Affiliation:
1. University of Toulouse, Blagnac Cedex, France
2. Umeå University, MIT-Huset, Umeå, Sweden
3. Paderborn University, Paderborn, Germany
4. University of Luxembourg, Kirchberg Campus, Luxembourg
Abstract
Nowadays, an increasing number of applications use deserialization. This technique, based on rebuilding the instance of objects from serialized byte streams, can be dangerous since it can open the application to attacks such as
remote code execution (RCE)
if the data to deserialize is originating from an untrusted source. Deserialization vulnerabilities are so critical that they are in OWASP’s list of top 10 security risks for web applications. This is mainly caused by faults in the development process of applications and by flaws in their dependencies, i.e., flaws in the libraries used by these applications. No previous work has studied deserialization attacks in-depth: How are they performed? How are weaknesses introduced and patched? And for how long are vulnerabilities present in the codebase? To yield a deeper understanding of this important kind of vulnerability, we perform two main analyses: one on attack gadgets, i.e., exploitable pieces of code, present in Java libraries, and one on vulnerabilities present in Java applications. For the first analysis, we conduct an exploratory large-scale study by running 256515 experiments in which we vary the versions of libraries for each of the 19 publicly available exploits. Such attacks rely on a combination of
gadgets
present in one or multiple Java libraries. A gadget is a method which is using objects or fields that can be attacker-controlled. Our goal is to precisely identify library versions containing gadgets and to understand how gadgets have been introduced and how they have been patched. We observe that the modification of one innocent-looking detail in a class – such as making it
public
– can already introduce a gadget. Furthermore, we noticed that among the studied libraries, 37.5% are not patched, leaving gadgets available for future attacks.
For the second analysis, we manually analyze 104 deserialization vulnerabilities CVEs to understand how vulnerabilities are introduced and patched in real-life Java applications. Results indicate that the vulnerabilities are not always completely patched or that a workaround solution is proposed. With a workaround solution, applications are still vulnerable since the code itself is unchanged.
Funder
Luxembourg National Research Fund (FNR) ONNIVA
Publisher
Association for Computing Machinery (ACM)
Reference70 articles.
1. The tip of the iceberg: On the merits of finding security bugs;Alexopoulos Nikolaos;ACM Trans. Priv. Secur.,2020
2. Davide Balzarotti, Marco Cova, Viktoria Felmetsger, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna. 2008. Saner: Composing static and dynamic analysis to validate sanitization in web applications. In 2008 IEEE Symposium on Security and Privacy (S&P). IEEE Computer Society, 387–401.
3. Musti: Dynamic Prevention of Invalid Object Initialization Attacks
4. Daniel Blazquez. 2020. Insecure Deserialization: Attack examples Mitigation and Prevention. Retrieved 2022 from https://hdivsecurity.com/bornsecure/insecure-deserialization-attack-examples-mitigation/.
5. Nicky Bloor. [n. d.]. DeserLab. Retrieved 2022 from https://github.com/NickstaDB/DeserLab.
Cited by
3 articles.
订阅此论文施引文献
订阅此论文施引文献,注册后可以免费订阅5篇论文的施引文献,订阅后可以查看论文全部施引文献
1. Intelligent System for Providing Migration Through Dynamic Data Deserialization;Proceedings of the Southwest State University. Series: IT Management, Computer Science, Computer Engineering. Medical Equipment Engineering;2024-01-27
2. An Extensive Study on Adversarial Attack against Pre-trained Models of Code;Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering;2023-11-30
3. An In-Depth Analysis of Android’s Java Class Library: its Evolution and Security Impact;2023 IEEE Secure Development Conference (SecDev);2023-10-18