Heapspray detection method based on intermediate command dynamic instrumentation

A detection technique based on intermediate instructions, applied in computer security devices, instruments, calculations, etc., that solves the problems of low accuracy and large system overhead, improving accuracy and reducing system overhead.

Inactive Publication Date: 2010-06-02
PEKING UNIV

AI Technical Summary

Problems solved by technology

High system overhe

Examples


Embodiment Construction

[0023] The following uses the JavaScript execution engine, the most widely used script engine in web pages, as an example to describe the detection method in detail.

[0024] The Heapspray detection method based on dynamic intermediate instruction instrumentation is implemented as follows:

[0025] 1. Switch the JavaScript virtual machine to the single-step tracing state and register a Handler function, so that the single-stepping virtual machine calls this Handler function before executing each intermediate instruction (corresponding to step 1 in Figure 1).

[0026] 2. Initialize the global variables hasShellcode = lowEntropy = 0, and feed the JavaScript script in the web page to the JavaScript virtual machine for execution;

[0027] 3. Because the Handler function was registered in advance, at each step of the virtual machine's execution the Handler function can be used to obtain and inspect the instruction about to be executed; (c...


Abstract

The invention discloses a Heapspray detection method based on dynamic instrumentation of intermediate commands, belonging to the technical field of computer security. The method comprises the following steps: (1) setting the virtual machine used for interpreting and executing dynamic web page scripts to a single-step running state; (2) judging whether the intermediate command about to be executed is an assignment-type intermediate command; (3) if so, judging whether the rvalue parameter among the command parameters is of string type; if the rvalue parameter is of string type and its value is less than a set threshold P, checking whether it contains shellcode; if the rvalue parameter is larger than the set threshold P, calculating its information entropy; and (4) taking the next intermediate command and repeating steps (2) and (3). If the rvalue parameter of one assignment-type intermediate command contains shellcode and the entropy of the rvalue parameter of another assignment-type intermediate command is less than the set threshold, the script is judged to exhibit Heapspray behavior. The invention can reduce system overhead and improve detection accuracy.
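The per-instruction check from steps 1 to 3 of the embodiment and steps (1) to (4) of the abstract, as an added Python sketch; it is not code from the patent. Assumptions: the VM's single-step hook is modelled as a list of (opcode, rvalue) pairs, the opcode names are hypothetical, "value less than P" is read as string length, the numeric thresholds are illustrative, and `looks_like_shellcode` is a crude stand-in for whatever shellcode detector a real deployment would use.

```python
import math
from collections import Counter

P = 256            # assumed value for the page's threshold P (string length)
ENTROPY_MAX = 1.0  # assumed entropy threshold, bits per character
ASSIGN_OPS = {"setname", "setvar", "setprop"}  # hypothetical opcode names

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_like_shellcode(s):
    # Stand-in for a real shellcode detector (the page does not say which
    # one is used): flags strings made mostly of non-printable code units.
    if len(s) < 16:
        return False
    return sum(not 0x20 <= ord(ch) < 0x7F for ch in s) / len(s) > 0.5

class Detector:
    def __init__(self):
        self.has_shellcode = self.low_entropy = 0   # step 2 of the embodiment

    def handler(self, opcode, rvalue):
        """Called before each intermediate instruction executes."""
        if opcode not in ASSIGN_OPS or not isinstance(rvalue, str):
            return
        if len(rvalue) < P:
            if looks_like_shellcode(rvalue):
                self.has_shellcode = 1
        elif len(rvalue) > P and shannon_entropy(rvalue) < ENTROPY_MAX:
            self.low_entropy = 1

    def verdict(self):
        # Both flags must be set, by different assignments, to report a spray.
        return bool(self.has_shellcode and self.low_entropy)

def run_trace(trace):
    d = Detector()
    for opcode, rvalue in trace:
        d.handler(opcode, rvalue)
    return d.verdict()

# Constructed traces of (opcode, rvalue); PAYLOAD is inert filler, not code.
PAYLOAD = "".join(chr(0x80 + (i * 37) % 0x70) for i in range(64))
FILLER = "\u4141" * 4096
PROSE = "The quick brown fox jumps over the lazy dog. " * 20
SPRAY_TRACE = [("setvar", PAYLOAD), ("setvar", FILLER), ("call", None)]
BENIGN_TRACE = [("setvar", "hello world"), ("setprop", PROSE), ("setvar", 42)]
PADDING_ONLY = [("setvar", FILLER), ("setvar", "ok")]
```

`PADDING_ONLY` shows why the verdict needs both flags: a long low-entropy string on its own, such as ordinary padding, is not reported.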

Description

Technical field

[0001] The invention belongs to the technical field of computer security, and in particular relates to a Heapspray detection method based on dynamic instrumentation of intermediate commands.

Background art

[0002] A web page Trojan horse (drive-by download) usually refers to malicious code that resides in a web page and exploits security vulnerabilities in the client browser and its plug-ins to attack the computer browsing the page. In recent years, client-side attacks based mainly on web page Trojan horses have gradually increased and now account for a large proportion of all attack cases. How to effectively detect and prevent web page Trojans has therefore become an important problem of common concern in academia and industry.

[0003] In the attack process of web page Trojan horses, in order to improve the versatility and success rate of the attack, the attacker often uses the attack method called Heapspray (see Pincus J, Baker B. Beyond stack smashing...


Application Information

IPC(8): G06F21/00, G06F21/56
Inventor: 诸葛建伟, 陈志杰, 韩心慧, 龚晓锐, 宋程昱
Owner PEKING UNIV