JChainz: Automatic Detection of Deserialization Vulnerabilities for the Java Language / L. Buccioli, S. Cristalli, E. Vignati, L. Nava, D. Badagliacca, D. Bruschi, L. Lu, A. Lanzi (LECTURE NOTES IN COMPUTER SCIENCE). - In: Security and Trust Management (STM 2022). - [s.l.] : Springer Science and Business Media Deutschland GmbH, 2023. - ISBN 978-3-031-29503-4. - pp. 136-155 (conference: 18th International Workshop on Security and Trust Management, STM 2022, co-located with the 27th European Symposium on Research in Computer Security, ESORICS 2022, held in Copenhagen in 2022) [10.1007/978-3-031-29504-1_8].
JChainz: Automatic Detection of Deserialization Vulnerabilities for the Java Language
L. Buccioli;S. Cristalli;E. Vignati;D. Bruschi;A. Lanzi
2023
Abstract
In the last decade, we have seen the proliferation of code-reuse attacks that rely on deserialization of untrusted data in the context of web applications. The impact of these attacks is really important since they can be used for exposing private information of the users. In this paper, we design a tool for automatic discovery of deserialization vulnerabilities for the Java language. Our purpose is to devise an automatic methodology that uses a set of program analysis techniques and is able to output a deserialization attack chain. We test our techniques against common Java libraries used in web technology. The execution of our tool on such a dataset was able to validate the attack chains for the majority of already known vulnerabilities, and it was also able to discover multiple novel chains that represent new types of attack vectors.
File | Size | Format |
---|---|---|
978-3-031-29504-1_8.pdf (restricted access; type: Publisher's version/PDF) | 816.25 kB | Adobe PDF |