
CN118734310A - Vulnerability shielding method, engine, electronic device, storage medium and program product - Google Patents


Info

Publication number: CN118734310A
Authority: CN (China)
Prior art keywords: function, vulnerability, shielding, vulnerable, template
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202310377332.0A
Other languages: Chinese (zh)
Inventors: 蒋仲伯, 史磊, 荣平
Current assignee: Huawei Technologies Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd; priority to CN202310377332.0A; published as CN118734310A; current legal status: pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/54 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by adding security routines or objects to programs
    • G06F8/00 Arrangements for software engineering
    • G06F8/30 Creation or generation of source code
    • G06F8/31 Programming languages or programming paradigms
    • G06F8/315 Object-oriented languages
    • G06F8/36 Software reuse

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Stored Programmes (AREA)

Abstract

The application relates to a vulnerability shielding method, an engine, an electronic device, a storage medium and a program product. The method comprises: receiving a vulnerability shielding plug-in, which comprises information about a vulnerable function and information about a shielding function, the shielding function being used either to detect whether the vulnerable function is under attack or to patch the vulnerable function; generating a template function from the vulnerability shielding plug-in, such that when the shielding function is used to patch the vulnerable function, the template function, when executed, calls the shielding function to patch the vulnerable function; and replacing the attributes of a backup function with the attributes of the vulnerable function and replacing the attributes of the vulnerable function with the attributes of the template function, the backup function being a backup of the vulnerable function. With the vulnerability shielding method of the embodiments of the application, a Python application gains the ability to execute the template function, and so patch the vulnerable function, when execution reaches the vulnerable function, so that vulnerabilities in a running Python application can be dynamically instrumented and shielded.

Description

Vulnerability shielding method, engine, electronic device, storage medium and program product

Technical Field

The present application relates to the field of computer technology, and in particular to a vulnerability shielding method, engine, electronic device, storage medium and program product.

Background Art

A vulnerability is a defect in the concrete implementation of hardware, software or a protocol, or in a system's security policy, that can allow an attacker to access or damage the system without authorization. The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have jointly developed standards covering the collection, investigation, remediation and disclosure of vulnerabilities. Under those standards, the remediation measures in the vulnerability handling process for any application currently refer mainly to officially released patches, remediation documents or configuration updates. The standards also point out, however, that where a vulnerability poses a high risk to an application, temporary interim remedial measures may be required, which is essential for high-risk vulnerabilities.

The period from the disclosure of a vulnerability until its patch formally takes effect can be called the vulnerability exposure period. A vulnerability that remains in its exposure period for a long time gives attackers a large attack window. Existing solutions either require instrumentation points to be preset or implement vulnerability shielding only for C applications; none can dynamically instrument the vulnerabilities of a running Python application in order to shield them.

Summary of the Invention

In view of this, a vulnerability shielding method, engine, electronic device, storage medium and program product are proposed. According to the vulnerability shielding method of the embodiments of the present application, a template function is generated automatically from a vulnerability shielding plug-in; when executed, the template function can call the shielding function to patch the vulnerable function; and the attributes of the vulnerable function are replaced with the attributes of the template function. This gives the Python application the ability to execute the template function, and thereby patch the vulnerable function, when execution reaches the vulnerable function, so that the vulnerabilities of a running Python application can be dynamically instrumented and shielded.

In a first aspect, an embodiment of the present application provides a vulnerability shielding method. The method is applied to a vulnerability shielding engine integrated into a Python application on a client, and comprises: receiving a vulnerability shielding plug-in, the plug-in comprising information about a vulnerable function and information about a shielding function, where the shielding function is used either to detect whether the vulnerable function is under attack or to patch the vulnerable function; generating a template function from the vulnerability shielding plug-in, such that when the shielding function is used to patch the vulnerable function, the template function, when executed, calls the shielding function to patch the vulnerable function; and replacing the attributes of a backup function with the attributes of the vulnerable function and replacing the attributes of the vulnerable function with the attributes of the template function, the backup function being a backup of the vulnerable function.

With the vulnerability shielding method of the embodiments of the present application, receiving the vulnerability shielding plug-in yields the information about the vulnerable function and about the shielding function that the plug-in carries. The template function is generated from the plug-in, so it does not have to be written by hand, which reduces the operational burden on security maintenance staff. Because the vulnerability shielding engine is integrated into the Python application, function attributes can be replaced using the capabilities of the Python language itself: replacing the attributes of the vulnerable function with those of the template function gives the Python application the ability to execute the template function instead whenever execution reaches the vulnerable function, so no instrumentation point has to be preset for each different vulnerable function, and dynamic instrumentation of the vulnerable function is achieved. The shielding function is used either to detect whether the vulnerable function is under attack or to patch it; when it is used to patch the vulnerable function, the template function, when executed, calls the shielding function to do so, so that executing the template function realizes the vulnerability shielding. The shielding function is loaded in a manner similar to a hot patch: the Python application does not have to be restarted each time and the business code does not have to be recompiled, so the business is not interrupted. The backup function is a backup of the vulnerable function; replacing the backup function's attributes with those of the vulnerable function means that when the Python application wants to execute the vulnerable function itself, the same effect can still be obtained by executing the backup function. In summary, the vulnerability shielding method of the embodiments of the present application can dynamically instrument the vulnerabilities of a running Python application to shield them, without restarting the application or interrupting the business, which shortens the vulnerability exposure period and improves the shielding effect.

According to the first aspect, in a first possible implementation of the vulnerability shielding method, when the shielding function is used to detect whether the vulnerable function is under attack, the template function is used to: call the shielding function when executed; output the detected information when it is detected that the vulnerable function is under attack; and call the backup function when it is detected that the vulnerable function is not under attack.

In this way, vulnerability shielding can be implemented in the form of attack detection, making the shielding approach more flexible.

According to the first aspect or its first possible implementation, in a second possible implementation of the vulnerability shielding method, the method further comprises: when the vulnerability shielding plug-in is enabled, executing the template function when the Python application reaches the vulnerable function; and when the vulnerability shielding plug-in is not enabled, executing the backup function when the Python application reaches the vulnerable function.

In this way, the vulnerability shielding engine can shield the vulnerable function in a more targeted manner, making the engine's mode of operation more flexible.

According to the first aspect or any of the possible implementations of the first aspect above, in a third possible implementation of the vulnerability shielding method, the information about the vulnerable function comprises the module, class, function name, parameters, shielding position and shielding method of the vulnerable function, and the information about the shielding function comprises the module, class, function name and parameters of the shielding function; the shielding position is one of the start position, the end position and the exception-handling position of the vulnerable function, and the shielding method is one of whole-function replacement, regular-expression match detection, keyword match detection and script-function detection.

According to the third possible implementation of the first aspect, in a fourth possible implementation of the vulnerability shielding method: when the shielding method of the vulnerable function is whole-function replacement, the shielding function is used to patch the vulnerable function and the shielding position field of the vulnerable function is invalid; when the shielding method is one of regular-expression match detection, keyword match detection and script-function detection, the shielding function is used to detect whether the vulnerable function is under attack and the shielding position field is valid; and when the shielding position field is valid and holds the end position or the exception-handling position of the vulnerable function, the parameter field of the vulnerable function is invalid.

In this way, the amount of information that has to be processed for vulnerability shielding is further reduced.

According to any of the first to fourth possible implementations of the first aspect, in a fifth possible implementation of the vulnerability shielding method, generating the template function from the vulnerability shielding plug-in comprises: selecting a matching template function from a preset template function library according to the shielding position and shielding method of the vulnerable function. The template function comprises an outer function and an inner function: the information about the vulnerable function and the information about the shielding function are the inputs of the outer function, and the return value of the inner function is the return value of the outer function; the parameters of the vulnerable function, the information about the vulnerable function and the information about the shielding function are the inputs of the inner function, and the result of calling the shielding function is the return value of the inner function.

In this way, parameter passing is accomplished.

According to any of the second to fifth possible implementations of the first aspect, in a sixth possible implementation of the vulnerability shielding method, executing the template function when the Python application reaches the vulnerable function while the plug-in is enabled comprises: when the plug-in is enabled and the Python application reaches the vulnerable function, querying whether the vulnerable function is occupied; and when the vulnerable function is not occupied, occupying the vulnerable function and executing the template function.

In this way, thread conflicts in the Python application can be avoided.

According to the first aspect or any of its possible implementations above, in a seventh possible implementation of the vulnerability shielding method, the attributes are stored in the form of a C structure and comprise at least the function code, the global variables used within the function, the closure relationships and the method code.

In this way, the vulnerability shielding method can support the many flexible ways in which the Python language is used.

According to the first aspect or any of its possible implementations above, in an eighth possible implementation of the vulnerability shielding method, the method further comprises: storing the vulnerable function, the shielding function, the backup function and the template function in the memory of the Python application, with address space management performed by the Python application.

Managing the address space of the vulnerable function, shielding function, backup function and template function (objects) uniformly avoids address reallocation by the Python application's automatic memory reclamation, which could otherwise cause address conflicts between the function objects.
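The method of the first aspect above, as an added example that is not the patent's code: a pure-Python sketch of the engine with a constructed plug-in, a template library keyed by shielding method, a backup function, and the in-place attribute swap on the vulnerable function object. All function and field names are assumptions; because `__globals__` and `__closure__` cannot be reassigned from Python, the swap is limited to `__code__`, `__defaults__` and `__kwdefaults__`, which is enough to show why replacing attributes in place (rather than rebinding the module name) also covers callers that already hold a reference to the function.

```python
import functools
import html
import threading
import types

# Constructed application code standing in for a third-party library.
def greeting_html(name, punct="!"):          # detection-mode target
    return "<p>Hello, " + name + punct + "</p>"

def title_html(title):                       # repair-mode target
    return "<h1>" + title + "</h1>"

# A caller holding the function object itself, as "from lib import greeting_html"
# would; rebinding lib.greeting_html would not reach it, an in-place swap does.
saved_ref = greeting_html

def detect_keywords(args, kwargs, info):     # detection shield (constructed)
    text = " ".join(map(str, list(args) + list(kwargs.values()))).lower()
    return any(k in text for k in info["keywords"])

def title_html_fixed(title):                 # repair shield (constructed)
    return "<h1>" + html.escape(title) + "</h1>"

# Template library, one source text per shielding method. The registry entry
# plays the outer function (plug-in info); _template is the inner function.
TEMPLATE_LIBRARY = {
    "replace": '''
def _template(*args, **kwargs):
    entry = _VSHIELD_REGISTRY[{key!r}]
    if not entry["enabled"]:
        return entry["backup"](*args, **kwargs)
    return entry["shield"](*args, **kwargs)
''',
    "keyword": '''
def _template(*args, **kwargs):
    entry = _VSHIELD_REGISTRY[{key!r}]
    if not entry["enabled"]:
        return entry["backup"](*args, **kwargs)
    with entry["lock"]:  # occupy the function; other threads wait
        if entry["shield"](args, kwargs, entry["shield_info"]):
            entry["alerts"].append((args, kwargs))
            raise RuntimeError("vulnerability shield: attack detected")
        return entry["backup"](*args, **kwargs)
''',
}

_VSHIELD_REGISTRY = {}
def install_plugin(plugin):
    """Engine: build the backup, generate the template, swap attributes."""
    vuln_info, shield_info = plugin["vuln"], plugin["shield"]
    key = vuln_info["module"] + "." + vuln_info["func"]
    if key in _VSHIELD_REGISTRY:   # already instrumented: never back up the template
        return key
    vuln_fn = globals()[vuln_info["func"]]   # a full engine imports vuln_info["module"]
    # Backup: a new function object given the vulnerable function's attributes.
    backup = types.FunctionType(vuln_fn.__code__, vuln_fn.__globals__,
                                vuln_fn.__name__, vuln_fn.__defaults__,
                                vuln_fn.__closure__)
    backup.__kwdefaults__ = vuln_fn.__kwdefaults__
    _VSHIELD_REGISTRY[key] = {
        "enabled": True, "backup": backup, "alerts": [], "lock": threading.RLock(),
        "shield": globals()[shield_info["func"]], "shield_info": shield_info}
    # __globals__ is read-only from Python (the patent swaps that field in the
    # C struct), so the registry name is injected into the target's globals.
    vuln_fn.__globals__.setdefault("_VSHIELD_REGISTRY", _VSHIELD_REGISTRY)
    ns = {}
    exec(TEMPLATE_LIBRARY[vuln_info["method"]].format(key=key), ns)
    # Attribute replacement: the same object now runs the template, so every existing
    # reference is covered. A __code__ swap needs equal free-variable counts (no closure).
    vuln_fn.__code__ = ns["_template"].__code__
    vuln_fn.__defaults__ = vuln_fn.__kwdefaults__ = None
    return key

# Constructed plug-ins using the field layout the patent lists.
KEYWORD_PLUGIN = {
    "vuln": {"module": __name__, "func": "greeting_html", "position": "start",
             "method": "keyword"},
    "shield": {"module": __name__, "func": "detect_keywords",
               "keywords": ("<script", "javascript:", "onerror=")}}
REPLACE_PLUGIN = {
    "vuln": {"module": __name__, "func": "title_html", "method": "replace"},
    "shield": {"module": __name__, "func": "title_html_fixed"}}

@functools.lru_cache(maxsize=None)   # one-shot: the installs mutate module state
def demo():
    out = {"same_object": saved_ref is greeting_html}
    k1 = install_plugin(KEYWORD_PLUGIN)
    out["benign"] = greeting_html("Ann")
    out["via_saved_ref"] = saved_ref("Ann", punct="?")
    try:
        greeting_html("<script>")
        out["attack"] = "not detected"
    except RuntimeError:
        out["attack"] = "detected"
    out["alerts"] = len(_VSHIELD_REGISTRY[k1]["alerts"])
    _VSHIELD_REGISTRY[k1]["enabled"] = False     # plug-in disabled: backup runs
    out["disabled"] = greeting_html("<b>")
    install_plugin(REPLACE_PLUGIN)
    out["repaired"] = title_html("<i>")
    return out
```

Calling `demo()` installs both plug-ins and returns what each call produced; note that the reference saved before installation is shielded too, because the function object was patched rather than the name.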

In a second aspect, an embodiment of the present application provides a vulnerability shielding engine integrated into a Python application on a client. The engine comprises: a plug-in receiving module for receiving a vulnerability shielding plug-in, the plug-in comprising information about a vulnerable function and information about a shielding function, where the shielding function is used either to detect whether the vulnerable function is under attack or to patch the vulnerable function; a function generation module for generating a template function from the vulnerability shielding plug-in, such that when the shielding function is used to patch the vulnerable function, the template function, when executed, calls the shielding function to patch the vulnerable function; and an attribute replacement module for replacing the attributes of a backup function with the attributes of the vulnerable function and replacing the attributes of the vulnerable function with the attributes of the template function, the backup function being a backup of the vulnerable function.

According to the second aspect, in a first possible implementation of the vulnerability shielding engine, when the shielding function is used to detect whether the vulnerable function is under attack, the template function is used to: call the shielding function when executed; output the detected information when it is detected that the vulnerable function is under attack; and call the backup function when it is detected that the vulnerable function is not under attack.

According to the second aspect or its first possible implementation, in a second possible implementation of the vulnerability shielding engine, the engine further comprises a shielding module for executing the template function when the Python application reaches the vulnerable function while the vulnerability shielding plug-in is enabled, and executing the backup function when the Python application reaches the vulnerable function while the plug-in is not enabled.

According to the second aspect or any of the possible implementations of the second aspect above, in a third possible implementation of the vulnerability shielding engine, the information about the vulnerable function comprises the module, class, function name, parameters, shielding position and shielding method of the vulnerable function, and the information about the shielding function comprises the module, class, function name and parameters of the shielding function; the shielding position is one of the start position, the end position and the exception-handling position of the vulnerable function, and the shielding method is one of whole-function replacement, regular-expression match detection, keyword match detection and script-function detection.

According to the third possible implementation of the second aspect, in a fourth possible implementation of the vulnerability shielding engine: when the shielding method of the vulnerable function is whole-function replacement, the shielding function is used to patch the vulnerable function and the shielding position field of the vulnerable function is invalid; when the shielding method is one of regular-expression match detection, keyword match detection and script-function detection, the shielding function is used to detect whether the vulnerable function is under attack and the shielding position field is valid; and when the shielding position field is valid and holds the end position or the exception-handling position of the vulnerable function, the parameter field of the vulnerable function is invalid.

According to any of the first to fourth possible implementations of the second aspect, in a fifth possible implementation of the vulnerability shielding engine, generating the template function from the vulnerability shielding plug-in comprises: selecting a matching template function from a preset template function library according to the shielding position and shielding method of the vulnerable function. The template function comprises an outer function and an inner function: the information about the vulnerable function and the information about the shielding function are the inputs of the outer function, and the return value of the inner function is the return value of the outer function; the parameters of the vulnerable function, the information about the vulnerable function and the information about the shielding function are the inputs of the inner function, and the result of calling the shielding function is the return value of the inner function.

According to any of the second to fifth possible implementations of the second aspect, in a sixth possible implementation of the vulnerability shielding engine, executing the template function when the Python application reaches the vulnerable function while the plug-in is enabled comprises: when the plug-in is enabled and the Python application reaches the vulnerable function, querying whether the vulnerable function is occupied; and when the vulnerable function is not occupied, occupying the vulnerable function and executing the template function.

According to the second aspect or any of its possible implementations above, in a seventh possible implementation of the vulnerability shielding engine, the attributes are stored in the form of a C structure and comprise at least the function code, the global variables used within the function, the closure relationships and the method code.

According to the second aspect or any of its possible implementations above, in an eighth possible implementation of the vulnerability shielding engine, the engine further comprises an address management module for storing the vulnerable function, the shielding function, the backup function and the template function in the memory of the Python application, with address space management performed by the Python application.

In a third aspect, an embodiment of the present application provides an electronic device comprising a processor and a memory for storing processor-executable instructions, wherein the processor is configured, when executing the instructions, to implement the vulnerability shielding method of the first aspect or of one or more of its possible implementations.

In a fourth aspect, an embodiment of the present application provides a non-volatile computer-readable storage medium storing computer program instructions which, when executed by a processor, implement the vulnerability shielding method of the first aspect or of one or more of its possible implementations.

In a fifth aspect, an embodiment of the present application provides a computer program product comprising computer-readable code, or a non-volatile computer-readable storage medium carrying computer-readable code, such that when the computer-readable code runs in an electronic device, the processor of the electronic device executes the vulnerability shielding method of the first aspect or of one or more of its possible implementations.

These and other aspects of the present application will become clearer from the following description of the embodiment(s).

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated in and constitute part of the specification, illustrate exemplary embodiments, features and aspects of the present application and, together with the description, serve to explain its principles.

FIG. 1 shows an exemplary application scenario of a vulnerability shielding method according to an embodiment of the present application.

FIG. 2 is a schematic diagram of the relationships between the functional modules in a Python application according to an embodiment of the present application.

FIG. 3 is a schematic flow diagram of a vulnerability shielding method according to an embodiment of the present application.

FIG. 4 shows an example of a vulnerability shielding plug-in according to an embodiment of the present application.

FIG. 5 is a schematic diagram of the replacement of function attributes according to an embodiment of the present application.

FIG. 6a is a schematic diagram of a template function library according to an embodiment of the present application.

FIG. 6b is a schematic diagram of the form of a template function according to an embodiment of the present application.

FIG. 7 is a schematic diagram of executing the template function when a Python application reaches the vulnerable function according to an embodiment of the present application.

FIG. 8 is an exemplary structural diagram of a vulnerability shielding engine according to an embodiment of the present application.

FIG. 9 is an exemplary structural diagram of an electronic device according to an embodiment of the present application.

DETAILED DESCRIPTION

Various exemplary embodiments, features and aspects of the present application are described in detail below with reference to the accompanying drawings. The same reference numerals in the drawings denote elements with the same or similar functions. Although various aspects of the embodiments are shown in the drawings, the drawings are not necessarily to scale unless otherwise indicated.

The word "exemplary" is used herein to mean "serving as an example, embodiment or illustration". Any embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.

In addition, numerous specific details are given in the detailed description below to better explain the present application. Those skilled in the art will understand that the present application can also be practised without some of these specific details. In some instances, methods, means, elements and circuits well known to those skilled in the art are not described in detail, so as to highlight the subject matter of the present application.

The following terms may appear in this document.

Zero-day vulnerability (zero-day): also called a zero-day attack, this refers to a security vulnerability that is maliciously exploited as soon as it is discovered. In plain terms, the related malicious program appears on the same day that the security patch and the vulnerability are disclosed. Such attacks are often highly sudden and destructive.

Vulnerability exposure period: the period from the discovery of a zero-day vulnerability until the official patch for the vulnerability takes effect is called the vulnerability exposure period.

Exception handling statement (try-except): available in the Python language; it defines a section of code to be monitored for exceptions and provides a mechanism for handling them. It consists of a try block and an except block (try_suite and except_suite), and may also carry an optional error reason. The try clause is executed first; if no error occurs, all except clauses are skipped and execution continues. If an exception occurs, the interpreter searches the chain of handlers (except clauses) for a matching exception.

Instrumentation: inserting probes into a program while preserving the integrity of its original logic. The probes collect information from the code (the method itself, method parameter values, return values and so on), thereby gathering the dynamic context of the program at run time.

Runtime application self-protection (RASP): a security technology that improves the security of software by monitoring its inputs and blocking those that could enable an attack, while also protecting the runtime environment from unwanted changes and tampering.

In the industry's current vulnerability handling process, the main measure for dealing with vulnerabilities is still to fix them; there is no systematic, process-based mitigation scheme for high-risk vulnerabilities that would reduce the impact of attacks on the system. The main problems are as follows:

Versions under development are not fully fixed: vulnerability awareness is incomplete, the distribution chain is inefficient, self-checking is inefficient and the interception rate is low, so some versions ship with known vulnerabilities.

Shipped versions lack pipeline planning: there are no lifecycle rules for vulnerability patching, shipped versions lack pipeline planning, and a large number of vulnerabilities are only patched in the next version.

Large numbers of vulnerabilities remain in production networks: most customers have no explicit awareness of the vulnerabilities, and vulnerabilities left in the production network create security risks.

These problems in the process leave a large number of applications in a fragile state, highly susceptible to external attack, during the vulnerability exposure period between disclosure of a zero-day vulnerability and the official patch taking effect. Under the current vulnerability handling process the exposure period is usually more than a month, which gives attackers a very large attack window. Shielding vulnerabilities during the exposure period, so as to reduce the impact on applications of attacks during that period, is therefore urgent.

Two existing technical solutions for shielding vulnerabilities during the exposure period are introduced below.

Prior art 1 proposes a vulnerability shielding scheme based on runtime application self-protection (RASP) technology. RASP runs inside the application at run time and, by analysing specific behaviours such as the data passed to designated application programming interfaces (APIs), potential structured query language (SQL) queries and command prompt (cmd) invocations, blocks network programs and API calls that carry out automated, high-risk attacks on vulnerabilities.

The drawback of prior art 1 is that RASP cannot shield vulnerabilities by dynamic instrumentation: instrumentation points for API method calls such as command execution, file access and network access must be embedded in advance, each with its own detection logic and handling method. This makes the scheme very hard for programmers to write.

Prior art 2 proposes a scheme that generates temporary patches automatically, to cope with attacks during the vulnerability exposure period.

The scheme is divided into the following modules:

1. Data collection and target identification module.

This module is further divided into two sub-modules, unknown vulnerability discovery and future threat prediction. Unknown vulnerability discovery finds vulnerabilities mainly through vulnerability mining. The future threat prediction sub-module is mainly used to identify future attack targets, for example by predicting security events with deep learning, with relatively high prediction accuracy.

2. Real-time patch module.

The real-time patch performs two functions: selective hardening and isolation. Once a vulnerability is discovered, the real-time patch module must respond immediately and provide an automated patch implemented through instrumentation/hardening techniques (the selective hardening function). Selective hardening mainly uses binary instrumentation and similar techniques to implant patch code at the vulnerable location in the binary; the patch code performs anomaly detection on the vulnerable code. If the vulnerability has already been attacked by the time it is discovered and the host on which it resides has been compromised, the real-time patch module must immediately isolate that host from the other hosts on the network (the isolation function). Isolation is itself divided into host detection, which identifies compromised hosts, and host isolation, which separates a compromised host from the other hosts by network isolation.

3. Forensic preparation module.

The forensic preparation module mainly implants forensic code at a number of key locations for subsequent forensic analysis.

By generating a temporary patch, the scheme of prior art 2 can eliminate the impact of a vulnerability for a short time, until the official patch is installed. Its drawbacks are, first, that it requires the application source code and requires the application to be recompiled and restarted, so it cannot shield a vulnerability while the application is running; and second, that it is a vulnerability shielding scheme for C applications and lacks support for Python applications.

In summary, the existing schemes either cannot instrument vulnerabilities dynamically, or are vulnerability shielding schemes for C applications that lack support for Python applications and cannot shield vulnerabilities while the application is running. How to dynamically instrument the vulnerabilities of a running Python application in order to shield them has therefore become a research focus in this field.

In view of this, a vulnerability shielding method, engine, electronic device, storage medium and program product are proposed. In the vulnerability shielding method of the embodiments of the present application, a template function is generated automatically from a vulnerability shielding plug-in; when executed, the template function can call the shielding function to patch the vulnerable function. The attributes of the vulnerable function are replaced with those of the template function, so that when the Python application reaches the vulnerable function it executes the template function, which patches the vulnerable function. The vulnerabilities of a running Python application can thus be dynamically instrumented and shielded.

FIG. 1 shows an exemplary application scenario of a vulnerability shielding method according to an embodiment of the present application.

As shown in FIG. 1, the vulnerability shielding method of the embodiments of the present application can be applied to a vulnerability shielding engine. The engine can be provided as a software development kit (SDK) for Python applications, or as a unit module of a system service, and is integrated into the Python application to shield it against vulnerability attacks. The Python application may reside on a client host, in a virtual machine (VM) or in a container (docker).

The client can be used by a user. For example, the client of the present application may be a smartphone, netbook, tablet, laptop, wearable electronic device (such as a smart band or smart watch), TV, virtual reality device, speaker, e-ink device and so on. The present application does not limit the specific type of client.

The application scenario may also include a server side corresponding to the client, for example a server. The server side may be used by application security maintenance personnel. Once a vulnerability has been disclosed, the security maintenance personnel analyse it and write a script (containing the information about the shielding function) and a configuration file (containing the information about the vulnerable function), which are packaged as a compressed archive into a vulnerability shielding plug-in. The vulnerable function may be a function in the business code of the Python application in which a vulnerability occurs; the shielding function may be used to detect whether the vulnerable function is being attacked, or to patch the vulnerable function. Examples of the information about the vulnerable function and about the shielding function are given further below.

Before the Python application starts, the vulnerability shielding engine can be written into the Python environment variables or imported into the Python application, so that the engine starts together with the application. The server side can also deliver the engine's configuration management information (for example processor and memory settings) to the Python application on the client. Then, when the user starts the Python application, the vulnerability shielding engine starts at the same time, and the Python application can initialise the engine from the configuration management information so that it works normally.

After the Python application has started, a vulnerability may be disclosed. The server side can deliver the corresponding vulnerability shielding plug-in. On receiving the plug-in, the client can verify its security; the verification can be implemented with existing techniques and is not described further here. Once verification passes, the vulnerability shielding engine executes the vulnerability shielding method: it generates a template function with vulnerability shielding capability and completes the attribute replacement for the template function, so that when the Python application reaches the vulnerable function it executes the template function, which patches the vulnerable function.

The client can report the loading information of the vulnerability shielding plug-in back to the server side; this loading information can indicate whether the template function was generated. The server side can then choose whether to enable the client's vulnerability shielding plug-in; the effects of the different choices are described further below. When the client's plug-in is enabled and the client detects that the vulnerability is being attacked, it can report the detected information (such as the attack location and attack method) to the server side.

Because the server side in the application scenario of FIG. 1 can provide a cloud service, this scenario adapts better to distributed deployments with many clients.

FIG. 2 is a schematic diagram of the relationships between the functional modules in a Python application according to an embodiment of the present application.

As shown in FIG. 2, on the client the vulnerability shielding engine serves as a software development kit provided to the Python application for vulnerability shielding. The client also has another software development kit that serves the vulnerability shielding plug-in. The Python application resides in the client's language virtual machine; it contains business components and several open-source components (API1 and so on), and has the vulnerability shielding engine integrated into it.

The language virtual machine can also contain several functional modules: a configuration management module, an alarm processing module, a plug-in management module, a shielding policy module, an instrumentation module and a shielding module. The configuration management module can initialise the vulnerability shielding engine from the configuration management information delivered by the server side; the alarm processing module can report information about attacks on the vulnerability to the server side; the plug-in management module can be responsible for enabling the vulnerability shielding plug-in; and the shielding policy module can be responsible for recording the information carried by the plug-in. The instrumentation module performs the template function generation and attribute replacement parts of the vulnerability shielding method of the embodiments, instrumenting the open-source components of the Python application that are affected by the vulnerability; the shielding module can execute the template function to shield the vulnerability. The alarm processing module, the instrumentation module and the shielding module can be placed in the vulnerability shielding engine. The remaining modules can be implemented by other engines in the language virtual machine; the present application does not limit this.

Those skilled in the art will understand that the functional modules described above are logical rather than physical modules; several modules may be combined, or further decomposed into finer-grained modules, and the present application does not limit this.

Another exemplary application scenario of the vulnerability shielding method differs from that of FIG. 1 in that there may be no server side; in that case the client may also be used by the security maintenance personnel. Once a vulnerability has been disclosed, the security maintenance personnel can use the client's system to analyse the vulnerability and write the script and configuration file, which are packaged as a compressed archive into a vulnerability shielding plug-in. The plug-in can be stored in the client's system memory.

The configuration management information of the vulnerability shielding engine can be output from system memory and received by the engine inside the Python application. After the Python application has started, a vulnerability may be disclosed. The client's system can output the corresponding vulnerability shielding plug-in to the engine inside the Python application. Since the plug-in is now a local one and has a certain level of security, the engine need not be configured to verify it. The vulnerability shielding engine executes the vulnerability shielding method and can dynamically instrument the vulnerabilities of the running Python application to shield them.

Those skilled in the art will understand that, besides the system, the security maintenance personnel can also operate other operable objects on the client, such as other applications, to perform the functions carried out by the server side in the scenario of FIG. 1, such as outputting the configuration management information, outputting the vulnerability shielding plug-in and receiving information about attacks on the vulnerability; the embodiments of the present application do not limit this.

Because there is no server side, the configuration management information, the vulnerability shielding plug-in and the information about attacks on the vulnerability need not be transmitted over the network in this scenario, so the vulnerability shielding engine is simpler to deploy.

The vulnerability shielding method of the embodiments of the present application can be used not only to shield vulnerabilities in Python applications but also in many other scenarios, such as shielding vulnerabilities in Python-based network services and resident application processes on Windows and Linux platforms, providing vulnerability detection, alarming, interception and patching capabilities.

FIG. 3 is a schematic flow diagram of a vulnerability shielding method according to an embodiment of the present application.

As shown in FIG. 3, in one possible implementation the present application provides a vulnerability shielding method applied to a vulnerability shielding engine integrated into a Python application on a client. The method comprises steps S31 to S33:

Step S31: receive a vulnerability shielding plug-in, the plug-in comprising information about a vulnerable function and information about a shielding function, the shielding function being used to detect whether the vulnerable function is being attacked or to patch the vulnerable function;

Step S32: generate a template function from the vulnerability shielding plug-in; when the shielding function is used to patch the vulnerable function, the template function, when executed, calls the shielding function to patch the vulnerable function;

Step S33: replace the attributes of a backup function with the attributes of the vulnerable function, and replace the attributes of the vulnerable function with the attributes of the template function, the backup function being a backup of the vulnerable function.

For example, the vulnerability shielding method of the embodiments can be executed during the vulnerability exposure period of the Python application. First, in step S31, the vulnerability shielding engine receives the vulnerability shielding plug-in. The origin of the plug-in and the way it is produced have been described above and are not repeated here.
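The following Python sketch is an added illustration of steps S31 to S33 on a constructed vulnerable function; it is not code from the patent or from the applicant. The names ShieldPlugin, make_backup, make_template, apply_shield, resolve_upload and safe_resolve_upload are assumptions, the plug-in is modelled as a small dataclass rather than the compressed archive described above, and only the whole-function replacement method of step S32 is modelled. The attribute replacement is done on the function object's own attributes (__code__, __defaults__, __kwdefaults__), which is what makes every existing reference to the vulnerable function pick up the template:

```python
# Added example, not the patent's engine: steps S31-S33 carried out on a function
# object in Python. ShieldPlugin, make_backup, make_template, apply_shield and the
# sample functions resolve_upload / safe_resolve_upload are assumptions.
import importlib
import posixpath
import types
from dataclasses import dataclass
from typing import Any, Callable, Dict, Optional


def resolve_upload(base_dir: str, user_path: str) -> str:
    """Constructed vulnerable function: joins a user-supplied relative path onto a
    base directory without checking that the result stays inside base_dir."""
    return posixpath.normpath(posixpath.join(base_dir, user_path))


def safe_resolve_upload(base_dir: str, user_path: str) -> str:
    """Constructed shielding function for whole-function replacement: same signature,
    but refuses any result that escapes base_dir."""
    base = posixpath.normpath(base_dir)
    full = posixpath.normpath(posixpath.join(base, user_path))
    if posixpath.commonpath([base, full]) != base:
        raise PermissionError("path escapes the upload directory")
    return full


@dataclass
class ShieldPlugin:
    """Stand-in for the plug-in (step S31): the policy part names the vulnerable
    function, the script part supplies the shielding function."""
    module: str
    func_name: str
    shield_method: str            # only "replace" (whole-function replacement) here
    shield: Callable[..., Any]


def make_backup(vulnerable: types.FunctionType) -> types.FunctionType:
    """Backup function: a new function object given the vulnerable function's code,
    globals, defaults and closure, so the original behaviour remains callable."""
    backup = types.FunctionType(vulnerable.__code__, vulnerable.__globals__,
                                vulnerable.__name__ + "_backup",
                                vulnerable.__defaults__, vulnerable.__closure__)
    backup.__kwdefaults__ = vulnerable.__kwdefaults__
    return backup


def make_template(plugin: ShieldPlugin) -> types.FunctionType:
    """Step S32: generate the template (hook) function. The backup and the shield are
    handed over as keyword-only defaults rather than captured as closure variables,
    because __code__ may only be assigned between functions with the same number of
    free variables, and a module-level vulnerable function has none."""
    if plugin.shield_method != "replace":
        raise ValueError("this example models only whole-function replacement")

    def template(*args, _backup=None, _shield=None, **kwargs):
        # Whole-function replacement: the shielding function supersedes the
        # vulnerable body; _backup stays reachable for restoring or auditing.
        return _shield(*args, **kwargs)

    return template


def apply_shield(plugin: ShieldPlugin,
                 namespace: Optional[Dict[str, Any]] = None) -> types.FunctionType:
    """Step S33: copy the vulnerable function's attributes into the backup, then give
    the vulnerable function object the template's attributes. Because the function
    object itself is rewritten, references taken before this call (aliases, names
    imported into other modules) run the template too. `namespace` lets the demo
    resolve the function in its own module; the engine would resolve it from the
    module/class named in the policy, modelled here by importlib."""
    if namespace is None:
        namespace = vars(importlib.import_module(plugin.module))
    vulnerable = namespace[plugin.func_name]
    backup = make_backup(vulnerable)
    template = make_template(plugin)
    vulnerable.__code__ = template.__code__
    vulnerable.__defaults__ = template.__defaults__
    vulnerable.__kwdefaults__ = {"_backup": backup, "_shield": plugin.shield}
    return backup


# A reference taken before shielding, as another module holding the function would.
alias_taken_before_patch = resolve_upload

BACKUP = apply_shield(ShieldPlugin(module=__name__, func_name="resolve_upload",
                                   shield_method="replace", shield=safe_resolve_upload),
                      namespace=globals())


def is_blocked(base_dir: str, user_path: str) -> bool:
    """True when the now-shielded resolve_upload refuses the path."""
    try:
        resolve_upload(base_dir, user_path)
    except PermissionError:
        return True
    return False
```

Rewriting the function object's attributes, rather than rebinding the module attribute with setattr, is what keeps alias_taken_before_patch and resolve_upload the same object after shielding; restoring the original is the reverse assignment from BACKUP's attributes, and the kwonly-default trick avoids the ValueError that CPython raises when assigning __code__ between functions with different numbers of free variables.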

图4示出根据本申请实施例的漏洞屏蔽插件的一个示例。FIG. 4 shows an example of a vulnerability shielding plug-in according to an embodiment of the present application.

如图4所示,漏洞屏蔽插件可包括配置文件(policy)以及脚本(script),其中配置文件记载漏洞函数的相关信息,脚本记载屏蔽函数的相关信息。漏洞函数的相关信息包括漏洞函数的模块、类、函数名、参数、屏蔽位置、屏蔽方式;屏蔽函数的相关信息包括屏蔽函数的模块、类、函数名、参数;其中,屏蔽位置包括漏洞函数的开始位置、结束位置和异常处理位置之一,屏蔽方式包括函数整体替换方式、正则匹配检测方式、关键词匹配检测方式、脚本函数检测方式之一。As shown in Figure 4, the vulnerability shielding plug-in may include a configuration file (policy) and a script (script), wherein the configuration file records the relevant information of the vulnerability function, and the script records the relevant information of the shielding function. The relevant information of the vulnerability function includes the module, class, function name, parameters, shielding position, and shielding method of the vulnerability function; the relevant information of the shielding function includes the module, class, function name, and parameters of the shielding function; wherein the shielding position includes one of the starting position, the ending position, and the exception handling position of the vulnerability function, and the shielding method includes one of the function overall replacement method, the regular matching detection method, the keyword matching detection method, and the script function detection method.

模块、类、函数名、参数均是Python语言的常见探针,在此不再对其多做介绍。屏蔽位置和屏蔽方式决定屏蔽策略,屏蔽位置可以是能够检测到漏洞函数是否被攻击的位置,比如攻击常以参数的形式出现,参数进入漏洞函数的位置即开始位置;带有攻击的参数如果已经进入漏洞函数,则漏洞函数的返回值必然会出现异常,漏洞函数的返回值的位置即结束位置;Python应用程序可使用异常处理语句(try-except),异常处理语句的位置即异常处理位置。由于上述位置都可以检测到漏洞函数是否被攻击,因此,漏洞函数的相关信息中,屏蔽位置包括其中之一即可。Modules, classes, function names, and parameters are all common probes of the Python language, and we will not introduce them in detail here. The shielding position and shielding method determine the shielding strategy. The shielding position can be a position that can detect whether the vulnerable function has been attacked. For example, attacks often appear in the form of parameters, and the position where the parameters enter the vulnerable function is the starting position; if the parameters with attacks have entered the vulnerable function, the return value of the vulnerable function will inevitably be abnormal, and the position of the return value of the vulnerable function is the end position; Python applications can use exception handling statements (try-except), and the position of the exception handling statement is the exception handling position. Since the above positions can detect whether the vulnerable function has been attacked, the shielding position can include one of them in the relevant information of the vulnerable function.

屏蔽方式大致分为两种思路,一种是修补漏洞函数的思路,该思路下的屏蔽方式可以包括函数整体替换方式,即屏蔽函数是无漏洞的函数,使用屏蔽函数直接替换有漏洞的漏洞函数,即使受到攻击,但因屏蔽函数没有漏洞,因此也不会对应用程序的安全性造成影响。There are roughly two shielding methods. One is to patch the vulnerable function. The shielding method under this method can include replacing the entire function, that is, the shielding function is a function without vulnerabilities. The shielding function is used to directly replace the vulnerable function with vulnerabilities. Even if it is attacked, it will not affect the security of the application because the shielding function has no vulnerabilities.

另一种是检测到漏洞函数是否被攻击的思路,该思路下的屏蔽方式可以包括正则匹配检测方式、关键词匹配检测方式、脚本函数检测方式。其中正则匹配检测方式可以指定需要匹配的正则表达式(本申请实施例中可以是屏蔽位置的代码)、待处理的字符串(本申请实施例中可以是漏洞函数代码)、指定匹配模式(多行匹配等现有技术已有的匹配模式均可),即可从漏洞函数中定位到对应的屏蔽位置处的字符串,通过与预期值进行比对即可确定是否被攻击。关键词匹配检测方式可以提供关键词(本申请实施例中可以是屏蔽位置处的代码)以及被检测的对象(本申请实施例中可以是漏洞函数代码),即可从漏洞函数中定位到对应的屏蔽位置处的字符串,通过与预期值进行比对即可确定是否被攻击。脚本函数检测方式可以是提供要检测的地址(本申请实施例中可以是屏蔽位置的地址),使用该地址从漏洞函数中定位到对应的屏蔽位置处的字符串,通过与预期值进行比对即可确定是否被攻击。Another is to detect whether the vulnerability function is attacked. The shielding method under this idea may include a regular matching detection method, a keyword matching detection method, and a script function detection method. Among them, the regular matching detection method can specify the regular expression to be matched (in the embodiment of the present application, it can be the code of the shielding position), the string to be processed (in the embodiment of the present application, it can be the vulnerability function code), and the specified matching mode (multi-line matching and other existing matching modes in the prior art can be used), that is, the string at the corresponding shielding position can be located from the vulnerability function, and it can be determined whether it is attacked by comparing it with the expected value. The keyword matching detection method can provide keywords (in the embodiment of the present application, it can be the code at the shielding position) and the object to be detected (in the embodiment of the present application, it can be the vulnerability function code), that is, the string at the corresponding shielding position can be located from the vulnerability function, and it can be determined whether it is attacked by comparing it with the expected value. 
The script function detection method can be to provide the address to be detected (in the embodiment of the present application, it can be the address of the shielding position), and use the address to locate the string at the corresponding shielding position from the vulnerability function, and it can be determined whether it is attacked by comparing it with the expected value.

Those skilled in the art should understand that the shielding positions and shielding methods listed above are only examples. Any position at which it can be detected whether the vulnerable function has been attacked can serve as a shielding position, and any indication of the vulnerability shielding strategy can serve as the shielding method; the embodiments of the present application do not limit the specific content of either.

Because the information contained in the vulnerability shielding plug-in of the embodiments is usually the same across different versions of an open-source component, there is no need to write a separate shielding function and determine a separate shielding strategy for each version, which greatly reduces the effort of writing the plug-in.

Based on the vulnerability shielding plug-in, the vulnerability shielding engine can create a hash queue in memory that stores all of the plug-in's information as a single string. The engine can also create a priority queue in which each vulnerable function involved is an object storing that function's shielding position, shielding method and so on. If a vulnerable function has several shielding positions, each position and its corresponding shielding method can be stored in the priority queue in order of the position's priority.

In step S32, a template function is generated from the vulnerability shielding plug-in. The vulnerability shielding engine can perform this step automatically, so the template function is generated without being written by hand, which reduces the operational burden on security maintenance staff. The template function can be, for example, a hook function that associates the vulnerable function with the template function; the form of this association can differ according to the purpose of the shielding function. For example, when the shielding function is used to patch the vulnerable function, the template function, when executed, calls the shielding function to patch the vulnerable function. Other forms of association between the vulnerable function and the template function are described below.

Since everything in Python is an object, functions are objects too, and their attributes can be modified and replaced. Therefore, when the vulnerability shielding engine is integrated into a Python application, in step S33 it can replace the attributes of functions. FIG. 5 is a schematic diagram of replacing function attributes according to an embodiment of the present application.

As shown in FIG. 5, the attributes of the backup function are replaced with those of the vulnerable function, and the attributes of the vulnerable function are replaced with those of the template function; the backup function is a backup of the vulnerable function. The attribute replacement of the backup function can be completed first and that of the vulnerable function afterwards. Once the vulnerable function's attributes have been replaced with those of the template function, the Python application, on reaching the vulnerable function, executes the template function instead; that is, the arguments originally passed to the vulnerable function are passed into the template function. When the shielding function is used to patch the vulnerable function, the template function performs its role by calling the shielding function to patch the vulnerable function, which provides the vulnerability shielding capability. Whether this capability is active can be determined by whether the vulnerability shielding plug-in is enabled. For an example, see the related description below.

Because the vulnerable function's attributes have been replaced with those of the template function, the vulnerable function itself can no longer be executed, even when the shielding capability is not enabled. To address this, the backup function's attributes are replaced with those of the vulnerable function so that the backup function becomes a backup of the vulnerable function: when the vulnerable function is to be executed without jumping to the template function (that is, the vulnerable function itself is to run), the backup function is executed directly, and executing the backup function has the same effect as executing the vulnerable function itself. For an example, see the related description below.

According to the vulnerability shielding method of the embodiments of the present application, receiving the vulnerability shielding plug-in provides the information about the vulnerable function and about the shielding function that the plug-in contains; the template function is generated from the plug-in, so it does not need to be written by hand, which reduces the operational burden on security maintenance staff; and because the vulnerability shielding engine is integrated into the Python application, function attributes can be replaced using the capabilities of the Python language. Replacing the vulnerable function's attributes with those of the template function gives the Python application the ability to execute the template function when it reaches the vulnerable function, so no instrumentation point needs to be preset for each vulnerable function, and dynamic instrumentation of the vulnerable function is achieved. The shielding function is used either to detect whether the vulnerable function has been attacked or to patch the vulnerable function. When it is used to patch, the template function calls the shielding function when executed, so executing the template function realizes the shielding; the shielding function is loaded in a manner similar to a hot patch, so the Python application does not need to be restarted each time, the business code does not need to be recompiled, and the business is not interrupted. The backup function is a backup of the vulnerable function; replacing its attributes with those of the vulnerable function lets the Python application obtain the same effect as executing the vulnerable function itself by executing the backup function. In summary, the vulnerability shielding method of the embodiments can dynamically instrument vulnerabilities in a running Python application in order to shield them. The application is not restarted and the business is not interrupted, which shortens the vulnerability exposure period and improves the shielding effect.

Furthermore, in one example, for vulnerabilities in open-source components of Python applications that were scored 7 or above by the Common Vulnerability Scoring System (CVSS) between 2019 and September 2021, the vulnerability shielding engine can shield the 10 most frequently occurring attack types: cross-site scripting (XSS), Structured Query Language (SQL) injection, missing input validation, operating system (OS) command injection, directory traversal, dangerous file upload, deserialization, command injection, server-side request forgery (SSRF) and code injection.

In one example, performance testing showed that the performance overhead of the client after loading the vulnerability shielding plug-in increased only slightly compared with before loading it, with the client's central processing unit (CPU) usage increasing by less than 2%.

In a possible implementation, when the shielding function is used to detect whether the vulnerable function has been attacked, the template function is used to:

call the shielding function when executed, output the detected information when it is detected that the vulnerable function has been attacked, and call the backup function when it is detected that the vulnerable function has not been attacked.

For example, besides patching the vulnerable function as described above, another use of the shielding function is to detect whether the vulnerable function has been attacked. In that case the association between the vulnerable function and the template function can be that the template function, when executed, calls the shielding function and outputs the detected information when an attack on the vulnerable function is detected. A detected attack means that executing the vulnerable function is unsafe; the Python application may then suspend execution of the business code or proceed to the next function in the business code. Which of these is chosen can be configured in advance, and the present application does not limit it.

When it is detected that the vulnerable function has not been attacked, executing it is safe, but its attributes have already been replaced and it can no longer be called; to obtain the same effect, the backup function is called instead. That is, when the shielding function is used to detect whether the vulnerable function has been attacked, the template function is also used to call the backup function when no attack is detected.

In this way, vulnerability shielding can be implemented in the form of attack detection, making the shielding method more flexible.

In a possible implementation, the method further includes:

when the vulnerability shielding plug-in is enabled, executing the template function when the Python application reaches the vulnerable function;

when the vulnerability shielding plug-in is not enabled, executing the backup function when the Python application reaches the vulnerable function.

For example, shielding one or more vulnerable functions by means of the vulnerability shielding plug-in is mainly carried out during the vulnerability exposure period of those functions; once that period ends, the functions no longer need to be shielded by the plug-in. Alternatively, there may be situations in which the vulnerable function is to be executed without jumping to the template function (that is, the vulnerable function itself is to run).

For this purpose, whether the vulnerability shielding plug-in is enabled can indicate whether the vulnerable function is shielded by that plug-in. For example, when the plug-in is enabled and the Python application reaches the vulnerable function, the template function is executed to shield the vulnerability; when the plug-in is not enabled and the application reaches the vulnerable function, the backup function is executed directly. As a backup of the vulnerable function, the backup function has the same attributes as the vulnerable function, so the result of execution is unchanged.

In this way, the vulnerability shielding engine can shield vulnerable functions in a more targeted manner, making its operation more flexible.
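The attribute replacement of FIG. 5, the two template forms (patch mode, and detect mode that falls back to the backup function) and the enable flag can be exercised together in plain CPython. The following is an added example and not the patent's code: the functions, names and the "markup without escaping" sample vulnerability are constructed for illustration. It uses the Python 3 attribute names `__code__`, `__globals__`, `__closure__` and `__defaults__` (the attributes the patent later lists as func_code, func_globals and func_closure), creates the backup as a fresh function object carrying the vulnerable function's attributes, and then gives the vulnerable function object the template's code so that every existing reference to it now runs the template.

```python
import html
import types

# --- constructed sample application code (not from the patent) ---
def render_greeting(name, greeting="Hello"):
    # plays the role of the "vulnerable function": untrusted value is not escaped
    return "<p>" + greeting + ", " + name + "</p>"

# "shielding function", patch mode: the corrected implementation
def shield_patch(name, greeting="Hello"):
    return "<p>" + greeting + ", " + html.escape(name) + "</p>"

# "shielding function", detect mode: returns detected information or None
def shield_detect(name, greeting="Hello"):
    if "<" in name or ">" in name:
        return {"attacked": True, "function": "render_greeting", "argument": name}
    return None

PLUGIN_ENABLED = True   # whether the vulnerability shielding plug-in is enabled
BACKUP = {}             # backup function, keyed by vulnerable function name

# template function, patch mode: runs in place of the vulnerable function and
# calls the shielding function; when the plug-in is disabled, the backup runs
def template_patch(name, greeting="Hello"):
    if not PLUGIN_ENABLED:
        return BACKUP["render_greeting"](name, greeting)
    return shield_patch(name, greeting)

# template function, detect mode: call the detector, output its information on
# an attack, otherwise call the backup function (the original behaviour)
def template_detect(name, greeting="Hello"):
    if not PLUGIN_ENABLED:
        return BACKUP["render_greeting"](name, greeting)
    found = shield_detect(name, greeting)
    if found is not None:
        return found
    return BACKUP["render_greeting"](name, greeting)

def make_backup(func):
    """Backup function: a new function object given the vulnerable function's attributes."""
    backup = types.FunctionType(func.__code__, func.__globals__, func.__name__,
                                func.__defaults__, func.__closure__)
    backup.__kwdefaults__ = func.__kwdefaults__
    return backup

def install(vulnerable, template):
    """Step 1: backup <- vulnerable's attributes. Step 2: vulnerable <- template's attributes."""
    BACKUP[vulnerable.__name__] = make_backup(vulnerable)
    # CPython accepts the new code object only if it has the same number of
    # free variables as the old one, so the template must not be a closure.
    vulnerable.__code__ = template.__code__
    vulnerable.__defaults__ = template.__defaults__
    vulnerable.__kwdefaults__ = template.__kwdefaults__

def uninstall(vulnerable):
    """Restore the vulnerable function from its backup (end of the exposure period)."""
    backup = BACKUP.pop(vulnerable.__name__)
    vulnerable.__code__ = backup.__code__
    vulnerable.__defaults__ = backup.__defaults__
    vulnerable.__kwdefaults__ = backup.__kwdefaults__

def demo(mode, enabled, value="<b>x</b>"):
    """Hook render_greeting in the given mode, call it once, then restore it."""
    global PLUGIN_ENABLED
    PLUGIN_ENABLED = enabled
    install(render_greeting, template_patch if mode == "patch" else template_detect)
    try:
        return render_greeting(value)   # same call site, now runs the template
    finally:
        uninstall(render_greeting)
        PLUGIN_ENABLED = True

if __name__ == "__main__":
    for mode in ("patch", "detect"):
        for enabled in (True, False):
            print(mode, enabled, demo(mode, enabled))
```

The template's code runs with the vulnerable function's `__globals__`, so the names it refers to (the shielding function, the backup table, the enable flag) must resolve in the vulnerable function's module; the example keeps everything in one module for that reason.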

In a possible implementation, when the shielding method of the vulnerable function is the whole-function replacement method, the shielding function is used to patch the vulnerable function, and the shielding position field of the vulnerable function is invalid;

when the shielding method of the vulnerable function is one of the regular-expression matching detection method, the keyword matching detection method and the script function detection method, the shielding function is used to detect whether the vulnerable function has been attacked, and the shielding position field of the vulnerable function is valid;

when the shielding position field is valid and contains the end position or the exception handling position of the vulnerable function, the parameter field of the vulnerable function is invalid.

For example, the vulnerable function's module, class, function name, parameters, shielding position and shielding method, and the shielding function's module, class, function name and parameters, can each have a corresponding field in the vulnerability shielding plug-in. Not every field in a plug-in has to be valid; which fields are valid and which are invalid depends on the shielding method of the vulnerable function.

For example, when the shielding method of the vulnerable function is whole-function replacement, the operation at any specific shielding position is no longer of interest, so the shielding position field of the vulnerable function can be invalid while the remaining fields are valid.

As another example, when the shielding method is one of the regular-expression matching, keyword matching and script function detection methods, the shielding function is used to detect whether the vulnerable function has been attacked, and the specific shielding position matters; the shielding position field of the vulnerable function can therefore be valid.

Further, when the shielding position field is valid and contains the start position of the vulnerable function, the shielding strategy is concerned with the function's parameters, so the parameter field of the vulnerable function can be valid. When the shielding position field is valid and contains the end position, the strategy is concerned with the function's return value rather than its parameters, so the parameter field can be invalid. When the shielding position field is valid and contains the exception handling position, the strategy is concerned with the function's exception handling statements rather than its parameters, so the parameter field can likewise be invalid.

In this way, the amount of information that must be processed for vulnerability shielding can be further reduced.
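The field rules above are the kind of thing an engine should check when it loads a plug-in, before any function is hooked. The following validator is an added example, not the patent's code; the record layout (nested `vuln` and `shield` dictionaries, the method names `replace`, `regex`, `keyword`, `script` and the position names `start`, `end`, `exception`) is a constructed encoding of the fields the text lists. It derives the purpose of the shielding function from the method, reports required fields that are missing as errors, and reports fields the strategy ignores as warnings so a mis-filled plug-in is noticed rather than silently half-applied.

```python
POSITIONS = {"start", "end", "exception"}
METHODS = {"replace", "regex", "keyword", "script"}

def field_policy(method, position):
    """Return (purpose, required vulnerable-function fields, ignored fields) for a strategy."""
    if method not in METHODS:
        raise ValueError(f"unknown shielding method: {method!r}")
    required = {"module", "name", "method"}
    ignored = set()
    if method == "replace":
        purpose = "patch"            # whole-function replacement patches the function
        ignored.add("position")      # no single shielding position is involved
        required.add("params")
    else:
        purpose = "detect"           # regex / keyword / script methods detect an attack
        if position not in POSITIONS:
            raise ValueError(f"method {method!r} needs a valid position, got {position!r}")
        required.add("position")
        if position == "start":
            required.add("params")   # strategy inspects the arguments
        else:
            ignored.add("params")    # strategy inspects the return value or the exception

    return purpose, required, ignored

def check_plugin(plugin):
    """Validate one plug-in record; returns (purpose, errors, warnings)."""
    vuln, shield = plugin["vuln"], plugin["shield"]
    try:
        purpose, required, ignored = field_policy(vuln.get("method"), vuln.get("position"))
    except ValueError as exc:
        return None, [str(exc)], []
    errors, warnings = [], []
    for field in sorted(required):
        if vuln.get(field) is None:
            errors.append(f"vulnerable function: field {field!r} is required")
    for field in ("module", "name"):
        if shield.get(field) is None:
            errors.append(f"shielding function: field {field!r} is required")
    for field in sorted(ignored):
        if vuln.get(field) is not None:
            warnings.append(f"vulnerable function: field {field!r} is ignored for this strategy")
    return purpose, errors, warnings

# constructed plug-in records (not from the patent)
PLUGIN_REPLACE = {
    "vuln": {"module": "app.views", "class": None, "name": "render", "params": ["name"],
             "position": "start", "method": "replace"},
    "shield": {"module": "shields.views", "class": None, "name": "render_fixed", "params": ["name"]},
}
PLUGIN_REGEX_END = {
    "vuln": {"module": "app.db", "class": "Store", "name": "query", "params": ["sql"],
             "position": "end", "method": "regex"},
    "shield": {"module": "shields.db", "class": None, "name": "check_rows", "params": ["rows"]},
}
PLUGIN_KEYWORD_NO_POSITION = {
    "vuln": {"module": "app.db", "class": "Store", "name": "query", "params": ["sql"],
             "position": None, "method": "keyword"},
    "shield": {"module": "shields.db", "class": None, "name": "check_sql", "params": ["sql"]},
}
PLUGIN_SCRIPT_START_NO_PARAMS = {
    "vuln": {"module": "app.files", "class": None, "name": "read", "params": None,
             "position": "start", "method": "script"},
    "shield": {"module": "shields.files", "class": None, "name": "check_path", "params": ["path"]},
}

if __name__ == "__main__":
    for record in (PLUGIN_REPLACE, PLUGIN_REGEX_END, PLUGIN_KEYWORD_NO_POSITION,
                   PLUGIN_SCRIPT_START_NO_PARAMS):
        print(check_plugin(record))
```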

In a possible implementation, step S32 includes:

selecting a matching template function from a preset template function library according to the shielding position and shielding method of the vulnerable function;

the template function includes an outer function and an inner function; the information about the vulnerable function and the information about the shielding function are the input of the outer function, and the return value of the inner function is the return value of the outer function;

the parameters of the vulnerable function, the information about the vulnerable function and the information about the shielding function are the input of the inner function, and the result of calling the shielding function is the return value of the inner function.

For example, a vulnerable function has several possible shielding positions and several possible shielding methods, and the matching template function may differ for each combination of position and method. A template function library can therefore be preset according to the combinations of shielding position and shielding method that the shielding strategy allows. FIG. 6a is a schematic diagram of a template function library according to an embodiment of the present application.

As shown in FIG. 6a, when the shielding position is one of the start position, end position and exception handling position of the vulnerable function, and the shielding method is one of whole-function replacement, regular-expression matching detection, keyword matching detection and script function detection, each shielding position can be combined with one of the three detection methods, giving 9 shielding strategies, and whole-function replacement by itself is 1 further strategy. The template function library can therefore be preset with 10 template functions (template function 1 to template function 10), one per shielding strategy. When selecting, the template function corresponding to the indicated shielding position and shielding method is chosen.

The purpose of the template function has been described above and is not repeated here. Possible forms of the template function are introduced next. FIG. 6b is a schematic diagram of the form of a template function according to an embodiment of the present application.

As shown in FIG. 6b, the template function may consist of an outer function and an inner function, where the information about the vulnerable function and the information about the shielding function are the input of the outer function and the return value of the inner function is the return value of the outer function. The information about the two functions can be passed to the outer function as a single string (equivalent to a function identifier); the outer function splits that string into the shielding function's information and the vulnerable function's information (that is, two strings are separated out of one) and passes them to the inner function. Because this is a composite function, the return value of the inner function is also the return value of the outer function.

The parameters of the vulnerable function, the information about the vulnerable function and the information about the shielding function are the input of the inner function, and the result of calling the shielding function is the return value of the inner function. The inner function can provide a parameter dictionary that records each parameter and its type; possible types include positional parameters, keyword parameters, variadic positional parameters (*args), variadic keyword parameters (**kwargs) and mixtures of these. By recognizing the parameter types, the parameter dictionary separates the parameters and passes them to the shielding function being called. There are three possible results of calling the shielding function. First, when the shielding function is used to patch the vulnerable function, the result of executing the shielding function itself is the call result. Second, when the shielding function is used to detect whether the vulnerable function has been attacked and an attack is detected, the detected information is the call result. Third, when the shielding function is used to detect whether the vulnerable function has been attacked, no attack is detected and the backup function is called instead, the result of calling the backup function is the call result.

In this way, parameter passing is accomplished.
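The 10-entry template library of FIG. 6a and the outer/inner form of FIG. 6b can be built from one factory, since the three detection methods share the same control flow and differ only in what the shielding function inspects. The following is an added example and not the patent's code. It assumes: a registry dictionary that maps the two halves of the identifier string to callables (standing in for module/class/name lookup), the separator `;` between the shielding-function half and the vulnerable-function half, and a detection shield with the signature `shield(method, payload)` that returns the detected information or `None`. The parameter dictionary is built with `inspect.signature(...).bind`, which tags each bound argument with its kind (positional, keyword-only, `*args`, `**kwargs`). The sample functions and the `".."` detector are constructed for illustration; the registry entry for the vulnerable function holds its backup copy, which is what the inner function must call once the real function object has been hooked.

```python
import inspect

POSITIONS = ("start", "end", "exception")
DETECT_METHODS = ("regex", "keyword", "script")

def parameter_dictionary(func, args, kwargs):
    """Bind a call to func's signature and tag every argument with its parameter kind."""
    sig = inspect.signature(func)
    bound = sig.bind(*args, **kwargs)
    bound.apply_defaults()
    return {name: (sig.parameters[name].kind.name, value)
            for name, value in bound.arguments.items()}

def make_template(position, method):
    """Build the template for one (position, method) strategy: outer(func_id, registry) -> inner."""
    def outer(func_id, registry):
        # one identifier string "shield_info;vuln_info" is split into its two halves
        shield_info, vuln_info = func_id.split(";", 1)
        shield_fn = registry[shield_info]
        backup_fn = registry[vuln_info]      # backup copy of the vulnerable function
        def inner(*args, **kwargs):
            params = parameter_dictionary(backup_fn, args, kwargs)
            if method == "replace":          # 1: the shielding function's own result
                return shield_fn(*args, **kwargs)
            if position == "start":          # inspect the arguments before the call
                found = shield_fn(method, params)
                return found if found is not None else backup_fn(*args, **kwargs)
            if position == "end":            # inspect the return value after the call
                result = backup_fn(*args, **kwargs)
                found = shield_fn(method, result)
                return found if found is not None else result
            try:                             # inspect the exception raised by the call
                return backup_fn(*args, **kwargs)
            except Exception as exc:
                found = shield_fn(method, exc)
                if found is None:
                    raise
                return found                 # 2: detected information as the result
        return inner                         # 3: otherwise the backup's result flows through
    return outer

# template 1: whole-function replacement; templates 2-10: position x detection method
TEMPLATE_LIBRARY = {("any", "replace"): make_template("any", "replace")}
TEMPLATE_LIBRARY.update({(p, m): make_template(p, m) for p in POSITIONS for m in DETECT_METHODS})

def select_template(position, method):
    key = ("any", "replace") if method == "replace" else (position, method)
    return TEMPLATE_LIBRARY[key]

# --- constructed sample (not from the patent) ---
def read_record(record_id, verbose=False):
    if isinstance(record_id, int) and record_id < 0:
        raise ValueError("negative record id")
    return f"record {record_id}" + (" (verbose)" if verbose else "")

def fixed_read_record(record_id, verbose=False):
    return read_record(str(record_id).replace("..", ""), verbose)

def detect_traversal(method, payload):
    """Detection shield: returns detected information, or None when nothing is found."""
    evidence = str(payload)
    if ".." in evidence or isinstance(payload, Exception):
        return {"attacked": True, "method": method, "evidence": evidence}
    return None

REGISTRY = {"shield.detect_traversal": detect_traversal,
            "shield.fixed_read_record": fixed_read_record,
            "app.read_record": read_record}

def demo():
    ident = "shield.detect_traversal;app.read_record"
    start = select_template("start", "keyword")(ident, REGISTRY)
    end = select_template("end", "regex")(ident, REGISTRY)
    exc = select_template("exception", "script")(ident, REGISTRY)
    patch = select_template(None, "replace")("shield.fixed_read_record;app.read_record", REGISTRY)
    return {"start_clean": start(7),
            "start_attack": start("../etc")["attacked"],
            "end_attack": end("../x", verbose=True)["method"],
            "exception": exc(-1)["evidence"],
            "patched": patch("../etc")}

if __name__ == "__main__":
    print(demo())
```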

In a possible implementation, executing the template function when the vulnerability shielding plug-in is enabled and the Python application reaches the vulnerable function includes:

when the vulnerability shielding plug-in is enabled and the Python application reaches the vulnerable function, querying whether the vulnerable function is occupied;

when the vulnerable function is not occupied, occupying the vulnerable function and executing the template function.

FIG. 7 is a schematic diagram of executing the template function when the Python application reaches the vulnerable function according to an embodiment of the present application.

For example, as shown in FIG. 7, a Python application may have a business thread and, once the vulnerability shielding engine is integrated, also an engine thread. The business thread may itself execute functions in a loop, for example functions A, B, C and D in turn, and executing a function occupies that function (object). When the vulnerability shielding engine shields a vulnerable function, it also occupies that function (object). The system can be configured so that a given function (object) can be occupied by only one thread at a time.

On this basis, when the plug-in is enabled and the Python application reaches the vulnerable function, it first queries whether the vulnerable function is occupied. If it is not, the function is occupied and the template function is executed. Until the template function finishes executing, the business thread cannot occupy the vulnerable function again.

In this way, thread conflicts in the Python application can be avoided.
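The occupancy rule of FIG. 7 (one thread per function object at a time) maps onto a per-function lock. The following is an added example, not the patent's code; the lock table, the function names and the two-thread scenario are constructed. One practical point it makes: "query whether occupied, then occupy" as two separate steps lets a second thread slip in between them, so the example performs the query and the occupation as a single non-blocking `acquire`, and the blocking form waits until the template of the other thread has finished.

```python
import threading

_locks = {}                         # one lock per function object
_locks_guard = threading.Lock()     # protects the lock table itself

def _lock_for(func):
    with _locks_guard:
        return _locks.setdefault(func, threading.Lock())

def is_occupied(func):
    """Query only; the answer may be stale by the time the caller acts on it."""
    return _lock_for(func).locked()

def try_occupy(func):
    """Query and occupy in one atomic step; False when another thread holds the function."""
    return _lock_for(func).acquire(blocking=False)

def release(func):
    _lock_for(func).release()

def run_template(func, template, *args, **kwargs):
    """Occupy func (waiting if it is held), execute the template, then release it."""
    with _lock_for(func):
        return template(*args, **kwargs)

def demo_conflict():
    """Engine thread holds function_a while the business thread tries to occupy it."""
    def function_a(x):              # constructed business function
        return x * 2
    def template_a(x):              # constructed template standing in for the hook
        return x * 2 + 1
    holding, proceed = threading.Event(), threading.Event()
    results = {}

    def engine():
        def slow_template(x):
            holding.set()           # signal: the engine now occupies function_a
            proceed.wait(5)         # hold it until the business side has looked
            return template_a(x)
        results["engine"] = run_template(function_a, slow_template, 20)

    worker = threading.Thread(target=engine)
    worker.start()
    holding.wait(5)
    results["business_while_engine_holds"] = try_occupy(function_a)   # expected False
    results["occupied_during"] = is_occupied(function_a)              # expected True
    proceed.set()
    worker.join(5)
    results["business_after_release"] = try_occupy(function_a)        # expected True
    if results["business_after_release"]:
        release(function_a)
    return results

if __name__ == "__main__":
    print(demo_conflict())
```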

In a possible implementation, the attributes are stored in the form of a C structure and include at least the function code, the global variables used within the function, the closure relationships and the method code.

For example, most mainstream Python applications today are ultimately implemented in the C language, so a Python function (object) can be described by a C structure and replaced with another function (object). The attributes can include at least the function code, the global variables used within the function (func_globals), the closure relationships (func_closure) and the method code (func_code). Those skilled in the art should understand that the attributes can include more, provided it relates to the function; the embodiments of the present application do not limit the specific content of the attributes.

In this way, the vulnerability shielding method can support the many flexible ways in which the Python language is used.

In a possible implementation, the method further includes:

storing the vulnerable function, the shielding function, the backup function and the template function in the memory of the Python application, with address space management performed by the Python application.

For example, the address of the vulnerable function can be stored in memory for address management as soon as the vulnerability shielding plug-in is received. The shielding function, backup function and template function are all generated while the shielding method is being executed, and the method is executed by the shielding engine within the Python application; the newly generated functions can therefore also be stored in the Python application's memory and have their addresses managed in the way the Python language manages object addresses.

Managing the address space of the vulnerable function, shielding function, backup function and template function (objects) in a unified way prevents the Python application's automatic memory reclamation from reallocating addresses and thereby causing address conflicts between function (objects).

The present application further provides a vulnerability shielding engine. FIG. 8 is an exemplary structural diagram of a vulnerability shielding engine according to an embodiment of the present application.

As shown in FIG. 8, the vulnerability shielding engine is integrated into the Python application of a client and includes:

a plug-in receiving module 80, configured to receive a vulnerability shielding plug-in, where the plug-in includes information about a vulnerable function and information about a shielding function, and the shielding function is used to detect whether the vulnerable function has been attacked or to patch the vulnerable function;

a function generation module 81, configured to generate a template function from the vulnerability shielding plug-in, where, when the shielding function is used to patch the vulnerable function, the template function calls the shielding function to patch the vulnerable function when executed;

an attribute replacement module 82, configured to replace the attributes of a backup function with those of the vulnerable function and to replace the attributes of the vulnerable function with those of the template function, where the backup function is a backup of the vulnerable function.

The functions performed by the plug-in receiving module, the function generation module and the attribute replacement module can be the same as those of the instrumentation module in the description of FIG. 2 above.

In a possible implementation, when the shielding function is used to detect whether the vulnerable function is being attacked, the template function is used to:

call the shielding function when executed; output the detection information when an attack on the vulnerable function is detected; and call the backup function (that is, the original code) when no attack is detected.

In a possible implementation, the vulnerability shielding engine further includes:

a shielding module, for executing the template function when the Python application reaches the vulnerable function while the vulnerability shielding plug-in is enabled, and executing the backup function when the Python application reaches the vulnerable function while the plug-in is not enabled.

The function performed by this shielding module may be the same as that of the shielding module described above with reference to FIG. 2.

In a possible implementation, the information about the vulnerable function includes its module, class, function name, parameters, shielding position and shielding method, and the information about the shielding function includes its module, class, function name and parameters. The shielding position is one of the start position, the end position and the exception-handling position of the vulnerable function; the shielding method is one of whole-function replacement, regular-expression matching detection, keyword matching detection and script-function detection.

In a possible implementation, when the shielding method of the vulnerable function is whole-function replacement, the shielding function is used to patch the vulnerable function and the shielding position field is invalid (ignored); when the shielding method is one of regular-expression matching detection, keyword matching detection and script-function detection, the shielding function is used to detect whether the vulnerable function is being attacked and the shielding position field is valid; when the shielding position field is valid and is the end position or the exception-handling position, the parameter field of the vulnerable function is invalid, since at those positions the check is made on the return value or the exception rather than on the arguments.

In a possible implementation, generating the template function from the vulnerability shielding plug-in includes:

selecting a matching template function from a preset template function library according to the shielding position and shielding method of the vulnerable function;

the template function includes an outer function and an inner function; the information about the vulnerable function and the information about the shielding function are the inputs of the outer function, and the return value of the inner function is the return value of the outer function;

the parameters of the vulnerable function, the information about the vulnerable function and the information about the shielding function are the inputs of the inner function, and the result of calling the shielding function is the return value of the inner function.

In a possible implementation, executing the template function when the Python application reaches the vulnerable function while the vulnerability shielding plug-in is enabled includes:

when the plug-in is enabled and the Python application reaches the vulnerable function, querying whether the vulnerable function is currently occupied;

when the vulnerable function is not occupied, occupying it and executing the template function. This guards against re-entry: if the shielding logic itself ends up calling the vulnerable function, the nested call finds it occupied and does not run the template again.

In a possible implementation, the attributes are stored in the form of a C structure and include at least the function code, the global variables used by the function, the closure relationship and the method code. In CPython these are the func_code, func_globals and func_closure fields of PyFunctionObject, exposed to Python as __code__, __globals__ and __closure__; of the three, only __code__ is assignable from Python code, which is why a pure-Python implementation of the swap has to restrict itself to the code object and the attributes that go with it, or operate at the C level.
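The following is an added example, not code from the patent: a pure-Python rendition of the engine described in the module list (receive plug-in, generate template, swap attributes), the detection and enable/disable behaviour, the plug-in fields, the outer/inner template structure and the occupancy check above. A backup function is built from the vulnerable function's attributes, a template is generated from the plug-in, and the vulnerable function's own attributes are then replaced in place, so every existing reference to that function object (module attribute, alias, bound method) runs the template. The plug-in field names, the ShieldAlert exception, the keyword-only `_shield_cfg` default used to hand the plug-in data to the installed code, and the two constructed vulnerable functions are assumptions of this example; keyword matching, which the text lists alongside regular-expression matching, would be one more branch of build_detector.

```python
# Added example, not the patent's code. Plug-in field names, ShieldAlert and
# handing plug-in data to the installed code via __kwdefaults__ are assumptions.
import ast
import importlib
import re
import threading
import types

class ShieldAlert(Exception):
    """Raised by the template when the shielding logic reports an attack."""

def resolve(info):
    """Look a function up from its plug-in description (module, class, name)."""
    target = importlib.import_module(info["module"])
    if info.get("class"):
        target = getattr(target, info["class"])
    return getattr(target, info["name"])

def make_backup(func):
    """Backup: a new function object given the vulnerable function's attributes."""
    backup = types.FunctionType(func.__code__, func.__globals__, func.__name__,
                                func.__defaults__, func.__closure__)
    backup.__kwdefaults__ = func.__kwdefaults__
    return backup

def build_detector(plugin):
    """Map the plug-in's detection method to callable(subject) -> hit or falsy."""
    shield, method = plugin["shield"], plugin["vuln"]["method"]
    if method == "regex":
        pattern = re.compile(shield["pattern"])
        return lambda s: (m := pattern.search(str(s))) and "regex hit %r" % m.group(0)
    if method == "script":
        return resolve(shield)                # user-written detector, same contract
    raise ValueError("unknown shielding method %r" % method)

def make_template(plugin, backup):
    """Outer template function: returns the inner function to install, plus its state."""
    vuln = plugin["vuln"]
    cfg = {"name": vuln["name"], "method": vuln["method"], "position": vuln.get("position"),
           "backup": backup, "enabled": True, "busy": threading.local(), "alerts": []}
    if vuln["method"] == "replace":           # whole-function patch; position ignored
        cfg["shield"] = resolve(plugin["shield"])
    else:
        cfg["detect"] = build_detector(plugin)
    def alarm(detail, subject):               # "output the detected information"
        record = {"function": cfg["name"], "detail": detail, "subject": repr(subject)[:80]}
        cfg["alerts"].append(record)
        raise ShieldAlert(record)
    cfg["alarm"] = alarm
    def inner(*args, _shield_cfg=cfg, **kwargs):
        # Once installed this body runs under the *vulnerable* function's __globals__,
        # so it uses only its parameters and builtins and has no free variables.
        c = _shield_cfg
        backup, busy = c["backup"], c["busy"]
        if not c["enabled"] or getattr(busy, "held", False):
            return backup(*args, **kwargs)    # plug-in disabled, or re-entered
        busy.held = True                      # occupy the vulnerable function
        try:
            if c["method"] == "replace":
                return c["shield"](*args, **kwargs)
            detect, position = c["detect"], c["position"]
            if position == "start":           # inspect parameters before running
                hit = detect(args + tuple(kwargs.values()))
                return c["alarm"](hit, args) if hit else backup(*args, **kwargs)
            try:
                result = backup(*args, **kwargs)
            except Exception as exc:          # position == "exception"
                hit = position == "exception" and detect(exc)
                if hit:
                    c["alarm"](hit, exc)
                raise
            hit = position == "end" and detect(result)   # inspect the return value
            return c["alarm"](hit, result) if hit else result
        finally:
            busy.held = False
    return inner, cfg

def install(plugin):
    """Engine steps: receive plug-in, generate template, swap attributes in place."""
    vuln = resolve(plugin["vuln"])            # must not be a closure (no free variables)
    backup = make_backup(vuln)                # backup <- vulnerable function's attributes
    inner, cfg = make_template(plugin, backup)
    vuln.__kwdefaults__ = inner.__kwdefaults__  # config first, so the new code
    vuln.__defaults__ = inner.__defaults__      # never runs without it
    vuln.__code__ = inner.__code__.replace(co_name=vuln.__name__)
    vuln.__shield__ = cfg                     # keeps backup and template reachable
    return cfg                                # same object: every alias is patched

# Constructed stand-ins: two vulnerable functions and one patched replacement.
def build_listing_command(directory):
    return "ls -l " + directory               # shell metacharacters pass through

def parse_settings(text):
    return eval(text)                         # code execution on untrusted input

def parse_settings_patched(text):
    return ast.literal_eval(text)             # literals only

REGEX_PLUGIN = {"vuln": {"module": __name__, "name": "build_listing_command", "params": ("directory",),
                         "position": "start", "method": "regex"}, "shield": {"pattern": r"[;&|`$]"}}
REPLACE_PLUGIN = {"vuln": {"module": __name__, "name": "parse_settings", "params": ("text",),
                           "position": None, "method": "replace"},
                  "shield": {"module": __name__, "name": "parse_settings_patched"}}
```

After `cfg = install(REGEX_PLUGIN)`, an alias of build_listing_command taken before the install raises ShieldAlert for `"/tmp; rm -rf /"` and still returns `"ls -l /tmp"` for a clean argument; setting `cfg["enabled"] = False` routes every call to the backup, and `cfg["backup"]` is the untouched original. Two design points follow from the attribute-swap approach: the installed code object must have no free variables (CPython rejects a `__code__` whose free-variable count differs from the function's closure length), so all state travels through the keyword-only default and a function that is itself a closure cannot be patched this way; and the `__shield__` attribute is what keeps the backup and template objects alive, which is the address-management concern the description raises.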

In a possible implementation, the vulnerability shielding engine further includes:

an address management module, for storing the vulnerable function, the shielding function, the backup function and the template function in the memory of the Python application, with address-space management performed by the Python application.

Those skilled in the art will understand that the vulnerability shielding engine may include further modules, such as the alarm handling module described above with reference to FIG. 2; the embodiments of the present application place no limitation on this.

An embodiment of the present application provides an electronic device, comprising: a processor; and a memory for storing instructions executable by the processor; wherein the processor is configured to implement the above method when executing the instructions.

FIG. 9 shows an exemplary structure of an electronic device according to an embodiment of the present application.

As shown in FIG. 9, the electronic device acting as the client may be at least one of a mobile phone, a foldable electronic device, a tablet computer, a desktop computer, a laptop computer, a handheld computer, a notebook computer, a smart speaker with a screen, an ultra-mobile personal computer (UMPC), a netbook, an augmented reality (AR) device, a virtual reality (VR) device, an artificial intelligence (AI) device, a drone, an in-vehicle device, a smart home device or a smart city device. The embodiments of the present application place no particular limitation on the specific type of the electronic device.

The electronic device may include a processor 110, an internal memory 121, a communication module 160 and the like.

The processor 110 may include one or more processing units; for example, it may include an application processor (AP), a modem processor, a graphics processing unit (GPU), an image signal processor (ISP), a controller, a video codec, a digital signal processor (DSP), a baseband processor and/or a neural-network processing unit (NPU). The different processing units may be separate devices or may be integrated into one or more processors. For example, the processor 110 may execute the template function of the embodiments of the present application in order to implement the vulnerability shielding method of the embodiments.

A memory may also be provided in the processor 110 for storing instructions and data. In some embodiments, the memory in the processor 110 is a cache. This memory may hold instructions or data that the processor 110 has just used or uses frequently, such as the shielding position and shielding method of the embodiments of the present application. If the processor 110 needs the instruction or data again, it can be fetched directly from this memory, which avoids repeated accesses, reduces the waiting time of the processor 110 and thus improves system efficiency.

In some embodiments, the processor 110 may include one or more interfaces, such as an inter-integrated circuit (I2C) interface, a universal asynchronous receiver/transmitter (UART) interface or a general-purpose input/output (GPIO) interface. Through at least one of these interfaces the processor 110 may be connected to modules such as a wireless communication module, a display or a camera.

The memory 121 may be used to store computer-executable program code, which includes instructions. The memory 121 may include a program storage area and a data storage area. The program storage area may store an operating system and the application programs required by at least one function (such as the Python application); the data storage area may store data created while the electronic device is in use (such as the template function and the backup function). The memory 121 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, a flash memory device or universal flash storage (UFS). The processor 110 performs the various functional methods or data processing of the electronic device by running the instructions stored in the memory 121 and/or the instructions stored in the memory provided in the processor.

The communication module 160 may be used to receive data from other apparatuses or devices (such as the server of the embodiments of the present application) over wired or wireless communication. For example, it may provide wireless communication solutions applied to the electronic device, including WLAN (such as a Wi-Fi network), Bluetooth (BT), the global navigation satellite system (GNSS), frequency modulation (FM), near field communication (NFC) and infrared (IR). When the electronic device is connected to other apparatuses or devices, the communication module 160 may also use a wired communication solution.

It should be understood that the structure illustrated in the embodiments of the present application does not constitute a specific limitation on the computing device. In other embodiments of the present application, the computing device may include more or fewer components than shown, combine some components, split some components, or arrange the components differently. The illustrated components may be implemented in hardware, in software, or in a combination of software and hardware.

An embodiment of the present application provides a non-volatile computer-readable storage medium on which computer program instructions are stored; when the computer program instructions are executed by a processor, the above method is implemented.

An embodiment of the present application provides a computer program product comprising computer-readable code, or a non-volatile computer-readable storage medium carrying computer-readable code; when the computer-readable code runs in a processor of an electronic device, the processor of the electronic device executes the above method.

The computer-readable storage medium may be a tangible device that can hold and store instructions for use by an instruction execution device. The computer-readable storage medium may be, for example, but is not limited to, an electrical storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium include: a portable computer diskette, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), static random access memory (SRAM), portable compact disc read-only memory (CD-ROM), digital versatile disc (DVD), a memory stick, a floppy disk, a mechanically encoded device such as a punch card or a raised structure in a groove with instructions recorded on it, and any suitable combination of the foregoing.

The computer-readable program instructions or code described here may be downloaded from the computer-readable storage medium to the respective computing/processing devices, or to an external computer or external storage device via a network, such as the Internet, a local area network, a wide area network and/or a wireless network. The network may comprise copper transmission cables, optical-fibre transmission, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. A network adapter card or network interface in each computing/processing device receives the computer-readable program instructions from the network and forwards them for storage in the computer-readable storage medium of the respective computing/processing device.

The computer program instructions for carrying out the operations of the present application may be assembler instructions, instruction set architecture (ISA) instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, state-setting data, or source code or object code written in any combination of one or more programming languages, including object-oriented programming languages such as Smalltalk or C++ and conventional procedural programming languages such as the C language or similar languages. The computer-readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. Where a remote computer is involved, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, an electronic circuit, such as a programmable logic circuit, a field-programmable gate array (FPGA) or a programmable logic array (PLA), is personalised with state information of the computer-readable program instructions, and that electronic circuit can execute the computer-readable program instructions so as to implement the various aspects of the present application.

Aspects of the present application are described here with reference to flowcharts and/or block diagrams of methods, apparatuses (systems) and computer program products according to embodiments of the present application. It should be understood that each block of the flowcharts and/or block diagrams, and combinations of blocks in the flowcharts and/or block diagrams, can be implemented by computer-readable program instructions.

These computer-readable program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer or other programmable data processing apparatus to produce a machine, such that the instructions, when executed by the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/actions specified in one or more blocks of the flowcharts and/or block diagrams. These computer-readable program instructions may also be stored in a computer-readable storage medium; the instructions cause a computer, a programmable data processing apparatus and/or other devices to operate in a particular manner, so that the computer-readable medium storing the instructions constitutes an article of manufacture including instructions that implement aspects of the functions/actions specified in one or more blocks of the flowcharts and/or block diagrams.

The computer-readable program instructions may also be loaded onto a computer, other programmable data processing apparatus or other device to cause a series of operational steps to be performed on the computer, other programmable apparatus or other device so as to produce a computer-implemented process, such that the instructions executed on the computer, other programmable apparatus or other device implement the functions/actions specified in one or more blocks of the flowcharts and/or block diagrams.

The flowcharts and block diagrams in the figures illustrate the architecture, functionality and operation of possible implementations of apparatuses, systems, methods and computer program products according to multiple embodiments of the present application. In this regard, each block in a flowchart or block diagram may represent a module, a program segment or a portion of instructions, which comprises one or more executable instructions for implementing the specified logical function. In some alternative implementations, the functions noted in the blocks may occur out of the order noted in the figures. For example, two consecutive blocks may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functionality involved.

It should also be noted that each block of the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, can be implemented by hardware that performs the corresponding function or action (for example a circuit or an application-specific integrated circuit (ASIC)), or by a combination of hardware and software, such as firmware.

Although the present invention is described here in conjunction with various embodiments, those skilled in the art, in practising the claimed invention, can understand and effect other variations of the disclosed embodiments from a study of the drawings, the disclosure and the appended claims. In the claims, the word "comprising" does not exclude other components or steps, and "a" or "an" does not exclude a plurality. A single processor or other unit may fulfil the functions of several items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.

The embodiments of the present application have been described above; the description is exemplary, not exhaustive, and is not limited to the disclosed embodiments. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope of the described embodiments. The terminology used here was chosen to best explain the principles of the embodiments, their practical application or their improvement over technology in the market, or to enable others of ordinary skill in the art to understand the embodiments disclosed here.

Claims (13)

1.一种漏洞屏蔽方法,其特征在于,所述方法应用于漏洞屏蔽引擎,所述漏洞屏蔽引擎集成在客户端的Python应用程序中,所述方法包括:1. A vulnerability shielding method, characterized in that the method is applied to a vulnerability shielding engine, the vulnerability shielding engine is integrated in a Python application of a client, and the method comprises: 接收漏洞屏蔽插件,所述漏洞屏蔽插件包括漏洞函数的相关信息以及屏蔽函数的相关信息,所述屏蔽函数用于检测所述漏洞函数是否被攻击或用于修补所述漏洞函数;Receive a vulnerability shielding plug-in, the vulnerability shielding plug-in including relevant information of a vulnerability function and relevant information of a shielding function, the shielding function being used to detect whether the vulnerability function is attacked or to patch the vulnerability function; 根据所述漏洞屏蔽插件生成模板函数,所述屏蔽函数用于修补所述漏洞函数时,所述模板函数用于在被执行时调用所述屏蔽函数修补所述漏洞函数;Generate a template function according to the vulnerability shielding plug-in, when the shielding function is used to patch the vulnerability function, the template function is used to call the shielding function to patch the vulnerability function when executed; 将备份函数的属性替换为所述漏洞函数的属性,将所述漏洞函数的属性替换为所述模板函数的属性,所述备份函数是所述漏洞函数的备份。The attributes of the backup function are replaced with the attributes of the vulnerable function, and the attributes of the vulnerable function are replaced with the attributes of the template function, and the backup function is a backup of the vulnerable function. 2.根据权利要求1所述的方法,其特征在于,所述屏蔽函数用于检测所述漏洞函数是否被攻击时,所述模板函数用于:2. The method according to claim 1, characterized in that when the shielding function is used to detect whether the vulnerable function is attacked, the template function is used to: 在被执行时调用所述屏蔽函数,在检测到所述漏洞函数被攻击时输出检测到的信息,在检测到所述漏洞函数未被攻击时调用所述备份函数。The shielding function is called when being executed, the detected information is output when it is detected that the vulnerable function is attacked, and the backup function is called when it is detected that the vulnerable function is not attacked. 3.根据权利要求1或2所述的方法,其特征在于,所述方法还包括:3. 
The method according to claim 1 or 2, characterized in that the method further comprises: 所述漏洞屏蔽插件被使能的条件下,当所述Python应用程序运行到所述漏洞函数时,执行所述模板函数;Under the condition that the vulnerability shielding plug-in is enabled, when the Python application runs to the vulnerable function, the template function is executed; 所述漏洞屏蔽插件未被使能的条件下,当所述Python应用程序运行到所述漏洞函数时,执行所述备份函数。Under the condition that the vulnerability shielding plug-in is not enabled, when the Python application runs to the vulnerable function, the backup function is executed. 4.根据权利要求1-3中任一项所述的方法,其特征在于,所述漏洞函数的相关信息包括所述漏洞函数的模块、类、函数名、参数、屏蔽位置、屏蔽方式;4. The method according to any one of claims 1 to 3, characterized in that the relevant information of the vulnerable function includes the module, class, function name, parameters, shielding position, and shielding method of the vulnerable function; 所述屏蔽函数的相关信息包括所述屏蔽函数的模块、类、函数名、参数;The relevant information of the shielding function includes the module, class, function name, and parameters of the shielding function; 其中,所述屏蔽位置包括所述漏洞函数的开始位置、结束位置和异常处理位置之一,所述屏蔽方式包括函数整体替换方式、正则匹配检测方式、关键词匹配检测方式、脚本函数检测方式之一。Among them, the shielding position includes one of the starting position, the ending position and the exception handling position of the vulnerable function, and the shielding method includes one of the overall function replacement method, the regular matching detection method, the keyword matching detection method and the script function detection method. 5.根据权利要求4所述的方法,其特征在于,所述漏洞函数的屏蔽方式为所述函数整体替换方式时,所述屏蔽函数用于修补所述漏洞函数,所述漏洞函数的屏蔽位置字段无效;5. 
The method according to claim 4, characterized in that when the shielding mode of the vulnerability function is the overall replacement mode of the function, the shielding function is used to patch the vulnerability function, and the shielding position field of the vulnerability function is invalid; 所述漏洞函数的屏蔽方式为所述正则匹配检测方式、所述关键词匹配检测方式、所述脚本函数检测方式之一时,所述屏蔽函数用于检测所述漏洞函数是否被攻击,所述漏洞函数的屏蔽位置字段有效;When the shielding method of the vulnerability function is one of the regular matching detection method, the keyword matching detection method, and the script function detection method, the shielding function is used to detect whether the vulnerability function is attacked, and the shielding position field of the vulnerability function is valid; 所述屏蔽位置字段有效且包括所述漏洞函数的结束位置和异常处理位置之一时,所述漏洞函数的参数字段无效。When the mask position field is valid and includes one of the end position and the exception handling position of the vulnerability function, the parameter field of the vulnerability function is invalid. 6.根据权利要求2-5中任一项所述的方法,其特征在于,所述根据所述漏洞屏蔽插件生成模板函数,包括:6. 
The method according to any one of claims 2 to 5, characterized in that generating a template function according to the vulnerability shielding plug-in comprises: selecting a matching template function from a preset template function library according to the shielding position and shielding mode of the vulnerable function; wherein the template function comprises an outer function and an inner function, the related information of the vulnerable function and the related information of the shielding function are used as inputs of the outer function, and the return value of the inner function is used as the return value of the outer function; and the parameters of the vulnerable function, the related information of the vulnerable function and the related information of the shielding function are used as inputs of the inner function, and the call result of the shielding function is used as the return value of the inner function.

7. The method according to any one of claims 3 to 6, characterized in that, when the vulnerability shielding plug-in is enabled and the Python application runs to the vulnerable function, executing the template function comprises: when the vulnerability shielding plug-in is enabled and the Python application runs to the vulnerable function, querying whether the vulnerable function is occupied; and when the vulnerable function is not occupied, occupying the vulnerable function and executing the template function.

8. The method according to any one of claims 1 to 7, characterized in that the attributes are stored in the form of a C structure, and the attributes comprise at least the function code, the global variables used within the function, the closure relationship and the method code.

9. The method according to any one of claims 1 to 8, characterized in that the method further comprises: storing the vulnerable function, the shielding function, the backup function and the template function respectively in the memory of the Python application, with address space management performed by the Python application.

10. A vulnerability shielding engine, characterized in that the vulnerability shielding engine is integrated in a Python application on a client, and the vulnerability shielding engine comprises: a plug-in receiving module, configured to receive a vulnerability shielding plug-in, wherein the vulnerability shielding plug-in comprises related information of a vulnerable function and related information of a shielding function, and the shielding function is used to detect whether the vulnerable function is under attack or to patch the vulnerable function; a function generation module, configured to generate a template function according to the vulnerability shielding plug-in, wherein, when the shielding function is used to patch the vulnerable function, the template function is used to call the shielding function to patch the vulnerable function when executed; and an attribute replacement module, configured to replace the attributes of a backup function with the attributes of the vulnerable function and to replace the attributes of the vulnerable function with the attributes of the template function, wherein the backup function is a backup of the vulnerable function.

11. An electronic device, characterized in that it comprises: a processor; and a memory for storing processor-executable instructions; wherein the processor is configured to implement the method according to any one of claims 1 to 9 when executing the instructions.

12. A non-volatile computer-readable storage medium having computer program instructions stored thereon, characterized in that the computer program instructions, when executed by a processor, implement the method according to any one of claims 1 to 9.

13. A computer program product, comprising computer-readable code, or a non-volatile computer-readable storage medium carrying computer-readable code, characterized in that, when the computer-readable code runs in an electronic device, a processor in the electronic device executes the method according to any one of claims 1 to 9.
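The attribute-replacement scheme of claims 6 to 10 (backup function takes the vulnerable function's attributes, vulnerable function takes the template function's attributes, template inner function forwards parameters and both info records to the shielding function, with an "occupied" check against re-entrant calls) can be reproduced in pure Python. The following is an added example written for this page, not code from the patent or from Huawei; the function names (`make_template`, `install_shield`, `allocate_buffer`, `bounds_shield`), the info-record dictionaries, the size limit and the sample vulnerable function are all constructed here. Because CPython only exposes `__code__`, `__defaults__`, `__kwdefaults__`, `__dict__` and `__doc__` as writable from Python (the claims swap `__globals__` and the closure inside the C structure), the example restricts itself to functions without free variables.

```python
"""Hot-patching a vulnerable Python function by swapping function attributes.

Constructed illustration of the claimed scheme: a backup function takes over the
vulnerable function's attributes, the vulnerable function takes over a generated
template's attributes, so every existing reference to the vulnerable function now
executes the template, which routes the call through the shielding function.
"""

# Attributes CPython lets Python code reassign on a function object. __globals__
# and __closure__ are read-only here (the claims swap them in the C struct), so
# this demo only handles functions whose code has no free variables.
SWAPPABLE_ATTRS = ("__code__", "__defaults__", "__kwdefaults__", "__dict__", "__doc__")


def make_template(vuln_info, shield_info):
    """Outer template function: takes both info records, returns the inner function.

    The inner function receives the vulnerable function's own parameters plus the
    two info records. The records are carried as keyword-only defaults rather than
    as a closure, so the inner code object has no free variables and can be moved
    onto another function object. Its return value is the shielding function's result.
    """
    def inner(*args, _vuln_info=vuln_info, _shield_info=shield_info, **kwargs):
        # "Occupied" check: a re-entrant call (e.g. the shielding function calling
        # the patched name again) falls through to the untouched original.
        if _vuln_info["occupied"]:
            return _shield_info["backup"](*args, **kwargs)
        _vuln_info["occupied"] = True
        try:
            return _shield_info["shield"](args, kwargs, _vuln_info, _shield_info)
        finally:
            _vuln_info["occupied"] = False
    return inner


def install_shield(vuln_func, shield_func):
    """Swap attributes so vuln_func runs the template and backup runs the original."""
    if vuln_func.__code__.co_freevars:
        raise TypeError("demo only supports functions without closures")

    def backup(*args, **kwargs):  # placeholder body; replaced by the original's attributes
        raise RuntimeError("backup not initialised")

    vuln_info = {"name": vuln_func.__qualname__, "module": vuln_func.__module__,
                 "occupied": False}
    shield_info = {"shield": shield_func, "backup": backup, "detections": []}
    template = make_template(vuln_info, shield_info)

    # Step 1: backup function <- vulnerable function's attributes.
    for attr in SWAPPABLE_ATTRS:
        setattr(backup, attr, getattr(vuln_func, attr))
    # Step 2: vulnerable function <- template function's attributes.
    for attr in SWAPPABLE_ATTRS:
        setattr(vuln_func, attr, getattr(template, attr))
    return backup, shield_info


def uninstall_shield(vuln_func, backup):
    """Restore the original behaviour by moving the backup's attributes back."""
    for attr in SWAPPABLE_ATTRS:
        setattr(vuln_func, attr, getattr(backup, attr))


MAX_BUFFER = 1 << 20  # constructed 1 MiB cap enforced by the shielding function


def allocate_buffer(size):
    """Constructed vulnerable function: trusts size, so a huge value exhausts memory."""
    return bytearray(size)


def bounds_shield(args, kwargs, vuln_info, shield_info):
    """Shielding function: record and reject an out-of-range size, else run the original."""
    size = args[0] if args else kwargs.get("size")
    if not isinstance(size, int) or size < 0 or size > MAX_BUFFER:
        shield_info["detections"].append((vuln_info["name"], size))
        raise ValueError(f"{vuln_info['name']}: rejected size {size!r}")
    return shield_info["backup"](*args, **kwargs)


def demo():
    """Patch, exercise and restore allocate_buffer; return the observed facts."""
    backup, info = install_shield(allocate_buffer, bounds_shield)
    ok = len(allocate_buffer(16))            # template -> shield -> original
    try:
        allocate_buffer(1 << 40)             # would have tried to allocate 1 TiB
        blocked = False
    except ValueError:
        blocked = True
    backup_len = len(backup(32))             # backup bypasses the shield entirely
    name_kept = allocate_buffer.__name__      # identity attributes are not swapped
    patched_code = allocate_buffer.__code__.co_name
    uninstall_shield(allocate_buffer, backup)
    restored_code = allocate_buffer.__code__.co_name
    return {"ok": ok, "blocked": blocked, "detections": len(info["detections"]),
            "backup_len": backup_len, "name": name_kept,
            "patched_code": patched_code, "restored_code": restored_code}


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. First, the swap is done on the function object, not by rebinding a module name, which is why callers that imported `allocate_buffer` by value before the patch still run the shielded path; this is the property the claims rely on. Second, the "occupied" flag here is a plain dictionary entry, so it guards against recursion but not against concurrent calls from several threads; a production engine would need per-thread state or a lock for that check.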
CN202310377332.0A 2023-03-31 2023-03-31 Vulnerability shielding method, engine, electronic device, storage medium and program product Pending CN118734310A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310377332.0A CN118734310A (en) 2023-03-31 2023-03-31 Vulnerability shielding method, engine, electronic device, storage medium and program product

Publications (1)

Publication Number Publication Date
CN118734310A true CN118734310A (en) 2024-10-01

Family

ID=92862836

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310377332.0A Pending CN118734310A (en) 2023-03-31 2023-03-31 Vulnerability shielding method, engine, electronic device, storage medium and program product

Country Status (1)

Country Link
CN (1) CN118734310A (en)

Similar Documents

Publication Publication Date Title
US11687645B2 (en) Security control method and computer system
US8316448B2 (en) Automatic filter generation and generalization
US10839085B1 (en) Detection and healing of vulnerabilities in computer code
CN102902919B (en) A kind of identifying processing methods, devices and systems of suspicious operation
US8117660B2 (en) Secure control flows by monitoring control transfers
RU2531861C1 (en) System and method of assessment of harmfullness of code executed in addressing space of confidential process
US9953162B2 (en) Rapid malware inspection of mobile applications
US20230185921A1 (en) Prioritizing vulnerabilities
EP2807598B1 (en) Identifying trojanized applications for mobile environments
CN110929264B (en) Vulnerability detection method and device, electronic equipment and readable storage medium
US20210390182A1 (en) Automatic mitigation of corrupted or compromised compute resources
US10216934B2 (en) Inferential exploit attempt detection
RU2606559C1 (en) System and method for optimizing of files antivirus checking
CN115062309B (en) Vulnerability mining method based on equipment firmware simulation in novel power system and storage medium
WO2021243555A1 (en) Quick application test method and apparatus, device, and storage medium
US20190102279A1 (en) Generating an instrumented software package and executing an instance thereof
CN108959936A (en) An Automatic Exploitation Method of Buffer Overflow Vulnerabilities Based on Path Analysis
Yin et al. Automatic malware analysis: an emulator based approach
JP2021111384A (en) System and method for protecting against unauthorized memory dump modification
US20230141948A1 (en) Analysis and Testing of Embedded Code
CN118734310A (en) Vulnerability shielding method, engine, electronic device, storage medium and program product
CN117032894A (en) Container security state detection method and device, electronic equipment and storage medium
Bu et al. When program analysis meets mobile security: an industrial study of misusing android internet sockets
CN112733157B (en) A file upload method, system and medium based on non-executable directory
EP3692456A1 (en) Binary image stack cookie protection

Legal Events

Date Code Title Description
PB01 Publication