基于混合分析的Java反序列化漏洞检测方法

doi:10.19678/j.issn.1000-3428.0066151

摘要/Abstract

摘要：

随着Java的类库越来越多，反序列化漏洞的类型和数量都急剧上升。Java反序列化漏洞中存在利用链，攻击者通常将其与任意命令漏洞结合控制服务器。人工检测反序列化链需要花费大量的精力，且依赖代码审计人员的专业知识。基于符号执行和污点分析提出一种自动检测方法，实现调用链检测工具Taint Gadget。通过解析字节码收集继承信息、传参信息和调用信息进行污点标记，筛选出入口函数和危险函数以生成控制流图。基于反序列化漏洞的传播特征并结合符号执行技术扩展控制流图，定义污点传播规则，对污染传播的显示流路径和隐式流路径进行约束，记录传播过程中调用链的类和敏感变量，通过动态的方法还原污染路径并进行验证。方法的实现基于ASM、Neo4j、Z3等工具，包括污点标记模块、污点传播模块和污点验证模块。在ysoserial数据集上的实验结果表明，Taint Gadget的静态命中率和运行时间分别为70.3%和78.4 s，动态命中率和运行时间分别为90.6%和20.8 s，相对T-Gadget Inspector和Gadget Inspector有效提高了静态和动态命中率，缩短了动态运行时间。

关键词: 污点分析, Java反序列化漏洞, 静态分析, 动态验证, 符号执行, 约束构建

Abstract:

Java deserialization vulnerabilities exploit chains that attackers usually combine with arbitrary command vulnerabilities to control the servers. Manual detection of the deserialization chain requires considerable effort and depends on the expertise of code auditors. This study proposes an automatic detection method based on symbolic execution and taint analysis to implement the call chain detection tool, Taint Gadget. A parsing bytecode is adopted to collect inheritance information, pass reference information, and call information for taint marking, filtering out entry and dangerous functions to generate control flow graphs. This method extends the control flow graph based on the propagation characteristics of deserialization vulnerabilities combined with symbolic execution techniques, defines taint propagation rules, and constrains the display and implicit flow paths for taint propagation. Meanwhile, the classes and sensitive variables of the call chain can be recorded during propagation, restored, and taint paths verified using dynamic methods. The implementation of the method is based on tools such as ASM, Neo4j, and Z3, including a taint-marking module, taint propagation module, and taint verification module. Based on the aerial dataset, the static and dynamic analysis results show that Taint Gadget exhibits the static hit rate of 70.3% with the static run time of 78.4 s, dynamic hit rate of 90.6% with the run time of 20.8 s, and it has higher static and dynamic hit rate and shorter dynamic run time than T-Gadget Inspector and Gadget Inspector.

Key words: taint analysis, Java deserialization vulnerability, static analysis, dynamic verification, symbolic execution, constraint construction

郑鹏, 沙乐天. 基于混合分析的Java反序列化漏洞检测方法[J]. 计算机工程, 2023, 49(12): 136-145.

Peng ZHENG, Letian SHA. Java Deserialization Vulnerability Detection Method Based on Hybrid Analysis[J]. Computer Engineering, 2023, 49(12): 136-145.

http://www.ecice06.com/CN/Y2023/V49/I12/136

图/表 12

图1 污点分析过程

Fig.1 Process of taint analysis

图2 URLDNS反序列化调用链

Fig.2 URLDNS deserialization call chain

图3 符号执行流程

Fig.3 Procedure of symbol execution

图4 反序列化链检测模型

Fig.4 Deserialization chain detection model

图5 扩展的调用图

Fig.5 Extended call graph

图6 扩展函数调用图传播流程

Fig.6 Propagation procedure of extended function call graph

图7 算法实现流程

Fig.7 Implementation procedure of the algorithm

图8 污点分析过程

Fig.8 Process of taint analysis

参考文献 26

1	SEACORD R C. Java deserialization vulnerabilities and mitigations[C]//Proceedings of IEEE Cybersecurity Development. Washington D. C., USA: IEEE Press, 2017: 6-7.
2	CRISTALLI S, VIGNATI E, BRUSCHI D, et al. Trusted execution path for protecting Java applications against deserialization of untrusted data[C]//Proceedings of International Symposium on Research in Attacks, Intrusions, and Defenses. Berlin, Germany: Springer, 2018: 445-464.
3	任玉柱, 张有为, 艾成炜. 污点分析技术研究综述. 计算机应用, 2019, 39 (8): 2302- 2309. URL
	REN Y Z, ZHANG Y W, AI C W. Survey on taint analysis technology. Journal of Computer Applications, 2019, 39 (8): 2302- 2309. URL
4	GRECH N, SMARAGDAKIS Y. P/Taint: unified points-to and taint analysis. Proceedings of the ACM on Programming Languages, 2017, 1 (OOPSLA): 1- 28.
5	任泽众, 郑晗, 张嘉元, 等. 模糊测试技术综述. 计算机研究与发展, 2021, 58 (5): 944- 963. URL
	REN Z Z, ZHENG H, ZHANG J Y, et al. A review of fuzzing techniques. Journal of Computer Research and Development, 2021, 58 (5): 944- 963. URL
6	KERSTEN R, LUCKOW K, PĂSĂREANU C S. POSTER: AFL-based fuzzing for Java with Kelinci[C]//Proceedings of 2017 ACM SIGSAC Conference on Computer and Communications Security. New York, USA: ACM Press, 2017: 2511-2513. (in Chinese)
7	秦彪, 郭帆, 杨晨霞. 一种面向Trace与漏洞验证的污点分析方法. 计算机工程, 2020, 46 (5): 157- 166. URL
	QIN B, GUO F, YANG C X. A taint analysis approach for trace and vulnerability validation. Computer Engineering, 2020, 46 (5): 157- 166. URL
8	刘丽艳, 李丰, 邹燕燕, 等. SiCsFuzzer: 基于稀疏插桩的闭源软件模糊测试方法. 信息安全学报, 2022, 7 (4): 55- 70. URL
	LIU L Y, LI F, ZOU Y Y, et al. SiCsFuzzer: a sparse-instrumentation-based fuzzing platform for closed source software. Journal of Cyber Security, 2022, 7 (4): 55- 70. URL
9	YANG Z M, YANG M. LeakMiner: detect information leakage on Android with static taint analysis[C]//Proceedings of the 3rd World Congress on Software Engineering. Washington D. C., USA: IEEE Press, 2013: 101-104.
10	张婧, 周安民, 刘亮, 等. 基于动态污点分析的栈溢出Crash判定技术. 计算机工程, 2018, 44 (4): 168-173, 180. URL
	ZHANG J, ZHOU A M, LIU L, et al. Stack overflow crash judgment technology based on dynamic taint analysis. Computer Engineering, 2018, 44 (4): 168-173, 180. URL
11	郭帆, 范威威. 面向Java EE程序的SQLIA漏洞分析和验证方法. 计算机科学与探索, 2021, 15 (2): 270- 283. URL
	GUO F, FAN W W. Analysis and verification on SQLIA vulnerability for Java EE programs. Journal of Frontiers of Computer Science and Technology, 2021, 15 (2): 270- 283. URL
12	ZUO C S, LIN Z Q. SMARTGEN: exposing server URLs of mobile Apps with selective symbolic execution[C]//Proceedings of the 26th International Conference on World Wide Web. New York, USA: ACM Press, 2017: 867-876.
13	KUANG Y H, MENG X Z, HAN W Y, et al. A vulnerability mining model of Java Json deserialization based on AST[C]//Proceedings of International Conferences on Internet of Things(iThings) and IEEE Green Computing and Communications(GreenCom) and IEEE Cyber, Physical and Social Computing(CPSCom) and IEEE Smart Data(SmartData) and IEEE Congress on Cybermatics(Cybermatics). Washington D. C., USA: IEEE Press, 2020: 623-627.
14	HAKEN I. Automated discovery of deserialization gadget chains[EB/OL]. [2022-05-10]. https://i.blackhat.com/us-18/Thu-August-9/us-18-Haken-Automated-Discovery-of-Deserialization-Gadget-Chains-wp.pdf.
15	杜笑宇, 叶何, 文伟平. 基于字节码搜索的Java反序列化漏洞调用链挖掘方法. 信息网络安全, 2020, 20 (7): 19- 29. URL
	DU X Y, YE H, WEN W P. Java deserialization vulnerability gadget chain discovery method based on bytecode search. Netinfo Security, 2020, 20 (7): 19- 29. URL
16	武永兴, 陈力波, 姜开达. 基于混合分析的Java反序列化利用链挖掘方法. 网络与信息安全学报, 2022, 8 (2): 160- 174. URL
	WU Y X, CHEN L B, JIANG K D. Java deserialization gadget chain discovery method based on hybrid analysis. Chinese Journal of Network and Information Security, 2022, 8 (2): 160- 174. URL
17	RASHEED S, DIETRICH J. A hybrid analysis to detect Java serialisation vulnerabilities[C]//Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering. New York, USA: ACM Press, 2020: 1209-1213.
18	LIVSHITS V B, LAM M S. Finding security vulnerabilities in Java applications with static analysis[C]//Proceedings of the 14th Conference on USENIX Security Symposium. New York, USA: ACM Press, 2005: 18.
19	王蕾, 周卿, 何冬杰, 等. 面向Android应用隐私泄露检测的多源污点分析技术. 软件学报, 2019, 30 (2): 211- 230. URL
	WANG L, ZHOU Q, HE D J, et al. Multi-source taint analysis technique for privacy leak detection of Android Apps. Journal of Software, 2019, 30 (2): 211- 230. URL
20	LI Y, TAN T, XUE J L. Understanding and analyzing Java reflection. ACM Transactions on Software Engineering and Methodology, 28 (2): 7.
21	孙基男, 潘克峰, 陈雪峰, 等. 基于符号执行的注入类安全漏洞的分析技术. 北京大学学报(自然科学版), 2018, 54 (1): 1- 13. URL
	SUN J N, PAN K F, CHEN X F, et al. Static analysis of injection security vulnerabilities based on symbolic execution. Acta Scientiarum Naturalium Universitatis Pekinensis, 2018, 54 (1): 1- 13. URL
22	BALZAROTTI D, COVA M, FELMETSGER V, et al. Saner: composing static and dynamic analysis to validate sanitization in Web applications[C]//Proceedings of IEEE Symposium on Security and Privacy. Washington D. C., USA: IEEE Press, 2008: 387-401.
23	ALHUZALI A, ESHETE B, GJOMEMO R, et al. Chainsaw: chained automated workflow-based exploit generation[C]//Proceedings of 2016 ACM SIGSAC Conference on Computer and Communications Security. New York, USA: ACM Press, 2016: 641-652.
24	LI Y, ALBARGHOUTHI A, KINCAID Z, et al. Symbolic optimization with SMT solvers. ACM SIGPLAN Notices, 2014, 49 (1): 607- 618.
25	MCMILLAN K L. Applying SAT methods in unbounded symbolic model checking[C]//Proceedings of International Conference on Computer Aided Verification. Berlin, Germany: Springer, 2002: 250-264.
26	ZHENG Y H, ZHANG X Y, GANESH V. Z3-str: a z3-based string solver for Web application analysis[C]//Proceedings of the 9th Joint Meeting on Foundations of Software Engineering. New York, USA: ACM Press, 2013: 114-124.

[1]	张利群, 潘祖烈, 黄晖, 王瑞鹏, 李阳. 基于符号执行的Tcache Poisoning堆漏洞自动验证方法研究[J]. 计算机工程, 2023, 49(6): 24-33.
[2]	戴渭, 陆余良, 朱凯龙. 结合混合符号执行的导向式灰盒模糊测试技术[J]. 计算机工程, 2020, 46(8): 190-196.
[3]	李峰, 舒斐, 李明轩, 王斌, 杨慧婷. 基于深度学习的Linux远控木马检测[J]. 计算机工程, 2020, 46(7): 159-164.
[4]	秦彪, 郭帆, 杨晨霞. 一种面向Trace与漏洞验证的污点分析方法[J]. 计算机工程, 2020, 46(5): 157-166.
[5]	毛向杰, 张品. 云平台数据完整性混合验证方案[J]. 计算机工程, 2020, 46(10): 46-51.
[6]	张超, 潘祖烈, 樊靖. 基于符号执行的堆溢出fastbin攻击检测方法[J]. 计算机工程, 2020, 46(10): 151-158.
[7]	吴颖豪,凌捷. 一种改进的云存储数据完整性验证方法[J]. 计算机工程, 2019, 45(3): 36-40.
[8]	马富天,钱雪忠,宋威. 一种自动化的跨站脚本漏洞发现模型[J]. 计算机工程, 2018, 44(8): 167-173.
[9]	陈政,方勇,刘亮,左政. 基于动态符号执行的勒索软件检测方法[J]. 计算机工程, 2018, 44(6): 104-110.
[10]	张婧,周安民,刘亮,贾鹏,刘露平,贾丽. 基于动态污点分析的栈溢出Crash判定技术[J]. 计算机工程, 2018, 44(4): 168-173,180.
[11]	谢佳筠,伏晓,骆斌. Android防护技术研究进展[J]. 计算机工程, 2018, 44(2): 163-170,176.
[12]	孙贺,吴礼发,洪征,颜慧颖,张亚丰. 一种结合动态与静态分析的函数调用图提取方法[J]. 计算机工程, 2017, 43(3): 154-162.
[13]	郭帆,周轩. 基于依赖的J2EE程序污点分析方法[J]. 计算机工程, 2016, 42(6): 131-138.
[14]	邱洋,王轶骏,薛质. 基于符号执行的Python攻击脚本分析平台[J]. 计算机工程, 2016, 42(11): 139-146.
[15]	肖可君,于海波,陈雨亭,钟浩. Seeker:流敏感的需求驱动指向分析[J]. 计算机工程, 2016, 42(11): 70-75.

选择文件类型/文献管理软件名称

选择包含的内容