Netinfo Security, 2018, Vol. 18, Issue (4): 47-55. doi: 10.3969/j.issn.1671-1122.2018.04.007

• Original Article

Research on Detection and Interception System for Unknown PHP Object Injection Exploit

Zhenhang CHEN1, Zhangyi WANG1, Guojun PENG1, Zhijian XIA2

  1. Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan Hubei 430072, China
  2. Baidu Inc., Beijing 100085, China
  • Received:2018-02-02 Online:2018-04-15 Published:2020-05-11

Abstract:

Most Web applications cannot defend against attacks that exploit unknown PHP deserialization vulnerabilities; the common response is to take emergency measures after a vulnerability has been disclosed. This article studies the PHP deserialization mechanism and takes the sensitive function call stack as the starting point for research. Using the function call stacks of a Web application during normal operation as the basis of judgment, it implements a dynamic detection and interception system for unknown PHP deserialization vulnerabilities based on the sensitive function call stack. Experimental tests of 6 deserialization vulnerabilities in 4 PHP Web applications show that the system can successfully intercept all current PHP deserialization vulnerability attacks and can extract or trace the POP attack chains constructed by the attacks. The system achieves zero false positives with an average performance cost of 3.67%.

Key words: PHP object injection, function call stack, security protection
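
The decision logic the abstract describes, as an added example that is not the authors' implementation: a simplified Python model that learns which call stacks reach sensitive functions during normal operation, blocks any other stack, and reports the frames from the first magic method onward as the POP chain. The function lists, the exact-match rule and all traces are assumptions constructed for illustration.

```python
# Simplified model of call-stack baselining for sensitive PHP functions.
# Assumption: a stack is a list of frame names, outermost caller first.
SENSITIVE = {"file_put_contents", "unlink", "eval", "system"}  # assumed sink list
MAGIC = {"__wakeup", "__destruct", "__toString", "__call"}     # PHP magic methods

def learn_baseline(traces):
    """Record every stack that ended in a sensitive function during normal runs."""
    return {tuple(s) for s in traces if s and s[-1] in SENSITIVE}

def extract_pop_chain(stack):
    """Return the frames from the first magic method down to the sink."""
    for i, frame in enumerate(stack):
        if frame.split("::")[-1] in MAGIC:
            return list(stack[i:])
    return []

def check_call(stack, baseline):
    """Allow non-sensitive calls and baselined stacks; block everything else."""
    if not stack or stack[-1] not in SENSITIVE:
        return {"action": "allow", "pop_chain": []}
    if tuple(stack) in baseline:
        return {"action": "allow", "pop_chain": []}
    return {"action": "block", "pop_chain": extract_pop_chain(stack)}

# Constructed traces from a hypothetical application in normal operation.
NORMAL_TRACES = [
    ["index.php", "UploadController::save", "Storage::write", "file_put_contents"],
    ["index.php", "CacheController::purge", "Cache::delete", "unlink"],
    ["index.php", "PageController::show", "View::render"],
]

# Constructed trace: the same sink reached through a magic method that PHP
# invokes while unserialize() rebuilds an object from request data.
SUSPECT_TRACE = [
    "index.php", "SessionController::load", "unserialize",
    "Cache::__wakeup", "Cache::rebuild", "file_put_contents",
]

if __name__ == "__main__":
    baseline = learn_baseline(NORMAL_TRACES)
    for trace in NORMAL_TRACES + [SUSPECT_TRACE]:
        verdict = check_call(trace, baseline)
        print(trace[-1], verdict["action"], " -> ".join(verdict["pop_chain"]))
```
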
