As one of the most popular programming languages at present, Java is used very widely in software, games, big data technology, the Internet of Things, cloud computing and other fields. Java deserialization vulnerabilities have been a common threat to Java application security in recent years, and as Java applications and their dependent libraries are updated and extended, the potential scope of these vulnerabilities keeps widening. Because the code base of a Java application together with its dependent libraries is large, manual mining of deserialization vulnerabilities is not only time-consuming but also highly dependent on the experience and knowledge of the analyst. Although some static analysis tools can help analysts find the gadget chains behind deserialization vulnerabilities in an application, their results still have to be verified manually.

In view of these difficulties, this paper proposes a Java deserialization vulnerability detection method that combines static analysis with dynamic verification, and implements a Java deserialization vulnerability detection system that exploits the deserialization vulnerabilities of applications. Both the mining of deserialization gadget chains and the verification of the found chains are automated, and the efficiency of mining and verifying Java deserialization gadget chains is improved. The main contributions are as follows.

(1) A method call sequence mining technique based on static analysis. Existing Java deserialization vulnerabilities are analyzed to construct a knowledge base of Java deserialization gadget chains, which serves as the basis for the system. The target Java application and the Java runtime it requires are then analyzed to collect call relationships and override relationships, from which a method relationship graph is constructed; finally, reachable path analysis on the method relationship graph yields the deserialization gadget chain mining results.

(2) A dynamic vulnerability verification technique based on bytecode instrumentation and fuzz testing. Deserialization gadget chain matching against the knowledge base is used to detect known Java deserialization vulnerabilities. Bytecode instrumentation is applied to the target Java application; the fuzz-testing-based dynamic verification then automatically constructs the method call sequence corresponding to each deserialization gadget chain, executes it to determine whether the instrumented code is triggered, and derives the final analysis result from the collected statistics.

(3) A Java deserialization vulnerability detection system is implemented, known Java deserialization vulnerabilities are selected to test its effectiveness, and the system is compared with the existing Java deserialization vulnerability detection tools GadgetInspector and Zero Gadget. The test results show that the system achieves better mining efficiency and coverage of deserialization gadget chains.
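The static-analysis step in contribution (1) can be illustrated with a small model of the method relationship graph. The following is an added example and not code from the paper or its system: call edges and override edges are merged into one graph, virtual-call targets are pruned to classes that can actually appear in a serialized stream, and a bounded search reports every path from a deserialization entry point to a sink method. All `app.*` classes and methods are constructed for the example; only the two JDK sink names are real.

```python
"""Reachable-path analysis over a method relationship graph.

Added example modelling the static-analysis step of a gadget chain miner.
Every application class and method below is constructed for illustration;
only the JDK sink names are real.
"""
from collections import deque

# Call relationships collected from bytecode: caller -> static call targets.
# ("app.*" names are hypothetical, constructed for this example.)
CALL_EDGES = {
    "app.Wrapper.readObject": {"app.Wrapper.validate"},
    "app.Wrapper.validate": {"app.Handler.handle"},
    "app.LogHandler.handle": {"java.io.PrintStream.println"},
    "app.ReflectHandler.handle": {"java.lang.reflect.Method.invoke"},
    "app.ShellHandler.handle": {"java.lang.Runtime.exec"},
}

# Override relationships: declared method -> concrete implementations.
OVERRIDES = {
    "app.Handler.handle": {
        "app.LogHandler.handle",
        "app.ReflectHandler.handle",
        "app.ShellHandler.handle",
    },
}

# Classes implementing java.io.Serializable. A virtual call inside a gadget
# chain can only be redirected to an implementation whose class can itself
# be present in the stream, so non-serializable implementations are pruned.
SERIALIZABLE = {"app.Wrapper", "app.LogHandler", "app.ReflectHandler"}

# Methods the deserialization runtime invokes on stream-controlled objects.
ENTRY_POINTS = {"app.Wrapper.readObject"}

# Sink methods the knowledge base marks as dangerous endpoints of a chain.
SINKS = {"java.lang.reflect.Method.invoke", "java.lang.Runtime.exec"}


def owner_class(method: str) -> str:
    """'pkg.Class.method' -> 'pkg.Class'."""
    return method.rsplit(".", 1)[0]


def build_method_graph(call_edges, overrides, serializable):
    """Merge call and override relationships into one adjacency map."""
    graph = {}
    for caller, callees in call_edges.items():
        graph.setdefault(caller, set()).update(callees)
    for declared, impls in overrides.items():
        graph.setdefault(declared, set()).update(
            impl for impl in impls if owner_class(impl) in serializable
        )
    return graph


def find_gadget_paths(graph, entry_points, sinks, max_depth=8):
    """Breadth-first search for simple paths entry -> sink.

    max_depth bounds the number of edges a reported path may contain.
    """
    found = []
    for entry in sorted(entry_points):
        queue = deque([[entry]])
        while queue:
            path = queue.popleft()
            current = path[-1]
            if current in sinks:
                found.append(path)
                continue
            if len(path) > max_depth:
                continue
            for callee in sorted(graph.get(current, ())):
                if callee not in path:  # keep paths simple (no cycles)
                    queue.append(path + [callee])
    return found


def main():
    graph = build_method_graph(CALL_EDGES, OVERRIDES, SERIALIZABLE)
    for path in find_gadget_paths(graph, ENTRY_POINTS, SINKS):
        print(" -> ".join(path))


if __name__ == "__main__":
    main()
```

On the constructed data the search reports exactly one chain, through `app.ReflectHandler.handle`; the `app.ShellHandler` branch reaches a sink too, but its class is not serializable, so the override edge is never added and no path is reported. The depth bound is what keeps the search tractable on a real application plus runtime, where the graph has tens of thousands of nodes.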