一种基于双向推理的固件接口变量追踪方法
本发明涉及一种基于双向推理的固件接口变量追踪方法,从对源代码的分析推理、以及程序执行的真实结果推理两个方向,实现了对固件web接口中使用变量执行路径的追踪,进而获得了可被访问者实际控制的用户输入参数、传播路径、对应的取值范围、以及最后的输出内容;方案设计不仅可以通过追踪在前端中自执行的参数,检测反射型跨站脚本漏洞等前端过滤不严导致的安全问题,提高web漏洞挖掘的效率,还可以为后续的二进制污点分析工作提供有效支撑,降低污点分析的误报率等,进而提升信息安全工作者对固件的分析能力。 The invention relates to a firmware interface variable trac...
Saved in:
Format | Patent |
---|---|
Language | Chinese |
Published |
14.06.2024
|
Subjects | |
Online Access | Get full text |
Cover
Summary: | 本发明涉及一种基于双向推理的固件接口变量追踪方法,从对源代码的分析推理、以及程序执行的真实结果推理两个方向,实现了对固件web接口中使用变量执行路径的追踪,进而获得了可被访问者实际控制的用户输入参数、传播路径、对应的取值范围、以及最后的输出内容;方案设计不仅可以通过追踪在前端中自执行的参数,检测反射型跨站脚本漏洞等前端过滤不严导致的安全问题,提高web漏洞挖掘的效率,还可以为后续的二进制污点分析工作提供有效支撑,降低污点分析的误报率等,进而提升信息安全工作者对固件的分析能力。
The invention relates to a firmware interface variable tracking method based on bidirectional reasoning, which realizes tracking of a variable execution path used in a firmware web interface from two directions of analysis and reasoning of source codes and reasoning of a real result of program execution. The user input parameter, the propagation path, the corresponding value range and the final output content which can be actually controlled by the visited person are obtained; the scheme design not only can improve the efficiency of web vulnerability mining by tracking self-executed parameters in the front end and detecting security problems caused by untight front-end filtering such as reflection type cross-site script vulnerabilities, but also can provide effective suppo |
---|---|
Bibliography: | Application Number: CN202210594344 |