CN115292707A - Credibility judgment method and device based on dynamic class call sequence - Google Patents
Credibility judgment method and device based on dynamic class call sequence
- Publication number
- CN115292707A
- Application number
- CN202210771541.9A
- Authority
- CN
- China
- Prior art keywords
- class
- dynamic
- target
- target class
- dynamic class
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Stored Programmes (AREA)
Abstract
An embodiment of the present invention provides a credibility judgment method and device based on a dynamic class call sequence. The method applies to a business system developed in the Java language and includes: in response to the Java virtual machine loading a target class, judging whether the target class is a dynamic class; if the target class is a dynamic class, judging whether the call sequence of the target class in the stack information corresponding to the dynamic class is included in a dynamic class call sequence whitelist; and, if that call sequence is not included in the whitelist, determining that the target class is untrusted, intercepting the loading of the target class, and generating alarm information. Embodiments of the present invention can prevent attackers from carrying out attacks by constructing malicious dynamic classes, thereby achieving security protection.
Description
Technical field
The invention relates to the technical field of Java server security, and in particular to a credibility judgment method and device based on a dynamic class call sequence.
Background
While a Java program runs, many class objects are created. Depending on whether the class file exists before the Java Virtual Machine (JVM) runs, classes can be divided into static classes and dynamic classes. The malicious classes used in many Java attacks are carefully constructed by the attacker and are loaded only after the JVM has started; they are therefore dynamic classes. Malicious dynamic classes are usually handled by setting monitoring points that match black rules and raising an alert when command execution hits a black rule. However, black-rule matching can protect only against known vulnerabilities, the judgment is made only at the moment malicious command execution is triggered, and a large number of monitoring points degrades system performance. Here a black rule is a rule that has already been discovered, is harmful, and can be exploited to launch an attack. Vulnerabilities arise from rules: by analysing the principle behind a known vulnerability, the rule that produces it is treated as a dangerous, untrusted black rule. In existing protection, whenever a black rule is triggered, the known vulnerability is assumed to be under exploitation.
Summary of the invention
To address the problems in the prior art, an embodiment of the present invention provides a credibility judgment method and device based on a dynamic class call sequence.
Specifically, embodiments of the present invention provide the following technical solutions:
In a first aspect, an embodiment of the present invention provides a credibility judgment method based on a dynamic class call sequence, applied to a business system developed in the Java language, including:
in response to the Java virtual machine loading a target class, judging whether the target class is a dynamic class;
if the target class is a dynamic class, judging whether the call sequence of the target class in the stack information corresponding to the dynamic class is included in a dynamic class call sequence whitelist;
if the call sequence of the target class in the stack information corresponding to the dynamic class is not included in the dynamic class call sequence whitelist, determining that the target class is untrusted, intercepting the loading of the target class, and generating alarm information.
Further, before judging, in response to the Java virtual machine loading the target class, whether the target class is a dynamic class, the method also includes:
simulating execution of the source code of the business system to trigger the generation of the various dynamic classes;
obtaining the call sequence produced in the corresponding stack information when each dynamic class is generated, and generating the dynamic class call sequence whitelist, where each dynamic class corresponds to one piece of stack information.
Further, each piece of stack information contains multiple class methods, and obtaining the call sequence produced in the corresponding stack information when each dynamic class is generated and generating the dynamic class call sequence whitelist includes:
analysing each class method one by one, starting from the end of the corresponding stack information and working upward;
determining a group of class methods that satisfies the dynamic class call sequence closure principle as the call sequence produced when one dynamic class is generated;
recording the determined call sequences to obtain the dynamic class call sequence whitelist.
Further, the dynamic class call sequence closure principle is: the class methods belong to one framework, are unrelated to the business, are templated, have fixed content, and are not affected by parameters or by the object that calls the class method.
Further, judging, in response to the Java virtual machine loading the target class, whether the target class is a dynamic class includes:
in response to the Java virtual machine loading the target class, judging whether the name of the target class is the name of a class in the source code of the business system;
if the name of the target class is the name of a class in the source code of the business system, determining that the target class is a static class;
if the name of the target class is not the name of a class in the source code of the business system, determining that the target class is a dynamic class.
Further, before judging, in response to the Java virtual machine loading the target class, whether the target class is a dynamic class, the method also includes:
scanning the source code of the business system and recording the names of the classes in the source code of the business system.
Further, after judging, if the target class is a dynamic class, whether the call sequence of the target class in the stack information is included in the dynamic class call sequence whitelist, the method also includes:
if the call sequence of the target class in the stack information corresponding to the dynamic class is included in the dynamic class call sequence whitelist, determining that the target class is trusted and executing the loading of the target class.
In a second aspect, an embodiment of the present invention also provides a credibility judgment device based on a dynamic class call sequence, applied to a business system developed in the Java language, including:
a dynamic class judgment module, configured to judge, in response to the Java virtual machine loading a target class, whether the target class is a dynamic class;
a credibility judgment module, configured to judge, if the target class is a dynamic class, whether the call sequence of the target class in the stack information corresponding to the dynamic class is included in a dynamic class call sequence whitelist;
an interception and alarm module, configured to determine, if the call sequence of the target class in the stack information corresponding to the dynamic class is not included in the dynamic class call sequence whitelist, that the target class is untrusted, intercept the loading of the target class, and generate alarm information.
In a third aspect, an embodiment of the present invention also provides an electronic device including a memory, a processor, and a computer program stored in the memory and runnable on the processor, where the processor, when executing the program, implements the steps of the credibility judgment method based on a dynamic class call sequence of the first aspect.
In a fourth aspect, an embodiment of the present invention also provides a non-transitory computer-readable storage medium storing a computer program that, when executed by a processor, implements the steps of the credibility judgment method based on a dynamic class call sequence of the first aspect.
In a fifth aspect, an embodiment of the present invention also provides a computer program product storing executable instructions that, when executed by a processor, cause the processor to implement the steps of the credibility judgment method based on a dynamic class call sequence of the first aspect.
The credibility judgment method and device based on a dynamic class call sequence provided by embodiments of the present invention apply to a business system developed in the Java language. In response to the Java virtual machine loading a target class, they judge whether the target class is a dynamic class; if it is, they judge whether the call sequence of the target class in the stack information corresponding to the dynamic class is included in the dynamic class call sequence whitelist; if it is not, they determine that the target class is untrusted, intercept the loading of the target class, and generate alarm information. By using the whitelist, at the moment the Java virtual machine loads a dynamic class, to judge whether the call sequence that the loaded class produces in the stack information is trusted, and by intercepting the load and raising an alarm when that call sequence is untrusted, attackers are prevented from carrying out attacks by constructing malicious dynamic classes, which achieves security protection. Because the interception takes place when the virtual machine loads the class, a malicious dynamic class is stopped before it enters the virtual machine and triggers the execution of malicious commands; and because the judgment is made against a whitelist of dynamic class call sequences rather than against rules for known attacks, the method also protects against unknown vulnerabilities and deals effectively with Java script attacks.
Description of drawings
To illustrate the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of the credibility judgment method based on a dynamic class call sequence provided by an embodiment of the present invention;
Fig. 2 is a schematic flowchart of generating the dynamic class call sequence whitelist provided by an embodiment of the present invention;
Fig. 3 is a schematic flowchart of another credibility judgment method based on a dynamic class call sequence provided by an embodiment of the present invention;
Fig. 4 is a schematic flowchart of an application scenario of the method for analysing execution permissions based on bytecode provided by the present invention;
Fig. 5 is a schematic structural diagram of the credibility judgment device based on a dynamic class call sequence provided by an embodiment of the present invention;
Fig. 6 is a schematic diagram of the physical structure of the electronic device provided by an embodiment of the present invention.
Detailed description
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by persons of ordinary skill in the art from these embodiments without creative effort fall within the protection scope of the present invention.
The credibility judgment method based on a dynamic class call sequence provided by embodiments of the present invention is described below with reference to Figs. 1 to 4.
Referring to Fig. 1, a schematic flowchart of the credibility judgment method based on a dynamic class call sequence provided by an embodiment of the present invention, the method shown in Fig. 1 can be applied to a business system developed in the Java language and can be executed by a credibility judgment device based on a dynamic class call sequence, which can be deployed on the server of the business system. The embodiment does not limit the type of business system or of server: for example, the business system may be a financial business system, and the server may be a physical server consisting of an independent host, a virtual server hosted by a host cluster, or a cloud server. As shown in Fig. 1, the credibility judgment method based on a dynamic class call sequence includes at least:
101. In response to the Java virtual machine loading a target class, judge whether the target class is a dynamic class.
In this embodiment, a static class is a class that exists before the Java virtual machine runs and whose .class file can be found in the operating system's storage; a dynamic class is a class generated while the Java virtual machine is running, which would not exist if the virtual machine were not running, and which generally lives only in the operating system's working memory without ever being written out as a class file. When the server of the business system loads a target class through the Java virtual machine, it can first judge whether the loaded target class is dynamic, for example by consulting the source code of the business system: if the name of the target class appears in the source code of the business system, the target class is static; if it does not, the target class is dynamic.
This embodiment does not limit how the judgment is implemented. For example, when the Java virtual machine loads the target class, a hook function can obtain the name of the target class, and whether the target class is dynamic is then decided against the pre-recorded names of the classes in the source code of the business system.
102. If the target class is a dynamic class, judge whether the call sequence of the target class in the stack information corresponding to the dynamic class is included in the dynamic class call sequence whitelist.
In this embodiment, each dynamic class produces one piece of stack information when it is generated, and that stack information contains multiple class methods of the dynamic class. The record of the dynamic class's execution process formed by those class methods is called the call sequence of the dynamic class. Therefore, once the target class has been judged dynamic, the stack information can be obtained and the call sequence of the target class in it checked against the dynamic class call sequence whitelist. The whitelist consists of the trusted call sequences produced when the dynamic classes of the corresponding business system are generated; each business system has its own dynamic class call sequence whitelist.
For example, when the dynamic class named com.jvm.work.agentaop.JDKProxy is generated, the call sequence produced in the stack information is:
java.lang.reflect.Proxy.newProxyInstance ->
java.lang.reflect.Proxy.getProxyClass0 ->
java.lang.reflect.WeakCache.get ->
java.lang.reflect.WeakCache$Factory.get ->
java.lang.reflect.Proxy$ProxyClassFactory.apply ->
java.lang.reflect.Proxy$ProxyClassFactory.apply ->
java.lang.reflect.Proxy.access$300 ->
java.lang.reflect.Proxy.defineClass0
where newProxyInstance, getProxyClass0, WeakCache.get, ..., defineClass0 are the names of class methods.
103. If the call sequence of the target class in the stack information corresponding to the dynamic class is not included in the dynamic class call sequence whitelist, determine that the target class is untrusted, intercept the loading of the target class, and generate alarm information.
In this embodiment, when the target class is a dynamic class and it is further determined that the call sequence of the target class in the corresponding stack information is not included in the dynamic class call sequence whitelist, the call sequence of the target class is untrusted, which indicates that the target class is malicious. The loading of the target class can then be intercepted so that it never enters the Java virtual machine for execution, and alarm information is generated.
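The following is an added example, written for this page rather than taken from the patent, of the runtime decision in steps 101 to 103 expressed as plain Java (11 or later). It assumes that a load hook has already obtained the class name and a stack from Thread.currentThread().getStackTrace(), which is consistent with the java.lang.Thread.getStackTrace and sun.instrument frames visible in the stack listings on this page, and it treats "included in the whitelist" as "one whitelisted sequence appears as an unbroken run of frames inside the captured stack". The class names DynamicClassGuard, com.example.app.OrderService, generated.ProxyExample and com.example.unknown.* are made up for the demonstration; the whitelist entry and the first stack are the ones listed on this page.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/**
 * Runtime side of steps 101-103: classify a class being loaded as static or dynamic by
 * name, then accept a dynamic class only if a whitelisted call sequence appears in the
 * stack captured at load time. Example code written for this page; every class, method
 * and package name below is an assumption, not the patent's implementation.
 */
public class DynamicClassGuard {

    public enum Decision { STATIC, TRUSTED_DYNAMIC, BLOCKED_DYNAMIC }

    private final Set<String> sourceClassNames;   // class names recorded by scanning the source (step 301)
    private final List<List<String>> whitelist;   // entries in caller-first order, as listed on the page

    public DynamicClassGuard(Set<String> sourceClassNames, List<List<String>> whitelist) {
        this.sourceClassNames = sourceClassNames;
        this.whitelist = whitelist;
    }

    /** Step 101: a class whose name was not seen in the scanned source is treated as dynamic. */
    public boolean isDynamic(String className) {
        return !sourceClassNames.contains(className);
    }

    /**
     * Steps 102 and 103. {@code stack} is what Thread.currentThread().getStackTrace() returns
     * inside the load hook, i.e. innermost frame first.
     */
    public Decision check(String className, StackTraceElement[] stack) {
        if (!isDynamic(className)) {
            return Decision.STATIC;
        }
        List<String> sequence = callerFirstSequence(stack);
        for (List<String> trusted : whitelist) {
            if (containsContiguous(sequence, trusted)) {
                return Decision.TRUSTED_DYNAMIC;   // trusted: let the load proceed
            }
        }
        // No whitelisted sequence in the stack: refuse the load and emit the alarm record.
        System.err.println("ALERT untrusted dynamic class " + className
                + " loaded via " + String.join(" -> ", sequence));
        return Decision.BLOCKED_DYNAMIC;
    }

    /** Reverse the JVM's innermost-first order so sequences read like the page's "a -> b" listings. */
    static List<String> callerFirstSequence(StackTraceElement[] stack) {
        List<String> out = new ArrayList<>();
        for (int i = stack.length - 1; i >= 0; i--) {
            out.add(stack[i].getClassName() + "." + stack[i].getMethodName());
        }
        return out;
    }

    /** True when {@code needle} occurs as an unbroken run inside {@code haystack}. */
    static boolean containsContiguous(List<String> haystack, List<String> needle) {
        for (int start = 0; !needle.isEmpty() && start + needle.size() <= haystack.size(); start++) {
            if (haystack.subList(start, start + needle.size()).equals(needle)) {
                return true;
            }
        }
        return false;
    }

    /** Build a frame from a "package.Class.method" string (for constructed test input only). */
    static StackTraceElement frame(String qualified) {
        int dot = qualified.lastIndexOf('.');
        return new StackTraceElement(qualified.substring(0, dot), qualified.substring(dot + 1), null, -1);
    }

    public static void main(String[] args) {
        // Constructed whitelist: the java.lang.reflect.Proxy sequence listed on this page.
        List<String> proxyEntry = List.of(
                "java.lang.reflect.Proxy.newProxyInstance", "java.lang.reflect.Proxy.getProxyClass0",
                "java.lang.reflect.WeakCache.get", "java.lang.reflect.WeakCache$Factory.get",
                "java.lang.reflect.Proxy$ProxyClassFactory.apply", "java.lang.reflect.Proxy$ProxyClassFactory.apply",
                "java.lang.reflect.Proxy.access$300", "java.lang.reflect.Proxy.defineClass0");
        DynamicClassGuard guard = new DynamicClassGuard(
                Set.of("com.example.app.OrderService"), List.of(proxyEntry));

        // Constructed stack (innermost first) as the hook would see it for the page's JDKProxy example.
        StackTraceElement[] proxyStack = {
                frame("java.lang.Thread.getStackTrace"), frame("com.jvm.work.agent.MyMonitorTransformer.transform"),
                frame("sun.instrument.TransformerManager.transform"), frame("sun.instrument.InstrumentationImpl.transform"),
                frame("java.lang.reflect.Proxy.defineClass0"), frame("java.lang.reflect.Proxy.access$300"),
                frame("java.lang.reflect.Proxy$ProxyClassFactory.apply"), frame("java.lang.reflect.Proxy$ProxyClassFactory.apply"),
                frame("java.lang.reflect.WeakCache$Factory.get"), frame("java.lang.reflect.WeakCache.get"),
                frame("java.lang.reflect.Proxy.getProxyClass0"), frame("java.lang.reflect.Proxy.newProxyInstance"),
                frame("com.jvm.work.agentaop.JDKProxy.getProxyInstance")};
        System.out.println("proxy path: " + guard.check("generated.ProxyExample", proxyStack));

        // Constructed stack for a class defined through a path that is not on the whitelist.
        StackTraceElement[] otherStack = {
                frame("java.lang.Thread.getStackTrace"), frame("com.jvm.work.agent.MyMonitorTransformer.transform"),
                frame("java.lang.ClassLoader.defineClass"), frame("com.example.unknown.Loader.load")};
        System.out.println("other path: " + guard.check("com.example.unknown.Generated", otherStack));
        System.out.println("source class: " + guard.check("com.example.app.OrderService", proxyStack));
    }
}
```

Running the main method yields TRUSTED_DYNAMIC for the Proxy path, BLOCKED_DYNAMIC (with the alarm line on stderr) for the unknown path, and STATIC for the class recorded from the source. One caveat for anyone wiring this into a java.lang.instrument agent: a ClassFileTransformer cannot veto a class definition, because the JVM treats an exception thrown by a transformer the same as returning null and defines the class anyway, so the "intercept the load" step of the patent needs a hook that sits on the definition path itself (the patent only says "hook function" and does not specify which); this example therefore returns the decision and leaves the enforcement point to the caller.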
The credibility judgment method based on a dynamic class call sequence provided by this embodiment applies to a business system developed in the Java language. In response to the Java virtual machine loading a target class, it judges whether the target class is a dynamic class; if it is, it judges whether the call sequence of the target class in the stack information corresponding to the dynamic class is included in the dynamic class call sequence whitelist; if it is not, it determines that the target class is untrusted, intercepts the loading of the target class, and generates alarm information. By using the whitelist, at the moment the Java virtual machine loads a dynamic class, to judge whether the call sequence that the loaded class produces in the stack information is trusted, and by intercepting the load and raising an alarm when that call sequence is untrusted, attackers are prevented from carrying out attacks by constructing malicious dynamic classes, which achieves security protection. Because the interception takes place when the virtual machine loads the class, a malicious dynamic class is stopped before it enters the virtual machine and triggers the execution of malicious commands; and because the judgment is made against a whitelist of dynamic class call sequences, the method also protects against unknown vulnerabilities and deals effectively with Java script attacks.
Referring to Fig. 2, a schematic flowchart of generating the dynamic class call sequence whitelist provided by an embodiment of the present invention, and as shown in Fig. 2, before judging, in response to the Java virtual machine loading a target class, whether the target class is a dynamic class, the method also includes at least:
201. Simulate execution of the source code of the business system to trigger the generation of the various dynamic classes.
In this embodiment, the source code of the business system can include the Java Development Kit (JDK) and the business project source code; the business project source code may be code developed for specific needs on top of a commonly used third-party framework such as Tomcat, Spring, Spring Boot or WebLogic. Tools such as ASM and Javassist can be used to simulate execution of the source code of the business system, running the business project source code on the JDK and triggering the generation of the various dynamic classes, for example dynamic proxy classes based on Spring AOP, Hibernate and CGLIB.
202. Obtain the call sequence produced in the corresponding stack information when each dynamic class is generated, and generate the dynamic class call sequence whitelist; each dynamic class corresponds to one piece of stack information.
In this embodiment, during simulated execution of the source code of the business system, one piece of stack information can be obtained for each dynamic class generated; each piece of stack information corresponds to the trusted call sequence produced by one dynamic class, and the dynamic class call sequence whitelist of the business system is built from the trusted call sequences obtained. In some optional examples, since each piece of stack information contains multiple class methods, each class method can be analysed one by one starting from the end of the corresponding stack information and working upward; a group of class methods that satisfies the dynamic class call sequence closure principle is determined to be the call sequence produced when one dynamic class is generated, and the determined call sequences are recorded to obtain the dynamic class call sequence whitelist. Optionally, the dynamic class call sequence closure principle is: the class methods belong to one framework, are unrelated to the business, are templated, have fixed content, and are not affected by the two external factors of parameters and the object that calls the class method. In some optional examples, the trusted call sequence produced by each dynamic class can be written to a designated file, and that file serves as the dynamic class call sequence whitelist.
For example, the stack information is:
com.jvm.work.agentaop.JDKProxy.getProxyInstance ->
java.lang.reflect.Proxy.newProxyInstance ->
java.lang.reflect.Proxy.getProxyClass0 ->
java.lang.reflect.WeakCache.get ->
java.lang.reflect.WeakCache$Factory.get ->
java.lang.reflect.Proxy$ProxyClassFactory.apply ->
java.lang.reflect.Proxy$ProxyClassFactory.apply ->
java.lang.reflect.Proxy.access$300 ->
java.lang.reflect.Proxy.defineClass0 ->
sun.instrument.InstrumentationImpl.transform ->
sun.instrument.TransformerManager.transform ->
com.jvm.work.agent.MyMonitorTransformer.transform ->
java.lang.Thread.getStackTrace -> ...
从堆栈信息的末尾开始向上逐个分析每一个类方法,从类方法java.lang.reflect.Proxy.defineClass0开始向上追溯,看类方法的参数和调用类方法的对象,以及代码的具体实现内容,发现Proxy这个框架生成的动态类都是由类方法java.lang.reflect.Proxy.newProxyInstance开始,并且生成的动态类的内容是固定的、模板化的、不受参数和调用类方法的对象两个外部因素影响,那么由这些类方法构成的这个流程就满足动态类调用序列封闭原则,可以认为是可信的调用序列,记录到白名单中。其中从堆栈信息中获取的可信的调用序列为:Analyze each class method one by one from the end of the stack information, trace upwards from the class method java.lang.reflect.Proxy.defineClass0, look at the parameters of the class method, the object calling the class method, and the specific implementation content of the code, and find that The dynamic classes generated by the Proxy framework start with the class method java.lang.reflect.Proxy.newProxyInstance, and the content of the generated dynamic classes is fixed, templated, and not subject to parameters and objects that call class methods. Influenced by factors, the process composed of these class methods satisfies the closed principle of dynamic class call sequence, and can be considered as a credible call sequence, which is recorded in the whitelist. The credible call sequence obtained from the stack information is:
java.lang.reflect.Proxy.newProxyInstance ->
java.lang.reflect.Proxy.getProxyClass0 ->
java.lang.reflect.WeakCache.get ->
java.lang.reflect.WeakCache$Factory.get ->
java.lang.reflect.Proxy$ProxyClassFactory.apply ->
java.lang.reflect.Proxy$ProxyClassFactory.apply ->
java.lang.reflect.Proxy.access$300 ->
java.lang.reflect.Proxy.defineClass0
In this embodiment, the source code of the business system is executed in simulation to trigger the generation of the various dynamic classes; the trusted call sequence produced in the stack information when each dynamic class is generated is obtained, and the dynamic class call sequence whitelist is generated from these sequences. The whitelist thus produced contains the trusted call sequences produced when all dynamic classes of the business system are generated, and provides the basis for judging, against the whitelist, the credibility of a target class loaded by the Java virtual machine.
Please refer to FIG. 3, which is a schematic flowchart of another credibility judgment based on a dynamic class call sequence provided by an embodiment of the present invention. As shown in FIG. 3, the method at least includes:
301. In response to the Java virtual machine loading a target class, judge whether the name of the target class is the name of a class in the source code of the business system.
If the name of the target class is the name of a class in the source code of the business system, determine that the target class is a static class; if it is not, execute 302.
302. Determine that the target class is a dynamic class, and judge whether the call sequence of the target class in the stack information corresponding to the dynamic class is included in the dynamic class call sequence whitelist.
In some optional examples, when the Java virtual machine loads a target class, it can notify a Hook function through a callback. The Hook function obtains the name of the loaded target class and judges, against the class names in the source code of the business system, whether that name is the name of a class in the source code. If the name of the target class is not a class name in the source code of the business system, the target class is not part of that source code and can be determined to be a dynamic class; it can then be further judged whether the call sequence of the target class in the stack information corresponding to the dynamic class is included in the dynamic class call sequence whitelist. If the name of the target class is a class name in the source code of the business system, the target class is in the source code and can be determined to be a static class. Optionally, after the target class is determined to be a static class, it may be treated as a safe class and control returned to the Java virtual machine to load it, or its credibility may be further judged by other methods of judging the credibility of static classes; the embodiments of the present invention do not limit this.
In some optional examples, before judging, in response to the Java virtual machine loading the target class, whether the name of the target class is the name of a class in the source code of the business system, the source code of the business system can be scanned and the names of the classes in it recorded, which provides the basis for judging, by class name, whether the target class is a dynamic class.
If the call sequence of the target class in the stack information corresponding to the dynamic class is not included in the dynamic class call sequence whitelist, execute 303; if it is included, execute 304.
303. Determine that the target class is untrusted, intercept the loading of the target class, and generate alarm information.
304. Determine that the target class is trusted, and execute the loading of the target class.
In some optional examples, after the Hook function has further judged whether the call sequence of the target class in the stack information corresponding to the dynamic class is included in the dynamic class call sequence whitelist: if it is not included, the call sequence of the target class is untrusted and the target class is a malicious class, so the loading of the target class can be intercepted to prevent it from entering the Java virtual machine for execution, and alarm information is generated; if it is included, the call sequence of the target class is trusted and the target class is a safe class, so control can be returned to the Java virtual machine to load the target class, which then enters the Java virtual machine for execution.
In this embodiment, when the Java virtual machine loads a target class, whether the target class is a dynamic class is judged from the class names in the source code of the business system, and after the target class is determined to be a dynamic class, whether its call sequence is a trusted call sequence is judged against the dynamic class call sequence whitelist. Dynamic and static classes can thus be accurately distinguished, the credibility of a dynamic class can be judged from the call sequence in its stack information, and the accuracy of the credibility judgment of classes can be ensured in a simple way.
Please refer to FIG. 4, which is a schematic diagram of an application scenario of the credibility judgment method based on a dynamic class call sequence provided by an embodiment of the present invention. As shown in FIG. 4, the method at least includes:
1. Collect and analyze the source code of the JDK and of the business project, and trigger the generation of the various dynamic classes, for example dynamic proxy classes based on Spring AOP, Hibernate and Cglib.
2. Obtain the stack information produced when each dynamic class is generated. Each dynamic class corresponds to one piece of stack information, and one piece of stack information includes multiple class methods; this record of the running process of the dynamic class, composed of its multiple class methods, can be called the trusted call sequence produced by the dynamic class.
Starting from the end of the stack information, analyze each class method one by one upwards until a group of class methods is confirmed that satisfies the dynamic class call sequence closure principle; that group of class methods is then taken as the trusted call sequence produced by one dynamic class.
Dynamic class call sequence closure principle: the methods belong to one framework, are unrelated to the business, are templated, have fixed content, and are not affected by the two external factors of the parameters and of the object calling the class method.
3. Write the trusted call sequence produced by each dynamic class into a specified file, and use this file as the dynamic class call sequence whitelist.
4. When the JVM loads a class, first confirm that the class is a dynamic class, then judge whether the call sequence of the dynamic class in the stack information is included in the dynamic class call sequence whitelist. If it is, the dynamic class is trusted; if it is not, the dynamic class is untrusted and is a malicious class, so its loading is intercepted so that it is not loaded into the JVM, and alarm information is generated.
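The whitelist check of steps 1 to 4 above, as an added Java illustration that is not the patent's own code: a class name is tested against the names scanned from the source, the captured stack is stripped of the agent's own frames, and the remaining frames are matched callee-first against the java.lang.reflect.Proxy sequence recorded on the page. The agent class com.jvm.work.agent.MyMonitorTransformer is taken from the page's trace; the business class names, the proxy class name and the second trace are constructed samples, and the verdict enum and method names are assumptions.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;

// Added illustration of the page's whitelist check; names outside the page's trace are assumptions.
public class DynamicClassCallSequenceCheck {
    enum Verdict { STATIC, TRUSTED, UNTRUSTED }
    // Frames of the agent/instrumentation machinery itself (as in the page's trace); skipped before matching.
    static final Set<String> AGENT_FRAMES = Set.of(
        "java.lang.Thread.getStackTrace", "com.jvm.work.agent.MyMonitorTransformer.transform",
        "sun.instrument.TransformerManager.transform", "sun.instrument.InstrumentationImpl.transform");
    // Class names recorded by scanning the business system's source (constructed sample, step 301).
    static final Set<String> SOURCE_CLASS_NAMES = Set.of("com.example.biz.OrderService");
    // Whitelist file contents: one trusted call sequence per entry, caller -> callee; the only entry is
    // the java.lang.reflect.Proxy sequence recorded on the page.
    static final List<List<String>> WHITELIST = List.of(List.of(
        "java.lang.reflect.Proxy.newProxyInstance", "java.lang.reflect.Proxy.getProxyClass0",
        "java.lang.reflect.WeakCache.get", "java.lang.reflect.WeakCache$Factory.get",
        "java.lang.reflect.Proxy$ProxyClassFactory.apply", "java.lang.reflect.Proxy$ProxyClassFactory.apply",
        "java.lang.reflect.Proxy.access$300", "java.lang.reflect.Proxy.defineClass0"));

    // Step 301: a class whose name is absent from the scanned source is a dynamic class.
    static boolean isDynamicClass(String className) {
        return !SOURCE_CLASS_NAMES.contains(className);
    }

    // Turns a captured trace (innermost frame first) into "class.method" strings, dropping the agent
    // prefix so that the first element is the method that defined the class (defineClass0 on the page).
    static List<String> callSequence(StackTraceElement[] trace) {
        List<String> seq = new ArrayList<>();
        for (StackTraceElement f : trace) {
            String m = f.getClassName() + "." + f.getMethodName();
            if (seq.isEmpty() && AGENT_FRAMES.contains(m)) continue;
            seq.add(m);
        }
        return seq;
    }

    // Step 302: the trace matches an entry when, read callee-first, its leading frames equal that entry;
    // business frames beneath the framework's entry method are ignored, as the entry ends there.
    static boolean isWhitelisted(List<String> calleeFirst) {
        for (List<String> entry : WHITELIST) {
            int n = entry.size();
            if (calleeFirst.size() < n) continue;
            boolean match = true;
            for (int i = 0; i < n && match; i++) match = entry.get(n - 1 - i).equals(calleeFirst.get(i));
            if (match) return true;
        }
        return false;
    }

    // Steps 301-304 together: the verdict the hook acts on (303 = intercept and alarm, 304 = load).
    static Verdict judge(String className, StackTraceElement[] trace) {
        if (!isDynamicClass(className)) return Verdict.STATIC;
        return isWhitelisted(callSequence(trace)) ? Verdict.TRUSTED : Verdict.UNTRUSTED;
    }

    // Builds a constructed trace, innermost first, from "class.method" strings (not a real capture).
    static StackTraceElement[] trace(List<String> methods) {
        return methods.stream().map(m -> new StackTraceElement(
                m.substring(0, m.lastIndexOf('.')), m.substring(m.lastIndexOf('.') + 1), null, -1))
            .toArray(StackTraceElement[]::new);
    }

    public static void main(String[] args) {
        // Trace 1: a JDK dynamic proxy, i.e. the page's recorded sequence with a business caller beneath it.
        List<String> viaProxy = new ArrayList<>(AGENT_FRAMES);      // all four are skipped, order irrelevant
        List<String> proxyPath = new ArrayList<>(WHITELIST.get(0));
        Collections.reverse(proxyPath);                              // callee-first, the way a trace reads
        viaProxy.addAll(proxyPath);
        viaProxy.add("com.example.biz.OrderService.wrap");
        // Trace 2: a class defined through a path that was never recorded in the whitelist (constructed).
        List<String> unrecorded = new ArrayList<>(AGENT_FRAMES);
        unrecorded.addAll(List.of("java.lang.ClassLoader.defineClass1", "java.lang.ClassLoader.defineClass",
            "com.example.biz.PluginLoader.load"));
        System.out.println("com.sun.proxy.$Proxy7: " + judge("com.sun.proxy.$Proxy7", trace(viaProxy)));
        System.out.println("com.example.gen.Gen1: " + judge("com.example.gen.Gen1", trace(unrecorded)));
        System.out.println("OrderService: " + judge("com.example.biz.OrderService", trace(unrecorded)));
    }
}
```

The recorded sequence is specific to the JDK build it was captured on (the Proxy internals on the page are JDK 8's), so the whitelist has to be regenerated for every JDK version the business system runs on, or trusted proxies will be reported as untrusted.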
The credibility judgment device based on a dynamic class call sequence provided by the present invention is described below; the device described below and the credibility judgment method based on a dynamic class call sequence described above may be referred to in correspondence with each other.
Please refer to FIG. 5, which is a schematic structural diagram of the credibility judgment device based on a dynamic class call sequence provided by an embodiment of the present invention. The device shown in FIG. 5 can be applied to a business system developed in the Java language and can be used to execute the credibility judgment method based on a dynamic class call sequence of FIG. 1. The device can be deployed on the server of the business system; the embodiments of the present invention do not limit the type of the business system or the type of the server. For example, the business system may be a financial business system, and the server may be a physical server comprising an independent host, a virtual server hosted by a host cluster, a cloud server, and so on. As shown in FIG. 5, the credibility judgment device based on a dynamic class call sequence at least includes:
Dynamic class judgment module 510, configured to judge, in response to the Java virtual machine loading a target class, whether the target class is a dynamic class.
Credibility judgment module 520, configured to judge, if the target class is a dynamic class, whether the call sequence of the target class in the stack information corresponding to the dynamic class is included in the dynamic class call sequence whitelist.
Interception and alarm module 530, configured to determine that the target class is untrusted, intercept the loading of the target class and generate alarm information if the call sequence of the target class in the stack information corresponding to the dynamic class is not included in the dynamic class call sequence whitelist.
Optionally, the credibility judgment device based on a dynamic class call sequence further includes:
A simulated execution module, configured to execute the source code of the business system in simulation and trigger the generation of the various dynamic classes.
A whitelist generation module, configured to obtain the call sequence produced in the corresponding stack information when each dynamic class is generated and to generate the dynamic class call sequence whitelist, each dynamic class corresponding to one piece of stack information.
Optionally, each piece of stack information includes multiple class methods, and the whitelist generation module includes:
A class method analysis unit, configured to analyze each class method one by one upwards from the end of the corresponding stack information.
A call sequence determination unit, configured to determine a group of class methods satisfying the dynamic class call sequence closure principle as the call sequence produced when one dynamic class is generated.
A whitelist generation unit, configured to record the determined call sequences produced when the dynamic classes are generated, obtaining the dynamic class call sequence whitelist.
Optionally, the dynamic class call sequence closure principle is: the methods belong to one framework, are unrelated to the business, are templated, have fixed content, and are not affected by the parameters or by the object calling the class method.
Optionally, the dynamic class judgment module 510 is configured to:
in response to the Java virtual machine loading a target class, judge whether the name of the target class is the name of a class in the source code of the business system;
if the name of the target class is the name of a class in the source code of the business system, determine that the target class is a static class;
if the name of the target class is not the name of a class in the source code of the business system, determine that the target class is a dynamic class.
Optionally, the credibility judgment device based on a dynamic class call sequence further includes:
A source code scanning module, configured to scan the source code of the business system and record the names of the classes in the source code of the business system.
Optionally, the credibility judgment device based on a dynamic class call sequence further includes:
A load execution module, configured to determine that the target class is trusted and execute the loading of the target class if the call sequence of the target class in the stack information corresponding to the dynamic class is included in the dynamic class call sequence whitelist.
FIG. 6 illustrates a schematic diagram of the physical structure of an electronic device. As shown in FIG. 6, the electronic device may include a processor 610, a communication interface 620, a memory 630 and a communication bus 640, where the processor 610, the communication interface 620 and the memory 630 communicate with each other through the communication bus 640. The processor 610 can call logic instructions in the memory 630 to execute the following method: in response to the Java virtual machine loading a target class, judge whether the target class is a dynamic class; if the target class is a dynamic class, judge whether the call sequence of the target class in the stack information corresponding to the dynamic class is included in the dynamic class call sequence whitelist; if the call sequence of the target class in the stack information corresponding to the dynamic class is not included in the dynamic class call sequence whitelist, determine that the target class is untrusted, intercept the loading of the target class, and generate alarm information.
In addition, the logic instructions in the memory 630 may be implemented in the form of software functional units and, when sold or used as an independent product, may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention in essence, or the part of it that contributes to the prior art, or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute all or part of the steps of the methods described in the embodiments of the present invention. The storage medium includes media capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
In another aspect, an embodiment of the present invention further provides a non-transitory computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program performs the methods provided by the embodiments above, for example including: in response to the Java virtual machine loading a target class, judging whether the target class is a dynamic class; if the target class is a dynamic class, judging whether the call sequence of the target class in the stack information corresponding to the dynamic class is included in the dynamic class call sequence whitelist; and if the call sequence of the target class in the stack information corresponding to the dynamic class is not included in the dynamic class call sequence whitelist, determining that the target class is untrusted, intercepting the loading of the target class, and generating alarm information.
The device embodiments described above are only illustrative. The units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
From the description of the embodiments above, those skilled in the art can clearly understand that each embodiment can be implemented by software plus a necessary general-purpose hardware platform, and of course also by hardware. On this understanding, the technical solution above in essence, or the part of it that contributes to the prior art, may be embodied in the form of a software product. The computer software product may be stored in a computer-readable storage medium such as a ROM/RAM, a magnetic disk or an optical disc, and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute the methods described in the embodiments or in certain parts of the embodiments.
Finally, it should be noted that the embodiments above are only used to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments can still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210771541.9A CN115292707A (en) | 2022-06-30 | 2022-06-30 | Credibility judgment method and device based on dynamic class call sequence |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115292707A true CN115292707A (en) | 2022-11-04 |
Family ID: 83821920
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN118260750A (en) * | 2024-05-27 | 2024-06-28 | 北京升鑫网络科技有限公司 | Attack behavior detection method and device, and attack behavior blocking method and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |