Tabby静态分析实践指南<\/h1>

0x01 Tabby测试<\/h2>

1a 工具印象<\/h3>

Tabby是一个基于代码属性图的Java静态分析工具，主要特点包括：<\/p>

支持分析编译后的War包、Jar包等形式<\/li>

工作流程分为两个阶段：

代码属性图生成阶段：由tabby.core负责生成带污点信息的代码属性图<\/li>

漏洞发现阶段：使用neo4j扩展tabby path finder查询source-sink语句寻找调用链路<\/li> <\/ul> <\/li> <\/ul>

1b 安装和运行<\/h3>

环境准备：<\/strong><\/p>

下载Neo4j 5.12.0<\/li>
下载apoc-5.12.0-core.jar和apoc-5.12.0-extended.jar<\/li>
下载tabby-path-finder-1.0.jar或1.1版本<\/li> <\/ol>
配置：<\/strong><\/p>
# 允许apoc扩展 dbms.security.procedures.unrestricted=jwt.security.*,apoc.*,tabby.* <\/code><\/pre> 启动数据库后执行：<\/strong><\/p> CREATE CONSTRAINT c1 IF NOT EXISTS FOR (c:Class) REQUIRE c.ID IS UNIQUE; CREATE CONSTRAINT c2 IF NOT EXISTS FOR (c:Class) REQUIRE c.NAME IS UNIQUE; CREATE CONSTRAINT c3 IF NOT EXISTS FOR (m:Method) REQUIRE m.ID IS UNIQUE; CREATE CONSTRAINT c4 IF NOT EXISTS FOR (m:Method) REQUIRE m.SIGNATURE IS UNIQUE; CREATE INDEX index1 IF NOT EXISTS FOR (m:Method) ON (m.NAME); CREATE INDEX index2 IF NOT EXISTS FOR (m:Method) ON (m.CLASSNAME); CREATE INDEX index3 IF NOT EXISTS FOR (m:Method) ON (m.NAME, m.CLASSNAME); CREATE INDEX index4 IF NOT EXISTS FOR (m:Method) ON (m.NAME, m.NAME0); CREATE INDEX index5 IF NOT EXISTS FOR (m:Method) ON (m.SIGNATURE); CREATE INDEX index6 IF NOT EXISTS FOR (m:Method) ON (m.NAME0); CREATE INDEX index7 IF NOT EXISTS FOR (m:Method) ON (m.NAME0, m.CLASSNAME); <\/code><\/pre> 运行Tabby：<\/strong><\/p> java -Xmx8g -jar tabby.jar <\/span><\/span><\/code><\/pre>1c 运行配置<\/h3> 推荐配置config\/settings.properties<\/code>：<\/p> tabby.debug.details = true tabby.build.target = cases\/java-sec-code-1.0.0.jar tabby.build.libraries = libs tabby.build.mode = web # 或gadget <\/code><\/pre> 1d 测试结果<\/h3> 254MB Jar包分析：16w classes，耗时极长<\/li> 31MB业务代码：2w+ classes，耗时约7分钟<\/li> <\/ul> 1e 踩坑记录<\/h3> 大Jar包分析需要足够内存：建议至少8G<\/li> 分析时间可能很长，需耐心等待<\/li> <\/ul> 0x02 图数据库Neo4j<\/h2> 2a 入门介绍<\/h3> Neo4j属性图模型由节点和关系组成，使用Cypher查询语言。<\/p> 节点表示：<\/strong><\/p> ()<\/code> - 匿名节点<\/li> (p:Person)<\/code> - 带变量和标签的节点<\/li> (:Technology)<\/code> - 只有标签的节点<\/li> (work:Company)<\/code> - 带变量和标签的节点<\/li> <\/ul> 关系表示：<\/strong><\/p> [:Likes]<\/code> - 关系类型<\/li> -[rel:Is_Friends_With {since: 2018}]-><\/code> - 带属性和变量的关系<\/li> <\/ul> 2b 概念指南<\/h3> 属性图基本概念：<\/p> 节点(nodes)：表示实体<\/li> 标签(labels)：对节点分组<\/li> 关系(relationships)：连接节点<\/li> 属性(properties)：节点和关系的键值对<\/li> <\/ul> 2c Cypher指南<\/h3> 基本Cypher操作：<\/p> -- 创建节点 CREATE (ee:Person {name: 'Emil', from: 'Sweden', kloutScore: 99}) -- 查找节点 MATCH (ee:Person) WHERE ee.name = 'Emil' RETURN ee; -- 创建关系和节点 MATCH (ee:Person) CREATE (js:Person), (ee)-[:KNOWS {since: 2001}]->(js) -- 查询所有Person节点 match (any:Person) return any <\/code><\/pre> 2d 查询代码属性图<\/h3> 常用查询：<\/strong><\/p> -- 查看图结构 call db.schema.visualization -- 获取所有标签 call db.labels -- 获取所有关系类型 call db.relationshipTypes -- 获取所有节点属性 match (n) unwind keys(n) as allkeys return distinct allkeys <\/code><\/pre> 0x03 Tabby实践<\/h2> 3a 查询方法<\/h3> 基本查询模板：<\/p> match (source:Method) match (sink:Method {IS_SINK:true}) call apoc.algo.allSimplePaths(m1, source, "ALIAS>|CALL>", 12) yield path return * limit 20 <\/code><\/pre> 3b 静态分析技术问题<\/h3> Tabby的污点分析特点：<\/p> 对class\/method节点建模<\/li> call edge会添加pollution_positions保存污点信息<\/li> 主要关注method->method的数据流追踪<\/li> <\/ul> 3c 端点识别<\/h3> Tabby内置端点识别：<\/p> Struts类型<\/li> Servlet类型<\/li> JSP类型<\/li> 注释类型<\/li> <\/ul> 查询模板：<\/p> match (source:Method {IS_ENDPOINT:true}) with collect(source) as sources match (sink:Method {IS_SINK: true, VUL:"FILE_WRITE"}) with sources, collect(sink) as sinks call tabby.algo.findPath(sources, "forward", sinks, 8, false) yield path where none(n in nodes(path) where n.NAME0 in ["java.io.OutputStream.flush","java.io.Writer.flush", "java.util.Iterator.hasNext", "java.lang.Object.toString", "java.io.ObjectOutputStream.<init>", "java.io.PrintWriter.write"]) return path limit 10 <\/code><\/pre> 3d 查找危险方法<\/h3> 文件上传漏洞检测：<\/strong><\/p> -- 查找顶层service方法 match (source:Method {NAME:"service", CLASSNAME:"com.sun.jersey.spi.container.servlet.ServletContainer"}) -- 查找FileOutputStream构造方法 match (sink:Method {SIGNATURE:"<java.io.FileOutputStream: void <init>(java.lang.String)>",CLASSNAME:"java.io.FileOutputStream"}) -- 查找调用路径 call tabby.algo.findPath(source, ">", sink, 15, false) YIELD path return path <\/code><\/pre> 请求输入流检测：<\/strong><\/p> MATCH path=(source:Method)-[:CALL]->(sink:Method {NAME:"getInputStream"}) where source.CLASSNAME starts with "com.esafenet.servlet" return path <\/code><\/pre> 0x04 实践小结<\/h2> 4a 数据流分析对象<\/h3> Tabby 1.2版本分析特点：<\/p> 以class、method作为图节点建模<\/li> 节点关系类型： class->class: Interface、Extends<\/li> class->method: Has<\/li> method->method: Call、Alias<\/li> <\/ul> <\/li> <\/ul> 4b 整体感知<\/h3> 优势：<\/strong><\/p> 基于Soot生成的字节码分析，支持Jar、classes等文件<\/li> 对反序列化等有明确触发点方法的漏洞检测效果好<\/li> 在查找特定类、Controller\/Servlet及其方法方面有优势<\/li> <\/ul> 劣势：<\/strong><\/p> 污点流(taint flow)信息较少<\/li> 默认全量分析，难以对大Jar包进行选择性分析<\/li> 数据流调试资料较少<\/li> <\/ul> 理想污点分析：<\/strong><\/p> 标记request对象中所有外部可控的数据流<\/li> 追踪这些数据流是否经过指定的危险函数<\/li> 减少底层方法追踪，关注如new FileOutputStream(path)等高层次方法<\/li> <\/ul>