Java (de)serialization is prone to security-critical vulnerabilities: an attacker can invoke existing methods (gadgets) on the application's classpath and link them into a gadget chain that performs malicious behavior. Several techniques have been proposed to statically identify suspicious gadget chains and to dynamically generate injection objects for fuzzing. However, because they support dynamic program features (e.g., Java runtime polymorphism) only incompletely and generate injection objects for fuzzing ineffectively, the existing techniques are still far from satisfactory. In this paper, we first perform an empirical study of the characteristics of Java deserialization vulnerabilities based on 86 publicly known gadget chains that we collected manually. The empirical results show that 1) Java deserialization gadgets are usually exploited by abusing runtime polymorphism, which enables attackers to reuse serializable overridden methods; and 2) attackers usually invoke exploitable overridden methods (gadgets) via dynamic binding to generate injection objects for gadget chain construction. Based on these empirical findings, we propose a novel gadget chain mining approach, \emph{GCMiner}, which captures both explicit and implicit method calls to identify more gadget chains, and adopts an overriding-guided object generation approach to generate valid injection objects for fuzzing. The evaluation results show that \emph{GCMiner} significantly outperforms the state-of-the-art techniques and discovers 56 unique gadget chains that the baseline approaches cannot identify.
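The following Java program is an added illustration, not code from the paper or from GCMiner, of the finding above: the deserializing code only sees the static base type, but dynamic binding runs the method of whichever subclass the stream names, which is why allowlisting deserializable classes (here via a JEP 290 `ObjectInputFilter`) matters. The class names `Task` and `LoggingTask` are constructed for the demonstration; it requires Java 9 or later.

```java
import java.io.*;

public class PolymorphismFilterDemo {
    // Constructed benign base class: the type the consuming code expects.
    static class Task implements Serializable {
        private static final long serialVersionUID = 1L;
        String describe() { return "base task"; }
    }
    // Constructed serializable subclass that overrides the method; the stream,
    // not the consuming code, decides whether this override is what runs.
    static class LoggingTask extends Task {
        private static final long serialVersionUID = 1L;
        @Override String describe() { return "overridden in " + getClass().getSimpleName(); }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Deserialize; when a filter is given, only classes it accepts are instantiated,
    // regardless of which class the stream's descriptor declares.
    static Task read(byte[] data, ObjectInputFilter filter) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            if (filter != null) ois.setObjectInputFilter(filter);
            return (Task) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] stream = serialize(new LoggingTask());

        // No filter: the static type is Task, yet the call dispatches to LoggingTask.describe().
        System.out.println(read(stream, null).describe());

        // Allowlist naming only Task (plus the JDK's own java.base classes), rejecting everything else:
        // the subclass is refused before any of its methods can run.
        ObjectInputFilter onlyBase = ObjectInputFilter.Config.createFilter(
            Task.class.getName() + ";java.base/*;!*");
        try {
            read(stream, onlyBase);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The first read prints the subclass's message; the second throws `InvalidClassException` with a REJECTED filter status, which is the behaviour a deserialization allowlist should exhibit for any class the application did not intend to accept.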