CN116975869A - Attack defense method and device based on address processing, electronic equipment and medium
- Publication number: CN116975869A (application number CN202211609733.6A)
- Authority: CN (China)
- Prior art keywords: address, storage space, component, information, updated
- Prior art date
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
Description
Technical field
The present application relates to the field of computer security, and in particular to an attack defense method, apparatus, electronic device and medium based on address processing.
Background
In the related art, a large amount of software is developed in a component-based model, and everyday applications contain many open-source or self-implemented modular components. Because no security checks are performed on components when they are used in development, or because disclosed component vulnerabilities are not fixed in subsequent iterations, the software attack surface keeps growing: attackers can easily exploit disclosed or unknown component vulnerabilities to attack the users of these applications, so the security of software data is poor.
Summary of the invention
Embodiments of the present application provide an attack defense method, apparatus, electronic device and medium based on address processing, which can improve the security of component data in an application.
In one aspect, an attack defense method based on address processing is provided, the method comprising:
obtaining first address information in first data corresponding to a first component;
when a first address pointed to by the first address information is an address in a storage space corresponding to a second component, obtaining a first preset identifier corresponding to the first address, the second component being different from the first component;
storing a first association between the first address and the first preset identifier in a first storage space, the first storage space being a storage space outside a target storage space corresponding to the first component;
updating, according to the first preset identifier and the first association, the first address information and first access information of a first object used to access the first address, so that when the first object accesses the first address, it finds the first address according to the updated first address information, the updated first access information and the first association.
In another aspect, an attack defense apparatus based on address processing is provided, comprising:
an obtaining unit, configured to obtain first address information in first data corresponding to a first component;
the obtaining unit being further configured to, when a first address pointed to by the first address information is an address in a storage space corresponding to a second component, obtain a first preset identifier corresponding to the first address, the second component being different from the first component;
a storage unit, configured to store a first association between the first address and the first preset identifier in a first storage space, the first storage space being a storage space outside a target storage space corresponding to the first component;
an updating unit, configured to update, according to the first preset identifier and the first association, the first address information and first access information of a first object used to access the first address, so that when the first object accesses the first address, it finds the first address according to the updated first address information, the updated first access information and the first association.
In another aspect, a computer-readable storage medium is provided, which stores a computer program adapted to be loaded by a processor in order to execute the method described in any of the above embodiments.
In another aspect, a computer device is provided, comprising a processor and a memory, the memory storing a computer program, and the processor being configured to execute the method described in any of the above embodiments by calling the computer program stored in the memory.
In another aspect, a computer program product is provided, comprising computer instructions which, when executed by a processor, implement the method described in any of the above embodiments.
In the embodiments of the present application, first address information in first data corresponding to a first component is obtained; when the first address pointed to by the first address information is an address in the storage space corresponding to a second component, a first preset identifier corresponding to the first address is obtained, the second component being different from the first component; a first association between the first address and the first preset identifier is stored in a first storage space, which is a storage space outside the target storage space corresponding to the first component; and the first address information and the first access information of the first object used to access the first address are updated according to the first preset identifier and the first association, so that when the first object accesses the first address, it finds the first address according to the updated first address information, the updated first access information and the first association. Viewed from the perspective of component addresses, this scheme, whenever component data contains address information pointing to an address outside the storage space corresponding to that component, stores the association between that address and a preset identifier in an independent storage space outside the component's storage space and updates the component data, so that the external address is reached through the preset identifier and the association between identifier and external address held in the independent storage space. This prevents an attacker from using the address information contained in the component data (which points outside the component's storage space) to locate the component data of other components and attack it, and thus effectively improves the security of component data.
Brief description of the drawings
In order to illustrate the technical solutions in the embodiments of the present application more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application; those skilled in the art can obtain other drawings from them without creative effort.
Figure 1a is a first flow diagram of an attack defense method based on address processing provided by an embodiment of the present application;
Figure 1b is a second flow diagram of an attack defense method based on address processing provided by an embodiment of the present application;
Figure 2 is a third flow diagram of an attack defense method based on address processing provided by an embodiment of the present application;
Figure 3 is a flow diagram of transferring the first data to the first storage space provided by an embodiment of the present application;
Figure 4 is a schematic diagram of a data processing method for different types of access requests provided by an embodiment of the present application;
Figure 5 is a flow diagram of triggering garbage collection of the target storage space provided by an embodiment of the present application;
Figure 6 is a fourth flow diagram of an attack defense method based on address processing provided by an embodiment of the present application;
Figure 7 is a schematic structural diagram of an attack defense apparatus based on address processing provided by an embodiment of the present application;
Figure 8 is a schematic structural diagram of a computer device provided by an embodiment of the present application.
Detailed description
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by those skilled in the art based on the embodiments in this application without creative effort fall within the scope of protection of this application.
The embodiments of this application can be applied to various scenarios such as data security, application development and memory management.
Embodiments of the present application provide an attack defense method, apparatus, electronic device and medium based on address processing. Specifically, the attack defense method based on address processing in the embodiments of the present application may be executed by a computer device, which may be a terminal or a server. The terminal may be a smartphone, tablet, laptop, intelligent voice interaction device, smart home appliance, wearable smart device, aircraft, smart in-vehicle terminal or similar device; the terminal may also include a client, such as a video client, browser client or instant messaging client. The server may be an independent physical server, a server cluster or distributed system composed of multiple physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communications, middleware services, domain name services, security services, a Content Delivery Network (CDN), and big data and artificial intelligence platforms.
For example, when the method runs on a terminal, the terminal may download and install the corresponding application; when actually running the method, the terminal displays a graphical user interface and interacts with the user through it. Specifically, the terminal may present the graphical user interface to the user in several ways, for example by rendering it on the terminal's display screen or by holographic projection. For example, the terminal may include a touch display screen and a processor: the touch display screen presents the graphical user interface and receives the operating instructions generated by the user acting on it, and the processor runs the data processing method, generates the graphical user interface, responds to the operating instructions and controls the display of the graphical user interface on the touch display screen.
First, some terms that appear in the description of the embodiments of this application are explained as follows:
Componentization: the standardization work of encapsulating certain reusable functions. A component contains internal UI (User Interface) elements, styles and JavaScript logic code, so that it can be quickly embedded anywhere in an application.
Program instrumentation is a testing method in which probes (also called "detectors"; essentially code segments that collect information, such as assignment statements or function calls that gather coverage information) are inserted into the program while preserving the original logical integrity of the program under test. The probes execute and emit characteristic data about the program's run; analyzing these data yields the program's control-flow and data-flow information and, from that, dynamic information such as logic coverage, which serves the purpose of testing.
Binary vulnerabilities: a class of vulnerabilities in executable files caused by careless coding, which allow an attacker to maliciously modify the memory state of the running program, change the program's normal behaviour and ultimately execute arbitrary commands of the attacker. Common binary vulnerabilities include stack overflow (Stack-Overflow), heap overflow (Heap-Overflow), use-after-free (Use-After-Free), double free (Double-Free) and out-of-bounds access (Out-of-bounds).
Garbage collection: in computer science, garbage collection (GC) is an automatic memory management mechanism. When part of the memory occupied by a program is no longer accessed by that program, the program returns that memory to the operating system with the help of a garbage collection algorithm. Many languages, such as Smalltalk, Java, C#, Go and D, currently support garbage collectors.
Shellcode is a piece of code executed to exploit a software vulnerability; it is machine code in hexadecimal form, so named because it often gives the attacker a shell. Shellcode is usually written in machine language: after the program's execution flow has been taken over, a piece of machine code that the central processing unit (CPU) can execute is inserted, so that the victim executes arbitrary instructions of the attacker.
Return-oriented programming (ROP) is a newer type of attack based on code-reuse techniques, in which the attacker extracts instruction fragments from existing libraries or executables to construct malicious code.
Control-flow integrity (CFI) is a defense method against control-flow hijacking attacks.
AddressSanitizer (ASan) is a fast compiler-based detection tool for detecting memory errors in native code. ASan can detect the following problems: stack and heap buffer overflow/underflow, heap use after free, out-of-scope stack use, and double free/invalid free.
Heap spraying is a technique that makes it easier to obtain an arbitrary-code-execution exploit. Heap spray code attempts to allocate itself over a large area of the process heap and fill that area with commands in the right layout, thereby writing a sequence of commands at a predetermined location in the target process's memory.
In the related art, data security is generally managed by instrumenting the application at compile time, during development, so that the state of memory is checked. However, an application compiled this way is much larger: from the user's perspective it needs more disk space, and routine behaviour such as daily updates greatly increases the traffic between server and client. According to the AddressSanitizer documentation, storage overhead increases by 0.5 to 2 times. Moreover, at run time a large amount of memory is needed to store memory state, and freed memory cannot be reused promptly, which increases run-time memory overhead; and a large number of extra instructions must be run for validity checks on every memory access, which increases CPU usage. According to the AddressSanitizer documentation, CPU overhead and memory overhead are about 2 times what they were before.
In addition, in the related art, general-purpose vulnerability defense methods work in principle by hooking the program's default memory allocation and release functions to update the memory usage state. Some common components, however, use self-implemented allocation and release functions for memory management, so general-purpose defenses cannot detect them and can be bypassed through memory-related vulnerabilities in those components, which is a significant security risk. Moreover, in application development a large amount of software is developed in a component-based model, and everyday applications contain many open-source or self-implemented modular components. Because no security checks are performed on components when they are used in development, or because disclosed component vulnerabilities are not fixed in subsequent iterations, the software attack surface keeps growing: attackers can easily exploit disclosed or unknown component vulnerabilities to attack the users of these applications, so the security of software data is poor.
The present application provides a scheme that can solve at least one of the above technical problems; each is described in detail below. Note that the order in which the following embodiments are described does not limit their priority.
Embodiments of the present application provide an attack defense method based on address processing, which can be executed by a terminal or a server. Optionally, the terminal may specifically be the terminal used by the relevant personnel when developing the corresponding application.
The main goal of the present application is to protect vulnerable modular components in applications, so its application scenarios are broad: it is suitable for protecting all kinds of applications that use complex components on the various operating system platforms. Take an engine component as an example: the engine component is a sub-module of the browser component, and the browser component is often used in application development as the carrier for interface display and interaction and is very widely used in desktop and mobile applications. Developers add this scheme to the browser component they use, then compile and release the program; when a user enters a URL in the address bar or clicks a link inside the application, the browser component containing this scheme is started to load the web page. The scheme for the engine component can be applied to many kinds of applications on Windows and Android, including but not limited to desktop browsers, mobile browsers, instant messaging tools and conferencing tools.
Figure 1a is a first flow diagram of an attack defense method based on address processing provided by an embodiment of the present application. The method comprises S101 to S104:
S101. Obtain first address information in first data corresponding to a first component.
Optionally, the first data corresponding to the first component may be data in the first component.
Optionally, the first address information may be a pointer.
Optionally, the first address pointed to by the first address information may be an address inside the target storage space corresponding to the first component, or an address outside it. When the first address information is within the reach of the attacker's vulnerability and the first address it points to lies outside the target storage space corresponding to the first component (for example in the storage space of another component), the attacker may modify the first address information (such as a pointer) to gain the ability to read and write data in other components and then attack other components of the target application. Therefore, among the multiple components of a target application, an attacker can easily use a component that contains address information to attack the other components.
Optionally, the first component may be a component, among the multiple components of the target application, that contains address information. In some optional embodiments provided by the present application, for determining the first component, the method further comprises S01 to S03:
S01. Obtain the multiple components of the target application;
S02. Determine, among the multiple components, at least some components that contain address information;
S03. Determine the first component according to the at least some components.
In the present application, only the first component containing address information is specially compiled, which saves on the cost of defense.
Optionally, S03, determining the first component according to the at least some components, may comprise: taking any one or each of the at least some components as the first component.
In other optional embodiments provided by the present application, for determining the first component, the method further comprises: obtaining a user's selection instruction for selecting the first component from the multiple components of the target application; and determining the first component according to the selection instruction.
In some scenarios, the user may be the person operating the above terminal or server, and the terminal may have a risk prediction model installed; the risk prediction model evaluates the security of the multiple components of the target application and filters out the first component that is at risk of attack. The user then triggers, through the terminal, the selection instruction for selecting the first component from the multiple components of the target application.
S102、在所述第一地址信息指向的第一地址为第二组件对应的存储空间中的地址时,获取所述第一地址对应的第一预设标识,所述第二组件与所述第一组件不同;S102. When the first address pointed by the first address information is an address in the storage space corresponding to the second component, obtain the first preset identifier corresponding to the first address. The second component and the third component One component is different;
可选地,第二组件可以为目标应用程序的多个组件中,除第一组件以外的任意组件。Optionally, the second component may be any component among multiple components of the target application except the first component.
可选地,第二组件对应的存储空间用于存储所述第二组件对应的数据。Optionally, the storage space corresponding to the second component is used to store data corresponding to the second component.
可选地,第一预设标识可以为预先设置的与第一地址对应的索引信息,索引信息可以使用数字、字母等表示。Optionally, the first preset identification may be preset index information corresponding to the first address, and the index information may be represented by numbers, letters, etc.
可选地,在所述第一地址信息指向的第一地址为目标存储空间中的地址时,不处理。Optionally, when the first address pointed to by the first address information is an address in the target storage space, no processing is performed.
S103、将所述第一地址与所述第一预设标识的第一关联关系存储至第一存储空间,所述第一存储空间为第一组件对应的目标存储空间外的存储空间;S103. Store the first association relationship between the first address and the first preset identification in a first storage space, where the first storage space is a storage space outside the target storage space corresponding to the first component;
可选地,所述第一存储空间除了为第一组件对应的目标存储空间外的存储空间,还为第二组件对应的存储空间外的存储空间。Optionally, the first storage space is not only a storage space other than the target storage space corresponding to the first component, but also a storage space other than the storage space corresponding to the second component.
具体地,第一存储空间处于第一组件所属的应用程序对应的存储空间中除了目标存储空间与第二组件对应的存储空间外的剩余空间内。Specifically, the first storage space is located in the remaining space in the storage space corresponding to the application program to which the first component belongs, except for the target storage space and the storage space corresponding to the second component.
可选地,可以基于硬件的内存加密技术将所述第一地址与所述第一预设标识的第一关联关系存储至上述终端或服务器中的相关芯片中。Optionally, a hardware-based memory encryption technology may be used to store the first association relationship between the first address and the first preset identification in the relevant chip in the above-mentioned terminal or server.
S104. Update, according to the first preset identifier and the first association relationship, the first address information and the first access information of the first object that is used to access the first address, so that when the first object accesses the first address it locates the first address from the updated first address information, the updated first access information and the first association relationship.
In some optional embodiments provided by this application, updating in S104 the first address information and the first access information of the first object used to access the first address according to the first preset identifier and the first association relationship includes: replacing the first address with the first preset identifier, and updating the first access information of the first object used to access the first address according to the first preset identifier and the first association relationship.
Optionally, the first object accesses the first address through the first access information in order to use the data stored at the first address.
Optionally, the first object may be a calling function.
In some embodiments, updating the first access information of the first object used to access the first address according to the first preset identifier and the first association relationship may include: adding code corresponding to the first preset identifier and the first association relationship to the first access information of the first object used to access the first address, so that when a first access request corresponding to the updated first access information is received, the first address is determined from the first preset identifier and the first association relationship, and the data at the first address is taken as the access result corresponding to the first access request. Here the first access information of the first object may be a related access function.
Correspondingly, the method further includes: upon receiving the first access request corresponding to the updated first access information, determining the first address from the first preset identifier and the first association relationship; and taking the data at the first address as the access result corresponding to the first access request.
Specifically, referring to Figure 1b, which is a second flow diagram of the attack defense method based on address processing provided by an embodiment of this application: the second data corresponding to the first component includes the first data corresponding to the first component and a component code segment; the component code segment includes the aforementioned first object; the storage space corresponding to the first component may include a component code segment space for storing the component code segment and a target storage space for storing the first data corresponding to the first component, where the first data corresponding to the first component may be data that the component code segment calls upon. When the first address pointed to by the first address information contained in the first data of the first component is an address in the storage space of the second component, say address A, the first association relationship between the first preset identifier "1" corresponding to that first address and address A is stored in the first storage space, "address A" in the first address information is replaced by "1", and code corresponding to "1" and the first association relationship is added to the first access information of the first object used to access the first address (which may be contained in the component code segment), so that when the terminal receives the first access request corresponding to the updated first access information, address A is determined from "1" and the first association relationship, and the data at address A is taken as the access result corresponding to the first access request.
By obtaining the first address information in the first data corresponding to the first component; obtaining, when the first address pointed to by the first address information is an address in the storage space corresponding to a second component different from the first component, the first preset identifier corresponding to the first address; storing the first association relationship between the first address and the first preset identifier in a first storage space outside the target storage space corresponding to the first component; and updating, according to the first preset identifier and the first association relationship, the first address information and the first access information of the first object used to access the first address, so that the first object locates the first address from the updated first address information, the updated first access information and the first association relationship, the embodiments of this application achieve the following: whenever component data contains address information pointing to an address outside the storage space of that component, the address pointed to and a preset identifier are associated, that association is stored in an independent storage space outside the component's own storage space, and the component data is updated so that an access to the external address must go through the preset identifier and the association held in the independent storage space. This blocks the attacker's path, raises the difficulty of exploiting a vulnerability, and reduces the chance that an attacker uses the address information in one component's data that points outside that component's storage space to attack the component data of other components of the application, effectively improving the security of component data.
In other optional embodiments provided by this application, the first data corresponding to the first component may also be data that has been transferred from the original storage space corresponding to the first component to a target storage space outside that original storage space. Referring to Figure 2, which is a third flow diagram of the attack defense method based on address processing provided by an embodiment of this application, the method further includes S201-S203:
S201. Obtain the first data corresponding to the first component.
S202. Obtain a preset offset.
S203. Transfer the first data corresponding to the first component from the original storage space corresponding to the first component to the target storage space according to the preset offset, the target storage space being a storage space outside the original storage space.
Optionally, the preset offset may be the offset between the start address of the target storage space and the start address of the original storage space.
Optionally, the preset offset may be set by the relevant personnel.
Optionally, the preset offset may also be determined from a received memory allocation request.
In some optional embodiments provided by this application, referring again to Figure 2, the method further includes S301-S303:
S301. Determine whether the first address pointed to by the first address information is an address within the target storage space.
S302. When the first address pointed to by the first address information is an address within the target storage space, obtain the offset of the first address relative to the address of the first address information.
Optionally, the offset of the first address relative to the address of the first address information may be the difference, within the target storage space, between the first address and the address at which the first address information itself is stored.
S303. Update the first address information according to the offset to obtain updated first address information.
Optionally, in S303, updating the first address information according to the offset to obtain updated first address information includes:
determining a corresponding identifier according to the offset; and
replacing the first address pointed to by the first address information with that identifier to obtain the updated first address information.
S304. Update, according to the updated first address information and the address of the first address information, the second access information of the second object used to access the first address, so that when the second object accesses the first address it locates the first address from the updated first address information and the updated second access information.
Optionally, in S304, updating the second access information of the second object used to access the first address according to the updated first address information and the address of the first address information includes:
adding code corresponding to the second association relationship between the updated first address information and the address of the first address information to the second access information of the second object used to access the first address, so that when the terminal receives a second access request corresponding to the updated second access information, the first address is determined from the updated first address information and the second association relationship, and the data at the first address is taken as the access result corresponding to the second access request. Here the second access information of the second object may be a related access function.
Specifically, referring to Figure 3, which is another flow diagram of the attack defense method based on address processing provided by an embodiment of this application: when the first address pointed to by the first address information is an address within the target storage space, say address a, the offset of address a relative to the address of the first address information is obtained, and the first address information is updated according to that offset to obtain the updated first address information. For example, when the first address information is stored at address 0190 and address a is 0194, the offset is 4.
Optionally, when the first data corresponding to the first component contains several pieces of first address information, each is handled according to whether the first address it points to lies in the target storage space corresponding to the first component or in the storage space corresponding to another component (the second component). For example, when the first address pointed to by first address information add1 lies in the target storage space, the offset of the first address relative to the address of add1 is obtained; add1 is updated according to that offset to obtain updated add1; and the second access information of the second object used to access the first address is updated according to the updated add1 and the address of add1, so that when the second object accesses the first address it locates the first address from the updated add1 and the updated second access information. When the first address pointed to by another piece of first address information add2 lies in the storage space corresponding to another component (such as the second component), the first preset identifier corresponding to that first address is obtained; the first association relationship between the first address and the first preset identifier is stored in the first storage space, which is a storage space outside the target storage space corresponding to the first component; and add2 and the first access information of the first object used to access the first address are updated according to the first preset identifier and the first association relationship, so that when the first object accesses the first address it locates the first address from the updated add2, the updated first access information and the first association relationship.
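The add1/add2 handling just described, together with the "address A" to "1" replacement of Figure 1b and the 0190/0194 offset of Figure 3, as one added C example; this is illustration written for this page, not code from the patent. Addresses are offsets into a simulated arena so that it runs stand-alone; the region layout, the list of which words are pointer slots, the rebasing of internal pointers during relocation, the numbering of preset identifiers starting at 1, and every helper name are assumptions made for the example.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t addr_t;          /* addresses are offsets into the simulated arena */

#define ARENA_SIZE    0x1000u
#define ORIG_BASE     0x100u      /* original storage space of the first component (assumed) */
#define TARGET_BASE   0x190u      /* target storage space after relocation (assumed) */
#define REGION_SIZE   0x40u
#define COMP2_BASE    0x800u      /* storage space of the second component (assumed) */
#define COMP2_SIZE    0x40u
#define PRESET_OFFSET (TARGET_BASE - ORIG_BASE)   /* S202 */
#define MAX_ASSOC     16

static uint8_t arena[ARENA_SIZE];

/* First association relationship (S103): preset identifier -> external address.
 * Kept outside the arena, i.e. outside both components' storage spaces. */
static struct { uint32_t id; addr_t addr; } assoc[MAX_ASSOC];
static uint32_t assoc_count;

/* Which words of the component data are pointer slots ("first address information"),
 * as offsets from the region start; assumed to be known from the component layout. */
static const uint32_t slot_offsets[] = { 0x0, 0x4, 0x8 };
#define NSLOTS (sizeof slot_offsets / sizeof slot_offsets[0])

enum slot_result { SLOT_UNCHANGED = 0, SLOT_RELATIVE = 1, SLOT_INDEX = 2 };

static uint32_t rd32(addr_t a) { uint32_t v; memcpy(&v, arena + a, sizeof v); return v; }
static void     wr32(addr_t a, uint32_t v) { memcpy(arena + a, &v, sizeof v); }
static bool     in_range(addr_t a, addr_t base, addr_t size) { return a >= base && a < base + size; }

/* Constructed sample data: three pointer slots in the original space. */
static void setup_example(void)
{
    memset(arena, 0, sizeof arena);
    memset(assoc, 0, sizeof assoc);
    assoc_count = 0;
    wr32(ORIG_BASE + 0x0, ORIG_BASE + 0x4);    /* points inside the component ("address a") */
    wr32(ORIG_BASE + 0x4, COMP2_BASE + 0x10);  /* points into the second component ("address A") */
    wr32(ORIG_BASE + 0x8, 0x300);              /* points somewhere else: left untouched */
    wr32(COMP2_BASE + 0x10, 0xCAFEu);          /* the data stored at address A */
}

/* S201-S203: move the data by the preset offset.  Pointers into the original space
 * are rebased so they land in the target space (an assumption; the patent only says
 * the data is transferred). */
static void relocate_component(void)
{
    memmove(arena + TARGET_BASE, arena + ORIG_BASE, REGION_SIZE);
    memset(arena + ORIG_BASE, 0, REGION_SIZE);
    for (size_t i = 0; i < NSLOTS; i++) {
        addr_t slot = TARGET_BASE + slot_offsets[i];
        uint32_t p = rd32(slot);
        if (in_range(p, ORIG_BASE, REGION_SIZE)) wr32(slot, p + PRESET_OFFSET);
    }
}

/* S301-S303 for targets inside the target space, S102-S104 for targets in the second component. */
static enum slot_result transform_slot(addr_t slot)
{
    addr_t first_addr = rd32(slot);
    if (in_range(first_addr, TARGET_BASE, REGION_SIZE)) {
        wr32(slot, first_addr - slot);        /* offset relative to the slot itself; wraps for negative */
        return SLOT_RELATIVE;
    }
    if (in_range(first_addr, COMP2_BASE, COMP2_SIZE) && assoc_count < MAX_ASSOC) {
        uint32_t id = ++assoc_count;          /* preset identifiers 1, 2, ... (assumed numbering) */
        assoc[id - 1].id = id;
        assoc[id - 1].addr = first_addr;
        wr32(slot, id);                       /* the raw external address no longer appears in the data */
        return SLOT_INDEX;
    }
    return SLOT_UNCHANGED;
}

/* S304: the updated second access information adds the stored offset to the slot address. */
static addr_t resolve_relative(addr_t slot) { return slot + rd32(slot); }

/* S501: the updated first access information looks the identifier up in the association;
 * 0 means the identifier was never issued (a forged or stale value). */
static addr_t resolve_index(addr_t slot)
{
    uint32_t id = rd32(slot);
    for (uint32_t i = 0; i < assoc_count; i++)
        if (assoc[i].id == id) return assoc[i].addr;
    return 0;
}

/* S502: the access result is the data at the resolved address. */
static uint32_t read_via_index(addr_t slot) { addr_t a = resolve_index(slot); return a ? rd32(a) : 0; }

int main(void)
{
    static const char *const names[] = { "unchanged", "relative", "index" };
    setup_example();
    relocate_component();
    for (size_t i = 0; i < NSLOTS; i++) {
        addr_t slot = TARGET_BASE + slot_offsets[i];
        enum slot_result r = transform_slot(slot);
        printf("slot 0x%03x now holds 0x%x (%s)\n", (unsigned)slot, (unsigned)rd32(slot), names[r]);
    }
    printf("relative slot -> 0x%03x, index slot -> 0x%03x holding 0x%x, unissued id -> 0x%x\n",
           (unsigned)resolve_relative(TARGET_BASE), (unsigned)resolve_index(TARGET_BASE + 0x4),
           (unsigned)read_via_index(TARGET_BASE + 0x4), (unsigned)resolve_index(TARGET_BASE + 0x8));
    return 0;
}
```

After the pass, a read of the component data shows 4 and 1 where the addresses 0x194 and 0x810 used to be: the relative form survives relocation unchanged, and the external address exists only in the association table, so an out-of-bounds read of the component data alone no longer yields the second component's address, and an identifier that was never issued resolves to nothing.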
Optionally, the above method further includes: when the first address pointed to by the first address information is not an address within the target storage space, obtaining the first preset identifier corresponding to the first address and performing the aforementioned S103 to S104. In some optional embodiments provided by this application, the method further includes S501-S502:
S501. Upon receiving the first access request corresponding to the updated first access information, determine the first address according to the first preset identifier and the first association relationship.
Optionally, the first association relationship may contain several preset identifiers together with the address corresponding to each; in S501, determining the first address according to the first preset identifier and the first association relationship upon receiving the first access request corresponding to the updated first access information includes: taking, as the first address, the address that the first association relationship maps to the preset identifier equal to the first preset identifier.
S502. Take the data at the first address as the access result corresponding to the first access request.
Optionally, referring further to Figure 4, which is a schematic diagram of a data processing method for different types of access requests, the above method further includes the following S41-S44:
S41. Obtain a pending access request.
Optionally, the access request may be a request to call data while executing the function of the first component after the relevant target application has gone live.
S42. Determine the type of the pending access request.
The type of the pending access request may be a first access request for accessing a first address recorded in the first storage space outside the target storage space corresponding to the first component, where the first access request is specifically the access request corresponding to the first access information of the first object used to access the first address. The first access request may include the first access information of the first object, and the first access information may be a related access function.
In addition, the type of the pending access request may also be a second access request corresponding to the updated second access information.
Optionally, the type of the pending access request may be determined from an identifier carried in the pending access request that indicates its type. S43. If the type of the pending access request is the aforementioned first access request, determine the first address according to the first preset identifier and the first association relationship, and take the data at the first address as the access result corresponding to the first access request.
Optionally, the first association relationship may hold several stored identifiers and a first target address corresponding to each; determining the first address according to the first preset identifier and the first association relationship may include: taking, as the first address, the first target address corresponding to the stored identifier in the first association relationship that equals the first preset identifier.
S44. If the type of the pending access request is the aforementioned second access request, determine the first address according to the updated first address information and the second association relationship, and take the data at the first address as the access result corresponding to the second access request.
Optionally, the second association relationship may contain several pieces of stored address information and a second target address for each; determining the first address according to the updated first address information and the second association relationship includes: taking, as the first address, the second target address corresponding to the stored address information in the second association relationship that equals the updated first address information. In some optional embodiments provided by this application, the method further includes:
When it is determined that the number of memory allocation requests against the target storage space exceeds a first preset count, and/or when it is determined that the proportion of the target storage space that is occupied exceeds a first preset proportion, garbage collection is performed on the target storage space.
Optionally, a memory allocation request against the target storage space may be the memory allocation request generated when the first data corresponding to the first component needs to claim unoccupied memory in the target storage space.
Specifically, as to how garbage collection of the target storage space is triggered, the method further includes S601-S603:
S601. Obtain a first preset count.
Optionally, the first preset count is a count set by the relevant personnel.
Optionally, the first preset count may also be an automatically generated random count.
S602. Whenever a memory allocation request against the target storage space is received, determine the cumulative number of memory allocation requests.
Optionally, a parameter may be kept that records the number of memory allocation requests received so far against the target storage space; its value is the cumulative number of memory allocation requests. Each time a memory allocation request against the target storage space is received, the cumulative count is incremented by one.
Optionally, the cumulative number of memory allocation requests is determined after that increment has been performed.
S603. When the cumulative count exceeds the first preset count, determine that the number of memory allocation requests against the target storage space exceeds the first preset count, reset the cumulative count to zero, obtain a second preset count, adopt the second preset count as the new first preset count, and perform garbage collection on the target storage space; the first preset count and the second preset count are both positive integers.
Optionally, the second preset count is a count set by the relevant personnel.
Optionally, the second preset count may also be an automatically generated random count. Optionally, the method further includes S604-S606:
S604. Obtain a first preset proportion.
Optionally, the first preset proportion is a ratio set by the relevant personnel.
Optionally, the first preset proportion may also be an automatically generated random ratio.
S605. Obtain the proportion of the occupied storage space in the target storage space relative to the size of the target storage space.
S606. When it is determined that the proportion of the target storage space that is occupied is not greater than the first preset proportion, do nothing; when it is determined that the proportion is greater than the first preset proportion, obtain a second preset proportion, adopt the second preset proportion as the new first preset proportion, and perform garbage collection on the target storage space. The second preset proportion is greater than the first preset proportion, and both the first and the second preset proportion are greater than 0 and less than 1.
The above scheme clears the data in the target storage space in a timely manner and disrupts the logic of the original data storage locations, which prevents an attacker from attacking the data on the basis of that original location logic.
Optionally, the aforementioned S604-S606 may also be executed when the cumulative count is not greater than the first preset count; the specific process can be seen in Figure 5.
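The trigger logic of S601-S606, with the occupancy check performed only when the count threshold is not exceeded and both thresholds replaced after each collection, as an added C example that is not the patent's code. The policy structure, the xorshift generator, the used/live accounting and the stub collector are assumptions; a deployment would draw the replacement thresholds from a cryptographically secure generator rather than xorshift, and the collector itself would move or clear objects.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    size_t   capacity;         /* size of the target storage space */
    size_t   used;             /* occupied bytes, garbage included */
    size_t   live;             /* bytes still referenced; what a collection keeps */
    uint32_t alloc_count;      /* cumulative allocation requests (S602) */
    uint32_t count_threshold;  /* current "first preset count" (S601) */
    double   ratio_threshold;  /* current "first preset proportion" (S604), 0 < r < 1 */
    uint32_t gc_runs;
    uint64_t rng;              /* xorshift64 state; production code should use a CSPRNG */
} gc_policy_t;

static uint64_t xorshift64(uint64_t *s)
{
    uint64_t x = *s;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return *s = x;
}

gc_policy_t gc_policy_init(size_t capacity, uint32_t first_count, double first_ratio, uint64_t seed)
{
    gc_policy_t p = {0};
    p.capacity = capacity;
    p.count_threshold = first_count;
    p.ratio_threshold = first_ratio;
    p.rng = seed ? seed : 1;   /* xorshift must not start from 0 */
    return p;
}

/* Stand-in for the collector: reclamation is modelled only as "used" shrinking
 * to "live".  A real collector also moves or clears the objects, which is what
 * changes the layout an attacker relies on. */
static void collect(gc_policy_t *p)
{
    p->used = p->live;
    p->gc_runs++;
}

/* S603: the replacement count is a fresh random positive integer, so the next
 * trigger point cannot be predicted from the previous one. */
static uint32_t next_count_threshold(gc_policy_t *p)
{
    return 1u + (uint32_t)(xorshift64(&p->rng) % 64u);
}

/* S606: the replacement proportion is strictly larger than the current one and
 * still below 1 (halfway between the current value and 1). */
static double next_ratio_threshold(double current)
{
    return (current + 1.0) / 2.0;
}

/* Account for an object that is no longer referenced; its bytes stay "used"
 * until the next collection. */
void gc_release(gc_policy_t *p, size_t bytes)
{
    p->live -= bytes < p->live ? bytes : p->live;
}

/* Called on every memory allocation request against the target space.
 * Returns true when the request triggered a collection. */
bool gc_on_alloc_request(gc_policy_t *p, size_t bytes)
{
    p->used += bytes;
    p->live += bytes;
    p->alloc_count++;                                  /* S602 */
    if (p->alloc_count > p->count_threshold) {         /* S603 */
        p->alloc_count = 0;
        p->count_threshold = next_count_threshold(p);
        collect(p);
        return true;
    }
    /* Count not exceeded: fall through to the occupancy check (S604-S606). */
    double ratio = (double)p->used / (double)p->capacity;   /* S605 */
    if (ratio > p->ratio_threshold) {
        p->ratio_threshold = next_ratio_threshold(p->ratio_threshold);
        collect(p);
        return true;
    }
    return false;
}

int main(void)
{
    gc_policy_t p = gc_policy_init(1000, 3, 0.5, 42);
    for (int i = 0; i < 4; i++)                        /* the 4th request exceeds the count of 3 */
        printf("alloc 100: gc=%d count=%u next_threshold=%u\n",
               (int)gc_on_alloc_request(&p, 100), p.alloc_count, p.count_threshold);
    gc_release(&p, 400);                               /* everything allocated so far is garbage */
    printf("alloc 600: gc=%d used=%zu ratio_threshold=%.2f\n",
           (int)gc_on_alloc_request(&p, 600), p.used, p.ratio_threshold);
    return 0;
}
```

The fourth request trips the count path and the collector runs with a new, unpredictable count threshold; the 600-byte request then trips the occupancy path at 1000/1000 > 0.5, after which the proportion threshold moves to 0.75, so neither trigger repeats at a fixed point an attacker could schedule a heap spray around.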
In some optional embodiments provided by this application, performing garbage collection on the target storage space includes:
for the plurality of pieces of address information in the first data, when their addresses are not contiguous, splicing the pieces of address information together so that their addresses become contiguous.
In other optional embodiments provided by this application, performing garbage collection on the target storage space includes:
for each piece of address information among the plurality in the first data, when the address of that address information has not been accessed for longer than a preset duration, clearing the data at that address.
Because memory in a storage space is allocated by sequentially carving it up, an attacker may be able to predict the memory allocation of a storage space that is never garbage collected, and then use techniques such as heap spraying to place attack objects within the range a vulnerability can affect. In the process above, garbage collection splices and reclaims memory in the target storage space and so breaks up its memory layout; the layout the attacker relies on is broken, so the required layout cannot be constructed, or an error occurs early during garbage collection and the attack path is cut off. The attacker is thus unable to change the memory layout of the target storage space and cannot widen the vulnerability's impact, which effectively improves the security of component data. Moreover, the scheme of this application can generically address the security risks introduced by the piecemeal inclusion of unsafe components in various applications, and also provides a degree of protection against zero-day vulnerabilities.
In some optional embodiments provided by this application, the method further includes S701-S703:
S701. When a data write request against the target storage space is received, set the permissions of the target storage space to readable and writable.
Optionally, the data write request may include the corresponding data. The data write request may be triggered by the user using the above-mentioned terminal or server.
S702. Write the corresponding data according to the data write request.
S703. Set the permissions of the target storage space to readable and executable.
When an attacker has obtained global read and write access to the memory of the target application, they typically tamper with memory that the application itself requested with read, write and execute permissions. The above scheme therefore prevents readable-writable-executable permissions from ever being created, improving the security of component data in the target application.
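S701-S703 on a POSIX system, as an added C example that is not the patent's code: the target storage space is an anonymous mapping that rests as RX, is opened RW only for the duration of a write, and a request for RW plus X is refused before it reaches mprotect. The region structure, the function names and the one-byte payload are assumptions; the example needs a system that permits executable anonymous mappings (some hardened kernels do not).

```c
#define _DEFAULT_SOURCE 1
#include <assert.h>
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

typedef struct {
    uint8_t *base;   /* start of the page-aligned region */
    size_t   len;    /* length in bytes, a multiple of the page size */
    int      prot;   /* protection currently applied */
} wx_region_t;

/* The only place that touches page protections.  PROT_WRITE together with
 * PROT_EXEC is refused outright, so the region is either RW or RX and a
 * readable-writable-executable mapping can never come into being. */
int wx_region_set_prot(wx_region_t *r, int prot)
{
    if ((prot & PROT_WRITE) && (prot & PROT_EXEC)) {
        errno = EINVAL;
        return -1;
    }
    if (mprotect(r->base, r->len, prot) != 0)
        return -1;
    r->prot = prot;
    return 0;
}

/* Create the target storage space and leave it in its resting state: RX. */
int wx_region_create(wx_region_t *r, size_t pages)
{
    long ps = sysconf(_SC_PAGESIZE);
    if (ps <= 0 || pages == 0)
        return -1;
    r->len = (size_t)ps * pages;
    void *m = mmap(NULL, r->len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED)
        return -1;
    r->base = m;
    r->prot = PROT_READ | PROT_WRITE;
    if (wx_region_set_prot(r, PROT_READ | PROT_EXEC) != 0) {
        munmap(m, r->len);
        r->base = NULL;
        return -1;
    }
    return 0;
}

/* S701-S703: a write request opens the space RW, copies the data, and returns it
 * to RX.  Returns 0 on success, -1 (with errno) on failure; if S703 fails the
 * region is left RW, which is still never executable. */
int wx_region_write(wx_region_t *r, size_t off, const void *src, size_t n)
{
    if (r->base == NULL || off > r->len || n > r->len - off) {
        errno = ERANGE;
        return -1;
    }
    if (wx_region_set_prot(r, PROT_READ | PROT_WRITE) != 0)   /* S701 */
        return -1;
    memcpy(r->base + off, src, n);                             /* S702 */
    return wx_region_set_prot(r, PROT_READ | PROT_EXEC);       /* S703 */
}

void wx_region_destroy(wx_region_t *r)
{
    if (r->base != NULL)
        munmap(r->base, r->len);
    r->base = NULL;
    r->len = 0;
}

int main(void)
{
    wx_region_t r;
    if (wx_region_create(&r, 1) != 0) { perror("wx_region_create"); return 1; }
    const uint8_t stub[] = { 0xC3 };       /* constructed payload: a single `ret` on x86-64 */
    if (wx_region_write(&r, 0, stub, sizeof stub) != 0) { perror("wx_region_write"); return 1; }
    printf("after write: prot is %s, first byte 0x%02x\n",
           r.prot == (PROT_READ | PROT_EXEC) ? "RX" : "not RX", r.base[0]);
    if (wx_region_set_prot(&r, PROT_READ | PROT_WRITE | PROT_EXEC) == -1)
        printf("RWX request refused: %s\n", strerror(errno));
    wx_region_destroy(&r);
    return 0;
}
```

The window in which the space is writable is confined to the memcpy inside wx_region_write; an attacker with an arbitrary write primitive who races that window still cannot obtain a page that is writable and executable at the same time, because the single chokepoint rejects that combination.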
In some optional embodiments provided by this application, the method further includes S801-S803:
S801. Obtain a defense instruction entered by the user.
Optionally, the user may trigger the aforementioned defense instruction by clicking a corresponding button; optionally, different buttons may correspond to different target algorithms.
S802. Obtain the target algorithm corresponding to the defense instruction.
S803. Update the second data corresponding to the first component according to the target algorithm.
Optionally, the target algorithm corresponding to the defense instruction may include the Control-Flow Integrity (CFI) scheme of the LLVM compiler toolchain and the CFG (Control Flow Guard) scheme of the Windows compiler toolchain.
Optionally, when the application runs on Android or Linux, the target algorithm corresponding to the defense instruction is the control-flow integrity scheme of the LLVM compiler toolchain; when the application runs on Windows, the target algorithm corresponding to the defense instruction is the CFG of the Windows compiler toolchain.
In some optional embodiments, the aforementioned first association relationship further includes object information of the access object entitled to access the first address, and the method further includes: upon obtaining a first access request, if the object information of the first object carried in the first access request is the same as the object information of that access object, determining the first address according to the first preset identifier and the first association relationship.
进一步地,以下结合具体场景针对本申请进行说明。参见图6,图6为本申请实施例提供的基于地址处理的攻击防御方法的第四流程示意图。本方案分为两个阶段,分别为编译阶段和运行阶段。Further, this application will be described below in conjunction with specific scenarios. Referring to Figure 6, Figure 6 is a fourth schematic flowchart of an attack defense method based on address processing provided by an embodiment of the present application. This program is divided into two stages, namely the compilation stage and the running stage.
可选地,在编译阶段确定易受攻击的第一组件,即确定防御位置。在产品厂商开发新的应用程序或者发布原始应用程序的新版本之前,相关人员可以获取原始应用程序的多个组件,对多个组件中的各组件进行安全性评估,并确定是否存在第一组件,具体的安全性评估方式可以参见上述内容。当不存在第一组件时,不进行处理,当存在第一组件时,对第一组件进行编译,即仅针对易受攻击的组件进行防御,将编译后的第一组件链接到原始应用程序中,得到目标应用程序并发布。Optionally, the first vulnerable component is determined during the compilation phase, i.e. the defense position is determined. Before a product manufacturer develops a new application or releases a new version of the original application, relevant personnel can obtain multiple components of the original application, conduct a security assessment on each of the multiple components, and determine whether the first component exists , please refer to the above content for specific security assessment methods. When the first component does not exist, no processing is performed. When the first component exists, the first component is compiled, that is, only the vulnerable components are defended, and the compiled first component is linked to the original application. , get the target application and publish it.
可选地,在运行阶段,启动目标应用程序,目标应用程序中的第一组件是基于前述四个子机制编译好的组件,该四个子机制分别是内存布局阻断机制、全局内存读写阻断机制、Shellcode执行条件阻断机制和ROP攻击阻断机制。其中,内存布局阻断机制用于执行上述S601-S605;全局内存读写阻断机制用于执行上述S101-S104、S201-S203、S301-S303以及S501-S502;Shellcode执行条件阻断机制用于执行上述S701-S703;ROP攻击阻断机制用于执行上述S801-S803,具体过程可参见上述描述,此处不再赘述。Optionally, during the running phase, the target application is started. The first component in the target application is a component compiled based on the aforementioned four sub-mechanisms. The four sub-mechanisms are the memory layout blocking mechanism and global memory read and write blocking. mechanism, Shellcode execution condition blocking mechanism and ROP attack blocking mechanism. Among them, the memory layout blocking mechanism is used to execute the above S601-S605; the global memory read and write blocking mechanism is used to execute the above S101-S104, S201-S203, S301-S303 and S501-S502; the Shellcode execution condition blocking mechanism is used Execute the above S701-S703; the ROP attack blocking mechanism is used to execute the above S801-S803. For the specific process, please refer to the above description and will not be repeated here.
上述所有的技术方案,可以采用任意结合形成本申请的可选实施例,在此不再一一赘述。All the above technical solutions can be combined in any way to form optional embodiments of the present application, and will not be described again one by one.
To better implement the address-processing-based attack defense method of the embodiments of the present application, an embodiment of the present application further provides an address-processing-based attack defense device. Referring to Figure 7, Figure 7 is a schematic structural diagram of the address-processing-based attack defense device provided by an embodiment of the present application. The address-processing-based attack defense device 70 may include:
an obtaining unit 71, configured to obtain first address information in first data corresponding to a first component;
the obtaining unit 71 being further configured to obtain, when the first address pointed to by the first address information is an address in the storage space corresponding to a second component, a first preset identifier corresponding to the first address, the second component being different from the first component;
a storage unit 72, configured to store a first association relationship between the first address and the first preset identifier in a first storage space, the first storage space being a storage space outside the target storage space corresponding to the first component;
an update unit 73, configured to update, according to the first preset identifier and the first association relationship, the first address information and first access information of a first object used to access the first address, so that when the first object accesses the first address it finds the first address from the updated first address information, the updated first access information and the first association relationship.
In some optional embodiments provided by the present application, when updating the first address information and the first access information of the first object used to access the first address according to the first preset identifier and the first association relationship, the device is specifically configured to:
replace the first address with the first preset identifier, and update the first access information of the first object used to access the first address according to the first preset identifier and the first association relationship.
Optionally, the device is configured to:
on receiving a first access request corresponding to the updated first access information, determine the first address according to the first preset identifier and the first association relationship;
determine the data at the first address as the access result corresponding to the first access request.
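The identifier path of units 71 to 73 and the access procedure just described, combined with the owner check of the earlier optional embodiment (the object information carried in the access request is compared with the registered access object), as an added example in C written for this page. It is not the patent's implementation: `link_table`, `register_address`, `resolve_access`, the `object_info_t` type and the `component_b_storage` buffer are assumed names, the sample data is constructed, and the identifier generator is a stand-in.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_LINKS 16

/* Constructed stand-in for the second component's storage space. */
unsigned char component_b_storage[64] = "config owned by component B";

/* Object information carried by an access request (hypothetical type). */
typedef uint32_t object_info_t;

/* One entry of the first association relationship. */
struct link {
    uint32_t      ident;   /* first preset identifier */
    void         *addr;    /* first address, inside component B's storage */
    object_info_t owner;   /* object information of the permitted accessor */
    int           used;
};

/* The first storage space: lives outside the first component's own storage
 * (here a separate static array), so an overflow inside the component's data
 * cannot reach the table that gives identifiers their meaning. */
static struct link link_table[MAX_LINKS];

/* Identifiers are opaque tokens, not encodings of the address. A linear
 * congruential generator is assumed here only to make them non-sequential;
 * a production implementation would draw them from a CSPRNG. */
static uint32_t next_ident(void) {
    static uint32_t state = 0x5a5a0001u;
    state = state * 1664525u + 1013904223u;
    return state | 1u;             /* 0 is reserved for "no link" */
}

/* Register a cross-component address. Returns the preset identifier that
 * replaces the address in the first component's data, 0 if the table is full. */
uint32_t register_address(void *first_address, object_info_t owner) {
    for (size_t i = 0; i < MAX_LINKS; i++) {
        if (link_table[i].used) continue;
        link_table[i].ident = next_ident();
        link_table[i].addr  = first_address;
        link_table[i].owner = owner;
        link_table[i].used  = 1;
        return link_table[i].ident;
    }
    return 0;
}

/* Resolve a first access request: the identifier is looked up, and the first
 * address is handed out only if the requester's object information matches
 * the registered owner. Every failure yields NULL rather than a guess. */
void *resolve_access(uint32_t ident, object_info_t requester) {
    if (ident == 0) return NULL;
    for (size_t i = 0; i < MAX_LINKS; i++) {
        if (!link_table[i].used || link_table[i].ident != ident) continue;
        return link_table[i].owner == requester ? link_table[i].addr : NULL;
    }
    return NULL;
}

/* The first component's data after the update: the slot that used to hold a
 * raw pointer into component B now holds only the identifier. */
struct component_a_data {
    uint32_t config_ref;   /* was: unsigned char *config */
};

/* Whole flow for component A (object information 7): register the address,
 * keep the identifier, read back through it. Returns the first byte of B's
 * config on success, -1 if resolution was refused. */
int demo_round_trip(void) {
    struct component_a_data a = { 0 };
    a.config_ref = register_address(component_b_storage, 7);
    unsigned char *p = resolve_access(a.config_ref, 7);
    return p ? p[0] : -1;
}
```

The point of keeping `link_table` outside the first component's storage is that a write primitive inside that component can only corrupt identifiers, which then resolve to nothing, rather than redirect an access to an attacker-chosen address; the owner check additionally stops a valid identifier from being replayed by a different object.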
Optionally, the device is further configured to:
obtain the first data corresponding to the first component;
obtain a preset offset;
transfer the first data corresponding to the first component from the original storage space corresponding to the first component to the target storage space according to the preset offset, the target storage space being a storage space outside the original storage space.
Optionally, the device is further configured to:
when the first address pointed to by the first address information is an address within the target storage space, obtain the offset of the first address relative to the address of the first address information;
update the first address information according to the offset to obtain updated first address information;
update second access information of a second object used to access the first address according to the updated first address information and the address of the first address information, so that when the second object accesses the first address it finds the first address from the updated first address information and the updated second access information.
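The offset path above amounts to storing an in-block address as an offset relative to the field that holds it (a self-relative pointer), after which the block can be moved by the preset offset without a fix-up pass. As an added C example written for this page, not the patent's code: `struct node`, `encode_self_relative`, `node_next`, `relocate`, `PRESET_OFFSET` and the sample chain are names and data chosen here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NODES 4

/* A record in the first component's data. `link` is the first address
 * information: before the update it holds the absolute address of the next
 * record; after the update it holds the offset of that record relative to the
 * address of this very field. 0 means "no next record" in both forms. */
struct node {
    int      value;
    intptr_t link;
};

/* The first component's original storage space (constructed sample data). */
struct node sample_block[NODES];

/* The target storage space and the preset offset at which the block lands.
 * The offset must be a multiple of the record alignment; 64 is safe. */
static struct node target_storage[64];
#define PRESET_OFFSET 64

/* Constructed sample: four records chained 0 -> 2 -> 1 -> 3, absolute links. */
void build_sample(struct node *block) {
    for (size_t i = 0; i < NODES; i++) {
        block[i].value = (int)(i + 1) * 10;
        block[i].link  = 0;
    }
    block[0].link = (intptr_t)&block[2];
    block[2].link = (intptr_t)&block[1];
    block[1].link = (intptr_t)&block[3];
}

static int inside(const struct node *block, size_t count, intptr_t addr) {
    intptr_t lo = (intptr_t)block, hi = (intptr_t)(block + count);
    return addr >= lo && addr < hi;
}

/* Update step: rewrite every in-block absolute address as an offset relative
 * to the field holding it. Returns the number of links rewritten, or -1 if a
 * link leaves the block (such addresses belong to the identifier mechanism,
 * not to offset rewriting, so nothing is touched in that case). */
int encode_self_relative(struct node *block, size_t count) {
    for (size_t i = 0; i < count; i++)
        if (block[i].link != 0 && !inside(block, count, block[i].link)) return -1;
    int rewritten = 0;
    for (size_t i = 0; i < count; i++) {
        if (block[i].link == 0) continue;
        block[i].link -= (intptr_t)&block[i].link;
        rewritten++;
    }
    return rewritten;
}

/* Accessor used by the second object: the first address is recovered from
 * the updated address information plus the address of the field itself,
 * wherever the block currently lives. */
struct node *node_next(struct node *n) {
    if (n->link == 0) return NULL;
    return (struct node *)((intptr_t)&n->link + n->link);
}

/* Transfer step: copy the block into the target storage space at the preset
 * offset. Because the links are self-relative, no fix-up pass is needed. */
struct node *relocate(const struct node *block, size_t count) {
    struct node *dst = (struct node *)((unsigned char *)target_storage + PRESET_OFFSET);
    memcpy(dst, block, count * sizeof *block);
    return dst;
}

int sum_chain(struct node *head) {
    int s = 0;
    for (; head != NULL; head = node_next(head)) s += head->value;
    return s;
}

/* A link pointing outside the block must be rejected, never rewritten. */
int demo_external_link_rejected(void) {
    static int elsewhere;
    struct node n[1] = { { 1, (intptr_t)&elsewhere } };
    return encode_self_relative(n, 1);
}
```

A leaked copy of the block, or a leaked offset, reveals the layout inside the block but not where the block is, which is what makes the relocation by a preset offset useful against an attacker who needs absolute addresses.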
Optionally, the device is further configured to:
perform garbage collection on the target storage space when the number of memory allocation requests for the target storage space is determined to exceed a first preset number, and/or when the proportion of occupied space in the target storage space relative to the size of the target storage space is determined to exceed a first preset proportion.
Optionally, the device is further configured to:
on receiving a data write request for the target storage space, set the permissions of the target storage space to readable and writable;
write the corresponding data according to the data write request;
set the permissions of the target storage space to readable and executable.
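The permission toggle above (RX at rest, RW only for the duration of one write request), as an added example using POSIX `mmap` and `mprotect`; the patent does not name an API, and `target_space_create`, `target_space_write` and the fault probe are names chosen for this page, not the patent's code.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* The target storage space: a page-aligned anonymous mapping. */
struct target_space {
    unsigned char *base;
    size_t         len;
};

/* Create the space in its resting state: readable and executable, not writable. */
int target_space_create(struct target_space *ts, size_t want) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return -1;
    ts->len = ((want + (size_t)page - 1) / (size_t)page) * (size_t)page;
    void *p = mmap(NULL, ts->len, PROT_READ | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    ts->base = p;
    return 0;
}

/* Serve one data write request: open an RW window, copy, close it again.
 * Bounds are checked before the window opens, so an oversized request never
 * meets writable memory. Returns 0 on success, -1 otherwise. */
int target_space_write(struct target_space *ts, size_t off, const void *src, size_t n) {
    if (off > ts->len || n > ts->len - off) return -1;
    if (mprotect(ts->base, ts->len, PROT_READ | PROT_WRITE) != 0) return -1;
    memcpy(ts->base + off, src, n);
    /* Restoring RX is part of the same request; a failure here would leave
     * the space writable, so it is reported rather than hidden. */
    return mprotect(ts->base, ts->len, PROT_READ | PROT_EXEC) == 0 ? 0 : -1;
}

void target_space_destroy(struct target_space *ts) {
    if (ts->base) munmap(ts->base, ts->len);
    ts->base = NULL;
    ts->len = 0;
}

/* Probe (a verification aid, not part of the mechanism): attempt a one-byte
 * write outside the window and report whether the kernel refused it. */
static sigjmp_buf probe_env;
static void probe_handler(int sig) { (void)sig; siglongjmp(probe_env, 1); }

int target_space_write_faults(struct target_space *ts, size_t off) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS,  &sa, &old_bus);   /* some platforms raise SIGBUS here */
    int faulted;
    if (sigsetjmp(probe_env, 1) == 0) {
        volatile unsigned char *p = ts->base + off;
        *p = *p;                         /* the write attempt */
        faulted = 0;
    } else {
        faulted = 1;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS,  &old_bus, NULL);
    return faulted;
}

int main(void) {
    struct target_space ts;
    if (target_space_create(&ts, 256) != 0) return 1;
    int locked_before = target_space_write_faults(&ts, 0);
    int wrote = target_space_write(&ts, 0, "hello", 6);
    int locked_after = target_space_write_faults(&ts, 0);
    target_space_destroy(&ts);
    return (locked_before && wrote == 0 && locked_after) ? 0 : 1;
}
```

While the window is open the whole space is writable to every thread in the process, so a write primitive triggered elsewhere in the process during that window also succeeds; keep the window short, check bounds before opening it, and prefer per-thread mechanisms (memory protection keys) where the platform offers them.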
Optionally, the device is further configured to:
obtain a defense instruction input by a user;
obtain the target algorithm corresponding to the defense instruction;
update the second data corresponding to the first component according to the target algorithm.
Optionally, the device is further configured to:
obtain a plurality of components of the target application;
determine, among the plurality of components, at least some components that contain address information;
determine the first component according to the at least some components.
Optionally, the device is further configured to:
obtain a selection instruction of a user for selecting the first component from the plurality of components of the target application;
determine the first component according to the selection instruction.
Each unit of the above address-processing-based attack defense device may be implemented in whole or in part by software, hardware or a combination thereof. Each unit may be embedded in, or independent of, the processor of a computer device in hardware form, or stored in the memory of the computer device in software form so that the processor can call and execute the operations corresponding to each unit.
The address-processing-based attack defense device 70 may be integrated into a terminal or server that has a memory, is equipped with a processor and has computing capability, or the address-processing-based attack defense device 70 may itself be such a terminal or server.
Optionally, the present application further provides a computer device including a memory and a processor, the memory storing a computer program which, when executed by the processor, implements the steps of the above method embodiments.
Figure 8 is a schematic structural diagram of a computer device provided by an embodiment of the present application; the computer device may be a terminal or a server. As shown in Figure 8, the computer device 800 may include a communication interface 801, a memory 802, a processor 803 and a communication bus 804, and the communication interface 801, memory 802 and processor 803 communicate with one another over the communication bus 804. The communication interface 801 is used for data communication between the computer device 800 and external devices. The memory 802 may store software programs and modules, and the processor 803 runs the software programs and modules stored in the memory 802, for example the software programs for the corresponding operations in the foregoing method embodiments.
Optionally, the processor 803 may call the software programs and modules stored in the memory 802 to perform the following operations:
obtain first address information in first data corresponding to a first component;
when the first address pointed to by the first address information is an address in the storage space corresponding to a second component, obtain a first preset identifier corresponding to the first address, the second component being different from the first component;
store a first association relationship between the first address and the first preset identifier in a first storage space, the first storage space being a storage space outside the storage space corresponding to the second component;
update, according to the first preset identifier and the first association relationship, the first address information and the access information of an object used to access the first address, so that when the object accesses the first address it finds the first address from the updated first address information, the updated access information and the first association relationship.
The present application further provides a computer-readable storage medium for storing a computer program. The computer-readable storage medium may be applied to a computer device, and the computer program causes the computer device to perform the corresponding processes of the methods in the embodiments of the present application; for brevity, they are not repeated here.
The present application further provides a computer program product comprising computer instructions stored in a computer-readable storage medium. The processor of a computer device reads the computer instructions from the computer-readable storage medium and executes them, causing the computer device to perform the corresponding processes of the methods in the embodiments of the present application; for brevity, they are not repeated here.
The present application further provides a computer program comprising computer instructions stored in a computer-readable storage medium. The processor of a computer device reads the computer instructions from the computer-readable storage medium and executes them, causing the computer device to perform the corresponding processes of the methods in the embodiments of the present application; for brevity, they are not repeated here.
It should be understood that the processor of the embodiments of the present application may be an integrated circuit chip with signal processing capability. During implementation, the steps of the above method embodiments may be completed by integrated logic circuits of hardware in the processor or by instructions in software form. The processor may be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute the methods, steps and logical block diagrams disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments of the present application may be embodied directly as execution by a hardware decoding processor, or as execution by a combination of hardware and software modules in a decoding processor. The software module may reside in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or a register. The storage medium is located in the memory; the processor reads the information in the memory and completes the steps of the above methods in combination with its hardware.
It can be understood that the memory in the embodiments of the present application may be volatile memory or non-volatile memory, or may include both. The non-volatile memory may be read-only memory (ROM), programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM) or flash memory. The volatile memory may be random access memory (RAM), used as an external cache. By way of example and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct Rambus RAM (DR RAM). It should be noted that the memory of the systems and methods described herein is intended to include, without limitation, these and any other suitable types of memory.
It should be understood that the above memories are illustrative and not limiting; for example, the memory in the embodiments of the present application may also be SRAM, DRAM, SDRAM, DDR SDRAM, ESDRAM, SLDRAM, DR RAM and so on. That is, the memory in the embodiments of the present application is intended to include, without limitation, these and any other suitable types of memory.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of the present application.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
In the several embodiments provided in the present application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into units is only a logical functional division, and other divisions are possible in actual implementation, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, devices or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application, in essence, or the part contributing to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including several instructions for causing a computer device (which may be a personal computer or a server) to perform all or part of the steps of the methods described in the embodiments of the present application. The storage medium includes a USB flash drive, a removable hard disk, ROM, RAM, a magnetic disk, an optical disc or any other medium capable of storing program code.
The above are merely specific embodiments of the present application, but the scope of protection of the present application is not limited thereto. Any variation or substitution readily conceivable by a person skilled in the art within the technical scope disclosed in the present application shall fall within the scope of protection of the present application. Therefore, the scope of protection of the present application shall be subject to the scope of protection of the claims.
Claims (14)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211609733.6A CN116975869A (en) | 2022-12-14 | 2022-12-14 | Attack defense method and device based on address processing, electronic equipment and medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116975869A true CN116975869A (en) | 2023-10-31 |
Family
ID=88483807
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211609733.6A Pending CN116975869A (en) | 2022-12-14 | 2022-12-14 | Attack defense method and device based on address processing, electronic equipment and medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116975869A (en) |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination |