Java deserialization vulnerabilities are a severe threat in practice. Researchers have proposed static analysis solutions to locate candidate vulnerabilities and fuzzing solutions to generate proof-of-concept (PoC) serialized objects that trigger them. However, existing solutions have limited effectiveness and efficiency. In this paper, we propose a novel hybrid solution, ODDFUZZ, to efficiently discover Java deserialization vulnerabilities. First, ODDFUZZ performs lightweight static taint analysis to identify candidate gadget chains that may cause deserialization vulnerabilities. In this step, ODDFUZZ tries to locate all candidates and avoid false negatives. Then, ODDFUZZ performs directed greybox fuzzing (DGF) to explore those candidates and generate PoC test cases, which mitigates false positives. Specifically, ODDFUZZ applies a structure-aware seed generation method to guarantee the validity of the test cases, and adopts a novel hybrid feedback and a step-forward strategy to guide the directed fuzzing. We implemented a prototype of ODDFUZZ and evaluated it on the popular Java deserialization repository ysoserial. Results show that ODDFUZZ discovers 16 out of 34 known gadget chains, while two state-of-the-art baselines identify only three of them. In addition, we evaluated ODDFUZZ on real-world applications including Oracle WebLogic Server, Apache Dubbo, Sonatype Nexus, and protostuff, and found six previously unreported exploitable gadget chains, with five CVEs assigned.
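To make the two-stage idea in the abstract concrete, the following is an added toy model written for this page; it is not the ODDFUZZ implementation or any code from the paper. It uses a constructed call graph with hypothetical method names (only the `readObject` entry point and the reflective `Method.invoke` sink are real Java names), an over-approximate search that reports every entry-to-sink path as a candidate chain (the static stage's "avoid false negatives" goal), and a progress metric in the spirit of the step-forward strategy, which is assumed here to mean "how far along a candidate chain an observed execution trace got". Real gadget chains are far longer and depend on field-level taint; this model only shows the shape of the pipeline.

```python
"""Toy model of the hybrid pipeline described in the abstract: an
over-approximate static search for candidate gadget chains, followed by a
progress metric a directed fuzzer could use as feedback.

Added example with a constructed call graph; not the ODDFUZZ code.
"""
from collections import deque

# Constructed call graph: method -> callees reached while a tainted
# (deserialized, hence attacker-controlled) value flows into the callee.
# Class/method names are hypothetical stand-ins, not real library classes.
CALL_GRAPH = {
    "A.readObject": ["A.init", "Map.put"],
    "Map.put": ["B.hashCode"],
    "B.hashCode": ["C.toString"],
    "C.toString": ["D.call"],
    "D.call": ["Method.invoke"],   # reflective call: the sink in this model
    "A.init": ["Logger.log"],      # benign branch that never reaches a sink
    "Logger.log": [],
    "Method.invoke": [],
}

# Magic methods ObjectInputStream invokes during deserialization (only
# readObject is modelled here).
ENTRY_POINTS = {"A.readObject"}
SINKS = {"Method.invoke"}


def find_candidate_chains(graph, entries, sinks, max_depth=8):
    """Breadth-first search for all acyclic entry-to-sink paths up to
    max_depth calls long.

    This deliberately over-approximates: every path is reported as a
    candidate chain, so nothing is missed (no false negatives in the model).
    Ruling out infeasible candidates is left to the fuzzing stage.
    """
    chains = []
    for entry in entries:
        queue = deque([[entry]])
        while queue:
            path = queue.popleft()
            node = path[-1]
            if node in sinks:
                chains.append(tuple(path))
                continue
            if len(path) >= max_depth:
                continue
            for callee in graph.get(node, []):
                if callee not in path:          # keep paths acyclic
                    queue.append(path + [callee])
    return chains


def chain_progress(chain, trace):
    """Step-forward style feedback (an assumption about the idea, not the
    paper's exact definition): the number of consecutive methods of the
    candidate chain that the observed execution trace reached, in order.
    A higher value means the seed got closer to the sink, so a directed
    fuzzer would prefer mutating it.
    """
    reached = 0
    for method in trace:
        if reached < len(chain) and method == chain[reached]:
            reached += 1
    return reached


if __name__ == "__main__":
    candidates = find_candidate_chains(CALL_GRAPH, ENTRY_POINTS, SINKS)
    for chain in candidates:
        print(" -> ".join(chain))
        # Constructed traces: one seed took the benign branch, another
        # reached three methods of the chain before diverging.
        print("benign seed progress:",
              chain_progress(chain, ["A.readObject", "A.init", "Logger.log"]))
        print("closer seed progress:",
              chain_progress(chain, ["A.readObject", "Map.put",
                                     "B.hashCode", "Logger.log"]))
```

The two functions map onto the abstract's two stages: `find_candidate_chains` is the cheap, complete static pass, and `chain_progress` is the kind of per-seed signal that lets the dynamic stage confirm a candidate with a concrete test case or discard it as a false positive.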