CN106295348A - The leak detection method of application program and device - Google Patents

The leak detection method of application program and device Download PDF

Info

Publication number
CN106295348A
CN106295348A CN201510289736.XA CN201510289736A CN106295348A CN 106295348 A CN106295348 A CN 106295348A CN 201510289736 A CN201510289736 A CN 201510289736A CN 106295348 A CN106295348 A CN 106295348A
Authority
CN
China
Prior art keywords
function
cfg
application program
branch
description information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201510289736.XA
Other languages
Chinese (zh)
Other versions
CN106295348B (en
Inventor
孙伟超
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba Group Holding Ltd filed Critical Alibaba Group Holding Ltd
Priority to CN201510289736.XA priority Critical patent/CN106295348B/en
Publication of CN106295348A publication Critical patent/CN106295348A/en
Application granted granted Critical
Publication of CN106295348B publication Critical patent/CN106295348B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033Test or assess software

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

The invention discloses leak detection method and the device of a kind of application program.Wherein, the method includes: the installation file of application program to be detected is converted to code file;Obtaining the description information of specified function, wherein, described specified function is the function for reflecting appointment behavior;According to described description information, determine in described code file and specify the first kind function describing information matches, and according to described first kind function, the leak of described application program being detected.By technique scheme, solve Hole Detection scheme and have that efficiency is low and the incomplete technical problem of testing result.

Description

应用程序的漏洞检测方法及装置Application program vulnerability detection method and device

技术领域technical field

本发明涉及漏洞检测领域,具体而言,涉及一种应用程序的漏洞检测方法及装置。The present invention relates to the field of loophole detection, in particular to a method and device for loophole detection of application programs.

背景技术Background technique

随着智能移动终端的快速发展,基于移动操作系统的应用程序也层出不穷,但是,由于开发者众多,应用程序中不可避免地存在安全漏洞。例如,在Android应用程序存在的漏洞中,有一类影响面比较广的漏洞就是Java空指针(Null Pointer)拒绝服务(Denial Of Service,简称为DOS)漏洞(以下简称DOS漏洞)。这一类漏洞多是由于程序在调用一些系统API的时候处理参数不当造成的程序崩溃,导致正常功能无法使用从而导致DOS。With the rapid development of smart mobile terminals, applications based on mobile operating systems emerge in endlessly. However, due to the large number of developers, there are inevitably security holes in the applications. For example, among the vulnerabilities in Android applications, there is a kind of vulnerability that has a wide impact and is the Java Null Pointer (Null Pointer) denial of service (Denial Of Service, abbreviated as DOS) vulnerability (hereinafter referred to as DOS vulnerability). This type of vulnerability is mostly caused by the program crash caused by improper handling of parameters when the program calls some system APIs, resulting in the inability to use normal functions and resulting in DOS.

目前检测这类漏洞的主要方式是模糊测试(Fuzz Testing),即通过向目标程序的所有可能入口发送随机数据,并观察程序是否会出现异常。如图1所示,Fuzz监测程序是否存在漏洞的原理如下;At present, the main way to detect such vulnerabilities is fuzz testing (Fuzz Testing), that is, by sending random data to all possible entries of the target program and observing whether the program will appear abnormal. As shown in Figure 1, the principles of Fuzz monitoring programs for vulnerabilities are as follows;

用于做畸变的样本(sample)被读入Fuzz框架(framework),经过分析交给转换模块(mutation)进行随机化的变异,之后通过桥接部分(bridge)传递给目标程序(target),此时目标应用程序运行在自己的平台(Platform runtime)上,Fuzz框架通过监测模块(monitor)监测目标应用程序的运行状态,发现异常时记录到日志(logger)中。The sample used for distortion is read into the Fuzz framework (framework), analyzed and handed over to the transformation module (mutation) for randomized mutation, and then passed to the target program (target) through the bridge part. At this time The target application program runs on its own platform (Platform runtime), and the Fuzz framework monitors the running status of the target application program through the monitoring module (monitor), and records it in the log (logger) when an exception is found.

这种方式由于依赖程序的具体执行情况,不能保证遍历所有程序的代码分支,发现漏洞的效率较低,并且由于每秒可能产生几百甚至上千个Fuzz用例,即使检测到目标程序的异常也需要花费很多的精力重现异常以确定漏洞具体存在的点以及能够产生的影响。而且由于目标程序是在目标平台上执行,有些比较深的程序分支很难被查找到。Because this method depends on the specific execution of the program, it cannot guarantee to traverse all the code branches of the program, and the efficiency of finding vulnerabilities is low, and because hundreds or even thousands of Fuzz use cases may be generated per second, even if the abnormality of the target program is detected It takes a lot of effort to reproduce the anomaly to determine exactly where the vulnerability exists and what impact it can have. And because the target program is executed on the target platform, some relatively deep program branches are difficult to be found.

针对上述的问题,目前尚未提出有效的解决方案。For the above problems, no effective solution has been proposed yet.

发明内容Contents of the invention

本发明实施例提供了一种应用程序的漏洞检测方法及装置,以至少解决漏洞检测方案存在效率低、且检测结果不全面等技术问题。Embodiments of the present invention provide a method and device for detecting a vulnerability of an application program, so as to at least solve technical problems such as low efficiency and incomplete detection results in the vulnerability detection scheme.

根据本发明实施例的一个方面,提供了一种应用程序的漏洞检测方法,包括:将待检测应用程序的安装文件转换为代码文件;获取指定函数的描述信息,其中,所述指定函数为用于反映指定行为的函数;依据所述描述信息,在所述代码文件中确定与指定描述信息匹配的第一类函数,并依据所述第一类函数对所述应用程序的漏洞进行检测。According to an aspect of the embodiments of the present invention, a method for detecting application vulnerabilities is provided, including: converting the installation file of the application to be detected into a code file; obtaining description information of a specified function, wherein the specified function is A function reflecting the specified behavior; according to the description information, determine a first type of function matching the specified description information in the code file, and detect the loopholes of the application program according to the first type of function.

根据本发明实施例的另一方面,还提供了一种应用程序的漏洞检测装置,包括:转换模块,用于将待检测应用程序的安装文件转换为代码文件;获取模块,用于获取指定函数的描述信息,其中,所述指定函数为用于反映指定行为的函数;检测模块,用于依据所述描述信息,在所述代码文件中确定与指定描述信息匹配的第一类函数,并依据所述第一类函数对所述应用程序的漏洞进行检测。According to another aspect of the embodiments of the present invention, there is also provided an application program vulnerability detection device, including: a conversion module, which is used to convert the installation file of the application program to be tested into a code file; an acquisition module, which is used to acquire the specified function The description information, wherein, the specified function is a function used to reflect the specified behavior; the detection module is used to determine the first type of function matching the specified description information in the code file according to the description information, and according to the description information The first type of function detects the vulnerability of the application program.

在本发明实施例中,采用将应用程序的安装文件转换为代码文件并从该代码文件中查找用于反映指定行为的函数,以及依据描述信息与指定描述信息匹配的第一类函数对应用程序的漏洞进行检测的方式,达到了通过静态分析的方式进行漏洞检测的目的,同时,由于是以应用程序的代码文件为基础进行检测,可以对代码文件中的各个分支进行遍历检测,因此,可以使得检测结果更加全面,进而解决了漏洞检测方案存在的效率低且检测结果不全面等技术问题。In the embodiment of the present invention, the installation file of the application program is converted into a code file and the function used to reflect the specified behavior is searched from the code file, and the application program is processed according to the first type of function that matches the description information with the specified description information. The method of detecting the loopholes of the system achieves the purpose of loophole detection through static analysis. At the same time, because the detection is based on the code file of the application program, each branch in the code file can be traversed and detected. Therefore, it is possible to The detection result is more comprehensive, and then technical problems such as low efficiency and incomplete detection results of the vulnerability detection scheme are solved.

附图说明Description of drawings

此处所说明的附图用来提供对本发明的进一步理解,构成本申请的一部分,本发明的示意性实施例及其说明用于解释本发明,并不构成对本发明的不当限定。在附图中:The accompanying drawings described here are used to provide a further understanding of the present invention and constitute a part of the application. The schematic embodiments of the present invention and their descriptions are used to explain the present invention and do not constitute improper limitations to the present invention. In the attached picture:

图1是根据相关技术的一种利用Fuzz监测应用程序的原理示意图;Fig. 1 is a schematic diagram of the principle of using Fuzz to monitor an application program according to related technologies;

图2是本发明实施例的一种用于实现应用程序的漏洞检测方法的计算机终端的硬件结构框图;FIG. 2 is a block diagram of the hardware structure of a computer terminal for implementing a method for detecting vulnerabilities of application programs according to an embodiment of the present invention;

图3是根据本发明实施例的一种可选的应用程序的漏洞检测方法的示意图;FIG. 3 is a schematic diagram of an optional application program vulnerability detection method according to an embodiment of the present invention;

图4是根据本发明实施例的一种可选的第一CFG的生成过程示意图;FIG. 4 is a schematic diagram of an optional first CFG generation process according to an embodiment of the present invention;

图5是根据本发明实施例的一种CFG的示意图;Fig. 5 is a schematic diagram of a CFG according to an embodiment of the present invention;

图6是根据本发明实施例的一种可选的应用程序的漏洞检测方法的另一示意图;FIG. 6 is another schematic diagram of an optional application vulnerability detection method according to an embodiment of the present invention;

图7是根据本发明实施例的一种可选的应用程序的漏洞检测装置的示意图;FIG. 7 is a schematic diagram of an optional application program vulnerability detection device according to an embodiment of the present invention;

图8是根据本发明实施例的一种可选的应用程序的漏洞检测装置的另一示意图;FIG. 8 is another schematic diagram of an optional application program vulnerability detection device according to an embodiment of the present invention;

图9是根据本发明实施例的一种计算机终端的结构框图。Fig. 9 is a structural block diagram of a computer terminal according to an embodiment of the present invention.

具体实施方式detailed description

为了使本技术领域的人员更好地理解本发明方案,下面将结合本发明实施例中的附图,对本发明实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例仅仅是本发明一部分的实施例,而不是全部的实施例。基于本发明中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都应当属于本发明保护的范围。In order to enable those skilled in the art to better understand the solutions of the present invention, the following will clearly and completely describe the technical solutions in the embodiments of the present invention in conjunction with the drawings in the embodiments of the present invention. Obviously, the described embodiments are only It is an embodiment of a part of the present invention, but not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by persons of ordinary skill in the art without making creative efforts shall fall within the protection scope of the present invention.

需要说明的是,本发明的说明书和权利要求书及上述附图中的术语“第一”、“第二”等是用于区别类似的对象,而不必用于描述特定的顺序或先后次序。应该理解这样使用的数据在适当情况下可以互换,以便这里描述的本发明的实施例能够以除了在这里图示或描述的那些以外的顺序实施。此外,术语“包括”和“具有”以及他们的任何变形,意图在于覆盖不排他的包含,例如,包含了一系列步骤或单元的过程、方法、系统、产品或设备不必限于清楚地列出的那些步骤或单元,而是可包括没有清楚地列出的或对于这些过程、方法、产品或设备固有的其它步骤或单元。It should be noted that the terms "first" and "second" in the description and claims of the present invention and the above drawings are used to distinguish similar objects, but not necessarily used to describe a specific sequence or sequence. It is to be understood that the data so used are interchangeable under appropriate circumstances such that the embodiments of the invention described herein can be practiced in sequences other than those illustrated or described herein. Furthermore, the terms "comprising" and "having", as well as any variations thereof, are intended to cover a non-exclusive inclusion, for example, a process, method, system, product or device comprising a sequence of steps or elements is not necessarily limited to the expressly listed instead, may include other steps or elements not explicitly listed or inherent to the process, method, product or apparatus.

实施例1Example 1

根据本发明实施例,还提供了一种应用程序的漏洞检测方法的方法实施例,需要说明的是,在附图的流程图示出的步骤可以在诸如一组计算机可执行指令的计算机系统中执行,并且,虽然在流程图中示出了逻辑顺序,但是在某些情况下,可以以不同于此处的顺序执行所示出或描述的步骤。According to an embodiment of the present invention, a method embodiment of a vulnerability detection method for an application program is also provided. It should be noted that the steps shown in the flow chart of the accompanying drawings can be implemented in a computer system such as a set of computer-executable instructions and, although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in an order different from that shown or described herein.

本申请实施例一所提供的方法实施例可以在移动终端、计算机终端或者类似的运算装置中执行。以运行在计算机终端上为例,图2是本发明实施例的一种用于实现应用程序的漏洞检测方法的计算机终端的硬件结构框图。如图2所示,计算机终端20可以包括一个或多个(图中仅示出一个)处理器202(处理器202可以包括但不限于微处理器MCU或可编程逻辑器件FPGA等的处理装置)、用于存储数据的存储器204、以及用于通信功能的传输装置206。本领域普通技术人员可以理解,图2所示的结构仅为示意,其并不对上述电子装置的结构造成限定。例如,计算机终端20还可包括比图2中所示更多或者更少的组件,或者具有与图2所示不同的配置。The method embodiment provided in Embodiment 1 of the present application may be executed in a mobile terminal, a computer terminal, or a similar computing device. Taking running on a computer terminal as an example, FIG. 2 is a block diagram of a hardware structure of a computer terminal for implementing a method for detecting a vulnerability of an application program according to an embodiment of the present invention. As shown in Figure 2, the computer terminal 20 may include one or more (only one is shown in the figure) processors 202 (the processor 202 may include but not limited to processing devices such as microprocessor MCU or programmable logic device FPGA, etc.) , a memory 204 for storing data, and a transmission device 206 for a communication function. Those of ordinary skill in the art can understand that the structure shown in FIG. 2 is only a schematic diagram, which does not limit the structure of the above-mentioned electronic device. For example, computer terminal 20 may also include more or fewer components than shown in FIG. 2 , or have a different configuration than that shown in FIG. 2 .

存储器204可用于存储应用软件的软件程序以及模块,如本发明实施例中的应用程序的漏洞检测方法对应的程序指令/模块,处理器202通过运行存储在存储器204内的软件程序以及模块,从而执行各种功能应用以及数据处理,即实现上述的应用程序的漏洞检测方法。存储器204可包括高速随机存储器,还可包括非易失性存储器,如一个或者多个磁性存储装置、闪存、或者其他非易失性固态存储器。在一些实例中,存储器204可进一步包括相对于处理器202远程设置的存储器,这些远程存储器可以通过网络连接至计算机终端20。上述网络的实例包括但不限于互联网、企业内部网、局域网、移动通信网及其组合。The memory 204 can be used to store software programs and modules of application software, such as program instructions/modules corresponding to the application program vulnerability detection method in the embodiment of the present invention, and the processor 202 runs the software programs and modules stored in the memory 204, thereby Executing various functional applications and data processing, that is, realizing the above-mentioned vulnerability detection method of the application program. The memory 204 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 204 may further include a memory that is remotely located relative to the processor 202 , and these remote memories may be connected to the computer terminal 20 through a network. Examples of the aforementioned networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.

传输装置206用于经由一个网络接收或者发送数据。上述的网络具体实例可包括计算机终端20的通信供应商提供的无线网络。在一个实例中,传输装置206包括一个网络适配器(Network Interface Controller,NIC),其可通过基站与其他网络设备相连从而可与互联网进行通讯。在一个实例中,传输装置206可以为射频(RadioFrequency,RF)模块,其用于通过无线方式与互联网进行通讯。The transmission device 206 is used to receive or transmit data via a network. The specific example of the above-mentioned network may include a wireless network provided by the communication provider of the computer terminal 20 . In one example, the transmission device 206 includes a network adapter (Network Interface Controller, NIC), which can be connected to other network devices through a base station so as to communicate with the Internet. In one example, the transmission device 206 may be a radio frequency (Radio Frequency, RF) module, which is used to communicate with the Internet in a wireless manner.

在上述运行环境下,本申请提供了如图3所示的应用程序的漏洞检测方法。图3是根据本发明实施例一的应用程序的漏洞检测方法的流程图。如图3所示,该方法包括:Under the above operating environment, the present application provides a vulnerability detection method for an application program as shown in FIG. 3 . FIG. 3 is a flowchart of a method for detecting application vulnerabilities according to Embodiment 1 of the present invention. As shown in Figure 3, the method includes:

步骤S302,将待检测应用程序的安装文件转换为代码文件;Step S302, converting the installation file of the application program to be detected into a code file;

对于该处理步骤,可以通过相关技术中的解决方案实现,例如,对于安卓应用程序的安装包文件,可以通过APKTool将应用程序的安装包(Android Package,简称为APK)文件转换成smali代码;其中,APKTool是谷歌(GOOGLE)提供的APK编译工具,能够反编译及回编译apk,同时安装反编译系统apk所需要的framework-res框架,清理反编译文件等功能,smali为安卓系统中Java虚拟机(Dalvik)所使用的一种.dex格式文件的汇编器。通过步骤S302,实现了将安装包文件转换为代码文件,为后续的静态分析提供了依据。For this processing step, it can be realized by solutions in related technologies. For example, for the installation package file of the Android application program, the installation package (Android Package, referred to as APK) file of the application program can be converted into smali code by APKTool; , APKTool is an APK compilation tool provided by Google (GOOGLE), which can decompile and recompile apk, and at the same time install the framework-res framework required by the decompilation system apk, clean up decompiled files and other functions, smali is the Java virtual machine in the Android system An assembler for .dex format files used by (Dalvik). Through step S302, the installation package file is converted into a code file, which provides a basis for subsequent static analysis.

需要说明的是,上述代码文件并不限于汇编文件,还可以表现为源代码文件等底层代码文件(即可执行的代码文件)。在实际应用中,由于源代码文件不易获取,可以优先转换为汇编代码文件等。It should be noted that the above-mentioned code files are not limited to assembly files, and may also appear as low-level code files (ie, executable code files) such as source code files. In practical applications, since source code files are not easy to obtain, they can be converted to assembly code files first.

步骤S304,获取指定函数的描述信息,其中,该指定函数为用于反映指定行为的函数。Step S304, obtaining description information of a designated function, wherein the designated function is a function used to reflect a designated behavior.

可选地,在执行步骤S304的过程中,可以包括一个查找上述指定函数的步骤,即可以从上述代码文件中查找用于反映指定行为的函数;当然也可以在具体的漏洞检测过程中不执行该查找步骤。Optionally, in the process of executing step S304, a step of searching for the above-mentioned specified function may be included, that is, the function for reflecting the specified behavior may be searched from the above-mentioned code file; of course, it may not be executed in the specific vulnerability detection process The lookup step.

此处的指定行为可以表现为函数所执行的功能类型,即函数类型。对于该处理步骤,针对不同类型的漏洞检测,可以使用用于反映不同行为的函数,例如在检测dos漏洞时,可以在利用应用程序安装包转换得到的汇编文件中的API函数进行检测。The specified behavior here can be expressed as the type of function performed by the function, that is, the function type. For this processing step, for different types of vulnerability detection, functions for reflecting different behaviors can be used. For example, when detecting dos vulnerabilities, API functions in the assembly file converted from the application installation package can be used for detection.

可选地,对于上述指定函数的描述信息的获取方式有多种,例如可以从网络侧的开源文档中获取上述函数的描述信息,具体可以通过网络爬虫的方式从上述开源文档中爬取上述描述信息。为便于理解,以下以利用安卓应用程序中的API函数检测dos漏洞为例进行说明:Optionally, there are many ways to obtain the description information of the above specified function. For example, the description information of the above function can be obtained from the open source document on the network side. Specifically, the above description can be crawled from the above open source document by means of a web crawler. information. For ease of understanding, the following uses the API function in the Android application to detect DOS vulnerabilities as an example:

在Google Android API文档中找出可能返回空值(NULL)的API。由于GoogleAndroid的API文档是公开的,并且格式统一,描述规范,因此,可以通过抓取这些文档并分析其中的内容来找出可能返回NULL的API。Find APIs that may return NULL in the Google Android API documentation. Since GoogleAndroid's API documents are public, with a uniform format and standardized descriptions, APIs that may return NULL can be found by crawling these documents and analyzing their contents.

例如:利用以下程序中的返回值描述信息确定所需要的API:For example: Use the return value description information in the following program to determine the required API:

public Bundle getBundleExtra(String name)public Bundle getBundleExtra(String name)

Retrieve extended data from the intent.Retrieve extended data from the intent.

ParametersParameters

name The name of the des ired item.name The name of the des ired item.

Returnsreturns

the value of an item that previous ly added wi th putExtra()or null if no Bundle value was found. the value of an item that previously ly added with putExtra() or null if no Bundle value was found .

See AlsoSee Also

putextra(String,Bundle)putextra(String, Bundle)

以上是一段Google API文档的中的程序,文档中描述了getBundleExtra这一函数的参数、功能以及返回值。其中返回值部分(划线部分)明确指出此函数可能返回null,由于Google的API文档格式是比较标准和规范的,所有可能返回null的API都会在返回值描述中说明(见上述程序代码中的划线部分),因此,可以通过简单的文本搜索方式找出可能返回null的API,以用于后续验证是否存在DOS漏洞。The above is a program in the Google API documentation, which describes the parameters, functions, and return values of the getBundleExtra function. The return value part (underlined part) clearly indicates that this function may return null. Since Google's API document format is relatively standard and standardized, all APIs that may return null will be described in the return value description (see the above program code. The underlined part), therefore, the API that may return null can be found out through a simple text search, for subsequent verification whether there is a DOS vulnerability.

在确定完使用的开源文档后,可选地,可以通过以下步骤确定可能返回null的API函数:1.通过爬虫抓取Android API文档;2.分析每个API的返回值,找到可能返回NULL的API。After determining the open source documents used, optionally, the API functions that may return null can be determined through the following steps: 1. Grab the Android API documents through crawlers; 2. Analyze the return value of each API to find the ones that may return NULL APIs.

步骤S306,依据上述描述信息,在代码文件中确定与指定描述信息匹配的第一类函数,并依据上述第一类函数对上述应用程序的漏洞进行检测。Step S306, according to the description information, determine the first type of function matching the specified description information in the code file, and detect the loopholes of the above application program according to the above first type of function.

仍然以步骤S304中识别dos漏洞为例进行说明,在该步骤S306中的指定描述信息可以表现为返回值为null,上述第一类函数可以表现为返回值可能为null的API函数,但不限于此。Still taking the identification of dos vulnerabilities in step S304 as an example for illustration, the specified description information in step S306 can be expressed as a return value of null, and the above-mentioned first type of function can be expressed as an API function that may return a value of null, but is not limited to this.

可选地,在步骤S306中,依据上述第一类函数对上述应用程序的漏洞进行检测可以通过以下方式实现,但不限于此:构建上述第一类函数所在分支的第一控制流图CFG(简称:第一CFG),并统计所有上述第一类函数中具有指定特征值的第二类函数;在上述第一CFG中查找上述第二类函数所在的分支,并判断上述分支是否进行了异常处理,在判断结果为是时,则确定上述应用程序不存在漏洞;在上述判断结果为否时,则确定上述应用程序存在漏洞。可选地,上述异常处理可以表现为以下形式,但不限于此:设置用于指示当前指令异常时,跳转至其他指令的跳转指令或者调用指令。Optionally, in step S306, the detection of the vulnerability of the above-mentioned application program according to the above-mentioned first-type function can be realized in the following manner, but not limited thereto: constructing the first control flow graph CFG( Abbreviation: the first CFG), and count all the second-type functions with specified eigenvalues in the above-mentioned first-type functions; find the branch where the above-mentioned second-type functions are located in the above-mentioned first CFG, and judge whether the above-mentioned branch is abnormal Processing, if the determination result is yes, it is determined that there is no loophole in the application program; when the determination result is no, it is determined that the application program has a loophole. Optionally, the above exception handling may be in the following form, but not limited thereto: setting a jump instruction or call instruction used to indicate that the current instruction is abnormal and jump to other instructions.

需要说明的是,上述指定特征值可以表现为同一类函数所具有的相同特征值,例如函数的返回值,例如可以通过查找返回值有可能为空的特征值确定上述第二类函数,但不限于此种表现形式。It should be noted that the above-mentioned specified characteristic value can be expressed as the same characteristic value of the same type of function, such as the return value of the function. For example, the above-mentioned second type of function can be determined by looking for the characteristic value whose return value may be empty, but not limited to this form of expression.

在一个可选实施例中,第一CFG的生成过程为:将Android应用程序安装包(APK)转化成Smali代码,并通过静态代码分析生成应用程序的CFG。其中,CFG是一个以应用程序代码为节点的有向图,边的方向代表调用方向,即程序的执行方向。如图4所示,包括以下步骤:In an optional embodiment, the generating process of the first CFG is: converting the Android application installation package (APK) into Smali code, and generating the CFG of the application through static code analysis. Among them, CFG is a directed graph with the application code as the node, and the direction of the edge represents the calling direction, that is, the execution direction of the program. As shown in Figure 4, the following steps are included:

步骤S402.通过apktool解出APK中的smali代码;Step S402. Solve the smali code in the APK by apktool;

步骤S404.基于Smali中的函数调用关系以及代码的分支逻辑生成CFG。具体地,该步骤可以通过以下过程实现:Step S404. Generate a CFG based on the function call relationship in Smali and the branching logic of the code. Specifically, this step can be achieved through the following process:

1.将smali代码打碎成很多个块(chunk)。一个chunk是代码被顺序执行的最大单元。即代码中遇到分支跳转(循环也是条件分支跳转的一种),函数调用等能够改变程序执行流程的指令时即结束当前chunk,并开始下一个chunk。每一个chunk都有一个唯一的id,也是它们的入口点,是一个相对于函数起始地址的偏移。对于跳转指令或函数调用指令可以通过分析指令的操作数来计算出当前chunk在执行时可能的后续chunk id。1. Break the smali code into many chunks. A chunk is the largest unit in which code is executed sequentially. That is, when the code encounters a branch jump (loop is also a kind of conditional branch jump), function call and other instructions that can change the program execution flow, the current chunk will end and the next chunk will start. Each chunk has a unique id, which is also their entry point, which is an offset relative to the starting address of the function. For jump instructions or function call instructions, possible follow-up chunk ids of the current chunk during execution can be calculated by analyzing the operands of the instructions.

2.将这些chunk通过自身id和后续chunk id的值对接在一起,即构造出CFG。2. Connect these chunks through their own id and the value of the subsequent chunk id to construct a CFG.

其中,基于上述处理过程,可以构建的一个CFG的示意图,需要说明的是,此处为便于理解,以下CFG的各个分支采用了自然语言的描述,并未用代码表示,在实际应用时,各个步骤可以表现为实现以下功能的代码。如图5所示:Among them, based on the above process, a schematic diagram of a CFG can be constructed. It should be noted that, for the sake of easy understanding, the following branches of the CFG are described in natural language instead of expressed in code. In actual application, each Steps can be represented as code that implements the following functions. As shown in Figure 5:

1、获取传入的intent,检查intent是否包含参数,如果是,转步骤2,否则转步骤4;1. Obtain the incoming intent, check whether the intent contains parameters, if yes, go to step 2, otherwise go to step 4;

2、从intent中获取参数,强制转换或自定义类;2. Obtain parameters from intent, cast or customize classes;

3、调用类的方法;3. Call the method of the class;

4、结束程序。4. End the program.

在一个可选实施例中,在上述第一CFG中查找上述第二类函数所在的分支时,可以通过以下过程实现,但不限于此:按照预设规则对上述第一CFG中的分支进行过滤,得到第二CFG;在上述第二CFG中查找上述第二类函数所在的分支。其中,上述预设规则可以根据实际情况灵活设定,例如可以按照以下方式上述第一CFG中的分支进行过滤:删除上述第一CFG中的指定节点以及仅能被该指定节点连通的节点,其中,该指定节点所对应的函数为仅有出度且没有入度的函数。以基于安卓系统的应用程序为例进行说明。In an optional embodiment, when searching for the branch of the above-mentioned second type of function in the above-mentioned first CFG, it can be realized through the following process, but not limited thereto: filter the branches in the above-mentioned first CFG according to preset rules , to obtain the second CFG; find the branch where the above-mentioned second type of function is located in the above-mentioned second CFG. Wherein, the aforementioned preset rules can be flexibly set according to the actual situation. For example, the branches in the aforementioned first CFG can be filtered in the following way: delete the specified node in the aforementioned first CFG and the nodes that can only be connected by the specified node, wherein , the function corresponding to the specified node is a function with only out-degree and no in-degree. An application program based on the Android system is used as an example for illustration.

对分支进行过滤,又称为CFG剪枝。Android系统上的应用程序都有特定的函数入口,需要找出CFG中只有出度没有入度的节点。如果这个节点的函数不是已知的程序入口,就将所有只能被这个节点连通的点去除。这样就能够保证CFG中剩下的节点都是可以被外部程序(如攻击者的程序)调用到的。具体可以通过以下步骤实现:Filtering branches is also called CFG pruning. Applications on the Android system have specific function entries, and it is necessary to find out the nodes in the CFG that have only out-degree but no in-degree. If the function of this node is not a known program entry, all the points that can only be connected by this node are removed. In this way, it can be guaranteed that the remaining nodes in the CFG can be called by external programs (such as the attacker's program). Specifically, it can be achieved through the following steps:

1.总结Android系统的应用程序入口函数1. Summarize the application entry function of the Android system

2.找出CFG中只有出度没有入度的点2. Find the points in the CFG that have only out-degree but no in-degree

3.判断这个点是不是入口函数3. Determine whether this point is an entry function

4.遍历当前节点的所有子结点,删除所有只能被这个节点连通的点4. Traverse all child nodes of the current node and delete all points that can only be connected by this node

在一个可选实施例中,判断CFG的分支是否做了异常处理可以通过以下方式实现:遍历所有CFG中的分支;查找包含了可能返回NULL的分支;判断这个分支是否做了异常处理。In an optional embodiment, judging whether exception handling is performed on a branch of the CFG may be implemented in the following manner: traversing all branches in the CFG; finding a branch that may return NULL; and judging whether the branch has exception handling.

通过上述实施例可以看出,本发明实施例提供的应用程序的漏洞检测方法可以用于检测DOS漏洞,此时,本发明实施例中用于反映指定行为的函数可以为API函数。It can be seen from the above embodiments that the application vulnerability detection method provided by the embodiments of the present invention can be used to detect DOS vulnerabilities. At this time, the function used to reflect the specified behavior in the embodiments of the present invention can be an API function.

需要说明的是,本发明实施例提供的技术方案可以运行于不同的移动终端操作系统,即可以用于检测基于不同操作系统的应用程序的漏洞,该操作系统包括但不限于:安卓(Android)操作系统、iOS操作系统、Symbian、Windows Phone操作系统以及BlackBerry OS操作系统等。It should be noted that the technical solutions provided by the embodiments of the present invention can run on different mobile terminal operating systems, that is, they can be used to detect loopholes in application programs based on different operating systems, the operating systems include but are not limited to: Android (Android) operating system, iOS operating system, Symbian, Windows Phone operating system and BlackBerry OS operating system, etc.

在本实施例中,采用将应用程序的安装文件转换为代码文件并从该代码文件中查找用于反映指定行为的函数,以及依据描述信息与指定描述信息匹配的第一类函数对应用程序的漏洞进行检测的方式,达到了通过静态分析的方式进行漏洞检测的目的,同时,由于可以对上述代码文件中的各个分支进行遍历检测,因此,可以使得检测结果更加全面,进而解决了漏洞检测方案存在效率低、且检测结果不全面等技术问题。In this embodiment, the installation file of the application program is converted into a code file and the function used to reflect the specified behavior is searched from the code file, and the function of the application program is adjusted according to the first type of function whose description information matches the specified description information. The method of vulnerability detection achieves the purpose of vulnerability detection through static analysis. At the same time, since each branch in the above code file can be traversed and detected, the detection results can be made more comprehensive, and then the vulnerability detection solution is solved. There are technical problems such as low efficiency and incomplete test results.

需要说明的是,对于前述的各方法实施例,为了简单描述,故将其都表述为一系列的动作组合,但是本领域技术人员应该知悉,本发明并不受所描述的动作顺序的限制,因为依据本发明,某些步骤可以采用其他顺序或者同时进行。其次,本领域技术人员也应该知悉,说明书中所描述的实施例均属于优选实施例,所涉及的动作和模块并不一定是本发明所必须的。It should be noted that for the foregoing method embodiments, for the sake of simple description, they are expressed as a series of action combinations, but those skilled in the art should know that the present invention is not limited by the described action sequence. Because of the present invention, certain steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification belong to preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.

通过以上的实施方式的描述,本领域的技术人员可以清楚地了解到根据上述实施例的方法可借助软件加必需的通用硬件平台的方式来实现,当然也可以通过硬件,但很多情况下前者是更佳的实施方式。基于这样的理解,本发明的技术方案本质上或者说对现有技术做出贡献的部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质(如ROM/RAM、磁碟、光盘)中,包括若干指令用以使得一台终端设备(可以是手机,计算机,服务器,或者网络设备等)执行本发明各个实施例所述的方法。Through the description of the above embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by means of software plus a necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is better implementation. Based on such an understanding, the essence of the technical solution of the present invention or the part that contributes to the prior art can be embodied in the form of software products, and the computer software products are stored in a storage medium (such as ROM/RAM, disk, CD) contains several instructions to enable a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to execute the methods described in various embodiments of the present invention.

实施例2Example 2

本实施例以检测基于安卓操作系统的应用程序的DOS漏洞为例进行说明,但是需要说明的是,本实施例中的方案并不限于应用于安卓操作系统的应用检测,也不限于DOS漏洞。本实施例的主要设计思想在于,通过官方文档(即开源文档)来过滤出特定API,并以此作为检测DOS漏洞的依据,即对于开源的操作系统,根据开源文档中描述的系统API的行为来找出感兴趣的特定API,基于这些API结合一些其它方法实现特定的功能(如本实施例中的DOS漏洞检测)。主要包括以下过程:1.基于静态代码产生CFG(Controll Flow Graph);2.通过静态分析剪枝,过滤出可能被外界调用到的API分支;3.结合Google Android API文档识别潜在导致DOS漏洞的API;4.判断分支是否进行了异常处理。具体地,如图6所示,本发明实施例提供的应用程序的漏洞检测方法包括以下处理步骤:This embodiment is described by taking the detection of DOS vulnerabilities of applications based on the Android operating system as an example. However, it should be noted that the solution in this embodiment is not limited to application detection of the Android operating system, nor is it limited to DOS vulnerabilities. The main design idea of this embodiment is to filter out specific APIs through official documents (that is, open source documents), and use this as the basis for detecting DOS vulnerabilities, that is, for open source operating systems, according to the behavior of the system API described in open source documents To find specific APIs of interest, based on these APIs combined with some other methods to achieve specific functions (such as DOS vulnerability detection in this embodiment). It mainly includes the following processes: 1. Generate CFG (Controll Flow Graph) based on static code; 2. Prune through static analysis to filter out API branches that may be called by the outside world; 3. Combine Google Android API documents to identify potential DOS vulnerabilities API; 4. Judging whether the branch has performed exception handling. Specifically, as shown in FIG. 6, the application vulnerability detection method provided by the embodiment of the present invention includes the following processing steps:

步骤S602,使用apktool将apk转换成smali代码;Step S602, using apktool to convert apk into smali code;

步骤S604,通过分析smali代码构建CFG。该步骤主要将Android应用程序(APK)转化成Smali代码,并通过静态代码分析生成应用程序的CFG。CFG是一个以应用程序代码为节点的有向图,边的方向代表调用方向,即程序的执行方向。具体实现过程如下:1、将smali代码打碎成很多个chunk。一个chunk是代码被顺序执行的最大单元。即代码中遇到分支跳转(循环也是条件分支跳转的一种),函数调用等能够改变程序执行流程的指令时即结束当前chunk,并开始下一个chunk。每一个chunk都有一个唯一的id,也是入口点,是一个相对于函数起始地址的偏移。对于跳转指令或函数调用指令可以通过分析指令的操作数来计算出当前chunk在执行时可能的后续chunk id。2.将这些chunk通过自身id和后续chunk id的值对接在一起,即构造出CFG。Step S604, constructing a CFG by analyzing the smali code. This step mainly converts the Android application program (APK) into Smali code, and generates the CFG of the application program through static code analysis. CFG is a directed graph with the application code as the node, and the direction of the edge represents the calling direction, that is, the execution direction of the program. The specific implementation process is as follows: 1. Break the smali code into many chunks. A chunk is the largest unit in which code is executed sequentially. That is, when the code encounters a branch jump (loop is also a kind of conditional branch jump), function call and other instructions that can change the program execution flow, the current chunk will end and the next chunk will start. Each chunk has a unique id, which is also the entry point, which is an offset relative to the starting address of the function. For jump instructions or function call instructions, possible follow-up chunk ids of the current chunk during execution can be calculated by analyzing the operands of the instructions. 2. Connect these chunks through their own id and the value of the subsequent chunk id to construct a CFG.

步骤S606,抽取出所有入口函数所在的分支,组成新的CFG。Android系统上的应用程序都有特定的函数入口,找出CFG中只有出度没有入度的节点。如果这个节点的函数不是已知的程序入口,就将所有只能被这个节点连通的点去除。这样就能够保证CFG中剩下的节点都是可以被外部程序(如攻击者的程序)调用到的。Step S606, extracting branches where all entry functions are located to form a new CFG. Applications on the Android system have specific function entries to find out the nodes in the CFG that have only out-degree but no in-degree. If the function of this node is not a known program entry, all the points that can only be connected by this node are removed. In this way, it can be guaranteed that the remaining nodes in the CFG can be called by external programs (such as the attacker's program).

步骤S608,通过HTTP请求爬取Google的Android API文档。这部分主要从GoogleAndroid API文档中找出可能返回NULL的API。由于Google Android的API文档是公开的,并且格式统一,描述规范,所以可以通过抓取这些文档并分析其中的内容来找出可能返回NULL的API,例如可以通过文档中的返回值描述信息来确定返回NULL的API函数。Step S608, crawling Google's Android API documents through an HTTP request. This part mainly finds APIs that may return NULL from the GoogleAndroid API documentation. Since Google Android's API documents are public, with a uniform format and standardized descriptions, APIs that may return NULL can be found by crawling these documents and analyzing their contents, for example, through the return value description information in the documents. API functions that return NULL.

步骤S610,将文档存入本地数据库(可以简单以文件形式存储)。该步骤也可以通过缓存的形式实现,即将文档存入缓存中,并设置文档的存活时间等。In step S610, the document is stored in the local database (it can simply be stored in the form of a file). This step can also be implemented in the form of caching, that is, storing the document in the cache and setting the survival time of the document.

步骤S612,通过字符串搜索找出可能返回NULL的API。Step S612, searching for APIs that may return NULL through a character string search.

步骤S614,找出目标API列表(target API list),即利用这些API构建出可能导致DOS漏洞的API列表。Step S614, find out a target API list (target API list), that is, use these APIs to construct an API list that may cause DOS vulnerabilities.

步骤S616,进行分支过滤(branch filter),即在CFG中找出包含危险API的分支。Step S616, perform branch filter (branch filter), that is, find out the branch containing the dangerous API in the CFG.

步骤S618,进行try/catch parser处理,即判断此分支是否做了异常处理。In step S618, try/catch parser processing is performed, that is, it is judged whether exception processing has been performed on this branch.

本发明实施例通过静态的方式结合Google API文档发现存在漏洞的入口点。由于是静态分析,所以可以保证遍历到所有的应用程序分支,并且相对于Fuzz方式,静态分析拥有更高的效率,检测到的漏洞可以精确定位。本发明实施例的每一步的运算都是确定的,相对于Fuzz依赖程序的具体运行状况,本发明可以保证找到所有可能产生DOS漏洞的点。The embodiment of the present invention discovers the entry points with vulnerabilities in a static manner combined with Google API documents. Because it is a static analysis, it is guaranteed to traverse all application branches. Compared with the Fuzz method, static analysis has higher efficiency, and the detected vulnerabilities can be precisely located. The operation of each step in the embodiment of the present invention is definite, and the present invention can guarantee to find all points that may generate DOS loopholes with respect to the specific operating conditions of Fuzz dependent programs.

实施例3Example 3

根据本发明实施例,还提供了一种用于实施上述方法的应用程序的漏洞检测装置,该装置可以运行于实施例1中所述的移动终端、计算机终端或者类似的运算装置中,但不限于实施例1中上述运算装置的功能或结构。如图7所示,该装置包括:According to an embodiment of the present invention, there is also provided a vulnerability detection device for an application program implementing the above method, which can run in the mobile terminal, computer terminal or similar computing device described in Embodiment 1, but does not It is limited to the function or structure of the above-mentioned computing device in Embodiment 1. As shown in Figure 7, the device includes:

转换模块70,用于将待检测应用程序的安装文件转换为代码文件。对于该模块实现的功能,可以通过相关技术中的解决方案实现,例如,对于安卓应用程序的安装包文件,可以通过APKTool将应用程序的安装包(Android Package,简称为APK)文件转换成smali代码,但不限于该种实现方式。The conversion module 70 is configured to convert the installation file of the application program to be detected into a code file. The functions realized by this module can be realized through solutions in related technologies. For example, for the installation package file of an Android application, the installation package (Android Package, APK for short) file of the application can be converted into smali code by APKTool , but not limited to this implementation.

获取模块72,连接至转换模块70,用于获取指定函数的描述信息。此处的指定行为可以表现为函数所执行的功能类型,即函数类型。对于该处理步骤,针对不同类型的漏洞检测,可以使用用于反映不同行为的函数,例如在检测dos漏洞时,可以在利用应用程序安装包转换得到的汇编文件中的API函数进行检测。可选地,获取模块72获取上述指定函数的描述信息的有多种,例如可以从网络侧的开源文档中获取上述函数的描述信息,具体可以通过网络爬虫的方式从上述开源文档中爬取上述描述信息,此时,为便于抓取上述描述信息,可以利用描述信息比较标准和规范的文档。The obtaining module 72 is connected to the conversion module 70 and is used for obtaining the description information of the specified function. The specified behavior here can be expressed as the type of function performed by the function, that is, the function type. For this processing step, for different types of vulnerability detection, functions for reflecting different behaviors can be used. For example, when detecting dos vulnerabilities, API functions in the assembly file converted from the application installation package can be used for detection. Optionally, the acquiring module 72 can acquire the description information of the above-mentioned specified function in many ways, for example, the description information of the above-mentioned function can be obtained from the open source document on the network side, specifically, the above-mentioned information can be crawled from the above-mentioned open source document by means of a web crawler. Description information. At this time, in order to facilitate the capture of the above description information, you can use the description information to compare standard and normative documents.

检测模块74,连接至获取模块72,用于依据上述描述信息,在上述代码文件中确定与指定描述信息匹配的第一类函数,并依据上述第一类函数对上述应用程序的漏洞进行检测。The detection module 74 is connected to the acquisition module 72, and is used to determine the first type of function matching the specified description information in the above code file according to the above description information, and detect the loopholes of the above application program according to the above first type of function.

可选地,如图8所示,检测模块74,还可以包括以下处理单元,但不限于此:Optionally, as shown in FIG. 8, the detection module 74 may also include the following processing units, but is not limited thereto:

构建单元740,构建上述第一类函数所在分支的第一控制流图CFG;The construction unit 740, constructs the first control flow graph CFG of the branch where the above-mentioned first type of function is located;

以基于安卓操作系统的应用程序为例进行说明,在一个可选实施例中,第一CFG的构建过程为:将Android应用程序安装包(APK)转化成Smali代码,并通过静态代码分析生成应用程序的CFG。其中,CFG是一个以应用程序代码为节点的有向图,边的方向代表调用方向,即程序的执行方向。具体可以表现为以下处理步骤,但不限于此:通过apktool解出APK中的smali代码;基于Smali中的函数调用关系以及代码的分支逻辑生成CFG。具体地,该步骤可以通过以下过程实现:Taking the application program based on the Android operating system as an example, in an optional embodiment, the construction process of the first CFG is: converting the Android application installation package (APK) into Smali code, and generating the application program through static code analysis CFG of the program. Among them, CFG is a directed graph with the application code as the node, and the direction of the edge represents the calling direction, that is, the execution direction of the program. Specifically, the processing steps may be as follows, but not limited thereto: use apktool to solve the smali code in the APK; generate a CFG based on the function call relationship in the Smali and the branching logic of the code. Specifically, this step can be achieved through the following process:

1.将smali代码打碎成很多个块(chunk)。一个chunk是代码被顺序执行的最大单元。即代码中遇到分支跳转(循环也是条件分支跳转的一种),函数调用等能够改变程序执行流程的指令时即结束当前chunk,并开始下一个chunk。每一个chunk都有一个唯一的id,也是它们的入口点,是一个相对于函数起始地址的偏移。对于跳转指令或函数调用指令可以通过分析指令的操作数来计算出当前chunk在执行时可能的后续chunk id。2.将这些chunk通过自身id和后续chunk id的值对接在一起,即构造出CFG。1. Break the smali code into many chunks. A chunk is the largest unit in which code is executed sequentially. That is, when the code encounters a branch jump (loop is also a kind of conditional branch jump), function call and other instructions that can change the program execution flow, the current chunk will end and the next chunk will start. Each chunk has a unique id, which is also their entry point, which is an offset relative to the starting address of the function. For jump instructions or function call instructions, possible follow-up chunk ids of the current chunk during execution can be calculated by analyzing the operands of the instructions. 2. Connect these chunks through their own id and the value of the subsequent chunk id to construct a CFG.

统计单元742,用于统计所有上述第一类函数中具有指定特征值的第二类函数;可选地,上述指定特征值可以表现为同一类函数所具有的相同特征值,例如函数的返回值,例如可以通过查找返回值有可能为空的特征值确定上述第二类函数,但不限于此种表现形式。Statistical unit 742, configured to count all the functions of the second type with specified characteristic values in the functions of the first type; optionally, the specified characteristic values may be expressed as the same characteristic values of functions of the same type, such as the return value of the function , for example, the above-mentioned second type of function can be determined by looking for the characteristic value whose return value may be empty, but it is not limited to this form of expression.

检测单元744,连接至构建单元740和统计单元742,用于在上述第一CFG中查找上述第二类函数所在的分支,并判断上述第二类函数所在的分支是否进行了异常处理,在判断结果为是时,则确定上述应用程序不存在漏洞;在上述判断结果为否时,则确定上述应用程序存在漏洞。可选的,上述异常处理可以表现为以下形式,但不限于此:设置用于指示在当前指令异常时,跳转至其他指令的跳转指令或者调用指令。The detection unit 744 is connected to the construction unit 740 and the statistical unit 742, and is used to search for the branch where the second type of function is located in the above-mentioned first CFG, and judge whether the branch where the above-mentioned second type of function is located has been abnormally handled. When the result is yes, it is determined that the above application program does not have a loophole; when the above determination result is no, it is determined that the above application program has a loophole. Optionally, the above exception handling may be expressed in the following form, but not limited thereto: setting a jump instruction or a call instruction used to indicate to jump to other instructions when the current instruction is abnormal.

对于检测单元744在第一CFG中查找第二类函数所在分支,为了提高效率和检测的准确性,检测单元744,还用于按照预设规则对上述第一CFG中的分支进行过滤,得到第二CFG;以及在上述第二CFG中查找上述第二类函数所在的分支。以下以基于安卓系统的应用程序为例进行说明。For the detection unit 744 to search for the branch of the second type of function in the first CFG, in order to improve the efficiency and detection accuracy, the detection unit 744 is also used to filter the branches in the above-mentioned first CFG according to the preset rules to obtain the first CFG Two CFGs; and searching the branch where the above-mentioned second type of function is located in the above-mentioned second CFG. The following uses an application program based on the Android system as an example for description.

对分支进行过滤,又称为CFG剪枝。Android系统上的应用程序都有特定的函数入口,需要找出CFG中只有出度没有入度的节点。如果这个节点的函数不是已知的程序入口,就将所有只能被这个节点连通的点去除。这样就能够保证CFG中剩下的节点都是可以被外部程序(如攻击者的程序)调用到的。具体可以通过以下步骤实现:Filtering branches is also called CFG pruning. Applications on the Android system have specific function entries, and it is necessary to find out the nodes in the CFG that have only out-degree but no in-degree. If the function of this node is not a known program entry, all the points that can only be connected by this node are removed. In this way, it can be guaranteed that the remaining nodes in the CFG can be called by external programs (such as the attacker's program). Specifically, it can be achieved through the following steps:

1.总结Android系统的应用程序入口函数;1. Summarize the application entry functions of the Android system;

2.找出CFG中只有出度没有入度的点;2. Find the points in the CFG that have only out-degree but no in-degree;

3.判断这个点是不是入口函数;3. Determine whether this point is an entry function;

4.遍历当前节点的所有子结点,删除所有只能被这个节点连通的点。4. Traverse all child nodes of the current node and delete all nodes that can only be connected by this node.

在一个可选实施例中,判断CFG的分支是否做了异常处理可以通过以下方式实现:遍历所有CFG中的分支;查找包含了可能返回NULL的分支;判断这个分支是否做了异常处理。In an optional embodiment, judging whether exception handling is performed on a branch of the CFG may be implemented in the following manner: traversing all branches in the CFG; finding a branch that may return NULL; and judging whether the branch has exception handling.

例如,检测单元744,还用于删除上述第一CFG中的指定节点以及仅能被该指定节点连通的节点,其中,该指定节点所对应的函数为仅有出度且没有入度的函数。这样,便对第一CFG进行了剪枝处理,提高了检索效率和准确性。For example, the detection unit 744 is further configured to delete the specified node in the first CFG and the nodes that can only be connected by the specified node, wherein the function corresponding to the specified node is a function with only out-degree and no in-degree. In this way, the first CFG is pruned to improve retrieval efficiency and accuracy.

在一个可选实施例中,获取模块72,还用于从网络侧的开源文档中获取指定函数的描述信息。In an optional embodiment, the acquiring module 72 is further configured to acquire the description information of the specified function from an open source document on the network side.

本实施例中所涉及的各个模块是可以通过相应地软件或硬件来实现的,对于后者,例如可以采用以下方式实现,但不限于此:转换模块70、获取模块72和检测模块74均位于同一处理器中;或者,转换模块70、获取模块72和检测模块74分别位于第一处理器、第二处理器和第三处理器中;或者,转换模块70和获取模块72位于同一处理器中,检测模块74位于另一处理器中;或者,获取模块72和检测模块74位于同一处理器中,而转换模块70位于另一处理器中,但不限于上述组合方式。The various modules involved in this embodiment can be realized by corresponding software or hardware. For the latter, for example, the following methods can be used to realize, but not limited to this: the conversion module 70, the acquisition module 72 and the detection module 74 are all located at In the same processor; or, the conversion module 70, the acquisition module 72 and the detection module 74 are respectively located in the first processor, the second processor and the third processor; or, the conversion module 70 and the acquisition module 72 are located in the same processor , the detection module 74 is located in another processor; or, the acquisition module 72 and the detection module 74 are located in the same processor, and the conversion module 70 is located in another processor, but not limited to the above combination.

通过本发明实施例提供的应用程序的漏洞检测装置,同样可以达到通过静态分析的方式进行漏洞检测的目的,同时,由于每一步均是确定的,因此,可以使得检测结果更加全面,进而解决了漏洞检测方案存在效率低、且检测结果不全面等技术问题。The application loophole detection device provided by the embodiment of the present invention can also achieve the purpose of loophole detection through static analysis, and at the same time, because each step is determined, the detection result can be made more comprehensive, and then solve the problem of The vulnerability detection scheme has technical problems such as low efficiency and incomplete detection results.

实施例4Example 4

本发明的实施例可以提供一种计算机终端,该计算机终端可以是计算机终端群中的任意一个计算机终端设备。可选地,在本实施例中,上述计算机终端也可以替换为移动终端等终端设备。Embodiments of the present invention may provide a computer terminal, and the computer terminal may be any computer terminal device in a group of computer terminals. Optionally, in this embodiment, the foregoing computer terminal may also be replaced with a terminal device such as a mobile terminal.

可选地,在本实施例中,上述计算机终端可以位于计算机网络的多个网络设备中的至少一个网络设备。Optionally, in this embodiment, the foregoing computer terminal may be located in at least one network device among multiple network devices of the computer network.

在本实施例中,上述计算机终端可以执行应用程序的漏洞检测方法中以下步骤的程序代码:将待检测应用程序的安装文件转换为代码文件;获取指定函数的描述信息,其中,上述指定函数为用于反映指定行为的函数;依据上述描述信息,在上述代码文件中确定与指定描述信息匹配的第一类函数,并依据上述第一类函数对上述应用程序的漏洞进行检测。In this embodiment, the above-mentioned computer terminal can execute the program code of the following steps in the application program vulnerability detection method: convert the installation file of the application program to be detected into a code file; obtain the description information of the specified function, wherein the above-mentioned specified function is A function used to reflect the specified behavior; according to the above-mentioned description information, determine the first type of function matching the specified description information in the above-mentioned code file, and detect the vulnerability of the above-mentioned application program according to the above-mentioned first type of function.

可选地,图9是根据本发明实施例的一种计算机终端的结构框图。如图9所示,该计算机终端A可以包括:一个或多个(图中仅示出一个)处理器91、存储器93、以及传输装置95。Optionally, FIG. 9 is a structural block diagram of a computer terminal according to an embodiment of the present invention. As shown in FIG. 9 , the computer terminal A may include: one or more (only one is shown in the figure) processors 91 , a memory 93 , and a transmission device 95 .

其中,存储器93可用于存储软件程序以及模块,如本发明实施例中的安全漏洞检测方法和装置对应的程序指令/模块,处理器91通过运行存储在存储器93内的软件程序以及模块,从而执行各种功能应用以及数据处理,即实现上述的系统漏洞攻击的检测方法。存储器93可包括高速随机存储器,还可以包括非易失性存储器,如一个或者多个磁性存储装置、闪存、或者其他非易失性固态存储器。在一些实例中,存储器93可进一步包括相对于处理器91远程设置的存储器,这些远程存储器可以通过网络连接至终端A。上述网络的实例包括但不限于互联网、企业内部网、局域网、移动通信网及其组合。Wherein, the memory 93 can be used to store software programs and modules, such as the program instructions/modules corresponding to the security hole detection method and device in the embodiment of the present invention, and the processor 91 runs the software programs and modules stored in the memory 93 to execute Various functional applications and data processing, that is, to realize the detection method of the above-mentioned system vulnerability attack. The memory 93 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 93 may further include a memory that is remotely located relative to the processor 91, and these remote memories may be connected to the terminal A through a network. Examples of the aforementioned networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.

上述的传输装置95用于经由一个网络接收或者发送数据。上述的网络具体实例可包括有线网络及无线网络。在一个实例中,传输装置95包括一个网络适配器(NetworkInterface Controller,NIC),其可通过网线与其他网络设备与路由器相连从而可与互联网或局域网进行通讯。在一个实例中,传输装置95为射频(Radio Frequency,RF)模块,其用于通过无线方式与互联网进行通讯。The aforementioned transmission device 95 is used to receive or transmit data via a network. The specific examples of the above-mentioned network may include a wired network and a wireless network. In one example, the transmission device 95 includes a network adapter (Network Interface Controller, NIC), which can be connected with other network devices and a router through a network cable so as to communicate with the Internet or a local area network. In one example, the transmission device 95 is a radio frequency (Radio Frequency, RF) module, which is used to communicate with the Internet in a wireless manner.

其中,具体地,存储器93用于存储预设动作条件和预设权限用户的信息、以及应用程序。Wherein, specifically, the memory 93 is used for storing preset action conditions and preset authority user information, as well as application programs.

处理器91可以通过传输装置调用存储器93存储的信息及应用程序,以执行下述步骤:将待检测应用程序的安装文件转换为代码文件;获取指定函数的描述信息,其中,上述指定函数为用于反映指定行为的函数;依据上述描述信息,在上述代码文件中确定与指定描述信息匹配的第一类函数,并依据上述第一类函数对上述应用程序的漏洞进行检测。The processor 91 can call the information and the application program stored in the memory 93 through the transmission device to perform the following steps: convert the installation file of the application program to be detected into a code file; obtain the description information of the specified function, wherein the specified function is used A function that reflects the specified behavior; according to the above description information, determine the first type of function that matches the specified description information in the above code file, and detect the loopholes of the above application program according to the above first type of function.

可选的,上述处理器91还可以执行如下步骤的程序代码:构建上述第一类函数所在分支的第一控制流图CFG,并统计所有上述第一类函数中具有指定特征值的第二类函数;在上述第一CFG中查找上述第二类函数所在的分支,并判断上述第二类函数所在的分支是否进行了异常处理,在判断结果为是时,则确定上述应用程序不存在漏洞;在上述判断结果为否时,则确定上述应用程序存在漏洞。可选地,此处的“异常处理”可以表现为:设置用于指示在当前指令异常时,跳转至其他指令的跳转指令或者调用指令。Optionally, the above-mentioned processor 91 can also execute the program code of the following steps: constructing the first control flow graph CFG of the branch where the above-mentioned first-type functions are located, and counting all the above-mentioned first-type functions with the specified eigenvalues of the second-type function; search the branch where the above-mentioned second-type function is located in the above-mentioned first CFG, and judge whether the branch where the above-mentioned second-type function is located has performed abnormal processing, and when the judgment result is yes, then determine that there is no loophole in the above-mentioned application program; When the above judgment result is no, it is determined that the above application program has a vulnerability. Optionally, the "exception handling" here may be expressed as: setting a jump instruction or a call instruction for indicating to jump to other instructions when the current instruction is abnormal.

可选的,上述处理器91还可以执行如下步骤的程序代码:按照预设规则对上述第一CFG中的分支进行过滤,得到第二CFG;在上述第二CFG中查找上述第二类函数所在的分支。Optionally, the above-mentioned processor 91 can also execute the program code of the following steps: filter the branches in the above-mentioned first CFG according to the preset rules to obtain the second CFG; find the location of the above-mentioned second type of function in the above-mentioned second CFG branch.

可选的,上述处理器91还可以执行如下步骤的程序代码:删除上述第一CFG中的指定节点以及仅能被该指定节点连通的节点,其中,该指定节点所对应的函数为仅有出度且没有入度的函数。Optionally, the above-mentioned processor 91 may also execute the program code of the following steps: delete the specified node in the above-mentioned first CFG and the nodes that can only be connected by the specified node, wherein the function corresponding to the specified node is degree and no in-degree function.

可选的,上述处理器91还可以执行如下步骤的程序代码:从网络侧的开源文档中获取上述指定函数的描述信息,例如可以通过网络爬虫的方式从开源文档中爬取上述描述信息。Optionally, the above-mentioned processor 91 may also execute the program code of the following steps: Obtain the description information of the above-mentioned specified function from the open-source document on the network side, for example, crawl the above-mentioned description information from the open-source document by means of a web crawler.

采用本发明实施例,提供了一种利用静态代码结合其中所涉及函数的描述信息检测应用程序的漏洞的方案。解决了漏洞检测方案存在效率低、且检测结果不全面的技术问题。By adopting the embodiment of the present invention, a solution is provided for detecting the loophole of the application program by using the static code combined with the description information of the functions involved therein. The technical problems of low efficiency and incomplete detection results in the vulnerability detection scheme are solved.

本领域普通技术人员可以理解,图9所示的结构仅为示意,计算机终端也可以是智能手机(如Android手机、iOS手机等)、平板电脑、掌声电脑以及移动互联网设备(Mobile Internet Devices,MID)、PAD等终端设备。图9其并不对上述电子装置的结构造成限定。例如,计算机终端A还可包括比图9中所示更多或者更少的组件(如网络接口、显示装置等),或者具有与图9所示不同的配置。Those of ordinary skill in the art can understand that the structure shown in Figure 9 is only schematic, and the computer terminal can also be a smart phone (such as an Android phone, an iOS phone, etc.), a tablet computer, an applause computer, and a mobile Internet device (Mobile Internet Devices, MID ), PAD and other terminal equipment. FIG. 9 does not limit the structure of the above-mentioned electronic device. For example, the computer terminal A may also include more or less components than those shown in FIG. 9 (such as a network interface, a display device, etc.), or have a configuration different from that shown in FIG. 9 .

本领域普通技术人员可以理解上述实施例的各种方法中的全部或部分步骤是可以通过程序来指令终端设备相关的硬件来完成,该程序可以存储于一计算机可读存储介质中,存储介质可以包括:闪存盘、只读存储器(Read-Only Memory,ROM)、随机存取器(Random Access Memory,RAM)、磁盘或光盘等。Those of ordinary skill in the art can understand that all or part of the steps in the various methods of the above embodiments can be completed by instructing hardware related to the terminal device through a program, and the program can be stored in a computer-readable storage medium, and the storage medium can be Including: a flash disk, a read-only memory (Read-Only Memory, ROM), a random access device (Random Access Memory, RAM), a magnetic disk or an optical disk, and the like.

实施例4Example 4

本发明的实施例还提供了一种存储介质。可选地,在本实施例中,上述存储介质可以用于保存上述实施例一所提供的应用程序的漏洞检测方法所执行的程序代码。The embodiment of the invention also provides a storage medium. Optionally, in this embodiment, the above-mentioned storage medium may be used to store the program code executed by the application program vulnerability detection method provided in the first embodiment above.

可选地,在本实施例中,上述存储介质可以位于计算机网络中计算机终端群中的任意一个计算机终端中,或者位于移动终端群中的任意一个移动终端中。Optionally, in this embodiment, the above-mentioned storage medium may be located in any computer terminal in the group of computer terminals in the computer network, or in any mobile terminal in the group of mobile terminals.

可选地,在本实施例中,存储介质被设置为存储用于执行以下步骤的程序代码:将待检测应用程序的安装文件转换为代码文件;获取指定函数的描述信息,其中,上述指定函数为用于反映指定行为的函数;依据上述描述信息,在上述代码文件中确定与指定描述信息匹配的第一类函数,并依据上述第一类函数对上述应用程序的漏洞进行检测。Optionally, in this embodiment, the storage medium is configured to store program codes for performing the following steps: converting the installation file of the application to be detected into a code file; obtaining description information of a specified function, wherein the specified function It is a function used to reflect the specified behavior; according to the above-mentioned description information, determine the first type of function matching the specified description information in the above-mentioned code file, and detect the vulnerability of the above-mentioned application program according to the above-mentioned first type of function.

可选的,上述存储介质还可以执行如下步骤的程序代码:构建上述第一类函数所在分支的第一控制流图CFG,并统计所有上述第一类函数中具有指定特征值的第二类函数;在上述第一CFG中查找上述第二类函数所在的分支,并判断上述第二类函数所在的分支是否进行了异常处理,在判断结果为是时,则确定上述应用程序不存在漏洞;在上述判断结果为否时,则确定上述应用程序存在漏洞。可选地,此处的“异常处理”可以表现为:设置用于指示在当前指令异常时,跳转至其他指令的跳转指令或者调用指令。Optionally, the above-mentioned storage medium can also execute the program code of the following steps: constructing the first control flow graph CFG of the branch where the above-mentioned first-type functions are located, and counting all the above-mentioned first-type functions with specified eigenvalues of the second-type functions ; Find the branch where the above-mentioned second type of function is located in the above-mentioned first CFG, and judge whether the branch where the above-mentioned second type of function is located has carried out abnormal processing, and when the judgment result is yes, then determine that there is no loophole in the above-mentioned application program; When the above judgment result is no, it is determined that the above application program has a vulnerability. Optionally, the "exception handling" here may be expressed as: setting a jump instruction or a call instruction for indicating to jump to other instructions when the current instruction is abnormal.

可选的,上述存储介质还可以执行如下步骤的程序代码:按照预设规则对上述第一CFG中的分支进行过滤,得到第二CFG;在上述第二CFG中查找上述第二类函数所在的分支。Optionally, the above-mentioned storage medium can also execute the program code of the following steps: filter the branches in the above-mentioned first CFG according to preset rules to obtain the second CFG; search the above-mentioned second CFG for the location where the above-mentioned second type of function is located. branch.

可选的,上述存储介质还可以执行如下步骤的程序代码:删除上述第一CFG中的指定节点以及仅能被该指定节点连通的节点,其中,该指定节点所对应的函数为仅有出度且没有入度的函数。Optionally, the above-mentioned storage medium can also execute the program code of the following steps: delete the specified node in the above-mentioned first CFG and the nodes that can only be connected by the specified node, wherein the function corresponding to the specified node is only out-degree And there is no in-degree function.

可选的,上述存储介质还可以执行如下步骤的程序代码:从网络侧的开源文档中获取上述指定函数的描述信息,例如可以通过网络爬虫的方式从开源文档中爬取上述描述信息。Optionally, the above-mentioned storage medium may also execute the program code of the following steps: Obtain the description information of the above-mentioned specified function from the open-source document on the network side, for example, crawl the above-mentioned description information from the open-source document by means of a web crawler.

此处需要说明的是,上述计算机终端群中的任意一个可以与网站服务器和扫描器建立通信关系,扫描器可以扫描计算机终端上php执行的web应用程序的值命令。It should be noted here that any one of the above computer terminal groups can establish a communication relationship with the website server and the scanner, and the scanner can scan the value commands of the web application program executed by php on the computer terminal.

上述本发明实施例序号仅仅为了描述,不代表实施例的优劣。The serial numbers of the above embodiments of the present invention are for description only, and do not represent the advantages and disadvantages of the embodiments.

在本发明的上述实施例中,对各个实施例的描述都各有侧重,某个实施例中没有详述的部分,可以参见其他实施例的相关描述。In the above-mentioned embodiments of the present invention, the descriptions of each embodiment have their own emphases, and for parts not described in detail in a certain embodiment, reference may be made to relevant descriptions of other embodiments.

在本申请所提供的几个实施例中,应该理解到,所揭露的实体设备,可通过其它的方式实现。其中,以上所描述的装置实施例仅仅是示意性的,例如所述单元的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,例如多个单元或组件可以结合或者可以集成到另一个系统,或一些特征可以忽略,或不执行。另一点,所显示或讨论的相互之间的耦合或直接耦合或通信连接可以是通过一些接口,单元或模块的间接耦合或通信连接,可以是电性或其它的形式。In the several embodiments provided in this application, it should be understood that the disclosed entity device may be implemented in other ways. Wherein, the device embodiments described above are only illustrative, for example, the division of the units is only a logical function division, and there may be other division methods in actual implementation, for example, multiple units or components can be combined or can be Integrate into another system, or some features may be ignored, or not implemented. In another point, the mutual coupling or direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection of units or modules may be in electrical or other forms.

所述作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部单元来实现本实施例方案的目的。The units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or may be distributed to multiple network units. Part or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.

另外,在本发明各个实施例中的各功能单元可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个单元中。上述集成的单元既可以采用硬件的形式实现,也可以采用软件功能单元的形式实现。In addition, each functional unit in each embodiment of the present invention may be integrated into one processing unit, each unit may exist separately physically, or two or more units may be integrated into one unit. The above-mentioned integrated units can be implemented in the form of hardware or in the form of software functional units.

所述集成的单元如果以软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。基于这样的理解,本发明的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的全部或部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可为个人计算机、服务器或者网络设备等)执行本发明各个实施例所述方法的全部或部分步骤。而前述的存储介质包括:U盘、只读存储器(ROM,Read-OnlyMemory)、随机存取存储器(RAM,Random Acces s Memory)、移动硬盘、磁碟或者光盘等各种可以存储程序代码的介质。If the integrated unit is realized in the form of a software function unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on such an understanding, the essence of the technical solution of the present invention or the part that contributes to the prior art or all or part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium , including several instructions to make a computer device (which may be a personal computer, server or network device, etc.) execute all or part of the steps of the method described in each embodiment of the present invention. And aforementioned storage medium comprises: U disk, read-only memory (ROM, Read-OnlyMemory), random access memory (RAM, Random Access s Memory), mobile hard disk, magnetic disk or CD etc. various mediums that can store program codes .

以上所述仅是本发明的优选实施方式,应当指出,对于本技术领域的普通技术人员来说,在不脱离本发明原理的前提下,还可以做出若干改进和润饰,这些改进和润饰也应视为本发明的保护范围。The above is only a preferred embodiment of the present invention, it should be pointed out that, for those of ordinary skill in the art, without departing from the principle of the present invention, some improvements and modifications can also be made, and these improvements and modifications can also be made. It should be regarded as the protection scope of the present invention.

Claims (15)

1. the leak detection method of an application program, it is characterised in that including:
The installation file of application program to be detected is converted to code file;
Obtaining the description information of specified function, wherein, described specified function is the function for reflecting appointment behavior;
According to described description information, determine in described code file and specify the first kind letter describing information matches Number, and according to described first kind function, the leak of described application program is detected.
Method the most according to claim 1, it is characterised in that according to described first kind function to described application program Leak detect, including:
Build the first controlling stream graph CFG of described first kind function place branch, and add up all described first kind Function has the Equations of The Second Kind function of specific characteristic value;
In a described CFG, search the branch at described Equations of The Second Kind function place, and judge described Equations of The Second Kind function Whether the branch at place has carried out abnormality processing, when judged result is for being, it is determined that described application program is not deposited At leak;When described judged result is no, it is determined that described application program exists leak.
Method the most according to claim 2, it is characterised in that described abnormality processing includes:
It is provided for indicating when present instruction exception, jumps to jump instruction or the call instruction of other instructions.
Method the most according to claim 2, it is characterised in that search described Equations of The Second Kind letter in a described CFG The branch at number place, including:
According to preset rules, the branch in a described CFG is filtered, obtain the 2nd CFG;
The branch at described Equations of The Second Kind function place is searched in described 2nd CFG.
Method the most according to claim 4, it is characterised in that according to preset rules to dividing in a described CFG Zhi Jinhang filters, including:
Delete the appointment node in a described CFG and be only capable of by the node of this appointment node connection, wherein, This function corresponding to appointment node is only out-degree and do not have the function of in-degree.
Method the most according to claim 2, it is characterised in that described specific characteristic value includes: described first kind letter The return value of number.
Method the most according to claim 1, it is characterised in that obtain the description information of specified function, including:
The description information of described specified function is obtained from the document of increasing income of network side.
Method the most according to claim 7, it is characterised in that obtain described appointment from the document of increasing income of network side The description information of function, including:
From described document of increasing income, described description information is obtained by the way of web crawlers.
Method the most according to any one of claim 1 to 8, it is characterised in that described for reflecting appointment behavior Function be api function, and/or described leak for refusal service DOS leak.
10. the Hole Detection device of an application program, it is characterised in that including:
Modular converter, for being converted to code file by the installation file of application program to be detected;
Acquisition module, for obtaining the description information of specified function, wherein, described specified function is for being used for reflecting The function of appointment behavior;
Detection module, for according to described description information, determines in described code file and specifies description information The first kind function of coupling, and according to described first kind function, the leak of described application program is detected.
11. devices according to claim 10, it is characterised in that described detection module, including:
Construction unit, builds the first controlling stream graph CFG of described first kind function place branch;
Statistic unit, for adding up the Equations of The Second Kind function in all described first kind functions with specific characteristic value;
Detector unit, for searching the branch at described Equations of The Second Kind function place in a described CFG, and judges Whether the branch at described Equations of The Second Kind function place has carried out abnormality processing, when judged result is for being, it is determined that institute State application program and there is not leak;When described judged result is no, it is determined that described application program exists leak.
12. devices according to claim 11, it is characterised in that described abnormality processing includes: be provided for indicating During present instruction exception, jump to jump instruction or the call instruction of other instructions.
13. devices according to claim 11, it is characterised in that described detector unit, are additionally operable to according to preset rules Branch in a described CFG is filtered, obtains the 2nd CFG;And search in described 2nd CFG The branch at described Equations of The Second Kind function place.
14. devices according to claim 13, it is characterised in that described detector unit, are used for deleting described first Specifying node and being only capable of by the node of this appointment node connection, wherein, corresponding to this appointment node in CFG Function be only out-degree and do not have the function of in-degree.
15. devices according to claim 10, it is characterised in that described acquisition module, are additionally operable to opening from network side Source document obtains the description information of specified function.
CN201510289736.XA 2015-05-29 2015-05-29 Vulnerability detection method and device for application program Active CN106295348B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510289736.XA CN106295348B (en) 2015-05-29 2015-05-29 Vulnerability detection method and device for application program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510289736.XA CN106295348B (en) 2015-05-29 2015-05-29 Vulnerability detection method and device for application program

Publications (2)

Publication Number Publication Date
CN106295348A true CN106295348A (en) 2017-01-04
CN106295348B CN106295348B (en) 2020-04-10

Family

ID=57656070

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510289736.XA Active CN106295348B (en) 2015-05-29 2015-05-29 Vulnerability detection method and device for application program

Country Status (1)

Country Link
CN (1) CN106295348B (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108959931A (en) * 2017-05-24 2018-12-07 阿里巴巴集团控股有限公司 Leak detection method and device, information interacting method and equipment
CN110378107A (en) * 2019-07-25 2019-10-25 腾讯科技(深圳)有限公司 A kind of method and relevant apparatus of installation kit detection
CN110471662A (en) * 2019-08-21 2019-11-19 北京百度网讯科技有限公司 Program conversion method, device and device
CN110581849A (en) * 2019-09-06 2019-12-17 中国平安人寿保险股份有限公司 method, device, equipment and storage medium for monitoring historical repaired bugs
CN111104671A (en) * 2018-10-25 2020-05-05 阿里巴巴集团控股有限公司 Application identification method and application detection method
CN111428238A (en) * 2020-03-17 2020-07-17 成都国信安信息产业基地有限公司 Android component-based denial of service test method, detection terminal and medium
CN112131573A (en) * 2020-09-14 2020-12-25 深信服科技股份有限公司 Method and device for detecting security vulnerability and storage medium
CN112527302A (en) * 2019-09-19 2021-03-19 北京字节跳动网络技术有限公司 Error detection method and device, terminal and storage medium
CN112540787A (en) * 2020-12-14 2021-03-23 北京知道未来信息技术有限公司 Program reverse analysis method and device and electronic equipment
CN113204498A (en) * 2021-06-07 2021-08-03 支付宝(杭州)信息技术有限公司 Method and apparatus for generating fuzzy test driver for closed source function library
CN113626820A (en) * 2021-06-25 2021-11-09 中国科学院信息工程研究所 Known vulnerability positioning method and device for network equipment
CN115544511A (en) * 2021-06-30 2022-12-30 北京字跳网络技术有限公司 Vulnerability detection method, device and electronic device
CN115859292A (en) * 2023-02-20 2023-03-28 卓望数码技术(深圳)有限公司 Fraud-related APP detection system, judgment method and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101359352A (en) * 2008-09-25 2009-02-04 中国人民解放军信息工程大学 Obfuscated API Call Behavior Discovery and Malicious Judgment Method Based on Layered Collaboration
US7849509B2 (en) * 2005-10-07 2010-12-07 Microsoft Corporation Detection of security vulnerabilities in computer programs
CN102779255A (en) * 2012-07-16 2012-11-14 腾讯科技(深圳)有限公司 Method and device for judging malicious program
CN103793650A (en) * 2013-12-02 2014-05-14 北京邮电大学 Static analysis method and device for Android application program

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7849509B2 (en) * 2005-10-07 2010-12-07 Microsoft Corporation Detection of security vulnerabilities in computer programs
CN101359352A (en) * 2008-09-25 2009-02-04 中国人民解放军信息工程大学 Obfuscated API Call Behavior Discovery and Malicious Judgment Method Based on Layered Collaboration
CN102779255A (en) * 2012-07-16 2012-11-14 腾讯科技(深圳)有限公司 Method and device for judging malicious program
CN103793650A (en) * 2013-12-02 2014-05-14 北京邮电大学 Static analysis method and device for Android application program

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108959931A (en) * 2017-05-24 2018-12-07 阿里巴巴集团控股有限公司 Leak detection method and device, information interacting method and equipment
CN111104671B (en) * 2018-10-25 2023-05-30 阿里巴巴集团控股有限公司 Application identification determining method and application detection method
CN111104671A (en) * 2018-10-25 2020-05-05 阿里巴巴集团控股有限公司 Application identification method and application detection method
CN110378107A (en) * 2019-07-25 2019-10-25 腾讯科技(深圳)有限公司 A kind of method and relevant apparatus of installation kit detection
CN110378107B (en) * 2019-07-25 2024-05-10 腾讯科技(深圳)有限公司 Method and related device for detecting installation package
CN110471662A (en) * 2019-08-21 2019-11-19 北京百度网讯科技有限公司 Program conversion method, device and device
CN110581849A (en) * 2019-09-06 2019-12-17 中国平安人寿保险股份有限公司 method, device, equipment and storage medium for monitoring historical repaired bugs
CN110581849B (en) * 2019-09-06 2022-11-11 中国平安人寿保险股份有限公司 Method, device, equipment and storage medium for monitoring historical repaired bugs
CN112527302A (en) * 2019-09-19 2021-03-19 北京字节跳动网络技术有限公司 Error detection method and device, terminal and storage medium
CN112527302B (en) * 2019-09-19 2024-03-01 北京字节跳动网络技术有限公司 Error detection method and device, terminal and storage medium
CN111428238A (en) * 2020-03-17 2020-07-17 成都国信安信息产业基地有限公司 Android component-based denial of service test method, detection terminal and medium
CN111428238B (en) * 2020-03-17 2023-11-07 成都国信安信息产业基地有限公司 Android component-based service rejection testing method, detection terminal and medium
CN112131573A (en) * 2020-09-14 2020-12-25 深信服科技股份有限公司 Method and device for detecting security vulnerability and storage medium
CN112540787A (en) * 2020-12-14 2021-03-23 北京知道未来信息技术有限公司 Program reverse analysis method and device and electronic equipment
CN113204498A (en) * 2021-06-07 2021-08-03 支付宝(杭州)信息技术有限公司 Method and apparatus for generating fuzzy test driver for closed source function library
CN113626820A (en) * 2021-06-25 2021-11-09 中国科学院信息工程研究所 Known vulnerability positioning method and device for network equipment
CN115544511A (en) * 2021-06-30 2022-12-30 北京字跳网络技术有限公司 Vulnerability detection method, device and electronic device
CN115859292A (en) * 2023-02-20 2023-03-28 卓望数码技术(深圳)有限公司 Fraud-related APP detection system, judgment method and storage medium

Also Published As

Publication number Publication date
CN106295348B (en) 2020-04-10

Similar Documents

Publication Publication Date Title
CN106295348A (en) The leak detection method of application program and device
Xu et al. Iccdetector: Icc-based malware detection on android
Dumitraş et al. Toward a standard benchmark for computer security research: The Worldwide Intelligence Network Environment (WINE)
CN112685737A (en) APP detection method, device, equipment and storage medium
CN113158197B (en) SQL injection vulnerability detection method and system based on active IAST
US20130167236A1 (en) Method and system for automatically generating virus descriptions
KR101582601B1 (en) Method for detecting malignant code of android by activity string analysis
KR101851233B1 (en) Apparatus and method for detection of malicious threats included in file, recording medium thereof
Shabtai et al. F-sign: Automatic, function-based signature generation for malware
CN104331663B (en) Detection method of web shell and web server
WO2018017498A1 (en) Inferential exploit attempt detection
CN103793649A (en) Method and device for cloud-based safety scanning of files
CN114386032A (en) Firmware detection system and method for power Internet of things equipment
CN103581185A (en) Cloud searching and killing method, device and system for resisting anti-antivirus test
CN116155519A (en) Threat warning information processing method, device, computer equipment and storage medium
CN103902900A (en) External extraction type detecting device and method for mobile terminal malicious code
CN117220957A (en) An attack behavior response method and system based on threat intelligence
CN112182569A (en) File identification method, device, equipment and storage medium
CN111291377A (en) Application vulnerability detection method and system
CN105306467A (en) Method and device for analyzing webpage data tampering
CN115168847A (en) Application patch generation method and device, computer equipment and readable storage medium
US11003772B2 (en) System and method for adapting patterns of malicious program behavior from groups of computer systems
JP5613000B2 (en) Application characteristic analysis apparatus and program
CN117610001A (en) Automatic analysis method for fine-grained malicious behaviors in Internet of things malicious software
CN110287722A (en) Sensitive Permission Extraction Method for Privacy Policy Check in iOS Apps

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant