In recent years, security incidents caused by Java deserialization vulnerabilities have emerged in an endless stream, and the OWASP Top 10 [1] likewise lists insecure deserialization as a serious risk to web applications. As the complexity of web applications grows, the number of third-party components relied on during development keeps increasing, and with it the number of deserialization vulnerabilities latent in the code. Exploiting a deserialization vulnerability requires not only that the application deserialize untrusted data, but also that a usable deserialization gadget chain be available on the local classpath. In real attack-and-defense engagements the gadget chain has become the core element of exploitation. Constructing a gadget chain, however, requires studying the serialization mechanisms of the different components involved in order to mine usable link points in a targeted way. The rapid growth in the number of lines of software code makes manual code auditing too slow for this, and existing automated gadget-chain mining tools suffer from high false-negative rates and support only a single type of component. Efficiently mining gadget chains so that they can be intercepted in advance has therefore become an urgent problem.

Based on research into how gadget chains are constructed for the deserialization mechanisms of different components, this paper proposes a mining method for Java deserialization gadget chains, comprising the following research contents:

(1) Since constructing a Java deserialization gadget chain requires that classes and methods be fully analyzed, a source-code information extraction method based on static analysis is proposed. The method collects the description information of all classes and methods together with their inheritance and implementation relations; on the basis of this information it uses the ASM bytecode framework, combined with the taint analysis model designed in this paper, to simulate the JVM (Java Virtual Machine) stack frame and analyze the data flow of each method under analysis. Finally, call edges are constructed in a hierarchical form that combines CHA (Class Hierarchy Analysis) with pointer analysis. Experimental results show that the method extracts the information of the test components accurately and comprehensively, and that the accuracy of the constructed call-edge set rises to 75%, better than existing methods.

(2) By studying the principles of deserialization vulnerabilities in different types of components, and targeting the link-point construction and splicing characteristics of Java deserialization gadget chains, a deserialization link-point mining and integration method based on hybrid analysis is proposed. In the first stage, the matching patterns designed in this paper for different vulnerability types mine and cache the entry points of gadget chains; gadget chains are then mined with a search method that works in a segmented link mode, and the results are optimized and integrated. In the second stage, the graph model designed in this paper for deserialization vulnerabilities abstracts classes, methods and their inheritance and implementation relations into nodes and relationships, and a graph-based link-point search is implemented to mine gadget chains. Experimental results show that the method can mine gadget chains across different components, with accuracy improved by 70% over existing methods.

(3) Based on the above methods, a prototype system for Java deserialization gadget-chain mining is designed and implemented. The paper gives the overall architecture of the system, designs and implements in detail its data-flow analysis module, call-flow analysis module, gadget-chain search module and interface display module, and finally tests and verifies the implemented system.
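The two mechanisms the abstract leans on, CHA-based call-edge resolution in contribution (1) and graph-based link-point search from cached entry points in contribution (2), can be sketched in a few dozen lines. The following Python model is an added illustration written for this page; it is not the paper's system and it does not use ASM or real bytecode. The class hierarchy is constructed by hand: the `ex.*` names are hypothetical, the `java.*` names are used only as labels for a Map interface, a reflection sink and a process-execution sink, and the shape of the graph (readObject, an interface call, a transformer-style callback, a reflective sink) mirrors the general structure of published gadget chains without reproducing any specific one. Only one entry pattern (a `readObject` on a `Serializable` class) and one pruning rule (every intermediate class must be `Serializable`, because its object must survive deserialization) are modelled.

```python
"""Toy gadget-chain search: CHA edge resolution + BFS over a method-call graph.

Constructed example for illustration; hierarchy, class names and call sites are
hypothetical (ex.*) or used as labels only (java.*).
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class ClassInfo:
    name: str
    supertypes: tuple = ()            # direct superclass and interfaces
    serializable: bool = False
    abstract: bool = False            # interface or abstract class: no runnable body
    methods: dict = field(default_factory=dict)  # method -> [(receiver type, callee)]


def C(name, supers=(), ser=False, abstract=False, **methods):
    return ClassInfo(name, supers, ser, abstract, methods)


# Constructed hierarchy (hypothetical). ex.NotSerializableBean reaches a sink but
# cannot be part of a deserialized object graph, so the search must prune it.
CLASSES = {c.name: c for c in [
    C("java.util.Map", abstract=True, get=[]),
    C("java.util.HashMap", ("java.util.Map",), ser=True, get=[]),
    C("ex.Transformer", abstract=True, transform=[]),
    C("ex.LazyMap", ("java.util.Map",), ser=True,
      get=[("ex.Transformer", "transform")]),
    C("ex.ConstantTransformer", ("ex.Transformer",), ser=True, transform=[]),
    C("ex.InvokerTransformer", ("ex.Transformer",), ser=True,
      transform=[("java.lang.reflect.Method", "invoke")]),
    C("ex.NotSerializableBean", ("ex.Transformer",),
      transform=[("java.lang.Runtime", "exec")]),
    C("ex.Handler", ser=True, readObject=[("java.util.Map", "get")]),
    C("java.lang.reflect.Method", invoke=[]),
    C("java.lang.Runtime", exec=[]),
]}

# Sink nodes: methods whose reachability from deserialization ends the chain.
SINKS = {("java.lang.reflect.Method", "invoke"), ("java.lang.Runtime", "exec")}


def subtypes(name):
    """Transitive subtypes of `name`, including itself."""
    seen, work = set(), [name]
    while work:
        cur = work.pop()
        if cur in seen:
            continue
        seen.add(cur)
        work.extend(c.name for c in CLASSES.values() if cur in c.supertypes)
    return seen


def defining_class(cls, method):
    """Class whose body runs for cls.method(), walking up supertypes; None if abstract only."""
    if method in CLASSES[cls].methods and not CLASSES[cls].abstract:
        return cls
    for sup in CLASSES[cls].supertypes:
        found = defining_class(sup, method)
        if found is not None:
            return found
    return None


def resolve_cha(receiver, method):
    """CHA: a call on `receiver` may dispatch to every concrete subtype's implementation."""
    targets = set()
    for t in subtypes(receiver):
        if CLASSES[t].abstract:
            continue
        d = defining_class(t, method)
        if d is not None:
            targets.add((d, method))
    return targets


def entry_points():
    """Entry pattern modelled here: readObject on a Serializable class."""
    return sorted((c.name, "readObject") for c in CLASSES.values()
                  if c.serializable and "readObject" in c.methods)


def find_chains(max_depth=6):
    """BFS from each cached entry point to a sink over CHA-resolved call edges."""
    chains = []
    for entry in entry_points():
        queue = deque([[entry]])
        while queue:
            path = queue.popleft()
            cls, meth = path[-1]
            if (cls, meth) in SINKS:
                chains.append([f"{c}.{m}" for c, m in path])
                continue
            if len(path) >= max_depth:
                continue
            for recv, callee in CLASSES[cls].methods[meth]:
                for target in resolve_cha(recv, callee):
                    # Prune: intermediate objects must be deserializable (sinks exempt).
                    if target not in SINKS and not CLASSES[target[0]].serializable:
                        continue
                    if target in path:          # avoid cycles in the call graph
                        continue
                    queue.append(path + [target])
    return chains


if __name__ == "__main__":
    for chain in find_chains():
        print(" -> ".join(chain))
```

Running it yields the single chain `ex.Handler.readObject -> ex.LazyMap.get -> ex.InvokerTransformer.transform -> java.lang.reflect.Method.invoke`; the `HashMap.get` and `ConstantTransformer.transform` branches are dead ends, and the `NotSerializableBean` branch is pruned even though it reaches `Runtime.exec`. The over-approximation of CHA is visible in the `Map.get` call resolving to every `Map` implementation, which is exactly the imprecision the abstract's pointer-analysis layer is meant to reduce.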