Object serialization and deserialization is widely used for storing and preserving objects in files, memory, or databases, as well as for transporting them across machines, enabling remote interaction among processes, and more. This mechanism relies on reflection, a dynamic language feature that introduces serious challenges for static analysis. Current state-of-the-art call graph construction algorithms do not fully support object serialization/deserialization, i.e., they are unable to uncover the callback methods that are invoked when objects are serialized and deserialized. Since call graphs are a core data structure for multiple types of analysis (e.g., vulnerability detection), such analyses cannot be performed appropriately when the call graph does not capture the hidden (vulnerable) paths that arise through callback methods. In this paper, we present Seneca, an approach for handling serialization with improved soundness in the context of call graph construction. Our approach relies on taint analysis and API modeling to construct sound call graphs. We evaluated our approach with respect to soundness, precision, performance, and usefulness in detecting untrusted object deserialization vulnerabilities. Our results show that Seneca can create sound call graphs with respect to serialization features. The resulting call graphs do not incur significant overhead and were shown to be useful for identifying vulnerable paths caused by untrusted object deserialization.
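The unsoundness the abstract describes can be reproduced on a small scale. The following is an added illustration, not code from the paper or from Seneca: it uses a constructed Python program in which unpickling invokes the `__setstate__` callback, then compares a naive call graph built only from explicit call sites (as a reflection-unaware analysis would) against the functions actually entered at run time. The module name `sample_program` and all function names are assumptions of this example.

```python
import ast
import sys
import types

# Constructed sample (not from the paper): unpickling runs __setstate__, which calls reload(); neither has an explicit call site.
SOURCE = '''
import pickle
class Config:
    def __init__(self, path):
        self.path = path
    def __setstate__(self, state):
        self.__dict__.update(state)
        self.reload()          # hidden path: reachable only through the deserialization callback
    def reload(self):
        self.loaded = True
def main():
    return pickle.loads(pickle.dumps(Config("app.yaml")))
'''
_mod = types.ModuleType("sample_program")  # registered as a module so pickle can resolve Config by name
exec(SOURCE, _mod.__dict__)
sys.modules[_mod.__name__] = _mod
main = _mod.main


def statically_reachable(source, entry="main"):
    # Naive call graph: caller -> callees named at explicit call sites; constructor calls map to __init__.
    tree = ast.parse(source)
    classes = {n.name for n in ast.walk(tree) if isinstance(n, ast.ClassDef)}
    funcs = [n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)]
    graph = {fn.name: {f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", "?")
                       for f in (c.func for c in ast.walk(fn) if isinstance(c, ast.Call))} for fn in funcs}
    seen, work = set(), [entry]
    while work:
        new = {"__init__" if c in classes else c for c in graph.get(work.pop(), ())} - seen
        seen |= new
        work.extend(new)
    return seen


def runtime_callees(entry):
    # Ground truth: every Python-level function entered while entry() runs, recorded via the profile hook.
    called, previous = set(), sys.getprofile()
    sys.setprofile(lambda frame, event, _: called.add(frame.f_code.co_name) if event == "call" else None)
    try:
        entry()
    finally:
        sys.setprofile(previous)
    return called


def hidden_callbacks(source, entry):
    # Functions of the sample that actually executed but are absent from the static call graph.
    defined = {n.name for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef)}
    return (runtime_callees(entry) & defined) - statically_reachable(source, entry.__name__) - {entry.__name__}
```

`hidden_callbacks(SOURCE, main)` returns `{"__setstate__", "reload"}`: a vulnerability analysis driven by the naive graph would never see the `reload` path, which is exactly the kind of edge a serialization-aware construction must add.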