[1] SEACORD R C. Java deserialization vulnerabilities and mitigations[C]//Proceedings of IEEE Cybersecurity Development. Washington D. C., USA: IEEE Press, 2017: 6-7.
[2] CRISTALLI S, VIGNATI E, BRUSCHI D, et al. Trusted execution path for protecting Java applications against deserialization of untrusted data[C]//Proceedings of International Symposium on Research in Attacks, Intrusions, and Defenses. Berlin, Germany: Springer, 2018: 445-464.
[3] REN Y Z, ZHANG Y W, AI C W. Survey on taint analysis technology. Journal of Computer Applications, 2019, 39(8): 2302-2309. (in Chinese)
[4] GRECH N, SMARAGDAKIS Y. P/Taint: unified points-to and taint analysis. Proceedings of the ACM on Programming Languages, 2017, 1(OOPSLA): 1-28.
[5] REN Z Z, ZHENG H, ZHANG J Y, et al. A review of fuzzing techniques. Journal of Computer Research and Development, 2021, 58(5): 944-963. (in Chinese)
[6] KERSTEN R, LUCKOW K, PĂSĂREANU C S. POSTER: AFL-based fuzzing for Java with Kelinci[C]//Proceedings of 2017 ACM SIGSAC Conference on Computer and Communications Security. New York, USA: ACM Press, 2017: 2511-2513. (in Chinese)
[7] QIN B, GUO F, YANG C X. A taint analysis approach for trace and vulnerability validation. Computer Engineering, 2020, 46(5): 157-166. (in Chinese)
[8] LIU L Y, LI F, ZOU Y Y, et al. SiCsFuzzer: a sparse-instrumentation-based fuzzing platform for closed source software. Journal of Cyber Security, 2022, 7(4): 55-70. (in Chinese)
[9] YANG Z M, YANG M. LeakMiner: detect information leakage on Android with static taint analysis[C]//Proceedings of the 3rd World Congress on Software Engineering. Washington D. C., USA: IEEE Press, 2013: 101-104.
[10] ZHANG J, ZHOU A M, LIU L, et al. Stack overflow crash judgment technology based on dynamic taint analysis. Computer Engineering, 2018, 44(4): 168-173, 180. (in Chinese)
[11] GUO F, FAN W W. Analysis and verification on SQLIA vulnerability for Java EE programs. Journal of Frontiers of Computer Science and Technology, 2021, 15(2): 270-283. (in Chinese)
[12] ZUO C S, LIN Z Q. SMARTGEN: exposing server URLs of mobile Apps with selective symbolic execution[C]//Proceedings of the 26th International Conference on World Wide Web. New York, USA: ACM Press, 2017: 867-876.
[13] KUANG Y H, MENG X Z, HAN W Y, et al. A vulnerability mining model of Java Json deserialization based on AST[C]//Proceedings of International Conferences on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData) and IEEE Congress on Cybermatics (Cybermatics). Washington D. C., USA: IEEE Press, 2020: 623-627.
[14]
[15] DU X Y, YE H, WEN W P. Java deserialization vulnerability gadget chain discovery method based on bytecode search. Netinfo Security, 2020, 20(7): 19-29. (in Chinese)
[16] WU Y X, CHEN L B, JIANG K D. Java deserialization gadget chain discovery method based on hybrid analysis. Chinese Journal of Network and Information Security, 2022, 8(2): 160-174. (in Chinese)
[17] RASHEED S, DIETRICH J. A hybrid analysis to detect Java serialisation vulnerabilities[C]//Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering. New York, USA: ACM Press, 2020: 1209-1213.
[18] LIVSHITS V B, LAM M S. Finding security vulnerabilities in Java applications with static analysis[C]//Proceedings of the 14th Conference on USENIX Security Symposium. New York, USA: ACM Press, 2005: 18.
[19] WANG L, ZHOU Q, HE D J, et al. Multi-source taint analysis technique for privacy leak detection of Android Apps. Journal of Software, 2019, 30(2): 211-230. (in Chinese)
[20] LI Y, TAN T, XUE J L. Understanding and analyzing Java reflection. ACM Transactions on Software Engineering and Methodology, 28(2): 7.
[21] SUN J N, PAN K F, CHEN X F, et al. Static analysis of injection security vulnerabilities based on symbolic execution. Acta Scientiarum Naturalium Universitatis Pekinensis, 2018, 54(1): 1-13. (in Chinese)
[22] BALZAROTTI D, COVA M, FELMETSGER V, et al. Saner: composing static and dynamic analysis to validate sanitization in Web applications[C]//Proceedings of IEEE Symposium on Security and Privacy. Washington D. C., USA: IEEE Press, 2008: 387-401.
[23] ALHUZALI A, ESHETE B, GJOMEMO R, et al. Chainsaw: chained automated workflow-based exploit generation[C]//Proceedings of 2016 ACM SIGSAC Conference on Computer and Communications Security. New York, USA: ACM Press, 2016: 641-652.
[24] LI Y, ALBARGHOUTHI A, KINCAID Z, et al. Symbolic optimization with SMT solvers. ACM SIGPLAN Notices, 2014, 49(1): 607-618.
[25] MCMILLAN K L. Applying SAT methods in unbounded symbolic model checking[C]//Proceedings of International Conference on Computer Aided Verification. Berlin, Germany: Springer, 2002: 250-264.
[26] ZHENG Y H, ZHANG X Y, GANESH V. Z3-str: a z3-based string solver for Web application analysis[C]//Proceedings of the 9th Joint Meeting on Foundations of Software Engineering. New York, USA: ACM Press, 2013: 114-124.