Book Chapter, DOI: 10.1007/978-3-030-00470-5_21
Trusted Execution Path for Protecting Java Applications Against Deserialization of Untrusted Data
Stefano Cristalli, Edoardo Vignati, Danilo Bruschi, Andrea Lanzi
- 10 Sep 2018
- Vol. 11050, pp 445-464
TL;DR: A novel sandboxing approach for protecting Java applications based on trusted execution path used for defining the deserialization behavior is proposed and the effectiveness and efficiency of this system are shown.
Abstract: Deserialization of untrusted data is an issue in many programming languages. In particular, deserialization of untrusted data in Java can lead to Remote Code Execution attacks. Conditions for this type of attack exist, but vulnerabilities are hard to detect. In this paper, we propose a novel sandboxing approach for protecting Java applications based on trusted execution path used for defining the deserialization behavior. We test our defensive mechanism on two main Java frameworks, JBoss and Jenkins, and we show the effectiveness and efficiency of our system. We also discuss the limitations of our current system on newer attack strategies.
Citations
Improving Java Deserialization Gadget Chain Mining via Overriding-Guided Object Generation
Sicong Cao, Xiaoying Sun, Xiaoxue Wu, Lili Bo, Bin Li, Rongxin Wu, Wei Liu, Bin He, Yu Ouyang, Jiajia Li
- 01 May 2023
TL;DR: Improving Java Deserialization Gadget Chain Mining via Overriding-Guided Object Generation discovers novel gadget chains and significantly outperforms state-of-the-art techniques.
ODDFuzz: Discovering Java Deserialization Vulnerabilities via Structure-Aware Directed Greybox Fuzzing
Sicong Cao, Bin He, Xiaoying Sun, Yu Ouyang, Chao Zhang, Xiaoxue Wu, Ting Su, Lili Bo, Bin Li, Chuanlei Ma, Jiajia Li, Wei Tao
- 01 May 2023
TL;DR: ODDFuzz discovers Java deserialization vulnerabilities via structure-aware directed greybox fuzzing, improving the effectiveness and efficiency of existing solutions.
Runtime Prevention of Deserialization Attacks
François Gauthier, Sora Bae
- 20 Apr 2022
TL;DR: A novel and lightweight approach for runtime prevention of deserialization attacks using Markov chains. The intuition behind the work is that the features and ordering of classes in malicious object graphs make them distinguishable from benign ones.
Journal Article
A Composite Discover Method for Gadget Chains in Java Deserialization Vulnerability
Zhao Lai, Haipeng Qu, Lingyun Ying
TL;DR: Wang et al. as mentioned in this paper proposed a new composite discovery method that generates the corresponding byte streams based on the static analysis results and performs deserialization detection, combining serialization protocols and reflection mechanisms to generate objects dynamically and implement attack injection and detection.
Proceedings Article
Abusing hidden properties to attack the node.js ecosystem
Feng Xiao, Jianwei Huang, Yichang Xiong, Guangliang Yang, Hong Hu, Guofei Gu, Wenke Lee
- 01 Jan 2021
References
CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization
Robert N. M. Watson, Jonathan Woodruff, Peter G. Neumann, Simon W. Moore, Jonathan Anderson, David Chisnall, Nirav Dave, Brooks Davis, Khilan Gudka, Ben Laurie, Steven J. Murdoch, Robert Norton, Michael Roe, Stacey Son, Munraj Vadera
- 17 May 2015
TL;DR: This work demonstrates multiple orders-of-magnitude improvement in scalability, simplified programmability, and resulting tangible security benefits as compared to compartmentalization based on pure Memory-Management Unit (MMU) designs.
Challenges for static analysis of Java reflection: literature review and empirical study
D. Landman, Alexander Serebrenik, Jurgen Vinju
- 20 May 2017
TL;DR: It is concluded that the need for unsound assumptions to resolve reflection is widely supported. For Java software engineers prioritizing robustness, tactics to obtain easier-to-analyze reflection code are provided, and for static analysis tool builders, a list of opportunities to have significant impact on real Java code.
CODOMs: protecting software with code-centric memory domains
Lluis Vilanova, Muli Ben-Yehuda, Nacho Navarro, Yoav Etsion, Mateo Valero
- 14 Jun 2014
TL;DR: CODOMs (COde-centric memory DOMains), a novel architecture that can provide finer-grained isolation between software components with effectively zero run-time overhead, all at a fraction of the complexity of other approaches is presented.
Certified Malware: Measuring Breaches of Trust in the Windows Code-Signing PKI
Doowon Kim, Bum Jun Kwon, Tudor Dumitras
- 30 Oct 2017
TL;DR: This work proposes a threat model that highlights three types of weaknesses in the code-signing PKI and introduces techniques for prioritizing the collection of code signing certificates that are likely abusive, and introduces an algorithm for distinguishing among different types of threats.
Hypervisor-based malware protection with AccessMiner
TL;DR: AccessMiner is a system-centric behavioral malware detector that does not need to be trained on malicious samples, and therefore it is able to provide a general detection solution that can be used to protect against both known and unknown malware.