Authors: Hu Fei (胡飞), Chen Hao (陈昊)[2], Wang Yuan (王媛), Yi Wen (弋雯), Hu Ying (胡颖), Liu Bao-ying (刘宝英)
Affiliations: [1] School of Information Science and Technology, Northwest University, Xi'an 710100, Shaanxi, China; [2] China University of Labor Relations, Beijing 100048, China; [3] Technical Bureau of Xinhua News Agency, Beijing 100803, China
Source: Computer Technology and Development (计算机技术与发展), 2023, No. 5, pp. 122-129 (8 pages)
Funding: Key Project of the Shaanxi Provincial International Cooperation Program (2020KWZ-013); General Project of China University of Labor Relations (20XYJS007).
Abstract: The Java deserialization vulnerability has become one of the most threatening classes of software vulnerability because it is easy to exploit. During development, it is particularly important to check the third-party public component libraries a piece of software uses ahead of time, so that potential deserialization vulnerabilities can be discovered and defended against in advance. Existing deserialization vulnerability detection falls into two main approaches: rule matching and taint analysis. The former, which relies on whitelists or blacklists, cannot discover unknown deserialization vulnerabilities, while the latter suffers from high false-negative and false-positive rates because of its limited ability to detect vulnerability call chains. To make up for the shortcomings of existing methods, we propose SerialFinder, a graph-network-based method for detecting Java deserialization vulnerability call chains. The method uses a graph structure to fully express the semantic information of a deserialization vulnerability call chain, trains a graph isomorphism network model on it, and can then detect potential deserialization vulnerability call chains. SerialFinder is validated on multiple third-party component libraries and compared with Gadget Inspector, the most advanced Java deserialization call-chain detection method in the industry. The results show that SerialFinder achieves an average hit rate of 64% on the three public component libraries, which is 31% higher than Gadget Inspector.
Keywords: vulnerability detection; graph database; Java deserialization; graph neural network; call chain
Classification: TP391 [Automation and Computer Technology - Computer Application Technology]