Abstract
Deserialization vulnerabilities have been one of the hotspots of application security research in recent years. As the functionality of Java class libraries is continually updated and extended, the potential scope of deserialization vulnerabilities grows wider. Discovering deserialization vulnerabilities by hand requires a great deal of time and effort to screen and construct gadget chains. This paper introduces the principles of Java deserialization vulnerabilities, their common scenarios and the construction of deserialization gadget chains, and, drawing on common vulnerability discovery methods, proposes a gadget chain discovery method that is implemented as the gadget chain discovery tool Zero Gadget. The method uses taint analysis and symbolic execution to generate a gadget tree from the deserialization entry point to the dangerous function, then searches that tree with a depth-first search algorithm to generate the corresponding gadget chains. Common Java base libraries are selected to test the effectiveness of gadget chain discovery. The experimental results show that the method successfully discovers potential gadget chains with a high accuracy rate, which is of positive significance for the automated discovery of deserialization gadget chains.
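The search step the abstract describes (a tree of calls from a deserialization entry point to a dangerous function, walked depth-first and pruned where taint is lost), shown as an added illustration that is not the paper's Zero Gadget code; the call graph, class and method names, entry-point suffixes and sink set are all constructed for this example.

```python
from typing import Dict, List, Tuple

# Constructed call graph with hypothetical class/method names (not taken from any
# real library): caller -> list of (callee, taint_reaches_callee). The boolean
# stands in for the taint-analysis result: does data controlled through
# deserialization flow from the caller into the callee's receiver or arguments?
CALL_GRAPH: Dict[str, List[Tuple[str, bool]]] = {
    "Holder.readObject": [("Holder.rehash", True), ("Holder.audit", True)],
    "Holder.rehash": [("Key.hashCode", True)],
    "Key.hashCode": [("Lazy.get", True)],
    "Lazy.get": [("Chain.transform", True)],
    "Chain.transform": [("Invoker.transform", True), ("Const.transform", True)],
    "Invoker.transform": [("Reflect.invoke", True)],
    "Const.transform": [],
    "Holder.audit": [("Log.write", False)],  # only a constant string is passed: taint is cut
    "Log.write": [("Reflect.invoke", True)],
    "Reflect.invoke": [],
}

ENTRY_SUFFIXES = ("readObject", "readResolve")  # deserialization entry points (constructed)
SINKS = {"Reflect.invoke"}                       # dangerous functions (constructed)


def find_gadget_chains(graph, sinks=SINKS, max_depth=12):
    """Depth-first search from every entry point, following only edges on which
    taint survives, and return every simple path that ends in a sink."""
    chains = []

    def dfs(node, path):
        if node in sinks:
            chains.append(tuple(path))
            return
        if len(path) > max_depth:  # bound the search on deep or wide graphs
            return
        for callee, tainted in graph.get(node, []):
            # skip edges where taint is lost and avoid revisiting a node on this path
            if tainted and callee not in path:
                dfs(callee, path + [callee])

    for method in graph:
        if method.rsplit(".", 1)[-1] in ENTRY_SUFFIXES:
            dfs(method, [method])
    return chains


if __name__ == "__main__":
    for chain in find_gadget_chains(CALL_GRAPH):
        print(" -> ".join(chain))
```

The edge into `Log.write` is deliberately marked as taint-free, so the path through `Holder.audit` reaches the sink in the raw call graph but is never reported as a chain.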
Authors
杜笑宇
叶何
文伟平
DU Xiaoyu; YE He; WEN Weiping (School of Software and Microelectronics, Peking University, Beijing 100080, China)
Source
Netinfo Security (《信息网络安全》)
Indexed in CSCD; Peking University Core Journal
2020, No. 7, pp. 19-29 (11 pages)
Funding
National Natural Science Foundation of China [61872011].
Keywords
deserialization vulnerability
gadget chain
Java vulnerability discovery