Runtime Prevention of Deserialization Attacks (ICSE 2022 - NIER - New Ideas and Emerging Results)

Who

François Gauthier, Sora Bae

Track

ICSE 2022 NIER - New Ideas and Emerging Results

Time Zone

The program is currently displayed in (GMT-04:00) Eastern Time (US & Canada).

Use conference time zone: (GMT-04:00) Eastern Time (US & Canada)Select other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

By setting a time band, the program will dim events that are outside this time window. This is useful for (virtual) conferences with a continuous program (with repeated sessions).
The time band will also limit the events that are included in the personal iCalendar subscription service.

Display full programSpecify a time band

Save

When

Mon 9 May 2022 22:00 - 22:05 at ICSE room 3-even hours - Programming Languages 2 Chair(s): Karim Ali
Thu 12 May 2022 04:00 - 04:05 at ICSE room 5-even hours - Programming Languages 1 Chair(s): Jean-Guy Schneider

Abstract

Untrusted deserialization exploits, where a serialised object graph is used to achieve denial-of-service or arbitrary code execution, have become so prominent that they were introduced in the 2017 OWASP Top 10. In this paper, we present a novel and lightweight approach for runtime prevention of deserialization attacks using Markov chains. The intuition behind our work is that the features and ordering of classes in malicious object graphs make them distinguishable from benign ones. Preliminary results indeed show that our approach achieves an F1-score of 0.94 on a dataset of 264 serialised payloads, collected from an industrial Java EE application server and a repository of deserialization exploits.

Link to Preprint

https://arxiv.org/abs/2204.09388

DOI

https://doi.org/10.1145/3510455.3512786

François Gauthier

Oracle Labs

Australia

Sora Bae

Oracle Labs, Australia

South Korea

Runtime Prevention of Deserialization Attacks

Time Zone

The program is currently displayed in (GMT-04:00) Eastern Time (US & Canada).

Use conference time zone: (GMT-04:00) Eastern Time (US & Canada)Select other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

Display full programSpecify a time band

Save

Session Program

Mon 9 May
Displayed time zone: Eastern Time (US & Canada) change

22:00 - 23:00	Programming Languages 2Technical Track / NIER - New Ideas and Emerging Results / SEIS - Software Engineering in Society at ICSE room 3-even hours Chair(s): Karim Ali University of Alberta

22:00 5m Talk		Runtime Prevention of Deserialization Attacks NIER - New Ideas and Emerging Results François Gauthier Oracle Labs, Sora Bae Oracle Labs, Australia DOI Pre-print Media Attached
22:05 5m Talk		DRESS-ML: A Domain-specific Language for Modelling Exceptional Scenarios and Self-adaptive Behaviours for Drone-based Applications SEIS - Software Engineering in Society Lucas Vieira State University of Ceará, José Davi da Silva Pereira State University of Ceara, Brazil, Natália Aragão State University of Ceara, Brazil, Matheus Chagas State University of Ceará, Paulo Maia State University of Ceará Pre-print Media Attached
22:10 5m Talk		Learning and Programming Challenges of Rust: A Mixed-Methods Study Technical Track Shuofei Zhu The Pennsylvania State University, Ziyi Zhang University of Wisconsin–Madison, Boqin Qin China Telecom Cloud Computing Corporation, Aiping Xiong The Pennsylvania State University, Linhai Song Pennsylvania State University, USA DOI Pre-print Media Attached
22:15 5m Talk		Garbage Collection Makes Rust Easier to Use: A Randomized Controlled Trial of the Bronze Garbage CollectorNominated for Distinguished Paper Technical Track Michael Coblenz University of Maryland at College Park, Michelle Mazurek University of Maryland, Michael Hicks University of Maryland at College Park DOI Pre-print Media Attached

Thu 12 May
Displayed time zone: Eastern Time (US & Canada) change

04:00 - 05:00	Programming Languages 1SEIP - Software Engineering in Practice / NIER - New Ideas and Emerging Results / SEIS - Software Engineering in Society / Technical Track at ICSE room 5-even hours Chair(s): Jean-Guy Schneider Deakin University

04:00 5m Talk		Runtime Prevention of Deserialization Attacks NIER - New Ideas and Emerging Results François Gauthier Oracle Labs, Sora Bae Oracle Labs, Australia DOI Pre-print Media Attached
04:05 5m Talk		Grammars for Free: Toward Grammar Inference for Ad Hoc Parsers NIER - New Ideas and Emerging Results Michael Schröder TU Wien, Jürgen Cito TU Wien and Meta Pre-print Media Attached
04:10 5m Talk		An Asynchronous Call Graph for JavaScript SEIP - Software Engineering in Practice Dominik Seifert National Taiwan University, Michael Wan National Taiwan University, Jane Hsu National Taiwan University, Benson Yeh National Taiwan University DOI Pre-print Media Attached
04:15 5m Talk		Lowering Barriers to Application Development With Cloud-Native Domain-Specific Functions SEIS - Software Engineering in Society José Miguel Pérez-Álvarez NAVER LABS Europe, Adrian Mos NAVER LABS Europe, Benjamin V. Hanrahan Pennsylvania State University, Iyadunni J. Adenuga Pennsylvania State University Pre-print Media Attached
04:20 5m Talk		Towards Bidirectional Live Programming for Incomplete Programs Technical Track Xing Zhang Peking University, Zhenjiang Hu Peking University Pre-print Media Attached
04:25 5m Talk		Imperative versus Declarative Collection Processing: An RCT on the Understandability of Traditional Loops versus the Stream API in Java Technical Track Nils Mehlhorn , Stefan Hanenberg paluno – The Ruhr Institute for Software Technology, University of Duisburg-Essen, Essen Pre-print Media Attached

Information for Participants

Mon 9 May 2022 22:00 - 23:00 at ICSE room 3-even hours - Programming Languages 2 Chair(s): Karim Ali

Info for room ICSE room 3-even hours:

Click here to go to the room on Midspace

Thu 12 May 2022 04:00 - 05:00 at ICSE room 5-even hours - Programming Languages 1 Chair(s): Jean-Guy Schneider

Info for room ICSE room 5-even hours:

Click here to go to the room on Midspace