
Research And Implementation Of Static Analysis And Dynamic Verification Of Java Deserialization Vulnerabilities

Posted on: 2024-06-11   Degree: Master   Type: Thesis
Country: China   Candidate: P Zheng   Full Text: PDF
GTID: 2568307136989349   Subject: Cyberspace security
Abstract/Summary:
With the growth of Internet applications, the expanding set of Java class libraries has led to a sharp increase in both the variety and the number of deserialization vulnerabilities. Java deserialization vulnerabilities are exploited through gadget chains, which attackers often combine with arbitrary command execution to compromise servers. Detecting deserialization chains manually requires significant effort and depends on the expertise of the code auditor. This thesis proposes a static-detection and dynamic-verification approach based on taint analysis and implements it as the call-chain detection tool Taint Gadget. The main contributions are as follows:

(1) The static detection method parses bytecode to collect the conditional-statement, argument-passing and invocation information needed for taint marking, and builds an inter-procedural propagation control flow graph. On this graph it identifies the entry functions and the dangerous (sink) functions. The graph is then extended according to the propagation characteristics of deserialization vulnerabilities, combined with symbolic execution; on that basis taint propagation rules are defined, the explicit and implicit flow paths of taint propagation are constrained, and the classes and sensitive variables of the call chain are recorded during propagation.

(2) The dynamic verification method first constructs test cases for the deserialization chains by reflection, based on the constraint-solving results of the static analysis; this addresses the problem that existing dynamic methods cannot obtain concrete information about the propagation classes. It then intercepts class loading before the program starts and performs bytecode enhancement through dynamic instrumentation tailored to the dynamic propagation characteristics of deserialization chains. Finally, it observes the propagation of the deserialization call chains through dynamic monitoring and retains the chains that meet the definition of dynamic propagation.

(3) The tool is built on the ASM, Neo4j and Z3 frameworks and consists of static and dynamic propagation modules. Using the ysoserial dataset and the deserialization vulnerabilities disclosed in the XStream framework over the past two years, experiments compared static analysis, dynamic analysis and time efficiency. Taint Gadget achieves a static hit rate of 78.9% with an average static running time of 78.7 s, and a dynamic detection rate of 90.6% with an average dynamic running time of 21.2 s. The experiments show that Taint Gadget has a higher static and dynamic hit rate and better overall time efficiency than existing deserialization vulnerability detection tools.
Keywords/Search Tags: taint analysis, Java deserialization vulnerabilities, static analysis, dynamic verification