引用本文
  • 冯薪澄,刘奇旭,王柏柱,陈星辰,陈文岗.基于变量可控性搜索的Java反序列化漏洞检测方法[J].信息安全学报,已采用    [点击复制]
  • fengxincheng,liuqixu,wangbaizhu,chenxingchen,chenwengang.Java Deserialization Vulnerability Detection Method Based on Variable Controllability Search[J].Journal of Cyber Security,Accept   [点击复制]
【打印本页】 【下载PDF全文】 查看/发表评论下载PDF阅读器关闭

过刊浏览    高级检索

本文已被:浏览 2061次   下载 214  
基于变量可控性搜索的Java反序列化漏洞检测方法
冯薪澄1, 刘奇旭1, 王柏柱2, 陈星辰1, 陈文岗1
0
(1.中国科学院信息工程研究所;2.蚂蚁集团网商银行)
摘要:
近些年来,越来越多的Java组件爆出反序列化漏洞,由于该类型漏洞较难通过人工审计的方式进行高效、精确地检测,这类安全隐患至今仍潜藏于大量组件中。本文在深入研究Java反序列化漏洞的基础上,提出检测该类型漏洞的核心为针对利用链的检测;通过梳理、总结实际利用链中常见的入口函数和危险函数,构建先验知识库用于检测未知利用链;提出基于变量可控性搜索的Java反序列化漏洞检测模型,结合自底向上的变量可控性搜索算法,实现了面向Java反序列化漏洞的自动化检测系统DeSerialKiller4J。实验结果表明,本系统检测性能相比gadgetinspector工具提升60.6%,在107个开源组件中检测出19条已知利用链,23条未知利用链,其中一条未知利用链已被CVE收录(CVE-2021-39148)。
关键词:  Java反序列化漏洞检测  变量可控性搜索  静态程序分析
DOI:10.19363/J.cnki.cn10-1380/tn.2023.08.42
投稿时间:2021-09-04修订日期:2021-11-16
基金项目:国家自然科学基金项目(面上项目,重点项目,重大项目)
Java Deserialization Vulnerability Detection Method Based on Variable Controllability Search
fengxincheng1, liuqixu1, wangbaizhu2, chenxingchen1, chenwengang1
(1.Institute of Information Engineering,CAS;2.MYBank, Ant Group)
Abstract:
In recent years, more and more Java components have been exposed to deserialization vulnerabilities. Since this type of vulnerability is difficult to be detected efficiently and accurately by means of manual auditing, this type of security vul-nerability is still lurking in a large number of components. In this paper, based on the in-depth study of Java deserialization vulnerabilities, we propose that the core of detecting this type of vulnerability is the detection of exploit chains; By sorting out and summarizing the common entry functions and dangerous functions in actual exploit chains, we construct an a priori knowledge base for detecting unknown exploit chains; we propose a Java deserialization vulnerability detection model based on variable controllability search, combined with a bottom-up variable controllability search algorithm . Experimental results show that the detection performance of this system is 60.6% better than that of the gadgetinspector tool, with 19 known exploit chains and 23 unknown exploit chains detected in 107 open source components, one of which has been included in CVE (CVE-2021-39148).
Key words:  Java deserialization vulnerability detection  variable controllability search  static program analysis