  • Feng Xincheng, Liu Qixu, Wang Baizhu, Chen Xingchen, Chen Wengang. Java Deserialization Vulnerability Detection Method Based on Variable Controllability Search[J]. Journal of Cyber Security, accepted.
Java Deserialization Vulnerability Detection Method Based on Variable Controllability Search
Feng Xincheng1, Liu Qixu1, Wang Baizhu2, Chen Xingchen1, Chen Wengang1
(1. Institute of Information Engineering, CAS; 2. MYBank, Ant Group)
In recent years, a growing number of Java components have been found to have deserialization vulnerabilities. Because this type of vulnerability is difficult to detect efficiently and accurately through manual auditing, it still lurks in a large number of components. In this paper, based on an in-depth study of Java deserialization vulnerabilities, we propose that the core of detecting this type of vulnerability is the detection of exploit chains. By sorting out and summarizing the common entry functions and dangerous functions in actual exploit chains, we construct a prior knowledge base for detecting unknown exploit chains. We propose a Java deserialization vulnerability detection model based on variable controllability search, combined with a bottom-up variable controllability search algorithm. Experimental results show that the detection performance of this system is 60.6% better than that of the gadgetinspector tool, with 19 known exploit chains and 23 unknown exploit chains detected in 107 open source components, one of which has been included in CVE (CVE-2021-39148).
Keywords: Java deserialization vulnerability detection; variable controllability search; static program analysis