基于运行时检测的Java反序列化漏洞防御技术  被引量：1

作　　者：李玉林 陈力波 刘宇江 杜文龙 薛质[1] LI Yulin;CHEN Libo;LIU Yujiang;DU Wenlong;XUE Zhi(School of Cyber Science and Engineering,Shanghai Jiao Tong University,Shanghai 200240,China;Ant Group Company,Limited,Hangzhou 310063,China)

机构地区：[1]上海交通大学网络空间安全学院,上海200240 [2]蚂蚁科技集团股份有限公司,浙江杭州310063

出　　处：《网络与信息安全学报》2024年第2期154-164,共11页Chinese Journal of Network and Information Security

基　　金：国家自然科学基金(No.62372297,No.62272306);国家广播电视总局实验室项目(No.FYY20230001ZSB011)。

摘　　要：反序列化漏洞自被发现以来,便受到安全研究者的广泛关注,越来越多的漏洞被爆出,给企业的网络安全带来严重挑战。Java语言多态、反射等特性,导致其反序列化漏洞利用链更加多变和复杂,带来了更大的防御和检测难度。因此,研究如何防御Java反序列化漏洞攻击,成为网络防御的重要环节。通过对公开的众多Java反序列化漏洞进行研究,提出了基于运行时检测的Java反序列化漏洞防御技术方案。根据反序列化数据类型,将反序列化漏洞分为Java原生反序列化漏洞、JSON反序列化漏洞、XML反序列化漏洞、YAML反序列化漏洞4种类型,并针对每种类型的反序列化漏洞、归纳其漏洞利用过程中的反序列化入口函数;通过Java的运行时保护技术,对Java底层的敏感行为如命令执行进行监控,获取系统当前的运行时上下文信息;通过在上下文信息中匹配漏洞利用中的反序列化入口函数,来判断当前行为是否为反序列化漏洞的利用行为。在多个Java应用(如WebLogic、JBoss、Jenkins等)的测试结果表明,该方案能有效地对Java反序列化漏洞攻击行为进行防御,且不会对目标系统性能产生较大的影响。同时,在与其他主流防护方案的比较中,该方法显示出更好防护效果。The discovery of deserialization vulnerabilities has garnered significant attention from cybersecurity researchers,with an increasing number of vulnerabilities being uncovered,posing severe threats to enterprise network security.The Java language’s polymorphism and reflection capabilities render its deserialization vulnerability exploitation chains more varied and intricate,amplifying the challenges in defense and detection efforts.Consequently,developing strategies to counter Java deserialization vulnerability attacks has become a critical aspect of network security.Following an examination of numerous publicly known Java deserialization vulnerabilities,a runtime detection based defense technology solution for Java deserialization vulnerabilities was proposed.Deserialization vulnerabilities were categorized into four types based on the data formats involved:Java native deserialization vulnerability,JSON deserialization vulnerability,XML deserialization vulnerability,and YAML deserialization vulnerability.For each type,the entry function within the exploitation process was identified and summarized.Utilizing Java’s runtime protection technology,the solution monitored sensitive behaviors,such as command execution at the Java level,and captured the current runtime context information of the system.By correlating the deserialization entry function with the context information,the system can determine if the current behavior constitutes an exploitation of a deserialization vulnerability.The solution’s efficacy was validated through testing on prevalent Java applications,including WebLogic,JBoss,and Jenkins.The results demonstrate that this approach can effectively protect against Java deserialization vulnerability attacks without inflicting a substantial performance penalty on the targeted system.Furthermore,when compared to other mainstream protection solutions,this method exhibits superior protective efficacy.

关 键 词：反序列化漏洞 运行时保护 利用链 漏洞防御 

分 类 号：TP393[自动化与计算机技术—计算机应用技术]