Vulnerability mining method and device

A vulnerability mining and vulnerability technology, applied in the field of application security, can solve the problems of high-risk vulnerabilities that are hard to find, hard to find, and no solution is proposed, and achieve the effect of solving the low efficiency of vulnerability mining

Active Publication Date: 2020-05-15
ALIBABA GRP HLDG LTD
View PDF7 Cites 0 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

This kind of vulnerability mainly has the following characteristics: it is strongly coupled with specific logic, making it difficult for automated detection tools to locate, and it must be found through manual mining
Even manual mining requires the vulnerability digging personnel to be able to clearly understand the operating logic of the App, which is very difficult to rely on reverse analysis without the source code
In addition, high-risk vulnerabilities are often logical loopholes, because the closer they are to specific logic, the harder it is to find, and usually the more serious the problem, so high-risk vulnerabilities are difficult to find
[0003] For the above problems, no effective solution has been proposed

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Vulnerability mining method and device
  • Vulnerability mining method and device
  • Vulnerability mining method and device

Examples

Experimental program
Comparison scheme
Effect test

Embodiment 1

[0020] According to the embodiment of the present application, an embodiment of a vulnerability mining method is also provided. It should be noted that the steps shown in the flow chart of the accompanying drawings can be executed in a computer system such as a set of computer-executable instructions, and, although A logical order is shown in the flowcharts, but in some cases the steps shown or described may be performed in an order different from that shown or described herein.

[0021] The method embodiment provided in Embodiment 1 of the present application may be executed in a mobile terminal, a computer terminal, or a similar computing device. Take running on a computer terminal as an example, figure 1 It is a block diagram of the hardware structure of a computer terminal of a vulnerability mining method according to the embodiment of this application. Such as figure 1 As shown, the computer terminal 10 may include one or more (only one is shown in the figure) processor...

Embodiment 2

[0083] According to an embodiment of the present invention, a device for implementing the above-mentioned method for automatically mining logic vulnerabilities of application programs is also provided, Image 6 is the structural frame of the vulnerability mining device according to the embodiment of the present application Figure 1 ,Such as Image 6 As shown, the device includes:

[0084] An acquisition module 62, configured to acquire the key actions required by the application under test to perform specified tasks;

[0085] It should be noted that the above key actions may include: a function called when the application under test executes a specified task, the function may only include system functions, may only include non-system functions, or may include both system functions and non-system functions, The content contained in this function varies according to the specific situation. The above-mentioned system function refers to a function that has nothing to do with th...

Embodiment 3

[0119] Embodiments of the present invention may provide a computer terminal, and the computer terminal may be any computer terminal device in a group of computer terminals. Optionally, in this embodiment, the foregoing computer terminal may also be replaced with a terminal device such as a mobile terminal.

[0120] Optionally, in this embodiment, the foregoing computer terminal may be located in at least one network device among multiple network devices of the computer network.

[0121] In this embodiment, the above-mentioned computer terminal can execute the program code of the following steps in the vulnerability mining method: obtain the key actions required by the application under test to perform the specified task; compare the key actions with the pre-stored feature files; and according to the comparison As a result, it is determined whether there is a logical loophole in the application to be tested; wherein, the feature file is a file composed of a subset of actions th...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to view more

PUM

No PUM Login to view more

Abstract

The invention discloses a vulnerability mining method and device. The method comprises the following steps: acquiring key actions needed for executing an appointed task by an application to be detected; comparing the key actions with a pre-stored characteristic file; determining whether a logic vulnerability exists in the application to be detected or not according to a comparison result, wherein the characteristic file is a file composed of subsets of actions which need to be executed when a first standard application without the logic vulnerability executes the appointed task.

Description

technical field [0001] The present invention relates to the field of application security, in particular to a method and device for mining vulnerabilities. Background technique [0002] Logical vulnerabilities refer to vulnerabilities related to the running logic of the application itself. This kind of vulnerability mainly has the following characteristics: it is strongly coupled with specific logic, making it difficult for automated detection tools to locate it, and it must be found through manual mining. Even manual mining requires the vulnerability digger to clearly understand the operating logic of the app, which is very difficult to reverse-analyze without the source code. In addition, high-risk vulnerabilities are often logical loopholes, because the closer the connection with specific logic, the harder it is to find, and usually the more serious the problem, so it is difficult to find high-risk vulnerabilities. [0003] For the above problems, no effective solution ...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to view more

Application Information

Patent Timeline
no application Login to view more
Patent Type & Authority Patents(China)
IPC IPC(8): G06F21/57
CPCG06F21/577G06F2221/033
Inventor 陈晋福
Owner ALIBABA GRP HLDG LTD
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Try Eureka
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap