Deserialization of untrusted data is an issue in many programming languages. In particular, deserialization of untrusted data in Java can lead to Remote Code Execution attacks. The conditions for this type of attack are well known, but the vulnerabilities themselves are hard to detect. In this paper, we propose a novel sandboxing approach for protecting Java applications, based on a trusted execution path that defines the allowed deserialization behavior. We test our defensive mechanism on two major Java frameworks, JBoss and Jenkins, and show the effectiveness and efficiency of our system. We also discuss the limitations of our current system against newer attack strategies.
Trusted execution path for protecting Java applications against deserialization of untrusted data / S. Cristalli, E. Vignati, D. Bruschi, A. Lanzi (LECTURE NOTES IN COMPUTER SCIENCE). - In: Research in Attacks, Intrusions, and Defenses / [edited by] M. Bailey, T. Holz, M. Stamatogiannakis, S. Ioannidis. - [s.l.] : Springer Verlag, 2018. - ISBN 9783030004699. - pp. 445-464. Paper presented at the 21st International Symposium on Research in Attacks, Intrusions and Defenses, held in Heraklion in 2018 [10.1007/978-3-030-00470-5_21].
Trusted execution path for protecting Java applications against deserialization of untrusted data
S. Cristalli; D. Bruschi; A. Lanzi
2018
File | Size | Format |
---|---|---|
Cristalli2018_Chapter_TrustedExecutionPathForProtect.pdf (restricted access; publisher's version/PDF) | 303.06 kB | Adobe PDF |