CN115454856A - Multi-application security detection method, device, medium and electronic equipment - Google Patents

Publication number
CN115454856A
Authority
CN
China
Prior art keywords
tested
application process
application
target
processes
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211130378.4A
Other languages
Chinese (zh)
Inventor
肖芫莹
殷铭
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by China Telecom Corp Ltd
Priority to CN202211130378.4A
Publication of CN115454856A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/362 Software debugging
    • G06F11/3624 Software debugging by performing operations on the source code, e.g. via a compiler
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/3664 Environments for testing or debugging software
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Quality & Reliability (AREA)
  • Software Systems (AREA)
  • Computing Systems (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application relates to the field of computer security and discloses a multi-application security detection method, device, medium and electronic equipment. The method comprises the following steps: after a plurality of application processes to be tested are started, detecting whether the running environment of the application processes to be tested meets a first instrumentation condition; if the running environment meets the first instrumentation condition, acquiring information related to each application process to be tested, and determining, according to that information, the target application processes to be tested that meet a second instrumentation condition among the plurality of application processes to be tested; and creating, through instrumentation, a corresponding target agent process for each target application process to be tested, so that each target agent process collects information in its corresponding target application process to be tested and sends the collected information to a security detection engine for security detection. The method achieves automatic batch instrumentation of a plurality of application processes to be tested, saves users' time, and improves security detection efficiency.

Description

Multi-application security detection method, device, medium and electronic equipment
Technical Field
The present application relates to the field of computer security technologies, and in particular, to a multi-application security detection method, apparatus, medium, and electronic device.
Background
With the development of the internet and information technology, a large number of computer applications are being generated in order to meet various demands.
Security detection of applications through instrumentation is an important means of reducing application security vulnerabilities. However, as more and more computer applications are developed and run, the low efficiency and high cost of the conventional approach, in which a user instruments applications one by one, become more and more prominent, and that approach can hardly meet the requirements of security detection.
Disclosure of Invention
In the field of computer security technologies, in order to solve the above technical problems, an object of the present application is to provide a multi-application security detection method, apparatus, medium, and electronic device.
According to an aspect of the present application, there is provided a multi-application security detection method, the method including:
after a plurality of application processes to be tested are started, detecting whether the running environment of the application processes to be tested meets a first instrumentation condition;
if the running environment meets the first instrumentation condition, acquiring information related to each application process to be tested, and determining, according to that information, the target application processes to be tested that meet a second instrumentation condition among the plurality of application processes to be tested, wherein the information related to each application process to be tested comprises at least one of the following items: startup parameter information of the application process to be tested, the version of the application process to be tested, information on whether the version of the software development kit on which the application process to be tested depends supports security detection, the user ID of the current user, the permissions of the current user, and the agent parameters in the application process to be tested;
and creating, through instrumentation, a corresponding target agent process for each target application process to be tested, so that each target agent process collects information in its corresponding target application process to be tested and sends the collected information to a security detection engine for security detection.
According to another aspect of the present application, there is provided a multi-application security detection apparatus, the apparatus including:
the device comprises a detection module, a first execution module and a second execution module, wherein the detection module is configured to detect whether the running environment of a plurality of application processes to be tested meets a first instrumentation condition after the plurality of application processes to be tested are started;
an obtaining and determining module, configured to obtain information related to each application process to be tested if the running environment meets the first instrumentation condition, and to determine, according to that information, the target application processes to be tested that meet a second instrumentation condition among the application processes to be tested, where the information related to each application process to be tested includes at least one of: startup parameter information of the application process to be tested, the version of the application process to be tested, information on whether the version of the software development kit on which the application process to be tested depends supports security detection, the user ID of the current user, the permissions of the current user, and the agent parameters in the application process to be tested;
and the instrumentation module is configured to create corresponding target agent processes for the target application processes to be tested through instrumentation so that the target agent processes collect information in the corresponding target application processes to be tested and send the collected information to the security detection engine for security detection.
According to another aspect of the present application, there is provided a computer readable program medium storing computer program instructions which, when executed by a computer, cause the computer to perform the method as previously described.
According to another aspect of the present application, there is provided an electronic device including:
a processor;
a memory having computer readable instructions stored thereon which, when executed by the processor, implement the method as previously described.
The technical scheme provided by the embodiment of the application can have the following beneficial effects:
the multi-application security detection method, device, medium and electronic equipment provided by the application comprise the following steps: after a plurality of application processes to be tested are started, detecting whether the running environment of the application processes to be tested meets a first instrumentation condition; if the running environment meets the first instrumentation condition, acquiring information related to each application process to be tested, and determining, according to that information, the target application processes to be tested that meet a second instrumentation condition among the plurality of application processes to be tested, wherein the information related to each application process to be tested comprises at least one of the following items: startup parameter information of the application process to be tested, the version of the application process to be tested, information on whether the version of the software development kit on which the application process to be tested depends supports security detection, the user ID of the current user, the permissions of the current user, and the agent parameters in the application process to be tested; and creating, through instrumentation, a corresponding target agent process for each target application process to be tested, so that each target agent process collects information in its corresponding target application process to be tested and sends the collected information to a security detection engine for security detection.
According to the method, after the plurality of application processes to be tested are started, it is judged whether their running environment meets a first instrumentation condition; if it does, whether a second instrumentation condition is met is further determined according to the information related to each application process to be tested; and when a target application process to be tested also meets the second instrumentation condition, a corresponding target agent process is created for it through instrumentation. Automatic batch instrumentation of the plurality of application processes to be tested is thereby achieved; the use of the first and second instrumentation conditions ensures that instrumentation of the application processes to be tested can be completed successfully, and users' time is saved. On this basis, security detection is performed on the information collected by the target agent processes, so the efficiency of security detection is significantly improved and users can devote more effort to troubleshooting and fixing vulnerabilities.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.
FIG. 1 is a system architecture diagram illustrating a multi-application security detection method in accordance with an exemplary embodiment;
FIG. 2 is a flow diagram illustrating a multi-application security detection method in accordance with an exemplary embodiment;
FIG. 3A is a flowchart illustrating a process of checking whether a runtime environment and a process satisfy instrumentation conditions in accordance with an illustrative embodiment;
FIG. 3B is a flowchart illustrating the instrumentation of a process in accordance with an exemplary embodiment;
FIG. 4 is a schematic diagram illustrating an overall flow of security detection for an application process under test according to an illustrative embodiment;
FIG. 5 is a block diagram illustrating a multi-application security detection apparatus in accordance with an exemplary embodiment;
FIG. 6 is a block diagram illustrating an example of an electronic device implementing the multi-application security detection method described above, according to an example embodiment;
FIG. 7 is a program product for implementing the multi-application security detection method described above according to an example embodiment.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. The following description refers to the accompanying drawings in which the same numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
Furthermore, the drawings are merely schematic illustrations of the present application and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and a repetitive description thereof will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities.
Interactive application security testing (IAST) is a technique for automatically identifying and diagnosing software vulnerabilities in applications and APIs. For application detection, internet companies are gradually abandoning static detection, which has a higher false alarm rate, in favor of interactive detection, which has a lower false alarm rate, to investigate security risks. Interactive application security testing combines dynamic and static security detection and discovers security vulnerabilities by analyzing and processing requests. It offers high accuracy while also tracing vulnerabilities to their source.
Since interactive detection techniques need to acquire application-related requests, instrumentation is required. In current interactive security detection practice there is rarely a single application to be tested; in internet companies, for example, there are usually more than two, so the user has to instrument the applications to be tested manually, one by one. Obviously, this way of instrumenting wastes a lot of time, is very inefficient, and has a high labor cost.
For this reason, the present application first provides a multi-application security detection method. The method overcomes the above defects: it achieves automatic batch instrumentation, is convenient for users, improves security detection efficiency and reduces cost.
The implementation terminal of the present application may be any device having an operation function, which may be connected to an external device for receiving or sending data, and specifically may be a portable mobile device, such as a smart phone, a tablet computer, a notebook computer, a PDA (Personal Digital Assistant), or the like, or may be a fixed device, such as a computer device, a field terminal, a desktop computer, a server, a workstation, or the like, or may be a set of multiple devices, such as a physical infrastructure of cloud computing or a server cluster.
Optionally, the implementation terminal of the present application may be a server or a workstation.
FIG. 1 is a system architecture diagram illustrating a multi-application security detection method in accordance with an exemplary embodiment. As shown in FIG. 1, the system architecture includes a detection server 130, a target server 110, and a plurality of user terminals, specifically a first user terminal 121, a second user terminal 122, and a third user terminal 123. Communication connections are established between each user terminal and the target server 110 and between the detection server 130 and the target server 110, and data can be sent and received over these connections. A detection engine is deployed on the detection server 130; the target server 110 is the execution subject of the solution of the embodiment of the present application and hosts a plurality of application processes to be tested. When the multi-application security detection method provided by the present application is applied to the system architecture shown in FIG. 1, one process may be as follows: first, after the application processes to be tested are started, each user terminal accesses the application processes to be tested through a client; next, it is detected whether the running environment of the plurality of application processes to be tested on the target server 110 meets a first instrumentation condition; then, if the running environment meets the first instrumentation condition, information related to each application process to be tested is acquired, and whether each application process to be tested meets the second instrumentation condition is judged according to that information, so as to find the target application processes to be tested that meet the second instrumentation condition; then, the target server 110 automatically generates and executes an instrumentation command for each target application process to be tested, so as to create a corresponding target agent process for each target application process to be tested on the target server 110; finally, each target agent process collects information in its corresponding target application process to be tested and sends the collected information to the detection engine of the detection server 130 for security detection.
In an embodiment of the application, the client is a browser, and the application process to be tested is a process of a web application.
In an embodiment of the present application, the multi-application security detection method is performed during an idle period of the application process to be tested.
It is worth mentioning that FIG. 1 is only one embodiment of the present application. Although in this embodiment both the terminal that executes the multi-application security detection method and the terminal device on which the detection engine actually performs security detection are servers, in other embodiments of the present application the executing terminal and the terminal device on which the detection engine is deployed may be other types of terminal devices, such as desktop computers; although the application process to be tested is a web application process in this embodiment, in other embodiments it may be a process of another type of application, and different application processes to be tested may be of different types; although in this embodiment the deployment of the detection engine and the creation of the target agent processes take place on different terminal devices, in other embodiments they may take place on the same terminal device; although in this embodiment there are 3 user terminals and each is a terminal device of the same type, in other embodiments there may be any other number of user terminals and each may be a terminal device of a different type. The present application is not limited in this respect, and the scope of protection of the present application should not be limited thereby.
FIG. 2 is a flow diagram illustrating a method for multi-application security detection in accordance with an example embodiment. The multi-application security detection method provided by this embodiment may be executed by a server, as shown in fig. 2, and includes the following steps:
step 210, after the plurality of application processes to be tested are started, detecting whether the operating environments of the plurality of application processes to be tested meet a first instrumentation condition.
The application processes to be tested can be started on the Linux server, and can be the same type of process or different types of processes. The plurality of application processes to be tested may be web application processes. The multiple application processes to be tested may be specifically application processes constructed based on java language. The running environment of the multiple application processes to be tested is the environment on the server where the application processes to be tested are located.
In an embodiment of the present application, the detecting whether the execution environments of the multiple application processes to be tested satisfy the first instrumentation condition includes at least one of:
detecting whether a root user can be switched to through a su command;
detecting whether an agent file for creating an agent process exists in a specified directory;
detecting whether the current memory occupation ratio does not exceed a preset memory occupation ratio threshold value;
and detecting whether the virtual machine version on which the operation of the application process to be detected depends meets the preset requirement.
Specifically, the first instrumentation condition may include all four of the above items at the same time. When the running environment fails any one of the four items, that is, when it is impossible to switch to the root user through the su command, or no agent file for creating an agent process exists in the specified directory, or the current memory usage ratio exceeds the predetermined memory usage ratio threshold, or the virtual machine version on which the application process to be tested depends does not meet the predetermined requirement, the multi-application security detection flow may exit.
su is short for "switch user". On Linux, the su command lets a user temporarily change login identity; except when the invoking user is root, the account and password of the user being switched to must be entered. If the user can switch to the root user through the su command, the user has authority over the server, and the subsequent instrumentation and security detection are allowed to proceed; if the user cannot switch to the root user through the su command, a no-permission message can be shown and the whole flow exits.
Here "agent" means proxy: the agent process is the proxy process and, correspondingly, the agent file is the proxy file. It can be checked whether the agent file exists in the root/directory of the server; if not, the user can be prompted to first download the agent file to the specified directory, and the flow then exits.
The predetermined memory usage ratio threshold may be set as required, for example to 80%; it may also be set by monitoring the memory usage of the server with a deep learning model. If the current memory usage ratio is not high, the subsequent steps can continue; if it is high, the application processes to be tested are occupying a large share of memory resources, so the flow exits and no instrumentation is performed, which avoids a server crash caused by instrumentation and keeps the application processes to be tested running stably.
The virtual machine version is the version of the JVM (Java virtual machine) on which the running application process to be tested depends. Specifically, the JVM version may be obtained with the java -version command; when the virtual machine version does not meet the predetermined requirement, the whole flow can exit directly.
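The four environment checks above, as an added example that is not code from the patent: it evaluates the first instrumentation condition over inputs the caller has already collected and reports every failed check. The agent file name `agent.jar`, the minimum JVM major version 8, and the `can_switch_to_root` flag standing in for the outcome of the su probe are assumptions; 80% is the example threshold from the text.

```python
import os
import re

MEM_THRESHOLD = 0.80      # example threshold value given in the text (80%)
MIN_JAVA_MAJOR = 8        # assumption: the text only says "predetermined requirement"
AGENT_FILE = "agent.jar"  # hypothetical agent file name

# Constructed sample inputs (not captured from a real host).
SAMPLE_MEMINFO = """MemTotal:       16000000 kB
MemFree:         1000000 kB
MemAvailable:    4000000 kB
"""
SAMPLE_JAVA_8 = 'openjdk version "1.8.0_292"\nOpenJDK Runtime Environment (build 1.8.0_292-b10)\n'
SAMPLE_JAVA_17 = 'openjdk version "17.0.2" 2022-01-18\n'


def memory_usage_ratio(meminfo_text):
    """Used-memory ratio from /proc/meminfo content: 1 - MemAvailable / MemTotal."""
    fields = {}
    for line in meminfo_text.splitlines():
        m = re.match(r"(\w+):\s+(\d+)", line)
        if m:
            fields[m.group(1)] = int(m.group(2))
    if fields.get("MemTotal", 0) <= 0 or "MemAvailable" not in fields:
        raise ValueError("MemTotal/MemAvailable missing from meminfo")
    return 1.0 - fields["MemAvailable"] / fields["MemTotal"]


def java_major_version(version_output):
    """Major version from `java -version` output; handles 1.8.0_292 and 17.0.2 styles."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?', version_output)
    if not m:
        raise ValueError("unrecognised java -version output")
    major = int(m.group(1))
    if major == 1 and m.group(2):
        return int(m.group(2))  # legacy "1.x" scheme: the second field is the major
    return major


def check_environment(can_switch_to_root, agent_dir, meminfo_text, java_version_output):
    """Return the list of failed checks; an empty list means the condition holds."""
    failures = []
    if not can_switch_to_root:
        failures.append("no-root")
    if not os.path.isfile(os.path.join(agent_dir, AGENT_FILE)):
        failures.append("agent-file-missing")
    try:
        if memory_usage_ratio(meminfo_text) > MEM_THRESHOLD:
            failures.append("memory-above-threshold")
    except ValueError:
        failures.append("memory-unknown")  # fail closed when usage cannot be read
    try:
        if java_major_version(java_version_output) < MIN_JAVA_MAJOR:
            failures.append("jvm-version-unsupported")
    except ValueError:
        failures.append("jvm-version-unknown")
    return failures


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, AGENT_FILE), "w").close()
        print(check_environment(True, d, SAMPLE_MEMINFO, SAMPLE_JAVA_8))
        print(check_environment(False, d, SAMPLE_MEMINFO, 'java version "1.7.0_80"'))
```

Unreadable memory or JVM data is treated as a failed check, so the batch flow exits rather than instrumenting a host whose state it could not verify.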
The scheme of the embodiment of the present application is further described below with reference to fig. 3A. FIG. 3A is a flowchart illustrating a process of checking whether the runtime environment and process satisfy instrumentation conditions, according to an example embodiment. Please refer to fig. 3A, which includes the following steps:
Step 301, enter the batch instrumentation flow.
Step 302 is a step of checking whether the operating environment meets the instrumentation conditions, and specifically includes: checking whether a root authority exists, checking whether an agent file exists, checking whether a memory meets requirements and checking whether a java version meets the requirements. If the requirements are not met, step 303 is performed.
Step 303, exit the process.
Step 220, if the operating environment meets the first instrumentation condition, acquiring information related to each application process to be tested, and determining a target application process to be tested meeting a second instrumentation condition in the multiple application processes to be tested according to the information related to each application process to be tested.
The information related to each application process to be tested comprises at least one of the following: startup parameter information of the application process to be tested, the version of the application process to be tested, information on whether the version of the software development kit on which the application process to be tested depends supports security detection, the user ID of the current user, the permissions of the current user, and the agent parameters in the application process to be tested.
Specifically, the security detection object of the embodiment of the application is a web application process constructed based on java; therefore, in the case that the operating environment meets the first instrumentation condition, the application processes to be tested including the parameter "java" may be selected, and information related to the application processes to be tested may be acquired.
After the information related to each application process to be tested is obtained, whether each application process to be tested is taken as a target application process to be tested is decided according to whether the information related to it meets the second instrumentation condition.
In one embodiment of the present application, the second instrumentation condition includes at least one of:
determining that the process type information in the startup parameter information of the application process to be tested is a specified type;
determining, according to the version of the application process to be tested and the information on whether the version of the software development kit on which it depends supports security detection, that both the version of the application process to be tested and the version of the software development kit on which it depends support security detection;
determining that the user name of the user who started the process can be obtained;
determining that the current user has root authority or the user ID of the current user is consistent with the user ID that started the application process to be tested;
and determining that the proxy parameters in the application process to be tested do not include the proxy parameters corresponding to the target proxy process.
The second instrumentation conditions correspond one to one with the items of information related to each application process to be tested. The second instrumentation condition may include all of the above.
In an embodiment of the present application, the determining, according to the information related to each application process to be tested, a target application process to be tested that meets a second instrumentation condition in the multiple application processes to be tested includes:
and if the current application process to be tested fails to meet any one of the second instrumentation conditions, ignoring the current application process to be tested and continuing to judge the next application process to be tested.
When the current application process to be tested fails to meet any one of the second instrumentation conditions, it cannot become a target application process to be tested; the next application process to be tested is then judged to determine whether it can be taken as a target application process to be tested.
A process check is required first. The startup parameter information specifically includes process type information. Specifically, the specified type may be a Tomcat process: whether the process is a Tomcat process can be checked from the startup parameter information; if not, the process is skipped and the next process is checked; if so, further checks on the process may continue.
Version checking is also required. Once the process is determined to be a Tomcat process, it can further be checked whether the version of the Tomcat process and the version of the Java Development Kit (JDK) on which the Tomcat process depends support security detection. If they do not, the process is skipped and the next process is checked; if they do, further checks on the process may continue.
A user check is required next. If the user name of the user who started the process cannot be acquired, the process is skipped and the next process is checked; if it can be acquired, the other checks on the process can continue.
The user ID is the UID (User ID) of the real user, which corresponds uniquely to the user name; on a Linux system, the user logs in with a user name.
A permission check is also required. If the current user has root permission or the user ID of the current user is consistent with the user ID for starting the application process to be tested, the current user has the permission required by the process inspection; and if the current user does not have the root permission and the user ID of the current user is inconsistent with the user ID for starting the application process to be tested, the current user does not have the permission required for checking the process, and the process is skipped at the moment and the next process is checked. That is, only when the current user is a user with root authority or a user starting the application process to be tested, the security check of the application process to be tested can be performed.
Furthermore, agent conflict checks need to be performed. Specifically, whether the application process to be tested already contains java agent parameters is checked; if the java agent parameters are contained in one application process to be tested, it indicates that other agent processes corresponding to the application process to be tested exist, the agent processes may not be used for interactive security detection, and if a corresponding agent process for interactive security detection is created for the application process to be tested, a conflict may be generated, which may result in that interactive security detection cannot be completed normally. Therefore, in case the java agent parameter is already contained in the application process to be tested, the process is skipped and the next process is checked.
Continuing with FIG. 3A, if the requirements are met, step 304 is performed.
Step 304, traverse the processes and acquire Java process information.
Whether each process meets the instrumentation condition is judged according to the acquired information of each Java process.
Step 305 checks whether the process satisfies the instrumentation condition, and specifically includes: the process check, the version check, the user check, the permission check, and the conflict check. If all checks are passed, step 306 is performed.
Step 306, record information of the processes meeting the instrumentation conditions.
What is actually recorded here is the PIDs of the processes that satisfy the instrumentation conditions. The PID (Process Identification) is the process identifier in the operating system.
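The five checks of steps 304 to 306 (process, version, user, permission, agent conflict) can be sketched as a filter over a process table. This is an added example, not code from the patent: the record layout, the `MIN_JDK_MAJOR` threshold, the sample passwd entries and the sample processes are constructed assumptions, and the agent conflict is detected through the JVM's `-javaagent:` option.

```sh
#!/bin/sh
# Added example (not from the patent): second-stage eligibility filter.
# All sample data below is constructed; the record layout is an assumption.

MIN_JDK_MAJOR=8   # placeholder threshold: the page does not state which versions are supported
CUR_UID=1001      # constructed UID of the user running the scan (0 would be root)

# Constructed passwd entries, standing in for the output of `getent passwd`.
PASSWD='root:x:0:0:root:/root:/bin/sh
tomcat:x:1001:1001::/opt/tomcat:/bin/sh
app:x:1002:1002::/home/app:/bin/sh'

# Constructed process table: pid|uid|jdk_major|cmdline (arguments joined by spaces).
PROCS='101|1001|11|java -Dcatalina.home=/opt/tomcat-a org.apache.catalina.startup.Bootstrap start
102|1001|11|java -jar /srv/batch/job.jar
103|1001|7|java -Dcatalina.home=/opt/tomcat-b org.apache.catalina.startup.Bootstrap start
104|4242|11|java -Dcatalina.home=/opt/tomcat-c org.apache.catalina.startup.Bootstrap start
105|1002|11|java -Dcatalina.home=/opt/tomcat-d org.apache.catalina.startup.Bootstrap start
106|1001|11|java -javaagent:/opt/apm/agent.jar -Dcatalina.home=/opt/tomcat-e org.apache.catalina.startup.Bootstrap start'

user_name_for() {   # $1 = uid; prints the user name, or nothing if the uid is unknown
    printf '%s\n' "$PASSWD" | awk -F: -v u="$1" '$3 == u { print $1; exit }'
}

eligibility() {     # $1 = uid that started the process, $2 = jdk major, $3 = cmdline
    # 1. process check: only Tomcat processes are candidates
    case " $3 " in
        *" -Dcatalina.home="*) ;;
        *) echo "skip:not-tomcat"; return 0 ;;
    esac
    # 2. version check: a missing or non-numeric version counts as unsupported
    case "$2" in
        ''|*[!0-9]*) echo "skip:version"; return 0 ;;
    esac
    if [ "$2" -lt "$MIN_JDK_MAJOR" ]; then echo "skip:version"; return 0; fi
    # 3. user check: the starting user's name must be resolvable
    name=$(user_name_for "$1")
    if [ -z "$name" ]; then echo "skip:no-user"; return 0; fi
    # 4. permission check: root, or the same user that started the process
    if [ "$CUR_UID" -ne 0 ] && [ "$CUR_UID" -ne "$1" ]; then
        echo "skip:permission"; return 0
    fi
    # 5. agent conflict check: another agent is already attached
    case " $3 " in
        *" -javaagent:"*) echo "skip:agent-conflict"; return 0 ;;
    esac
    echo "ok"
}

filter_targets() {  # prints the PIDs that pass every check, space-separated
    out=""
    while IFS='|' read -r pid uid jdk cmd; do
        [ -n "$pid" ] || continue
        if [ "$(eligibility "$uid" "$jdk" "$cmd")" = "ok" ]; then
            out="$out${out:+ }$pid"
        fi
    done <<EOF
$PROCS
EOF
    echo "$out"
}

report() {          # one "pid verdict" line per process, for the log
    while IFS='|' read -r pid uid jdk cmd; do
        [ -n "$pid" ] || continue
        echo "$pid $(eligibility "$uid" "$jdk" "$cmd")"
    done <<EOF
$PROCS
EOF
}

report
echo "targets: $(filter_targets)"
```

Recording the reason for each skipped process, rather than only the surviving PIDs, makes it possible to audit later why a given Tomcat instance was left uninstrumented.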
Step 230, create a corresponding target agent process for each target application process to be tested through instrumentation, so that the target agent process collects information in the corresponding target application process to be tested and sends the collected information to a security detection engine for security detection.
The instrumentation may be accomplished by running an instrumentation command. The target agent process sends the collected information to a security detection engine so that interactive security detection can be carried out.
In an embodiment of the present application, the creating, through instrumentation, a corresponding target agent process for each target application process to be tested includes:
for each target application process to be tested, creating through instrumentation a target agent process capable of communicating with that target application process to be tested, so that the target agent process collects information in the target application process to be tested and sends the collected information to a security detection engine for security detection.
In this embodiment of the application, the target application processes to be tested are instrumented one by one.
An agent file is installed for each target application process to be tested through the su command, and a corresponding target agent process is started for it; each target agent process can collect information in its corresponding target application process to be tested and send the collected information to the security detection engine.
Specifically, the information acquired by the target agent process from the corresponding target application process to be tested may include information such as a request received by the target application process to be tested and an IP address of a requester sending the request.
During instrumentation, the embodiment of the application further judges whether the instrumentation succeeded.
In an embodiment of the present application, the multi-application security detection method further includes:
when a target application process to be tested is instrumented, traversing the processes other than the target application process to be tested to judge whether a target agent process corresponding to the target application process to be tested exists;
if not, recording an error log and exiting.
After a target application process to be tested is instrumented, a target agent process corresponding to it is generated if the instrumentation succeeded. If no such target agent process exists, the instrumentation has failed; the cause of the error can then be analyzed from the recorded error log so as to repair the target agent process.
In an embodiment of the present application, the multi-application security detection method further includes:
when a target application process to be tested is instrumented, trying to access a port of the target application process to be tested;
and if the port of the target application process to be tested cannot be accessed, recording an error log, stopping all the created target agent processes, and exiting.
In an embodiment of the present application, recording an error log if the port of the target application process to be tested cannot be accessed includes: recording an error log if the port still cannot be accessed once the number of attempts to access the port of the target application process to be tested reaches a predetermined number.
The predetermined number may be set according to actual needs, for example, 50. The port of the target application process to be tested is then tried at most 50 times; if access still fails, an error log is recorded, all the created target agent processes are stopped, and the procedure exits.
If the port of the target application process to be tested cannot be accessed after multiple attempts, the target agent process is affecting the normal operation of the target application process to be tested. Stopping all the created target agent processes at this point removes the factors affecting that normal operation, gives priority to keeping the target application process to be tested running normally, and prevents normal business on it from being affected.
FIG. 3B is a flow diagram illustrating instrumentation of a process according to an exemplary embodiment. Referring to FIG. 3B, the flow includes the following steps:
Step 310, obtain the filtered process PID array.
The process PID array stores the PIDs of the processes meeting the instrumentation conditions.
Step 320, acquire process information according to the process PID.
Specifically, the process information may be acquired according to the process PID by the following code (tomcat_uid is the UID of the user who started the process):
java_path=$(readlink -f /proc/$pid/exe)   # JVM binary the target process is running
tomcat_home=$(strings /proc/$pid/cmdline | awk -F= '/-Dcatalina.home/{print $2}')   # value of -Dcatalina.home
tomcat_user=$(getent passwd "$tomcat_uid" | awk -F: '{print $1}')   # user name for that UID
The instrumentation command may be generated according to the acquired process information. Specifically, the following instrumentation command may be generated:
su - "$tomcat_user" -c "$java_path -jar installAgent.jar $tomcat_home"
Step 330, execute the instrumentation commands one by one.
The instrumentation commands are executed one by one on the processes indicated by the PIDs, thereby creating target agent processes capable of communicating with those processes.
Step 340, traverse the processes and judge whether there is an agent process corresponding to the current process.
If so, go to step 360; if not, step 350 is performed.
Step 350, exit the procedure and record an error log.
Step 360, determine whether the port of the instrumented process can be accessed.
If not, go to step 370; if so, step 380 is executed.
Step 370, exit the procedure, record an error log and stop all agent processes.
Step 380, enter the interactive detection process.
Interactive security detection is carried out through the created agent processes.
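The verification in steps 340 to 370 has two different failure paths: a missing agent only logs and exits, while an unreachable port also rolls back every agent created so far. The added example below, which is not code from the patent, shows that control flow with the page's example limit of 50 attempts; the tables `AGENTS` and `PORT_UP_AFTER` and the `probe_port` function are hypothetical stand-ins for the live process traversal and a real TCP connection attempt.

```sh
#!/bin/sh
# Added example (not from the patent): verification after instrumentation, with rollback.
# Process and port state is simulated with constructed tables so the flow runs offline.

MAX_TRIES=50                       # the page's example value for the attempt limit
AGENTS="101:9001 105:9005"         # constructed: target pid -> agent pid found by the traversal
PORT_UP_AFTER="101:3 105:never"    # constructed: probe number at which each port first answers
ERROR_LOG=""                       # a real script would append to a log file
STOPPED=""                         # agent pids stopped during rollback

lookup() {            # $1 = key, $2 = "key:value ..." list; prints the value, or nothing
    for kv in $2; do
        if [ "${kv%%:*}" = "$1" ]; then echo "${kv#*:}"; return 0; fi
    done
    return 0
}

log_error() { ERROR_LOG="${ERROR_LOG}$1;"; }

probe_port() {        # hypothetical probe: $1 = target pid, $2 = attempt number
    need=$(lookup "$1" "$PORT_UP_AFTER")
    case "$need" in ''|never) return 1 ;; esac
    [ "$2" -ge "$need" ]
}

wait_for_port() {     # returns 0 once the port answers, 1 after MAX_TRIES failed probes
    attempt=1
    while [ "$attempt" -le "$MAX_TRIES" ]; do
        if probe_port "$1" "$attempt"; then ATTEMPTS=$attempt; return 0; fi
        attempt=$((attempt + 1))   # a real script would also sleep between attempts
    done
    ATTEMPTS=$MAX_TRIES
    return 1
}

stop_all_agents() {   # rollback covers every created agent, not only the failing one
    for kv in $AGENTS; do
        STOPPED="$STOPPED${STOPPED:+ }${kv#*:}"   # a real script would stop this pid
    done
}

verify_targets() {    # $1 = instrumented pids; returns 0 ok, 1 agent missing, 2 port dead
    for pid in $1; do
        agent=$(lookup "$pid" "$AGENTS")
        if [ -z "$agent" ]; then
            log_error "no agent process for pid $pid"
            return 1
        fi
        if ! wait_for_port "$pid"; then
            log_error "port of pid $pid unreachable after $MAX_TRIES attempts"
            stop_all_agents
            return 2
        fi
    done
    return 0
}

rc=0
verify_targets "101 105" || rc=$?
echo "rc=$rc stopped=[$STOPPED] log=[$ERROR_LOG]"
```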
The scheme of the embodiment of the present application is further described below with reference to FIG. 4. FIG. 4 is a schematic overall flow chart illustrating security detection of an application process to be tested according to an exemplary embodiment. As shown in FIG. 4, the following process may be included:
Step 410, start the application process to be tested.
After the application process to be tested is started, automatic batch instrumentation is executed, which includes the following steps:
Step 420, check whether the environment meets the instrumentation condition.
The environment of the application process to be tested is checked.
Step 430, obtain the process name.
Step 440, analyze whether the process meets the instrumentation condition.
Step 450, execute instrumentation commands in batches according to the process ID.
Step 460, check the instrumentation status.
If the instrumentation fails, go to step 470; if the instrumentation is successful, step 480 is performed.
Step 470, record a log and stop the process.
Step 480, perform interactive detection.
In conclusion, the multi-application security detection method provided by the embodiment of the application realizes automatic batch instrumentation, which is convenient for users and saves their time. On this basis, security detection is carried out based on the information collected by the target agent processes, which significantly improves the efficiency of security detection and shortens the time required by the whole interactive detection process, so that users can put more energy into investigating and repairing vulnerabilities.
The application also provides a multi-application security detection apparatus; the apparatus embodiment of the application follows.
FIG. 5 is a block diagram illustrating a multi-application security detection apparatus in accordance with an exemplary embodiment. As shown in fig. 5, the apparatus 500 includes:
a detecting module 510 configured to detect whether the running environments of the multiple application processes to be tested satisfy a first instrumentation condition after the multiple application processes to be tested are started;
an obtaining and determining module 520, configured to obtain information related to each application process to be tested if the running environment meets the first instrumentation condition, and determine, according to the information related to each application process to be tested, a target application process to be tested that meets a second instrumentation condition among the application processes to be tested, where the information related to each application process to be tested includes at least one of the following: start parameter information of the application process to be tested, the version of the application process to be tested, information on whether the version of the software development kit on which the application process to be tested depends supports security detection, the user ID of the current user, the permission of the current user, and agent parameters in the application process to be tested;
and the instrumentation module 530 is configured to create a corresponding target agent process for each target application process to be tested through instrumentation, so that the target agent process collects information in the corresponding target application process to be tested, and sends the collected information to the security detection engine for security detection.
According to a third aspect of the present application, there is also provided an electronic device capable of implementing the above method.
As will be appreciated by one skilled in the art, aspects of the present application may be embodied as a system, method or program product. Accordingly, various aspects of the present application may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.), or an embodiment combining hardware and software aspects that may all generally be referred to herein as a "circuit," "module" or "system."
An electronic device 600 according to this embodiment of the present application is described below with reference to fig. 6. The electronic device 600 shown in fig. 6 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present application.
As shown in fig. 6, the electronic device 600 is embodied in the form of a general purpose computing device. The components of the electronic device 600 may include, but are not limited to: the at least one processing unit 610, the at least one memory unit 620, and a bus 630 that couples the various system components including the memory unit 620 and the processing unit 610.
Wherein the storage unit stores program code that can be executed by the processing unit 610, such that the processing unit 610 performs the steps according to various exemplary embodiments of the present application described in the section "example methods" above in this specification.
The storage unit 620 may include readable media in the form of volatile memory units, such as a random access memory unit (RAM) 621 and/or a cache memory unit 622, and may further include a read only memory unit (ROM) 623.
The storage unit 620 may also include a program/utility 624 having a set (at least one) of program modules 625, such program modules 625 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
Bus 630 may be one or more of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 600 may also communicate with one or more external devices 800 (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 600, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 600 to communicate with one or more other computing devices. Such communication may occur via an input/output (I/O) interface 650, such as with a display unit 640. Also, the electronic device 600 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the Internet) via the network adapter 660. As shown, the network adapter 660 communicates with the other modules of the electronic device 600 over the bus 630. It should be appreciated that although not shown in the figures, other hardware and/or software modules may be used in conjunction with the electronic device 600, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present application can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which can be a CD-ROM, a USB disk, a removable hard disk, etc.) or on a network, and includes several instructions to make a computing device (which can be a personal computer, a server, a terminal device, or a network device, etc.) execute the method according to the embodiments of the present application.
According to a fourth aspect of the present application, there is also provided a computer-readable storage medium having stored thereon a program product capable of implementing the above-described method of the present specification. In some possible embodiments, the various aspects of the present application may also be implemented in the form of a program product comprising program code for causing a terminal device to perform the steps according to various exemplary embodiments of the present application described in the above section "exemplary method" of this specification, when said program product is run on the terminal device.
Referring to fig. 7, a program product 700 for implementing the above method according to an embodiment of the present application is described, which may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on a terminal device, such as a personal computer. However, the program product of the present application is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
Furthermore, the above-described figures are merely schematic illustrations of processes involved in methods according to exemplary embodiments of the present application, and are not intended to be limiting. It will be readily appreciated that the processes illustrated in the above figures are not intended to indicate or limit the temporal order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
It will be understood that the present application is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (10)

1. A multi-application security detection method, the method comprising:
after a plurality of application processes to be tested are started, detecting whether the running environments of the application processes to be tested meet a first instrumentation condition;
if the running environment meets the first instrumentation condition, acquiring information related to each application process to be tested, and determining, according to the information related to each application process to be tested, a target application process to be tested that meets a second instrumentation condition among the multiple application processes to be tested, wherein the information related to each application process to be tested comprises at least one of the following items: start parameter information of the application process to be tested, the version of the application process to be tested, information on whether the version of the software development kit on which the application process to be tested depends supports security detection, the user ID of the current user, the permission of the current user, and agent parameters in the application process to be tested;
and creating, through instrumentation, a corresponding target agent process for each target application process to be tested, so that the target agent process collects information in the corresponding target application process to be tested and sends the collected information to a security detection engine for security detection.
2. The method according to claim 1, wherein the detecting whether the running environments of the plurality of application processes to be tested satisfy the first instrumentation condition comprises at least one of:
detecting whether the user can be switched to a root user through a su command;
detecting whether an agent file for creating an agent process exists in a specified directory;
detecting whether the current memory occupation ratio reaches a preset memory occupation ratio threshold value or not;
and detecting whether the virtual machine version on which the running of the application process to be tested depends meets a preset requirement.
3. The method of claim 1, wherein the second instrumentation condition comprises at least one of:
determining that the process type information in the start parameter information of the application process to be tested is a specified type;
determining, according to the version of the application process to be tested and the information on whether the version of the software development kit on which the application process to be tested depends supports security detection, that the version of the application process to be tested and the version of that software development kit support security detection;
determining that the user name of the user who started the process can be acquired;
determining that the current user has root permission or that the user ID of the current user matches the user ID that started the application process to be tested;
and determining that the agent parameters in the application process to be tested do not include agent parameters corresponding to the target agent process.
4. The method according to claim 3, wherein the determining a target application process to be tested among the plurality of application processes to be tested that satisfies the second instrumentation condition according to the information related to each application process to be tested comprises:
if the current application process to be tested fails to meet any one of the second instrumentation conditions, ignoring the current application process to be tested and proceeding to evaluate the next application process to be tested.
5. The method of claim 1, further comprising:
when a target application process to be tested is instrumented, traversing the processes other than the target application process to be tested to judge whether a target agent process corresponding to the target application process to be tested exists;
if not, recording an error log and exiting.
6. The method according to any one of claims 1-5, further comprising:
when a target application process to be tested is instrumented, trying to access a port of the target application process to be tested;
and if the port of the target application process to be tested cannot be accessed, recording an error log, stopping all the created target agent processes, and exiting.
7. The method of claim 1, wherein creating a corresponding target agent process for each target application process to be tested through instrumentation comprises:
for each target application process to be tested, creating through instrumentation a target agent process capable of communicating with that target application process to be tested, so that the target agent process collects information in the target application process to be tested and sends the collected information to a security detection engine for security detection.
8. A multi-application security detection apparatus, the apparatus comprising:
the device comprises a detection module, a first execution module and a second execution module, wherein the detection module is configured to detect whether the running environment of a plurality of application processes to be tested meets a first instrumentation condition after the plurality of application processes to be tested are started;
an obtaining and determining module, configured to obtain information related to each application process to be tested if the running environment meets the first instrumentation condition, and determine, according to the information related to each application process to be tested, a target application process to be tested that meets a second instrumentation condition among the application processes to be tested, where the information related to each application process to be tested includes at least one of: start parameter information of the application process to be tested, the version of the application process to be tested, information on whether the version of the software development kit on which the application process to be tested depends supports security detection, the user ID of the current user, the permission of the current user, and agent parameters in the application process to be tested;
and the instrumentation module is configured to create corresponding target agent processes for the target application processes to be tested through instrumentation so that the target agent processes collect information in the corresponding target application processes to be tested and send the collected information to the security detection engine for security detection.
9. A computer-readable program medium, characterized in that it stores computer program instructions which, when executed by a computer, cause the computer to perform the method according to any one of claims 1 to 7.
10. An electronic device, characterized in that the electronic device comprises:
a processor;
a memory having stored thereon computer readable instructions which, when executed by the processor, implement the method of any of claims 1 to 7.
CN202211130378.4A 2022-09-16 2022-09-16 Multi-application security detection method, device, medium and electronic equipment Pending CN115454856A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211130378.4A CN115454856A (en) 2022-09-16 2022-09-16 Multi-application security detection method, device, medium and electronic equipment

Publications (1)

Publication Number Publication Date
CN115454856A true CN115454856A (en) 2022-12-09

Family

ID=84304377

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211130378.4A Pending CN115454856A (en) 2022-09-16 2022-09-16 Multi-application security detection method, device, medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN115454856A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116226846A (en) * 2022-12-28 2023-06-06 北京火山引擎科技有限公司 Safety detection method, device and equipment for container

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination