CN115270131A - Java deserialization vulnerability detection method and system - Google Patents


Info

Publication number: CN115270131A
Authority: CN (China)
Prior art keywords: java, function, function call, call chain, dynamic
Legal status: Pending (listed by Google as an assumption, not a legal conclusion)
Application number: CN202210672646.9A
Other languages: Chinese (zh)
Inventors: 刘奇旭, 冯薪澄, 刘玉岭, 曹雅琴, 陈星辰, 李香龙, 刘清越, 刘潮歌
Current assignee: Institute of Information Engineering of CAS (as listed by Google)
Original assignee: Institute of Information Engineering of CAS
Events: application filed by Institute of Information Engineering of CAS; priority to CN202210672646.9A; publication of CN115270131A; legal status pending.

Classifications

All within G (Physics), G06 (Computing; calculating or counting), G06F (Electric digital data processing):

    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F11/3644 Software debugging by instrumenting at runtime
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/563 Static detection by source code analysis
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities


Abstract

The invention discloses a method and system for detecting Java deserialization vulnerabilities, in the field of computer network security. It combines code attribute graph (code property graph), static analysis and dynamic instrumentation techniques: static analysis is performed at the source code level to extract program semantic information; three subgraphs of different dimensions are designed, the Java project source code is converted into a linear intermediate representation, and a code attribute graph is built from them; taint analysis is then run on that graph to automatically mine Java deserialization exploitation chains; finally, Java dynamic instrumentation is used for a second, dynamic-dimension detection pass by implanting detection probes, with the instrumentation also providing real-time monitoring. The method and system address the inability of the prior art to detect latent Java deserialization vulnerabilities in Java Web application components and its low detection efficiency.

Description

Java deserialization vulnerability detection method and system
Technical Field
The invention relates to the field of computer network security, and in particular to a method and system for detecting Java deserialization vulnerabilities based on function call chains.
Background
With the development of the Internet, Java Web applications have become increasingly important and are now a main driving force of online services in fields such as finance, healthcare and education. However, as application interfaces grow more complex, the security maintenance coverage that many enterprises give their Java Web applications gradually declines, leaving more and more potential security holes in application components. In recent years, serious Java deserialization vulnerabilities have repeatedly been disclosed in Java Web application components; they are one of the hot spots of security research, and each disclosure affects key services across many industries.
A key cause of Java deserialization vulnerabilities is the chain of potentially sensitive function calls inside the application. To exploit this type of vulnerability, an attacker injects an attack payload. The payload is received by the application's service interface, and the deserialization operation is executed automatically. The payload then takes part in function calls layer by layer along the sensitive function call chain until it reaches the sensitive function, at which point the attack takes effect. By constructing a specific payload for such a vulnerability, an attacker can achieve effects such as remote code execution.
Such vulnerabilities are hard to detect effectively by manual audit. Security testers must carefully and thoroughly audit the source code of the application component to check for them, but because Java has polymorphism and similar features, the source code carries very complex program semantic information; testers cannot master the call relationships of a large number of functions in a short time, the completeness of the audit cannot be guaranteed, and the result is low efficiency and poor effect. At the same time, few existing detection methods and tools target this type of vulnerability, and they do not achieve satisfactory results in actual detection scenarios, so their practicality is relatively poor.
In the prior art, patent CN104778413A discloses a software vulnerability detection method based on simulated attack, which obtains function information related to sensitive operations through a static disassembly tool and uses a dynamic instrumentation platform to implement monitoring, simulated attack, attack impact analysis and similar processes. Although that patent involves both static and dynamic analysis, its method is used to harden and protect ELF files: the input is an ELF file, the program is attacked by simulated symbolic-link attacks, the corresponding vulnerability type is a class of file access vulnerability, and the method cannot be used for security detection of the code in Jar package files.
Patent CN104794401A discloses a static-analysis-assisted symbolic execution vulnerability detection method, which restricts the symbolic execution process to vulnerability-related paths through a scoring mechanism and thereby detects more vulnerabilities under limited time and resources. The input of the method is a symbolic expression of the program, and the simulated attack is performed by symbolic execution at the level of the LLVM intermediate representation through the KLEE tool.
Patent CN109829312A discloses a JAVA vulnerability detection method and system based on call chains, which generates a function call graph by processing a JAR package; a rule base is collected and generated, and the Sink methods of various sensitive software call points are configured in the corresponding vulnerability audit modules; call chains are then built with a depth-first search algorithm and shown to an auditor for screening, so that the auditor can analyze and reproduce the vulnerabilities. That method only mines sensitive function call chains at the level of the control flow graph, which has a large space and time overhead; and the mined sensitive function call chains are merely printed by static analysis and handed to security personnel for auditing, so the manual audit cost is high.
Patent CN109992970A discloses a JAVA deserialization vulnerability detection system and method that generate deserialization vulnerability reports in three different ways, namely black box, white box and gray box. Its drawback is that it only scans the configuration files of the item under test, selects an attack payload from a gadget pattern database prepared in advance and launches the attack, and treats a successful attack as proof that the item has a JAVA deserialization vulnerability; the method therefore depends on the timeliness of the gadget pattern database and requires a high manual maintenance cost.
Patent CN111859388A discloses a multi-level hybrid automatic vulnerability mining method, which uses pointer analysis in a static analysis pass to obtain the pointer allocation and assignment process in the program and records the memory addresses pointed to by all pointers; uses alias analysis to obtain the destination operand of CMP instructions so as to clarify the jump addresses of the target program; and then uses intermediate-code static instrumentation to instrument monitoring code at key positions of the target program. That method analyzes binary executable files and uses intermediate-code static instrumentation to place detection code at key positions of the target program, so it is not suitable for Java deserialization vulnerability detection.
Patent CN113010899A discloses a PHP deserialization exploitation chain detection method, which obtains source code information from the PHP file under test through predefined rules and detects deserialization exploitation chains according to various rules, improving the accuracy of PHP deserialization exploitation chain detection and reducing the labor of manual audit. That method analyzes PHP files, recursively detecting exploitation chains of class magic methods and user-defined functions at the source code level; it detects PHP deserialization exploitation chains through static analysis only, uses no dynamic analysis, and cannot be applied to Java deserialization vulnerability detection.
Patent CN113139184A discloses a static-analysis-based method for detecting Binder communication overload vulnerabilities, which determines the transmitted object by establishing the data containment relationships of the whole application through static program analysis, thereby detecting Binder communication overload vulnerabilities. The method analyzes the Android framework Binder and, to detect Binder communication overload vulnerabilities in Android applications, hooks the open interfaces provided by parts of the Android framework, so it cannot be used to detect Java deserialization vulnerabilities.
CN113360915A discloses a smart contract multi-vulnerability detection method and system based on source code graph representation learning, in which the abstract syntax tree and semantic information of a smart contract are combined and a function-granularity code attribute graph represents the smart contract source code; slicing criteria are defined according to the syntactic features of different vulnerability types, the graph representation is denoised with program slicing, features are extracted with a gated graph neural network, and vulnerabilities are predicted from the extracted features. That method analyzes smart contract source code and builds a function-granularity code attribute graph on the abstract syntax tree; the way the attribute graph is constructed differs, and it cannot be used to detect Java deserialization vulnerabilities.
As the above shows, there is currently no efficient and highly usable method for detecting Java deserialization vulnerabilities, and the problem urgently needs to be solved.
Disclosure of Invention
In view of these problems, the invention provides a method and system for detecting Java deserialization vulnerabilities based on function call chains, aimed at solving the prior art's inability to detect potential Java deserialization vulnerabilities in Java Web application components and its low detection efficiency.
To this end, the invention adopts the following specific technical scheme:
A Java deserialization vulnerability detection method comprises the following steps:
1) Acquire the source code of the Java Web component to be analyzed, extract the program semantic information in the source code to obtain semantic nodes and relationship edges, and construct a code attribute graph;
2) Construct a rule base, mine the sensitive function call chains in the source code on the code attribute graph using static taint analysis, and store the sensitive function call chains;
3) Write a Java dynamic proxy (agent) plug-in, implant detection probes at the sensitive function points of the sensitive function call chains using Java dynamic instrumentation, and capture the call chains in the actual service scenario;
4) Detect attack payloads constructed by an attacker in real time through dynamic detection of Java deserialization vulnerabilities: compare the function call chain captured in step 3) with the sensitive function call chains mined in step 2); a hit proves that the currently analyzed component has a Java deserialization vulnerability, and the attack is intercepted and an alarm raised in time.
Further, the program semantic information is extracted by converting the source code into the Jimple intermediate representation through the Soot framework and extracting the semantic nodes and relationship edges from that intermediate representation.
Further, the semantic nodes are of two types, class nodes and method nodes;
the relationship edges are of the following five types:
Possess relationship edge: represents the fields and function nodes owned by a class node, emphasizing affiliation;
Implements relationship edge: represents the implementation relationship between a class and an interface in the source code;
Extends relationship edge: represents the inheritance relationship between a subclass and its parent class in the source code;
Alias relationship edge: represents the alias relationship between functions in the source code (the polymorphism of the Java language gives rise to alias relationships between functions);
Call relationship edge: represents the call relationship between functions in the source code.
Further, the code attribute graph comprises three subgraphs of different dimensions:
semantic node graph: summarizes the semantic information of every semantic node itself and the semantic information between nodes in the Java language;
alias function graph: on the basis of the semantic node graph, focuses on analyzing polymorphic behaviour in the program and captures the alias relationships between function nodes;
function call graph: generated while extracting the program semantic information; it represents the call relationships between functions.
Further, the rule base has three components, an entry function library Source, a sensitive function library Sink and an empirical function library Known, all drawn from publicly disclosed vulnerability information in the current Java security field; wherein:
the entry function library Source is the first component of the rule base; for conventional Java Web applications, entry functions are usually interfaces that receive data passed in by users, such as function points (entry functions) that process GET request parameters, receive POST data, or validate the Cookie parameters of HTTP packets;
the sensitive function library Sink is the key component of the rule base and classifies sensitive functions according to the common vulnerability categories of the Java language, specifically into five types: code injection, command execution, file operation, protocol injection and remote connection;
the empirical function library Known is a special component of the rule base, used to improve the efficiency of the subsequent static analysis step. It consists of a class of utility functions that commonly appear in programs, usually come from native Java APIs, often take part in data flow transfer and have a fixed behaviour pattern; for example, the getHeader method of the HttpServletRequest class always returns the header field information of an HTTP packet. Storing the behaviour patterns of such functions in advance markedly improves the efficiency of the subsequent analysis.
Further, taint analysis is a program security analysis technique in the field of data flow analysis, used to capture the propagation path of tainted data through program statements. Its core form can be represented as an abstract triple consisting of Source, Sink and Sanitizer: Source is the taint introduction point, where user-controllable, untrusted data enters the program directly, the introduced data being regarded as tainted; Sink is the taint convergence point, a sensitive function that may create a security hazard once tainted data flows through it; Sanitizer is the data cleaning step, which stops the propagation of tainted data by truncating or converting it and so on. In the Java deserialization vulnerability model the attack payload uploaded by the attacker is regarded as the tainted data, and taint analysis captures the flow of that data through the program accurately and completely.
Because Source functions differ greatly between components, mining sensitive function call chains forward from Source to Sink is expensive in space and time and inefficient. The method of the invention therefore mines sensitive function call chains by searching backward from the Sink function to the Source function. Specifically, each Sink function in the rule base carries function summary information that describes the condition under which the current sensitive function is exploitable; upper-layer functions that meet this condition are searched layer by layer in an iterative, heuristic manner, and the condition is updated at each step until a Source function is reached, at which point a sensitive function call chain has been found.
Further, the Java dynamic proxy plug-in uses Java dynamic instrumentation to perform detection at the bytecode level; the plug-in is written against the JVM Tool Interface (JVMTI) and runs on a specific JVM by obtaining the process id of the target application; it can capture key data inside the target virtual machine and store it in various ways.
Further, the detection probe is implanted as follows: the probe is written with a mainstream bytecode manipulation tool, injected into the specific JVM by the Java dynamic proxy plug-in, and then injected into the specific program through the callback mechanism of the JVM interface. The whole implantation takes place at the JVM level only and does not intrude on the application's source code.
Further, real-time detection of attacker-constructed payloads works as follows: after the application under test is running, the Java dynamic proxy plug-in obtains the process id of the application to be analyzed and injects itself into the target JVM; then, once an attacker launches a Java deserialization attack on the application, the function call chain that the injected payload produces in the application is captured automatically by the plug-in; the function call chain captured in the dynamic phase is matched against the static analysis results, and if the static result set contains the captured chain, this demonstrates that the current application has a Java deserialization vulnerability and that the sensitive function call chain is being used by an attacker, so the corresponding attack behaviour is intercepted and an alarm raised.
A Java deserialization vulnerability detection system comprises:
a code attribute graph generation module, which converts the application source code to be analyzed into the Jimple intermediate representation using the Soot framework, extracts program semantic information from that representation and constructs the code attribute graph;
an automatic sensitive-function-call-chain mining module, which summarizes existing knowledge of the Java security field into a rule base and, on that basis, performs backward static taint analysis at the intermediate representation level to search for sensitive function call chains that may carry security risks;
a detection probe implantation module, which writes a Java dynamic proxy plug-in against the JVM interface, injects a detection probe with an information collection function into the target JVM and captures function call chains in the dynamic dimension;
and a pattern matching module, which detects hidden Java deserialization vulnerabilities in the application by comparing the sensitive function call chains captured in the dynamic dimension with the static analysis results.
The invention has the following beneficial effects:
The invention provides a detection method that combines the static and dynamic dimensions, fully considers the characteristics of the Java language and of Java deserialization vulnerabilities, adds feature comparison specific to Java deserialization vulnerabilities, and makes up for the inability of existing detection approaches to detect this type of vulnerability effectively and efficiently. With the rapid development of Java Web application technology, more and more applications and their components face security risks. The method combines code attribute graph, static analysis and dynamic instrumentation techniques: it first performs static analysis at the source code level to extract program semantic information; it designs three subgraphs of different dimensions (a semantic node graph, an alias function graph and a function call graph), converts the Java project source code into a linear intermediate representation and builds the code attribute graph from them, so that the three subgraphs efficiently and intuitively show the path of data flow between source code statements; on that basis it runs taint analysis to automatically mine Java deserialization exploitation chains; and finally it performs a second, dynamic-dimension detection by implanting detection probes with Java dynamic instrumentation, which also supports real-time monitoring, reducing both labor and time cost.
Drawings
Fig. 1 is a flow chart of the overall structure of the scheme of the invention.
Fig. 2 is a flow chart of the construction of the alias function graph.
Fig. 3 is the core flow diagram of taint analysis.
Fig. 4 is the core flow diagram of dynamic detection.
Fig. 5 is an example diagram of a Java deserialization vulnerability.
Detailed Description
To make the technical solutions of the embodiments better understood and the objects, features and advantages of the invention clearer, the technical core of the invention is described in further detail below with reference to the accompanying drawings and examples.
This embodiment provides a method for detecting Java deserialization vulnerabilities, which comprises the following steps, as shown in Fig. 1:
Step 100: acquire the source code of the Java Web application to be detected, configure the Soot framework, and generate code in the Jimple intermediate representation.
Step 200: extract the program semantic information of the Java Web application source code to be detected and summarize it into two kinds of semantic nodes and five kinds of relationship edges: the semantic nodes are class nodes and method nodes, and the relationship edges are Possess, Implements, Extends, Alias and Call edges. On this basis, three code attribute subgraphs of different dimensions are constructed: the semantic node graph, the alias function graph and the function call graph.
Step 300: introduce the rule base for Java code security detection. On the method nodes, mark the functions corresponding to the entry function library Source as entry functions, those corresponding to the sensitive function library Sink as sensitive functions, and those corresponding to the empirical function library Known as harmless functions.
Step 400: perform backward taint analysis with the Sink function as the starting point and the Source function as the end point, automatically deriving the inter-procedural function calls that conform to the taint propagation rules. Search iteratively between adjacent layers in a heuristic manner until the Source function is reached. The captured sensitive function call chains are stored.
Step 500: write a Java dynamic proxy plug-in against the JVM interface, implant a detection probe into the JVM in which the application is running, and perform dynamic detection at the bytecode level.
Step 600: when an attacker launches a Java deserialization attack on the application, the detection probe collects the function call chain in the dynamic dimension and pattern-matches it against the static analysis result set; a hit proves that the current application has a Java deserialization vulnerability.
Fig. 2 shows the flow of constructing the alias function graph, described in detail below:
Step 210: every function in the Java language belongs to a class; in the invention this is mapped as each method node having a corresponding class node, expressed by a Possess relationship edge. For each function node obtained by traversal, the corresponding class node is obtained from the semantic node graph.
Step 220: if the current class inherits from a parent class or implements an interface, the semantic nodes are consulted to determine whether the corresponding class node contains a function of the same form.
Step 230: if a function with the same method signature exists in the parent class or interface, the function currently analyzed has an alias function, which takes part in the subsequent construction of the alias function graph. If no alias function is found, the search continues by checking whether the parent class itself inherits further, and the alias search continues upward.
Step 240: for two function nodes in an alias relationship with each other, an Alias relationship edge is constructed between them as part of the alias function graph.
FIG. 3 shows the core flow of the taint analysis, as follows:
Step 310: traverse the Sink set of the sensitive function library, obtain the function summary information of the current Sink function, and obtain the set of functions that call the current Sink function.
Step 320: for each function in the result of step 310 that satisfies an effective taint propagation rule, the effective taint propagation rule of that function is derived, so that the function can serve as the starting point of the next step of the search towards the Source function.
Step 330: if the current function is itself called, the analysis continues and the function participates in the next round of the search. If it is not called, it is checked whether the Source function has been reached.
Step 340: the sensitive function call chains obtained by mining are stored for subsequent call-pattern matching.
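Steps 310 to 340 as an added example (not the patent's code): a backward search over a constructed call graph in which each Call edge carries the caller's taint-propagation summary, starting at a Sink parameter and keeping only callers whose summary actually feeds that parameter, until a Source is reached. Function names, the summaries and the Source/Sink sets are all constructed for illustration; records require Java 16 or later.

```java
import java.util.*;

public class BackwardTaintMiner {
    /** A Call edge with the caller's taint-propagation summary for this call site:
     *  callee parameter index -> caller parameter index it is derived from (-1 = receiver object / its fields). */
    record Edge(String caller, String callee, Map<Integer, Integer> flow) {}

    private final Map<String, List<Edge>> callersOf = new HashMap<>();
    private final Set<String> sources;

    BackwardTaintMiner(List<Edge> callGraph, Set<String> sources) {
        this.sources = sources;
        for (Edge e : callGraph) callersOf.computeIfAbsent(e.callee(), k -> new ArrayList<>()).add(e);
    }

    /** Steps 310-340: start at a tainted Sink parameter and walk callers whose summary propagates
     *  taint into that parameter, collecting every chain (Source first, Sink last) that reaches a Source. */
    List<List<String>> mine(String sink, int taintedParam) {
        List<List<String>> chains = new ArrayList<>();
        Deque<String> path = new ArrayDeque<>(List.of(sink));
        search(sink, taintedParam, path, chains);
        return chains;
    }

    private void search(String fn, int param, Deque<String> path, List<List<String>> out) {
        if (sources.contains(fn)) { out.add(new ArrayList<>(path)); return; }   // Step 330: Source reached
        for (Edge e : callersOf.getOrDefault(fn, List.of())) {                 // Step 330: is fn still called?
            Integer upstream = e.flow().get(param);                            // Step 320: effective rule?
            if (upstream == null || path.contains(e.caller())) continue;       // no propagation, or a cycle
            path.push(e.caller());
            search(e.caller(), upstream, path, out);
            path.pop();
        }
    }

    public static void main(String[] args) {
        // Constructed call graph; the names are illustrative and do not describe a real gadget chain.
        List<Edge> graph = List.of(
            new Edge("Config.readObject", "Config.restore",   Map.of(0, -1)),  // field data -> restore(arg0)
            new Edge("Config.restore",    "Mapper.transform", Map.of(0, 0)),
            new Edge("Mapper.transform",  "Method.invoke",    Map.of(0, 0)),   // arg0 becomes the invoke target
            new Edge("Audit.log",         "Method.invoke",    Map.of(1, 0)),   // only reaches invoke's arg1: pruned
            new Edge("Admin.handle",      "Mapper.transform", Map.of(0, 1)));  // never called itself: dead end
        BackwardTaintMiner miner = new BackwardTaintMiner(graph, Set.of("Config.readObject"));
        miner.mine("Method.invoke", 0).forEach(c -> System.out.println(String.join(" -> ", c)));
    }
}
```

The only chain stored for the sample graph is `Config.readObject -> Config.restore -> Mapper.transform -> Method.invoke`; the Audit.log caller is pruned because its summary never reaches the tainted parameter, and Admin.handle is dropped because no Source calls it.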
FIG. 4 is the core flow chart of the dynamic detection, with the following specific flow:
Step 410: write a Java dynamic agent plug-in in combination with the JVMTI interface, for the subsequent implantation of the detection probe.
Step 420: implant the detection probe into the JVM (Java virtual machine) of the target application program, apply bytecode transformation, and add an information collection function to the detection probe.
Step 430: compare the function call chain captured in the dynamic stage with the result set obtained in the static analysis stage, checking each feature in turn. A successfully matched function call chain proves that a Java deserialization vulnerability is hidden in the program under test.
Step 440: when the match succeeds, the data packet received by the application is a malicious attack payload; the attack is intercepted, an alarm is raised, and the detection result is output.
FIG. 5 illustrates an example of a Java deserialization vulnerability, in which the Source function is the taint introduction point, here a readObject function, and the Sink function is the taint convergence point, here an invoke function; the propagation path of the taint data through the function calls can be seen clearly in the figure.
Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and not to limit them; although the present invention has been described in detail by way of examples, those skilled in the art should understand that modifications or equivalent substitutions can be made to the technical solutions of the present invention without departing from their spirit and scope, and such modifications are covered by the claims of the present invention.
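Steps 420 to 440 as an added example (not the patent's probe): the information collection function that a bytecode rewriter would insert at each Sink entry captures the live call chain, compares it feature by feature against the static result set, and intercepts on a hit. Bytecode rewriting itself is out of scope here, so the Sink is a constructed stand-in named `Sink.invoke` and the static chain uses simple class names; in a real probe the chain would carry fully qualified names and the hook would sit at the entry of the real Sink.

```java
import java.util.*;

public final class DeserializationProbe {
    /** Static-analysis result set: chains ordered Source -> ... -> Sink (constructed sample). */
    static final List<List<String>> STATIC_CHAINS = List.of(
        List.of("Config.readObject", "Config.restore", "Mapper.transform", "Sink.invoke"));

    /** Step 420: the information-collection function the bytecode rewriter inserts at each Sink entry. */
    public static void onSinkEntry(String sink) {
        List<String> live = captureCallChain();
        List<String> hit = match(live);             // Step 430
        if (hit != null) {                           // Step 440: intercept and alarm
            System.err.println("ALERT: sensitive call chain in use at " + sink + ": " + hit);
            throw new SecurityException("blocked deserialization call chain ending at " + sink);
        }
    }

    /** Live call chain, outermost frame first, as "SimpleClass.method". */
    static List<String> captureCallChain() {
        StackTraceElement[] st = Thread.currentThread().getStackTrace();
        List<String> frames = new ArrayList<>();
        for (int i = st.length - 1; i >= 0; i--) {
            String cls = st[i].getClassName();
            cls = cls.substring(Math.max(cls.lastIndexOf('.'), cls.lastIndexOf('$')) + 1);
            frames.add(cls + "." + st[i].getMethodName());
        }
        return frames;
    }

    /** Compare each feature in turn: a static chain matches when it appears as an ordered
     *  subsequence of the live frames (intermediate frames, e.g. the JVM's own, may sit in between). */
    static List<String> match(List<String> live) {
        for (List<String> chain : STATIC_CHAINS) {
            int k = 0;
            for (String f : live) if (k < chain.size() && f.equals(chain.get(k))) k++;
            if (k == chain.size()) return chain;
        }
        return null;
    }

    // Constructed stand-ins that reproduce the mined chain when executed (no real deserialization here).
    static class Sink { static void invoke(Object target) { onSinkEntry("Sink.invoke"); } }
    static class Mapper { Object transform(Object in) { Sink.invoke(in); return in; } }
    static class Config { void readObject() { restore("data"); } void restore(Object o) { new Mapper().transform(o); } }

    public static void main(String[] args) {
        try { new Config().readObject(); System.out.println("no alert"); }
        catch (SecurityException e) { System.out.println("intercepted: " + e.getMessage()); }
    }
}
```

Running `main` prints the ALERT line and `intercepted: blocked deserialization call chain ending at Sink.invoke`, because the live stack contains the four chain nodes in order; a call reaching `Sink.invoke` by any other path is left alone.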

Claims (10)

1. A Java deserialization vulnerability detection method, characterized by comprising the following steps:
1) acquiring the source code of the Java Web component to be analysed, extracting program semantic information from the source code to obtain semantic nodes and relationship edges, and constructing a code property graph;
2) constructing a rule base, mining sensitive function call chains in the source code on the code property graph using static taint analysis, and storing the sensitive function call chains;
3) writing a Java dynamic agent plug-in, implanting detection probes at the sensitive function points of the sensitive function call chains using Java dynamic instrumentation, and capturing the call chains in the actual service scenario;
4) performing real-time detection of attack payloads constructed by an attacker through dynamic detection of the Java deserialization vulnerability: comparing the function call chain captured in step 3) with the sensitive function call chains mined in step 2), where a hit proves that the Java deserialization vulnerability exists in the component currently analysed, and intercepting the attack and raising an alarm in time.
2. The method of claim 1, wherein the program semantic information is extracted by converting the source code into the Jimple intermediate representation through the Soot framework and extracting the semantic nodes and relationship edges from the intermediate representation.
3. The method of claim 1, wherein the semantic nodes comprise class nodes and method nodes; the relationship edges comprise Possess relationship edges, Implements relationship edges, Extends relationship edges, Alias relationship edges and Call relationship edges; a Possess relationship edge represents the fields and function nodes owned by a class node, emphasising the ownership relation; an Implements relationship edge represents the implementation relation between a class and an interface in the source code; an Extends relationship edge represents the inheritance relation between a subclass and its parent class in the source code; an Alias relationship edge represents the alias relation between functions in the source code; and a Call relationship edge represents the call relation between functions in the source code.
4. The method of claim 1, wherein the code property graph comprises three sub-graphs, a semantic node graph, an alias function graph and a function call graph: the semantic node graph summarises the semantic information of all semantic nodes in the Java language and the semantic relations among the nodes; the alias function graph analyses polymorphic behaviour in the program on the basis of the semantic node graph and captures the alias relations among function nodes; and the function call graph is generated while the program semantic information is extracted and represents the call relations between functions.
5. The method of claim 1, wherein the rule base comprises an entry function library Source, a sensitive function library Sink and an empirical function library Known.
6. The method of claim 5, wherein the taint analysis technique captures the propagation path of taint data through program statements in the form of a triple consisting of Source, Sink and Sanitizer; Source denotes a taint introduction source, meaning that user-controllable, untrusted data enters the program directly, and the entering data is regarded as taint data; Sink denotes a taint convergence point, meaning a sensitive function; Sanitizer denotes data sanitisation, meaning the propagation behaviour that eliminates taint data by means such as truncation or conversion; and the sensitive function call chains are mined by searching from the Sink function towards the Source function.
7. The method of claim 1, wherein the Java dynamic agent plug-in uses Java dynamic instrumentation for bytecode-level detection; the Java dynamic agent plug-in is written in combination with the JVMTI interface, and key data in the target virtual machine are captured by acquiring the process id of the target application and attaching to the specific JVM identified by that process id.
8. The method of claim 7, wherein the detection probe is implanted as follows: the detection probe is written with a bytecode manipulation tool, injected into the specific JVM by the Java dynamic agent plug-in, and then injected into the specific program through the callback mechanism of the JVMTI interface.
9. The method of claim 8, wherein the real-time detection of attack payloads constructed by an attacker means that, once the application program to be analysed is running, the Java dynamic agent plug-in captures the process id of the application to be analysed and injects itself into the target JVM; if an attacker launches a Java deserialization attack on the application, the function call chain generated in the application by the injected attack payload is automatically captured by the Java dynamic agent plug-in; the function call chain captured in the dynamic stage is matched against the result set obtained by static analysis, and if that result set contains the function call chain captured in the dynamic stage, this shows that the current application has a Java deserialization vulnerability and that the sensitive function call chain is being used by an attacker, so the corresponding attack behaviour is handled by interception and alarm.
10. A Java deserialization vulnerability detection system for implementing the method of any one of claims 1-9, comprising:
a code property graph generation module, used to convert the application source code to be analysed into the Jimple intermediate representation based on the Soot framework, extract program semantic information from the intermediate representation and construct the code property graph;
a sensitive function call chain automatic mining module, used to summarise existing knowledge in the Java security field into a rule base, perform backward taint analysis at the intermediate representation level using static taint analysis based on the rule base, and search for sensitive function call chains carrying security risk;
a detection probe implantation module, used to write a Java dynamic agent plug-in in combination with the JVMTI interface, inject a detection probe with an information collection function into the target JVM (Java virtual machine), and capture the function call chain in the dynamic dimension;
and a pattern matching module, used to compare the sensitive function call chain captured in the dynamic dimension with the sensitive function call chains found by static taint analysis, and to detect the Java deserialization vulnerability hidden in the application.
CN202210672646.9A 2022-06-14 2022-06-14 Java anti-serialization vulnerability detection method and system Pending CN115270131A (en)

Publications (1)

Publication Number Publication Date
CN115270131A true CN115270131A (en) 2022-11-01



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination