An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities
Nowadays, an increasing number of applications uses deserialization. This technique, based on rebuilding the instance of objects from serialized byte streams, can be dangerous since it can open the application to attacks such as remote code execution (RCE) if the data to deserialize is originating from an untrusted source. Deserialization vulnerabilities are so critical that they are in OWASP’s list of top 10 security risks for web applications. This is mainly caused by faults in the development process of applications and by flaws in their dependencies, \textit{i.e.,} flaws in the libraries used by these applications. No previous work has studied deserialization attacks in-depth: How are they performed? How are weaknesses introduced and patched? And for how long are vulnerabilities present in the codebase? To yield a deeper understanding of this important kind of vulnerability, we perform two main analyses: one on attack gadgets, i.e., exploitable pieces of code, present in Java libraries, and one on vulnerabilities present in Java applications. For the first analysis, we conduct an exploratory large-scale study by running 256515 experiments in which we vary the versions of libraries for each of the 19 publicly available exploits. Such attacks rely on a combination of gadgets present in one or multiple Java libraries. A gadget is a method which is using objects or fields that can be attacker-controlled. Our goal is to precisely identify library versions containing gadgets and to understand how gadgets have been introduced and how they have been patched. We observe that the modification of one innocent-looking detail in a class such as making it public can already introduce a gadget. Furthermore, we noticed that among the studied libraries, 37.5% are not patched, leaving gadgets available for future attacks.
For the second analysis, we manually analyze 104 deserialization vulnerabilities CVEs to understand how vulnerabilities are introduced and patched in real-life Java applications. Results indicate that the vulnerabilities are not always completely patched or that a workaround solution is proposed. With a workaround solution, applications are still vulnerable since the code itself is unchanged.
Wed 17 MayDisplayed time zone: Hobart change
15:45 - 17:15 | Vulnerability analysis and assessmentTechnical Track / Journal-First Papers / DEMO - Demonstrations at Meeting Room 105 Chair(s): Xiaoyin Wang University of Texas at San Antonio | ||
15:45 15mTalk | Chronos: Time-Aware Zero-Shot Identification of Libraries from Vulnerability Reports Technical Track Yunbo Lyu Singapore Management University, Le-Cong Thanh The University of Melbourne, Hong Jin Kang UCLA, Ratnadira Widyasari Singapore Management University, Singapore, Zhipeng Zhao Singapore Management University, Xuan-Bach D. Le University of Melbourne, Ming Li Nanjing University, David Lo Singapore Management University Pre-print | ||
16:00 15mTalk | Understanding the Threats of Upstream Vulnerabilities to Downstream Projects in the Maven Ecosystem Technical Track Yulun Wu Huazhong University of Science and Technology, Zeliang Yu Huazhong University of Science and Technology, Ming Wen Huazhong University of Science and Technology, Qiang Li Huazhong University of Science and Technology, Deqing Zou Huazhong University of Science and Technology, Hai Jin Huazhong University of Science and Technology Pre-print | ||
16:15 15mTalk | SecBench.js: An Executable Security Benchmark Suite for Server-Side JavaScript Technical Track Masudul Hasan Masud Bhuiyan CISPA Helmholtz Center for Information Security, Adithya Srinivas Parthasarathy Indian Institute of Information Technology, Design and Manufacturing, Kancheepuram, Nikos Vasilakis Massachusetts Institute of Technology, Michael Pradel University of Stuttgart, Cristian-Alexandru Staicu CISPA Helmholtz Center for Information Security Pre-print | ||
16:30 15mTalk | On Privacy Weaknesses and Vulnerabilities in Software Systems Technical Track Pattaraporn Sangaroonsilp University of Wollongong, Hoa Khanh Dam University of Wollongong, Aditya Ghose University of Wollongong | ||
16:45 7mTalk | A Multi-faceted Vulnerability Searching Website Powered by Aspect-level Vulnerability Knowledge Graph DEMO - Demonstrations Jiamou Sun CSIRO's Data61, Zhenchang Xing CSIRO’s Data61; Australian National University, Qinghua Lu CSIRO’s Data61, Xiwei (Sherry) Xu CSIRO’s Data61, Liming Zhu CSIRO’s Data61 | ||
16:52 7mTalk | An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities Journal-First Papers Imen Sayar IRIT, University of Toulouse, IUT Blagnac Toulouse II, 1 Place Georges Brassens, Blagnac Cedex, France, 31703, Alexandre Bartel Umeå University, Eric Bodden Heinz Nixdorf Institut, Paderborn University and Fraunhofer IEM, Yves Le Traon University of Luxembourg, Luxembourg | ||
17:00 7mTalk | Blindspots in Python and Java APIs Result in Vulnerable Code Journal-First Papers Yuriy Brun University of Massachusetts, Tian Lin University of Florida, Jessie Elise Somerville University of Florida, Elisha M. Myers Florida Atlantic University, Natalie C. Ebner University of Florida Link to publication DOI Pre-print Media Attached | ||