Java序列化与反序列化安全教学文档<\/h1>

一、Java序列化基础概念<\/h2>

1. 序列化与反序列化定义<\/h3>

序列化<\/strong>：将Java对象转换为字节序列的过程，以便存储或传输<\/li>

反序列化<\/strong>：将字节序列恢复为Java对象的过程<\/li> <\/ul>
2. 基本实现方式<\/h3>
要使一个类可序列化，必须实现java.io.Serializable<\/code>接口：<\/p>
public<\/span> class<\/span> Person<\/span> implements<\/span> Serializable {<\/span> <\/span><\/span> \/\/ 类内容 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>二、序列化与反序列化代码实现<\/h2> 1. 序列化示例代码<\/h3> import<\/span> java.io.FileOutputStream;<\/span> <\/span><\/span>import<\/span> java.io.IOException;<\/span> <\/span><\/span>import<\/span> java.io.ObjectOutputStream;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> Serializer<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> serialize<\/span>(<\/span>Object obj)<\/span> throws<\/span> IOException {<\/span> <\/span><\/span> ObjectOutputStream objectOutputStream =<\/span> <\/span><\/span> new<\/span> ObjectOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>"person.ser"<\/span>));<\/span> <\/span><\/span> objectOutputStream.<\/span>writeObject<\/span>(<\/span>obj);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> IOException {<\/span> <\/span><\/span> Person person =<\/span> new<\/span> Person(<\/span>"test"<\/span>,<\/span> "123"<\/span>);<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>person);<\/span> <\/span><\/span> serialize(<\/span>person);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>2. 反序列化示例代码<\/h3> import<\/span> java.io.FileInputStream;<\/span> <\/span><\/span>import<\/span> java.io.ObjectInputStream;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> Deserial<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> Object deserialize<\/span>(<\/span>String filename)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> ObjectInputStream objectInputStream =<\/span> <\/span><\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> FileInputStream(<\/span>filename));<\/span> <\/span><\/span> return<\/span> objectInputStream.<\/span>readObject<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> Object deserialized =<\/span> deserialize(<\/span>"person.ser"<\/span>);<\/span> <\/span><\/span> if<\/span> (<\/span>deserialized instanceof<\/span> Person)<\/span> {<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>((<\/span>Person)<\/span>deserialized);<\/span> <\/span><\/span> }<\/span> else<\/span> {<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>deserialized);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>三、transient关键字<\/h2> 用于标记不需要序列化的字段<\/li> 被标记的字段在反序列化后会变为null<\/li> <\/ul> public<\/span> class<\/span> Person<\/span> implements<\/span> Serializable {<\/span> <\/span><\/span> transient<\/span> String name;<\/span> \/\/ 不会被序列化 <\/span><\/span><\/span><\/span> String age;<\/span> \/\/ 会被序列化 <\/span><\/span><\/span><\/span> \/\/ 其他代码... <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>四、自定义序列化\/反序列化过程<\/h2> 可以通过重写以下方法来自定义序列化行为：<\/p> private<\/span> void<\/span> writeObject<\/span>(<\/span>ObjectOutputStream oos)<\/span> throws<\/span> IOException {<\/span> <\/span><\/span> \/\/ 自定义序列化逻辑 <\/span><\/span><\/span><\/span> oos.<\/span>defaultWriteObject<\/span>();<\/span> \/\/ 调用默认序列化 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>private<\/span> void<\/span> readObject<\/span>(<\/span>ObjectInputStream ois)<\/span> <\/span><\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span> <\/span><\/span> \/\/ 自定义反序列化逻辑 <\/span><\/span><\/span><\/span> ois.<\/span>defaultReadObject<\/span>();<\/span> \/\/ 调用默认反序列化 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>五、反序列化安全问题<\/h2> 1. 安全问题产生原因<\/h3> 当类满足以下条件时可能产生安全问题：<\/p> 实现Serializable<\/code>接口<\/li> 重写readObject<\/code>方法<\/li> 在readObject<\/code>方法中执行危险操作<\/li> <\/ol> 2. 恶意代码示例<\/h3> private<\/span> void<\/span> readObject<\/span>(<\/span>ObjectInputStream ois)<\/span> <\/span><\/span> throws<\/span> IOException,<\/span> ClassNotFoundException,<\/span> InterruptedException {<\/span> <\/span><\/span> \/\/ 调用默认反序列化机制 <\/span><\/span><\/span><\/span> ois.<\/span>defaultReadObject<\/span>();<\/span> <\/span><\/span> <\/span><\/span> \/\/ 恶意代码：执行计算器 <\/span><\/span><\/span><\/span> Runtime runtime =<\/span> Runtime.<\/span>getRuntime<\/span>();<\/span> <\/span><\/span> Process calc =<\/span> runtime.<\/span>exec<\/span>(<\/span>"calc"<\/span>);<\/span> <\/span><\/span> calc.<\/span>waitFor<\/span>();<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3. 利用链三要素<\/h3> 入口类(Source)<\/strong>：<\/p> 重写readObject<\/code>方法<\/li> 实现Serializable<\/code>接口<\/li> 调用常见方法<\/li> 参数类型宽泛<\/li> Java自带类（如HashMap<\/code>）<\/li> <\/ul> <\/li> 执行链(Gadget Chain)<\/strong>：<\/p> 互相依赖的对象链<\/li> <\/ul> <\/li> 执行类(Sink)<\/strong>：<\/p> 实际执行攻击的位置（如Runtime.exec()<\/code>）<\/li> <\/ul> <\/li> <\/ol> 4. HashMap作为入口类的分析<\/h3> 实现了Serializable<\/code>接口<\/li> 接受Object<\/code>类型参数（K,V可以是任何类型）<\/li> 重写了readObject<\/code>方法<\/li> 在readObject<\/code>中调用了hashCode()<\/code>方法<\/li> <\/ul> 六、安全实践建议<\/h2> 避免反序列化不可信数据<\/li> 使用白名单验证反序列化的类<\/li> 考虑使用替代方案如JSON\/XML序列化<\/li> 对敏感字段使用transient<\/code>关键字<\/li> 更新Java环境，修复已知漏洞<\/li> <\/ol> 七、扩展思考<\/h2> 研究Object#hashCode()<\/code>、Object#toString()<\/code>和Object#equals()<\/code>方法的重写可能带来的安全问题<\/li> 分析常见Java反序列化漏洞利用链（如Apache Commons Collections）<\/li> 了解Java 9引入的过滤器机制（ObjectInputFilter<\/code>）<\/li> <\/ol>