be written in any combination of one or more programming languages. The program code may be provided to a processor or controller of a general-purpose computer, special-purpose computer or other programmable data processing apparatus, such that the program code, when executed by the processor or controller, causes the functions and operations specified in the flowcharts and/or block diagrams to be performed. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package partly on the machine and partly on a remote machine, or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
Further, while operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. Under certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are included in the above discussion, these should not be construed as limitations on the scope of the disclosure. Certain features that are described in the context of separate embodiments can also be implemented in combination in a single implementation. Conversely, various features that are described in the context of a single implementation can also be implemented in multiple implementations separately or in any suitable subcombination.
Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.

Claims (10)

1. A vulnerability verification method based on intelligent probes, characterized in that the method is based on Agent technology and comprises the following steps:
at a server side, instrumenting corresponding intelligent probes into target key functions in a target program, the target program comprising at least one target key function corresponding to a target vulnerability type;
the intelligent probe is configured to receive the valid message content of a corresponding simulated-attack test message, to obtain valid runtime data when the data flow of the simulated-attack test reaches the instrumentation point of the intelligent probe, to judge, from the valid runtime data, the information on the corresponding instrumented target key function and the received valid message content of the simulated-attack test message, whether the instrumented target key function executes abnormally when subjected to the simulated attack, and thereby to determine whether a target-type vulnerability is present in the target program;
the simulated-attack test is a test that detects whether a target-type vulnerability exists by means of a simulated attack; the simulated-attack test message carries a payload capable of triggering the target-type vulnerability.
2. The method according to claim 1, characterized in that
the process by which the intelligent probe judges whether its instrumented target key function executes abnormally when subjected to the targeted simulated attack comprises the following steps:
D1: judging whether the valid message content of the simulated-attack test message contains a payload parameter capable of triggering the target-type vulnerability; if so, D2: judging, from the payload parameter content in the simulated-attack test message, the valid runtime data and the target key function information, whether the valid runtime data contains the sanitized form of the payload parameter content of the simulated-attack test message; if not, judging that the target key function has executed abnormally;
or comprises the following steps:
configuring the valid message content of the simulated-attack test message received by the intelligent probe to also include a request parameter value; D1: judging whether the valid message content of the simulated-attack test message contains a payload parameter capable of triggering the target-type vulnerability; if so, D2: judging, from the payload parameter content in the simulated-attack test message, the valid runtime data and the target key function information, whether the valid runtime data contains the sanitized form of the payload parameter content of the simulated-attack test message; and D3: judging whether the valid runtime data contains the request parameter value; if D2 is NO and D3 is YES, judging that the target key function has executed abnormally.
3. The method according to claim 1, characterized in that
for the target vulnerability type, any intelligent probe instrumented into the target program can independently determine whether the target-type vulnerability is present in the target program;
and/or,
corresponding auxiliary probes are instrumented into the target program; the auxiliary probe is used to obtain the valid message content of the simulated-attack test message supplied to the intelligent probe and/or to obtain the response message returned by the target program to the test side;
and the response message is used for auxiliary analysis in the verification of the target-type vulnerability.
4. The method according to claim 3, characterized in that
the auxiliary probe can be reused, in the verification of different vulnerability types, to obtain valid message content or response messages of simulated-attack test messages that share the same acquisition site and satisfy the same content-format requirement, and to provide the corresponding valid message content of the simulated-attack test messages to different intelligent probes or the corresponding response messages to different vulnerability-verification auxiliary analysis processes.
5. The method according to claim 1 or 3, characterized in that
the corresponding probes are instrumented into the target program by runtime instrumentation.
6. The method according to claim 1, characterized in that
the valid runtime data further comprises function call stack information; the function call stack information contains code-line information from which the trigger point of the target-type vulnerability can be determined; and the function call stack information is used to locate the position of the target-type vulnerability precisely.
7. An active IAST method based on built-in intelligent probes, characterized by comprising the following steps:
at a server side, executing the operations of the vulnerability verification method according to any one of claims 1 to 6, instrumenting intelligent probes into a target program, and, when the target program is subjected to a simulated-attack test, verifying through the corresponding intelligent probes the known vulnerability types that may be present in the target program; at a test side, generating simulated-attack test traffic, simulating an attack on the server-side target program and providing the corresponding simulated-attack test; the simulated-attack test is a test that detects whether a target-type vulnerability exists by means of a simulated attack; the generated simulated-attack traffic contains the corresponding simulated-attack test message; the simulated-attack test message carries a payload capable of triggering the target-type vulnerability.
8. An IAST grey-box test system based on built-in intelligent probes, characterized by comprising a vulnerability detection unit and a test unit;
the vulnerability detection unit is deployed on the server side on the basis of Agent technology and is used to detect and analyse known vulnerability types in a target program during the IAST grey-box test; the vulnerability detection unit is configured to execute the operations of the vulnerability verification method according to any one of claims 1 to 6, instrument intelligent probes into the target program, and, when a simulated-attack test is received, verify through the corresponding intelligent probes the known vulnerability types that may be present in the target program;
the test unit is deployed on the test side and is used to generate simulated-attack test traffic, simulate an attack on the server-side target program and provide the corresponding simulated-attack test; the test unit comprises at least one attack test node capable of executing the simulated-attack test; the simulated-attack test is a test that detects whether a target-type vulnerability exists by means of a simulated attack; the simulated-attack traffic contains the corresponding simulated-attack test message; the simulated-attack test message carries a payload capable of triggering the target-type vulnerability.
9. An apparatus for implementing vulnerability verification, characterized by comprising:
at least one processor, a memory coupled to the at least one processor, and a computer program stored in the memory;
wherein the processor executes the computer program to implement the intelligent-probe-based vulnerability verification method according to any one of claims 1 to 6.
10. A computer-readable storage medium, characterized in that
the medium stores IAST-related computer instructions,
which, when executed by a computer processor, can implement the intelligent-probe-based vulnerability verification method according to any one of claims 1 to 6,
and/or the active IAST method based on built-in intelligent probes according to claim 7.
CN202110576575.8A 2021-05-26 2021-05-26 Vulnerability verification method based on intelligent probe and related IAST method and system Active CN113158191B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110576575.8A CN113158191B (en) 2021-05-26 2021-05-26 Vulnerability verification method based on intelligent probe and related IAST method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110576575.8A CN113158191B (en) 2021-05-26 2021-05-26 Vulnerability verification method based on intelligent probe and related IAST method and system

Publications (2)

Publication Number Publication Date
CN113158191A true CN113158191A (en) 2021-07-23
CN113158191B CN113158191B (en) 2022-01-07

Family

ID=76877468

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110576575.8A Active CN113158191B (en) 2021-05-26 2021-05-26 Vulnerability verification method based on intelligent probe and related IAST method and system

Country Status (1)

Country Link
CN (1) CN113158191B (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110266737A (en) * 2019-07-30 2019-09-20 杭州安恒信息技术股份有限公司 Vulnerability detection method, apparatus, device and medium for cross-origin resource sharing
CN110516448A (en) * 2019-09-02 2019-11-29 杭州安恒信息技术股份有限公司 Grey-box testing method, apparatus, device and readable storage medium
CN110929264A (en) * 2019-11-21 2020-03-27 中国工商银行股份有限公司 Vulnerability detection method and device, electronic equipment and readable storage medium
CN112560045A (en) * 2020-12-11 2021-03-26 腾讯科技(深圳)有限公司 Application program vulnerability detection method and device, computer equipment and storage medium

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114661362A (en) * 2022-03-01 2022-06-24 深圳开源互联网安全技术有限公司 DevSecOps-based pipeline implementation method and system
CN114661362B (en) * 2022-03-01 2023-11-03 深圳开源互联网安全技术有限公司 Pipeline implementation method and system based on DevSecOps
CN117155628A (en) * 2023-08-28 2023-12-01 北京安普诺信息技术有限公司 Method, device and related system for interactive security test of containerized application
CN117061222A (en) * 2023-09-12 2023-11-14 北京安全共识科技有限公司 Vulnerability data acquisition method and vulnerability verification method
CN117061222B (en) * 2023-09-12 2024-05-07 北京基调网络股份有限公司 Vulnerability data acquisition method and vulnerability verification method

Also Published As

Publication number Publication date
CN113158191B (en) 2022-01-07

Similar Documents

Publication Publication Date Title
CN113158191B (en) Vulnerability verification method based on intelligent probe and related IAST method and system
CN112906010B (en) Automatic attack testing method and automatic safety testing method based on same
US10581879B1 (en) Enhanced malware detection for generated objects
Martignoni et al. A layered architecture for detecting malicious behaviors
CN113162945B (en) Vulnerability detection analysis method and device and vulnerability verification method and system based on vulnerability detection analysis method and device
CN112906011B (en) Vulnerability discovery method, testing method, security testing method, related device and platform
CN110929264B (en) Vulnerability detection method and device, electronic equipment and readable storage medium
CN108830084A (en) Handheld terminal and protection method for computer information security vulnerability scanning and hardening
CN104751056A (en) Vulnerability verification system and method based on attack library
CN111813696A (en) Application testing method, device and system and electronic equipment
CN103268448B (en) The method and system of the security of detection of dynamic Mobile solution
CN109948338B (en) Android application sensitive path triggering method based on static analysis
Alhanahnah et al. Dina: Detecting hidden android inter-app communication in dynamic loaded code
Chester et al. M-perm: A lightweight detector for android permission gaps
WO2021243555A1 (en) Quick application test method and apparatus, device, and storage medium
CN116305120A (en) Dual-verification android malicious software hybrid detection system and method
CN116415300A (en) File protection method, device, equipment and medium based on eBPF
Bu et al. When program analysis meets mobile security: an industrial study of misusing android internet sockets
CN113761539B (en) HarmonyOS security vulnerability defense method and system
Khanmohammadi et al. On the Use of API Calls for Detecting Repackaged Malware Apps: Challenges and Ideas
CN117056918A (en) Code analysis method and related equipment
CN113672933A (en) HarmonyOS security vulnerability detection method and system
Lin et al. Mobile malware detection in sandbox with live event feeding and log pattern analysis
CN112506782A (en) Application program testing method, device, equipment and storage medium
CN111385253A (en) Vulnerability detection system for network security of power distribution automation system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant