A Hybrid Analysis to Detect Java Serialisation Vulnerabilities (ASE 2020 - New Ideas and Emerging Results (NIER) track)

Write a Blog >>

Mon 21 - Fri 25 September 2020 Melbourne, Australia

Who

Shawn Rasheed, Jens Dietrich

Track

ASE 2020 NIER track

Time Zone

The program is currently displayed in (UTC) Coordinated Universal Time.

Use conference time zone: (UTC) Coordinated Universal TimeSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

By setting a time band, the program will dim events that are outside this time window. This is useful for (virtual) conferences with a continuous program (with repeated sessions).
The time band will also limit the events that are included in the personal iCalendar subscription service.

Display full programSpecify a time band

Save

When

Wed 23 Sep 2020 01:50 - 02:00 at Platypus - Software Security and Trust (1) Chair(s): Christoph Csallner

Abstract

Serialisation related security vulnerabilities have recently been reported for numerous Java applications. Since serialisation presents both soundness and precision challenges for static analysis, it can be difficult for analyses to precisely pinpoint serialisation vulnerabilities in a Java library. In this paper, we propose a hybrid approach that extends a static analysis with fuzzing to detect serialisation vulnerabilities. The novelty of our approach is in its use of a heap model to direct fuzzing for vulnerabilities in Java libraries. The advantage is that the analysis guides fuzzing to quickly and effectively produce results, which may also automatically validate static analysis reports.

Shawn Rasheed

Massey University

New Zealand

Jens Dietrich

Victoria University of Wellington