Reflection-guided Java deserialization call chain mining method and system

A deserialization and call-chain technology, classified under program control devices, platform integrity maintenance and execution examples. It addresses the difficulty of meeting accuracy and efficiency requirements for call chain mining, the high labor cost involved, and the high false alarm rate of statically built call graphs, with the effect of improving test efficiency and accuracy.

Pending Publication Date: 2022-07-08
YANGZHOU UNIV

AI Technical Summary

Problems solved by technology

However, because of dynamic characteristics of the Java language such as reflection, polymorphism and dynamic class loading, the call graph constructed by most static analysis methods has a high false alarm rate. This makes it difficult to meet the accuracy and efficiency requirements of call chain mining in practical applications, and the labor cost of manual triage is high.


Examples


Embodiment 1

[0041] Referring to Figure 1 and Figure 2, the reflection-guided Java deserialization call chain mining method provided by the present invention includes the following steps:

[0042] 1) Perform static analysis on the project to be detected and build a deserialization-aware method attribute graph;

[0043] 1.1) Use Soot, a static analysis framework for Java programs, to perform pointer analysis and call-relationship analysis on the JAR / WAR / CLASS files of the project under test, and construct a method alias graph and a method call graph;

[0044] 1.2) Fuse the method alias graph and the method call graph to construct a deserialization-aware method attribute graph. Each node in this graph represents a method in the program: for example, the compareTo node represents the compareTo method in the JAR file under test that compares the magnitudes of two attribute values; similarly, the equals node represents the equals method used to jud...

Embodiment 2

[0057] Corresponding to the reflection-guided Java deserialization call chain mining method of Embodiment 1, this Embodiment 2 provides a reflection-guided Java deserialization call chain mining system. Referring to Figure 1 and Figure 2, the system includes a property graph building module, a suspicious call chain mining module and a vulnerability call chain verification module;

[0058] The property graph building module performs static analysis on the project to be detected and constructs a deserialization-aware method property graph. It includes a compilation unit and a representation unit;

[0059] The compilation unit uses Soot, a static analysis framework for Java programs, to perform pointer analysis and call-relationship analysis on the JAR / WAR / CLASS files of the project to be detected, and constructs a method alias graph and a method call graph;

[0060] The representation unit is used to fuse th...
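The following is an added illustration of steps 1.1 and 1.2 of Embodiment 1 and of the property graph building and suspicious call chain mining modules of Embodiment 2; it is not code from the patent. The patent uses Soot on Java bytecode, whereas this stand-alone Python script starts from two hand-constructed inputs that stand in for Soot's output: a method call graph and a method alias graph (which concrete implementations a virtual call may dispatch to). All `demo.*` class and method names are made up; the two JDK sink names are real method names used only as labels. The script fuses the two graphs into a deserialization-aware attribute graph (nodes tagged as magic method and/or dangerous call site) and runs a depth-first search from every magic method to every sink, which is the search the background section describes.

```python
"""Toy deserialization-aware method attribute graph and call chain search.

Constructed example (not the patent's implementation): the classes, methods
and edges below are invented; the graph shape mimics the two inputs of step 1,
a method call graph from static analysis and a method alias graph recording
which concrete implementations a virtual call may dispatch to.
"""
from collections import defaultdict

# Magic methods a deserializing JVM may invoke on objects it reconstructs
MAGIC_METHODS = {"readObject", "compareTo", "equals", "hashCode"}
# Dangerous call sites (sinks); JDK names are real, the graph around them is constructed
SINKS = {"java.lang.Runtime.exec", "java.lang.reflect.Method.invoke"}

# Constructed method call graph: caller -> callees found by static analysis.
# A call through an interface type is recorded against the declared method.
CALL_GRAPH = {
    "demo.Holder.readObject": ["demo.Holder.restore"],
    "demo.Holder.restore": ["demo.Transformer.transform"],   # virtual call on interface
    "demo.ExecTransformer.transform": ["java.lang.Runtime.exec"],
    "demo.IdTransformer.transform": [],
    "demo.Key.compareTo": ["demo.Key.score"],
    "demo.Key.score": ["demo.Transformer.transform"],
    "demo.Safe.equals": ["demo.Safe.sameId"],
    "demo.Safe.sameId": [],
}

# Constructed method alias graph: declared method -> concrete implementations
# a virtual call may dispatch to (polymorphism / dynamically loaded classes).
ALIAS_GRAPH = {
    "demo.Transformer.transform": [
        "demo.ExecTransformer.transform",
        "demo.IdTransformer.transform",
    ],
}


def build_attribute_graph(call_graph, alias_graph):
    """Fuse the call graph with the alias graph (step 1.2).

    Every call to a declared method also gets an edge to each concrete
    implementation it may dispatch to, so polymorphic targets are not missed.
    Each node carries attributes marking it as a magic method and/or a sink.
    """
    edges = defaultdict(set)
    for caller, callees in call_graph.items():
        for callee in callees:
            edges[caller].add(callee)
            for impl in alias_graph.get(callee, []):
                edges[caller].add(impl)
    nodes = (set(edges) | {c for cs in edges.values() for c in cs}
             | set(alias_graph) | set(call_graph))
    attrs = {
        n: {"magic": n.rsplit(".", 1)[-1] in MAGIC_METHODS, "sink": n in SINKS}
        for n in nodes
    }
    return edges, attrs


def mine_call_chains(edges, attrs, max_depth=8):
    """Depth-first search from every magic-method node to every sink node.

    Returns each simple (cycle-free) path as a suspicious call chain; these
    are candidates for the later verification step, not confirmed findings.
    """
    chains = []

    def dfs(node, path):
        if attrs[node]["sink"]:
            chains.append(list(path))
            return
        if len(path) > max_depth:
            return
        for nxt in sorted(edges.get(node, ())):
            if nxt in path:            # skip recursion cycles
                continue
            path.append(nxt)
            dfs(nxt, path)
            path.pop()

    for src in sorted(n for n, a in attrs.items() if a["magic"]):
        dfs(src, [src])
    return chains


if __name__ == "__main__":
    e, a = build_attribute_graph(CALL_GRAPH, ALIAS_GRAPH)
    for chain in mine_call_chains(e, a):
        print(" -> ".join(chain))
```

Running the script prints two candidate chains, one starting at `readObject` and one at `compareTo`, both passing through the interface call that the alias graph resolves to `ExecTransformer`. Building the graph with an empty alias graph yields no chains at all, which is exactly the omission the patent attributes to plain static call graphs: the virtual call on `Transformer.transform` is a dead end until dispatch targets are fused in. The `equals` path shows that tagging a node as a magic method alone produces no finding; a chain is reported only when a sink is reachable.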


Abstract

The invention discloses a reflection-guided Java deserialization call chain mining method comprising the following steps: mining the call relationships in the project to be detected through static analysis; constructing a deserialization-aware method attribute graph from those call relationships, which avoids omissions during call chain search caused by Java's dynamic characteristics; and, using a mechanism based on Java reflection, generating an executable utilization object to verify each identified suspicious call chain, thereby improving test efficiency and accuracy. The invention also provides a corresponding reflection-guided Java deserialization call chain mining system.

Description

Technical field

[0001] The invention relates to the field of software security, in particular to a reflection-guided Java deserialization call chain mining method and system.

Background technique

[0002] The Java deserialization mechanism restores an abstract byte stream into an object, and this process can give rise to severe vulnerabilities such as remote code execution, expression injection and unauthorized system resource access. Therefore, accurately and efficiently detecting the call chains behind potential Java deserialization vulnerabilities has become a challenging task. Existing Java deserialization vulnerability mining work is mostly based on static program analysis: it models the calling relationships between methods, identifies potential magic methods and dangerous call sites in the program, and mines potential vulnerability call chains by depth-first search and similar methods. However, due to the dynamic characteristics of the Java language, su...


Application Information

IPC(8): G06F21/56, G06F9/448
CPC: G06F21/563, G06F21/566, G06F9/449
Inventor: 曹思聪孙小兵刘维吴潇雪薄莉莉李斌欧阳瑜何彪李佳佳
Owner: YANGZHOU UNIV