基于模糊测试的Java反序列化漏洞挖掘

doi:10.3969/j.issn.1671-1122.2025.01.001

信息网络安全 ›› 2025, Vol. 25 ›› Issue (1): 1-12.doi: 10.3969/j.issn.1671-1122.2025.01.001

基于模糊测试的Java反序列化漏洞挖掘

王鹃¹^,²(), 张勃显¹^,², 张志杰¹^,², 谢海宁¹^,², 付金涛³, 王洋³

1.武汉大学国家网络安全学院，武汉 430072
2.空天信息安全与可信计算教育部重点实验室，武汉 430072
3.山东浪潮科学研究院有限公司，济南 250013

收稿日期:2024-05-15 出版日期:2025-01-10 发布日期:2025-02-14
通讯作者: 王鹃 E-mail:jwang@whu.edu.cn
作者简介:王鹃（1976—），女，湖北，教授，博士，CCF高级会员，主要研究方向为系统与可信计算、人工智能安全与漏洞挖掘|张勃显（1999—），男，安徽，硕士研究生，主要研究方向为软件安全、可信计算|张志杰（1998—），男，山东，硕士，主要研究方向为软件安全、漏洞挖掘|谢海宁（2001—），男，浙江，硕士研究生，主要研究方向为可信计算、系统安全|付金涛（1979—），男，山东，高级工程师，硕士，主要研究方向为数据安全、工业互联网|王洋（1987—），男，山东，高级工程师，硕士，主要研究方向为隐私计算、零信任和数据安全架构
基金资助:
国家自然科学基金(61872430)

Java Deserialization Vulnerability Mining Based on Fuzzing

WANG Juan¹^,²(), ZHANG Boxian¹^,², ZHANG Zhijie¹^,², XIE Haining¹^,², FU Jintao³, WANG Yang³

1. School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China
2. Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, Wuhan 430072, China
3. Shandong Inspur Science Research Institute Co., Ltd., Jinan 250013, China

Received:2024-05-15 Online:2025-01-10 Published:2025-02-14
Contact: WANG Juan E-mail:jwang@whu.edu.cn

摘要/Abstract

摘要：

随着反序列化技术在Java Web应用开发中的广泛应用，针对Java反序列化机制的攻击也日益增多，已严重威胁Java Web应用的安全性。当前主流的黑名单防范机制无法有效防御未知的反序列化漏洞利用，而现有的Java反序列化漏洞挖掘工具大多依赖静态分析方法，检测精确度较低。文章提出一种基于模糊测试的Java反序列化漏洞挖掘工具DSM-Fuzz，该工具首先通过对字节码进行双向追踪污点分析，提取所有可能与反序列化相关的函数调用链。然后，利用基于TrustRank算法的函数权值分配策略，评估函数与反序列化调用链的关联性，并根据相关性权值对模糊测试种子分配能量。为进一步优化测试用例的语法结构和语义特征，文章设计并实现了一种基于反序列化特征的种子变异算法。该算法利用反序列化的Java对象内部特征优化种子变异过程，并引导模糊测试策略对反序列化漏洞调用链进行路径突破。实验结果表明，DSM-Fuzz在漏洞相关代码覆盖量方面较其他工具提高了约90%。此外，该工具还在多个主流Java库中成功检测出50%的已知反序列化漏洞，检测精确度显著优于其他漏洞检测工具。因此，DSM-Fuzz可有效辅助Java反序列化漏洞的检测和防护。

关键词: Java反序列化漏洞, 模糊测试, 污点分析, 漏洞挖掘, 程序调用图

Abstract:

With the widespread adoption of deserialization technology in Java Web application development, attacks exploiting the Java deserialization mechanism have also increased significantly, posing severe threats to the security of Java Web applications. Current mainstream blacklisting defense mechanisms cannot defend against unknown deserialization vulnerabilities, and most existing Java deserialization vulnerability mining tools have low accuracy as they rely on static analysis. This paper proposed a Java deserialization vulnerability mining tool based on fuzzing called DSM-Fuzz. Firstly, DSM-Fuzz performed bidirectional taint analysis on bytecode to extract potential deserialization-related function call chains. Then a TrustRank algorithm-based strategy was used to evaluate relevance between functions and call chains, and allocated energy to seeds accordingly. To optimize syntax and semantics of test cases, this paper designed and implemented a seed mutation algorithm based on deserialization features, utilizing internal Java object information to guide fuzzing strategy to breakthrough vulnerability call chain paths. Experiments show that DSM-Fuzz achieves 90% higher vulnerability code coverage with 50% more detected vulnerabilities in several Java libraries, outperforming other tools. Thus, it can effectively facilitate Java deserialization vulnerability detection.

Key words: Java deserialization vulnerability, fuzzing, taint analysis, vulnerability mining, program call graph

中图分类号:

TP309

王鹃, 张勃显, 张志杰, 谢海宁, 付金涛, 王洋. 基于模糊测试的Java反序列化漏洞挖掘[J]. 信息网络安全, 2025, 25(1): 1-12.

WANG Juan, ZHANG Boxian, ZHANG Zhijie, XIE Haining, FU Jintao, WANG Yang. Java Deserialization Vulnerability Mining Based on Fuzzing[J]. Netinfo Security, 2025, 25(1): 1-12.

图/表 9

图1

图2

图3

图4

图5

图6

表1

表2

表3

参考文献 21

[1]	YSoSerial. A Proof-of-Concept Tool for Generating Payloads that Exploit Unsafe Java Object Deserialization[EB/OL]. (2022-10-29)[2024-04-06]. https://github.com/frohoff/ysoserial.
[2]	HAKEN I. Automated Discovery of Deserialization Gadget Chains[EB/OL]. (2020-04-29)[2024-04-06]. https://i.blackhat.com/us-18/Thu-August-9/us-18-Haken-Automated-Discovery-of-Deserialization-Gadget-Chains-wp.pdf.
[3]	Alibaba. Fastjson 2.0[EB/OL]. (2022-06-13)[2024-04-06]. https://github.com/alibaba/fastjson.
[4]	Google. Gson: A Java Serialization/Deserialization Library to Convert Java Objects into JSON and Back[EB/OL]. (2023-01-12)[2024-04-06]. https://github.com/google/gson.
[5]	XStream. About XStream[EB/OL]. (2022-12-24)[2024-04-06]. https://x-stream.github.io/index.html.
[6]	Oracle. Class XMLDecoder[EB/OL]. (2023-03-03)[2024-04-06]. https://docs.oracle.com/javase/8/docs/api/java/beans/XMLDecoder.html.
[7]	XU Wenyuan. The Design and Implementation of Static Code Analysis System Based on Machine Learning for Java[D]. Nanjing: Nanjing University, 2020.
	徐文远. 基于机器学习的Java静态漏洞扫描系统的设计与实现[D]. 南京: 南京大学, 2020.
[8]	ALHUZALI A, GJOMEMO R, ESHETE B, et al. NAVEX: Precise and Scalable Exploit Generation for Dynamic Web Applications[C]// USENIX. 27th USENIX Security Symposium (USENIX Security 18). Berlin:USENIX, 2018: 377-392.
[9]	DOS S J P R, DA S K P, GONCALVES B P, et al. Selenium as a Free Tool to Test for Java Web Application[J]. International Journal of Advanced Engineering Research and Science, 2020, 7(4): 135-139.
[10]	KERSTEN R, LUCKOW K, PĂSĂREANU C S. POSTER: AFL-Based Fuzzing for Java with Kelinci[C]// ACM. Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2017: 2511-2513.
[11]	MICHAL Z. American Fuzzy Lop[EB/OL]. (2014-06-12)[2024-04-06]. http://lcamtuf.coredump.cx/afl.
[12]	ZHU Hong. JFuzz: A Tool for Automated Java Unit Testing Based on Data Mutation and Metamorphic Testing Methods[C]// IEEE. 2015 Second International Conference on Trustworthy Systems and Their Applications. New York: IEEE, 2015: 8-15.
[13]	PADHYE R, LEMIEUX C, SEN K. JQF: Coverage-Guided Property-Based Testing in Java[C]// ACM. Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis. New York: ACM, 2019: 398-401.
[14]	SPI Dynamics. Pentest: Web Application Testing with SPI Fuzzer White Paper[EB/OL]. (2005-04-07)[2024-04-06]. https://seclists.org/pen-test/2005/Apr/25.
[15]	XU Ling. Web Software Vulnerability Test of WebFuzz[J]. Software Guide(Educational Technology), 2012, 11(8): 84-85.
	徐玲. WebFuzz的Web软件漏洞测试[J]. 软件导刊(教育技术), 2012, 11(8): 84-85.
[16]	LAWRENCE G. Marshalling Pickles[EB/OL]. (2020-04-29)[2024-04-06]. http://frohoff.github.io/appseccali-marshalling-pickles.
[17]	MUNOZ A. Friday the 13th: JSON Attacks[EB/OL]. (2017-06-12)[2024-04-06]. https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf.
[18]	QChiLan. Soserial[EB/OL]. (2019-03-19)[2024-04-06]. https://github.com/QChiLan/soserial.
[19]	Mbechler. Marshalsec[EB/OL]. (2017-03-22)[2024-04-06]. https://github.com/mbechler/marshalsec.
[20]	CARETTONI L. Defending against Java Deserialization Vulnerabi-lities[EB/OL]. (2016-03-21)[2024-04-06]. https://www.ikkisoft.com/stuff/Defending_against_Java_Deserialization_Vulnerabilities.pdf.
[21]	DU Xiaoyu, YE He, WEN Weiping. Java Deserialization Vulnerability Gadget Chain Discovery Method Based on Bytecode Search[J]. Netinfo Security, 2020, 20(7): 19-29.
	杜笑宇, 叶何, 文伟平. 基于字节码搜索的Java反序列化漏洞调用链挖掘方法[J]. 信息网络安全, 2020, 20(7): 19-29.

Java库	已知调用链	DSM-Fuzz		Kelinci		GadgetInspect
Java库	已知调用链	正确数/个	报告数/个	正确数/个	报告数 /个	正确数 /个	报告数/个
Commons-collections	3	2	5	0	0	1	4
Fastjson	3	2	2	0	0	0	2
XStream	10	4	7	1	1	1	2
Shiro	3	1	2	0	0	0	2
漏洞总数/个	18	9	16	1	1	2	10
准确率	—	56.3%		100%		20.0%
漏报率	—	50.0%		94.4%		88.9%

入口函数	危险函数	调用链深度	DSM-Fuzz	Kelinci
org/apache/log4j/pattern/LogEvent.readObject	java/lang/reflect/Method.invoke	3	4	1
org/apache/log4j/spi/LoggingEvent.readObject	java/lang/reflect/Method.invoke	3	5	1
com/alibaba/fastjson/parser/DefaultJSONParser.parseObject	java/lang/Runtime.exec	6	3	2

测试对象	执行速度（个/s）
测试对象	DSM-Fuzz	Kelinci
Commons-collections	281.2	254.1
Fastjson	246.7	210.3
XStream	314.5	275.6
Shiro	237.7	193.5

基于模糊测试的Java反序列化漏洞挖掘

Java Deserialization Vulnerability Mining Based on Fuzzing

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 9

参考文献 21

相关文章 15

编辑推荐

Metrics

本文评价

[1]	陈昊然, 刘宇, 陈平. 基于大语言模型的内生安全异构体生成方法[J]. 信息网络安全, 2024, 24(8): 1231-1240.
[2]	张立强, 路梦君, 严飞. 一种基于函数依赖的跨合约模糊测试方案[J]. 信息网络安全, 2024, 24(7): 1038-1049.
[3]	王鹃, 龚家新, 蔺子卿, 张晓娟. 多维深度导向的Java Web模糊测试方法[J]. 信息网络安全, 2024, 24(2): 282-292.
[4]	张子涵, 赖清楠, 周昌令. 深度学习框架模糊测试研究综述[J]. 信息网络安全, 2024, 24(10): 1528-1536.
[5]	张展鹏, 王鹃, 张冲, 王杰, 胡宇义. 基于图同构网络的高效Web模糊测试技术研究[J]. 信息网络安全, 2024, 24(10): 1544-1552.
[6]	洪玄泉, 贾鹏, 刘嘉勇. AFLNeTrans：状态间关系感知的网络协议模糊测试[J]. 信息网络安全, 2024, 24(1): 121-132.
[7]	王鹃, 张冲, 龚家新, 李俊娥. 基于机器学习的模糊测试研究综述[J]. 信息网络安全, 2023, 23(8): 1-16.
[8]	钟远鑫, 刘嘉勇, 贾鹏. 基于动态时间切片和高效变异的定向模糊测试[J]. 信息网络安全, 2023, 23(8): 99-108.
[9]	吴佳明, 熊焰, 黄文超, 武建双. 一种基于距离导向的模糊测试变异方法[J]. 信息网络安全, 2021, 21(10): 63-68.
[10]	杜笑宇, 叶何, 文伟平. 基于字节码搜索的Java反序列化漏洞调用链挖掘方法[J]. 信息网络安全, 2020, 20(7): 19-29.
[11]	李明磊, 黄晖, 陆余良. 面向漏洞挖掘的基于符号分治区的测试用例生成技术[J]. 信息网络安全, 2020, 20(5): 39-46.
[12]	段斌, 李兰, 赖俊, 詹俊. 基于动态污点分析的工控设备硬件漏洞挖掘方法研究[J]. 信息网络安全, 2019, 19(4): 47-54.
[13]	胡建伟, 赵伟, 闫峥, 章芮. 基于机器学习的SQL注入漏洞挖掘技术的分析与实现[J]. 信息网络安全, 2019, 19(11): 36-42.
[14]	达小文, 毛俐旻, 吴明杰, 郭敏. 一种基于补丁比对和静态污点分析的漏洞定位技术研究[J]. 信息网络安全, 2017, 17(9): 5-5.
[15]	王夏菁, 胡昌振, 马锐, 高欣竺. 二进制程序漏洞挖掘关键技术研究综述[J]. 信息网络安全, 2017, 17(8): 1-13.