摘要: |
随着软件供应链污染的兴起,Java开源组件的安全性正面临着越来越严峻的挑战,近年来也出现了若干起因Java开源组件被植入后门而导致大规模的软件污染的安全事件。为了更好地检测Java开源组件和Java程序的安全性,本文在大量分析Java后门样本的基础上,构建了Java后门的检测模型作为理论基础;在统计分析实际后门常用Java API的基础上,归纳了一系列适用于检测Java后门的规则;提出了基于功能代码片段的后门分析方法,并且结合自底向上的数据流分析方法,实现了首款面向Java源码的后门检测系统JCAT(Java Code Analysis Tool)。以阿里供应链大赛提供的119个样本验证JCAT的检测能力,取得了准确率90.22%的良好效果,并将漏报率和误报率分别控制在较低水平。 |
关键词: Java后门检测 静态检测技术 数据流分析 |
DOI:10.19363/J.cnki.cn10-1380/tn.2019.09.04 |
投稿时间:2019-05-30修订日期:2019-08-15 |
基金项目:本论文获得国家重点研发计划(No.2016YFB0801604),中国科学院青年创新促进会,中国科学院战略先导C类(No.XDC02040100,No.XDC02030200,No.XDC02020200)课题资助;获得中国科学院网络测评技术重点实验室和网络安全防护技术北京市重点实验室资助。 |
|
Java Backdoor Detection Based on Function Code Gadgets |
LIU Qixu,WANG Baizhu,HU Enze,LIU Jingqiang,LIU Chaoge |
Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China |
Abstract: |
With the rise of software supply chain pollutions, the security of Java open source components is increasingly challenged. In recent years, there have also been some large-scale software pollution incidents caused by Java open source components being implanted backdoors. In order to detect the backdoors in the Java open source components and Java programs more effectively, in this paper, we first build Java backdoor detection models based on analyzing a large number of Java backdoor samples. Next, we summarize a series of rules for detecting Java backdoors on basis of statistics of common Java APIs in backdoors, propose a backdoor analysis method based on function code gadget. Combined with the bottom-up data flow analysis method, we develop the first backdoor detection system JCAT(Java Code Analysis Tool). We evaluate the JCAT's detection ability with 119 samples provided by the Ali Supply Chain Competition, and the detection rate reaches 90.22%. Moreover the false positive rate and false negative rate are also controlled at a relatively low level. |
Key words: Java backdoor detection static detection technology data-flow analysis |