网络与信息安全学报 (Apr 2024)

Java deserialization vulnerability defense technologybased on run-time detection

  • Yulin LI, Libo CHEN, Yujiang LIU, Wenlong DU, Zhi XUE

DOI
https://doi.org/10.11959/j.issn.2096-109x.2024021
Journal volume & issue
Vol. 10, no. 2
pp. 154 – 164

Abstract

Read online

The discovery of deserialization vulnerabilities has garnered significant attention from cybersecurity researchers, with an increasing number of vulnerabilities being uncovered, posing severe threats to enterprise network security. The Java language's polymorphism and reflection capabilities render its deserialization vulnerability exploitation chains more varied and intricate, amplifying the challenges in defense and detection efforts. Consequently, developing strategies to counter Java deserialization vulnerability attacks has become a critical aspect of network security. Following an examination of numerous publicly known Java deserialization vulnerabilities, a runtime detection-based defense technology solution for Java deserialization vulnerabilities was proposed. Deserialization vulnerabilities were categorized into four types based on the data formats involved: Java native deserialization vulnerability, JSON deserialization vulnerability, XML deserialization vulnerability, and YAML deserialization vulnerability. For each type, the entry function within the exploitation process was identified and summarized. Utilizing Java's runtime protection technology, the solution monitored sensitive behaviors, such as command execution at the Java level, and captured the current runtime context information of the system. By correlating the deserialization entry function with the context information, the system can determine if the current behavior constitutes an exploitation of a deserialization vulnerability. The solution's efficacy was validated through testing on prevalent Java applications, including WebLogic, JBoss, and Jenkins. The results demonstrate that this approach can effectively protect against Java deserialization vulnerability attacks without inflicting a substantial performance penalty on the targeted system. Furthermore, when compared to other mainstream protection solutions, this method exhibits superior protective efficacy.

Keywords