Improving Precision of Detecting Deserialization Vulnerabilities with Bytecode Analysis

Traditional static taint analysis based on bytecode analysis such as GadgetInspector to detect deserialization vulnerabilities always faced precision problems. For example, missing the fact that taints flowing to members in called methods, type confusion, and chaotic inheritance relationships when d...

Full description

Saved in:
Bibliographic Details
Published inIEEE/ACM ... International Symposium on Quality of Service (Online) pp. 1 - 2
Main Authors Li, Weicheng, Lu, Hui, Sun, Yanbin, Su, Shen, Qiu, Jing, Tian, Zhihong
Format Conference Proceeding
LanguageEnglish
Published IEEE 19.06.2023
Subjects
Java
Program Analysis
Quality of service
Security
Security and Protection
Web Servers
Online AccessGet full text

Cover

More Information
Summary:Traditional static taint analysis based on bytecode analysis such as GadgetInspector to detect deserialization vulnerabilities always faced precision problems. For example, missing the fact that taints flowing to members in called methods, type confusion, and chaotic inheritance relationships when detecting deserialization vulnerabilities, which would lead to many error results. To alleviate these problems, this paper considers three measures of improving precision of detecting deserialization vulnerabilities, including cross-function members data flow tracking, local variables and arguments types inference, and call chain subject inference based on inheritance relationships.
ISSN:2766-8568
DOI:10.1109/IWQoS57198.2023.10188756