
2021-11-9: An In-depth Study of Java Deserialization Exploits and Vulnerabilities

Alexandre Bartel from Umeå University will give a seminar on November 9th, 2021, 10:00 - 11:00. Lindstedtsvägen 5, 5th floor, room 4523. The title of the talk is "An In-depth Study of Java Deserialization Exploits and Vulnerabilities".

Abstract:
Deserialization, a technique based on rebuilding instances of objects from a byte stream, is dangerous since it can open an application to attacks such as remote code execution (RCE) if the data to deserialize originates from an untrusted source. Deserialization vulnerabilities are so critical that they are in OWASP's list of top 10 security risks for web applications. This is mainly caused by faults in the development process of applications and by flaws in their dependencies, such as flaws in libraries used by these applications. In this talk we dissect Java deserialization vulnerabilities and discuss (1) the analysis of gadgets based on 19 publicly known exploits and (2) the analysis of 104 CVEs to understand how vulnerabilities are introduced and patched in real-world Java applications. We observe that the modification of one innocent-looking detail in a class – such as making it public – can already introduce a gadget. Furthermore, 37.5% of the gadgets are not patched, leaving them available for future attacks. Results also indicate that vulnerabilities are not always completely patched and that workaround solutions are often put in place.
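The standard mitigation for the risk the abstract describes is to refuse to rebuild any class the application does not expect. The following is an added illustration, not code from the talk or its author: a JEP 290 `java.io.ObjectInputFilter` (Java 9+) allow-list with a nesting-depth cap, installed on an `ObjectInputStream` so that an unlisted class is rejected before its `readObject()` or any other gadget-bearing method can run. The `Greeting` and `Unexpected` classes are hypothetical stand-ins for an expected application type and for anything else that might show up in an untrusted stream.

```java
import java.io.*;
import java.util.Set;

// Allow-list deserialization filter (JEP 290, java.io.ObjectInputFilter, Java 9+): only classes
// the application expects may be rebuilt from the byte stream; anything else is rejected early.
public class SafeDeserialization {
    // Hypothetical application type we legitimately expect to receive.
    public static class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String text;
        public Greeting(String text) { this.text = text; }
    }
    // Hypothetical stand-in for any class the application did not expect in the stream.
    public static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static ObjectInputFilter allowOnly(Set<Class<?>> allowed, int maxDepth) {
        return info -> {
            if (info.depth() > maxDepth) return ObjectInputFilter.Status.REJECTED; // nesting bomb
            Class<?> c = info.serialClass();
            if (c == null) return ObjectInputFilter.Status.UNDECIDED; // nothing to judge (back-reference)
            while (c.isArray()) c = c.getComponentType();            // judge arrays by component type
            return allowed.contains(c) ? ObjectInputFilter.Status.ALLOWED
                                       : ObjectInputFilter.Status.REJECTED;
        };
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object readFiltered(byte[] bytes, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter); // must be installed before the first readObject()
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectInputFilter filter = allowOnly(Set.of(Greeting.class, String.class), 5);
        Greeting ok = (Greeting) readFiltered(serialize(new Greeting("hello")), filter);
        System.out.println("accepted: " + ok.text);
        try {
            readFiltered(serialize(new Unexpected()), filter);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage()); // "filter status: REJECTED"
        }
    }
}
```

A process-wide default can be set with the `jdk.serialFilter` system property, but a per-stream allow-list like this one is the form that keeps the list close to the code that knows which classes are legitimate.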

Bio:
Alexandre Bartel is a Professor in the Department of Computing Science at Umeå University. His research interests are in the area of software engineering and computer security. His work has helped to find and fix security weaknesses in Android applications, open-source projects, the Java Virtual Machine, and software operated by the industry.

Belongs to: School of Electrical Engineering and Computer Science
Last changed: Nov 02, 2021