论文标题
对Java避免遥控执行的深入研究的深入研究
An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities
论文作者
论文摘要
如今,越来越多的应用程序正在使用避难所化。该技术基于从序列化字节流重建对象的实例,这可能是危险的,因为如果要进行的数据源自不受信任的源,则可以打开攻击的应用程序,例如远程代码执行(RCE)。避难所漏洞非常关键,以至于它们位于OWASP的Web应用程序中十大安全风险列表中。这主要是由于应用程序的开发过程中的故障以及其依赖性缺陷(即这些应用程序使用的库中的缺陷)引起的。以前没有研究深入研究避难所攻击:它们如何执行?如何介绍和修补弱点?代码库中存在多长时间?为了深入了解这种重要的漏洞,我们执行了两个主要分析:一个对攻击小工具,即可剥削的代码部分,存在于Java库中,另一种是Java应用程序中存在的漏洞。为了进行首次分析,我们通过运行256515实验进行了探索性的大规模研究,其中我们为19个公开可用的利用中的每一个都改变了库的版本。这种攻击依赖于一个或多个Java库中存在的小工具的组合。小工具是一种使用可以攻击者控制的对象或字段的方法。我们的目标是精确识别包含小工具的库版本,并了解如何引入小工具以及如何修补它们。我们观察到,班级中一个看起来无辜的细节的修改(例如公开)已经可以引入小工具。此外,我们注意到在所研究的库中,没有修补37.5%,而小工具可用于将来的攻击。为了进行第二次分析,我们手动分析104个挑战漏洞CVES了解如何在现实生活中的Java应用程序中引入和修补脆弱性。结果表明,漏洞并不总是完全修补,或者提出了解决解决方案。使用解决方案,由于代码本身没有变化,因此应用程序仍然很脆弱。
Nowadays, an increasing number of applications uses deserialization. This technique, based on rebuilding the instance of objects from serialized byte streams, can be dangerous since it can open the application to attacks such as remote code execution (RCE) if the data to deserialize is originating from an untrusted source. Deserialization vulnerabilities are so critical that they are in OWASP's list of top 10 security risks for web applications. This is mainly caused by faults in the development process of applications and by flaws in their dependencies, i.e., flaws in the libraries used by these applications. No previous work has studied deserialization attacks in-depth: How are they performed? How are weaknesses introduced and patched? And for how long are vulnerabilities present in the codebase? To yield a deeper understanding of this important kind of vulnerability, we perform two main analyses: one on attack gadgets, i.e., exploitable pieces of code, present in Java libraries, and one on vulnerabilities present in Java applications. For the first analysis, we conduct an exploratory large-scale study by running 256515 experiments in which we vary the versions of libraries for each of the 19 publicly available exploits. Such attacks rely on a combination of gadgets present in one or multiple Java libraries. A gadget is a method which is using objects or fields that can be attacker-controlled. Our goal is to precisely identify library versions containing gadgets and to understand how gadgets have been introduced and how they have been patched. We observe that the modification of one innocent-looking detail in a class -- such as making it public -- can already introduce a gadget. Furthermore, we noticed that among the studied libraries, 37.5% are not patched, leaving gadgets available for future attacks. For the second analysis, we manually analyze 104 deserialization vulnerabilities CVEs to understand how vulnerabilities are introduced and patched in real-life Java applications. Results indicate that the vulnerabilities are not always completely patched or that a workaround solution is proposed. With a workaround solution, applications are still vulnerable since the code itself is unchanged.
