| Title: |
An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities |
| Authors: |
Sayar, Imen; Bartel, Alexandre; Bodden, Eric; Le Traon, Yves |
| Contributors: |
Université du Luxembourg = University of Luxembourg = Universität Luxemburg (uni.lu); Smart Modeling for softw@re Research and Technology (IRIT-SM@RT); Institut de recherche en informatique de Toulouse (IRIT); Université Toulouse Capitole (UT Capitole); Communauté d'universités et établissements de Toulouse (Comue de Toulouse)-Communauté d'universités et établissements de Toulouse (Comue de Toulouse)-Université Toulouse - Jean Jaurès (UT2J); Communauté d'universités et établissements de Toulouse (Comue de Toulouse)-Communauté d'universités et établissements de Toulouse (Comue de Toulouse)-Université Toulouse III - Paul Sabatier (UT3); Communauté d'universités et établissements de Toulouse (Comue de Toulouse)-Centre National de la Recherche Scientifique (CNRS)-Institut National Polytechnique (Toulouse) (Toulouse INP); Communauté d'universités et établissements de Toulouse (Comue de Toulouse)-Toulouse Mind & Brain Institut (TMBI); Université Toulouse - Jean Jaurès (UT2J); Communauté d'universités et établissements de Toulouse (Comue de Toulouse)-Université Toulouse III - Paul Sabatier (UT3); Communauté d'universités et établissements de Toulouse (Comue de Toulouse)-Université Toulouse Capitole (UT Capitole); Communauté d'universités et établissements de Toulouse (Comue de Toulouse); Umeå University = Umeå Universitet; Universität Paderborn (UPB); Luxembourg National Research Fund (FNR) ONNIVA Project, ref. 12696663; Wallenberg AI, Autonomous Systems and Software Program (WASP) funded by the Knut and Alice Wallenberg Foundation |
| Source: |
ISSN: 1049-331X ; ACM Transactions on Software Engineering and Methodology ; https://hal.science/hal-03747004 ; ACM Transactions on Software Engineering and Methodology, In press, 32 (1), pp.Pages 1 - 45. ⟨10.1145/3554732⟩ ; https://dl.acm.org/doi/10.1145/3554732. |
| Publisher Information: |
CCSD; Association for Computing Machinery |
| Publication Year: |
2022 |
| Collection: |
Université Toulouse III - Paul Sabatier: HAL-UPS |
| Subject Terms: |
remote code execution RCE; gadget; vulnerabilities; deserialization; serialization; [INFO.INFO-SE]Computer Science [cs]/Software Engineering [cs.SE]; [INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR] |
| Description: |
International audience ; Nowadays, an increasing number of applications uses deserialization. This technique, based on rebuilding the instance of objects from serialized byte streams, can be dangerous since it can open the application to attacks such as remote code execution (RCE) if the data to deserialize is originating from an untrusted source. Deserialization vulnerabilities are so critical that they are in OWASP’s list of top 10 security risks for web applications. This is mainly caused by faults in the development process of applications and by flaws in their dependencies, i.e., flaws in the libraries used by these applications. No previous work has studied deserialization attacks in-depth: How are they performed? How are weaknesses introduced and patched? And for how long are vulnerabilities present in the codebase? To yield a deeper understanding of this important kind of vulnerability, we perform two main analyses: one on attack gadgets, i.e., exploitable pieces of code, present in Java libraries, and one on vulnerabilities present in Java applications. For the first analysis, we conduct an exploratory large-scale study by running 256 515 experiments in which we vary the versions of libraries for each of the 19 publicly available exploits. Such attacks rely on a combination of gadgets present in one or multiple Java libraries. A gadget is a method which is using objects or fields that can be attacker-controlled. Our goal is to precisely identify library versions containing gadgets and to understand how gadgets have been introduced and how they have been patched. We observe that the modification of one innocent-looking detail in a class – such as making it public – can already introduce a gadget. Furthermore, we noticed that among the studied libraries, 37.5% are not patched, leaving gadgets available for future attacks. For the second analysis, we manually analyze 104 deserialization vulnerabilities CVEs to understand how vulnerabilities are introduced and patched in real-life Java applications. Results ... |
| Document Type: |
article in journal/newspaper |
| Language: |
English |
| Relation: |
info:eu-repo/semantics/altIdentifier/arxiv/2208.08173; ARXIV: 2208.08173 |
| DOI: |
10.1145/3554732 |
| Availability: |
https://hal.science/hal-03747004; https://hal.science/hal-03747004v1/document; https://hal.science/hal-03747004v1/file/papier.pdf; https://doi.org/10.1145/3554732 |
| Rights: |
info:eu-repo/semantics/OpenAccess |
| Accession Number: |
edsbas.2F0AC3BE |
| Database: |
BASE |