Research on Detection and Interception System for Unknown PHP Object Injection Exploit

doi:10.3969/j.issn.1671-1122.2018.04.007

Abstract

Abstract:

Most Web applications could not be able to defend the unknown PHP deserialization vulnerabilities attack. The common solution is making some emergency measures after the vulnerabilities have been disclosed. This article studies the PHP deserialization mechanism and takes the sensitive function call stack as a starting point for research. Taking the function call stack of Web application in normal running as the basis of judgment, this article implements an unknown PHP deserialization vulnerabilities dynamic detection and interception system based on the sensitive function call stack. Experimental tests of 6 deserialization vulnerabilities in 4 PHP Web applications show that the system can successfully intercept all current PHP deserialization vulnerabilities attacks and can extract or trace the POP attack chains constructed by the attacks. The system achieves zero false positives with an average performance cost of 3.67%.

Key words: PHP object injection, function call stack, security protection

CLC Number:

TP309

Zhenhang CHEN, Zhangyi WANG, Guojun PENG, Zhijian XIA. Research on Detection and Interception System for Unknown PHP Object Injection Exploit[J]. Netinfo Security, 2018, 18(4): 47-55.

Figures/Tables 10

References 14

[1]	W3Techs.W3Techs - Extensive and Reliable Web Technology Surveys[EB/OL].,2018-1-12.
[2]	LIU Peng, ZHANG Yuqing.PHP Common Security Vulnerabilities Rsearch[J].Netinfo Security,2011(7):33-36.
	刘鹏,张玉清.PHP常见安全漏洞攻防研究[J].信息网络安全,2011(7):33-36.
[3]	dblyf. 2017 Cyber Security Research Report [EB/OL].,2017-12-22.
	dblyf.2017网络安全研究报告[EB/OL].,2017-12-22.
[4]	WEI Kunpeng, GE Zhihui,YANG Bo.Research on Attack-defense of PHP Web Application Upload Vulnerabilities[J].Netinfo Security,2015(10):53-60.
	韦鲲鹏,葛志辉,杨波.PHP Web应用程序上传漏洞的攻防研究[J].信息网络安全,2015(10):53-60.
[5]	Pierluigi Paganini.CVE-2015-8562-16,000 Daily Attacks on vulnerable Joomla Servers [EB/OL].,2015-11-28.
[6]	MEI Rui, MENG Zheng, HUO Wei.Research and Implementation of Typical Document CVE Vulnerabilities Detection Tools[J].Netinfo Security,2014(6):18-22.
	梅瑞,孟正,霍玮.典型文档类CVE漏洞检测工具的研究与实现[J].信息网络安全,2014(6):18-22.
[7]	OWASP. OWASP Top 10 2017 [EB/OL]., 2018-1-12.
[8]	ESSER S. Utilizing Code Reuse Or Return Oriented Programming in PHP Applications[EB/OL]. , 2018-1-12.
[9]	Imperva, Hacker Intelligence Initiative, Monthly Trend Report #17[EB/OL]., 2018-1-12.
[10]	DAHSE J, KREIN N, HOLZ T.Code Reuse Attacks in PHP: Automated POP Chain Generation[C]//ACM. The 2014 ACM Sigsac Conference on Computer and Communications Security, November 3 -7, 2014 , Scottsdale, Arizona, USA. New York: ACM, 2014:42-53.
[11]	SHAHRIAR H, HADDAD H.Object Injection Vulnerability Discovery Based on Latent Semantic Indexing[C]//ACM. The 31st Annual ACM Symposium on Applied Computing, April 4-8, 2016, Pisa, Italy. New York: ACM, 2016:801-807.
[12]	QIAN Jie,LEI Min,ZOU Shihong.The Design of Java Deserialization Vulnerabilities Automatic Detection Script[J].Network Security Technology & Application, 2017(8): 66-68.
	钱劼,雷敏,邹仕洪.Java反序列化漏洞自动检测脚本设计[J].网络安全技术与应用,2017(8):66-68.
[13]	PROKHORENKO V, CHOO K K R, ASHMAN H. Intent-based Extensible Real-time PHP Supervision Framework[J]. IEEE Transactions on Information Forensics & Security, 2016, 11(10):2215-2226.
[14]	CNNVD. Announcement on the Vulnerability of Joomla! Content Management System [EB/OL]. ,2016-11-2.
	CNNVD. 关于Joomla!内容管理系统漏洞情况的通报[EB/OL].,2016-11-2.