A vulnerability construction method and device, electronic equipment and storage medium
By sending multiple data packets to the target program to obtain physical characteristic information and determining the time node for fault injection, the problem of low efficiency in traditional vulnerability construction is solved, and efficient vulnerability construction and bypassing software verification are achieved.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- BEIJING CEC HUADA ELECTRONIC DESIGN CO LTD
- Filing Date
- 2026-02-04
- Publication Date
- 2026-06-05
AI Technical Summary
Traditional vulnerability construction methods are inefficient and difficult to bypass strict data verification or defense mechanisms in programs, making it difficult to successfully construct target vulnerabilities.
By sending multiple data packets with different values for verification parameters to the target program, the physical characteristic information of the hardware carrier is obtained, the time node of the verification parameters is determined, and fault injection is performed at that node to interfere with the parameter verification logic at the hardware level.
It improves the efficiency and success rate of vulnerability construction, and can effectively bypass software-level verification mechanisms to achieve vulnerability construction in target programs.
Smart Images

Figure CN122153898A_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of fault injection technology, and in particular to a vulnerability construction method, apparatus, electronic device and storage medium. Background Technology
[0002] As research on integrated circuit security continues to deepen, the construction of vulnerabilities and security assessments targeting hardware carriers and their running programs are becoming increasingly important. Currently, in order to effectively verify the robustness and security of programs when processing external input, it is usually necessary to construct vulnerabilities specifically targeting certain types of vulnerabilities (such as buffer overflow vulnerabilities).
[0003] Traditional vulnerability construction methods primarily rely on fuzzy search, which involves constructing a large amount of erroneous data as input to attempt to trigger potential vulnerabilities in a program. However, this method often requires covering a vast number of test cases, resulting in low vulnerability construction efficiency. Furthermore, when the program has strict data validation or other defense mechanisms in place, relying solely on externally inputted data is often insufficient to effectively bypass these defenses, making it difficult to successfully construct the target vulnerability. Summary of the Invention
[0004] In view of this, this application provides a vulnerability construction method, apparatus, electronic device, and storage medium to solve the above-mentioned technical problems.
[0005] In a first aspect of this application, a vulnerability construction method is provided, the method comprising: Multiple first data packets are sent to the target program, and physical feature information generated by the hardware carrier executing the target program when the target program processes each first data packet is obtained respectively, wherein the values of the verification parameters in the multiple first data packets are not completely the same; Based on the correlation between the value sequence of the verification parameters in the plurality of first data packets and the physical feature information sequence corresponding to the plurality of first data packets, the time node for the target program to verify the verification parameters is determined; A second data packet is sent to the target program, and a fault injection is performed on the hardware carrier at the time node based on the acquired attack parameters, wherein the value of the verification parameter in the second data packet does not meet the preset verification conditions of the target program. Obtain the execution result returned by the target program for the second data packet, and determine whether the vulnerability construction was successful based on the execution result.
[0006] In some embodiments, the physical characteristic information corresponding to each first data packet includes the physical characteristic trajectory of the hardware carrier within a set time window after the first data packet is sent to the target program, wherein the physical characteristic trajectory includes a power consumption trajectory or an electromagnetic radiation trajectory.
[0007] In some embodiments, determining the time point at which the target program verifies the verification parameters based on the correlation between the value sequence of the verification parameters in the plurality of first data packets and the physical feature information sequence corresponding to the plurality of first data packets includes: For each sampling moment within the set time window, based on the value of the physical feature trajectory corresponding to each first data packet at that sampling moment, a sequence of physical feature values corresponding to that sampling moment is obtained; Calculate the correlation coefficient between the sequence of physical feature values corresponding to each sampling time and the sequence of values of the verification parameter; The sampling time when the correlation coefficient meets the set requirements is determined as the time node when the target program verifies the verification parameters.
[0008] In some embodiments, the fault injection into the hardware carrier based on the acquired attack parameters at the specified time point includes: Randomly generate attack parameters for this fault injection; After sending the second data packet to the target program, in response to the arrival of the time node, the attack parameters are used to inject faults into the hardware carrier.
[0009] In some embodiments, the attack parameters include at least a first parameter and a second parameter, wherein the first parameter is used to control the duration of the fault injection, and the second parameter is used to control the intensity of the fault injection.
[0010] In some embodiments, the method further includes: If the execution result indicates that the vulnerability construction was unsuccessful, the parameter iteration steps are repeated until the vulnerability construction is determined to be successful. The parameter iteration step includes: Update the attack parameters and resend the second data packet to the target program; After resending the second data packet to the target program, in response to the arrival of the time node, the hardware carrier is injected with faults using the updated attack parameters; Obtain the execution result returned by the target program for the resent second data packet, and determine whether the vulnerability construction was successful based on the execution result.
[0011] In some embodiments, the verification parameters include fields in the data packet used to characterize data length information.
[0012] In some embodiments, the fault injection includes any one of voltage glitch injection, electromagnetic pulse injection, and laser injection.
[0013] In a second aspect of this application, a vulnerability construction apparatus is provided, the apparatus comprising: The acquisition unit is used to send multiple first data packets to the target program and acquire the physical feature information generated by the hardware carrier executing the target program when the target program processes each first data packet, wherein the values of the verification parameters in the multiple first data packets are not completely the same. The first determining unit is used to determine the time node when the target program verifies the verification parameters based on the correlation between the value sequence of the verification parameters in the plurality of first data packets and the physical feature information sequence corresponding to the plurality of first data packets. The fault injection unit is used to send a second data packet to the target program and perform fault injection on the hardware carrier at the time node based on the acquired attack parameters, wherein the value of the verification parameter in the second data packet does not meet the preset verification conditions of the target program. The second determining unit is used to obtain the execution result returned by the target program for the second data packet, and to determine whether the vulnerability construction was successful based on the execution result.
[0014] In a third aspect of this application, an electronic device is provided, including a processor and a memory, the memory storing machine-executable instructions executable by the processor, the processor executing the machine-executable instructions to implement the steps of the method proposed in the above embodiments.
[0015] In a fourth aspect of this application, a machine-readable storage medium is provided, wherein machine-executable instructions are stored therein, and when executed by a processor, the machine-executable instructions implement the steps of the method proposed in the above embodiments.
[0016] As can be seen from the above technical solution, multiple first data packets with different verification parameter values are sent to the target program, and the physical feature information generated by the hardware carrier when processing each first data packet is obtained. Then, based on the correlation between the sequence of verification parameter values and the sequence of physical feature information, the time node when the target program verifies the verification parameters is determined. This application accurately locates the time node when the target program verifies parameters by using the physical feature information of the hardware carrier, avoiding blind searching in the time dimension and improving the efficiency of vulnerability construction.
[0017] This application sends a second data packet to the target program whose verification parameter values do not meet its preset verification conditions. Based on the acquired attack parameters, it directly injects faults into the hardware carrier at the identified time point. By interfering with the target program's parameter verification logic at the hardware level at the identified time point when the target program performs parameter verification, this application effectively bypasses the software-level verification mechanism, thus increasing the success rate of vulnerability exploitation.
[0018] It should be understood that the above general description and the following detailed description are exemplary and explanatory only, and do not limit this application. Attached Figure Description
[0019] Figure 1 This is a flowchart illustrating a vulnerability construction method provided in an embodiment of this application; Figure 2 This is a schematic diagram of an electromagnetic radiation trajectory provided in an embodiment of this application; Figure 3 This is a schematic diagram of a correlation coefficient curve provided in an embodiment of this application; Figure 4 This is a schematic diagram of a vulnerability construction device provided in an embodiment of this application; Figure 5 This is a schematic diagram of the hardware structure of an electronic device illustrated in an exemplary embodiment of this application. Detailed Implementation
[0020] Exemplary embodiments will now be described in detail, examples of which are illustrated in the accompanying drawings. When the following description relates to the drawings, unless otherwise indicated, the same numbers in different drawings denote the same or similar elements. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with this application. Rather, they are merely examples of apparatuses and methods consistent with some aspects of this application as detailed in the appended claims.
[0021] The terminology used in this application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. The singular forms “a,” “the,” and “the” used in this application and the appended claims are also intended to include the plural forms unless the context clearly indicates otherwise.
[0022] To enable those skilled in the art to better understand the technical solutions provided in the embodiments of this application, and to make the above-mentioned objectives, features and advantages of the embodiments of this application more apparent and understandable, the technical solutions in the embodiments of this application will be further described in detail below with reference to the accompanying drawings.
[0023] As research into integrated circuit security continues to deepen, the construction and security assessment of vulnerabilities targeting hardware carriers and their running programs are becoming increasingly important. Among numerous security threats, buffer overflows are a highly representative vulnerability.
[0024] The main principle behind buffer overflows is that programs lack strict validation of the length or address boundaries of input data, causing overflowing data to overwrite adjacent memory areas, thus triggering a series of memory errors. For example, in the event of a stack overflow, the program's return address or program counter (PC) pointer may be maliciously overwritten, causing the program to jump to a pre-set illegal code segment. Therefore, in order to effectively verify the robustness and security of a target program when processing external input, it is urgent to construct efficient and precise mechanisms to address such vulnerabilities.
[0025] Traditional methods for constructing buffer overflow vulnerabilities primarily rely on fuzzing, which involves constructing a large amount of erroneous data as input to attempt to trigger a buffer overflow. However, this method often requires covering a vast number of test cases, resulting in low vulnerability construction efficiency. Furthermore, if the program has strict checks on length and address, relying solely on externally inputted data often fails to effectively bypass these defense mechanisms, making it difficult to successfully construct a vulnerability.
[0026] In view of this, this application discloses a vulnerability construction method to solve the above-mentioned technical problems.
[0027] like Figure 1 As shown, Figure 1 This is a flowchart illustrating a vulnerability construction method provided in an embodiment of this application. It should be noted that all acts of constructing vulnerabilities in the target program involved in all embodiments of this application are legal acts performed with explicit authorization from the target program owner or relevant rights holder, or with full authorization from all parties within the scope permitted by law, and do not involve any unauthorized network attacks or illegal activities.
[0028] The method for exploiting this vulnerability may include the following steps: S101: Send multiple first data packets to the target program, and obtain the physical characteristic information generated by the hardware carrier executing the target program when the target program processes each first data packet.
[0029] In this application, the target program runs on a specific hardware platform. The hardware platform includes at least one dedicated or general-purpose microprocessor, such as a central processing unit (CPU), a graphics processing unit (GPU), a field-programmable gate array (FPGA), or a complex programmable logic device (CPLD), etc., and this application does not specifically limit it.
[0030] The first data packet is a probe data packet constructed according to the communication protocol of the target program. In this application, each first data packet contains at least one verification parameter. In order to enable subsequent correlation calculation, this application requires that the values of the verification parameters in the plurality of first data packets are not completely identical.
[0031] In some examples, N first data packets (N being a positive integer greater than 1) can be generated. The verification parameters in each first data packet can follow a random distribution, a linearly increasing distribution, or a specific pseudo-random sequence distribution. This application does not impose any specific limitations on this.
[0032] When the target program running on the hardware carrier processes data packets with different values of these verification parameters, the switching state of the internal logic circuit of the hardware carrier will change accordingly, so that the physical characteristic information generated by the hardware carrier will produce observable statistical differences as the value of the verification parameter changes.
[0033] The verification parameters refer to key fields that the target program needs to perform logical judgments, verifications, or checks during the processing of received data packets. These verification parameters can directly affect whether the target program receives data, executes subsequent processes, or triggers exception handling.
[0034] In some examples, the verification parameter can be a field in the data packet that represents the data length information. For example, if the verification parameter of a buffer processing function is the "data length" field in the data packet, then a first data packet with different values for the "data length" field, such as 100 bytes, 150 bytes, and 200 bytes, can be constructed and sent sequentially.
[0035] In other examples, the verification parameter may also be a checksum field, a starting address field, or a serial number field, etc., which are not specifically limited in this application.
[0036] In some embodiments, multiple first data packets can be sent sequentially to the target program at preset time intervals. Using a pre-set data acquisition device (such as an oscilloscope, data acquisition card, electromagnetic sensor, etc.), the physical characteristic information generated by the hardware carrier executing the target program within a set time window after each first data packet is sent is monitored, and the physical characteristic information corresponding to each first data packet recorded by the data acquisition device is obtained.
[0037] In some examples, the power consumption information generated by the hardware carrier executing the target program within a set time window after each first data packet is sent to the target program can be monitored and recorded by connecting a current probe or voltage probe to the power supply circuit of the hardware carrier.
[0038] In other examples, electromagnetic near-field probes can be placed above the hardware carrier package or in a specific electromagnetic radiation area to monitor and record electromagnetic radiation information generated by the hardware carrier executing the target program within a set time window after each first data packet is sent to the target program.
[0039] In some embodiments, the physical feature information corresponding to each first data packet includes the physical feature trajectory generated by the hardware carrier within a set time window after the first data packet is sent to the target program.
[0040] A physical feature trajectory is a sequence of physical feature values that change over time. The data acquisition device samples and quantizes the physical features of the hardware carrier at a preset sampling rate, thus forming a sequence of physical feature values composed of multiple sampling moments. Each physical feature trajectory records the changes in the physical features of the hardware carrier on the time axis when processing a specific first data packet.
[0041] In some examples, the physical feature trajectory can be a power consumption trajectory, with each first data packet corresponding to a power consumption trajectory that reflects the change in power consumption of the hardware carrier over time within a set time window after the first data packet is sent to the target program.
[0042] In other examples, the physical feature trajectory can be an electromagnetic radiation trajectory, with each first data packet corresponding to one electromagnetic radiation trajectory. For example... Figure 2 As shown, Figure 2 This is a schematic diagram of an electromagnetic radiation trajectory provided in an embodiment of this application. Figure 2 In the figure, the horizontal axis represents time and the vertical axis represents electromagnetic radiation intensity. This electromagnetic radiation trajectory reflects the change of electromagnetic radiation intensity of the hardware carrier over time within a set time window after a first data packet is sent to the target program.
[0043] It should be noted that all physical feature trajectories should be aligned on the timeline, meaning that the starting point of each physical feature trajectory corresponds to the trigger moment of "sending the first data packet to the target program". In this way, the numerical differences between different physical feature trajectories at the same sampling moment can be directly correlated with the different values of the verification parameters, thus providing a consistent time reference for correlation analysis in subsequent steps.
[0044] S102: Based on the correlation between the value sequence of the verification parameters in the plurality of first data packets and the physical feature information sequence corresponding to the plurality of first data packets, determine the time node at which the target program verifies the verification parameters.
[0045] Construct a sequence of values for the verification parameter. For example, assume that N first data packets are sent, and let the value of the verification parameter in the i-th first data packet be d. i Then, the sequence D of values for the verification parameters in the plurality of first data packets can be obtained, D=[d1, d2,..., d...]. N ].
[0046] Construct a sequence of physical feature information corresponding to the plurality of first data packets. For example, let p be the physical feature information corresponding to the i-th first data packet. i Then, the physical feature information sequence P corresponding to the multiple first data packets can be obtained, P=[p1, p2,..., p...]. N ].
[0047] The correlation between the value sequence D of the verification parameter and the physical feature information sequence P corresponding to the plurality of first data packets is calculated, and the time node for the target program to verify the verification parameter is determined accordingly.
[0048] In some embodiments, the physical feature information corresponding to each first data packet includes the physical feature trajectory of the hardware carrier within a set time window T after the first data packet is sent to the target program.
[0049] For each sampling time t within the set time window T, the sequence of physical feature values corresponding to each sampling time t can be obtained based on the value of the physical feature trajectory corresponding to each first data packet at sampling time t. For example, let p be the value of the physical feature trajectory corresponding to the i-th first data packet at sampling time t. i,t Then the physical feature value sequence P corresponding to the sampling time t t =[p 1,t , p 2,t ,..., p N,t ].
[0050] Calculate the correlation coefficient between the physical feature value sequence corresponding to each sampling time t and the value sequence of the verification parameter. In some examples, for each sampling time t, the physical feature value sequence P corresponding to sampling time t can be calculated. t The Pearson correlation coefficient between the value sequence D of the verification parameter and the physical characteristics of the hardware carrier at sampling time t reflects the degree of linear correlation between the physical characteristics of the hardware carrier at sampling time t and the value of the verification parameter.
[0051] The sampling time at which the correlation coefficient meets the set requirements is determined as the time node for the target program to verify the verification parameter. After the correlation coefficients at all sampling times t are calculated, the following can be obtained: Figure 3 The correlation coefficient curve shown is a correlation trajectory, representing the correlation coefficient changing with sampling time t. Figure 3 In the diagram, the horizontal axis represents the sampling time, and the vertical axis represents the correlation coefficient. The larger the absolute value of the correlation coefficient, the more significantly the physical characteristics of the hardware carrier are affected by the value of the verification parameter at the corresponding sampling time; that is, the higher the probability that the target program will process the verification parameter at that sampling time.
[0052] In some examples, the setting requirement may include a peak requirement, which means determining the sampling time when the absolute value of the correlation coefficient is the largest as the time node. In other examples, the setting requirement may include a threshold requirement, which means determining the sampling time when the absolute value of the correlation coefficient exceeds a preset threshold as the time node.
[0053] S103: Send a second data packet to the target program, and inject faults into the hardware carrier at the time node based on the acquired attack parameters.
[0054] The preset verification conditions of the target program can be obtained in several ways. In some examples, the firmware of the target program can be disassembled and analyzed to extract condition judgment instructions (such as comparison instructions or jump instructions), and the parameter boundary values in its preset verification conditions can be determined accordingly. In other examples, a series of data packets with different verification parameter values can be sent to the target program, and the return results of the target program (such as error messages or response timeouts) can be obtained, thereby inferring the parameter boundary values in its preset verification conditions in reverse.
[0055] After obtaining the preset verification conditions of the target program, a second data packet that does not meet the preset verification conditions can be constructed. For example, if the maximum allowed data length preset by the target program is 200 bytes, the data length field in the second data packet can be set to 300 bytes or a larger value. Under normal execution flow, this second data packet will fail the parameter verification logic of the target program because the value of the verification parameter does not meet the preset verification conditions of the target program.
[0056] This application overcomes software-level logic limitations by implementing fault injection at the hardware level. Specifically, based on acquired attack parameters, a fault injection device can be used to inject faults into the hardware carrier at the time point after the second data packet is sent to the target program. By applying physical interference matching the attack parameters at the hardware level, temporary bit flips or instruction execution errors can occur in the internal logic circuits of the hardware carrier. This causes the second data packet, which should have failed the parameter verification of the target program, to pass the parameter verification logic of the target program because the verification result is forcibly changed or the verification instruction is skipped.
[0057] In some embodiments, attack parameters for this fault injection can be randomly generated. For example, for this fault injection, a set of attack parameters can be randomly generated within a preset attack parameter space. After sending the second data packet to the target program, in response to the arrival of the time node, fault injection is performed on the hardware carrier using the attack parameters.
[0058] In some examples, fault injection can be categorized into voltage spike injection, electromagnetic pulse injection, and laser injection. Voltage spike injection refers to the generation of momentary voltage drops or overshoots on the power supply curve, interfering with the logic operations of the hardware. Electromagnetic pulse injection involves emitting pulses to a specific area of the hardware using a high-energy electromagnetic probe, generating momentary current interference within the hardware through electromagnetic induction. Laser injection involves irradiating a specific transistor area of the hardware with a laser beam, inducing bit flips through the photoelectric effect.
[0059] In some examples, the attack parameters include at least a first parameter and a second parameter. The first parameter controls the duration of the fault injection, such as the pulse width of a voltage spike or the duration of laser irradiation; the second parameter controls the intensity of the fault injection, such as the amplitude offset of a voltage spike, the power of an electromagnetic pulse, or the energy density of a laser.
[0060] In some embodiments, the type of fault injection can be determined first based on the characteristics of the hardware carrier (such as process, packaging type, etc.). For example, voltage glitches can be selected for well-packaged hardware carriers, while laser injection can be selected for opened hardware carriers, and so on. Then, attack parameters matching the fault injection type are obtained, and based on the attack parameters matching the fault injection type, fault injection is performed on the hardware carrier at the stated time point, thereby achieving efficient vulnerability construction.
[0061] S104: Obtain the execution result returned by the target program for the second data packet, and determine whether the vulnerability construction was successful based on the execution result.
[0062] Based on the execution result returned by the target program after fault injection, it is determined whether the hardware-level interference successfully penetrated the software verification logic of the target program.
[0063] The execution result may include the status code returned by the target program, the output data content, the state changes of the registers, or whether the target program generates the expected abnormal interrupt, etc. This application does not specifically limit this.
[0064] In one example, taking data length field validation as an example: if the target program determines that the data length meets the preset validation conditions, it will continue to execute subsequent business processing logic (such as data copying, memory allocation, etc.) and return a return value indicating that the execution is correct (such as status code 0x9000); if it determines that the data length does not meet the preset validation conditions, it will terminate the operation and return a return value indicating that the execution is incorrect (such as error code 0x6F01).
[0065] Since the second data packet sent to the target program does not meet the target program's preset verification conditions, if the obtained execution result is a return value indicating an execution error, it means that the fault injection failed to interfere with the target program's parameter verification logic, and the vulnerability construction was unsuccessful; if the obtained execution result is a return value indicating correct execution, it means that the fault injection successfully induced a logic jump, causing the target program to execute subsequent business processing logic even though the second data packet itself does not meet the target program's preset verification conditions, and the vulnerability construction was successful.
[0066] In some embodiments, if it is determined from the execution result that the vulnerability construction was unsuccessful, the parameter iteration step is repeated until it is determined that the vulnerability construction was successful.
[0067] The parameter iteration step includes the following steps: The attack parameters are updated; for example, for this fault injection, a new set of attack parameters can be randomly generated within a preset attack parameter space. The second data packet is then resent to the target program.
[0068] After resending the second data packet to the target program, in response to the arrival of the time node, a fault injection is performed on the hardware carrier using the updated attack parameters.
[0069] Obtain the execution result returned by the target program for the resent second data packet, and determine whether the vulnerability construction was successful based on the execution result.
[0070] In some embodiments, if it is determined from the execution result that the vulnerability construction was unsuccessful, the type iteration step is repeated until it is determined that the vulnerability construction was successful.
[0071] The type iteration step includes the following steps: Update the type of fault injection, for example, change it from voltage glitch injection to laser injection.
[0072] After determining the new fault injection type, obtain the attack parameters that match the fault injection type, and resend the second data packet to the target program.
[0073] After resending the second data packet to the target program, in response to the arrival of the time node, the hardware carrier is subjected to fault injection of the fault injection type using attack parameters that match the fault injection type.
[0074] Obtain the execution result returned by the target program for the resent second data packet, and determine whether the vulnerability construction was successful based on the execution result.
[0075] In some embodiments, a combined strategy of updating attack parameters first and then updating the type of fault injection can be adopted. Specifically, an initial fault injection type can be determined first, and attack parameters can be iterated under this initial fault injection type. If the number of times the attack parameters are updated reaches a preset threshold, it indicates that the initial fault injection type may not be able to construct a vulnerability in the current hardware environment. In this case, the fault injection type is updated, and the attack parameters are iterated again under the updated fault injection type until it is determined that the vulnerability has been successfully constructed.
[0076] By employing this hierarchical search strategy, this application can automatically find the optimal attack combination in complex hardware evaluation environments, thereby improving the success rate of vulnerability exploitation.
[0077] In some embodiments, the vulnerability to be constructed may be a buffer overflow vulnerability. If the execution result determines that the buffer overflow vulnerability has been successfully constructed, a buffer overflow attack can then be performed on the buffer overflow vulnerability. Buffer overflow attacks are a standard and common attack method, which can be understood and fully implemented by those skilled in the art with reference to relevant technologies, and will not be described in detail here.
[0078] It should be noted that the vulnerability construction of the target program involved in all embodiments of this application can, under the premise of obtaining legal authorization, proactively discover potential security flaws in the target program and verify the effectiveness of relevant defense mechanisms, thereby strengthening the system before a real attack occurs and achieving "defense through offense".
[0079] Furthermore, it can provide technical support for the development of more advanced cybersecurity protection products. By constructing realistic vulnerability samples, the detection and response capabilities of cybersecurity protection products can be effectively trained and tested, thereby promoting the continuous evolution of security technologies and improving the overall level of cybersecurity.
[0080] In the embodiments of this application, multiple first data packets with different values for verification parameters are sent to the target program, and physical feature information generated by the hardware carrier when processing each first data packet is obtained. Then, based on the correlation between the sequence of verification parameter values and the sequence of physical feature information, the time node at which the target program verifies the verification parameters is determined. This application accurately locates the time node at which the target program verifies parameters by using the physical feature information of the hardware carrier, avoiding blind searching in the time dimension and improving the efficiency of vulnerability construction.
[0081] This application sends a second data packet to the target program whose verification parameter values do not meet its preset verification conditions. Based on the acquired attack parameters, it directly injects faults into the hardware carrier at the identified time point. By interfering with the target program's parameter verification logic at the hardware level at the identified time point when the target program performs parameter verification, this application effectively bypasses the software-level verification mechanism, thus increasing the success rate of vulnerability exploitation.
[0082] The above description describes the method provided in this application. The following description describes the apparatus provided in this application: Please see Figure 4 This is a schematic diagram of a vulnerability construction device provided in an embodiment of this application.
[0083] like Figure 4 As shown, the device may include: The acquisition unit 410 is used to send multiple first data packets to the target program and acquire the physical feature information generated by the hardware carrier executing the target program when the target program processes each first data packet, wherein the values of the verification parameters in the multiple first data packets are not completely the same. The first determining unit 420 is used to determine the time node when the target program verifies the verification parameters based on the correlation between the value sequence of the verification parameters in the plurality of first data packets and the physical feature information sequence corresponding to the plurality of first data packets. The fault injection unit 430 is used to send a second data packet to the target program and perform fault injection on the hardware carrier at the time node based on the acquired attack parameters, wherein the value of the verification parameter in the second data packet does not meet the preset verification conditions of the target program. The second determining unit 440 is used to obtain the execution result returned by the target program for the second data packet, and determine whether the vulnerability construction is successful based on the execution result.
[0084] Optionally, the physical characteristic information corresponding to each first data packet includes the physical characteristic trajectory of the hardware carrier within a set time window after the first data packet is sent to the target program, wherein the physical characteristic trajectory includes a power consumption trajectory or an electromagnetic radiation trajectory.
[0085] Optionally, the first determining unit 420 is specifically used for: For each sampling moment within the set time window, based on the value of the physical feature trajectory corresponding to each first data packet at that sampling moment, a sequence of physical feature values corresponding to that sampling moment is obtained; Calculate the correlation coefficient between the sequence of physical feature values corresponding to each sampling time and the sequence of values of the verification parameter; The sampling time when the correlation coefficient meets the set requirements is determined as the time node when the target program verifies the verification parameters.
[0086] Optionally, the fault injection unit 430 is specifically used for: Randomly generate attack parameters for this fault injection; After sending the second data packet to the target program, in response to the arrival of the time node, the attack parameters are used to inject faults into the hardware carrier.
[0087] Optionally, the attack parameters include at least a first parameter and a second parameter, wherein the first parameter is used to control the duration of the fault injection, and the second parameter is used to control the intensity of the fault injection.
[0088] Optionally, the second determining unit 440 is further configured to: If the execution result indicates that the vulnerability construction was unsuccessful, the parameter iteration steps are repeated until the vulnerability construction is determined to be successful. The parameter iteration step includes: Update the attack parameters and resend the second data packet to the target program; After resending the second data packet to the target program, in response to the arrival of the time node, the hardware carrier is injected with faults using the updated attack parameters; Obtain the execution result returned by the target program for the resent second data packet, and determine whether the vulnerability construction was successful based on the execution result.
[0089] Optionally, the verification parameters include fields in the data packet used to characterize data length information.
[0090] Optionally, the fault injection includes any one of voltage glitch injection, electromagnetic pulse injection, and laser injection.
[0091] The specific implementation process of the functions and roles of each unit in the above device can be found in the implementation process of the corresponding steps in the above method, and will not be repeated here.
[0092] This application also provides a hardware structure. See [link to relevant documentation]. Figure 5 , Figure 5 This is a structural diagram of an electronic device provided in an embodiment of this application. Figure 5 As shown, the hardware structure may include: a processor 510 and a machine-readable storage medium 520, the machine-readable storage medium 520 storing machine-executable instructions 521 that can be executed by the processor; the processor 510 is used to execute the machine-executable instructions 521 to implement the method disclosed in the above example of this application.
[0093] Based on the same application concept as the above method, this application embodiment also provides a machine-readable storage medium storing a plurality of computer instructions, which, when executed by a processor, can implement the method disclosed in the above examples of this application.
[0094] For example, the aforementioned machine-readable storage medium can be any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions, data, etc. For instance, machine-readable storage media can be: RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, storage drives (such as hard disk drives), solid-state drives, any type of storage disk (such as optical discs, DVDs, etc.), or similar storage media, or combinations thereof.
[0095] It should be noted that, in this document, relational terms such as "objective" and "target" are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.
[0096] The above description is merely a preferred embodiment of this application and is not intended to limit this application. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the scope of protection of this application.
Claims
1. A vulnerability construction method, characterized in that, The method includes: Multiple first data packets are sent to the target program, and physical feature information generated by the hardware carrier executing the target program when the target program processes each first data packet is obtained respectively, wherein the values of the verification parameters in the multiple first data packets are not completely the same; Based on the correlation between the value sequence of the verification parameters in the plurality of first data packets and the physical feature information sequence corresponding to the plurality of first data packets, the time node for the target program to verify the verification parameters is determined; A second data packet is sent to the target program, and a fault injection is performed on the hardware carrier at the time node based on the acquired attack parameters, wherein the value of the verification parameter in the second data packet does not meet the preset verification conditions of the target program. Obtain the execution result returned by the target program for the second data packet, and determine whether the vulnerability construction was successful based on the execution result.
2. The method according to claim 1, characterized in that, The physical characteristic information corresponding to each first data packet includes the physical characteristic trajectory of the hardware carrier within a set time window after the first data packet is sent to the target program, wherein the physical characteristic trajectory includes a power consumption trajectory or an electromagnetic radiation trajectory.
3. The method according to claim 2, characterized in that, The step of determining the time point for the target program to verify the verification parameters based on the correlation between the value sequence of the verification parameters in the plurality of first data packets and the physical feature information sequence corresponding to the plurality of first data packets includes: For each sampling moment within the set time window, based on the value of the physical feature trajectory corresponding to each first data packet at that sampling moment, a sequence of physical feature values corresponding to that sampling moment is obtained; Calculate the correlation coefficient between the sequence of physical feature values corresponding to each sampling time and the sequence of values of the verification parameter; The sampling time when the correlation coefficient meets the set requirements is determined as the time node when the target program verifies the verification parameters.
4. The method according to claim 1, characterized in that, The fault injection into the hardware carrier based on the acquired attack parameters at the specified time point includes: Randomly generate attack parameters for this fault injection; After sending the second data packet to the target program, in response to the arrival of the time node, the attack parameters are used to inject faults into the hardware carrier.
5. The method according to claim 1 or 4, characterized in that, The attack parameters include at least a first parameter and a second parameter, wherein the first parameter is used to control the duration of the fault injection, and the second parameter is used to control the strength of the fault injection.
6. The method according to claim 1, characterized in that, The method further includes: If the execution result indicates that the vulnerability construction was unsuccessful, the parameter iteration steps are repeated until the vulnerability construction is determined to be successful. The parameter iteration step includes: Update the attack parameters and resend the second data packet to the target program; After resending the second data packet to the target program, in response to the arrival of the time node, the hardware carrier is injected with faults using the updated attack parameters; Obtain the execution result returned by the target program for the resent second data packet, and determine whether the vulnerability construction was successful based on the execution result.
7. The method according to claim 1, characterized in that, The verification parameters include fields in the data packet used to characterize data length information.
8. The method according to claim 1, characterized in that, The fault injection includes any one of voltage glitch injection, electromagnetic pulse injection, and laser injection.
9. A vulnerability construction device, characterized in that, The device includes: The acquisition unit is used to send multiple first data packets to the target program and acquire the physical feature information generated by the hardware carrier executing the target program when the target program processes each first data packet, wherein the values of the verification parameters in the multiple first data packets are not completely the same. The first determining unit is used to determine the time node when the target program verifies the verification parameters based on the correlation between the value sequence of the verification parameters in the plurality of first data packets and the physical feature information sequence corresponding to the plurality of first data packets. The fault injection unit is used to send a second data packet to the target program and perform fault injection on the hardware carrier at the time node based on the acquired attack parameters, wherein the value of the verification parameter in the second data packet does not meet the preset verification conditions of the target program. The second determining unit is used to obtain the execution result returned by the target program for the second data packet, and to determine whether the vulnerability construction was successful based on the execution result.
10. An electronic device, characterized in that, It includes a processor and a memory, the memory storing machine-executable instructions that can be executed by the processor, the processor being used to execute the machine-executable instructions to implement the method as described in any one of claims 1-8.
11. A machine-readable storage medium, characterized in that, The machine-readable storage medium stores machine-executable instructions, which, when executed by a processor, implement the method as described in any one of claims 1-8.