CN104751056A - Vulnerability verification system and method based on attack library - Google Patents
- Publication number: CN104751056A (CN201410804844.1A)
- Authority: CN (China)
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The invention belongs to the technical field of network security and relates to a vulnerability verification system and method based on an attack library. The system comprises a vulnerability classifier, a virtual processor, a result analyzer and the attack library that is finally formed. First, the system is used to construct usable samples from the collected vulnerability samples; the meta-vulnerabilities produced by sample decomposition are processed by the virtual processor, the processed results are analyzed by the result analyzer, and the usable vulnerability samples that result are consolidated to form the attack library. A vulnerability verification script is written for each meta-vulnerability and stored in the attack library. New vulnerability samples are analyzed, processed and matched against the verification scripts in the attack library to perform vulnerability verification. With this system and method, the corresponding verification script can be called automatically, which reduces the manual effort testers spend analyzing and verifying vulnerabilities and improves verification efficiency.
Description
Technical Field
The invention belongs to the technical field of network security, and relates to a vulnerability verification system and method based on an attack library.
Background
Software inevitably contains security vulnerabilities because of defects in its functional design and coding. As attack techniques continue to develop, these vulnerabilities have become the primary factor affecting software security: they give attackers a convenient door for malicious intrusion and serve as an entry point and channel for the spread of malicious code such as Trojan horses and viruses. To improve software security, software is inspected for vulnerabilities to reduce its security risk, and because software vulnerability scanning is prone to false alarms, the scan results need to be verified.
Vulnerability verification means constructing, according to the specifics of a security vulnerability found during vulnerability detection, a corresponding scenario environment that demonstrates the existence of the vulnerability and its risk. The scenario environment is a simulated attack demonstration in a controlled environment: the vulnerability is exploited accordingly, and its existence and danger are shown without damaging the security of the system.
Vulnerability verification starts from vulnerability scanning results. A verification method is designed around the individual characteristics of the platform carrying the vulnerability, the vulnerability type, the trigger conditions and so on; a tester manually writes a verification script that exploits the vulnerability, and this verifies that the vulnerability really exists in the target and how harmful its exploitation would be. Existing verification methods have to be designed specifically for different vulnerabilities, different targets and different root causes. By consulting vulnerability verification documents and technical blogs, researchers can study different types of vulnerabilities. For example, the paper "vulnerability mining and vulnerability exploitation technical research based on Win32 platform" by Xu-qie of Shanghai Jiao Tong University analyzes and verifies overflow vulnerabilities on the Win32 platform. The paper "vulnerability analysis and automatic verification tool of security protocol" by Zhouxin of Shanghai Jiao Tong University proposes a vulnerability detection method for security protocols and designs a security protocol correctness analysis tool based on model checking, which checks a given security protocol and outputs possible security vulnerabilities. An analysis of the existing material and techniques shows that verification means and methods exist for many kinds of vulnerabilities, covering targets such as software, protocols and operating systems, but from a practical point of view existing vulnerability verification has the following disadvantages:
Because the target platforms, causes and so on of different vulnerabilities differ, the verification methods for different vulnerabilities differ as well. Testers need to be highly skilled, understand targets on various platforms and software, and master various programming languages and implementation techniques, which places high demands on researchers' abilities. This makes vulnerability verification work difficult to carry out.
An effective vulnerability verification method is lacking: verifiers need to write verification scripts or design methods manually, the degree of manual involvement is high, and the requirement for autonomous vulnerability verification cannot be met.
Disclosure of Invention
Aiming at the problems of the existing verification method, the invention provides a vulnerability verification system and a vulnerability verification method based on an attack library.
In order to achieve the purpose, the invention adopts the following technical scheme:
A vulnerability verification system based on an attack library, characterized by comprising a vulnerability classifier, a virtual processor, a result analyzer and a finally formed attack library, wherein:
Classifier: receives vulnerability samples and is responsible for screening and classifying them. It comprises a type judgment module, a parameter configuration module and a distribution module. The type judgment module analyzes the type of environment in which the sample runs; the parameter configuration module controls or configures the vulnerability's run parameters; and the distribution module distributes the vulnerability samples that have passed type judgment and parameter configuration to the corresponding virtual machines.
Virtual processor: consists of a unified processing module, virtual machines and a virtual machine agent module. The unified processing module receives the vulnerability samples and distributes them to the corresponding virtual machines; a virtual machine is the virtual environment in which a vulnerability sample runs, and different virtual machines are provided with different operating systems and have the corresponding application software installed; the virtual machine agent module is built into each virtual machine and is responsible for processing software vulnerability samples, collecting the results and feeding them back to the result analyzer.
The virtual machine agent includes:
Environment information collection submodule: collects information on the applications installed in the current system.
Environment verification submodule: obtains the software list of the test environment from the environment information collection submodule and verifies whether the test target software required by the vulnerability sample, and its version number, are present in the corresponding test environment.
Sample detection submodule: monitors the running of the vulnerability sample and gives a test result.
Abnormal information collection submodule: collects abnormal information during the sample's run for analyzing the sample's behavior.
Environment information control submodule: if new software is installed in the test environment, this submodule sends a request to the environment verification submodule, which in turn requires the environment information collection submodule to obtain the system software list again.
Result analyzer: analyzes the vulnerability samples reported by the virtual machine agent module, and analyzes the specific content of each vulnerability according to the vulnerability's affected target, cause, location and so on.
Attack library: after a vulnerability sample has been verified as valid, the vulnerability-related information and the written verification script are stored together to form the attack library.
The method for verifying vulnerabilities using the system is characterized by comprising the following steps:
Step 1: Collect vulnerability samples.
Vulnerability samples are collected through security websites or forums, independent research or other channels. Collected samples that cannot be used directly are reworked into usable vulnerability samples. The collected and reworked samples are named uniformly.
Step 2: Vulnerability decomposition processing.
The vulnerability samples are screened by the classifier and handed to the virtual processor for vulnerability decomposition, forming meta-vulnerability samples; a meta-vulnerability sample is a vulnerability of a single basic type.
Step 3: Result analysis.
The virtual processor passes the decomposition result of the vulnerability sample to the result analyzer. Usable meta-samples that pass the test are stored in the attack library.
Step 4: Analyze the meta-samples in the attack library, write verification scripts and store them in the attack library.
Step 5: The vulnerability sample to be verified is decomposed by the virtual processor to form sub-samples, which are matched against the meta-samples in the attack library so that the corresponding verification script is selected for vulnerability verification.
Compared with the prior art, the invention has the following advantages:
(1) The validity of vulnerability samples is verified, and for usable samples the vulnerability information is analyzed manually according to the vulnerability's circumstances to form an attack library, so that an expert knowledge base can be built up for vulnerability verification work.
(2) The vulnerability to be verified undergoes behavior analysis in the virtual processor and is compared and matched with the meta-vulnerabilities in the attack library, so that the corresponding verification script is called automatically to verify the vulnerability. This reduces the manual effort testers spend analyzing and verifying vulnerabilities and improves verification efficiency.
Drawings
FIG. 1 is a block diagram of the system of the present invention;
FIG. 2 is a block diagram of an attack library according to the present invention;
FIG. 3 is a block diagram of a virtual machine agent module;
FIG. 4 is a flow chart of the method of the present invention.
Detailed Description
The invention is further described with reference to the following figures and detailed description.
Fig. 1 is a block diagram of the vulnerability verification system of the present invention, which includes a classifier 1, a virtual processor 2, a result analyzer 3 and a final attack library 4, wherein:
The classifier 1: receives vulnerability samples and is responsible for screening and classifying them. It is composed of a type judgment module 11, a parameter configuration module 12 and a distribution module 13. The type judgment module 11 analyzes the type of environment in which the sample runs; the parameter configuration module 12 controls or configures the vulnerability's run parameters; the distribution module 13 distributes the vulnerability samples that have passed type judgment and parameter configuration to the corresponding virtual machines.
The virtual processor 2: is composed of a unified processing module 21, virtual machines 22 and a virtual machine agent module 23. The unified processing module 21 receives the vulnerability samples and distributes them to the corresponding virtual machines 22; a virtual machine 22 is the virtual environment in which a vulnerability sample runs, and different virtual machines are provided with different operating systems and corresponding application software; the virtual machine agent module 23 is built into each virtual machine 22 and is responsible for processing software vulnerability samples, collecting the results and feeding them back to the result analyzer 1.
The composition of the virtual machine agent module 23 is shown in Fig. 3 and includes:
The environment information collection submodule 231: collects information on the applications installed in the current system.
The environment verification submodule 232: obtains the software list of the test environment from the environment information collection submodule and verifies whether the test target software required by the vulnerability sample, and its version number, are present in the corresponding test environment.
The sample detection submodule 233: monitors the running of the vulnerability sample and gives a test result.
The abnormal information collection submodule 234: collects abnormal information during the sample's run for analyzing the sample's behavior.
The environment information control submodule 235: if new software is installed in the test environment, this submodule sends a request to the environment verification submodule 232, which in turn requires the environment information collection submodule 231 to obtain the system software list again.
The result analyzer 3: analyzes the vulnerability samples reported by the virtual machine agent module 23, and analyzes the specific content of each vulnerability according to the vulnerability's affected target, cause, location and so on.
The attack library 4: after a vulnerability sample has been verified as valid, the vulnerability-related information and the written verification script are stored together to form the attack library 4. Fig. 2 is a structural diagram of the attack library 4. The attack library 4 includes the basic information and detailed information of each meta-vulnerability and a verification script for that meta-vulnerability. A meta-vulnerability is the minimal vulnerability sample formed after a vulnerability sample is decomposed by the classifier; its basic and detailed information record what makes the vulnerability unique and are the main basis for distinguishing vulnerabilities during verification.
A flowchart of the method for verifying vulnerabilities using the system is shown in Fig. 4. The method comprises the following steps:
Step 1: Collect vulnerability samples.
Step 1.1: Collect vulnerability samples through security websites, related forums, universities and research institutions or other channels. The samples may be known vulnerabilities or 0day vulnerabilities.
Step 1.2: Analyze the availability of each vulnerability, and rework the unusable items among the collected samples into usable vulnerability samples.
Step 1.3: Name the collected and reworked vulnerability samples uniformly. The sample naming rule follows the format [date]-[person]-[source]-[type], where the date is the time the sample was collected; the person is the person who analyzed the sample, and when several people handle a sample the form "person 1 and person 2" is used; the source is the channel through which the sample was collected; and the type is the sample type, which prepares the sample for the decomposition process.
Step 2: Decompose the vulnerability sample.
The vulnerability samples are screened by the classifier 1 and handed to the virtual processor 2 for vulnerability decomposition, forming meta-vulnerability samples; a meta-vulnerability sample is a vulnerability of a single basic type.
Step 2.1: Judge the type of environment the vulnerability sample runs in and depends on, including the environment the vulnerability affects and the software type. Type judgment covers the target's category, name, version and so on, where the category is divided into operating system, application software and the like.
Step 2.2: Configure the run parameters of the vulnerability sample.
For most vulnerability samples the run parameters default to empty, but some vulnerabilities need corresponding parameters to be configured. This step applies to the vulnerability samples that require run parameters.
Step 2.3: A vulnerability sample that has passed type judgment and parameter configuration is a vulnerability meta-sample; the meta-sample is sent to the virtual processor 2 for the next operation.
Step 3: The virtual processor 2 receives the sample information and processes the sample's vulnerability; the result is analyzed by the analyzer 1, and the sample is finally stored in the attack library 4.
Step 3.1: First the type of the sample is determined, and the sample is processed by a different virtual machine 22 depending on whether it is of the operating system type or the application software type.
Step 3.2: For operating system vulnerability samples, the virtual processor 2 virtualizes various operating systems as test environments in which to test the sample.
For application software, virtual environments are built according to software class; application software is divided into office software, browser software, chat tool software, media tool software, download tool software and so on. Software of the same class can be installed in the same virtual machine.
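The naming rule of step 1.3 and the type-based dispatch of steps 3.1 and 3.2 can be sketched as follows. This is an added example, not part of the patent: the layout inside the [type] field (category letter, class letter, product, version), the pool names and the sample file names are assumptions made for illustration, since the page defines only the four bracketed fields.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# One bracketed field; tolerates stray spaces and either "-" or "_" between fields.
FIELD = re.compile(r"\[\s*([^\[\]]*?)\s*\]")

# Assumed encoding of the [type] field: <category><class>_<product>_<version>.
CATEGORIES = {"a": "application", "o": "operating_system"}
CLASSES = {"O": "office", "B": "browser", "C": "chat", "M": "media", "D": "download"}
TYPE_FIELD = re.compile(r"([a-z])([A-Z]?)_(.+)_(\d[\d.]*)")


@dataclass(frozen=True)
class SampleName:
    date: str
    person: str
    source: str
    category: str
    software_class: str
    product: str
    version: str
    extension: str


def parse_sample_name(filename):
    """Split a sample file name into its four fields and validate each one."""
    fields = FIELD.findall(filename)
    if len(fields) != 4:
        raise ValueError(f"expected 4 bracketed fields, found {len(fields)}")
    date, person, source, type_field = fields
    if not re.fullmatch(r"\d{8}", date):
        raise ValueError("date must be YYYYMMDD")
    datetime.strptime(date, "%Y%m%d")  # raises ValueError on impossible dates
    if not person or not source:
        raise ValueError("person and source must not be empty")
    match = TYPE_FIELD.fullmatch(type_field)
    if not match or match.group(1) not in CATEGORIES:
        raise ValueError(f"unrecognised type field: {type_field!r}")
    category = CATEGORIES[match.group(1)]
    software_class = ""
    if category == "application":
        # Application samples must name a known software class to be routable.
        if match.group(2) not in CLASSES:
            raise ValueError(f"unknown software class in {type_field!r}")
        software_class = CLASSES[match.group(2)]
    extension = filename[filename.rfind("]") + 1:].lstrip(". ").lower()
    return SampleName(date, person, source, category, software_class,
                      match.group(3), match.group(4), extension)


def route(sample):
    """Pick the virtual machine pool: one per OS, one per application class."""
    if sample.category == "operating_system":
        return f"os/{sample.product}"
    return f"app/{sample.software_class}"


# Constructed sample names, not taken from the page.
MEDIA_SAMPLE = "[20141104]-[zs]-[forum]-[aM_ExamplePlayer_1.0].m3u"
OS_SAMPLE = "[20140101]_[zs]_[research]_[o_ExampleOS_6.1].bin"
```

Rejecting a malformed name at this point keeps an unroutable sample from reaching a virtual machine whose installed software does not match it.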
Step 3.3: The agent in the virtual machine 22 is responsible for analyzing the vulnerability sample.
First, information on the application software installed in the current system is collected. On a Windows operating system, for example, the information can be read from the registry by enumerating the keys under "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall". Based on the software list obtained for the test environment, it is then judged whether the test target software required by the vulnerability sample, and its version number, exist in the test environment.
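The environment information collection and environment verification steps described above can be sketched as follows. This is an added example, not code from the patent: the function names, the version-prefix matching rule and the sample inventory are assumptions, and the WOW6432Node view is included here because 32-bit software on 64-bit Windows registers there.

```python
import re
import sys

# Uninstall key from the text plus the 32-bit registry view of 64-bit Windows.
UNINSTALL_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
)


def collect_installed_software():
    """Environment information collection: list of (DisplayName, DisplayVersion)."""
    if sys.platform != "win32":
        raise OSError("registry enumeration is only available on Windows")
    import winreg
    inventory = []
    for path in UNINSTALL_KEYS:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
        except OSError:
            continue  # this registry view does not exist on the system
        with root:
            for index in range(winreg.QueryInfoKey(root)[0]):
                try:
                    with winreg.OpenKey(root, winreg.EnumKey(root, index)) as entry:
                        name = winreg.QueryValueEx(entry, "DisplayName")[0]
                        try:
                            version = winreg.QueryValueEx(entry, "DisplayVersion")[0]
                        except OSError:
                            version = ""
                except OSError:
                    continue  # entries without a DisplayName (updates, components)
                inventory.append((str(name), str(version)))
    return inventory


def _parts(version):
    return [p for p in re.split(r"[.\-_ ]+", version.strip()) if p]


def version_matches(required, installed):
    """Component-wise prefix match: "1.0" accepts "1.0.0.4" but not "1.01" or "10.0"."""
    req, inst = _parts(required), _parts(installed)
    return bool(req) and inst[:len(req)] == req


def verify_environment(inventory, product, version):
    """Environment verification: is the target product at the target version present?"""
    wanted = product.casefold()
    candidates = [(n, v) for n, v in inventory if wanted in n.casefold()]
    if not candidates:
        return ("missing", [])
    exact = [(n, v) for n, v in candidates if version_matches(version, v)]
    if exact:
        return ("ready", exact)
    # Product installed at another version: a run here would say nothing
    # about the version the sample targets.
    return ("wrong_version", candidates)


# Constructed inventory so the check can be exercised off a Windows host.
SAMPLE_INVENTORY = [
    ("ExamplePlayer", "1.0.0.4"),
    ("ExamplePlayer Codec Pack", "2.3"),
    ("Other Office Suite", "12.0"),
]
```

Treating "wrong_version" separately from "missing" matters for the result analysis: a sample that does not trigger on the wrong build is not evidence that the vulnerability is absent.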
Step 3.4: Load the vulnerability sample into the virtual machine 22 and run it, monitor how it runs, and analyze the sample's test result.
While the sample runs, it is checked whether the sample detection stage has finished. If so, the process exits; otherwise a debugging process is started, the target program is launched in debug mode, and the target program loads the vulnerability sample. The debugging process monitors the sample's entire run inside the target program and watches for exceptions. If the debugging process captures exception information while monitoring the target process loading the vulnerability sample, that information is analyzed.
Step 3.5: Loading, running and analyzing the vulnerability sample reveals the run-related information of the vulnerability, including the platform carrying the vulnerability, the target at risk, the trigger condition and so on. The vulnerability sample and this information are stored in the attack library 4.
Step 4: Analyze the meta-samples in the attack library 4, write verification scripts and store them in the attack library 4.
A tester analyzes the vulnerability sample and, according to the cause of the vulnerability and taking the carrying platform as the basis, simulates the vulnerability's trigger conditions and writes a verification script or designs a method for vulnerability attack verification. After the vulnerability verification is confirmed to be successful, the verification script or method is stored in the attack library 4, thereby forming a knowledge base of vulnerability verification attacks.
Step 5: After receiving an attack sample to be verified, the system decomposes the vulnerability sample to be verified through the classifier 1 and loads the resulting sample into the virtual processor 2 for a simulated run. The sample's test result is judged and matched against vulnerabilities that are the same as or similar to the meta-sample information in the attack library 4, and the corresponding verification script is selected for vulnerability verification.
After a vulnerability has been verified on the basis of the attack library 4, the verification result needs to be analyzed to judge whether the verification method in the attack library 4 can support the vulnerability to be verified. If the vulnerability is successfully triggered and a result is returned, the vulnerability sample to be verified can be added to the attack library 4. If an error occurs or an abnormality is detected during verification, the verifier analyzes the vulnerability and the verification script, modifies or rewrites the script, and improves the attack library 4.
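The matching in step 5 and the fallback to manual analysis can be sketched as follows. This is an added example, not the patent's algorithm: the record fields, the integer weights, the threshold and the library entries are assumptions chosen to illustrate "same or similar" matching, and the script values are placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MetaVulnerability:
    sample_id: str
    platform: str        # platform carrying the vulnerability
    software_class: str  # class of the affected software
    trigger: str         # condition that triggers the fault
    cause: str           # root cause found during analysis
    script: str          # reference to the stored verification script


# Assumed weights: cause and trigger say most about whether a script will
# carry over; the platform says least.
WEIGHTS = {"cause": 40, "trigger": 30, "software_class": 20, "platform": 10}
THRESHOLD = 70


def similarity(observed, meta):
    """Score 0-100: sum of the weights of the fields on which both records agree."""
    return sum(
        weight
        for field, weight in WEIGHTS.items()
        if str(observed.get(field, "")).casefold() == getattr(meta, field).casefold()
    )


def select_script(observed, library):
    """Return (entry, score) for the best match, or (None, score) below the threshold.

    None hands the sample back for manual analysis, after which the attack
    library gains a new or revised script.
    """
    best, best_score = None, 0
    for meta in library:
        score = similarity(observed, meta)
        if score > best_score:
            best, best_score = meta, score
    if best_score < THRESHOLD:
        return (None, best_score)
    return (best, best_score)


# Constructed library entries and observations; identifiers are placeholders.
LIBRARY = [
    MetaVulnerability("meta-001", "windows", "media", "open m3u playlist",
                      "stack overflow", "scripts/meta-001"),
    MetaVulnerability("meta-002", "windows", "office", "open document",
                      "heap overflow", "scripts/meta-002"),
]
NEW_MEDIA_SAMPLE = {"platform": "windows", "software_class": "media",
                    "trigger": "open m3u playlist", "cause": "stack overflow"}
UNSEEN_SAMPLE = {"platform": "windows", "software_class": "browser",
                 "trigger": "render page", "cause": "use after free"}
```

A selected script is still only a candidate: its run result goes through the analysis described above before the sample is added to the library.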
An example of the application of the present invention is given below.
Following the steps above, a vulnerability sample is sent to the vulnerability verification system for verification. The sample is processed and named [20141104]_[ht]_[extensions-db]_[aM_Yahoo! Player_1.0].m3u. The type judgment in the classifier evaluates the type field in the name, and the sample is then sent to the virtual machine test environment of the media tool cluster. Analysis of the corresponding virtual machine environment shows that the test environment contains software matching the target.
The sample is then tested and analyzed. By default, the module starts the corresponding target program according to the sample type, automatically calls the command code 'g' after the sample is loaded, and, once the sample under test has finished running, automatically analyzes the run result by calling the command code 'an'. After the analysis module has finished, the system gives the register information and a preliminary cause analysis for the sample: when the "an" analysis command is entered, the return address record is analyzed to determine whether any modified return address is garbage data (such as "AAAA", "0x909090" and the like, which are commonly used in samples), and the system then reports which return address was modified. On the basis of the analysis result given by the verification platform, manual analysis can then locate the fault precisely and finally determine the point that causes the stack overflow.
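The return-address check described above can be sketched as follows. This is an added example, not the platform's 'an' command: the record layout, the classification labels, the module table and the addresses are constructed for illustration and assume 32-bit return addresses.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ReturnRecord:
    function: str   # function whose frame holds the return address
    slot: int       # stack address where the return address is stored
    at_call: int    # value recorded when the call was made
    at_return: int  # value read back just before the function returns


def filler_kind(value, width=4):
    """Classify a value as typical filler data, or return None if it does not look like any."""
    value &= (1 << (8 * width)) - 1
    raw = value.to_bytes(width, "little").rstrip(b"\x00")
    if len(raw) < 3:
        return None  # too few significant bytes to call it a pattern
    if len(set(raw)) == 1:
        if raw[0] == 0x90:
            return "nop-fill"        # e.g. 0x909090
        if 0x20 <= raw[0] < 0x7F:
            return "repeated-ascii"  # e.g. "AAAA"
        return "repeated-byte"
    if len(raw) == width and all(0x20 <= b < 0x7F for b in raw):
        return "ascii-text"          # input text landed on the stack slot
    return None


def in_loaded_module(address, modules):
    """True when the address lies inside one of the (name, base, size) ranges."""
    return any(base <= address < base + size for _, base, size in modules)


def analyze_return_records(records, modules):
    """Report every return address that changed between call and return."""
    findings = []
    for rec in records:
        if rec.at_call == rec.at_return:
            continue
        findings.append({
            "function": rec.function,
            "slot": rec.slot,
            "expected": rec.at_call,
            "found": rec.at_return,
            "filler": filler_kind(rec.at_return),
            "in_module": in_loaded_module(rec.at_return, modules),
        })
    return findings


# Constructed module table and return-address record for a 32-bit target.
MODULES = [("player.exe", 0x00400000, 0x00080000)]
RECORDS = [
    ReturnRecord("main", 0x0012FF80, 0x00401A2C, 0x00401A2C),
    ReturnRecord("load_playlist", 0x0012F9C4, 0x00403B10, 0x41414141),
    ReturnRecord("read_entry", 0x0012F570, 0x00403F5E, 0x00909090),
]
```

The first modified frame in the report is the starting point for the manual step of locating the copy that overruns the buffer.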
After the cause of the vulnerability and the vulnerable point have been determined, vulnerability verification matching is carried out. The verification script of the vulnerability sample [20140819]_[ht]_[extensions-db]_[QitoPlayer_1.0].m3u is found and used for verification, and the overflow is successfully triggered, verifying the vulnerability.
The vulnerability verification platform monitors and analyzes how the target program runs after loading the sample and can give a preliminary analysis result; the vulnerable code segment is finally determined in combination with manual analysis, and the vulnerability is verified using a verification script from the attack library. With manual analysis alone, the type and location of the vulnerability cannot be judged quickly, and a verification script may even have to be written by hand. The vulnerability verification platform therefore improves researchers' analysis efficiency and is of great help in judging and verifying vulnerabilities.
Claims (7)
1. A vulnerability verification system based on an attack library, the system comprising: a sorter (1), a virtual processor (2), a result analyzer (3) and a finally formed attack library (4); wherein,
classifier (1): the vulnerability sample receiving method comprises the steps of receiving vulnerability samples, taking charge of screening and classifying the samples, and being composed of a type judging module (11), a parameter configuration module (12) and a distribution module (13); the type judgment module (11) is used for analyzing the type of the environment in which the sample operates; the parameter configuration module (12) is used for controlling or configuring the vulnerability operation parameters; the distribution module (13) is responsible for distributing the vulnerability samples subjected to type judgment and parameter configuration to corresponding virtual machines;
virtual processor (2): the system is composed of a unified processing module (21), a virtual machine (22) and a virtual machine agent module (23); the unified processing module (21) receives the vulnerability samples and distributes the vulnerability samples to corresponding virtual machines (22); the virtual machine (22) is a virtual environment for operating the vulnerability sample, different virtual machines are provided with different operating systems, and corresponding application software is installed; the virtual machine agent module (23) is arranged in each virtual machine (22) and is responsible for processing software vulnerability samples and feeding back collected results to the result analyzer (3);
results analyzer (3): analyzing vulnerability samples reported by a virtual machine agent module (23), and analyzing specific contents of the vulnerability according to vulnerability influence targets, causes, positions and the like;
attack library (4): after the vulnerability sample is verified to be effective, storing vulnerability related information and the compiled verification script together to form an attack library (4); the attack library (4) comprises basic information and detailed information of the meta-vulnerability and a verification script aiming at the meta-vulnerability; the meta-vulnerability is a minimum vulnerability sample formed after the vulnerability sample is decomposed by the classifier, and the uniqueness of the vulnerability is recorded by the basic information and the detailed information of the meta-vulnerability and is a main basis for distinguishing during vulnerability verification.
2. The vulnerability verification system based on an attack library according to claim 1, wherein the virtual machine agent module (23) further comprises:
an environment information collection submodule (231): collecting information of the installed application software in the current system;
environment verification submodule (232): acquiring software list information in the test environment from an environment information collection submodule (231), and verifying whether test target software and relevant version numbers thereof required by the vulnerability sample are in the corresponding test environment;
a sample detection submodule (233): monitoring the operation of the vulnerability sample and giving a test result;
an anomaly information collection sub-module (234): collecting abnormal information in the running of the sample, and analyzing the behavior of the sample;
context information control submodule (235): if new software is installed in the test environment, the sub-module is responsible for sending a request to the environment verification sub-module (232), and then the environment information collection sub-module (231) is required to obtain the system software list information again.
3. A method for vulnerability verification using the system of claim 1, comprising the steps of:
step 1: collecting vulnerability samples;
step 2: decomposing a vulnerability sample;
screening the vulnerability samples through a classifier (1) and transferring the vulnerability samples to a virtual processor (2) for vulnerability decomposition processing to form a meta-vulnerability sample, wherein the meta-vulnerability sample is a certain basic type vulnerability;
and step 3: analyzing results;
the virtual processor (2) receives the sample information, processes the vulnerability of the sample, analyzes the vulnerability by the analyzer 1, and finally stores the sample in the attack library (4);
and 4, step 4: analyzing the meta-sample in the attack library (4), compiling a verification script and storing the verification script in the attack library (4);
analyzing a vulnerability sample by a tester, simulating vulnerability triggering conditions by taking a bearing platform as basic content according to the cause of vulnerability formation, and writing a verification script or designing a method for vulnerability attack verification; after confirming that the vulnerability verification is successful, storing the vulnerability verification script or method into an attack library (4); thereby forming a vulnerability verification attack knowledge base;
step 5: verifying the vulnerability based on the attack library (4);
after receiving an attack sample to be verified, the system carries out sample decomposition on the vulnerability sample to be verified through the classifier (1), the formed sample is loaded to the virtual processor (2) for simulation operation, a sample test result is judged, vulnerabilities which are the same as or similar to the meta-sample information in the attack library (4) are matched, and therefore a corresponding verification script is selected for vulnerability verification.
4. The method of claim 3, wherein the vulnerability sample collection of step 1 further comprises the steps of:
step 1.1: collecting vulnerability samples through a security website, a related forum, a college and research institution or other channels, wherein the sample types are known vulnerabilities or 0day vulnerabilities;
step 1.2: analyzing the available condition of the vulnerability, and transforming unavailable individuals in the collected samples to form available vulnerability samples;
step 1.3: uniformly naming the collected and transformed vulnerability samples, wherein the sample naming rule follows the following format: [ date ] - [ person ] - [ source ] - [ type ]; wherein the date represents the time of sample collection; the person represents the person who analyzes the sample, and the form of person 1 and person 2 is used when a sample is processed by several persons; the source represents the channel of sample collection; the type indicates the sample type, which is prepared for the sample decomposition process.
5. The method of claim 3, wherein decomposing the vulnerability sample at step 2 further comprises:
step 2.1: judging the type of environment in which the vulnerability sample runs and on which it depends, and the type of environment and software affected by the vulnerability; the type judgment comprises judging the category, the name, the version and the like of the target, wherein the category is divided into an operating system, application software and the like;
step 2.2: configuring vulnerability sample operation parameters;
the run-time parameters of most vulnerability samples default to null, while some vulnerabilities require corresponding parameters to be configured; this step is performed for the vulnerability samples that need operation parameters configured;
step 2.3: the vulnerability sample after type judgment and parameter configuration is a vulnerability meta-sample, and the meta-sample is sent to the virtual processor (2) for the next operation.
6. The method of claim 3, wherein the step 3 of analyzing the results further comprises the steps of:
step 3.1: firstly, judging the type of a sample, and processing the sample by different virtual machines (22) according to the difference that the sample is of an operating system type or an application software type;
step 3.2: aiming at a vulnerability sample of an operating system, a virtual processor (2) virtualizes various operating systems as test environments to test the vulnerability sample; aiming at application software, virtual environment construction is carried out according to software classification, and the application software is divided into office software, browser software, chatting tool software, media tool software and downloading tool software; the similar software is installed in the same virtual machine;
step 3.3: analyzing the vulnerability sample by a virtual machine agent module (23) in the virtual machine (22);
firstly, collecting information of application software installed in a current system, and then judging whether test target software and relevant version numbers thereof needed by a vulnerability sample exist in a test environment according to acquired software list information in the test environment;
step 3.4: loading the vulnerability sample into a virtual machine (22) for running, monitoring the running condition of the vulnerability sample, and analyzing the test result of the sample;
detecting whether the sample detection stage is finished or not in the sample running process, if so, exiting, otherwise, starting a debugging process, starting a target program in a debugging mode, and loading a vulnerability sample by the target program; the whole running process of the sample in the target program is monitored by the debugging process, and whether an abnormality occurs is monitored; when the debugging process monitors the running condition of the target process loading sample vulnerability, if capturing abnormal information, analyzing the abnormal information;
step 3.5: obtaining operation related information of the vulnerability through loading, operation and analysis of the vulnerability sample, wherein the operation related information comprises a vulnerability bearing platform, a hazard target and a trigger condition; and storing the vulnerability sample and the information into an attack library (4).
7. The method according to claim 3, wherein, after the vulnerability is verified based on the attack library (4) in the step 4, the verification result is analyzed to judge whether the vulnerability verification method in the attack library (4) can support the vulnerability to be verified; if the vulnerability is successfully triggered and the result is returned, adding the vulnerability sample to be verified into the attack library (4); if errors occur or an abnormality is detected in the verification process, a verifier analyzes the bugs and the verification script, modifies the script content or rewrites the script, and perfects the attack library (4).
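An added illustration, not part of the patent text, of the bookkeeping described in step 1.3 of claim 4 and steps 3.1 to 3.3 of claim 6: it checks a sample name against the naming rule, routes the meta-sample to a virtual machine pool by category and software class, and verifies the pool's software list against the target software and versions the sample requires. The field names, pool labels, status strings and the 8-digit date are assumptions, and the inventories and product names are constructed.

```python
import re
from dataclasses import dataclass

# Step 1.3 naming rule; an 8-digit date is an assumption, the claim fixes no date format.
NAME_RE = re.compile(r"\[(\d{8})\]-\[([^\]]+)\]-\[([^\]]+)\]-\[([^\]]+)\]")
# Step 3.2 application classes: software of the same class shares one virtual machine.
APP_CLASSES = {"office", "browser", "chat", "media", "download"}

@dataclass(frozen=True)
class MetaSample:
    name: str        # sample name in the step 1.3 format
    category: str    # "os" or "app" (step 2.1); labels are assumptions
    app_class: str   # one of APP_CLASSES, or "" for operating-system samples
    target: str      # software the sample depends on
    versions: tuple  # version numbers the sample requires

def parse_name(name):
    """Split a sample name into its four fields, or raise ValueError."""
    m = NAME_RE.fullmatch(name)
    if not m:
        raise ValueError(f"name does not follow [date]-[person]-[source]-[type]: {name!r}")
    return dict(zip(("date", "person", "source", "type"), m.groups()))

def route(sample):
    """Steps 3.1/3.2: pick the virtual machine pool for a meta-sample."""
    if sample.category == "os":
        return f"os:{sample.target}"
    if sample.category == "app" and sample.app_class in APP_CLASSES:
        return f"app:{sample.app_class}"
    raise ValueError(f"unroutable sample: {sample.category}/{sample.app_class}")

def verify_environment(sample, inventory):
    """Step 3.3: check target software and version against the software list."""
    installed = inventory.get(sample.target.lower())
    if installed is None:
        return "missing_software"
    if installed not in sample.versions:
        return "version_mismatch"
    return "ready"

def plan(sample, inventories):
    """Combine the naming check, routing and environment verification."""
    fields = parse_name(sample.name)
    pool = route(sample)
    inventory = {k.lower(): v for k, v in inventories.get(pool, {}).items()}
    return {"pool": pool, "type": fields["type"],
            "status": verify_environment(sample, inventory)}

# Constructed software lists, as submodule (231) might report them (hypothetical products).
INVENTORIES = {"app:office": {"ExampleOffice": "11.0"},
               "app:browser": {"ExampleBrowser": "8.0"}}
SAMPLE = MetaSample("[20141219]-[analystA]-[forum]-[office]", "app", "office",
                    "exampleoffice", ("11.0", "12.0"))
```

A status other than "ready" corresponds to the case in which the test environment has to be changed and the software list collected again before the sample is loaded.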
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410804844.1A CN104751056A (en) | 2014-12-19 | 2014-12-19 | Vulnerability verification system and method based on attack library |
Publications (1)
Publication Number | Publication Date |
---|---|
CN104751056A true CN104751056A (en) | 2015-07-01 |
Family
ID=53590728
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410804844.1A Pending CN104751056A (en) | 2014-12-19 | 2014-12-19 | Vulnerability verification system and method based on attack library |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104751056A (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101645119A (en) * | 2008-08-07 | 2010-02-10 | 中国科学院软件研究所 | Method and system for automatically analyzing malicious codes based on virtual hardware environment |
CN103532793A (en) * | 2013-10-28 | 2014-01-22 | 中国航天科工集团第二研究院七〇六所 | Automatic penetration testing method for information system security |
US20140283081A1 (en) * | 2013-03-14 | 2014-09-18 | Whitehat Security, Inc. | Techniques for correlating vulnerabilities across an evolving codebase |
Non-Patent Citations (1)
Title |
---|
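Hou Haojun: "Research on a Virtual Verification Platform for Software Vulnerabilities", China Master's Theses Full-text Database, Information Science and Technology Series * |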
Cited By (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106685900A (en) * | 2015-11-10 | 2017-05-17 | 中国电信股份有限公司 | Loophole prevention method and apparatus |
CN106685900B (en) * | 2015-11-10 | 2020-04-28 | 中国电信股份有限公司 | Vulnerability protection method and device |
CN105630672A (en) * | 2015-12-16 | 2016-06-01 | 北京奇虎科技有限公司 | Automatic application monitoring method and device |
CN105718303A (en) * | 2016-01-20 | 2016-06-29 | 国家电网公司 | Virtual machine anomaly detecting method, device and system |
CN106203126B (en) * | 2016-07-15 | 2019-07-09 | 国家计算机网络与信息安全管理中心 | A kind of validating vulnerability method and system based on simulated environment |
CN106203126A (en) * | 2016-07-15 | 2016-12-07 | 国家计算机网络与信息安全管理中心 | A kind of validating vulnerability method and system based on simulated environment |
CN107480531A (en) * | 2017-07-18 | 2017-12-15 | 北京计算机技术及应用研究所 | Automated software validating vulnerability system and method based on vulnerability database |
CN107454081A (en) * | 2017-08-07 | 2017-12-08 | 四川长虹电器股份有限公司 | The method for automatically generating POC scripts |
CN110348210A (en) * | 2018-04-08 | 2019-10-18 | 腾讯科技(深圳)有限公司 | Safety protecting method and device |
CN108718293A (en) * | 2018-04-08 | 2018-10-30 | 安徽展航信息科技发展有限公司 | A kind of information security network security laboratories system |
CN108924159A (en) * | 2018-07-31 | 2018-11-30 | 杭州迪普科技股份有限公司 | The verification method and device in a kind of message characteristic identification library |
CN109325351A (en) * | 2018-08-23 | 2019-02-12 | 中通服咨询设计研究院有限公司 | A kind of security breaches automatic Verification systems based on many survey platforms |
CN110659504A (en) * | 2019-09-23 | 2020-01-07 | 北京智游网安科技有限公司 | Vulnerability attack verification method, vulnerability attack verification system and storage medium |
CN111884989A (en) * | 2020-06-02 | 2020-11-03 | 全球能源互联网研究院有限公司 | Vulnerability detection method and system for power web system |
CN111884989B (en) * | 2020-06-02 | 2023-07-21 | 全球能源互联网研究院有限公司 | Vulnerability detection method and system for electric power web system |
CN113127884A (en) * | 2021-04-28 | 2021-07-16 | 国家信息技术安全研究中心 | Virtualization-based vulnerability parallel verification method and device |
CN113127884B (en) * | 2021-04-28 | 2024-11-15 | 国家信息技术安全研究中心 | Vulnerability parallel verification method and device based on virtualization |
CN114785574A (en) * | 2022-04-07 | 2022-07-22 | 国网浙江省电力有限公司宁波供电公司 | AI-assisted-based remote vulnerability accurate verification method |
CN114785574B (en) * | 2022-04-07 | 2023-09-29 | 国网浙江省电力有限公司宁波供电公司 | AI-assisted remote vulnerability accurate verification method |
CN117896175A (en) * | 2024-03-04 | 2024-04-16 | 北京浩瀚深度信息技术股份有限公司 | Capturing method of malicious sample propagated through loopholes |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20150701 |