Java (de)serialization is prone to security-critical vulnerabilities in which attackers invoke existing methods (gadgets) on the application's classpath to construct a gadget chain that performs malicious behaviors. Several techniques have been proposed to statically identify suspicious gadget chains and to dynamically generate injection objects for fuzzing. However, because of their incomplete support for dynamic program features (e.g., Java runtime polymorphism) and their ineffective generation of injection objects for fuzzing, the existing techniques are still far from satisfactory. In this paper, we first perform an empirical study of the characteristics of Java deserialization vulnerabilities based on 86 publicly known gadget chains that we collected manually. The empirical results show that 1) Java deserialization gadgets are usually exploited by abusing runtime polymorphism, which enables attackers to reuse serializable overridden methods; and 2) attackers usually invoke exploitable overridden methods (gadgets) via dynamic binding to generate injection objects for gadget chain construction. Based on these empirical findings, we propose a novel gadget chain mining approach, \emph{GCMiner}, which captures both explicit and implicit method calls to identify more gadget chains, and adopts an overriding-guided object generation approach to generate valid injection objects for fuzzing. The evaluation results show that \emph{GCMiner} significantly outperforms the state-of-the-art techniques and discovers 56 unique gadget chains that the baseline approaches cannot identify.
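As an added illustration that is not part of the paper, the following self-contained Java program shows the dynamic-binding point behind the empirical findings and the defensive check a practitioner pairs with it: a readObject hook calls a method through an interface, so the implementation that actually runs is chosen at deserialization time by whatever serializable class the stream carries, and a JEP 290 ObjectInputFilter allowlist rejects any class the endpoint does not expect before that hook executes. All class names (Holder, Handler, BenignHandler, UnexpectedHandler, FilterDemo) are constructed for this demo.

```java
import java.io.*;

// Constructed demo (not the paper's code): Holder.readObject calls a method through
// an interface, so the implementation that runs is bound at deserialization time to
// whatever serializable class the stream carries, not to what a static call graph shows.
interface Handler extends Serializable { String handle(); }

class BenignHandler implements Handler {
    public String handle() { return "benign"; }
}

class UnexpectedHandler implements Handler {
    // Stands in for any overriding implementation present on the classpath
    public String handle() { return "overridden-at-runtime"; }
}

class Holder implements Serializable {
    Handler handler;
    Holder(Handler h) { handler = h; }
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();   // the field's concrete class is resolved here
        System.out.println("readObject dispatched to: " + handler.handle());
    }
}

public class FilterDemo {
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes, ObjectInputFilter filter) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);  // JEP 290 filter, Java 9+
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Allowlist only the classes this endpoint expects; "!*" rejects everything else
        ObjectInputFilter allow = ObjectInputFilter.Config.createFilter("Holder;BenignHandler;!*");
        deserialize(serialize(new Holder(new BenignHandler())), allow);
        try {
            deserialize(serialize(new Holder(new UnexpectedHandler())), allow);
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());  // readObject never runs
        }
    }
}
```

The first deserialization prints the benign dispatch; the second is rejected while resolving the UnexpectedHandler class descriptor, so Holder.readObject and the overridden method are never reached.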