CN113556336B - Detection method and device for privilege escalation vulnerability attack and electronic equipment - Google Patents


Info

Publication number
CN113556336B
Authority
CN
China
Prior art keywords
attribute information
account
information
jump instruction
determining
Legal status
Active
Application number
CN202110813767.6A
Other languages
Chinese (zh)
Other versions
CN113556336A (en)
Inventor
张云涛
崔翔
王忠儒
杜春来
Current Assignee
Dingniu Information Security Technology Jiangsu Co ltd
Beijing Digapis Technology Co ltd
Original Assignee
Dingniu Information Security Technology Jiangsu Co ltd
Beijing Digapis Technology Co ltd
Application filed by Dingniu Information Security Technology Jiangsu Co ltd, Beijing Digapis Technology Co ltd
Priority to CN202110813767.6A
Publication of CN113556336A
Application granted
Publication of CN113556336B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/34 Network arrangements or protocols for supporting network services or applications involving the movement of software or configuration parameters

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The disclosure relates to a method and a device for detecting a privilege escalation vulnerability attack, and to an electronic device. The method comprises: acquiring, while a target program runs, jump instruction information, attribute information of the corresponding process, attribute information of an account, and attribute information of the files owned by the account; and determining that a privilege escalation attack is underway when at least two of the following conditions are met: an abnormal jump instruction exists; the attribute information of the process has changed; and the authority of the account, or the attribute information of the files it owns, has been modified, as determined by comparing the attribute information of the account and of its files with their standard (baseline) attribute information. Embodiments of the disclosure observe the system from three different angles and report a privilege escalation attack only when at least two of the conditions are violated, which improves the precision of detecting privilege escalation attacks that exploit binary vulnerabilities and reduces both false positives and false negatives.

Description

Detection method and device for privilege escalation vulnerability attack and electronic equipment
Technical Field
The present disclosure relates to the field of security technologies, and in particular to a method and an apparatus for detecting a privilege escalation vulnerability attack, and to an electronic device.
Background
A privilege escalation vulnerability attack is one in which an attacker exploits a vulnerability to raise the privilege of an account from a low privilege level to the highest privilege level in the system. At present, programs through which a server provides services to clients run on physical machines in binary form. Once an attacker has obtained low-level access by exploiting a vulnerability in such a binary service program, the attacker can escalate to the highest privilege level of the system and thereby take complete control of the physical machine. A successful escalation gives the attacker access to the data stored on the server, such as user information, and can serve as a foothold for lateral movement against other servers.
Disclosure of Invention
According to an aspect of the present disclosure, a method for detecting a privilege escalation vulnerability attack is provided, the method including:
acquiring, while a target program runs, jump instruction information, attribute information of the corresponding process, attribute information of an account, and attribute information of the files owned by the account, wherein the attribute information of the process comprises the authority (credential) attribute information of the process, the library functions called by the process, and the system calls made by the process;
determining that a privilege escalation attack is underway when at least two of the following conditions are met:
determining that an abnormal jump instruction exists according to the jump instruction information and a preset jump instruction information set;
determining that the attribute information of the process has changed, according to the attribute information of the process and the standard attribute information of the process, wherein the change comprises at least one of: a change in the authority attribute information, the process calling a sensitive library function, and the process making a sensitive system call;
and determining, according to the attribute information of the account, the attribute information of all files owned by the account, the standard attribute information of the account and the standard attribute information of all files owned by the account, that the authority of the account or the attribute information of the files it owns has been modified.
In one possible embodiment, the method further comprises:
determining direct jump instruction information of the target program by using a static analysis tool;
determining indirect jump instruction information and indirect call instruction information according to the pointer information of the target program;
obtaining a preset jump instruction information set of the target program according to the direct jump instruction information, the indirect jump instruction information and the indirect call instruction information;
and providing the preset jump instruction information set to a jump judgment process.
In one possible embodiment, the method further comprises:
running the target program in a test environment, and acquiring the standard attribute information of the process corresponding to the running target program, wherein the standard attribute information comprises the standard authority attribute information and the set of library functions and system calls that the process may legitimately call.
In one possible embodiment, the accounts include a low-privilege (primary) account and a high-privilege account whose authority is higher than that of the primary account, and determining that the authority of the account or the attribute information of the files owned by the account has been modified includes:
determining that the authority of the primary account has been elevated and/or that the attribute information of a file owned by the high-privilege account has been modified; or
determining that the attribute information of a file owned by the high-privilege account has been modified by a primary account whose permissions have been elevated.
In one possible embodiment, the target program comprises a service program running on a server.
According to an aspect of the present disclosure, there is provided an apparatus for detecting a privilege escalation vulnerability attack, the apparatus including:
an information acquisition module for acquiring, while a target program runs, jump instruction information, attribute information of the corresponding process, attribute information of an account and attribute information of the files owned by the account, wherein the attribute information of the process comprises the authority attribute information of the process, the library functions called by the process and the system calls made by the process;
an attack determining module, connected to the information acquisition module, for determining that a privilege escalation vulnerability attack is underway when at least two of the following conditions are met:
determining that an abnormal jump instruction exists according to the jump instruction information and a preset jump instruction information set;
determining that the attribute information of the process has changed, according to the attribute information of the process and the standard attribute information of the process, wherein the change comprises at least one of: a change in the authority attribute information, the process calling a sensitive library function, and the process making a sensitive system call;
and determining, according to the attribute information of the account, the attribute information of all files owned by the account, the standard attribute information of the account and the standard attribute information of all files owned by the account, that the authority of the account or the attribute information of the files it owns has been modified.
In a possible implementation, the apparatus further includes a first obtaining module configured to:
determining direct jump instruction information of the target program by using a static analysis tool;
determining indirect jump instruction information and indirect call instruction information according to the pointer information of the target program;
obtaining a preset jump instruction information set of the target program according to the direct jump instruction information, the indirect jump instruction information and the indirect call instruction information;
and providing the preset jump instruction information set to a jump judgment process.
In a possible implementation, the apparatus further includes a second obtaining module configured to:
running the target program in a test environment, and acquiring the standard attribute information of the process corresponding to the running target program, wherein the standard attribute information comprises the standard authority attribute information and the set of library functions and system calls that the process may legitimately call.
In one possible embodiment, the accounts include a low-privilege (primary) account and a high-privilege account whose authority is higher than that of the primary account, and determining that the authority of the account or the attribute information of the files owned by the account has been modified includes:
determining that the authority of the primary account has been elevated and/or that the attribute information of a file owned by the high-privilege account has been modified; or
determining that the attribute information of a file owned by the high-privilege account has been modified by a primary account whose permissions have been elevated.
In one possible embodiment, the target program comprises a service program running on a server.
According to an aspect of the present disclosure, there is provided an electronic device including: a processor; a memory for storing processor-executable instructions; wherein the processor is configured to invoke the memory-stored instructions to perform the above-described method.
According to an aspect of the present disclosure, there is provided a computer readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the above-described method.
Embodiments of the present disclosure acquire, while the target program runs, jump instruction information, attribute information of the corresponding process, attribute information of the account and attribute information of all files owned by the account, and perform several independent judgments on that information: whether an abnormal jump instruction exists, according to the jump instruction information and the preset jump instruction information set; whether the attribute information of the process has changed, according to the attribute information of the process and the standard attribute information of the process; and whether the authority of the account or the attribute information of its files has been modified, according to the attribute information of the account and of all its files and the corresponding standard attribute information. A privilege escalation vulnerability attack is reported only when at least two of these conditions are satisfied.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure. Other features and aspects of the present disclosure will become apparent from the following detailed description of exemplary embodiments, which proceeds with reference to the accompanying drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and, together with the description, serve to explain the principles of the disclosure.
Fig. 1 shows a flowchart of a detection method for a privilege escalation vulnerability attack according to an embodiment of the present disclosure.
FIG. 2 shows a schematic diagram of the operation of a detection model according to an embodiment of the present disclosure.
Fig. 3 shows a block diagram of a detection apparatus for a privilege escalation vulnerability attack according to an embodiment of the present disclosure.
FIG. 4 shows a block diagram of an electronic device in accordance with an embodiment of the present disclosure.
FIG. 5 shows a block diagram of an electronic device in accordance with an embodiment of the present disclosure.
Detailed Description
Various exemplary embodiments, features and aspects of the present disclosure will be described in detail below with reference to the accompanying drawings. In the drawings, like reference numbers can indicate functionally identical or similar elements. While the various aspects of the embodiments are presented in drawings, the drawings are not necessarily drawn to scale unless specifically indicated.
In the description of the present disclosure, it is to be understood that the terms "length," "width," "upper," "lower," "front," "rear," "left," "right," "vertical," "horizontal," "top," "bottom," "inner," "outer," and the like, as used herein, refer to an orientation or positional relationship indicated in the drawings, which is solely for the purpose of facilitating the description and simplifying the description, and does not indicate or imply that the referenced device or element must have a particular orientation, be constructed and operated in a particular orientation, and, therefore, should not be taken as limiting the present disclosure.
Furthermore, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature. In the description of the present disclosure, "a plurality" means two or more unless specifically limited otherwise.
In the present disclosure, unless otherwise expressly stated or limited, the terms "mounted," "connected," "secured," and the like are to be construed broadly and can, for example, be fixedly connected, detachably connected, or integral; can be mechanically or electrically connected; either directly or indirectly through intervening media, either internally or in any other relationship. The specific meaning of the above terms in the present disclosure can be understood by those of ordinary skill in the art as appropriate.
The word "exemplary" is used exclusively herein to mean "serving as an example, embodiment, or illustration." Any embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.
The term "and/or" herein merely describes an association between objects and covers three cases; for example, "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone. In addition, the term "at least one" herein means any one of a plurality or any combination of at least two of a plurality; for example, "including at least one of A, B, C" may mean including any one or more elements selected from the group consisting of A, B and C.
Furthermore, in the following detailed description, numerous specific details are set forth in order to provide a better understanding of the present disclosure. It will be understood by those skilled in the art that the present disclosure may be practiced without some of these specific details. In some instances, methods, means, elements and circuits that are well known to those skilled in the art have not been described in detail so as not to obscure the present disclosure.
In related technical schemes, whether privilege escalation has occurred is generally judged only from the attributes of the running process. In practice, however, a user may also legitimately perform operations that switch privileges, and such operations change the authority of the service process; if every process whose authority changes is identified as a privilege escalation attack, the false positive rate is high. At the same time, related schemes focus mainly on an ordinary user modifying its own authority to the highest authority, and neglect the case in which a low-privilege process escalates by modifying the file attributes of a high-privilege process, which leads to missed detections.
Embodiments of the present disclosure address both problems: they acquire, while the target program runs, the jump instruction information, the attribute information of the corresponding process, the attribute information of the account and the attribute information of all files owned by the account; judge each of the three conditions independently (an abnormal jump instruction, according to the preset jump instruction information set; a change in the attribute information of the process, according to the standard attribute information of the process; a modification of the authority of the account or of the attribute information of its files, according to the corresponding standard attribute information); and determine that a privilege escalation vulnerability attack is underway only when at least two of the conditions are met.
Fig. 1 shows a flowchart of a detection method for a privilege escalation vulnerability attack according to an embodiment of the present disclosure.
The method for detecting a privilege escalation vulnerability attack may be executed by a detection device for privilege escalation vulnerability attacks, for example by a terminal device, a server or another processing device. The terminal device may be a User Equipment (UE), a mobile device, a user terminal, a handheld device, a computing device or a vehicle-mounted device, for example: a mobile phone, a tablet computer, a notebook computer, a palmtop computer, a Mobile Internet Device (MID), a wearable device, a Virtual Reality (VR) device, an Augmented Reality (AR) device, or a wireless terminal in industrial control, autonomous driving, remote surgery, a smart grid, transportation safety, a smart city, a smart home or vehicle networking, and the like.
In some possible implementations, the method for detecting a privilege escalation vulnerability attack may be implemented by a processing component calling computer-readable instructions stored in a memory. In one example, a processing component includes, but is not limited to, a single processor, discrete components, or a combination of a processor and discrete components. The processor may comprise a controller capable of executing instructions in an electronic device, which may be implemented in any suitable manner, e.g., by one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), controllers, micro-controllers, microprocessors or other electronic components. Within the processor, the executable instructions may be executed by hardware circuits such as logic gates, switches, ASICs, programmable logic controllers and embedded microcontrollers. As shown in Fig. 1, the method for detecting a privilege escalation vulnerability attack includes steps S11 to S12.
As shown in fig. 1, the method includes:
step S11, acquiring, while the target program runs, jump instruction information, attribute information of the corresponding process, attribute information of an account and attribute information of the files owned by the account, wherein the attribute information of the process comprises the authority attribute information of the process, the library functions called by the process and the system calls (System Call) made by the process;
step S12, determining that a privilege escalation attack is underway when at least two of the following conditions are satisfied:
determining that an abnormal jump instruction exists according to the jump instruction information and a preset jump instruction information set;
determining that the attribute information of the process has changed, according to the attribute information of the process and the standard attribute information of the process, wherein the change comprises at least one of: a change in the authority attribute information, the process calling a sensitive library function, and the process making a sensitive system call;
and determining, according to the attribute information of the account, the attribute information of all files owned by the account, the standard attribute information of the account and the standard attribute information of all files owned by the account, that the authority of the account or the attribute information of the files it owns has been modified.
In a possible implementation manner, the target program includes a service program of a server, or another type of program; the embodiments of the present disclosure do not limit the specific type, content or function of the target program.
For example, when attacking through a binary vulnerability, an attacker commonly resorts to control-flow hijacking: the hijacked control flow is used to obtain control of the server process, after which a privilege escalation step is performed to gain complete control of the server or other electronic device. Accordingly, embodiments of the present disclosure use a control-flow integrity (CFI) mechanism to capture the attacker's behaviour at this early stage, before the escalation completes. By monitoring the control-flow transfers of the program, the detector checks that every control-flow jump stays within the range permitted by the legal control flow graph.
The jump instruction information may be obtained in various ways, which the embodiments of the present disclosure do not limit. Illustratively, check code could be inserted at each jump instruction of the program to record the jump and decide whether its target is legal; however, to obtain good detection coverage every indirect jump instruction in the program would have to be instrumented, so the overhead is too high and the instrumented program is difficult to deploy in a production environment. To reduce system overhead and deployment difficulty, embodiments of the present disclosure may instead use a hardware-assisted mechanism, referred to here as BTB (branch trace buffer), to capture information on all jump instructions while the target program runs: the hardware writes the branch records into a buffer designated by the controller (e.g., the CPU), and when the buffer is full another process (e.g., the jump judgment process) performs the validity judgment. (The facility described, in which the processor writes each taken-branch record into a memory buffer that is drained when full, corresponds on Intel CPUs to the Branch Trace Store (BTS); the Branch Target Buffer proper is an internal predictor structure that software cannot read.) Obtaining the jump instruction information through this hardware mechanism and having a separate process compare it with the preset jump instruction information set to judge the validity of each jump reduces system overhead and eases deployment in a production system.
In a possible implementation, embodiments of the present disclosure obtain the preset jump instruction information set in advance and provide it to a jump judgment process dedicated to checking the validity of jump instructions.
In one possible embodiment, the method may further include:
determining direct jump instruction information of the target program by using a static analysis tool;
determining indirect jump instruction information and indirect call instruction information according to the pointer information of the target program;
obtaining a preset jump instruction information set of the target program according to the direct jump instruction information, the indirect jump instruction information and the indirect call instruction information;
and providing the preset jump instruction information set to a jump judgment process.
In one example, static analysis tools may include IDA Pro (Interactive Disassembler Professional), binoa, etc. Embodiments of the present disclosure may use such a tool to analyse the binary of the target program and build its Control Flow Graph (CFG), in which each directed edge represents a possible control-flow transfer, such as a jump from address A to address B. The direct jump instruction information of the target program (jumps and calls whose target is encoded in the instruction itself) can be determined directly with the static analysis tool.
In an example, the indirect jump instruction information and the indirect call instruction information may be determined by analysing the pointer information of the target program, i.e., the set of addresses that each function pointer or jump-table index can take. The specific tool or method used for the pointer analysis is not limited by the embodiments of the present disclosure and can be chosen by those skilled in the art as needed.
According to embodiments of the present disclosure, a complete CFG of the target program, i.e., the preset jump instruction information set, is obtained from the direct jump instruction information, the indirect jump instruction information and the indirect call instruction information, so that the legal targets of all jump instructions of the target program are known. The preset jump instruction information set is preferably held by the jump judgment process itself, to reduce lookup overhead; alternatively, it may be stored in a database.
For example, embodiments of the present disclosure compare each observed jump with the jump instruction information in the preset jump instruction information set; if a control-flow transfer outside the preset set is found, the integrity of the control flow has been violated and a potential privilege escalation vulnerability attack is indicated (the first of the three conditions).
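The jump judgment described above, written out as an added example (this is not the patent's own code): the preset jump instruction information set is modelled as the set of legal (source, target) edges assembled from direct-jump targets and the per-site target sets of the pointer analysis, and a drained buffer of branch records is checked against it. All addresses, the .text range of the target program and the record layout are hypothetical; a deployment would fill the two tables from the disassembler and pointer analysis and feed records from the hardware trace buffer.

```python
"""Condition one: check hardware branch records against the legal CFG edges.

Added example, not the patent's own code. Addresses, the .text range and the
record format are hypothetical."""
from dataclasses import dataclass

# Direct jumps/calls: one fixed target each, recovered by static disassembly.
DIRECT_JUMPS = {
    0x401000: 0x401020,   # jmp
    0x401030: 0x401800,   # call helper
}
# Indirect jumps/calls: the set of targets pointer analysis allows per site.
INDIRECT_TARGETS = {
    0x401050: {0x401100, 0x401140, 0x401180},   # jump table
    0x401200: {0x401800, 0x401900},             # call through function pointer
}
TEXT_RANGE = (0x401000, 0x402000)   # hypothetical .text of the target program


def build_allowed_edges(direct, indirect):
    """Preset jump instruction information set as (source, target) pairs."""
    edges = set(direct.items())
    for src, targets in indirect.items():
        edges.update((src, dst) for dst in targets)
    return frozenset(edges)


ALLOWED_EDGES = build_allowed_edges(DIRECT_JUMPS, INDIRECT_TARGETS)
KNOWN_SITES = frozenset(DIRECT_JUMPS) | frozenset(INDIRECT_TARGETS)


@dataclass(frozen=True)
class BranchRecord:
    """One taken branch as delivered by the hardware trace buffer."""
    src: int
    dst: int


def check_branch_records(records, allowed, text_range, known_sites):
    """Split a drained buffer into CFG violations and unclassifiable records.

    Branches whose source lies outside the target's own .text (shared
    libraries, kernel) are not judged here. A source inside .text that the
    static analysis never modelled cannot be declared legal or illegal, so
    it is returned separately instead of being silently accepted."""
    lo, hi = text_range
    violations, unknown = [], []
    for rec in records:
        if not lo <= rec.src < hi:
            continue
        if rec.src not in known_sites:
            unknown.append(rec)
        elif (rec.src, rec.dst) not in allowed:
            violations.append(rec)
    return violations, unknown


# Constructed sample buffer: a normal run with one hijacked indirect jump.
SAMPLE_RECORDS = [
    BranchRecord(0x401000, 0x401020),               # direct jmp, legal
    BranchRecord(0x401030, 0x401800),               # direct call, legal
    BranchRecord(0x401050, 0x401140),               # indirect jmp to an analysed target
    BranchRecord(0x7FFFF7A0C123, 0x7FFFF7A0C200),   # inside a shared library: skipped
    BranchRecord(0x401200, 0x401900),               # indirect call, legal
    BranchRecord(0x401050, 0x7FFFF7A5E000),         # indirect jmp out of the CFG: violation
    BranchRecord(0x4010F0, 0x401100),               # in .text but never analysed: unknown
]


def analyse_sample():
    """Run the jump judgment over the constructed buffer."""
    return check_branch_records(SAMPLE_RECORDS, ALLOWED_EDGES, TEXT_RANGE, KNOWN_SITES)


if __name__ == "__main__":
    bad, unk = analyse_sample()
    for rec in bad:
        print(f"CFI violation: {rec.src:#x} -> {rec.dst:#x}")
    for rec in unk:
        print(f"unmodelled site: {rec.src:#x} -> {rec.dst:#x}")
```

Two points worth noting when applying this to a real binary. The set the disclosure builds covers direct jumps, indirect jumps and indirect calls; return instructions are not in it, so a return-oriented hijack would have to be caught by a separate check (a shadow stack, or the set of valid return sites after each call). And the "unknown" bucket matters: a branch site that the static analysis missed is exactly where a hijack can hide, so such records should drive a re-analysis rather than be ignored.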
Illustratively, to escalate privileges an attacker needs to modify the privilege fields in the process attributes. Attribute information related to a process is generally stored in the Process Control Block (PCB); in Linux, for example, the authority-related content is recorded in the cred structure referenced from the PCB (the task_struct), and its euid field represents the effective access rights of the process, so an attacker who modifies this field has completed the escalation. Embodiments of the present disclosure therefore extract information on the sensitive library functions and system calls related to the program, for example, for a Linux program, the system calls made and the library functions called while the monitored process executes; when the program executes a sensitive library function or system call, the attacker's privilege escalation behaviour is captured.
Embodiments of the present disclosure may run the target program in a trusted test environment to determine the standard attribute information of the process in advance.
In one possible embodiment, the method may further include:
running the target program in a test environment, and acquiring the standard attribute information of the process corresponding to the running target program, wherein the standard attribute information comprises the standard authority attribute information and the set of library functions and system calls that the process may legitimately call.
Illustratively, the rights attribute information may include, for example, uid, gid, suid, euid, and the like.
The embodiment of the present disclosure does not limit the type of the system, the system may be a linux system, a windows system, a UNIX system, or another system, and for different systems, the permission attribute information, the library function, and the system call may differ.
The embodiment of the present disclosure does not limit the specific implementation manners of collecting the authority attribute information, the library function called by the process, and the system call, and those skilled in the art can determine the specific implementation manners as needed.
For example, the embodiment of the present disclosure may compare the attribute information of the process with the standard attribute information of the process; if it is determined that the attribute information of the process has changed, for example because the attribute information of the process is modified (e.g., the euid of the process is modified) or the behavior of the process is abnormal, for example because a sensitive system call (e.g., execve()) or a sensitive library function (e.g., commit_creds(), prepare_kernel_cred()) is called, a potential privilege-escalation vulnerability attack may be determined.
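The process-attribute observation point just described, written out as an added example (this is not the patent's implementation). It reads the credential fields from Linux `/proc/<pid>/status` text, compares them with a baseline recorded in the test run, and flags sensitive calls; the two status snapshots, the allowed-call set and the sensitive-call set (taken from the names the page mentions) are constructed, and flagging a call that is merely outside the baseline set is a generalization of the page's "behavior is abnormal" check.

```python
"""Process-attribute observation point for the privilege-escalation detector
described above.  Added example, not the patent's implementation.  The
/proc/<pid>/status text is constructed; the Uid/Gid line layout
(real, effective, saved, filesystem) follows the real Linux format."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed baseline: the service process as recorded in the trusted test run.
BASELINE_STATUS = (
    "Name:\tsvc\n"
    "State:\tS (sleeping)\n"
    "Pid:\t4242\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "Gid:\t1000\t1000\t1000\t1000\n"
)

# Constructed runtime snapshot: effective, saved and fs uid now read 0,
# the footprint of a modified cred structure.
RUNTIME_STATUS = (
    "Name:\tsvc\n"
    "State:\tR (running)\n"
    "Pid:\t4242\n"
    "Uid:\t1000\t0\t0\t0\n"
    "Gid:\t1000\t1000\t1000\t1000\n"
)

CRED_FIELDS = ("uid", "euid", "suid", "fsuid", "gid", "egid", "sgid", "fsgid")

# Sensitive calls named on the page; an example set, not an exhaustive one.
SENSITIVE_CALLS: Set[str] = {"commit_creds", "prepare_kernel_cred", "execve"}


def parse_status(text: str) -> Dict[str, int]:
    """Extract the permission fields (uid/euid/suid/fsuid and the gid
    equivalents) from /proc/<pid>/status text."""
    creds: Dict[str, int] = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key not in ("Uid", "Gid"):
            continue
        parts = value.split()
        if len(parts) != 4:
            raise ValueError(f"malformed {key} line: {line!r}")
        names = CRED_FIELDS[:4] if key == "Uid" else CRED_FIELDS[4:]
        for name, raw in zip(names, parts):
            creds[name] = int(raw)
    missing = [f for f in CRED_FIELDS if f not in creds]
    if missing:
        raise ValueError(f"status text lacks fields: {missing}")
    return creds


@dataclass(frozen=True)
class ProcessBaseline:
    """Standard attribute information recorded in the test environment."""
    creds: Dict[str, int]
    allowed_calls: Set[str]  # library functions / system calls the process may call


def attribute_changes(baseline: ProcessBaseline,
                      runtime_creds: Dict[str, int],
                      observed_calls: Iterable[str]) -> List[str]:
    """Return one finding per deviation from the baseline: a changed
    permission field, a sensitive call, or a call outside the recorded set."""
    findings: List[str] = []
    for name in CRED_FIELDS:
        if runtime_creds[name] != baseline.creds[name]:
            findings.append(f"{name} changed {baseline.creds[name]} -> {runtime_creds[name]}")
    for call in observed_calls:
        if call in SENSITIVE_CALLS:
            findings.append(f"sensitive call {call}")
        elif call not in baseline.allowed_calls:
            findings.append(f"call outside baseline set: {call}")
    return findings


def check_process(observed_calls: Iterable[str]) -> List[str]:
    """Run the observation point over the constructed snapshots."""
    baseline = ProcessBaseline(parse_status(BASELINE_STATUS), {"read", "write", "mmap"})
    return attribute_changes(baseline, parse_status(RUNTIME_STATUS), observed_calls)


if __name__ == "__main__":
    for finding in check_process(["read", "write", "commit_creds"]):
        print(finding)
```

On the constructed snapshots the check reports the three changed uid fields and the `commit_creds` call; a process whose credentials and calls match the baseline yields no findings.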
In one possible implementation, the accounts may include at least a primary account and a senior account, the senior account having higher authority than the primary account. Different types of accounts may have different identities, and the type of an account may be determined according to its identity; the embodiment of the present disclosure does not limit the specific form of the identity. For example, taking Linux and UNIX systems as examples, the senior account may have root privileges, an account with root privileges may add, delete, modify, read, and so on any file in the system, and the primary account may be an account without root privileges. Illustratively, elevating the authority of an account means, for example, promoting a primary account to a senior account.
For example, besides modifying the authority of a process to a high authority, an attacker can carry out a privilege-escalation attack through the attributes of files owned by a high-authority user; therefore the embodiment of the disclosure extracts the attribute information of the primary account and/or the senior account and the attribute information of the files owned by the primary account and/or the senior account, and determines whether a potential privilege-escalation vulnerability attack exists.
For example, when the target program runs, the embodiment of the present disclosure may record attribute information of each account and attribute information of a file owned by each account in real time.
In a possible implementation manner, determining that the authority of the account or the attribute information of all files is modified may include:
determining that the authority of the primary account is elevated and/or that attribute information of a file owned by the senior account is modified; or
determining that attribute information of a file owned by the senior account is modified by the primary account whose permissions have been elevated.
For example, when the authority of an ordinary user is raised, or the attributes of a file owned by a high-authority user are modified, or it is determined that the attribute information of a file owned by the senior account is modified by the primary account with elevated authority, it may be determined that a potential privilege-escalation vulnerability attack is present.
In order to reduce the false alarm rate, the embodiment of the disclosure determines that a privilege-escalation attack on the process is under way only when at least two observation points detect that an attacker is using a vulnerability to perform privilege-escalation behavior.
Referring to fig. 2, fig. 2 is a schematic diagram illustrating an operation of a detection model according to an embodiment of the disclosure.
In one example, as shown in fig. 2, the detection model of the embodiment of the disclosure may include a control flow extraction module, a process information extraction module, and a user information extraction module. The control flow extraction module may acquire the preset jump instruction information set: for example, it determines the direct jump instruction information of the target program by using a static analysis tool, determines the indirect jump instruction information and indirect call instruction information according to the pointer information of the target program, obtains the preset jump instruction information set of the target program from the direct jump, indirect jump, and indirect call instruction information, and stores the preset jump instruction information set to the jump judgment process; for example, in the acquired jump instruction information set, the control flow includes A->B->D, A->C->E, C->E, and A->C->F. The process information extraction module may run the target program in a test environment and obtain the standard attribute information of the corresponding process; for example, the UID of the primary account in the standard attribute information is 12. The user information extraction module may acquire the standard attribute information of an account and the standard attribute information of the files owned by the account. The standard attribute information of the process, of the account, and of the files owned by the account can be stored in a high-performance distributed time-series database, which supports low-latency, real-time tasks, provides rich data analysis and distributed computing functions, and improves detection efficiency.
In an example, as shown in fig. 2, the detection model may further include a runtime monitoring module configured to monitor the control-flow jumps, behavior, and user attribute information of the program while the program at the server provides its service; that is, while the service-providing process runs, the jump instruction information of the target program, the attribute information of the corresponding process, the attribute information of the account, and the attribute information of the files owned by the account are obtained. For example, the obtained jump instruction information includes C->B, and the UID of an ordinary user is 0.
In an example, as shown in fig. 2, the detection model may include a data analysis system configured to compare the collected runtime information with the information stored in the high-performance database: determine whether an abnormal jump instruction exists according to the jump instruction information and the preset jump instruction information set; determine whether the attribute information has changed according to the attribute information of the process and the standard attribute information of the process; and determine whether the authority of the account or the attribute information of all files is modified according to the attribute information of the account, the attribute information of all files owned by the account, the standard attribute information of the account, and the standard attribute information of all files owned by the account. When at least two of these conditions are met, it is determined that a privilege-escalation vulnerability attack is being carried out. For example, the data analysis system finds that the control-flow jump C->B is not in the original control flow graph and that the UID of the user has changed; two observation points are violated, so it is determined that the process is under a privilege-escalation attack.
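The data-analysis step of fig. 2, as an added example that is not the patent's own data analysis system: three observation points (jump edges against the preset set, process permission fields against the baseline, account authority and senior-owned file attributes against their baselines) and the at-least-two rule. The preset jump set and the runtime values follow the page's worked example (control flow A->B->D, A->C->E, A->C->F; runtime jump C->B; primary-account UID 12 at baseline and 0 at runtime); the file attributes, the second scenario in which only one observation point fires, and all function names are constructed and go slightly beyond the page's single case.

```python
"""Heterogeneous observation chain: three independent observation points and
the at-least-two rule used to cut false alarms.  Added example, not the
patent's implementation; inputs follow the page's worked example where it
gives values and are constructed elsewhere."""
from typing import Dict, Iterable, List, Set, Tuple

Edge = Tuple[str, str]
FileAttrs = Dict[str, Tuple[int, int]]  # path -> (owner uid, permission bits)

# Legal (source, target) edges of the preset jump instruction information set,
# from the page's control flow A->B->D, A->C->E, A->C->F.
PRESET_JUMPS: Set[Edge] = {("A", "B"), ("B", "D"), ("A", "C"), ("C", "E"), ("C", "F")}


def abnormal_jumps(observed: Iterable[Edge], preset: Set[Edge] = PRESET_JUMPS) -> List[Edge]:
    """Observation point 1: runtime jumps absent from the preset set."""
    return [edge for edge in observed if edge not in preset]


def changed_fields(baseline: Dict[str, int], runtime: Dict[str, int]) -> List[str]:
    """Observation point 2: permission attribute fields that differ from the baseline."""
    return [name for name, value in baseline.items() if runtime.get(name) != value]


def account_or_file_modified(primary_baseline: Dict[str, int], primary_runtime: Dict[str, int],
                             senior_files_baseline: FileAttrs, senior_files_runtime: FileAttrs) -> List[str]:
    """Observation point 3: the primary account's authority was elevated, or a
    file owned by the senior account had its attributes changed."""
    findings = [f"primary account {name} changed"
                for name in changed_fields(primary_baseline, primary_runtime)]
    for path, attrs in senior_files_baseline.items():
        if senior_files_runtime.get(path) != attrs:
            findings.append(f"senior-owned file {path} attributes changed")
    return findings


def analyse(observed_jumps: Iterable[Edge],
            proc_baseline: Dict[str, int], proc_runtime: Dict[str, int],
            primary_baseline: Dict[str, int], primary_runtime: Dict[str, int],
            files_baseline: FileAttrs, files_runtime: FileAttrs) -> Tuple[bool, List[str]]:
    """Apply the at-least-two rule over the three observation points.
    Returns (attack determined?, names of the observation points that fired)."""
    conditions = {
        "abnormal_jump": abnormal_jumps(observed_jumps),
        "process_attribute_changed": changed_fields(proc_baseline, proc_runtime),
        "account_or_file_modified": account_or_file_modified(
            primary_baseline, primary_runtime, files_baseline, files_runtime),
    }
    met = [name for name, evidence in conditions.items() if evidence]
    return len(met) >= 2, met


# Constructed baselines (UID 12 for the primary account is the page's value).
PROC_BASELINE = {"uid": 12, "euid": 12}
PRIMARY_BASELINE = {"uid": 12}
FILES_BASELINE: FileAttrs = {"/etc/shadow": (0, 0o640)}


def page_example() -> Tuple[bool, List[str]]:
    """The page's case: jump C->B outside the graph plus UID 12 -> 0."""
    return analyse([("A", "C"), ("C", "B")], PROC_BASELINE, {"uid": 0, "euid": 0},
                   PRIMARY_BASELINE, {"uid": 0}, FILES_BASELINE, FILES_BASELINE)


def single_observation() -> Tuple[bool, List[str]]:
    """Only a senior-owned file changed: one observation point is not enough."""
    return analyse([("A", "B"), ("B", "D")], PROC_BASELINE, PROC_BASELINE,
                   PRIMARY_BASELINE, PRIMARY_BASELINE,
                   FILES_BASELINE, {"/etc/shadow": (0, 0o666)})


if __name__ == "__main__":
    print("page example:", page_example())
    print("single observation:", single_observation())
```

The page's case fires all three observation points because the UID change is visible both in the process credentials and in the account attributes; the second scenario shows the false-alarm suppression: a lone file-attribute change is recorded as evidence but does not by itself produce an attack determination.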
The processing after the privilege-escalation attack is determined is not limited in the embodiment of the disclosure.
The embodiment of the disclosure preprocesses the monitored process and its corresponding binary program and accounts, and collects the necessary information, such as the set of legal jump targets of the jump instructions in the binary program, the attributes of the process, the sensitive functions and system calls that may be executed, the attribute information of the ordinary and highest-authority accounts, file attribute information, and the like, and stores this information in a high-performance distributed time-series database. The process is then monitored for changes in its attributes, behavior, and account attributes as it executes. Finally, a data analysis system judges whether the process is subjected to a privilege-escalation attack. In this way, runtime monitoring captures privilege-escalation attacks without affecting the normal provision of the program's service, and the heterogeneous observation chain method captures the behavior of an attacker escalating privileges through a binary vulnerability.
It is understood that the above-mentioned method embodiments of the present disclosure can be combined with each other to form a combined embodiment without departing from the logic of the principle, which is limited by the space, and the detailed description of the present disclosure is omitted. Those skilled in the art will appreciate that in the above methods of the specific embodiments, the specific order of execution of the steps should be determined by their function and possibly their inherent logic.
Referring to fig. 3, fig. 3 is a block diagram illustrating an apparatus for detecting a privilege vulnerability attack according to an embodiment of the present disclosure.
As shown in fig. 3, the apparatus includes:
the information acquisition module 10 is configured to acquire jump instruction information when a target program runs, attribute information of the corresponding process, attribute information of an account, and attribute information of files owned by the account, where the attribute information of the process includes authority attribute information of the process, library functions called by the process, and system calls;
an attack determining module 20, connected to the information acquisition module, configured to determine that a privilege-escalation vulnerability attack is being performed when at least two of the following conditions are met:
determining that an abnormal jump instruction exists according to the jump instruction information and a preset jump instruction information set;
determining that attribute information changes according to the attribute information of the process and standard attribute information of the process, wherein the attribute information changes comprise at least one of permission attribute information changes, process calling of sensitive library functions and calling of sensitive system calls;
determining that the authority of the account or the attribute information of all files is modified according to the attribute information of the account, the attribute information of all files owned by the account, the standard attribute information of the account and the standard attribute information of all files owned by the account.
The apparatus can acquire, when the target program runs, the jump instruction information, the attribute information of the corresponding process, the attribute information of the account, and the attribute information of all files owned by the account, and perform several judgments using the acquired information: determining that an abnormal jump instruction exists according to the jump instruction information and the preset jump instruction information set; determining that the attribute information changes according to the attribute information of the process and the standard attribute information of the process; and determining that the authority of the account or the attribute information of all files is modified according to the attribute information of the account, the attribute information of all files owned by the account, the standard attribute information of the account, and the standard attribute information of all files owned by the account. When at least two of these conditions are satisfied, the apparatus determines that a privilege-escalation vulnerability attack is being carried out.
In a possible implementation, the apparatus further includes a first obtaining module configured to:
determining direct jump instruction information of the target program by using a static analysis tool;
determining indirect jump instruction information and indirect call instruction information according to the pointer information of the target program;
obtaining a preset jump instruction information set of the target program according to the direct jump instruction information, the indirect jump instruction information and the indirect call instruction information;
storing the preset jump instruction information set to the jump judgment process.
In a possible implementation, the apparatus further includes a second obtaining module configured to:
running the target program in a test environment, and acquiring standard attribute information of the process corresponding to the running of the target program, where the standard attribute information includes standard authority attribute information and the set of library functions and system calls that the process may call.
In one possible embodiment, the accounts include a primary account and a senior account having higher authority than the primary account, and determining that the authority of the account or the attribute information of all files owned by the account is modified includes:
determining that the authority of the primary account is elevated and/or that attribute information of a file owned by the senior account is modified; or
determining that attribute information of a file owned by the senior account is modified by the primary account whose permissions have been elevated.
In one possible embodiment, the target program comprises a service program of a service end.
In some embodiments, functions of or modules included in the apparatus provided in the embodiments of the present disclosure may be used to execute the method described in the above method embodiments, and specific implementation thereof may refer to the description of the above method embodiments, and for brevity, will not be described again here.
Embodiments of the present disclosure also provide a computer-readable storage medium having stored thereon computer program instructions, which when executed by a processor, implement the above-mentioned method. The computer readable storage medium may be a non-volatile computer readable storage medium.
An embodiment of the present disclosure further provides an electronic device, including: a processor; a memory for storing processor-executable instructions; wherein the processor is configured to invoke the memory-stored instructions to perform the above-described method.
The disclosed embodiments also provide a computer program product comprising computer readable code or a non-transitory computer readable storage medium carrying computer readable code, which when run in a processor of an electronic device, the processor in the electronic device performs the above method.
The electronic device may be provided as a terminal, server, or other form of device.
Referring to fig. 4, fig. 4 is a block diagram of an electronic device according to an embodiment of the disclosure.
For example, the electronic device 800 may be a mobile phone, a computer, a digital broadcast terminal, a messaging device, a game console, a tablet device, a medical device, a fitness device, a personal digital assistant, or the like terminal.
Referring to fig. 4, electronic device 800 may include one or more of the following components: processing component 802, memory 804, power component 806, multimedia component 808, audio component 810, input/output (I/O) interface 812, sensor component 814, and communication component 816.
The processing component 802 generally controls overall operation of the electronic device 800, such as operations associated with display, telephone calls, data communications, camera operations, and recording operations. The processing components 802 may include one or more processors 820 to execute instructions to perform all or a portion of the steps of the methods described above. Further, the processing component 802 can include one or more modules that facilitate interaction between the processing component 802 and other components. For example, the processing component 802 can include a multimedia module to facilitate interaction between the multimedia component 808 and the processing component 802.
The memory 804 is configured to store various types of data to support operations at the electronic device 800. Examples of such data include instructions for any application or method operating on the electronic device 800, contact data, phonebook data, messages, pictures, videos, and so forth. The memory 804 may be implemented by any type or combination of volatile or non-volatile memory devices such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disks.
The power supply component 806 provides power to the various components of the electronic device 800. The power components 806 may include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power for the electronic device 800.
The multimedia component 808 includes a screen that provides an output interface between the electronic device 800 and a user. In some embodiments, the screen may include a Liquid Crystal Display (LCD) and a Touch Panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive an input signal from a user. The touch panel includes one or more touch sensors to sense touch, slide, and gestures on the touch panel. The touch sensor may not only sense the boundary of a touch or slide action, but also detect the duration and pressure associated with the touch or slide operation. In some embodiments, the multimedia component 808 includes a front facing camera and/or a rear facing camera. The front camera and/or the rear camera may receive external multimedia data when the electronic device 800 is in an operation mode, such as a shooting mode or a video mode. Each front camera and rear camera may be a fixed optical lens system or have a focal length and optical zoom capability.
The audio component 810 is configured to output and/or input audio signals. For example, the audio component 810 includes a Microphone (MIC) configured to receive external audio signals when the electronic device 800 is in an operational mode, such as a call mode, a recording mode, and a voice recognition mode. The received audio signals may further be stored in the memory 804 or transmitted via the communication component 816. In some embodiments, audio component 810 also includes a speaker for outputting audio signals.
The I/O interface 812 provides an interface between the processing component 802 and peripheral interface modules, which may be keyboards, click wheels, buttons, etc. These buttons may include, but are not limited to: a home button, a volume button, a start button, and a lock button.
The sensor assembly 814 includes one or more sensors for providing various aspects of state assessment for the electronic device 800. For example, the sensor assembly 814 may detect an open/closed state of the electronic device 800, the relative positioning of components, such as a display and keypad of the electronic device 800, the sensor assembly 814 may also detect a change in the position of the electronic device 800 or a component of the electronic device 800, the presence or absence of user contact with the electronic device 800, orientation or acceleration/deceleration of the electronic device 800, and a change in the temperature of the electronic device 800. Sensor assembly 814 may include a proximity sensor configured to detect the presence of a nearby object without any physical contact. The sensor assembly 814 may also include a light sensor, such as a Complementary Metal Oxide Semiconductor (CMOS) or Charge Coupled Device (CCD) image sensor, for use in imaging applications. In some embodiments, the sensor assembly 814 may also include an acceleration sensor, a gyroscope sensor, a magnetic sensor, a pressure sensor, or a temperature sensor.
The communication component 816 is configured to facilitate wired or wireless communication between the electronic device 800 and other devices. The electronic device 800 may access a wireless network based on a communication standard, such as a wireless network (WiFi), a second generation mobile communication technology (2G) or a third generation mobile communication technology (3G), or a combination thereof. In an exemplary embodiment, the communication component 816 receives a broadcast signal or broadcast related information from an external broadcast management system via a broadcast channel. In an exemplary embodiment, the communication component 816 further includes a Near Field Communication (NFC) module to facilitate short-range communications. For example, the NFC module may be implemented based on Radio Frequency Identification (RFID) technology, infrared data association (IrDA) technology, Ultra Wideband (UWB) technology, Bluetooth (BT) technology, and other technologies.
In an exemplary embodiment, the electronic device 800 may be implemented by one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), controllers, micro-controllers, microprocessors or other electronic components for performing the above-described methods.
In an exemplary embodiment, a non-transitory computer-readable storage medium, such as the memory 804, is also provided that includes computer program instructions executable by the processor 820 of the electronic device 800 to perform the above-described methods.
Referring to fig. 5, fig. 5 is a block diagram of an electronic device according to an embodiment of the disclosure.
For example, the electronic device 1900 may be provided as a server. Referring to fig. 5, electronic device 1900 includes a processing component 1922 further including one or more processors and memory resources, represented by memory 1932, for storing instructions, e.g., applications, executable by processing component 1922. The application programs stored in memory 1932 may include one or more modules that each correspond to a set of instructions. Further, the processing component 1922 is configured to execute instructions to perform the above-described method.
The electronic device 1900 may also include a power component 1926 configured to perform power management of the electronic device 1900, a wired or wireless network interface 1950 configured to connect the electronic device 1900 to a network, and an input/output (I/O) interface 1958. The electronic device 1900 may operate based on an operating system stored in the memory 1932, such as Microsoft's server operating system (Windows Server™), Apple's graphical-user-interface operating system (Mac OS X™), the multi-user, multi-process operating system (Unix™), the free and open-source Unix-like operating system (Linux™), the open-source Unix-like operating system (FreeBSD™), or the like.
In an exemplary embodiment, a non-transitory computer readable storage medium, such as the memory 1932, is also provided that includes computer program instructions executable by the processing component 1922 of the electronic device 1900 to perform the above-described methods.
The present disclosure may be systems, methods, and/or computer program products. The computer program product may include a computer-readable storage medium having computer-readable program instructions embodied thereon for causing a processor to implement various aspects of the present disclosure.
The computer readable storage medium may be a tangible device that can hold and store the instructions for use by the instruction execution device. The computer readable storage medium may be, for example, but is not limited to, an electronic memory device, a magnetic memory device, an optical memory device, an electromagnetic memory device, a semiconductor memory device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a Static Random Access Memory (SRAM), a portable compact disc read-only memory (CD-ROM), a Digital Versatile Disc (DVD), a memory stick, a floppy disk, a mechanical coding device, such as punch cards or in-groove projection structures having instructions stored thereon, and any suitable combination of the foregoing. Computer-readable storage media as used herein is not to be construed as transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission medium (e.g., optical pulses through a fiber optic cable), or electrical signals transmitted through electrical wires.
The computer-readable program instructions described herein may be downloaded from a computer-readable storage medium to a respective computing/processing device, or to an external computer or external storage device via a network, such as the internet, a local area network, a wide area network, and/or a wireless network. The network may include copper transmission cables, fiber optic transmission, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. The network adapter card or network interface in each computing/processing device receives computer-readable program instructions from the network and forwards the computer-readable program instructions for storage in a computer-readable storage medium in the respective computing/processing device.
The computer program instructions for carrying out operations of the present disclosure may be assembler instructions, Instruction Set Architecture (ISA) instructions, machine-related instructions, microcode, firmware instructions, state setting data, or source or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The computer-readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, the electronic circuitry that can execute the computer-readable program instructions implements aspects of the present disclosure by utilizing the state information of the computer-readable program instructions to personalize the electronic circuitry, such as a programmable logic circuit, a Field Programmable Gate Array (FPGA), or a Programmable Logic Array (PLA).
Various aspects of the present disclosure are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the disclosure. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions.
These computer-readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer-readable program instructions may also be stored in a computer-readable storage medium that can direct a computer, programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer-readable medium storing the instructions comprises an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer, other programmable apparatus or other devices implement the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The computer program product may be embodied in hardware, software or a combination thereof. In an alternative embodiment, the computer program product is embodied in a computer storage medium, and in another alternative embodiment, the computer program product is embodied in a Software product, such as a Software Development Kit (SDK), or the like.
Having described embodiments of the present disclosure, the foregoing description is intended to be exemplary, not exhaustive, and not limited to the disclosed embodiments. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein is chosen in order to best explain the principles of the embodiments, the practical application, or improvements made to the technology in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

Claims (8)

1. A detection method for a privilege escalation vulnerability attack, characterized by comprising the following steps:
acquiring, while a target program runs, jump instruction information, attribute information of the corresponding process, attribute information of an account and attribute information of the files owned by the account, wherein the attribute information of the process comprises the permission attribute information of the process, the library functions called by the process and the system calls issued by the process;
running the target program in a test environment and acquiring standard attribute information of the process corresponding to the running of the target program, wherein the standard attribute information comprises standard permission attribute information and the set of library functions and system calls that the process may call;
determining that a privilege escalation attack is underway when at least two of the following conditions are met:
determining, from the jump instruction information and a preset jump instruction information set, that an abnormal jump instruction exists;
determining, from the attribute information of the process and the standard attribute information of the process, that the attribute information has changed, wherein a change in attribute information comprises at least one of: a change in permission attribute information, the process calling a sensitive library function, and the process issuing a sensitive system call; and
determining, from the attribute information of the account, the attribute information of all files owned by the account, the standard attribute information of the account and the standard attribute information of all files owned by the account, that the permissions of the account or the attribute information of the files it owns have been modified.
2. The method of claim 1, further comprising:
determining the direct jump instruction information of the target program with a static analysis tool;
determining the indirect jump instruction information and the indirect call instruction information from the pointer information of the target program;
obtaining the preset jump instruction information set of the target program from the direct jump instruction information, the indirect jump instruction information and the indirect call instruction information; and
storing the preset jump instruction information set in the jump judgment process.
3. The method of claim 1, wherein the account comprises a primary account and a high-privilege account, the high-privilege account having higher privileges than the primary account, and wherein determining that the permissions of the account or the attribute information of all files owned by the account have been modified comprises:
determining that the permissions of the primary account have been elevated and/or that the attribute information of a file owned by the high-privilege account has been modified; or
determining that the attribute information of a file owned by the high-privilege account has been modified by the primary account whose permissions have been elevated.
4. The method of claim 1, wherein the target program comprises a service program running on a server.
5. An apparatus for detecting a privilege escalation vulnerability attack, the apparatus comprising:
an information acquisition module configured to acquire, while a target program runs, jump instruction information, attribute information of the corresponding process, attribute information of an account and attribute information of the files owned by the account, wherein the attribute information of the process comprises the permission attribute information of the process, the library functions called by the process and the system calls issued by the process;
a second acquisition module configured to run the target program in a test environment and acquire standard attribute information of the process corresponding to the running of the target program, wherein the standard attribute information comprises standard permission attribute information and the set of library functions and system calls that the process may call; and
an attack determination module, connected to the information acquisition module, configured to determine that a privilege escalation vulnerability attack is underway when at least two of the following conditions are met:
determining, from the jump instruction information and a preset jump instruction information set, that an abnormal jump instruction exists;
determining, from the attribute information of the process and the standard attribute information of the process, that the attribute information has changed, wherein a change in attribute information comprises at least one of: a change in permission attribute information, the process calling a sensitive library function, and the process issuing a sensitive system call; and
determining, from the attribute information of the account, the attribute information of all files owned by the account, the standard attribute information of the account and the standard attribute information of all files owned by the account, that the permissions of the account or the attribute information of the files it owns have been modified.
6. The apparatus of claim 5, further comprising a first acquisition module configured to:
determine the direct jump instruction information of the target program with a static analysis tool;
determine the indirect jump instruction information and the indirect call instruction information from the pointer information of the target program;
obtain the preset jump instruction information set of the target program from the direct jump instruction information, the indirect jump instruction information and the indirect call instruction information; and
store the preset jump instruction information set in the jump judgment process.
7. The apparatus of claim 6, wherein the account comprises a primary account and a high-privilege account, the high-privilege account having higher privileges than the primary account, and wherein determining that the permissions of the account or the attribute information of all files owned by the account have been modified comprises:
determining that the permissions of the primary account have been elevated and/or that the attribute information of a file owned by the high-privilege account has been modified; or
determining that the attribute information of a file owned by the high-privilege account has been modified by the primary account whose permissions have been elevated.
8. An electronic device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to invoke the memory-stored instructions to perform the method of any of claims 1 to 4.
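The decision rule of claims 1 to 3 over constructed observations, as an added worked example that is not part of the patent and not the applicants' implementation. It builds the preset jump set the way claim 2 describes (union of statically found direct jumps and pointer-resolved indirect jumps and calls), evaluates the three conditions of claim 1 against a baseline captured in a test run, and declares an attack only when at least two fire. The sets of sensitive library functions and system calls, the addresses, account names, privilege levels and file attributes are assumptions made for the example; the patent does not specify any of them.

```python
"""Added example of the claim-1 rule: attack iff >= 2 of 3 conditions hold.
All data below is constructed for illustration; nothing comes from the patent."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Jump = Tuple[int, int]  # (source address, target address)

# Assumed "sensitive" calls; the patent leaves the concrete lists to the implementer.
SENSITIVE_LIBCALLS: FrozenSet[str] = frozenset({"setuid", "setresuid", "system", "execve", "mprotect"})
SENSITIVE_SYSCALLS: FrozenSet[str] = frozenset({"setuid", "setresuid", "execve", "ptrace", "init_module"})


@dataclass(frozen=True)
class ProcessAttrs:
    """Process attribute information (claim 1): permission attributes plus the library
    functions and system calls seen. The baseline from the test run uses the same type."""
    uid: int
    gid: int
    capabilities: FrozenSet[str]
    libcalls: FrozenSet[str]
    syscalls: FrozenSet[str]


@dataclass
class AccountAttrs:
    """Account attribute information and the attributes of the files it owns (claims 1, 3).
    privilege_level 0 = primary (ordinary) account, 1 = high-privilege account (assumed encoding)."""
    name: str
    privilege_level: int
    files: Dict[str, Tuple[int, int]]  # path -> (owner uid, mode)


def build_preset_jump_set(direct: List[Jump], indirect_jumps: List[Jump], indirect_calls: List[Jump]) -> FrozenSet[Jump]:
    """Claim 2: preset set = direct jumps from static analysis + pointer-resolved indirect jumps/calls."""
    return frozenset(direct) | frozenset(indirect_jumps) | frozenset(indirect_calls)


def has_abnormal_jump(observed: FrozenSet[Jump], preset: FrozenSet[Jump]) -> bool:
    """Condition 1: some observed control transfer is outside the preset set."""
    return not observed <= preset


def attrs_changed(observed: ProcessAttrs, standard: ProcessAttrs) -> bool:
    """Condition 2: permission attributes differ from the baseline, or the process issued a
    sensitive library call / system call that the baseline run never issued."""
    if (observed.uid, observed.gid, observed.capabilities) != (standard.uid, standard.gid, standard.capabilities):
        return True
    new_libcalls = observed.libcalls - standard.libcalls
    new_syscalls = observed.syscalls - standard.syscalls
    return bool(new_libcalls & SENSITIVE_LIBCALLS) or bool(new_syscalls & SENSITIVE_SYSCALLS)


def account_or_files_modified(observed: Dict[str, AccountAttrs], standard: Dict[str, AccountAttrs]) -> bool:
    """Condition 3 (claims 1 and 3): a primary account was elevated, or attribute information
    of a file owned by some account (typically the high-privilege one) changed."""
    for name, std in standard.items():
        obs = observed[name]
        if obs.privilege_level > std.privilege_level:
            return True
        if obs.files != std.files:
            return True
    return False


def detect(observed_jumps: FrozenSet[Jump], preset: FrozenSet[Jump],
           proc_obs: ProcessAttrs, proc_std: ProcessAttrs,
           accounts_obs: Dict[str, AccountAttrs], accounts_std: Dict[str, AccountAttrs]) -> Tuple[bool, List[str]]:
    """Returns (attack_detected, list of conditions that fired). Attack iff at least two fired."""
    reasons: List[str] = []
    if has_abnormal_jump(observed_jumps, preset):
        reasons.append("abnormal jump")
    if attrs_changed(proc_obs, proc_std):
        reasons.append("process attribute change")
    if account_or_files_modified(accounts_obs, accounts_std):
        reasons.append("account/file attribute modified")
    return len(reasons) >= 2, reasons


# ---- Constructed baseline (the "standard attribute information" of a test run) ----
PRESET = build_preset_jump_set(
    direct=[(0x1000, 0x1040), (0x1040, 0x1100)],
    indirect_jumps=[(0x1100, 0x1200)],
    indirect_calls=[(0x1200, 0x2000)],
)
STD_PROC = ProcessAttrs(uid=1000, gid=1000, capabilities=frozenset(),
                        libcalls=frozenset({"read", "write", "malloc"}),
                        syscalls=frozenset({"read", "write", "brk"}))
STD_ACCOUNTS = {
    "alice": AccountAttrs("alice", 0, {"/home/alice/notes": (1000, 0o644)}),
    "root": AccountAttrs("root", 1, {"/etc/shadow": (0, 0o640)}),
}


def normal_run() -> Tuple[bool, List[str]]:
    """Production run identical to the baseline: nothing fires."""
    jumps = frozenset({(0x1000, 0x1040), (0x1040, 0x1100)})
    return detect(jumps, PRESET, STD_PROC, STD_PROC, STD_ACCOUNTS, STD_ACCOUNTS)


def exploited_run() -> Tuple[bool, List[str]]:
    """Control flow diverted to an unexpected address, process now uid 0 issuing setuid/execve,
    and a root-owned file made world-writable: all three conditions fire."""
    jumps = frozenset({(0x1000, 0x1040), (0x1040, 0x7FFF0A10)})
    proc = ProcessAttrs(uid=0, gid=0, capabilities=frozenset({"CAP_SYS_ADMIN"}),
                        libcalls=STD_PROC.libcalls | {"setuid"},
                        syscalls=STD_PROC.syscalls | {"setuid", "execve"})
    accounts = dict(STD_ACCOUNTS)
    accounts["root"] = AccountAttrs("root", 1, {"/etc/shadow": (0, 0o666)})
    return detect(jumps, PRESET, proc, STD_PROC, accounts, STD_ACCOUNTS)


def single_signal_run() -> Tuple[bool, List[str]]:
    """One jump outside the preset set (e.g. an indirect target static analysis missed) with
    no other change: a single condition is not enough to declare an attack."""
    jumps = frozenset({(0x1000, 0x1040), (0x1040, 0x1300)})
    return detect(jumps, PRESET, STD_PROC, STD_PROC, STD_ACCOUNTS, STD_ACCOUNTS)


if __name__ == "__main__":
    for label, fn in (("normal", normal_run), ("exploited", exploited_run), ("single", single_signal_run)):
        print(label, fn())
```

The two-of-three threshold is what keeps the single-signal case quiet: an incomplete preset jump set (a common outcome of static analysis on binaries with unresolved indirect calls) produces a lone "abnormal jump" and no alert, while a real escalation also moves the process's permission attributes or the protected files and so trips a second condition.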
CN202110813767.6A 2021-07-19 2021-07-19 Detection method and device for privilege-offering vulnerability attack and electronic equipment Active CN113556336B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110813767.6A CN113556336B (en) 2021-07-19 2021-07-19 Detection method and device for privilege-offering vulnerability attack and electronic equipment

Publications (2)

Publication Number Publication Date
CN113556336A CN113556336A (en) 2021-10-26
CN113556336B true CN113556336B (en) 2022-02-11

Family

ID=78132044

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110813767.6A Active CN113556336B (en) 2021-07-19 2021-07-19 Detection method and device for privilege-offering vulnerability attack and electronic equipment

Country Status (1)

Country Link
CN (1) CN113556336B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112199672A (en) * 2020-10-10 2021-01-08 北京微步在线科技有限公司 Account authority lifting behavior detection method and device and readable storage medium
CN112926048A (en) * 2021-05-11 2021-06-08 北京天空卫士网络安全技术有限公司 Abnormal information detection method and device

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10609079B2 (en) * 2015-10-28 2020-03-31 Qomplx, Inc. Application of advanced cybersecurity threat mitigation to rogue devices, privilege escalation, and risk-based vulnerability and patch management
US11184401B2 (en) * 2015-10-28 2021-11-23 Qomplx, Inc. AI-driven defensive cybersecurity strategy analysis and recommendation system
CN105488397B (en) * 2015-12-02 2018-01-12 国网智能电网研究院 A kind of ROP attack detection systems and method based on situation
CN106022128B (en) * 2016-05-13 2019-03-08 北京奇虎科技有限公司 Method, device and mobile terminal for detection procedure access authority
CN111191226B (en) * 2019-07-04 2023-12-01 腾讯科技(深圳)有限公司 Method, device, equipment and storage medium for determining program by utilizing right-raising loopholes
CN111753295B (en) * 2020-05-27 2024-05-14 江苏大学 Vulnerability exploitation program detection method based on vulnerability exploitation program characteristics

Also Published As

Publication number Publication date
CN113556336A (en) 2021-10-26

Similar Documents

Publication Publication Date Title
EP3188414B1 (en) Method and apparatus for controlling smart device
CN104850995B (en) Operation execution method and device
US10425403B2 (en) Method and device for accessing smart camera
CN110933103B (en) Anti-crawler method, device, equipment and medium
CN105139470A (en) Checking-in method, device and system based on face recognition
EP3179397A1 (en) Methods and devices for managing automatic parallel login and logout in several applications
CN104899490A (en) Terminal positioning method and user terminal
EP3176719B1 (en) Methods and devices for acquiring certification document
US9940448B2 (en) Unlock processing method and device
US20210326429A1 (en) Access control method and device, electronic device and storage medium
CN105281907B (en) Encrypted data processing method and device
CN109842612B (en) Log security analysis method and device based on graph library model and storage medium
CN105320871A (en) Screen unlocking method and screen unlocking apparatus
EP3163834A1 (en) Method and device for equipment control
CN112417420A (en) Information processing method and device and electronic equipment
CN112837454A (en) Passage detection method and device, electronic equipment and storage medium
US20160048665A1 (en) Unlocking an electronic device
CN116707965A (en) Threat detection method and device, storage medium and electronic equipment
US10095911B2 (en) Methods, devices, and computer-readable mediums for verifying a fingerprint
CN113556336B (en) Detection method and device for privilege-offering vulnerability attack and electronic equipment
CN112541875A (en) Depth image processing method and device, electronic equipment and storage medium
CN112231666A (en) Illegal account processing method, device, terminal, server and storage medium
EP3236377B1 (en) Method, device and system for preventing account from being broken into
WO2023045185A1 (en) Object detection method and apparatus, electronic device and storage medium
CN115329309A (en) Verification method, verification device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant