Java deserialization vulnerability defense technology based on run-time detection (基于运行时检测的Java反序列化漏洞防御技术)

Saved in:
Bibliographic Details
Title: 基于运行时检测的Java反序列化漏洞防御技术. (Chinese)
Alternate Title: Java deserialization vulnerability defense technology based on run-time detection. (English)
Authors: 李玉林, 陈力波, 刘宇江, 杜文龙, 薛质
Source: Chinese Journal of Network & Information Security; Apr2024, Vol. 10 Issue 2, p154-164, 11p
Abstract (English): The discovery of deserialization vulnerabilities has garnered significant attention from cybersecurity researchers, with an increasing number of vulnerabilities being uncovered, posing severe threats to enterprise network security. The Java language's polymorphism and reflection capabilities render its deserialization vulnerability exploitation chains more varied and intricate, amplifying the challenges in defense and detection efforts. Consequently, developing strategies to counter Java deserialization vulnerability attacks has become a critical aspect of network security. Following an examination of numerous publicly known Java deserialization vulnerabilities, a runtime detection-based defense technology solution for Java deserialization vulnerabilities was proposed. Deserialization vulnerabilities were categorized into four types based on the data formats involved: Java native deserialization vulnerability, JSON deserialization vulnerability, XML deserialization vulnerability, and YAML deserialization vulnerability. For each type, the entry function within the exploitation process was identified and summarized. Utilizing Java's runtime protection technology, the solution monitored sensitive behaviors, such as command execution at the Java level, and captured the current runtime context information of the system. By correlating the deserialization entry function with the context information, the system can determine if the current behavior constitutes an exploitation of a deserialization vulnerability. The solution's efficacy was validated through testing on prevalent Java applications, including WebLogic, JBoss, and Jenkins. The results demonstrate that this approach can effectively protect against Java deserialization vulnerability attacks without inflicting a substantial performance penalty on the targeted system. Furthermore, when compared to other mainstream protection solutions, this method exhibits superior protective efficacy.
[ABSTRACT FROM AUTHOR]
Abstract (Chinese original, translated): Since deserialization vulnerabilities were first discovered, they have drawn wide attention from security researchers; more and more such vulnerabilities have been disclosed, posing serious challenges to enterprise network security. Java's polymorphism, reflection and similar features make its deserialization exploit chains more varied and complex, increasing the difficulty of defense and detection. Studying how to defend against Java deserialization attacks has therefore become an important part of network defense. Based on a study of many publicly disclosed Java deserialization vulnerabilities, a defense scheme for Java deserialization vulnerabilities based on runtime detection is proposed. According to the type of deserialized data, deserialization vulnerabilities are divided into four categories: Java native deserialization, JSON deserialization, XML deserialization and YAML deserialization vulnerabilities; for each category, the deserialization entry functions used during exploitation are summarized. Using Java runtime protection technology, sensitive low-level Java behaviors such as command execution are monitored and the system's current runtime context information is obtained; by matching the deserialization entry functions used in exploits against this context information, it is determined whether the current behavior is an exploitation of a deserialization vulnerability. Test results on multiple Java applications (such as WebLogic, JBoss and Jenkins) show that the scheme can effectively defend against Java deserialization attacks without a significant impact on the performance of the target system. In comparison with other mainstream protection schemes, the method also shows a better protective effect. [ABSTRACT FROM AUTHOR]
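As an added example (not code from the paper or its authors), the following Java sketch shows the core of the runtime check the abstract describes: a hook on command execution inspects the current call stack for a deserialization entry function and blocks the action when one is present. The four entry functions listed are representative choices of mine; the abstract does not name the paper's actual list.

```java
import java.io.*;
import java.util.List;

// Added example (not the paper's code): a simplified form of the check the abstract
// describes. A hook on a sensitive action (a method a runtime-protection agent would
// call before command execution) walks the call stack looking for a known entry function.
public class DeserializationGuard {
    // Representative entry functions for the four categories in the abstract
    // (Java native, JSON, XML, YAML). The library choices are assumptions; the
    // paper's full list is not in the abstract.
    static final List<String> ENTRY_FUNCTIONS = List.of(
        "java.io.ObjectInputStream.readObject",
        "com.alibaba.fastjson.JSON.parseObject",
        "com.thoughtworks.xstream.XStream.fromXML",
        "org.yaml.snakeyaml.Yaml.load");

    // Returns the matching entry function when the sensitive action is being
    // reached from a deserialization call, or null when it is not.
    static String deserializationEntryOnStack() {
        for (StackTraceElement f : Thread.currentThread().getStackTrace()) {
            String frame = f.getClassName() + "." + f.getMethodName();
            if (ENTRY_FUNCTIONS.contains(frame)) return frame;
        }
        return null;
    }

    // Hook point: an agent would instrument Runtime.exec / ProcessBuilder.start to call this.
    static void beforeCommandExecution(String command) {
        String entry = deserializationEntryOnStack();
        if (entry != null) {
            throw new SecurityException("blocked command execution reached via " + entry);
        }
    }

    // Harmless probe: its readObject reaches the hook while ObjectInputStream.readObject
    // is on the stack, reproducing the context the detection relies on without running anything.
    static class Probe implements Serializable {
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            beforeCommandExecution("(simulated)");
        }
    }

    public static void main(String[] args) throws Exception {
        beforeCommandExecution("(simulated)"); // no deserialization on stack: allowed
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        new ObjectOutputStream(bos).writeObject(new Probe());
        try {
            new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray())).readObject();
        } catch (SecurityException e) {
            System.out.println(e.getMessage()); // reached via java.io.ObjectInputStream.readObject
        }
    }
}
```

A real deployment would also record the stack as context for investigation rather than only blocking, and would need entry functions matched against every deserialization library the application actually loads.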
Copyright of Chinese Journal of Network & Information Security is the property of Beijing Xintong Media Co., Ltd. and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)
Database: Complementary Index
ISSN:2096109X
DOI:10.11959/j.issn.2096-109x.2024021