Java Deserialization Vulnerability Mining Based on Fuzzing

doi:10.3969/j.issn.1671-1122.2025.01.001

Abstract

Abstract:

With the widespread adoption of deserialization technology in Java Web application development, attacks exploiting the Java deserialization mechanism have also increased significantly, posing severe threats to the security of Java Web applications. Current mainstream blacklisting defense mechanisms cannot defend against unknown deserialization vulnerabilities, and most existing Java deserialization vulnerability mining tools have low accuracy as they rely on static analysis. This paper proposed a Java deserialization vulnerability mining tool based on fuzzing called DSM-Fuzz. Firstly, DSM-Fuzz performed bidirectional taint analysis on bytecode to extract potential deserialization-related function call chains. Then a TrustRank algorithm-based strategy was used to evaluate relevance between functions and call chains, and allocated energy to seeds accordingly. To optimize syntax and semantics of test cases, this paper designed and implemented a seed mutation algorithm based on deserialization features, utilizing internal Java object information to guide fuzzing strategy to breakthrough vulnerability call chain paths. Experiments show that DSM-Fuzz achieves 90% higher vulnerability code coverage with 50% more detected vulnerabilities in several Java libraries, outperforming other tools. Thus, it can effectively facilitate Java deserialization vulnerability detection.

Key words: Java deserialization vulnerability, fuzzing, taint analysis, vulnerability mining, program call graph

CLC Number:

TP309

WANG Juan, ZHANG Boxian, ZHANG Zhijie, XIE Haining, FU Jintao, WANG Yang. Java Deserialization Vulnerability Mining Based on Fuzzing[J]. Netinfo Security, 2025, 25(1): 1-12.

Figures/Tables 9

References 21

[1]	YSoSerial. A Proof-of-Concept Tool for Generating Payloads that Exploit Unsafe Java Object Deserialization[EB/OL]. (2022-10-29)[2024-04-06]. https://github.com/frohoff/ysoserial.
[2]	HAKEN I. Automated Discovery of Deserialization Gadget Chains[EB/OL]. (2020-04-29)[2024-04-06]. https://i.blackhat.com/us-18/Thu-August-9/us-18-Haken-Automated-Discovery-of-Deserialization-Gadget-Chains-wp.pdf.
[3]	Alibaba. Fastjson 2.0[EB/OL]. (2022-06-13)[2024-04-06]. https://github.com/alibaba/fastjson.
[4]	Google. Gson: A Java Serialization/Deserialization Library to Convert Java Objects into JSON and Back[EB/OL]. (2023-01-12)[2024-04-06]. https://github.com/google/gson.
[5]	XStream. About XStream[EB/OL]. (2022-12-24)[2024-04-06]. https://x-stream.github.io/index.html.
[6]	Oracle. Class XMLDecoder[EB/OL]. (2023-03-03)[2024-04-06]. https://docs.oracle.com/javase/8/docs/api/java/beans/XMLDecoder.html.
[7]	XU Wenyuan. The Design and Implementation of Static Code Analysis System Based on Machine Learning for Java[D]. Nanjing: Nanjing University, 2020.
	徐文远. 基于机器学习的Java静态漏洞扫描系统的设计与实现[D]. 南京: 南京大学, 2020.
[8]	ALHUZALI A, GJOMEMO R, ESHETE B, et al. NAVEX: Precise and Scalable Exploit Generation for Dynamic Web Applications[C]// USENIX. 27th USENIX Security Symposium (USENIX Security 18). Berlin:USENIX, 2018: 377-392.
[9]	DOS S J P R, DA S K P, GONCALVES B P, et al. Selenium as a Free Tool to Test for Java Web Application[J]. International Journal of Advanced Engineering Research and Science, 2020, 7(4): 135-139.
[10]	KERSTEN R, LUCKOW K, PĂSĂREANU C S. POSTER: AFL-Based Fuzzing for Java with Kelinci[C]// ACM. Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2017: 2511-2513.
[11]	MICHAL Z. American Fuzzy Lop[EB/OL]. (2014-06-12)[2024-04-06]. http://lcamtuf.coredump.cx/afl.
[12]	ZHU Hong. JFuzz: A Tool for Automated Java Unit Testing Based on Data Mutation and Metamorphic Testing Methods[C]// IEEE. 2015 Second International Conference on Trustworthy Systems and Their Applications. New York: IEEE, 2015: 8-15.
[13]	PADHYE R, LEMIEUX C, SEN K. JQF: Coverage-Guided Property-Based Testing in Java[C]// ACM. Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis. New York: ACM, 2019: 398-401.
[14]	SPI Dynamics. Pentest: Web Application Testing with SPI Fuzzer White Paper[EB/OL]. (2005-04-07)[2024-04-06]. https://seclists.org/pen-test/2005/Apr/25.
[15]	XU Ling. Web Software Vulnerability Test of WebFuzz[J]. Software Guide(Educational Technology), 2012, 11(8): 84-85.
	徐玲. WebFuzz的Web软件漏洞测试[J]. 软件导刊(教育技术), 2012, 11(8): 84-85.
[16]	LAWRENCE G. Marshalling Pickles[EB/OL]. (2020-04-29)[2024-04-06]. http://frohoff.github.io/appseccali-marshalling-pickles.
[17]	MUNOZ A. Friday the 13th: JSON Attacks[EB/OL]. (2017-06-12)[2024-04-06]. https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf.
[18]	QChiLan. Soserial[EB/OL]. (2019-03-19)[2024-04-06]. https://github.com/QChiLan/soserial.
[19]	Mbechler. Marshalsec[EB/OL]. (2017-03-22)[2024-04-06]. https://github.com/mbechler/marshalsec.
[20]	CARETTONI L. Defending against Java Deserialization Vulnerabi-lities[EB/OL]. (2016-03-21)[2024-04-06]. https://www.ikkisoft.com/stuff/Defending_against_Java_Deserialization_Vulnerabilities.pdf.
[21]	DU Xiaoyu, YE He, WEN Weiping. Java Deserialization Vulnerability Gadget Chain Discovery Method Based on Bytecode Search[J]. Netinfo Security, 2020, 20(7): 19-29.
	杜笑宇, 叶何, 文伟平. 基于字节码搜索的Java反序列化漏洞调用链挖掘方法[J]. 信息网络安全, 2020, 20(7): 19-29.

Java库	已知调用链	DSM-Fuzz		Kelinci		GadgetInspect
Java库	已知调用链	正确数/个	报告数/个	正确数/个	报告数 /个	正确数 /个	报告数/个
Commons-collections	3	2	5	0	0	1	4
Fastjson	3	2	2	0	0	0	2
XStream	10	4	7	1	1	1	2
Shiro	3	1	2	0	0	0	2
漏洞总数/个	18	9	16	1	1	2	10
准确率	—	56.3%		100%		20.0%
漏报率	—	50.0%		94.4%		88.9%

入口函数	危险函数	调用链深度	DSM-Fuzz	Kelinci
org/apache/log4j/pattern/LogEvent.readObject	java/lang/reflect/Method.invoke	3	4	1
org/apache/log4j/spi/LoggingEvent.readObject	java/lang/reflect/Method.invoke	3	5	1
com/alibaba/fastjson/parser/DefaultJSONParser.parseObject	java/lang/Runtime.exec	6	3	2

测试对象	执行速度（个/s）
测试对象	DSM-Fuzz	Kelinci
Commons-collections	281.2	254.1
Fastjson	246.7	210.3
XStream	314.5	275.6
Shiro	237.7	193.5