Java (de)serialization is prone to security-critical vulnerabilities in which attackers invoke existing methods (gadgets) on the application's classpath and link them into a gadget chain that performs malicious behaviour. Several techniques have been proposed to statically identify suspicious gadget chains and to dynamically generate injection objects for fuzzing. However, because their support for dynamic program features (e.g., Java runtime polymorphism) is incomplete and their injection-object generation for fuzzing is ineffective, the existing techniques remain far from satisfactory. In this paper, we first perform an empirical study of the characteristics of Java deserialization vulnerabilities based on 86 manually collected, publicly known gadget chains. The empirical results show that 1) Java deserialization gadgets are usually exploited by abusing runtime polymorphism, which lets attackers reuse serializable overridden methods; and 2) attackers usually invoke exploitable overridden methods (gadgets) through dynamic binding to generate injection objects for gadget chain construction. Based on these empirical findings, we propose a novel gadget chain mining approach, \emph{GCMiner}, which captures both explicit and implicit method calls to identify more gadget chains and adopts an overriding-guided object generation approach to produce valid injection objects for fuzzing. The evaluation results show that \emph{GCMiner} significantly outperforms the state-of-the-art techniques and discovers 56 unique gadget chains that the baseline approaches cannot identify.
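The following program, added here as an illustration and not part of the paper or the GCMiner tool, shows the mechanism the abstract describes: an overridden method on a serializable class is reached through an implicit call and dynamic binding during deserialization, without any explicit invocation in the code that calls readObject(). The class SideEffectKey and its call counter are hypothetical; it stands in for a gadget whose overridden hashCode() would, in a real chain, do something exploitable. The implicit call comes from java.util.HashMap, whose own readObject() re-inserts each restored key and therefore calls key.hashCode() on it; which hashCode() runs is decided by the key's runtime class, which the attacker chooses when constructing the injection object.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

public class PolymorphicGadgetDemo {

    // Hypothetical, benign stand-in for a gadget: a Serializable class that
    // overrides hashCode() with an observable side effect. A static call graph
    // that resolves `key.hashCode()` only by the declared type (Object) never
    // sees this override; dynamic binding at runtime does.
    static final class SideEffectKey implements Serializable {
        private static final long serialVersionUID = 1L;
        // static, so it is not serialized and survives the round trip unchanged
        static int hashCodeCalls = 0;
        private final String label;

        SideEffectKey(String label) {
            this.label = label;
        }

        @Override
        public int hashCode() {
            hashCodeCalls++;          // the "payload": an observable side effect
            return label.hashCode();
        }

        @Override
        public boolean equals(Object o) {
            return o instanceof SideEffectKey
                && ((SideEffectKey) o).label.equals(label);
        }
    }

    // Build the injection object: a standard HashMap whose key is our subclass.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // The "victim" side: plain readObject(), no reference to SideEffectKey at all.
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Map<Object, String> map = new HashMap<>();
        map.put(new SideEffectKey("k"), "v");   // put() itself calls hashCode() once
        byte[] payload = serialize(map);

        int callsBefore = SideEffectKey.hashCodeCalls;
        Object restored = deserialize(payload);
        int callsDuringReadObject = SideEffectKey.hashCodeCalls - callsBefore;

        // HashMap.readObject() -> hash(key) -> key.hashCode() is resolved at
        // runtime to SideEffectKey.hashCode(): an implicit call reached via
        // dynamic binding, triggered purely by the bytes we supplied.
        System.out.println("restored type: " + restored.getClass().getName());
        System.out.println("hashCode() calls during readObject(): " + callsDuringReadObject);
        System.out.println("override reached during deserialization: " + (callsDuringReadObject > 0));
    }
}
```

Compile and run with `javac PolymorphicGadgetDemo.java && java PolymorphicGadgetDemo`. The point for a gadget-chain miner is the edge HashMap.readObject() to SideEffectKey.hashCode(): it exists only through dynamic binding, so an analysis that follows explicit calls on declared types misses it, while one that also considers overriding subclasses on the classpath, and then instantiates such a subclass as the key when generating the injection object, finds and exercises it.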