Authors: ZHENG Peng, SHA Letian (School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing 210003, China)
Affiliation: [1] School of Computer Science, School of Software, and School of Cyberspace Security, Nanjing University of Posts and Telecommunications, Nanjing 210003
Source: Computer Engineering (计算机工程), 2023, No. 12, pp. 136-145 (10 pages)
Funding: National Natural Science Foundation of China, General Program (62072253).
Abstract: As the number of Java class libraries grows, the types and number of deserialization vulnerabilities have risen sharply. Java deserialization vulnerabilities contain exploit (gadget) chains, which attackers usually combine with arbitrary command execution vulnerabilities to take control of servers. Manual detection of deserialization chains requires considerable effort and depends on the expertise of code auditors. This study proposes an automatic detection method based on symbolic execution and taint analysis and implements it as the call chain detection tool Taint Gadget. Bytecode is parsed to collect inheritance, parameter-passing and call information for taint marking, and entry functions and dangerous functions are filtered out to generate a control flow graph. The control flow graph is then extended using the propagation characteristics of deserialization vulnerabilities combined with symbolic execution; taint propagation rules are defined that constrain the explicit-flow and implicit-flow paths of taint propagation, and the classes and sensitive variables along the call chain are recorded during propagation so that the taint path can be restored and verified dynamically. The method is implemented on top of tools such as ASM, Neo4j and Z3 and consists of a taint-marking module, a taint propagation module and a taint verification module. Experimental results on the ysoserial dataset show that Taint Gadget achieves a static hit rate of 70.3% with a run time of 78.4 s and a dynamic hit rate of 90.6% with a run time of 20.8 s; compared with T-Gadget Inspector and Gadget Inspector, it improves both the static and dynamic hit rates and shortens the dynamic run time.
Keywords: taint analysis; Java deserialization vulnerability; static analysis; dynamic verification; symbolic execution; constraint construction
Classification: TP309 [Automation and Computer Technology - Computer System Architecture]