基于混合分析的Java反序列化利用链挖掘方法

doi:10.11959/j.issn.2096-109x.2022009

摘要/Abstract

摘要：

Java 反序列化漏洞已经成为当下 Java 应用安全的常见威胁，其中能够找到反序列化利用链是该类型漏洞能否利用的关键。由于Java应用及依赖库的代码空间大和Java本身多态的问题，人工分析Java反序列化利用链，需消耗大量的时间和精力，且高度依赖分析人员的经验知识。因此，研究如何高效且准确地自动化挖掘反序列化利用链至关重要。提出了基于混合分析的 Java 反序列化利用链挖掘方法。根据变量声明类型构造调用图，通过调用图分析筛选可能到达危险函数的反序列化入口函数。将筛选出的入口函数作为混合信息流分析的入口，开展同时面向指针和污点变量的混合信息流分析，对隐式创建的对象标记污点，在传播指针信息的同时传播污点信息，构建混合信息流图。基于混合信息流图判断外部污点数据传播到危险函数的可达性。根据污点传播路径构造相应的反序列化利用链。混合分析兼顾了调用图分析的速度和混合信息流分析的精度。基于提出的混合分析方法，实现相应的静态分析工具——GadgetSearch。GadgetSearch在Ysoserial、Marshalsec、Jackson历史CVE、XStream历史CVE4个数据集上的误报率和漏报率比现有的工具GadgetInspector低，并且发现多条未公开利用链。实验结果证明，所提方法能够在多个实际Java应用中高效且准确地挖掘Java反序列化利用链。

关键词: 反序列化漏洞, 指针分析, 污点分析, 混合分析

Abstract:

Java deserialization vulnerabilities have become a common threat to Java application security nowadays.Finding out the gadget chain determines whether this type of vulnerability can be exploited.Due to the large code space of Java applications and dependent libraries and the polymorphism of Java itself, manual analysis of Java deserialization gadget chains consumes a lot of time and effort and it is highly dependent on the experienced knowledge.Therefore, it is crucial to study how to efficiently and accurately automate the discovery of gadget chains.Java deserialization gadget chain discovery method based on hybrid analysis was proposed.Call graph based on the variable declaration type was constructed, and then the deserialization entry functions that may reach the dangerous functions were screened using the call graph analysis.The screened entry functions were used as the entry point of the hybrid information flow analysis.The hybrid information flow analysis was carried out for both pointer and tainted variables.The tainted objects created implicitly were marked.The tainted information and the pointer information were propagated simultaneously to construct the hybrid information flow graph.The reachability of external taint data propagation to the dangerous function was judged based on the hybrid information flow graph.The corresponding deserialization gadget chain was constructed according to the taint propagation path.The hybrid analysis took into account the efficiency of call graph analysis and the accuracy of hybrid information flow analysis.The corresponding static analysis tool, namely GadgetSearch, was implemented based on the proposed hybrid analysis method.In the experimental evaluation, GadgetSearch had lower false positive and lower false negative than the existing tool GadgetInspector on four datasets of Ysoserial, Marshalsec, Jackson historical CVE, and XStream historical CVE.Additionally, GadgetSearch also found multiple undisclosed gadget chains.The experimental results show that the proposed method can efficiently and accurately discover the Java deserialization gadget chain in multiple practical Java applications.

Key words: deserialization vulnerability, pointer analysis, taint analysis, hybrid analysis

中图分类号:

TP393

武永兴, 陈力波, 姜开达. 基于混合分析的Java反序列化利用链挖掘方法[J]. 网络与信息安全学报, 2022, 8(2): 160-174.

Yongxing WU, Libo CHEN, Kaida JIANG. Java deserialization gadget chain discovery method based on hybrid analysis[J]. Chinese Journal of Network and Information Security, 2022, 8(2): 160-174.

图/表 19

图1

图2

图3

图4

图5

表1

表2

表3

表4

表5

表6

表7

图6

图7

表8

表9

表10

图8

图9

参考文献 21

[1]	ANDERSEN L O . Program analysis and specialization for the C programming language[D]. University of Cophenhagen, 1994.
[2]	LHOTáK O , HENDREN L . Scaling Java points-to analysis using Spark[C]// International Conference on Compiler Construction. Springer,Berlin,Heidelberg, 2003: 153-169.
[3]	BERNDL M , LHOTáK O , QIAN F ,et al. Points-to analysis using BDDs[J]. ACM SIGPLAN Notices, 2003,38(5): 103-114.
[4]	黄波, 臧斌宇, 韦俊银 ,等. 上下文敏感的过程间指针分析[J]. 计算机学报, 2000,23(5): 477-485.
	HUANG B , ZANG B Y , WEI J Y ,et al. Context sensitive interprocedural pointer analysis[J]. Chinese Journal of Computers, 2000,23(5): 477-485.
[5]	BRAVENBOER M , SMARAGDAKIS Y . Strictly declarative specification of sophisticated points-to analyses[C]// Proceedings of the 24th ACM SIGPLAN Conference on Object Oriented Programming Systems Languages and Applications. 2009: 243-262.
[6]	ANTONIADIS T , TRIANTAFYLLOU K , SMARAGDAKIS Y . Porting doop to Soufflé:a tale of inter-engine portability for datalog-based analyses[C]// Proceedings of the 6th ACM SIGPLAN International Workshop on State of the Art in Program Analysis. 2017: 25-30.
[7]	TRIPP O , PISTOIA M , FINK S J ,et al. TAJ:effective taint analysis of web applications[J]. ACM Sigplan Notices, 2009,44(6): 87-97.
[8]	SRIDHARAN M , ARTZI S , PISTOIA M ,et al. F4F:taint analysis of framework-based web applications[C]// Proceedings of the 2011 ACM International Conference on Object Oriented Programming Systems Languages and Applications. 2011: 1053-1068.
[9]	HUANG W , DONG Y , MILANOVA A . Type-based taint analysis for Java web applications[C]// International Conference on Fundamental Approaches to Software Engineering. Springer,Berlin,Heidelberg, 2014: 140-154.
[10]	LERCH J , HERMANN B , BODDEN E ,et al. FlowTwist:efficient context-sensitive inside-out taint analysis for large codebases[C]// Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering. 2014: 98-108.
[11]	王蕾, 李丰, 李炼 ,等. 污点分析技术的原理和实践应用[J]. 软件学报, 2017,28(4): 860-882.
	WANG L , LI F , LI L ,et al. Principle and practice of taint analysis[J]. Journal of Software, 2017,28(4): 860-882.
[12]	LIVSHITS B . Improving software security with precise static and runtime analysis[D]. Stanford University, 2006.
[13]	TRIPP O , PISTOIA M , COUSOT P ,et al. Andromeda:accurate and scalable security analysis of web applications[C]// Fundamental Approaches to Software Engineering. 2013: 210-225.
[14]	ARZT S , RASTHOFER S , FRITZ C ,et al. Flowdroid:precise context,flow,field,object-sensitive and lifecycle-aware taint analysis for android Apps[J]. Acm Sigplan Notices, 2014,49(6): 259-269.
[15]	JOHNSON A , WAYE L , MOORE S ,et al. Exploring and enforcing security guarantees via program dependence graphs[J]. ACM SIGPLAN Notices, 2015,50(6): 291-302.
[16]	HUANG W , DONG Y , MILANOVA A ,et al. Scalable and precise taint analysis for Android[C]// Proceedings of the 2015 International Symposium on Software Testing and Analysis. 2015: 106-117.
[17]	GRECH N , SMARAGDAKIS Y . P/Taint:unified points to and taint analysis[J]. Proceedings of the ACM on Programming Languages, 2017: 1-28.
[18]	DAHSE J , KREIN N , HOLZ T . Figurer euse attacks in PHP:automated POP chain generation[C]// Proceedings of CCS '14:Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. 2014: 42-53.
[19]	SHCHERBAKOV M , BALLIU M . SerialDetector:principled and practical exploration of object injection vulnerabilities for the web[C]// Proceedings 2021 Network and Distributed System Security Symposium. Reston,VA:Internet Society, 2021.
[20]	HAKEN I . Automated discovery of deserialization gadget chains[R]. 2018.
[21]	杜笑宇, 叶何, 文伟平 . 基于字节码搜索的 Java 反序列化漏洞调用链挖掘方法[J]. 信息网络安全, 2020,20(7): 19-29.
	DU X Y , YE H , WEN W P . Java deserialization vulnerability gadget chain discovery method based on bytecode search[J]. Netinfo Security, 2020,20(7): 19-29.

CVE/CNVD	反序列化器	依赖	危害
CNVD-2021-44381	Jackson	datanucleusrdbms-5.1.7.jar	JNDI注入
CVE-2021-39141	XStream	仅JDK	代码执行
CVE-2021-39144	XStream	仅JDK	代码执行
CVE-2021-39146	XStream	仅JDK	代码执行
CVE-2021-39153	XStream	仅JDK	代码执行
CVE-2021-43297	Hessian	仅JDK	代码执行

缩写	Jar	Class	Method	Jackson	Fastjson	XStream	Hessian
cb	commons-beanutils-1.9.2.jar	6 050	66 404	0		1	0
rome	rome-1.0.jar	5 984	65 439	0		1	1
resin	resin-4.0.65.jar	12 850	139 930	0		1	1
xbean	xbean-naming-4.5.jar	3 274	35 098	0		1	1
c3p0	c3p0-0.9.5.2.jar	6 608	73 687	2		0	0
ccfg	commons-configuration-1.10.jar	6 191	67 883	0		1	0

缩写	JGadgetInspector		TGadgetInspector			GadgetSearch
缩写	时间/s	结果（有效链数/利用链总数）	时间	结果（有效链数/利用链总数）	时间/s	结果（有效链数/利用链总数）
cb	49.13	0/1	60.79	0/1	9.12	0/0
rome	51.13	0/1	59.82	0/1	6.28	0/0
resin	58.68	0/3	75.40	0/4	9.37	0/0
xbean	48.79	0/1	63.53	0/1	4.45	0/0
c3p0	50.03	0/1	62.31	0/1	16.43	18/18
ccfg	52.45	0/1	63.70	0/1	33.07	0/0
总计	310.21	0/8	385.55	0/9	78.72	18/18

缩写	JGadgetInspector		TGadgetInspector		GadgetSearch
缩写	时间/s	结果（有效链数/利用链总数）	时间/s	结果（有效链数/利用链总数）	时间/s	结果（有效链数/利用链总数）
cb			60.79	0/101	7.18	0/0
rome			59.82	0/96	9.04	0/0
resin			75.40	0/96	1085.32	67/67
xbean			63.53	0/101	3.81	0/0
c3p0			62.31	0/97	22.51	10/10
ccfg			63.70	0/142	60.01	8/8
总计			385.55	0/633	1187.87	85/85

缩写	JGadgetInspector		TGadgetInspector		GadgetSearch
缩写	时间/s	结果（有效链数/利用链总数）	时间/s	结果（有效链数/利用链总数）	时间/s	结果（有效链数/利用链总数）
cb	51.26	2/12	60.79	2/32	20.95	20/20
rome	52.29	2/12	59.82	2/27	7.71	60/60
resin	60.69	4/40	75.40	2/107	206.91	19/19
xbean	51.12	2/12	63.53	2/30	3.27	0/0
c3p0	52.67	2/12	62.31	2/27	9.12	1/1
ccfg	52.83	2/13	63.70	2/46	8.67	26/26
总计	320.86	14/101	385.55	12/269	256.63	126/126