
Java deserialization vulnerability defense technology based on run-time detection

李玉林 ¹, 陈力波 ¹, 刘宇江 ², 杜文龙 ¹, 薛质 ¹

Chinese Journal of Network and Information Security, 2024, Vol. 10, Issue 2: 154-164, 11. DOI: 10.11959/j.issn.2096-109x.2024021



Author information

  • 1. School of Cyberspace Security, Shanghai Jiao Tong University, Shanghai 200240, China
  • 2. Ant Group Co., Ltd., Hangzhou 310063, Zhejiang, China

Abstract

The discovery of deserialization vulnerabilities has garnered significant attention from cybersecurity researchers, with an increasing number of vulnerabilities being uncovered, posing severe threats to enterprise network security. The Java language's polymorphism and reflection capabilities render its deserialization vulnerability exploitation chains more varied and intricate, amplifying the challenges in defense and detection efforts. Consequently, developing strategies to counter Java deserialization vulnerability attacks has become a critical aspect of network security. Following an examination of numerous publicly known Java deserialization vulnerabilities, a runtime detection-based defense technology solution for Java deserialization vulnerabilities was proposed. Deserialization vulnerabilities were categorized into four types based on the data formats involved: Java native deserialization vulnerability, JSON deserialization vulnerability, XML deserialization vulnerability, and YAML deserialization vulnerability. For each type, the entry function within the exploitation process was identified and summarized. Utilizing Java's runtime protection technology, the solution monitored sensitive behaviors, such as command execution at the Java level, and captured the current runtime context information of the system. By correlating the deserialization entry function with the context information, the system can determine if the current behavior constitutes an exploitation of a deserialization vulnerability. The solution's efficacy was validated through testing on prevalent Java applications, including WebLogic, JBoss, and Jenkins. The results demonstrate that this approach can effectively protect against Java deserialization vulnerability attacks without inflicting a substantial performance penalty on the targeted system. Furthermore, when compared to other mainstream protection solutions, this method exhibits superior protective efficacy.
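The correlation the abstract describes, written here as an added illustration rather than code from the paper: a hook on a sensitive action inspects the current call stack for a known deserialization entry function and blocks the action when one is present. The entry-function list is an assumed, illustrative sample for the four data formats, and the `Probe` class is a harmless constructed stand-in for whatever code runs during deserialization.

```java
import java.io.*;
import java.util.List;

public class DeserializationGuardDemo {
    // Entry functions for the four data formats in the paper's taxonomy (assumed, illustrative list).
    static final List<String> ENTRY_FUNCTIONS = List.of(
        "java.io.ObjectInputStream.readObject",                  // Java native serialization
        "com.fasterxml.jackson.databind.ObjectMapper.readValue", // JSON (Jackson)
        "com.alibaba.fastjson.JSON.parseObject",                 // JSON (Fastjson)
        "com.thoughtworks.xstream.XStream.fromXML",              // XML (XStream)
        "org.yaml.snakeyaml.Yaml.load");                         // YAML (SnakeYAML)

    // Walks the current thread's call stack and reports whether a deserialization entry function is active.
    static boolean inDeserializationContext() {
        for (StackTraceElement f : Thread.currentThread().getStackTrace()) {
            if (ENTRY_FUNCTIONS.contains(f.getClassName() + "." + f.getMethodName())) return true;
        }
        return false;
    }

    // Stand-in for the hook a runtime agent would place on a sensitive API such as Runtime.exec:
    // the action is blocked when it is reached from inside a deserialization entry function.
    static String guardSensitiveAction(String action) {
        return inDeserializationContext() ? "blocked: " + action : "allowed: " + action;
    }

    // Constructed probe class: its custom readObject triggers the guard while deserialization is in progress.
    static class Probe implements Serializable {
        private static final long serialVersionUID = 1L;
        static String decisionDuringDeserialization;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            decisionDuringDeserialization = guardSensitiveAction("exec");
        }
    }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new Probe());
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            ois.readObject();
        }
        System.out.println("during readObject -> " + Probe.decisionDuringDeserialization);
        System.out.println("outside readObject -> " + guardSensitiveAction("exec"));
    }
}
```

The same call from inside `Probe.readObject` and from `main` yields different decisions because only the first stack contains `java.io.ObjectInputStream.readObject`; a deployed agent would apply this check inside its instrumentation of the sensitive API rather than in a demo method.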

Keywords

deserialization vulnerability / run-time application self-protection / gadget chains / vulnerability defense

Classification

Information Technology and Security Science

Cite this article

李玉林, 陈力波, 刘宇江, 杜文龙, 薛质. Java deserialization vulnerability defense technology based on run-time detection[J]. Chinese Journal of Network and Information Security, 2024, 10(2): 154-164, 11.

Funding

The National Natural Science Foundation of China (No.62372297, No.62272306); The National Radio and Television Administration Laboratory Program (No.FYY20230001ZSB011)

Chinese Journal of Network and Information Security (ISSN 2096-109X), indexed in OACSTPCD
