
CN118734310A - Vulnerability shielding method, engine, electronic device, storage medium and program product - Google Patents


Info

Publication number
CN118734310A
Authority
CN
China
Prior art keywords: function, vulnerability, shielding, template, plug-in
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310377332.0A
Other languages
Chinese (zh)
Inventor
蒋仲伯
史磊
荣平
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN202310377332.0A
Publication of CN118734310A
Legal status: Pending

Landscapes

  • Stored Programmes (AREA)

Abstract

The application relates to a vulnerability shielding method, an engine, an electronic device, a storage medium and a program product. The method comprises the following steps: receiving a vulnerability shielding plug-in, where the plug-in comprises information about a vulnerability function and information about a shielding function, and the shielding function is used either to detect whether the vulnerability function is being attacked or to repair the vulnerability function; generating a template function from the plug-in, where, when the shielding function repairs the vulnerability function, the template function calls the shielding function to perform the repair when executed; copying the attributes of the vulnerability function onto a backup function, and then replacing the attributes of the vulnerability function with those of the template function, the backup function being a backup of the vulnerability function. With the method provided by the embodiments of the application, a Python application executes the template function, which repairs the vulnerability function, whenever execution reaches the vulnerability function, so that the vulnerability of a running Python application can be dynamically instrumented and shielded.

Description

Vulnerability shielding method, engine, electronic device, storage medium and program product
Technical Field
The present application relates to the field of computer technologies, and in particular, to a vulnerability shielding method, an engine, an electronic device, a storage medium, and a program product.
Background
Vulnerabilities are flaws in the concrete implementation of hardware, software, protocols or system security policies that may enable an attacker to access or damage a system without authorization. The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have jointly published standards for the collection, investigation, repair and disclosure of vulnerabilities. Under those standards, the repair step of the vulnerability handling process for any application currently means applying the patches, repair documentation or configuration changes officially released by the vendor. The standards also state that where a vulnerability poses a high risk to an application, temporary interim remedial measures may be required; for high-risk vulnerabilities such measures are necessary.
The period from the disclosure of a vulnerability until its official patch takes effect may be called the vulnerability exposure period. A vulnerability that remains in the exposure period for a long time offers an attacker a large attack window. Existing schemes either require instrumentation points to be preset in advance or implement vulnerability shielding only for C applications; none can dynamically instrument a vulnerability in a running Python application in order to shield it.
Disclosure of Invention
In view of this, a vulnerability shielding method, an engine, an electronic device, a storage medium and a program product are provided. According to the vulnerability shielding method of the embodiments of the application, a template function is generated automatically from a vulnerability shielding plug-in; when executed, the template function calls the shielding function to repair the vulnerability function. The attributes of the vulnerability function are replaced with those of the template function, so that when the Python application reaches the vulnerability function it executes the template function and thereby repairs the vulnerability function. In this way a vulnerability in a running Python application can be dynamically instrumented and shielded.
In a first aspect, an embodiment of the present application provides a vulnerability shielding method applied to a vulnerability shielding engine that is integrated into a Python application on a client. The method includes: receiving a vulnerability shielding plug-in, where the plug-in comprises information about a vulnerability function and information about a shielding function, and the shielding function is used either to detect whether the vulnerability function is being attacked or to repair the vulnerability function; generating a template function from the plug-in, where, when the shielding function repairs the vulnerability function, the template function calls the shielding function to perform the repair when executed; copying the attributes of the vulnerability function onto a backup function, and then replacing the attributes of the vulnerability function with those of the template function, the backup function being a backup of the vulnerability function.
According to this method, receiving the plug-in yields the information about the vulnerability function and the shielding function that it carries. The template function is generated from the plug-in rather than written by hand, which lowers the effort required of security maintenance staff. Because the vulnerability shielding engine is integrated into the Python application, function attributes can be replaced using the facilities of the Python language itself: replacing the attributes of the vulnerability function with those of the template function gives the application the ability to execute the template function in place of the vulnerability function, without preset instrumentation points for each vulnerability function, which completes the dynamic instrumentation of the vulnerability function. The shielding function either detects an attack on the vulnerability function or repairs it; in the repair case the template function calls the shielding function when executed, so executing the template function realizes the shielding. The shielding function is loaded in the manner of a hot patch, so the Python application does not have to be restarted and the business code does not have to be recompiled; service is not interrupted.
The backup function is a backup of the vulnerability function. Because its attributes are those of the vulnerability function, the Python application can obtain the original behaviour by executing the backup function wherever it would otherwise have executed the vulnerability function. In summary, the vulnerability shielding method of the embodiments of the application dynamically instruments the vulnerability of a running Python application to shield it, without restarting the application or interrupting service, which shortens the vulnerability exposure period and improves the shielding effect.
In a first possible implementation manner of the vulnerability shielding method according to the first aspect, when the shielding function is used to detect whether the vulnerability function is attacked, the template function is used to: and calling the shielding function when the vulnerability function is executed, outputting detected information when the vulnerability function is detected to be attacked, and calling the backup function when the vulnerability function is detected to be not attacked.
By the method, the vulnerability shielding can be realized in an attack detection mode, so that the vulnerability shielding mode is more flexible.
In a second possible implementation manner of the vulnerability shielding method according to the first aspect or the first possible implementation manner of the first aspect, the method further includes: executing the template function when the Python application program runs to the vulnerability function under the condition that the vulnerability shielding plug-in is enabled; and under the condition that the vulnerability shielding plug-in is not enabled, executing the backup function when the Python application program runs to the vulnerability function.
In this way the vulnerability shielding engine shields the vulnerability function in a more targeted manner, and its mode of operation is more flexible.
In a third possible implementation of the vulnerability shielding method according to the first aspect or any of its possible implementations, the information about the vulnerability function includes its module, class, function name, parameters, shielding position and shielding mode; the information about the shielding function includes its module, class, function name and parameters. The shielding position is one of the start position, the end position and the exception-handling position of the vulnerability function, and the shielding mode is one of whole-function replacement, regular-expression matching detection, keyword matching detection and script-function detection.
In a fourth possible implementation of the vulnerability shielding method according to the third possible implementation of the first aspect, when the shielding mode of the vulnerability function is whole-function replacement, the shielding function repairs the vulnerability function and the shielding position field of the vulnerability function is invalid (unused). When the shielding mode is one of regular-expression matching detection, keyword matching detection and script-function detection, the shielding function detects whether the vulnerability function is being attacked and the shielding position field is valid. When the shielding position field is valid and holds the end position or the exception-handling position of the vulnerability function, the parameter field of the vulnerability function is invalid.
In this way, the amount of information that must be processed to shield the vulnerability is further reduced.
In a fifth possible implementation of the vulnerability shielding method according to any of the first to fourth possible implementations of the first aspect, generating the template function from the vulnerability shielding plug-in includes: selecting a matching template function from a preset template function library according to the shielding position and shielding mode of the vulnerability function. The template function consists of an outer function and an inner function: the information about the vulnerability function and about the shielding function is the input of the outer function, and the return value of the inner function is the return value of the outer function; the parameters of the vulnerability function together with the information about the vulnerability function and the shielding function are the input of the inner function, and the result of calling the shielding function is the return value of the inner function.
In this way, parameters are passed through from the call site to the shielding function.
In a sixth possible implementation of the vulnerability shielding method according to any of the second to fifth possible implementations of the first aspect, executing the template function when the Python application reaches the vulnerability function while the plug-in is enabled includes: when the plug-in is enabled and the application reaches the vulnerability function, checking whether the vulnerability function is currently occupied; and, if it is not occupied, marking it occupied and executing the template function.
In this way, thread conflicts within the Python application are avoided.
In a seventh possible implementation of the vulnerability shielding method according to the first aspect or any of its possible implementations, the attributes are stored as a C structure and include at least the function code, the global variables used by the function, the closure relationship and the method code.
In this way, the vulnerability shielding method supports the various flexible usage patterns of the Python language.
In an eighth possible implementation of the vulnerability shielding method according to the first aspect or any of its possible implementations, the method further includes: storing the vulnerability function, the shielding function, the backup function and the template function in the memory of the Python application, with address space management performed by the Python application.
By managing the address space of the vulnerability function, shielding function, backup function and template function (objects) uniformly, the automatic memory reclamation of the Python application prevents an address from being reassigned prematurely, so address conflicts between these function objects are avoided.
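The steps of the first aspect (receive a plug-in, build a template, back up the vulnerability function, replace its attributes, run in detection or whole-function-replacement mode, honour an enable switch) can be sketched in pure Python. The following is an added example written for this page; it is not code from the patent or from Huawei. The vulnerable function, its format-string weakness, the shielding functions and the plug-in dictionary layout are all constructed here. Pure Python can reassign a function's `__code__`, `__defaults__` and `__kwdefaults__` but not its `__globals__` or `__closure__`, so per-target state is handed to the template through a keyword-only default; the C-level engine the patent describes would not be bound by that restriction.

```python
import re
import types

# Constructed stand-in for a vulnerable function (assumption: a real engine would
# locate the target from the plug-in's module/class/function-name fields).
def render_greeting(name, template="Hello, {name}!"):
    # Weak by construction: an attacker-controlled format string can walk
    # attributes, e.g. "{name.__class__.__init__.__globals__}".
    return template.format(name=name)

_ATTR_ACCESS = re.compile(r"\{[^{}]*[.\[]")   # a replacement field using . or [

def detect_format_injection(name, template="Hello, {name}!"):
    """Shielding function, regular-expression detection mode at the start position.
    Takes the vulnerability function's own parameters; returns detection info or None."""
    if _ATTR_ACCESS.search(template):
        return {"rule": "format_attr_access", "template": template}
    return None

def safe_greeting(name, template="Hello, {name}!"):
    """Shielding function, whole-function replacement mode: a repaired implementation."""
    return "Hello, " + str(name) + "!"

# Template functions. They are deliberately closure-free: CPython accepts a
# __code__ assignment only if the code's free-variable count matches the target's
# closure, so all per-target state arrives through the keyword-only default.
def _detect_template(*args, _vshield_entry=None, **kwargs):
    entry = _vshield_entry
    if not entry["enabled"]:                      # plug-in disabled: run the backup
        return entry["backup"](*args, **kwargs)
    verdict = entry["shield"](*args, **kwargs)    # call the shielding function
    if verdict is None:                           # not attacked: run the backup
        return entry["backup"](*args, **kwargs)
    entry["hits"].append(verdict)                 # "output detected information"
    return entry["on_detect"](verdict)

def _repair_template(*args, _vshield_entry=None, **kwargs):
    entry = _vshield_entry
    if not entry["enabled"]:
        return entry["backup"](*args, **kwargs)
    return entry["shield"](*args, **kwargs)       # shielding function repairs the call

def install_plugin(func, plugin):
    """Shield `func` in place, preserving the function object's identity."""
    if func.__code__.co_freevars:
        raise ValueError("closure targets need a template with a matching free-var layout")
    # Backup function: a new function object carrying the vulnerability function's
    # code, globals, defaults and closure (the fields of the interpreter's C-level
    # function structure that Python exposes).
    backup = types.FunctionType(func.__code__, func.__globals__,
                                func.__name__ + "__backup",
                                func.__defaults__, func.__closure__)
    backup.__kwdefaults__ = func.__kwdefaults__
    entry = {"backup": backup, "shield": plugin["shield"], "enabled": True,
             "hits": [], "on_detect": plugin.get("on_detect", lambda verdict: None)}
    template = _repair_template if plugin["mode"] == "replace" else _detect_template
    # Replace the vulnerability function's attributes with the template's. Every
    # existing reference to the object (aliases, names bound by import) now runs
    # the template, which rebinding the module attribute alone would not achieve.
    func.__code__ = template.__code__
    func.__defaults__ = None
    func.__kwdefaults__ = {"_vshield_entry": entry}
    return entry

def demo():
    alias = render_greeting   # reference taken before patching, as an importer would hold
    entry = install_plugin(render_greeting, {
        "mode": "regex_detect", "position": "start",
        "shield": detect_format_injection,
        "on_detect": lambda verdict: "Hello, guest!",
    })
    results = {
        "benign": alias("Ada"),
        "attack": alias("Ada", "{name.__class__.__init__.__globals__}"),
        "hits": len(entry["hits"]),
    }
    entry["enabled"] = False                       # disabled: backup runs unchanged
    results["disabled"] = alias("Ada", "Hi {name}")

    def render_subject(name, template="Re: {name}"):   # second constructed target
        return template.format(name=name)
    install_plugin(render_subject, {"mode": "replace", "shield": safe_greeting})
    results["repaired"] = render_subject("Ada", "{name.__class__}")
    return results

if __name__ == "__main__":
    print(demo())
```

The identity-preserving swap is the point of the patent's "replace the attributes" step: `alias` was bound before the plug-in was installed and still ends up in the template. The `co_freevars` check is the caveat a practitioner hits first in pure Python; a vulnerability function that is itself a closure needs a template built with the same closure layout.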
In a second aspect, an embodiment of the present application provides a vulnerability shielding engine integrated into a Python application on a client. The engine includes: a plug-in receiving module for receiving a vulnerability shielding plug-in, where the plug-in comprises information about a vulnerability function and information about a shielding function, and the shielding function is used either to detect whether the vulnerability function is being attacked or to repair the vulnerability function; a function generation module for generating a template function from the plug-in, where, when the shielding function repairs the vulnerability function, the template function calls the shielding function to perform the repair when executed; and an attribute replacement module for copying the attributes of the vulnerability function onto a backup function and then replacing the attributes of the vulnerability function with those of the template function, the backup function being a backup of the vulnerability function.
In a first possible implementation of the vulnerability shielding engine according to the second aspect, when the shielding function detects whether the vulnerability function is being attacked, the template function is used to call the shielding function when the vulnerability function is executed, to output detection information when an attack on the vulnerability function is detected, and to call the backup function when no attack is detected.
In a second possible implementation of the vulnerability shielding engine according to the second aspect or its first possible implementation, the engine further comprises a shielding module configured to execute the template function when the Python application reaches the vulnerability function while the plug-in is enabled, and to execute the backup function when the application reaches the vulnerability function while the plug-in is not enabled.
In a third possible implementation of the vulnerability shielding engine according to the second aspect or any of its possible implementations, the information about the vulnerability function includes its module, class, function name, parameters, shielding position and shielding mode; the information about the shielding function includes its module, class, function name and parameters. The shielding position is one of the start position, the end position and the exception-handling position of the vulnerability function, and the shielding mode is one of whole-function replacement, regular-expression matching detection, keyword matching detection and script-function detection.
In a fourth possible implementation of the vulnerability shielding engine according to the third possible implementation of the second aspect, when the shielding mode of the vulnerability function is whole-function replacement, the shielding function repairs the vulnerability function and the shielding position field is invalid; when the shielding mode is one of regular-expression matching detection, keyword matching detection and script-function detection, the shielding function detects whether the vulnerability function is being attacked and the shielding position field is valid; when the shielding position field is valid and holds the end position or the exception-handling position of the vulnerability function, the parameter field of the vulnerability function is invalid.
In a fifth possible implementation of the vulnerability shielding engine according to any of the first to fourth possible implementations of the second aspect, generating the template function from the plug-in includes selecting a matching template function from a preset template function library according to the shielding position and shielding mode of the vulnerability function. The template function consists of an outer function and an inner function: the information about the vulnerability function and about the shielding function is the input of the outer function, and the return value of the inner function is the return value of the outer function; the parameters of the vulnerability function together with the information about the vulnerability function and the shielding function are the input of the inner function, and the result of calling the shielding function is the return value of the inner function.
In a sixth possible implementation of the vulnerability shielding engine according to any of the second to fifth possible implementations of the second aspect, executing the template function when the Python application reaches the vulnerability function while the plug-in is enabled includes: when the plug-in is enabled and the application reaches the vulnerability function, checking whether the vulnerability function is currently occupied; and, if it is not occupied, marking it occupied and executing the template function.
In a seventh possible implementation of the vulnerability shielding engine according to the second aspect or any of its possible implementations, the attributes are stored as a C structure and include at least the function code, the global variables used by the function, the closure relationship and the method code.
In an eighth possible implementation of the vulnerability shielding engine according to the second aspect or any of its possible implementations, the engine further comprises an address management module for storing the vulnerability function, the shielding function, the backup function and the template function in the memory of the Python application, with address space management performed by the Python application.
In a third aspect, an embodiment of the present application provides an electronic device, including: a processor; a memory for storing processor-executable instructions; wherein the processor is configured to implement the vulnerability shielding method of the first aspect or one or several of the plurality of possible implementations of the first aspect when executing the instructions.
In a fourth aspect, embodiments of the present application provide a non-transitory computer-readable storage medium storing computer program instructions which, when executed by a processor, implement the vulnerability shielding method of the first aspect or one or more of its possible implementations.
In a fifth aspect, embodiments of the present application provide a computer program product comprising computer-readable code, or a non-transitory computer-readable storage medium carrying computer-readable code, such that when the code runs in an electronic device, a processor in the device performs the vulnerability shielding method of the first aspect or one or more of its possible implementations.
These and other aspects of the application will be apparent from and elucidated with reference to the embodiment(s) described hereinafter.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate exemplary embodiments, features and aspects of the application and together with the description, serve to explain the principles of the application.
Fig. 1 illustrates an exemplary application scenario of a vulnerability shielding method according to an embodiment of the present application.
Fig. 2 shows a schematic diagram of the relationship between functional modules in a Python application according to an embodiment of the present application.
Fig. 3 shows a schematic diagram of a flow of a vulnerability shielding method according to an embodiment of the application.
Fig. 4 illustrates one example of a vulnerability shield plug-in accordance with an embodiment of the present application.
FIG. 5 shows a schematic diagram of replacing function attributes according to an embodiment of the application.
FIG. 6a shows a schematic diagram of a library of template functions according to an embodiment of the application.
Fig. 6b shows a schematic representation of the form of a template function according to an embodiment of the application.
FIG. 7 illustrates a schematic diagram of executing a template function when a Python application runs into a vulnerability function, according to an embodiment of the application.
Fig. 8 illustrates an exemplary architectural diagram of a vulnerability shielding engine according to an embodiment of the present application.
Fig. 9 shows an exemplary structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
Various exemplary embodiments, features and aspects of the application will be described in detail below with reference to the drawings. In the drawings, like reference numbers indicate identical or functionally similar elements. Although various aspects of the embodiments are illustrated in the accompanying drawings, the drawings are not necessarily drawn to scale unless specifically indicated.
The word "exemplary" is used herein to mean "serving as an example, embodiment, or illustration". Any embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.
In addition, numerous specific details are set forth in the following description in order to provide a better illustration of the application. It will be understood by those skilled in the art that the present application may be practiced without some of these specific details. In some instances, well known methods, procedures, components, and circuits have not been described in detail so as not to obscure the present application.
Terms that may appear in this document are described below.
Zero-day vulnerability (zero-day): also called a zero-time-difference attack, refers to a security vulnerability that is exploited immediately after it is discovered. Colloquially, malicious code exploiting the vulnerability appears on the same day the vulnerability is disclosed. Such attacks tend to be very sudden and destructive.
Period of vulnerability exposure: the period of time from zero-day vulnerability discovery to the validity of the vulnerability formal patch is referred to as the vulnerability exposure period.
Exception handling statement (try-except): a Python language construct that marks a piece of code for exception monitoring and provides a mechanism for handling exceptions. It consists of a try block and except blocks (try_suite and except_suite), optionally with an error cause. The try clause is executed first; if no exception is raised, all except clauses are skipped and execution continues; if an exception occurs, the interpreter searches the sequence of handlers (except clauses) for one that matches.
Instrumentation: inserting probes into a program while preserving the logical integrity of the original program, and collecting information from the code through the probes (methods, method parameter values, return values and so on), so as to gather dynamic context information while the program runs.
Runtime Application Self-Protection (RASP): a security technology that monitors the inputs of a piece of software and blocks inputs that could enable an attack, protects the runtime environment against unwanted modification and tampering, and thereby improves the security of the software.
In the vulnerability handling process currently used in the industry, the main response to a vulnerability is to repair it; a systematic, procedural mitigation scheme for high-risk vulnerabilities that reduces the impact of attacks on the system is lacking. The main problems are as follows:
Incomplete repair in delivered versions: vulnerability awareness is incomplete, the distribution chain is inefficient, self-checking is inefficient and the probability of interception is low, so some versions ship containing known vulnerabilities.
No pipeline planning for in-field versions: lifecycle rules for vulnerability fixes are lacking, in-field versions have no pipeline planning, and a large number of vulnerabilities are fixed only in the next version.
A large number of vulnerabilities remain in the live network: most customers are not explicitly aware of the vulnerabilities, which remain in the live network as latent security hazards.
Because of these process problems, a large number of applications are in a vulnerable state during the exposure period between disclosure of a vulnerability and the moment its official patch takes effect, and are highly exposed to external attack. Under the current handling process the exposure period is usually longer than one month, which gives an attacker a very large attack window. Shielding the vulnerability during the exposure period mitigates the impact on the application of attacks mounted in that period.
Two prior art schemes for implementing vulnerability masks during vulnerability exposure are described below.
The first prior-art scheme proposes vulnerability shielding based on runtime application self-protection (RASP). RASP operates inside the application at run time and, by analysing specific behaviours such as the data passed to designated application programming interfaces (APIs), potential structured query language (SQL) queries and command-prompt (cmd) invocations, blocks automated and high-risk attacks on vulnerabilities in network programs and APIs.
The disadvantage of the first prior-art scheme is that RASP cannot dynamically instrument a vulnerability in order to shield it: instrumentation points must be embedded in advance for API calls such as command execution, file access and network access, each with its own detection logic and handling method. This imposes a considerable programming burden on the developer.
In the second prior art, a scheme of generating temporary patches in an automatic mode is provided to cope with the situation that the vulnerability exposure period is attacked.
The scheme consists of the following modules:
1. Data collection and target identification module.
This module is divided into two sub-modules, unknown vulnerability discovery and future threat prediction. Unknown vulnerability discovery is mainly achieved by vulnerability mining; the future threat prediction sub-module identifies future attack targets, for example by predicting security events with deep learning, and has high prediction accuracy.
2. Real-time patch module.
The real-time patch module performs two functions: selective reinforcement and isolation. Once a vulnerability is discovered, the module must respond immediately and provide an automated patch implemented by instrumentation and reinforcement techniques (the selective reinforcement function). Selective reinforcement implants patch code at the vulnerable position of the binary code, for example by binary instrumentation, where the patch code performs anomaly detection on the vulnerable code. If a vulnerability is found to have been attacked, the host on which it resides is already infected, and the module must immediately isolate that host from the other hosts in the network (the isolation function). The isolation technique has two parts, host detection and host isolation: host detection identifies the infected host, and host isolation separates it from the other hosts by network isolation.
3. Forensic preparation module.
The forensic preparation module is mainly used to implant forensic code at key positions to facilitate subsequent forensic analysis.
In the second prior art, generating a temporary patch temporarily eliminates the effect of the vulnerability until the formal patch is installed. Its disadvantages are, first, that the application source code is required and the application must be recompiled and restarted, so the vulnerability cannot be shielded while the application is running; and second, that the scheme is a vulnerability shielding scheme for C applications and lacks support for Python applications.
In summary, existing solutions either cannot dynamically instrument the vulnerability, or are vulnerability shielding solutions for C applications that lack support for Python applications and cannot shield vulnerabilities while the application is running. How to dynamically instrument the vulnerabilities of a running Python application in order to shield them has therefore become a research hotspot in the field.
In view of this, a vulnerability shielding method, an engine, an electronic device, a storage medium and a program product are provided. According to the vulnerability shielding method of the embodiments of the application, a template function is automatically generated from a vulnerability shielding plug-in; when executed, the template function calls the shielding function to repair the vulnerability function. The attributes of the vulnerability function are replaced with those of the template function, so that when the Python application runs to the vulnerability function it executes the template function instead, which repairs the vulnerability function. The vulnerability of a running Python application can thus be dynamically instrumented in order to shield it.
Fig. 1 illustrates an exemplary application scenario of a vulnerability shielding method according to an embodiment of the present application.
As shown in Fig. 1, the vulnerability shielding method of the embodiments can be applied to a vulnerability shielding engine, which may be provided to the Python application as a software development kit (SDK) or integrated into it as a unit module of a system service, in order to shield against and protect from vulnerability attacks. The Python application may be located in a host, a virtual machine (VM), or a container (Docker) on the client.
The client may be used by a user. For example, the client of the present application may be a smartphone, a netbook, a tablet, a notebook computer, a wearable electronic device (e.g. a smart bracelet or smart watch), a television, a virtual reality device, a speaker, an electronic ink device, and so on. The application does not limit the specific type of client.
The application scenario may also include a server side, for example a server, corresponding to the client. The server may be used by application security maintenance personnel. When a vulnerability is disclosed, security maintenance personnel analyse it, write a script (containing the relevant information of the shielding function) and a configuration file (containing the relevant information of the vulnerability function), and package them as a compressed archive into the vulnerability shielding plug-in. The vulnerability function may be a function in the business code of the Python application in which the vulnerability occurs, and the shielding function may be used to detect whether the vulnerability function is attacked or to repair the vulnerability function. Examples of the relevant information of the vulnerability function and of the shielding function are given further below.
Before the Python application is started, the vulnerability shielding engine may be written into a Python environment variable or imported into the Python application, so that the engine starts together with the application. The server may also issue configuration management information for the vulnerability shielding engine (e.g. processor, memory) to the Python application on the client. In this case, when the user starts the Python application, the vulnerability shielding engine starts at the same time and the application can initialise the engine from the configuration management information so that it works normally.
After the Python application is started, a vulnerability may be disclosed, and the server may issue a corresponding vulnerability shielding plug-in. After the client receives the plug-in, its security can be checked; the checking method can be implemented with existing techniques and is not described here. After the check passes, the vulnerability shielding engine executes the vulnerability shielding method: it generates a template function with the vulnerability shielding capability and completes the attribute replacement of the template function, so that when the Python application runs to the vulnerability function it executes the template function, which repairs the vulnerability function.
The client can feed back loading information of the vulnerability shielding plug-in to the server, indicating whether the template function was generated. The server may then choose whether to enable the plug-in on the client; the effects of the different choices are described further below. When the plug-in is enabled and the client detects that the vulnerability is attacked, the client can report the detected information (such as the attack position and attack method) to the server.
Because the server side in the application scenario of Fig. 1 can provide a cloud service, it adapts well to distributed scenarios with multiple clients.
Fig. 2 shows a schematic diagram of the relationship between functional modules in a Python application according to an embodiment of the present application.
As shown in Fig. 2, on the client the vulnerability shielding engine acts as a software development kit provided to the Python application for vulnerability shielding. The client also has another software development kit that serves the vulnerability shielding plug-in. The Python application runs in a language virtual machine on the client; it contains a business component and several open source components (API 1 and so on), and integrates the vulnerability shielding engine.
Several functional modules may be arranged in the language virtual machine, including a configuration management module, an alarm processing module, a plug-in management module, a shielding strategy module, an instrumentation module and a shielding module. The configuration management module initialises the vulnerability shielding engine from the configuration management information issued by the server; the alarm processing module reports information about attacked vulnerabilities to the server; the plug-in management module is responsible for enabling the vulnerability shielding plug-in; and the shielding strategy module records the information carried by the plug-in. The instrumentation module executes the template function generation and attribute replacement parts of the vulnerability shielding method, instrumenting the open source component related to the vulnerability in the Python application; the shielding module executes the template function to shield the vulnerability. The alarm processing module, the instrumentation module and the shielding module may be placed in the vulnerability shielding engine. The remaining modules may be implemented by other engines in the language virtual machine; the application is not limited in this regard.
Those skilled in the art will appreciate that each functional module described above is a logical module rather than a physical one, and that several functional modules may be integrated, or further decomposed into more detailed modules, without limitation.
Another exemplary application scenario of the vulnerability shielding method differs from the scenario of Fig. 1 in that there may be no server, and the client may be used by the security maintainer directly. When a vulnerability is disclosed, the security maintainer can operate the client's system to analyse the vulnerability, write the script and configuration file, and package them as a compressed archive into the vulnerability shielding plug-in. The plug-in may be stored in the client's system memory.
Configuration management information for the vulnerability shielding engine may be output from system memory and received by the engine in the Python application. After the Python application is started, a vulnerability may be disclosed, and the client's system may output the corresponding vulnerability shielding plug-in to the engine. In this case the plug-in is already local and has a degree of trust, so the engine need not be configured to verify it. The engine executes the vulnerability shielding method and can dynamically instrument the vulnerability of the running Python application in order to shield it.
Those skilled in the art will understand that, besides the system, the security maintainer may also operate other operable objects of the client, such as other application programs, to implement the functions performed by the server in the scenario of Fig. 1, such as outputting configuration management information, outputting a vulnerability shielding plug-in, and receiving information that a vulnerability is attacked; the embodiments are not limited in this respect.
Because there is no server, the configuration management information, the vulnerability shielding plug-in and the attack information in this scenario need no network transmission, and the vulnerability shielding engine is simpler to deploy.
The vulnerability shielding method can be used not only for vulnerability shielding of Python applications in general, but also for detecting, alarming on, intercepting and repairing vulnerabilities in scenarios such as Python-based network services on Windows and Linux platforms and vulnerability shielding of resident application processes.
Fig. 3 shows a schematic diagram of a flow of a vulnerability shielding method according to an embodiment of the application.
As shown in Fig. 3, in one possible implementation the present application provides a vulnerability shielding method applied to a vulnerability shielding engine integrated in a Python application on a client. The method includes steps S31-S33:
Step S31: receiving a vulnerability shielding plug-in, which includes relevant information of a vulnerability function and relevant information of a shielding function, the shielding function being used to detect whether the vulnerability function is attacked or to repair the vulnerability function;
Step S32: generating a template function from the vulnerability shielding plug-in, wherein, when the shielding function is used to repair the vulnerability function, the template function calls the shielding function to repair the vulnerability function when executed;
Step S33: replacing the attributes of a backup function with the attributes of the vulnerability function, and replacing the attributes of the vulnerability function with the attributes of the template function, the backup function being a backup of the vulnerability function.
For example, the vulnerability shielding method can be executed during the vulnerability exposure period of the Python application. First, in step S31, the vulnerability shielding engine receives a vulnerability shielding plug-in. The source and generation of the plug-in are described above and are not repeated here.
Fig. 4 illustrates one example of a vulnerability shielding plug-in according to an embodiment of the present application.
As shown in Fig. 4, the vulnerability shielding plug-in may include a configuration file (policy) describing the relevant information of the vulnerability function and a script describing the relevant information of the shielding function. The relevant information of the vulnerability function includes the module, class, function name, parameters, shielding position and shielding mode of the vulnerability function; the relevant information of the shielding function includes the module, class, function name and parameters of the shielding function. The shielding position is one of the start position, end position and exception handling position of the vulnerability function, and the shielding mode is one of a whole-function replacement mode, a regular-expression matching detection mode, a keyword matching detection mode and a script function detection mode.
Module, class, function name and parameters are common concepts in the Python language and are not described in detail here. The shielding position and shielding mode determine the shielding strategy. The shielding position may be any position at which it can be detected whether the vulnerability function is attacked: an attack usually arrives in the form of parameters, and the position where the parameters enter the vulnerability function is the start position; if parameters carrying an attack enter the vulnerability function, its return value is abnormal, and the position of the return value is the end position; and the Python application may use an exception handling statement (try-except), whose position is the exception handling position. Since each of these positions allows detecting whether the vulnerability function is attacked, the shielding position may be included in the relevant information of the vulnerability function.
The shielding modes follow two ideas. The first is to repair the vulnerability function; the shielding mode under this idea is whole-function replacement, in which the shielding function is a bug-free function that directly replaces the vulnerability function. Even if the shielding function is attacked, it has no vulnerability, so the security of the application is not affected.
The second idea is to detect whether the vulnerability function is attacked; the shielding modes under this idea include the regular-expression matching detection mode, the keyword matching detection mode and the script function detection mode. The regular-expression matching detection mode specifies a regular expression (here, the code at the shielding position), the string to be processed (here, the code of the vulnerability function) and a matching mode (any existing matching mode, such as multi-line matching, may be used); the string at the corresponding shielding position in the vulnerability function is located and compared with the expected value to decide whether it is attacked. The keyword matching detection mode provides keywords (here, the code at the shielding position) and the detected object (here, the code of the vulnerability function); the string at the corresponding shielding position is located in the vulnerability function and compared with the expected value. The script function detection mode provides an address to be detected (here, the address of the shielding position), uses it to locate the string at the corresponding shielding position in the vulnerability function, and compares it with the expected value to decide whether it is attacked.
Those skilled in the art will understand that the shielding positions and shielding modes listed above are only examples. Any position at which it can be detected whether the vulnerability function is attacked may serve as a shielding position, and any shielding mode indicating the vulnerability shielding strategy may be used; the embodiments do not limit their specific contents.
Because the information carried by the vulnerability shielding plug-in is usually fixed across different versions of an open source component, there is no need to write a shielding function and determine a shielding strategy for each version, which greatly reduces the difficulty of writing the plug-in.
From the vulnerability shielding plug-in, the vulnerability shielding engine may create a hash queue in memory to store all the information in the plug-in as strings. The engine may also create a priority queue that stores, for each vulnerability function involved, its shielding position, shielding mode and so on. If a vulnerability function involves several shielding positions, each position and its corresponding shielding mode may be stored in the priority queue according to the priority of the position.
In step S32, the template function is generated from the vulnerability shielding plug-in. This can be done automatically by the engine, so the template function need not be written by hand and the burden on security maintenance personnel is reduced. The template function may, for example, be a hook function, which associates the vulnerability function with the template function; the association differs according to the purpose of the shielding function. For example, when the shielding function is used to repair the vulnerability function, the template function calls the shielding function to repair the vulnerability function when executed. Other ways of associating the vulnerability function with the template function are described further below.
Since everything in the Python language is an object, a function is also an object, and its attributes can be modified and replaced. Therefore, when the vulnerability shielding engine is integrated in the Python application, it can replace the attributes of functions in step S33. Fig. 5 shows a schematic diagram of replacing function attributes according to an embodiment of the application.
As shown in Fig. 5, the attributes of the backup function are replaced with those of the vulnerability function, and the attributes of the vulnerability function are replaced with those of the template function; the backup function is a backup of the vulnerability function. The attribute replacement of the backup function is completed first and that of the vulnerability function afterwards. Once the attributes of the vulnerability function have been replaced with those of the template function, executing the vulnerability function in the Python application executes the template function, i.e. the original parameters of the vulnerability function are passed into the template function. When the shielding function is used to repair the vulnerability function, the template function can be called to repair the vulnerability function, giving the vulnerability shielding capability. Whether this capability is active is determined by whether the vulnerability shielding plug-in is enabled; examples are given in the related description below.
Since the attributes of the vulnerability function are replaced with those of the template function, the vulnerability function itself can no longer be executed even when the vulnerability shielding capability is not enabled. For this reason the attributes of the backup function are replaced with those of the vulnerability function, so that the backup function becomes a backup of the vulnerability function: when the vulnerability function itself should be executed without jumping to the template function, the backup function is executed directly, with the same effect as executing the vulnerability function itself. Examples are given in the related description below.
According to the vulnerability shielding method of the embodiments, receiving the vulnerability shielding plug-in yields the relevant information of the vulnerability function and of the shielding function that it carries. The template function is generated from the plug-in, so it need not be written by hand, reducing the burden on security maintenance personnel. Because the vulnerability shielding engine is integrated in the Python application, it can replace function attributes using the capabilities of the Python language: the attributes of the vulnerability function are replaced with those of the template function, so that the Python application executes the template function instead whenever it executes the vulnerability function, and no instrumentation points need to be preset for different vulnerability functions, which achieves dynamic instrumentation of the vulnerability function. The shielding function either detects whether the vulnerability function is attacked or repairs it; in the latter case the template function calls the shielding function to repair the vulnerability function when executed, so executing the template function shields the vulnerability. The shielding function is thus loaded in the manner of a hot patch: the Python application need not be restarted each time and the business code need not be recompiled, so the service is not interrupted.
The backup function is a backup of the vulnerability function, and its attributes are replaced with those of the vulnerability function, so that when the Python application needs to execute the vulnerability function, executing the backup function achieves the same effect. In summary, the vulnerability shielding method of the embodiments can dynamically instrument the vulnerability of a running Python application in order to shield it. The application is not restarted and the service is not interrupted, the vulnerability exposure period can be shortened, and the vulnerability shielding effect can be improved.
Further, in one example, for vulnerabilities in open source components of Python applications with a common vulnerability scoring system (CVSS) score above 7 from 2019 to September 2021, vulnerability shielding can be implemented with the vulnerability shielding engine for the ten most frequent attack classes: cross-site scripting (XSS), structured query language (SQL) injection, missing input validation, operating system (OS) command injection, directory traversal, dangerous file upload, deserialization, command injection, server-side request forgery (SSRF) and code injection.
In one example, performance testing showed that the client's performance overhead after loading the vulnerability shielding plug-in increases only slightly compared with before loading, and the increase in central processing unit (CPU) occupancy is less than 2%.
In one possible implementation, when the shielding function is used to detect whether the vulnerability function is attacked, the template function is used to:
call the shielding function when the vulnerability function is executed, output the detected information when the vulnerability function is detected to be attacked, and call the backup function when the vulnerability function is detected not to be attacked.
For example, besides repairing the vulnerability function as described above, another use of the shielding function is to detect whether the vulnerability function is attacked. In that case the association between the vulnerability function and the template function is that the template function, when executed, calls the shielding function and outputs the detected information when an attack on the vulnerability function is detected. When an attack is detected, executing the vulnerability function is unsafe; the Python application may then suspend execution of the business code, or may proceed to the next function in the business code; the application is not limited in this respect.
When the vulnerability function is detected not to be attacked, it is safe to execute, but its attributes have been replaced and it can no longer be called; to achieve the same effect the backup function is called instead. That is, when the shielding function is used to detect whether the vulnerability function is attacked, the template function also calls the backup function when no attack is detected.
In this way vulnerability shielding can be achieved by attack detection, making the shielding mode more flexible.
In one possible implementation, the method further includes:
when the vulnerability shielding plug-in is enabled, executing the template function when the Python application runs to the vulnerability function;
when the vulnerability shielding plug-in is not enabled, executing the backup function when the Python application runs to the vulnerability function.
For example, shielding one or several vulnerability functions based on the plug-in is mainly performed during their vulnerability exposure period; after that period ends, shielding based on the plug-in may no longer be needed. There may also be situations in which the vulnerability function itself should be executed without jumping to the template function.
For this purpose, whether the vulnerability function is shielded based on the plug-in can be expressed by whether the plug-in is enabled. When the plug-in is enabled, the template function is executed when the Python application runs to the vulnerability function, shielding the vulnerability; when it is not enabled, the backup function is executed directly. Because the backup function has the same attributes as the vulnerability function, the execution effect is unchanged.
In this way the vulnerability shielding engine can shield vulnerability functions more selectively, and its working mode is more flexible.
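As an added illustration of steps S31-S33, of the detection use of the template function, and of the enable/disable switch described above (example code, not the patent's own), the following Python sketch generates a template (hook) function from a plug-in policy, builds a backup function carrying the vulnerability function's attributes, and swaps the vulnerability function's `__code__` so that every existing reference now runs the template. The engine names (`REGISTRY`, `load_plugin`, `TEMPLATE_SRC`), the policy keys, and the stand-in vulnerable functions are assumptions; the `__code__` swap is one way to realise the attribute replacement the patent describes, not necessarily the patent's own.

```python
import importlib
import re
import types

REGISTRY = {}                           # plug-in key -> entry shared with the template code
REGISTRY_NAME = "__shield_registry__"   # reserved global injected into the hooked module

# Template (hook) source generated per vulnerability function. It must not be a closure:
# after the __code__ swap it runs with the vulnerable function's own globals, so it finds
# its plug-in entry through the injected registry and a key baked into the source.
TEMPLATE_SRC = '''
def __shield_template__(*args, **kwargs):
    entry = __shield_registry__[{key!r}]
    backup, shield = entry["backup"], entry["shield"]
    if not entry["enabled"]:            # plug-in disabled: behave like the original
        return backup(*args, **kwargs)
    if entry["mode"] == "replace":      # whole-function replacement: shield is the fixed body
        return shield(*args, **kwargs)
    if entry["position"] == "start":    # detect on the incoming parameters
        if shield((args, kwargs)):
            entry["alarms"].append(("start", args, kwargs))
            return None                 # attacked: the vulnerable body is skipped
        return backup(*args, **kwargs)
    if entry["position"] == "end":      # detect on the return value
        result = backup(*args, **kwargs)
        if shield(result):
            entry["alarms"].append(("end", result))
            return None
        return result
    try:                                # "exception" position: detect on a raised exception
        return backup(*args, **kwargs)
    except Exception as exc:
        if shield(exc):
            entry["alarms"].append(("exception", repr(exc)))
            return None
        raise
'''

def _backup_of(func):
    """Backup function: a new function object carrying the vulnerable function's attributes."""
    backup = types.FunctionType(func.__code__, func.__globals__, func.__name__,
                                func.__defaults__, func.__closure__)
    backup.__kwdefaults__ = func.__kwdefaults__
    backup.__qualname__, backup.__doc__ = func.__qualname__, func.__doc__
    backup.__dict__.update(func.__dict__)
    return backup

def _build_shield(policy, script_fn):
    """Shielding function for the plug-in's shielding mode (regex / keyword / script / replace)."""
    mode = policy["mode"]
    if mode == "regex":
        pattern = re.compile(policy["pattern"])
        return lambda probe: pattern.search(str(probe)) is not None
    if mode == "keyword":
        return lambda probe: policy["keyword"] in str(probe)
    if mode in ("script", "replace") and callable(script_fn):
        return script_fn                # the plug-in's script supplies the function
    raise ValueError(f"unsupported shielding mode {mode!r}")

def load_plugin(policy, script_fn=None):
    """S31-S33: resolve the vulnerable function, back it up, generate and install the template."""
    module = importlib.import_module(policy["module"])      # returns sys.modules entry if loaded
    owner = getattr(module, policy["class"]) if policy.get("class") else module
    func = getattr(owner, policy["name"])
    if func.__code__.co_freevars:
        raise ValueError("closures cannot be hooked by __code__ replacement")
    key = "{}.{}.{}".format(policy["module"], policy.get("class") or "", policy["name"])
    entry = {"enabled": False, "backup": _backup_of(func),
             "shield": _build_shield(policy, script_fn),
             "mode": policy["mode"], "position": policy.get("position"), "alarms": []}
    REGISTRY[key] = entry
    func.__globals__[REGISTRY_NAME] = REGISTRY
    namespace = {}
    exec(TEMPLATE_SRC.format(key=key), namespace)
    func.__code__ = namespace["__shield_template__"].__code__
    func.__defaults__ = func.__kwdefaults__ = None   # the template takes *args/**kwargs
    return entry

# Constructed stand-ins for vulnerable open-source APIs (not real vulnerabilities).
def lookup(query):
    return "lookup:" + query

def greet(name, punct="!"):
    return "hi " + name + punct

def fixed_greet(name, punct="!"):       # the plug-in script: a bug-free replacement body
    return "hello " + name + punct

def demo():
    # Plug-in 1: regex detection at the start position of lookup(); the pattern is a toy.
    det = load_plugin({"module": __name__, "name": "lookup", "mode": "regex",
                       "position": "start", "pattern": r"(?i)\bor\s+1\s*=\s*1"})
    # Plug-in 2: whole-function replacement of greet() by fixed_greet().
    rep = load_plugin({"module": __name__, "name": "greet", "mode": "replace"}, fixed_greet)
    disabled = (lookup("id=7"), greet("bob"))            # not enabled: backups run
    det["enabled"] = rep["enabled"] = True
    enabled = (lookup("id=7"), lookup("id=7 OR 1=1"), greet("bob"))
    return disabled, enabled, len(det["alarms"])
```

Note that `greet("bob")` keeps its default argument through the backup even though the hooked function's own defaults were cleared, because the backup was given the original `__defaults__` before the swap.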
In one possible implementation, when the shielding mode of the vulnerability function is the whole-function replacement mode, the shielding function is used to repair the vulnerability function and the shielding position field of the vulnerability function is invalid;
when the shielding mode of the vulnerability function is one of the regular-expression matching detection mode, the keyword matching detection mode and the script function detection mode, the shielding function is used to detect whether the vulnerability function is attacked and the shielding position field of the vulnerability function is valid;
when the shielding position field is valid and contains the end position or the exception handling position of the vulnerability function, the parameter field of the vulnerability function is invalid.
For example, the module, class, function name, parameters, shielding position and shielding mode of the vulnerability function, and the module, class, function name and parameters of the shielding function, may each have a corresponding field in the vulnerability shielding plug-in. Not all fields need be valid; which fields are valid depends on the shielding mode of the vulnerability function.
For example, when the shielding mode is whole-function replacement, the operation at a specific shielding position no longer matters: the shielding position field may be invalid and the remaining fields valid.
As another example, when the shielding mode is one of the regular-expression matching detection mode, the keyword matching detection mode and the script function detection mode, the shielding function is used to detect whether the vulnerability function is attacked and a specific shielding position must be attended to, so the shielding position field may be valid.
Further, when the shielding position field is valid and contains the start position of the vulnerability function, the shielding strategy focuses on the parameters of the vulnerability function, so the parameter field of the vulnerability function may be valid. When it contains the end position, the strategy focuses on the return value rather than the parameters, so the parameter field may be invalid. When it contains the exception handling position, the strategy focuses on the exception handling statement rather than the parameters, so the parameter field may likewise be invalid.
In this way the information that must be processed to perform vulnerability shielding is further reduced.
In one possible implementation, step S32 includes:
selecting a matching template function from a preset template function library according to the masking position and masking mode of the vulnerability function;
the template function comprises an outer layer function and an inner layer function, wherein the relevant information of the vulnerability function and the relevant information of the masking function are used as the inputs of the outer layer function, and the return value of the inner layer function is used as the return value of the outer layer function;
the parameters of the vulnerability function, the relevant information of the vulnerability function and the relevant information of the masking function are used as the inputs of the inner layer function, and the call result of the masking function is used as the return value of the inner layer function.
For example, the vulnerability function may have many possible masking positions and many possible masking modes, and the matching template function may differ for each combination of masking position and masking mode. For this, a template function library may be preset according to the combinations of masking position and masking mode allowed by the masking strategy. FIG. 6a shows a schematic diagram of a template function library according to an embodiment of the application.
As shown in fig. 6a, the masking position is one of the start position, the end position and the exception handling position of the vulnerability function, and the masking mode is one of the whole-function replacement mode, the regular matching detection mode, the keyword matching detection mode and the script function detection mode. Each masking position can be combined with one of the regular matching detection mode, the keyword matching detection mode and the script function detection mode, giving 9 masking strategies, and the whole-function replacement mode corresponds to 1 masking strategy, so 10 template functions (template function 1 to template function 10) can be preset in the template function library, each corresponding to 1 masking strategy. During selection, the corresponding template function is selected according to the masking position and the masking mode.
The use of the template function has been described above and will not be described in detail here. Possible forms of template functions are described below. Fig. 6b shows a schematic representation of the form of a template function according to an embodiment of the application.
As shown in fig. 6b, the template function may include an outer layer function and an inner layer function. The relevant information of the vulnerability function and the relevant information of the masking function are taken as the inputs of the outer layer function, and the return value of the inner layer function is taken as the return value of the outer layer function. The two pieces of relevant information may be input to the outer layer function together as a single character string (equivalent to a function identifier); inside the outer layer function, the character string is decomposed into the relevant information of the masking function and the relevant information of the vulnerability function (that is, two character strings are separated from one) and passed to the inner layer function. Because the template function is a composite function, the return value of the inner layer function is also the return value of the outer layer function.
The parameters of the vulnerability function, the relevant information of the vulnerability function and the relevant information of the masking function are taken as the inputs of the inner layer function, and the call result of the masking function is taken as the return value of the inner layer function. A parameter dictionary may be provided in the inner layer function, indicating each parameter and its type; possible types include positional parameters, keyword parameters, extended positional parameters (args), extended keyword parameters (kwargs), mixed parameters and the like. By identifying the parameter types, the parameter dictionary splits the parameters and passes them to the called masking function. The call result of the masking function may take three forms. First, when the masking function is used to patch the vulnerability function, the execution result of the masking function itself is the call result. Second, when the masking function is used to detect whether the vulnerability function is attacked and an attack is detected, the detection information is the call result of the masking function. Third, when the masking function is used to detect whether the vulnerability function is attacked, no attack is detected and the backup function is called, the call result of the backup function is the call result of the masking function.
In this way, the passing of parameters can be accomplished.
In one possible implementation, under the condition that the vulnerability mask plug-in is enabled, when the Python application runs to the vulnerability function, executing the template function includes:
under the condition that the vulnerability shielding plug-in is enabled, inquiring whether the vulnerability function is occupied or not when the Python application program runs to the vulnerability function;
and when the vulnerability function is not occupied, occupying the vulnerability function and executing the template function.
FIG. 7 illustrates a schematic diagram of executing a template function when a Python application runs into a vulnerability function, according to an embodiment of the application.
For example, as shown in FIG. 7, the Python application may include a business thread and, after the vulnerability mask engine is integrated, an engine thread as well. The business thread may itself execute functions in a loop, e.g., function A, function B, function C and function D in turn, and a function is occupied while it is being executed. When the vulnerability mask engine masks a certain vulnerability function, it also occupies that vulnerability function (object). It may be stipulated that the same function (object) can be occupied by only one thread at a time.
On this basis, when the vulnerability mask plug-in is enabled and the Python application runs to the vulnerability function, whether the vulnerability function is occupied may be queried first; when the vulnerability function is not occupied, it is occupied and the template function is executed. While the template function is being executed, the business thread cannot occupy the vulnerability function again.
In this way, thread conflicts in the Python application can be avoided.
In one possible implementation, the attributes are stored in the form of a C structure and include at least the function code, the global variables used within the function, the closure relationships and the method code.
For example, currently mainstream Python implementations are mostly based on the C language. Thus, a Python function (object) can be described by a C structure and replaced with another function (object). The attributes may include at least the function code, the global variables used within the function (func_globals), the closure relationships (func_closure) and the method code (func_code). Those skilled in the art will appreciate that the attributes may include more items as long as they relate to the function, and the embodiments of the present application do not limit the specific contents of the attributes.
In this way, the vulnerability masking method can support the various flexible usage patterns of the Python language.
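The template function with its outer and inner layers, the parameter dictionary, the per-function occupancy and the attribute swap described above, modelled in pure Python as an added example that is not the patent's own code. REGISTRY, render_greeting, detect_format_abuse, the state passed through __kwdefaults__ and the sample inputs are assumptions; pure Python can rewrite __code__ and __kwdefaults__ but not __globals__ or __closure__, so the example covers only closure-free functions in one module, where the patent replaces the C-level function structure.

```python
import inspect
import re
import threading
import types

# Constructed stand-ins for the plug-in's module/class/function-name lookup and
# for the engine's bookkeeping; none of these names come from the patent.
REGISTRY = {}   # "module.function" identifier -> function object
BACKUPS = {}    # vulnerability identifier -> backup carrying the original attributes
STATES = {}     # vulnerability identifier -> state attached to the template's inner function


def render_greeting(template, user, *extra, **opts):
    """Constructed vulnerability function: formats attacker-influenced text."""
    return template.format(user=user, extra=extra, **opts)


def detect_format_abuse(params, vuln_id):
    """Constructed masking function (regular matching detection at the start position):
    returns detection information when a parameter matches, otherwise None."""
    pattern = re.compile(r"\{[^}]*__")          # attribute traversal inside a format field
    for name, entry in params.items():
        for value in _entry_values(entry):
            if isinstance(value, str) and pattern.search(value):
                return {"detected": True, "function": vuln_id, "param": name}
    return None


REGISTRY["app.views.render_greeting"] = render_greeting
REGISTRY["plugin.detect_format_abuse"] = detect_format_abuse


def build_param_dict(func, args, kwargs):
    """Parameter dictionary of the inner function: each parameter of the vulnerability
    function with its kind (positional, keyword-only, *args, **kwargs) and bound value."""
    sig = inspect.signature(func)
    bound = sig.bind(*args, **kwargs)
    bound.apply_defaults()
    return {name: {"kind": sig.parameters[name].kind.name, "value": value}
            for name, value in bound.arguments.items()}


def _entry_values(entry):
    """Split one parameter-dictionary entry into the plain values it carries."""
    if entry["kind"] == "VAR_POSITIONAL":
        return entry["value"]
    if entry["kind"] == "VAR_KEYWORD":
        return entry["value"].values()
    return (entry["value"],)


def template_detect_start(identifier):
    """Outer layer function of the template for 'start position + detection mode'.
    It takes 'vuln_id|mask_id' as one string, splits it and returns the inner layer
    function. The inner function receives its state through __kwdefaults__ rather than
    a closure, so its code object has no free variables and can later be written into
    the vulnerability function's __code__."""
    vuln_id, mask_id = identifier.split("|", 1)
    state = {"vuln_id": vuln_id, "mask": REGISTRY[mask_id],
             "enabled": True, "lock": threading.RLock()}
    STATES[vuln_id] = state

    def inner(*args, _shield=None, **kwargs):
        st = _shield
        backup = BACKUPS[st["vuln_id"]]
        if not st["enabled"]:                   # plug-in disabled: run the backup directly
            return backup(*args, **kwargs)
        with st["lock"]:                        # occupy the function object for this thread
            params = build_param_dict(backup, args, kwargs)
            info = st["mask"](params, st["vuln_id"])
            if info is not None:
                return info                     # attacked: the detection information
            return backup(*args, **kwargs)      # not attacked: the backup's result

    inner.__kwdefaults__ = {"_shield": state}
    return inner


def shield(vuln_id, inner):
    """Attribute swap: the backup receives the vulnerability function's attributes and
    the vulnerability function receives the template's, so every existing reference to
    the function object now executes the template without being rebound."""
    vuln = REGISTRY[vuln_id]
    backup = types.FunctionType(vuln.__code__, vuln.__globals__, vuln.__name__,
                                vuln.__defaults__, vuln.__closure__)
    backup.__kwdefaults__ = vuln.__kwdefaults__
    BACKUPS[vuln_id] = backup
    # CPython accepts the __code__ assignment only when both code objects have the same
    # number of free variables; the inner code then runs under vuln.__globals__, so it
    # may use only names reachable from there (one module here).
    vuln.__code__ = inner.__code__
    vuln.__defaults__ = inner.__defaults__
    vuln.__kwdefaults__ = dict(inner.__kwdefaults__)


def set_enabled(vuln_id, flag):
    """Enable or disable the plug-in for one vulnerability function."""
    STATES[vuln_id]["enabled"] = flag


shield("app.views.render_greeting",
       template_detect_start("app.views.render_greeting|plugin.detect_format_abuse"))
```

After the swap, a call such as render_greeting("{user.__class__}", "alice") returns the detection dictionary instead of the formatted text, while set_enabled(..., False) routes calls straight to the backup.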
In one possible implementation, the method further includes:
storing the vulnerability function, the masking function, the backup function and the template function respectively in the memory of the Python application, with address space management performed by the Python application.
For example, the address of the vulnerability function may be stored in memory for address management when the vulnerability mask plug-in is received. The masking function, the backup function and the template function are all generated while the vulnerability masking method is executed, and the method is executed by the vulnerability mask engine within the Python application, so the newly generated functions can each be stored in the memory of the Python application and managed using the Python language's own object address management.
By managing the address space of the vulnerability function, the masking function, the backup function and the template function (objects) uniformly, the automatic address reclamation mechanism of the Python application avoids reassigning addresses in a way that would cause address conflicts between function (objects).
The application further provides a vulnerability shielding engine, and fig. 8 shows an exemplary structural schematic diagram of the vulnerability shielding engine according to an embodiment of the application.
As shown in fig. 8, the vulnerability mask engine is integrated in a Python application program of a client, and the vulnerability mask engine includes:
A plug-in receiving module 80, configured to receive a vulnerability mask plug-in, where the vulnerability mask plug-in includes relevant information of a vulnerability function and relevant information of a mask function, where the mask function is used to detect whether the vulnerability function is attacked or to patch the vulnerability function;
A function generating module 81, configured to generate a template function according to the vulnerability mask plug-in, where the mask function is used to patch the vulnerability function, and the template function is used to call the mask function to patch the vulnerability function when executed;
And the attribute replacing module 82 is configured to replace an attribute of a backup function with an attribute of the vulnerability function, and replace the attribute of the vulnerability function with an attribute of the template function, where the backup function is a backup of the vulnerability function.
The functions performed by the plug-in receiving module, the function generating module and the attribute replacing module may be the same as those of the instrumentation module described above in connection with fig. 2.
In one possible implementation manner, when the mask function is used to detect whether the vulnerability function is attacked, the template function is used to:
And calling the shielding function when the vulnerability function is executed, outputting detected information when the vulnerability function is detected to be attacked, and calling the backup function when the vulnerability function is detected to be not attacked.
In one possible implementation, the vulnerability mask engine further includes:
A masking module, configured to execute the template function when the Python application runs to the vulnerability function under a condition that the vulnerability mask plug-in is enabled; and under the condition that the vulnerability shielding plug-in is not enabled, executing the backup function when the Python application program runs to the vulnerability function.
The function performed by the shielding module may be the same as the function of the shielding module described in relation to fig. 2 above.
In one possible implementation manner, the relevant information of the vulnerability function includes a module, a class, a function name, a parameter, a shielding position and a shielding manner of the vulnerability function; the related information of the shielding function comprises a module, a class, a function name and a parameter of the shielding function; the masking positions comprise one of a starting position, an ending position and an exception handling position of the vulnerability function, and the masking modes comprise one of a function integral replacement mode, a regular matching detection mode, a keyword matching detection mode and a script function detection mode.
In one possible implementation, when the masking mode of the vulnerability function is the whole-function replacement mode, the masking function is used to patch the vulnerability function, and the masking position field of the vulnerability function is invalid; when the masking mode of the vulnerability function is one of the regular matching detection mode, the keyword matching detection mode and the script function detection mode, the masking function is used to detect whether the vulnerability function is attacked, and the masking position field of the vulnerability function is valid; when the masking position field is valid and includes one of the end position and the exception handling position of the vulnerability function, the parameter field of the vulnerability function is invalid.
In one possible implementation manner, the generating a template function according to the vulnerability mask plugin includes:
Selecting a matched template function from a preset template function library according to the shielding position and shielding mode of the vulnerability function;
The template function comprises an outer layer function and an inner layer function, the relevant information of the vulnerability function and the relevant information of the shielding function are used as inputs of the outer layer function, and a return value of the inner layer function is used as a return value of the outer layer function;
and taking the parameters of the vulnerability function, the relevant information of the vulnerability function and the relevant information of the masking function as the inputs of the inner layer function, and taking the call result of the masking function as the return value of the inner layer function.
In one possible implementation, under a condition that the vulnerability mask plug-in is enabled, when the Python application runs to the vulnerability function, executing the template function includes:
Under the condition that the vulnerability shielding plug-in is enabled, inquiring whether the vulnerability function is occupied or not when the Python application program runs to the vulnerability function;
and occupying the vulnerability function when the vulnerability function is not occupied, and executing the template function.
In one possible implementation, the attributes are stored in a C-structure form, and include at least function code, global variables used within the function, closure relationships, and method code.
In one possible implementation, the vulnerability mask engine further includes:
and the address management module is used for respectively storing the vulnerability function, the shielding function, the backup function and the template function into the memory of the Python application program, and carrying out address space management by the Python application program.
Those skilled in the art will appreciate that the vulnerability mask engine may also include further modules, such as the alarm processing module described above in connection with FIG. 2, etc., as embodiments of the present application are not limited in this regard.
An embodiment of the present application provides an electronic apparatus including: a processor and a memory for storing processor-executable instructions; wherein the processor is configured to implement the above-described method when executing the instructions.
Fig. 9 shows an exemplary structural diagram of an electronic device according to an embodiment of the present application.
As shown in fig. 9, the electronic device, acting as the client, may include at least one of a mobile phone, a foldable electronic device, a tablet computer, a desktop computer, a laptop computer, a handheld computer, a notebook computer, a smart speaker with a screen, an ultra-mobile personal computer (UMPC), a netbook, an augmented reality (AR) device, a virtual reality (VR) device, an artificial intelligence (AI) device, an unmanned aerial vehicle, a vehicle-mounted device, a smart home device or a smart city device. The embodiment of the application does not limit the specific type of the electronic device.
The electronic device may include a processor 110, an internal memory 121, a communication module 160, and the like.
The processor 110 may include one or more processing units; for example, the processor 110 may include an application processor (AP), a modem processor, a graphics processing unit (GPU), an image signal processor (ISP), a controller, a video codec, a digital signal processor (DSP), a baseband processor and/or a neural-network processing unit (NPU), etc. The different processing units may be separate devices or may be integrated in one or more processors. For example, the processor 110 may execute the template function and the like of an embodiment of the present application to implement the vulnerability masking method of an embodiment of the present application.
A memory may also be provided in the processor 110 for storing instructions and data. In some embodiments, the memory in the processor 110 may be a cache memory. This memory may hold instructions or data that the processor 110 has just used or uses repeatedly, such as the masking position and masking mode in embodiments of the present application. If the processor 110 needs to use such an instruction or data again, it can be fetched directly from this memory, which avoids repeated accesses, reduces the waiting time of the processor 110 and thereby improves the efficiency of the system.
In some embodiments, the processor 110 may include one or more interfaces. The interfaces may include an inter-integrated circuit (I2C) interface, a universal asynchronous receiver/transmitter (UART) interface, a general-purpose input/output (GPIO) interface and the like. The processor 110 may be connected to modules such as the wireless communication module, the display and the camera through at least one of the above interfaces.
The memory 121 may be used to store computer-executable program code, which includes instructions. The memory 121 may include a program storage area and a data storage area. The program storage area may store an application program required for at least one function of the operating system (e.g., the Python application). The data storage area may store data created during use of the electronic device (e.g., template functions, backup functions) and the like. In addition, the memory 121 may include a high-speed random access memory and may also include a non-volatile memory such as at least one magnetic disk storage device, a flash memory device or a universal flash storage (UFS). The processor 110 performs the various functional methods or data processing of the electronic device by executing instructions stored in the memory 121 and/or instructions stored in the memory provided in the processor.
The communication module 160 may be configured to receive data from other devices or apparatuses (e.g., the server in an embodiment of the present application) through wired or wireless communication. For example, wireless communication solutions including WLAN (e.g., a Wi-Fi network), Bluetooth (BT), global navigation satellite system (GNSS), frequency modulation (FM), near field communication (NFC), infrared (IR) and the like may be provided for application on the electronic device. The communication module 160 may also use a wired communication scheme when the electronic device is connected to other apparatuses or devices.
It should be understood that the architecture illustrated by embodiments of the present application is not intended to constitute a particular limitation of computing devices. In other embodiments of the application, the computing device may include more or less components than illustrated, or certain components may be combined, or certain components may be split, or different arrangements of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
Embodiments of the present application provide a non-transitory computer readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the above-described method.
Embodiments of the present application provide a computer program product comprising a computer readable code, or a non-transitory computer readable storage medium carrying computer readable code, which when run in a processor of an electronic device, performs the above method.
The computer readable storage medium may be a tangible device that can hold and store instructions for use by an instruction execution device. The computer readable storage medium may be, for example, but not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium include the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a static random access memory (SRAM), a portable compact disc read-only memory (CD-ROM), a digital versatile disc (DVD), a memory stick, a floppy disk, a mechanically encoded device such as punch cards or raised structures in a groove having instructions recorded thereon, and any suitable combination of the foregoing.
The computer readable program instructions or code described herein may be downloaded from a computer readable storage medium to a respective computing/processing device or to an external computer or external storage device over a network, such as the internet, a local area network, a wide area network, and/or a wireless network. The network may include copper transmission cables, fiber optic transmissions, wireless transmissions, routers, firewalls, switches, gateway computers and/or edge servers. The network interface card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium in the respective computing/processing device.
The computer program instructions for carrying out operations of the present application may be assembler instructions, instruction set architecture (ISA) instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, state-setting data, or source code or object code written in any combination of one or more programming languages, including an object-oriented programming language such as Smalltalk or C++ and conventional procedural programming languages such as the "C" language or similar programming languages. The computer readable program instructions may be executed entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computer (e.g., through the internet using an internet service provider). In some embodiments, aspects of the application are implemented by personalizing electronic circuitry, such as programmable logic circuitry, field-programmable gate arrays (FPGA) or programmable logic arrays (PLA), with state information of the computer readable program instructions.
Various aspects of the present application are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions.
These computer readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer readable program instructions may also be stored in a computer readable storage medium that can direct a computer, programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer readable medium having the instructions stored therein includes an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer, other programmable apparatus or other devices implement the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.
It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by hardware, such as circuits or application-specific integrated circuits (ASIC), which perform the corresponding functions or acts, or by combinations of hardware and software, such as firmware and the like.
Although the invention is described herein in connection with various embodiments, other variations to the disclosed embodiments can be understood and effected by those skilled in the art in practicing the claimed invention, from a study of the drawings, the disclosure, and the appended claims. In the claims, the word "comprising" does not exclude other elements or steps, and the "a" or "an" does not exclude a plurality. A single processor or other unit may fulfill the functions of several items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.
The foregoing description of embodiments of the application has been presented for purposes of illustration and description, and is not intended to be exhaustive or limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope of the various embodiments described. The terminology used herein was chosen in order to best explain the principles of the embodiments, the practical application, or the improvement of technology in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

Claims (13)

1. A vulnerability shielding method, wherein the method is applied to a vulnerability shielding engine, the vulnerability shielding engine is integrated in a Python application program of a client, and the method comprises:
Receiving a vulnerability shielding plug-in, wherein the vulnerability shielding plug-in comprises relevant information of a vulnerability function and relevant information of a shielding function, and the shielding function is used for detecting whether the vulnerability function is attacked or used for repairing the vulnerability function;
generating a template function according to the vulnerability shielding plug-in, wherein the template function is used for calling the shielding function to repair the vulnerability function when being executed when the shielding function is used for repairing the vulnerability function;
and replacing the attribute of the backup function with the attribute of the vulnerability function, and replacing the attribute of the vulnerability function with the attribute of the template function, wherein the backup function is a backup of the vulnerability function.
2. The method of claim 1, wherein when the masking function is used to detect whether the vulnerability function is attacked, the template function is used to:
And calling the shielding function when the vulnerability function is executed, outputting detected information when the vulnerability function is detected to be attacked, and calling the backup function when the vulnerability function is detected to be not attacked.
3. The method according to claim 1 or 2, characterized in that the method further comprises:
executing the template function when the Python application program runs to the vulnerability function under the condition that the vulnerability shielding plug-in is enabled;
And under the condition that the vulnerability shielding plug-in is not enabled, executing the backup function when the Python application program runs to the vulnerability function.
4. A method according to any of claims 1-3, wherein the relevant information of the vulnerability function comprises a module, class, function name, parameter, masking position, masking mode of the vulnerability function;
The related information of the shielding function comprises a module, a class, a function name and a parameter of the shielding function;
The masking positions comprise one of a starting position, an ending position and an exception handling position of the vulnerability function, and the masking modes comprise one of a function integral replacement mode, a regular matching detection mode, a keyword matching detection mode and a script function detection mode.
5. The method of claim 4, wherein when the masking mode of the vulnerability function is the whole function replacement mode, the masking function is used for patching the vulnerability function, and a masking position field of the vulnerability function is invalid;
The shielding mode of the vulnerability function is one of the regular matching detection mode, the keyword matching detection mode and the script function detection mode, the shielding function is used for detecting whether the vulnerability function is attacked or not, and a shielding position field of the vulnerability function is effective;
The mask location field is valid and includes one of an end location and an exception handling location of the vulnerability function, and a parameter field of the vulnerability function is invalid.
6. The method of any of claims 2-5, wherein the generating a template function from the vulnerability mask plug-in comprises:
Selecting a matched template function from a preset template function library according to the shielding position and shielding mode of the vulnerability function;
The template function comprises an outer layer function and an inner layer function, the relevant information of the vulnerability function and the relevant information of the shielding function are used as inputs of the outer layer function, and a return value of the inner layer function is used as a return value of the outer layer function;
And taking the parameters of the loophole function, the related information of the loophole function and the related information of the shielding function as the input of the inner layer function, and taking the calling result of the shielding function as the return value of the inner layer function.
7. The method of any of claims 3-6, wherein executing the template function when the Python application is running to the vulnerability function, with the vulnerability mask plug-in enabled, comprises:
Under the condition that the vulnerability shielding plug-in is enabled, inquiring whether the vulnerability function is occupied or not when the Python application program runs to the vulnerability function;
And occupying the loophole function when the loophole function is not occupied, and executing the template function.
8. The method according to any of claims 1-7, wherein the attributes are stored in a C-structure form, the attributes comprising at least function code, global variables used within a function, closure relationships, method code.
9. The method according to any one of claims 1-8, further comprising:
And respectively storing the vulnerability function, the shielding function, the backup function and the template function into the memory of the Python application program, and carrying out address space management by the Python application program.
10. A vulnerability shielding engine integrated in a Python application of a client, the vulnerability shielding engine comprising:
The plug-in receiving module is used for receiving a vulnerability shielding plug-in, the vulnerability shielding plug-in comprises relevant information of a vulnerability function and relevant information of a shielding function, and the shielding function is used for detecting whether the vulnerability function is attacked or used for repairing the vulnerability function;
the function generation module is used for generating a template function according to the vulnerability shielding plug-in, and when the shielding function is used for repairing the vulnerability function, the template function is used for calling the shielding function to repair the vulnerability function when being executed;
And the attribute replacement module is used for replacing the attribute of the backup function with the attribute of the vulnerability function, replacing the attribute of the vulnerability function with the attribute of the template function, and the backup function is a backup of the vulnerability function.
11. An electronic device, comprising:
A processor;
a memory for storing processor-executable instructions;
Wherein the processor is configured to implement the method of any of claims 1-9 when executing the instructions.
12. A non-transitory computer readable storage medium having stored thereon computer program instructions, which when executed by a processor, implement the method of any of claims 1-9.
13. A computer program product comprising computer readable code, or a non-transitory computer readable storage medium carrying computer readable code, characterized in that a processor in an electronic device performs the method of any one of claims 1-9 when the computer readable code is run in the electronic device.
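The mechanism in claims 1-9 can be sketched in pure Python, which is useful for seeing what the attribute swap actually buys a defender: the original code object is preserved in a backup function, the vulnerable name keeps its identity for every existing caller, and the template decides per call whether to run a detection routine, a repair, or the original code. The block below is an added example, not the patent's or Huawei's code; `ShieldPlugin`, `make_backup`, `make_template`, `install`, `uninstall`, the constructed target `read_user_file` and the two constructed shielding functions are all assumptions. It implements only the start-position template for the regular-matching detection mode and the whole-function replacement mode, and it stands in for the claim 8 C-structure copy with the function attributes CPython lets Python code assign (`__code__`, `__defaults__`, `__kwdefaults__`); the inner function therefore carries the plug-in and backup through keyword-only defaults instead of a closure, so its code object has no free variables and can be installed with a plain `__code__` assignment.

```python
"""Added example (not the patent's own code): pure-Python sketch of the
attribute-swap hot patching described in claims 1-9. All names are assumptions."""
import re
import types
from dataclasses import dataclass
from typing import Any, Callable


class AttackDetected(Exception):
    """Raised by the template when the shielding function reports an attack (claim 2)."""


@dataclass
class ShieldPlugin:
    """Constructed analogue of the vulnerability shielding plug-in (claim 4)."""
    vuln_func: Callable[..., Any]
    shield_func: Callable[..., Any]
    mode: str                 # "replace" (repair) or "regex" (detect)
    position: str = "start"   # only the start-position template is implemented here
    enabled: bool = True      # claim 3: a disabled plug-in means the backup runs


def make_backup(fn):
    """Backup function: a fresh function object carrying the vulnerable function's
    code, globals, defaults and closure (the pure-Python form of copying its attributes)."""
    backup = types.FunctionType(fn.__code__, fn.__globals__, fn.__name__,
                                fn.__defaults__, fn.__closure__)
    backup.__kwdefaults__ = fn.__kwdefaults__
    backup.__dict__.update(fn.__dict__)
    return backup


def make_template(plugin, backup):
    """Outer layer function (claim 6): takes the plug-in info and returns the inner function.
    Plug-in, backup and exception are passed as keyword-only defaults, not closure cells,
    so inner.__code__ has no free variables and can replace a closure-free function's code."""
    def inner(*args, _plugin=plugin, _backup=backup, _exc=AttackDetected,
              _busy=[False], **kwargs):
        # Plug-in disabled (claim 3) or function already occupied (claim 7): run the backup.
        if not _plugin.enabled or _busy[0]:
            return _backup(*args, **kwargs)
        if _plugin.mode == "replace":          # whole-function replacement: call the fix
            return _plugin.shield_func(*args, **kwargs)
        _busy[0] = True                        # occupy the function while detecting
        try:
            finding = _plugin.shield_func(*args, **kwargs)
        finally:
            _busy[0] = False
        if finding is not None:                # attacked: report instead of running
            raise _exc(finding)
        return _backup(*args, **kwargs)        # not attacked: run the original code
    return inner


def install(plugin):
    """Back up the vulnerable function, then give it the template's attributes."""
    vuln = plugin.vuln_func
    backup = make_backup(vuln)
    template = make_template(plugin, backup)
    vuln.__code__ = template.__code__
    vuln.__defaults__ = template.__defaults__
    vuln.__kwdefaults__ = template.__kwdefaults__
    return backup


def uninstall(vuln, backup):
    """Restore the original attributes from the backup function."""
    vuln.__code__ = backup.__code__
    vuln.__defaults__ = backup.__defaults__
    vuln.__kwdefaults__ = backup.__kwdefaults__


# --- constructed target and shielding functions (sample data, not from the patent) ---
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def read_user_file(path):
    """Stand-in for a vulnerable function: uses the caller's path without validation."""
    return ("read", path)


def regex_shield(*args, **kwargs):
    """Regular-matching detection mode: returns a finding if an argument contains '..'."""
    for value in list(args) + list(kwargs.values()):
        if isinstance(value, str) and TRAVERSAL.search(value):
            return f"path traversal pattern in argument {value!r}"
    return None


def safe_read_user_file(path):
    """Repair used in whole-function replacement mode: refuses traversal outright."""
    return ("refused", path) if TRAVERSAL.search(path) else ("read", path)


def guarded_call(fn, *args, **kwargs):
    """Run fn and report either its result or the shielding finding."""
    try:
        return ("ok", fn(*args, **kwargs))
    except AttackDetected as exc:
        return ("blocked", str(exc))


def demo():
    """Detect mode, disable, restore, then repair mode; returns what each step observed."""
    out = {"before": read_user_file("../etc/passwd")}
    plugin = ShieldPlugin(read_user_file, regex_shield, mode="regex")
    backup = install(plugin)
    out["benign"] = guarded_call(read_user_file, "report.txt")
    out["hostile"] = guarded_call(read_user_file, "../etc/passwd")
    plugin.enabled = False
    out["disabled"] = guarded_call(read_user_file, "../etc/passwd")
    uninstall(read_user_file, backup)
    out["restored"] = read_user_file("../etc/passwd")
    backup = install(ShieldPlugin(read_user_file, safe_read_user_file, mode="replace"))
    out["repaired"] = read_user_file("../etc/passwd")
    uninstall(read_user_file, backup)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>9}: {value}")
```

Two limits of the pure-Python form are worth knowing before relying on it. CPython refuses a `__code__` assignment whose free-variable count differs from the target's closure, which is why the inner function here is closure-free; a vulnerable function that is itself a closure, or whose globals differ from the template's needs, requires the C-level attribute copy the claims describe. And the `_busy` flag is per process, not per thread, so concurrent callers of the same function would need a real lock or thread-local to implement the occupancy check of claim 7.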
CN202310377332.0A 2023-03-31 2023-03-31 Vulnerability shielding method, engine, electronic device, storage medium and program product Pending CN118734310A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310377332.0A CN118734310A (en) 2023-03-31 2023-03-31 Vulnerability shielding method, engine, electronic device, storage medium and program product

Publications (1)

Publication Number Publication Date
CN118734310A true CN118734310A (en) 2024-10-01

Family

ID=92862836

Country Status (1)

Country Link
CN (1) CN118734310A (en)

Legal Events

Date Code Title Description
PB01 Publication