基于混合分析的Java反序列化利用链挖掘方法

doi:10.11959/j.issn.2096-109x.2022009

Abstract

Abstract:

Java deserialization vulnerabilities have become a common threat to Java application security nowadays.Finding out the gadget chain determines whether this type of vulnerability can be exploited.Due to the large code space of Java applications and dependent libraries and the polymorphism of Java itself, manual analysis of Java deserialization gadget chains consumes a lot of time and effort and it is highly dependent on the experienced knowledge.Therefore, it is crucial to study how to efficiently and accurately automate the discovery of gadget chains.Java deserialization gadget chain discovery method based on hybrid analysis was proposed.Call graph based on the variable declaration type was constructed, and then the deserialization entry functions that may reach the dangerous functions were screened using the call graph analysis.The screened entry functions were used as the entry point of the hybrid information flow analysis.The hybrid information flow analysis was carried out for both pointer and tainted variables.The tainted objects created implicitly were marked.The tainted information and the pointer information were propagated simultaneously to construct the hybrid information flow graph.The reachability of external taint data propagation to the dangerous function was judged based on the hybrid information flow graph.The corresponding deserialization gadget chain was constructed according to the taint propagation path.The hybrid analysis took into account the efficiency of call graph analysis and the accuracy of hybrid information flow analysis.The corresponding static analysis tool, namely GadgetSearch, was implemented based on the proposed hybrid analysis method.In the experimental evaluation, GadgetSearch had lower false positive and lower false negative than the existing tool GadgetInspector on four datasets of Ysoserial, Marshalsec, Jackson historical CVE, and XStream historical CVE.Additionally, GadgetSearch also found multiple undisclosed gadget chains.The experimental results show that the proposed method can efficiently and accurately discover the Java deserialization gadget chain in multiple practical Java applications.

Key words: deserialization vulnerability, pointer analysis, taint analysis, hybrid analysis

CLC Number:

TP393

Yongxing WU, Libo CHEN, Kaida JIANG. Java deserialization gadget chain discovery method based on hybrid analysis[J]. Chinese Journal of Network and Information Security, 2022, 8(2): 160-174.

Figures/Tables 19

References 21

[1]	ANDERSEN L O . Program analysis and specialization for the C programming language[D]. University of Cophenhagen, 1994.
[2]	LHOTáK O , HENDREN L . Scaling Java points-to analysis using Spark[C]// International Conference on Compiler Construction. Springer,Berlin,Heidelberg, 2003: 153-169.
[3]	BERNDL M , LHOTáK O , QIAN F ,et al. Points-to analysis using BDDs[J]. ACM SIGPLAN Notices, 2003,38(5): 103-114.
[4]	黄波, 臧斌宇, 韦俊银 ,等. 上下文敏感的过程间指针分析[J]. 计算机学报, 2000,23(5): 477-485.
	HUANG B , ZANG B Y , WEI J Y ,et al. Context sensitive interprocedural pointer analysis[J]. Chinese Journal of Computers, 2000,23(5): 477-485.
[5]	BRAVENBOER M , SMARAGDAKIS Y . Strictly declarative specification of sophisticated points-to analyses[C]// Proceedings of the 24th ACM SIGPLAN Conference on Object Oriented Programming Systems Languages and Applications. 2009: 243-262.
[6]	ANTONIADIS T , TRIANTAFYLLOU K , SMARAGDAKIS Y . Porting doop to Soufflé:a tale of inter-engine portability for datalog-based analyses[C]// Proceedings of the 6th ACM SIGPLAN International Workshop on State of the Art in Program Analysis. 2017: 25-30.
[7]	TRIPP O , PISTOIA M , FINK S J ,et al. TAJ:effective taint analysis of web applications[J]. ACM Sigplan Notices, 2009,44(6): 87-97.
[8]	SRIDHARAN M , ARTZI S , PISTOIA M ,et al. F4F:taint analysis of framework-based web applications[C]// Proceedings of the 2011 ACM International Conference on Object Oriented Programming Systems Languages and Applications. 2011: 1053-1068.
[9]	HUANG W , DONG Y , MILANOVA A . Type-based taint analysis for Java web applications[C]// International Conference on Fundamental Approaches to Software Engineering. Springer,Berlin,Heidelberg, 2014: 140-154.
[10]	LERCH J , HERMANN B , BODDEN E ,et al. FlowTwist:efficient context-sensitive inside-out taint analysis for large codebases[C]// Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering. 2014: 98-108.
[11]	王蕾, 李丰, 李炼 ,等. 污点分析技术的原理和实践应用[J]. 软件学报, 2017,28(4): 860-882.
	WANG L , LI F , LI L ,et al. Principle and practice of taint analysis[J]. Journal of Software, 2017,28(4): 860-882.
[12]	LIVSHITS B . Improving software security with precise static and runtime analysis[D]. Stanford University, 2006.
[13]	TRIPP O , PISTOIA M , COUSOT P ,et al. Andromeda:accurate and scalable security analysis of web applications[C]// Fundamental Approaches to Software Engineering. 2013: 210-225.
[14]	ARZT S , RASTHOFER S , FRITZ C ,et al. Flowdroid:precise context,flow,field,object-sensitive and lifecycle-aware taint analysis for android Apps[J]. Acm Sigplan Notices, 2014,49(6): 259-269.
[15]	JOHNSON A , WAYE L , MOORE S ,et al. Exploring and enforcing security guarantees via program dependence graphs[J]. ACM SIGPLAN Notices, 2015,50(6): 291-302.
[16]	HUANG W , DONG Y , MILANOVA A ,et al. Scalable and precise taint analysis for Android[C]// Proceedings of the 2015 International Symposium on Software Testing and Analysis. 2015: 106-117.
[17]	GRECH N , SMARAGDAKIS Y . P/Taint:unified points to and taint analysis[J]. Proceedings of the ACM on Programming Languages, 2017: 1-28.
[18]	DAHSE J , KREIN N , HOLZ T . Figurer euse attacks in PHP:automated POP chain generation[C]// Proceedings of CCS '14:Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. 2014: 42-53.
[19]	SHCHERBAKOV M , BALLIU M . SerialDetector:principled and practical exploration of object injection vulnerabilities for the web[C]// Proceedings 2021 Network and Distributed System Security Symposium. Reston,VA:Internet Society, 2021.
[20]	HAKEN I . Automated discovery of deserialization gadget chains[R]. 2018.
[21]	杜笑宇, 叶何, 文伟平 . 基于字节码搜索的 Java 反序列化漏洞调用链挖掘方法[J]. 信息网络安全, 2020,20(7): 19-29.
	DU X Y , YE H , WEN W P . Java deserialization vulnerability gadget chain discovery method based on bytecode search[J]. Netinfo Security, 2020,20(7): 19-29.

Metrics

Recommended 0

No Suggested Reading articles found!

CVE/CNVD	反序列化器	依赖	危害
CNVD-2021-44381	Jackson	datanucleusrdbms-5.1.7.jar	JNDI注入
CVE-2021-39141	XStream	仅JDK	代码执行
CVE-2021-39144	XStream	仅JDK	代码执行
CVE-2021-39146	XStream	仅JDK	代码执行
CVE-2021-39153	XStream	仅JDK	代码执行
CVE-2021-43297	Hessian	仅JDK	代码执行

缩写	Jar	Class	Method	Jackson	Fastjson	XStream	Hessian
cb	commons-beanutils-1.9.2.jar	6 050	66 404	0		1	0
rome	rome-1.0.jar	5 984	65 439	0		1	1
resin	resin-4.0.65.jar	12 850	139 930	0		1	1
xbean	xbean-naming-4.5.jar	3 274	35 098	0		1	1
c3p0	c3p0-0.9.5.2.jar	6 608	73 687	2		0	0
ccfg	commons-configuration-1.10.jar	6 191	67 883	0		1	0

缩写	JGadgetInspector		TGadgetInspector			GadgetSearch
缩写	时间/s	结果（有效链数/利用链总数）	时间	结果（有效链数/利用链总数）	时间/s	结果（有效链数/利用链总数）
cb	49.13	0/1	60.79	0/1	9.12	0/0
rome	51.13	0/1	59.82	0/1	6.28	0/0
resin	58.68	0/3	75.40	0/4	9.37	0/0
xbean	48.79	0/1	63.53	0/1	4.45	0/0
c3p0	50.03	0/1	62.31	0/1	16.43	18/18
ccfg	52.45	0/1	63.70	0/1	33.07	0/0
总计	310.21	0/8	385.55	0/9	78.72	18/18

缩写	JGadgetInspector		TGadgetInspector		GadgetSearch
缩写	时间/s	结果（有效链数/利用链总数）	时间/s	结果（有效链数/利用链总数）	时间/s	结果（有效链数/利用链总数）
cb			60.79	0/101	7.18	0/0
rome			59.82	0/96	9.04	0/0
resin			75.40	0/96	1085.32	67/67
xbean			63.53	0/101	3.81	0/0
c3p0			62.31	0/97	22.51	10/10
ccfg			63.70	0/142	60.01	8/8
总计			385.55	0/633	1187.87	85/85

缩写	JGadgetInspector		TGadgetInspector		GadgetSearch
缩写	时间/s	结果（有效链数/利用链总数）	时间/s	结果（有效链数/利用链总数）	时间/s	结果（有效链数/利用链总数）
cb	51.26	2/12	60.79	2/32	20.95	20/20
rome	52.29	2/12	59.82	2/27	7.71	60/60
resin	60.69	4/40	75.40	2/107	206.91	19/19
xbean	51.12	2/12	63.53	2/30	3.27	0/0
c3p0	52.67	2/12	62.31	2/27	9.12	1/1
ccfg	52.83	2/13	63.70	2/46	8.67	26/26
总计	320.86	14/101	385.55	12/269	256.63	126/126

Java deserialization gadget chain discovery method based on hybrid analysis

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 19

References 21

Related Articles 1

Metrics

Recommended 0

Jar	Class	Method	yso-serial	JGadgetInspector		TGadgetInspector		GadgetSearch
Jar	Class	Method	yso-serial	时间/s	结果（有效链数/利用链总数）	时间/s	结果（有效链数/利用链总数）	时间/s	结果（有效链数/利用链总数）
bsh-2.0b5.jar	6033	65696	1	49.18	0/2	57.37	0/2	6.59	0/0
c3p0-0.9.5.2.jar	6608	73687	1	51.78	0/2	58.54	0/2	12.66	6/6
click-nodeps-2.3.0.jar	3394	36764	1	49.04	0/4	58.08	0/4	4.33	1/1
commons-beanutils-1.9.2.jar	6050	66404	1	49.36	0/2	57.67	0/2	10.08	1/2
commons-collections-3.1.jar	6290	67873	5	51.46	0/4	57.67	0/4	50.02	20/20
js-1.7R2.jar	6178	68039	2	51.63	0/3	59.59	0/3	10.16	13/13
rome-1.0.jar	5984	65439	1	48.76	0/2	56.48	0/3	7.91	60/60
vaadin-server-7.7.14.jar	7005	74987	1	52.18	0/5	58.94	0/6	32.51	18/18
总计	47542	518889	13	403.39	0/24	464.34	0/26	134.26	118/118

分析	运行时间/s	节点	边	有效链	总共链
简单调用图分析	25.01	4 102	72 729	392	38 680
混合信息流分析	N/A	N/A	N/A	N/A	N/A
混合分析	7 978.44	630	2060	392	398
注：N/A表示不适用。

CVE	Class	JGadgetInspector	TGadgetInspector	GadgetSearch
CVE-2018-7489	com.mchange.v2.c3p0.ComboPooledDataSource	×	×	√
CVE-2019-17267	net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup	×	×	√
CVE-2019-20330	net.sf.ehcache.transaction.manager.selector.GenericJndiSelector	×	×	√
CVE-2019-20330	net.sf.ehcache.transaction.manager.selector.GlassfishSelector	×	×	√
CVE-2020-14062	com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool	×	×	√
CVE-2020-14195	org.jsecurity.realm.jndi.JndiRealmFactory	×	×	√
CVE-2020-24750	com.pastdev.httpcomponents	×	×	√
CVE-2020-35490	org.apache.commons.dbcp2.datasources.PerUserPoolDataSource	×	×	√
CVE-2020-35491	org.apache.commons.dbcp2.datasources.SharedPoolDataSource	×	×	√
CVE-2020-36179	org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS	×	×	√
CVE-2020-36180	org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS	×	×	√
CVE-2020-36181	org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS	×	×	√
CVE-2020-36182	org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS	×	×	√
CVE-2020-36186	org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource	×	×	√
CVE-2020-36187	org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource	×	×	√
总计	15	0	0	15
注：“√”表示工具检测出相应的CVE，“×”表示未检测出。

CVE	class	JGadgetInspector	TGadgetInspector	GadgetSearch
CVE-2013-7285	Java.beans.EventHandler	×	×	√
CVE-2020-26217	Javax.imageio.ImageIO$ContainsFilter	×	×	√
CVE-2021-21344	com.sun.xml.internal.bind.v2.runtime.reflect.Accessor $Getter-SetterReflection	×	×	×
CVE-2021-21345	com.sun.xml.internal.bind.v2.runtime.reflect.Accessor $Getter-SetterReflection	×	×	×
CVE-2021-21346	sun.swing.SwingLazyValue	√	√	√
CVE-2021-21347	com.sun.tools.Javac.processing.JavacProcessingEnvironment$NameProcessIterator.NameProcessIterator	×	×	√
CVE-2021-21350	com.sun.tools.Javac.processing.JavacProcessingEnvironment$NameProcessIterator.NameProcessIterator	×	×	√
CVE-2021-21351	com.sun.org.apache.xml.internal.dtm.ref.IncrementalSAXSource_Xerces	×	×	√
CVE-2021-39141	com.sun.xml.internal.ws.client.sei.SEIStub	×	×	√
CVE-2021-39144	sun.tracing.ProviderSkeleton	√	√	√
CVE-2021-39146	Javax.swing.UIDefaults$ProxyLazyValue	×	×	√
CVE-2021-39149	sun.tracing.ProviderSkeleton	√	√	√
CVE-2021-39153	com.sun.Javafx.fxml.BeanAdapter	×	×	√
CVE-2021-39154	Javax.swing.UIDefaults$ProxyLazyValue	×	×	√
总计	14	3	3	12
注：“√”表示工具检测出相应的CVE，“×”表示未检测出。