CN117349846A - Java deserialization vulnerability exploitation chain mining method and device and electronic equipment - Google Patents

Info

Publication number
CN117349846A
CN117349846A
Authority
CN
China
Prior art keywords
chain
software
tested
node
determining
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311450610.7A
Other languages
Chinese (zh)
Inventor
崔宝江
骆懿帆
王子奇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing University of Posts and Telecommunications
Priority to CN202311450610.7A
Publication of CN117349846A
Legal status: Pending (current)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/562 Static detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/46 Multiprogramming arrangements
    • G06F 9/54 Interprogram communication
    • G06F 9/547 Remote procedure calls [RPC]; Web services

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention provides a Java deserialization exploit chain mining method, a Java deserialization exploit chain mining device and electronic equipment. The method comprises the following steps: acquiring the software to be tested; performing static analysis on the software to be tested to obtain a code property graph of the software to be tested; determining, according to a preset vulnerability feature profile and the code property graph, the features of a call chain entry of the software to be tested and the features of a call chain trigger node of the software to be tested; determining the reverse semantics of a call chain of the software to be tested according to the code property graph and those features; determining taint analysis code according to the reverse semantics and the taint data transfer characteristics of a Java deserialization exploit chain; and verifying the taint analysis code with preset taint data to determine the deserialization exploit chain of the software to be tested. The method alleviates the low efficiency and poor effectiveness of Java deserialization exploit chain mining that relies on manual auditing, and improves the efficiency and effectiveness of exploit chain mining.

Description

Java deserialization vulnerability exploitation chain mining method and device and electronic equipment
Technical Field
The invention relates to the technical field of software security, in particular to a Java deserialization exploit chain mining method, a Java deserialization exploit chain mining device and electronic equipment.
Background
Deserialization vulnerabilities are currently among the most important classes of Java vulnerability. They pose a serious threat to software security and are therefore a focus of security research. However, a deserialization exploit chain involves deeply nested call chains and very complicated intermediate flows, and existing Java deserialization exploit chain mining methods, which rely on manual auditing, on static analysis alone or on taint analysis alone, struggle to find hidden but effective exploit chains. As a result, existing mining methods are inefficient and ineffective.
Disclosure of Invention
The invention aims to provide a Java deserialization exploit chain mining method, a Java deserialization exploit chain mining device and electronic equipment, so as to solve the technical problems of low efficiency and poor effect of the Java deserialization exploit chain mining method caused by manual audit and improve the efficiency and effect of the Java deserialization exploit chain mining method.
In a first aspect, an embodiment of the present invention provides a Java deserialization exploit chain mining method, including: acquiring software to be tested; performing static analysis on the software to be tested to obtain a code property graph of the software to be tested; determining, according to a preset vulnerability feature profile and the code property graph, a first node feature corresponding to a call chain entry of the software to be tested and a second node feature corresponding to a call chain trigger node of the software to be tested, where the vulnerability feature profile indicates the method-level vulnerability features of a preset Java deserialization exploit chain; determining the reverse semantics of a call chain of the software to be tested according to the code property graph, the first node feature and the second node feature, where the reverse semantics indicate the reverse representation of the method nodes that call the call chain trigger node and of the method nodes that recursively (transitively) call the call chain trigger node; determining taint analysis code according to the reverse semantics and the taint data transfer characteristics of the Java deserialization exploit chain; and verifying the taint analysis code with preset taint data to determine the deserialization exploit chain of the software to be tested.
In a preferred embodiment of the present invention, the step of performing static analysis on the software to be tested to obtain a code property graph of the software to be tested includes: performing static analysis on the software to be tested with the CodeQL engine to obtain the code property graph of the software to be tested.
In a preferred embodiment of the present invention, before the step of performing static analysis on the software to be tested, the method further includes: acquiring the preset Java deserialization exploit chain; and performing feature extraction on the Java deserialization exploit chain based on preset feature parameters to obtain the vulnerability feature profile.
In a preferred embodiment of the present invention, the vulnerability feature profile includes: the entry class, entry method, trigger class, trigger method and taint data transfer characteristic information of the Java deserialization exploit chain.
In a preferred embodiment of the present invention, the step of determining the reverse semantics of the call chain of the software to be tested according to the code property graph, the first node feature and the second node feature includes: determining node information query code according to the code property graph, the first node feature and the second node feature; running the node information query code to determine the call chain entry information and the call chain trigger node information of the software to be tested; and determining the reverse semantics of the call chain of the software to be tested according to the code property graph, the call chain entry information and the call chain trigger node information.
In a preferred embodiment of the present invention, after the step of determining the reverse semantics of the call chain of the software to be tested according to the code property graph, the first node feature and the second node feature, the method further includes: performing a reverse search over the reverse semantics by breadth-first search to determine a plurality of call chains of the software to be tested; and splitting each of the plurality of call chains at method boundaries to generate split data. The step of determining taint analysis code according to the reverse semantics and the taint data transfer characteristics of the Java deserialization exploit chain then includes: determining the taint analysis code according to the split data and the taint data transfer characteristics of the Java deserialization exploit chain.
In a preferred embodiment of the present invention, the step of determining the taint analysis code according to the split data and the taint data transfer characteristics of the Java deserialization exploit chain includes: analyzing the calling characteristics of each segment of method nodes in the split data; and determining the taint analysis code according to those calling characteristics and the taint data transfer characteristics of the Java deserialization exploit chain.
In a preferred embodiment of the present invention, the taint analysis code is written in a query language.
In a second aspect, an embodiment of the present invention further provides a Java deserialization exploit chain mining apparatus, including: a data acquisition module, configured to acquire software to be tested; a static analysis module, configured to perform static analysis on the software to be tested to obtain a code property graph of the software to be tested; a feature determination module, configured to determine, according to a preset vulnerability feature profile and the code property graph, a first node feature corresponding to the call chain entry of the software to be tested and a second node feature corresponding to the call chain trigger node of the software to be tested, where the vulnerability feature profile indicates the method-level vulnerability features of a preset Java deserialization exploit chain; a reverse semantic determination module, configured to determine the reverse semantics of the call chain of the software to be tested according to the code property graph, the first node feature and the second node feature, where the reverse semantics indicate the reverse representation of the method nodes that call the call chain trigger node and of the method nodes that recursively call the call chain trigger node; a taint analysis code generation module, configured to determine taint analysis code according to the reverse semantics and the taint data transfer characteristics of the Java deserialization exploit chain; and a deserialization exploit chain determination module, configured to verify the taint analysis code with preset taint data and determine the deserialization exploit chain of the software to be tested.
In a third aspect, an embodiment of the present invention further provides an electronic device, where the electronic device includes a processor and a memory, where the memory stores computer executable instructions that can be executed by the processor, and the processor executes the computer executable instructions to implement the Java deserialization exploit chain mining method.
The embodiments of the present invention have the following beneficial technical effects:
The embodiments of the present invention provide a Java deserialization exploit chain mining method, a Java deserialization exploit chain mining apparatus and electronic equipment. The method comprises: acquiring software to be tested; performing static analysis on the software to be tested to obtain a code property graph of the software to be tested; determining, according to a preset vulnerability feature profile and the code property graph, a first node feature corresponding to a call chain entry of the software to be tested and a second node feature corresponding to a call chain trigger node of the software to be tested, where the vulnerability feature profile indicates the method-level vulnerability features of a preset Java deserialization exploit chain; determining the reverse semantics of a call chain of the software to be tested according to the code property graph, the first node feature and the second node feature, where the reverse semantics indicate the reverse representation of the method nodes that call the call chain trigger node and of the method nodes that recursively call the call chain trigger node; determining taint analysis code according to the reverse semantics and the taint data transfer characteristics of the Java deserialization exploit chain; and verifying the taint analysis code with preset taint data to determine the deserialization exploit chain of the software to be tested.
In this method, a vulnerability feature profile is constructed from the method-level vulnerability features of preset Java deserialization exploit chains; feature analysis is performed on the code property graph of the software to be tested according to that profile to determine the reverse semantics of the call chains of the software to be tested; and the deserialization exploit chain of the software to be tested is then determined from the reverse semantics. This addresses the low efficiency and poor effectiveness of exploit chain mining that relies on manual auditing, and improves the efficiency and effectiveness of Java deserialization exploit chain mining.
Additional features and advantages of the present embodiments will be set forth in the description which follows, or in part will be obvious from the description, or may be learned by practice of the techniques of the present disclosure.
The foregoing objects, features and advantages of the disclosure will be more readily apparent from the following detailed description of the preferred embodiments taken in conjunction with the accompanying drawings.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic flow chart of a Java deserialization exploit chain mining method according to an embodiment of the present invention;
FIG. 2 is a flowchart of another Java deserialization exploit chain mining method according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a Java deserialization exploit chain mining device according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Reference numerals: 11 - data acquisition module; 12 - static analysis module; 13 - feature determination module; 14 - reverse semantic determination module; 15 - taint analysis code generation module; 16 - deserialization exploit chain determination module; 21 - memory; 22 - processor; 23 - bus; 24 - communication interface.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. The components of the embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Deserialization vulnerabilities are among the most important classes of Java vulnerability. They pose a serious threat to software security and are therefore a focus of security research. However, a deserialization exploit chain involves deeply nested call chains and very complicated intermediate flows, and existing Java deserialization exploit chain mining methods, which rely on manual auditing, on static analysis alone or on taint analysis alone, struggle to find hidden but effective exploit chains. As a result, existing mining methods are inefficient and ineffective.
Based on the above, the embodiment of the invention provides a Java deserialization exploit chain mining method, a Java deserialization exploit chain mining device and electronic equipment. For the convenience of understanding the embodiments of the present invention, a detailed description is first given of a Java deserialization exploit chain mining method disclosed in the embodiments of the present invention.
Example 1
The embodiment of the invention provides a Java deserialization exploit chain mining method. FIG. 1 is a flowchart of the Java deserialization exploit chain mining method according to an embodiment of the present invention.
As seen in fig. 1, the above method includes:
Step S101: acquire the software to be tested.
Step S102: perform static analysis on the software to be tested to obtain a code property graph of the software to be tested.
In this embodiment, static analysis is performed on the software to be tested to obtain its code property graph. The code property graph (CPG) is a single graph that fuses the abstract syntax tree (AST), the control flow graph (CFG) and the program dependence graph (PDG, which carries the data and control dependencies), so that syntax, control flow and data flow can be queried together.
Step S103: determine, according to a preset vulnerability feature profile and the code property graph, a first node feature corresponding to a call chain entry of the software to be tested and a second node feature corresponding to a call chain trigger node of the software to be tested; the vulnerability feature profile indicates the method-level vulnerability features of a preset Java deserialization exploit chain.
Here, web crawler technology is used to collect the call information of existing, publicly documented Java deserialization exploit chains, and the method-level vulnerability features of the preset Java deserialization exploit chain are obtained from that call information.
Step S104: determine the reverse semantics of a call chain of the software to be tested according to the code property graph, the first node feature and the second node feature; the reverse semantics indicate the reverse representation of the method nodes that call the call chain trigger node and of the method nodes that recursively call the call chain trigger node.
Step S105: determine taint analysis code according to the reverse semantics and the taint data transfer characteristics of the Java deserialization exploit chain.
In this embodiment, the taint analysis code is written in a query language.
Step S106: verify the taint analysis code with preset taint data and determine the deserialization exploit chain of the software to be tested.
In actual operation, the taint analysis code is run and it is checked whether the taint data can propagate along the chain; a chain through which the taint data propagates is determined to be a deserialization exploit chain of the software to be tested.
The embodiment of the invention provides a Java deserialization exploit chain mining method, which comprises the following steps: acquiring software to be tested; performing static analysis on the software to be tested to obtain a code property graph of the software to be tested; determining, according to a preset vulnerability feature profile and the code property graph, a first node feature corresponding to a call chain entry of the software to be tested and a second node feature corresponding to a call chain trigger node of the software to be tested, where the vulnerability feature profile indicates the method-level vulnerability features of a preset Java deserialization exploit chain; determining the reverse semantics of a call chain of the software to be tested according to the code property graph, the first node feature and the second node feature, where the reverse semantics indicate the reverse representation of the method nodes that call the call chain trigger node and of the method nodes that recursively call the call chain trigger node; determining taint analysis code according to the reverse semantics and the taint data transfer characteristics of the Java deserialization exploit chain; and verifying the taint analysis code with preset taint data to determine the deserialization exploit chain of the software to be tested.
In this method, a vulnerability feature profile is constructed from the method-level vulnerability features of preset Java deserialization exploit chains; feature analysis is performed on the code property graph of the software to be tested according to that profile to determine the reverse semantics of the call chains of the software to be tested; and the deserialization exploit chain of the software to be tested is then determined from the reverse semantics. This addresses the low efficiency and poor effectiveness of exploit chain mining that relies on manual auditing, and improves the efficiency and effectiveness of Java deserialization exploit chain mining.
Example 2
Based on Example 1, FIG. 2 is a schematic flowchart of another Java deserialization exploit chain mining method according to an embodiment of the present invention.
As seen in FIG. 2, the method includes:
Step S201: acquire the software to be tested.
Step S202: perform static analysis on the software to be tested with the CodeQL engine to obtain the code property graph of the software to be tested.
Before the step of performing static analysis on the software to be tested, the method further includes: acquiring the preset Java deserialization exploit chain; and performing feature extraction on the Java deserialization exploit chain based on preset feature parameters to obtain the vulnerability feature profile.
Here, the vulnerability feature profile includes: the entry class, entry method, trigger class, trigger method and taint data transfer characteristic information of the Java deserialization exploit chain.
Step S203: determine, according to the preset vulnerability feature profile and the code property graph, a first node feature corresponding to the call chain entry of the software to be tested and a second node feature corresponding to the call chain trigger node of the software to be tested; the vulnerability feature profile indicates the method-level vulnerability features of a preset Java deserialization exploit chain.
The code property graph is queried against the vulnerability feature profile to determine the first node feature corresponding to the call chain entry of the software to be tested and the second node feature corresponding to the call chain trigger node of the software to be tested.
Step S204: determine the reverse semantics of the call chain of the software to be tested according to the code property graph, the first node feature and the second node feature; the reverse semantics indicate the reverse representation of the method nodes that call the call chain trigger node and of the method nodes that recursively call the call chain trigger node.
In actual operation, step S204 includes the following steps A1 to A3:
Step A1: determine node information query code according to the code property graph, the first node feature and the second node feature.
Step A2: run the node information query code to determine the call chain entry information and the call chain trigger node information of the software to be tested.
Step A3: determine the reverse semantics of the call chain of the software to be tested according to the code property graph, the call chain entry information and the call chain trigger node information.
Step S205: determine taint analysis code according to the reverse semantics and the taint data transfer characteristics of the Java deserialization exploit chain.
Step S206: verify the taint analysis code with preset taint data and determine the deserialization exploit chain of the software to be tested.
In one embodiment, after step A3 the method further includes the following steps B1 and B2:
Step B1: perform a reverse search over the reverse semantics by breadth-first search to determine a plurality of call chains of the software to be tested.
Step B2: split each of the plurality of call chains at method boundaries to generate split data.
Further, step S205 includes: determining the taint analysis code according to the split data and the taint data transfer characteristics of the Java deserialization exploit chain.
In this embodiment, the step of determining the taint analysis code according to the split data and the taint data transfer characteristics of the Java deserialization exploit chain includes: analyzing the calling characteristics of each segment of method nodes in the split data; and determining the taint analysis code according to those calling characteristics and the taint data transfer characteristics of the Java deserialization exploit chain.
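The following is an added, runnable illustration of steps S202 to S206 and A1 to B2 as described above; it is not the patent's own code. A plain dictionary of caller-to-callee edges stands in for the CodeQL code property graph, the Serializable classes and the taint-carrying call edges (the PDG facts a real CPG would provide) are constructed inline, and every com.example.* and com.target.* class name is hypothetical. The CodeQL-style text emitted for each segment is an assumed skeleton of "taint analysis code written in a query language", not the query text used by the patent.

```python
"""Gadget-chain search modelled on steps S202-S206 and A1-B2 of the patent.
Added illustration, not the patent's code: a caller->callee dict stands in for the
CodeQL code property graph; all com.example.*/com.target.* names are hypothetical."""
from collections import deque

def split_name(fq):
    """'a.b.C.m' -> ('a.b.C', 'm')."""
    cls, _, meth = fq.rpartition(".")
    return cls, meth

# Known chains as a crawler of public write-ups would deliver them: ordered method
# nodes from deserialization entry to trigger (constructed, not real gadgets).
KNOWN_CHAINS = [
    ["com.example.LazyTable.readObject", "com.example.LazyTable.lookup",
     "com.example.Invoker.apply", "java.lang.reflect.Method.invoke"],
    ["com.example.Row.hashCode", "com.example.Row.value",
     "com.example.Invoker.apply", "java.lang.reflect.Method.invoke"],
]

def build_profile(chains):
    """Feature extraction (before S202): entry method names + fully qualified triggers."""
    return {"entry_methods": {split_name(c[0])[1] for c in chains},
            "triggers": {c[-1] for c in chains}}

# Stand-in CPG of the software under test: caller -> callees, the Serializable
# classes, and the call edges along which the PDG shows deserialized data reaching
# the callee's argument (Entry.describe passes only a constant to Factory.create).
CALL_GRAPH = {
    "com.target.CacheMap.readObject": {"com.target.CacheMap.rebuild"},
    "com.target.CacheMap.rebuild": {"com.target.CacheMap.get", "com.target.Log.info"},
    "com.target.CacheMap.get": {"com.target.Factory.create"},
    "com.target.Factory.create": {"java.lang.reflect.Method.invoke"},
    "com.target.Entry.hashCode": {"com.target.Entry.describe"},
    "com.target.Entry.describe": {"com.target.Factory.create"},
}
SERIALIZABLE = {"com.target.CacheMap", "com.target.Entry"}
TAINTED_EDGES = {
    ("com.target.CacheMap.readObject", "com.target.CacheMap.rebuild"),
    ("com.target.CacheMap.rebuild", "com.target.CacheMap.get"),
    ("com.target.CacheMap.get", "com.target.Factory.create"),
    ("com.target.Factory.create", "java.lang.reflect.Method.invoke"),
    ("com.target.Entry.hashCode", "com.target.Entry.describe"),
}

# S205 output shape: one CodeQL-style taint query per segment (assumed skeleton,
# not the patent's query text): caller's parameter -> argument of the callee call.
QL_TEMPLATE = """import java
import semmle.code.java.dataflow.TaintTracking
module Seg implements DataFlow::ConfigSig {{
  predicate isSource(DataFlow::Node s) {{ exists(Callable c | c = s.asParameter().getCallable() |
    c.getDeclaringType().getQualifiedName() = "{src_cls}" and c.hasName("{src_m}")) }}
  predicate isSink(DataFlow::Node k) {{ exists(Call c | k.asExpr() = c.getAnArgument() |
    c.getCallee().getDeclaringType().getQualifiedName() = "{snk_cls}" and c.getCallee().hasName("{snk_m}")) }}
}}
module Flow = TaintTracking::Global<Seg>;
from DataFlow::Node s, DataFlow::Node k where Flow::flow(s, k) select s, k
"""

def locate_nodes(graph, serializable, profile):
    """S203 / A1-A2: entries = profile entry methods on Serializable classes; triggers = exact matches."""
    nodes = set(graph) | {c for cs in graph.values() for c in cs}
    entries = {n for n in nodes if split_name(n)[1] in profile["entry_methods"]
               and split_name(n)[0] in serializable}
    return entries, nodes & profile["triggers"]

def reverse_semantics(graph):
    """A3: invert caller->callee so the walk runs from trigger back to entry."""
    rev = {}
    for caller, callees in graph.items():
        for callee in callees:
            rev.setdefault(callee, set()).add(caller)
    return rev

def reverse_search(rev, entries, trigger, max_depth=8):
    """B1: BFS backwards from the trigger; each path reaching an entry is a chain (entry first)."""
    chains, queue = [], deque([(trigger,)])
    while queue:
        path = queue.popleft()
        if path[-1] in entries:
            chains.append(tuple(reversed(path)))
        elif len(path) < max_depth:
            queue.extend(path + (c,) for c in sorted(rev.get(path[-1], ()))
                         if c not in path)  # no cycles inside one chain
    return chains

def split_chain(chain):
    return list(zip(chain, chain[1:]))  # B2: one caller->callee segment per taint query

def taint_query(segment):
    """S205: render the taint analysis code for one segment."""
    (src_cls, src_m), (snk_cls, snk_m) = map(split_name, segment)
    return QL_TEMPLATE.format(src_cls=src_cls, src_m=src_m, snk_cls=snk_cls, snk_m=snk_m)

def verify_chain(chain, tainted_edges):
    """S206: confirmed only if every segment's query reports flow (answered here from PDG facts)."""
    return all(seg in tainted_edges for seg in split_chain(chain))

def mine(graph, serializable, tainted_edges, profile):
    """Whole pipeline: returns (call-graph candidates, taint-confirmed chains)."""
    entries, triggers = locate_nodes(graph, serializable, profile)
    rev = reverse_semantics(graph)
    candidates = [c for t in sorted(triggers) for c in reverse_search(rev, entries, t)]
    return candidates, [c for c in candidates if verify_chain(c, tainted_edges)]

if __name__ == "__main__":
    found, ok = mine(CALL_GRAPH, SERIALIZABLE, TAINTED_EDGES, build_profile(KNOWN_CHAINS))
    for c in found:
        print(("CONFIRMED" if c in ok else "rejected ") + "  " + " -> ".join(c))
    print(taint_query(split_chain(ok[0])[1]))
```

Running the module lists both call-graph candidates and marks only the chain whose every segment carries taint as confirmed: the path from Entry.hashCode is reachable in the call graph but is rejected in step S206 because Entry.describe passes a constant to Factory.create, which is exactly the false positive that call-graph search alone cannot rule out and that the per-segment taint queries are meant to eliminate.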
The embodiment of the invention provides a Java deserialization exploit chain mining method, which comprises the following steps: acquiring software to be tested; performing static analysis on the software to be tested with the CodeQL engine to obtain a code property graph of the software to be tested; determining, according to a preset vulnerability feature profile and the code property graph, a first node feature corresponding to a call chain entry of the software to be tested and a second node feature corresponding to a call chain trigger node of the software to be tested, where the vulnerability feature profile indicates the method-level vulnerability features of a preset Java deserialization exploit chain; determining the reverse semantics of a call chain of the software to be tested according to the code property graph, the first node feature and the second node feature, where the reverse semantics indicate the reverse representation of the method nodes that call the call chain trigger node and of the method nodes that recursively call the call chain trigger node; determining taint analysis code according to the reverse semantics and the taint data transfer characteristics of the Java deserialization exploit chain; and verifying the taint analysis code with preset taint data to determine the deserialization exploit chain of the software to be tested.
In this method, a vulnerability feature profile is constructed from the method-level vulnerability features of preset Java deserialization exploit chains; feature analysis is performed on the code property graph of the software to be tested according to that profile to determine the reverse semantics of the call chains of the software to be tested; and the deserialization exploit chain of the software to be tested is then determined from the reverse semantics. This addresses the low efficiency and poor effectiveness of exploit chain mining that relies on manual auditing, and improves the efficiency and effectiveness of Java deserialization exploit chain mining.
Example 3
Fig. 3 is a schematic structural diagram of a Java deserialization exploit chain mining apparatus according to an embodiment of the present invention. As can be seen in fig. 3, the device comprises:
The data acquisition module 11 is configured to acquire software to be tested.
The static analysis module 12 is configured to perform static analysis on the software to be tested to obtain a code property graph of the software to be tested.
The feature determining module 13 is configured to determine, according to a preset vulnerability feature profile and the code property graph, a first node feature corresponding to a call chain entry of the software to be tested and a second node feature corresponding to a call chain trigger node of the software to be tested; the vulnerability feature profile indicates the vulnerability features of the methods of a preset Java deserialization exploit chain.
The reverse semantic determining module 14 is configured to determine the reverse semantics of a call chain of the software to be tested according to the code property graph, the first node feature and the second node feature; the reverse semantics indicate the reverse expression form of the method nodes that call the call chain trigger node and the reverse expression form of the method nodes that recursively call the call chain trigger node.
The taint analysis code generation module 15 is configured to determine taint analysis code according to the reverse semantics and the taint data transfer characteristics of the Java deserialization exploit chain.
The deserialization exploit chain determining module 16 is configured to verify the taint analysis code with preset taint data and thereby determine the deserialization exploit chain of the software to be tested.
The data acquisition module 11, the static analysis module 12, the feature determining module 13, the reverse semantic determining module 14, the taint analysis code generation module 15 and the deserialization exploit chain determining module 16 are connected in sequence.
In one embodiment, the static analysis module 12 is further configured to perform the static analysis of the software to be tested through a CodeQL engine to obtain the code property graph of the software to be tested.
In one embodiment, the apparatus further comprises a storage module; the storage module is configured to acquire the preset Java deserialization exploit chain and to perform feature extraction on the Java deserialization exploit chain based on preset feature parameters to obtain the vulnerability feature profile.
In one embodiment, the reverse semantic determining module 14 is further configured to determine node information query code according to the code property graph, the first node feature and the second node feature; to run the node information query code and determine the call chain entry information and call chain trigger node information of the software to be tested; and to determine the reverse semantics of the call chain of the software to be tested according to the code property graph, the call chain entry information and the call chain trigger node information.
In one embodiment, the taint analysis code generation module 15 is further configured to search the reverse semantics backwards by breadth-first search to determine a plurality of call chains of the software to be tested; to split each of the plurality of call chains at the boundaries between methods to generate split data; and to determine the taint analysis code according to the split data and the taint data transfer characteristics of the Java deserialization exploit chain.
In one embodiment, the taint analysis code generation module 15 is further configured to analyze the calling characteristic of each method node segment in the split data, and to determine the taint analysis code according to the calling characteristic and the taint data transfer characteristics of the Java deserialization exploit chain.
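The reverse search, chain splitting and taint verification steps described for modules 14 and 15 above (and summarized in the method description at the start of this section), as an added illustrative example in Python. This is not code from the patent, which works on a CodeQL code property graph and emits CodeQL queries; here a small hand-built call graph stands in for the code property graph, a dictionary stands in for the vulnerability feature profile, and a table of per-segment taint transfers stands in for the preset taint data. Every package, class and method name is hypothetical.

```python
from collections import deque

# Constructed call graph standing in for the call relation of a code
# property graph: caller -> callees, nodes named "package.Class.method".
# All names are hypothetical; the Loader.lookup -> Cache.get edge forms a
# cycle so the search has to cope with one.
CALL_GRAPH = {
    "ex.Profile.readObject": ["ex.Profile.restore"],
    "ex.Profile.restore": ["ex.Cache.get"],
    "ex.Cache.get": ["ex.Cache.load", "ex.Cache.evict"],
    "ex.Cache.load": ["ex.Loader.lookup"],
    "ex.Loader.lookup": ["ex.Reflect.callTarget", "ex.Cache.get"],
    "ex.Reflect.callTarget": ["java.lang.reflect.Method.invoke"],
    "ex.Cache.evict": [],
    "ex.Session.readObject": ["ex.Session.rebuild"],
    "ex.Session.rebuild": ["ex.Log.write"],
    "ex.Log.write": [],
    "java.lang.reflect.Method.invoke": [],
}

# Constructed vulnerability feature profile (claim 4 lists entry method,
# trigger class/method and taint transfer characteristics of a known chain).
PROFILE = {
    "entry_method": "readObject",
    "trigger": "java.lang.reflect.Method.invoke",
}

# Constructed "preset taint data": for each caller -> callee segment, which
# callee input receives deserialized (attacker-controlled) data. A segment
# absent from this table does not pass the taint on, so a chain that needs
# it is incomplete.
TAINT_TRANSFER = {
    ("ex.Profile.readObject", "ex.Profile.restore"): "this.entries",
    ("ex.Profile.restore", "ex.Cache.get"): "arg0",
    ("ex.Cache.get", "ex.Cache.load"): "arg0",
    ("ex.Cache.load", "ex.Loader.lookup"): "arg0",
    ("ex.Loader.lookup", "ex.Reflect.callTarget"): "arg0",
    ("ex.Reflect.callTarget", "java.lang.reflect.Method.invoke"): "this.target",
}


def reverse_graph(graph):
    """Invert the call relation: callee -> callers (the 'reverse semantics')."""
    rev = {node: [] for node in graph}
    for caller, callees in graph.items():
        for callee in callees:
            rev.setdefault(callee, []).append(caller)
    return rev


def entry_nodes(graph, profile):
    """First node feature: methods whose simple name matches the entry method."""
    return {n for n in graph if n.rsplit(".", 1)[-1] == profile["entry_method"]}


def reverse_chains(graph, profile):
    """Breadth-first search backwards from the trigger node to every entry node.

    Returns chains ordered entry -> trigger. A node may occur once per chain,
    which is what stops the search from looping through the cycle.
    """
    rev = reverse_graph(graph)
    entries = entry_nodes(graph, profile)
    chains = []
    queue = deque([[profile["trigger"]]])  # paths are stored trigger-first
    while queue:
        path = queue.popleft()
        head = path[-1]
        if head in entries:
            chains.append(list(reversed(path)))
            continue
        for caller in rev.get(head, []):
            if caller not in path:
                queue.append(path + [caller])
    return chains


def split_chain(chain):
    """Split a chain into caller -> callee segments (the 'split data')."""
    return [(chain[i], chain[i + 1]) for i in range(len(chain) - 1)]


def verify_chain(chain, transfer):
    """Check that every segment carries taint; return annotated segments or None."""
    annotated = []
    for segment in split_chain(chain):
        if segment not in transfer:
            return None
        annotated.append((segment, transfer[segment]))
    return annotated


def mine_chains(graph, profile, transfer):
    """Full pipeline: reverse search, split, then taint verification per segment."""
    return [c for c in reverse_chains(graph, profile) if verify_chain(c, transfer)]


if __name__ == "__main__":
    for chain in mine_chains(CALL_GRAPH, PROFILE, TAINT_TRANSFER):
        print(" -> ".join(chain))
        for segment, carrier in verify_chain(chain, TAINT_TRANSFER):
            print(f"  {segment[0]} passes taint to {segment[1]} via {carrier}")
```

Two points the paragraph alone does not show: the per-path visited check is what keeps the backwards search terminating on a call graph with cycles, and the taint verification is what separates a mere call path from a usable chain, since a path from an entry to the trigger on which some segment drops the deserialized data is discarded. On a real code base that last step is the part the generated taint-tracking query performs.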
The Java deserialization exploit chain mining device provided by the embodiment of the invention has the same technical characteristics as the Java deserialization exploit chain mining method provided by the embodiment, so that the same technical problems can be solved, and the same technical effects can be achieved. It will be clear to those skilled in the art that, for convenience and brevity of description, reference may be made to the corresponding process in the foregoing method embodiment for the specific working process of the apparatus described above, which is not described herein again.
Example 4
The present embodiment provides an electronic device comprising a processor and a memory storing computer executable instructions executable by the processor to implement the steps of a Java deserialization exploit chain mining method.
The present embodiment provides a computer-readable storage medium in which a computer program is stored which, when executed by a processor, implements the steps of a Java deserialization exploit chain mining method.
Referring to fig. 4, a schematic structural diagram of an electronic device includes: the system comprises a memory 21 and a processor 22, wherein the memory 21 stores a computer program which can be run on the processor 22, and the processor realizes the steps provided by the Java deserialization exploit chain mining method when executing the computer program.
As shown in fig. 4, the apparatus further includes a bus 23 and a communication interface 24; the processor 22, the communication interface 24 and the memory 21 are connected by the bus 23, and the processor 22 is configured to execute an executable module, such as a computer program, stored in the memory 21.
The memory 21 may include a high-speed random access memory (RAM), and may further include a non-volatile memory, such as at least one magnetic disk memory. The communication connection between this system network element and at least one other network element is implemented through at least one communication interface 24 (which may be wired or wireless), which may use the Internet, a wide area network, a local area network, a metropolitan area network, etc.
The bus 23 may be an ISA bus, a PCI bus, an EISA bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one bi-directional arrow is shown in fig. 4, but this does not mean that there is only one bus or only one type of bus.
The memory 21 is used for storing a program, and the processor 22 executes the program after receiving an execution instruction. The method performed by the Java deserialization exploit chain mining apparatus in any of the embodiments of the present invention can be applied to the processor 22 or implemented by the processor 22. The processor 22 may be an integrated circuit chip with signal processing capability. In implementation, the steps of the above method may be completed by integrated logic circuitry in hardware or by instructions in software in the processor 22. The processor 22 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, capable of implementing or executing the methods, steps and logic blocks disclosed in the embodiments of the present invention. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be embodied directly as being executed by a hardware decoding processor, or by a combination of hardware and software modules in a decoding processor. The software module may be located in a storage medium that is mature in the art, such as a random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, registers, etc.
The storage medium is located in the memory 21 and the processor 22 reads the information in the memory 21 and in combination with its hardware performs the steps of the method described above.
Further, embodiments of the present invention provide a machine-readable storage medium storing machine-executable instructions that, when invoked and executed by the processor 22, cause the processor 22 to implement the Java deserialization exploit chain mining method described above.
The electronic equipment and the computer readable storage medium provided by the embodiment of the invention have the same technical characteristics, so that the same technical problems can be solved, and the same technical effects can be achieved.
In addition, in the description of the embodiments of the present invention, unless explicitly specified and limited otherwise, the terms "mounted", "connected" and "coupled" are to be understood broadly; for example, a connection may be a fixed connection, a detachable connection or an integral connection; it may be a mechanical or an electrical connection; it may be a direct connection or an indirect connection through an intermediate medium, or communication between two elements. The specific meaning of the above terms in the present invention will be understood in specific cases by those of ordinary skill in the art.

Claims (10)

1. A Java deserialization exploit chain mining method, characterized by comprising the following steps:
acquiring software to be tested;
performing static analysis on the software to be tested to obtain a code property graph of the software to be tested;
determining, according to a preset vulnerability feature profile and the code property graph, a first node feature corresponding to a call chain entry of the software to be tested and a second node feature corresponding to a call chain trigger node of the software to be tested; the vulnerability feature profile indicates the vulnerability features of the methods of a preset Java deserialization exploit chain;
determining the reverse semantics of a call chain of the software to be tested according to the code property graph, the first node feature and the second node feature; the reverse semantics indicate the reverse expression form of the method nodes that call the call chain trigger node and the reverse expression form of the method nodes that recursively call the call chain trigger node;
determining taint analysis code according to the reverse semantics and the taint data transfer characteristics of the Java deserialization exploit chain;
and verifying the taint analysis code with preset taint data to determine the deserialization exploit chain of the software to be tested.
2. The Java deserialization exploit chain mining method of claim 1, wherein the step of performing static analysis on the software to be tested to obtain a code property graph of the software to be tested comprises:
performing static analysis on the software to be tested through a CodeQL engine to obtain the code property graph of the software to be tested.
3. The Java deserialization exploit chain mining method of claim 2, wherein, before the step of performing static analysis on the software to be tested, the method further comprises:
acquiring the preset Java deserialization exploit chain;
and performing feature extraction on the Java deserialization exploit chain based on preset feature parameters to obtain the vulnerability feature profile.
4. The Java deserialization exploit chain mining method of claim 3, wherein the vulnerability feature profile comprises: the entry class, entry method, trigger class, trigger method and taint data transfer characteristic information of the Java deserialization exploit chain.
5. The Java deserialization exploit chain mining method of claim 1, wherein determining the reverse semantics of the call chain of the software to be tested according to the code property graph, the first node feature and the second node feature comprises:
determining node information query code according to the code property graph, the first node feature and the second node feature;
running the node information query code to determine the call chain entry information and call chain trigger node information of the software to be tested;
and determining the reverse semantics of the call chain of the software to be tested according to the code property graph, the call chain entry information and the call chain trigger node information.
6. The Java deserialization exploit chain mining method of claim 1, wherein, after the step of determining the reverse semantics of the call chain of the software to be tested according to the code property graph, the first node feature and the second node feature, the method further comprises:
searching the reverse semantics backwards by breadth-first search to determine a plurality of call chains of the software to be tested;
splitting each of the plurality of call chains at the boundaries between methods to generate split data;
and the step of determining taint analysis code according to the reverse semantics and the taint data transfer characteristics of the Java deserialization exploit chain comprises:
determining the taint analysis code according to the split data and the taint data transfer characteristics of the Java deserialization exploit chain.
7. The method of claim 6, wherein determining the taint analysis code according to the split data and the taint data transfer characteristics of the Java deserialization exploit chain comprises:
analyzing the calling characteristic of each method node segment in the split data;
and determining the taint analysis code according to the calling characteristic and the taint data transfer characteristics of the Java deserialization exploit chain.
8. The Java deserialization exploit chain mining method of claim 7, wherein the taint analysis code is written in a query language.
9. A Java deserialization exploit chain mining apparatus, comprising:
a data acquisition module, configured to acquire software to be tested;
a static analysis module, configured to perform static analysis on the software to be tested to obtain a code property graph of the software to be tested;
a feature determining module, configured to determine, according to a preset vulnerability feature profile and the code property graph, a first node feature corresponding to a call chain entry of the software to be tested and a second node feature corresponding to a call chain trigger node of the software to be tested; the vulnerability feature profile indicates the vulnerability features of the methods of a preset Java deserialization exploit chain;
a reverse semantic determining module, configured to determine the reverse semantics of a call chain of the software to be tested according to the code property graph, the first node feature and the second node feature; the reverse semantics indicate the reverse expression form of the method nodes that call the call chain trigger node and the reverse expression form of the method nodes that recursively call the call chain trigger node;
a taint analysis code generation module, configured to determine taint analysis code according to the reverse semantics and the taint data transfer characteristics of the Java deserialization exploit chain;
and a deserialization exploit chain determining module, configured to verify the taint analysis code with preset taint data and determine the deserialization exploit chain of the software to be tested.
10. An electronic device comprising a processor and a memory storing computer-executable instructions which, when executed by the processor, implement the Java deserialization exploit chain mining method of any one of claims 1 to 8.
CN202311450610.7A 2023-11-02 2023-11-02 Java deserialization vulnerability exploitation chain mining method and device and electronic equipment Pending CN117349846A (en)

Publications (1)

Publication Number Publication Date
CN117349846A true CN117349846A (en) 2024-01-05

Family

ID=89363069

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination