EASE 2024
Tue 18 - Fri 21 June 2024 Salerno, Italy
Thu 20 Jun 2024 14:00 - 14:12 at Room Vietri - Security (1) Chair(s): Giuseppe Scanniello

We analyze known deserialization exploits targeting applications developed in the Java programming language. As previous research implies, fully comprehending this type of vulnerability is no easy task due to the complexity of exploitation, which mostly relies on so-called gadget chains. Even for known gadget chains, knowledge about their prerequisites is rather limited. In particular, the full range of external library versions that add exploitable gadgets to the Java classpath was formerly only partially examined. We contribute an in-depth analysis of publicly available Java deserialization vulnerabilities. Specifically, we experimentally assess the prerequisites for exploitation, using 46 different gadget chains on 244 JDK and 5,455 Java dependency versions. Previous research only covered 19 of these gadget chains. Furthermore, we develop a command line tool, Gadgecy, for lightweight detection of whether a given Java project contains dependency combinations that enable gadget chains. Using this tool, we conduct an analysis of 2,211 projects from the Apache Distribution directory and 400 well-known GitHub repositories. The outcome reveals that (1) deserialization exploits apply to recent JDK and library versions, (2) these gadget chains are not being fully reported, and (3) they are frequently present in popular Java projects (such as Apache Kafka or Hadoop).

Thu 20 Jun

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

14:00 - 15:30
14:00 (12m) Talk, Research Papers
Analyzing Prerequisites of known Deserialization Vulnerabilities on Java Applications
Bruno Kreyssig (Umeå University), Alexandre Bartel (Umeå University)

14:12 (12m) Talk, Research Papers
An Extensive Comparison of Static Application Security Testing Tools
Matteo Esposito (University of Rome Tor Vergata), Valentina Falaschi (University of Rome Tor Vergata), Davide Falessi (University of Rome Tor Vergata, Italy)
Pre-print

14:25 (12m) Talk, Industry
Detecting Security Fixes in Open-Source Repositories using Static Code Analyzers
Therese Fehrer (JADS, Tilburg University, 's-Hertogenbosch), Rocio Cabrera Lozoya (SAP Security Research), Antonino Sabetta (SAP Labs), Dario Di Nucci (University of Salerno), Damian Andrew Tamburri (TU/e)

14:38 (12m) Talk, Short Papers, Vision and Emerging Results
Analyzing the Accessibility of GitHub Repositories for PyPI and NPM Libraries
DOI Pre-print

14:51 (12m) Talk, Short Papers, Vision and Emerging Results
Unveiling iOS Scamwares through Crowdturfing Reviews
Zhipeng Xu (Shanghai Jiao Tong University)

15:04 (12m) Talk, Short Papers, Vision and Emerging Results
Mining REST APIs for Potential Mass Assignment Vulnerabilities
Arash Mazidi, Davide Corradini (University of Verona), Mohammad Ghafari (TU Clausthal)

15:17 (12m) Talk, Industry
Negative Complement of a Set of Vulnerability-Fixing Commits: Method and Dataset
Rocio Cabrera Lozoya (SAP Security Research), Antonino Sabetta (SAP Labs), Tommaso Aiello (SAP Security Research)