With the development of software technology, the complexity of software increases gradually; however, due to the negligence of developers, there may be vulnerabilities in the software. By exploiting these vulnerabilities, attackers can cause adverse effects such as disclosure of users' private data, server crashes and so on. Because of the important position of the Java language among programming languages and the serious impact of Java deserialization vulnerabilities, this thesis studies both the detection of Java deserialization vulnerabilities and the detection of attacks against them.

Because discovering a deserialization vulnerability requires finding the relevant gadget chain, this thesis first studies gadget chain mining for Java deserialization vulnerabilities. It addresses three deficiencies of Gadget Inspector, an existing gadget chain mining tool: the influence of branch statements on subsequent statements is not considered; the analysis of the values of instance variables in objects is lacking; and the one-way search algorithm used on the passthrough callgraph causes gadget chains to be omitted. This thesis optimizes the algorithm of Gadget Inspector. The optimized algorithm uses flow-sensitive data flow analysis based on the control flow graph to obtain the passthrough callgraph of the program, and then mines gadget chains in the passthrough callgraph from two directions: from the magic methods and from the dangerous methods.

In addition, this thesis studies the detection of deserialization vulnerability attacks. To solve the problem that blacklist-based detection of deserialization attacks is easy to bypass, this thesis proposes a detection method that combines dynamic and static analysis. The method first uses the gadget chain mining algorithm to analyze the program and obtain its passthrough callgraph, and then combines the passthrough callgraph with Runtime Application Self-Protection (RASP) technology to determine whether a gadget chain is triggered. If a gadget chain is triggered, the program is under a deserialization vulnerability attack.

On this basis, this thesis builds the gadget chain mining tool DE_Gadget and the deserialization attack detection tool DE_RASP, and tests each of them. According to the test results, the false positive rate of DE_Gadget is significantly lower than that of Gadget Inspector, and it finds more gadget chains. DE_RASP can detect deserialization vulnerability attacks in different test environments and attacks caused by different test cases. Compared with Baidu's open source tool OpenRASP, DE_RASP identifies deserialization vulnerability attacks more accurately.
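The following added example illustrates the two ideas of the abstract on a toy scale: bidirectional mining of gadget chains in a passthrough callgraph (forward from magic methods, backward from dangerous methods), and a RASP-style check that decides, at the moment a dangerous method is entered, whether the current call stack follows one of the mined chains rather than matching class names against a blacklist. It is not code from the thesis, DE_Gadget or DE_RASP; the callgraph, the method names (EntryBean, KeyWrapper, Handler, Transformer, Reflector, Sink, Admin and so on) and the two call stacks are constructed for the demonstration, and the flow-sensitive data flow analysis that would produce the passthrough callgraph from real bytecode is assumed to have run already. Python is used so the graph algorithm stays short, although the tools described target Java.

```python
from collections import deque

# Constructed passthrough callgraph with hypothetical class and method names.
# An edge A -> B means B is called from A and attacker-controlled data flows
# from A's input into B's arguments, i.e. taint "passes through" A into B.
PASSTHROUGH_CALLGRAPH = {
    "EntryBean.readObject": ["EntryBean.validate", "Logger.log"],
    "EntryBean.validate":   ["Handler.handle"],
    "KeyWrapper.hashCode":  ["Handler.handle"],
    "Handler.handle":       ["Transformer.apply"],
    "Transformer.apply":    ["Reflector.invoke", "Formatter.format"],
    "Reflector.invoke":     ["Sink.execute"],
    "Logger.log":           ["Formatter.format"],
    "Formatter.format":     [],
    "Sink.execute":         [],
    "Admin.runJob":         ["Reflector.invoke"],  # legitimate caller, not a magic method
}
# Methods the deserializer itself invokes on reconstructed objects (entry points).
MAGIC_METHODS = {"EntryBean.readObject", "KeyWrapper.hashCode"}
# Methods whose execution with attacker-controlled arguments is harmful.
DANGEROUS_METHODS = {"Sink.execute"}


def reachable(graph, starts):
    """Breadth-first reachability: every node reachable from `starts` (inclusive)."""
    seen = set(starts)
    queue = deque(starts)
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def reverse(graph):
    """Reverse every edge so the same BFS can walk backward from the sinks."""
    rev = {node: [] for node in graph}
    for src, dsts in graph.items():
        for dst in dsts:
            rev.setdefault(dst, []).append(src)
    return rev


def mine_gadget_chains(graph, magic, dangerous, max_len=8):
    """Bidirectional mining. Nodes reachable forward from a magic method AND
    backward from a dangerous method are the only ones that can lie on a
    chain, so the chain enumeration (bounded DFS) is restricted to them."""
    forward = reachable(graph, magic)
    backward = reachable(reverse(graph), dangerous)
    candidates = forward & backward
    chains = []

    def dfs(path):
        node = path[-1]
        if node in dangerous:
            chains.append(tuple(path))
            return
        if len(path) >= max_len:
            return
        for nxt in graph.get(node, ()):
            if nxt in candidates and nxt not in path:  # no cycles, stay on candidates
                dfs(path + [nxt])

    for entry in sorted(magic & candidates):
        dfs([entry])
    return sorted(chains)


def detect_gadget_chain(call_stack, chains):
    """RASP-style check run from a hook on a dangerous method. `call_stack` is
    outermost frame first, innermost frame (the dangerous method) last. A chain
    counts as triggered when its methods appear on the stack in order; frames
    in between (reflection glue, lambdas) are tolerated. Returns the matched
    chain, or None when the dangerous call has no deserialization origin."""
    for chain in chains:
        idx = 0
        for frame in call_stack:
            if idx < len(chain) and frame == chain[idx]:
                idx += 1
        if idx == len(chain):
            return chain
    return None


# Constructed call stacks as a RASP hook on Sink.execute would observe them.
ATTACK_STACK = ["Deserializer.readObject", "MapImpl.readObject", "KeyWrapper.hashCode",
                "Handler.handle", "Transformer.apply", "Reflector.invoke",
                "ReflectGlue.invoke", "Sink.execute"]
BENIGN_STACK = ["Scheduler.tick", "Admin.runJob", "Reflector.invoke",
                "ReflectGlue.invoke", "Sink.execute"]

if __name__ == "__main__":
    mined = mine_gadget_chains(PASSTHROUGH_CALLGRAPH, MAGIC_METHODS, DANGEROUS_METHODS)
    for chain in mined:
        print("gadget chain:", " -> ".join(chain))
    print("attack stack flagged:", detect_gadget_chain(ATTACK_STACK, mined))
    print("benign stack flagged:", detect_gadget_chain(BENIGN_STACK, mined))
```

Two properties of the check are worth noting. The benign stack reaches the same dangerous method through the same reflective helper, yet is not flagged, because Admin.runJob is never reachable from a magic method and therefore lies on no mined chain; this is where a callgraph-derived check keeps false positives low. Conversely, a deserialization blacklist keyed on EntryBean alone would not see the KeyWrapper.hashCode chain at all, whereas the mining step produces it from the taint edges regardless of which class the attacker chooses as the entry point.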