Fixing the Java Serialization mess
Pierre Ernst, HackFest.ca 2016
https://goo.gl/rOpF0u
Agenda
Introduction to Java serialization
Attack vectors
• Serialization Gadgets
  • Demo: Denial of Service
• Deserialization endpoints
  • Demo: JMX (CVE-2016-3427)
Mitigation
• Against Serialization Gadgets
• Against Deserialization endpoints
• Demo: Bypassing Apache TomEE look-ahead class name blacklist
• New concept: Look-ahead method blacklist
Pierre Ernst
linkedin.com/in/pernst
@e_rnst
https://research.trust.salesforce.com/
• Software development background
• Secure Code Review
• Found security vulnerabilities in applications made by: (word cloud of vendors; image source: http://www.wordle.net)
Salesforce is hiring application security engineers for:
• Enterprise Security (Vendor applications)
• Product Security (Salesforce web applications)
• Infrastructure Security (Salesforce network and Linux environment)
Contact:
James Sale, Principal Technical Recruiter, Trust team, Salesforce
jsale@salesforce.com
415-633-6059
linkedin.com/in/jamesgsale
Java Serialization 101: The Big Picture
A Java instance is serialized into a byte stream and deserialized back from it:
00000000 AC ED 00 05 73 72 00 11 62 6F 6E 68 6F 6D 6D 65 ....sr..bonhomme
00000010 2E 43 61 72 6E 61 76 61 6C 20 51 75 65 62 65 63 .Carnaval Quebec
00000020 20 02 00 00 78 70 ...xp
instance → serialize → byte stream → deserialize → instance
Java Serialization 101
Convert a Java instance to/from a binary stream
• Used for persistence (file, database blob)
• Used for transmission (RMI: Remote Method Invocation)
Java API:
• ObjectOutputStream: to serialize (write)
• ObjectInputStream: to deserialize (read)
• The JVM knows how to (de)serialize primitive types
• The JVM uses reflection and Unsafe to (de)serialize the members of any given class
• The class must implement the interface java.io.Serializable
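The round trip described on this slide, as an added example (not code from the talk): a small Serializable class goes through ObjectOutputStream and back through ObjectInputStream, and the resulting bytes are dumped in the same layout as the slide so the STREAM_MAGIC, class name and serialVersionUID can be spotted. The Ticket class and its field names are invented for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Round trip of a tiny Serializable class through ObjectOutputStream /
// ObjectInputStream, then a look at the bytes that were produced.
// Example code added here; Ticket is made up for the demo and is not the
// talk's bonhomme.Carnaval class.
public class SerializationRoundTrip {

    // Any class that goes through Java serialization must implement
    // java.io.Serializable. The explicit serialVersionUID is written into the
    // stream right after the class name; this value spells " Quebec " in ASCII,
    // like the one in the slide's hex dump.
    static class Ticket implements Serializable {
        private static final long serialVersionUID = 0x2051756562656320L;
        int seat;        // primitive: the JVM knows how to write/read it
        String holder;   // reference field: handled through reflection

        Ticket(int seat, String holder) { this.seat = seat; this.holder = holder; }
    }

    // ObjectOutputStream.writeObject(): instance -> bytes
    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    // ObjectInputStream.readObject(): bytes -> instance. This is the call a
    // deserialization endpoint exposes to whoever controls the bytes.
    static Ticket deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return (Ticket) ois.readObject();
        }
    }

    // Hex dump in the slide's layout: offset, 16 bytes, printable ASCII.
    static String hexDump(byte[] data) {
        StringBuilder sb = new StringBuilder();
        for (int off = 0; off < data.length; off += 16) {
            sb.append(String.format("%08X ", off));
            StringBuilder ascii = new StringBuilder();
            for (int i = off; i < off + 16; i++) {
                if (i < data.length) {
                    sb.append(String.format("%02X ", data[i]));
                    char c = (char) (data[i] & 0xFF);
                    ascii.append(c >= 0x20 && c < 0x7F ? c : '.');
                } else {
                    sb.append("   ");
                }
            }
            sb.append(ascii).append('\n');
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        byte[] stream = serialize(new Ticket(42, "bonhomme"));

        // Every stream starts with STREAM_MAGIC (AC ED) and STREAM_VERSION (00 05);
        // that is how a reviewer recognises serialized Java in traffic or a blob.
        boolean magicOk = (stream[0] & 0xFF) == 0xAC && (stream[1] & 0xFF) == 0xED
                && stream[2] == 0x00 && stream[3] == 0x05;
        System.out.println("STREAM_MAGIC/VERSION present: " + magicOk);
        System.out.print(hexDump(stream));

        Ticket back = deserialize(stream);
        System.out.println("seat=" + back.seat + " holder=" + back.holder);
    }
}
```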
What could possibly go wrong?
Some classes require special handling:
• writeObject() and readObject() methods
• e.g. java.math.BigDecimal
An application is vulnerable if:
• it deserializes untrusted input,
• and existing classes on the classpath have an “unsecure” readObject() method.
The readObject() methods can be chained and abused:
• “gadget”, in reference to ROP gadgets
• Similarly, some other methods can also be abused (covered later): the “Magic Methods”
Prior Art (pre-2016)
Date      | Type                 | Product                    | Researcher(s)                    | Reference
Apr 2005  | DOS                  | JRE                        | Marc Schönefeld                  | CVE-2004-2540
Aug 2008  | Applet->RCE          | JRE                        | Sami Koivu                       | CVE-2008-5353
Apr 2010  | Applet->RCE          | JRE                        | Sami Koivu                       | CVE-2010-0094
Mar 2010  | DOS                  | Sun Java Web Console       | Luca Carettoni                   | Source Code
Sept 2011 | RCE                  | Spring Framework           | Wouter Coekaerts                 | CVE-2011-2894
Oct 2012  | RCE                  | IBM Cognos BI              | Pierre Ernst                     | CVE-2012-4858
Feb 2013  | File Write->RCE      | Apache OpenJPA             | Pierre Ernst                     | CVE-2013-1768
Mar 2013  | File Write->RCE      | Apache Tomcat              | Pierre Ernst                     | CVE-2013-2185
July 2015 | RCE                  | Apache Groovy              | "cpnrodzc7"                      | CVE-2015-3253
Aug 2015  | Buffer Overflow->RCE | Android                    | Or Peles & Roee Hay              | CVE-2015-3837
Nov 2015  | RCE                  | Apache Commons Collections | Chris Frohoff & Gabriel Lawrence | CVE-2015-7450
Nov 2015  | DOS                  | JRE                        | Wouter Coekaerts                 | Source Code
Attack Surfaces: Endpoints Vs. Gadgets
Attacker → malicious serialized input → Vulnerable Service (JVM)
1. Deserialization endpoint (Vulnerable.class on the classpath):
bonhomme.Carnaval instance =
    (bonhomme.Carnaval) in.readObject();
2. Gadget (bonhomme.Carnaval.class on the classpath): deserialization calls its “magic” method
private void readObject(ObjectInputStream in) {
}
What are the “Magic” methods?
Class is vulnerable if it has a “magic” method that can be abused:
• readObject()
• readResolve()
• validateObject()
• readObjectNoData()
• readExternal()
• finalize()
• <init>()
How can magic methods be abused?
Any side effect with security impact:
• File I/O
• Network I/O
• Code injection
• Denial of service
• …
Java Memory Exhaustion
Pervasive problem, found for example in:
• com.sun.xml.internal.ws.protocol.xml.XMLMessageException
• java.util.concurrent.CopyOnWriteArrayList
• java.util.logging.LogRecord
• java.util.PriorityQueue
• org.apache.catalina.tribes.membership.MemberImpl
private void readObject(ObjectInputStream in)
        throws IOException, ClassNotFoundException {
    int len = in.readInt();              // controlled by attacker
    this.parameters = new Object[len];   // memory exhaustion
    // ...
}
Endpoint is vulnerable if it deserializes the user’s input:
java.io.ObjectInputStream ois =
    new java.io.ObjectInputStream(/* contains user’s input */);
ois.readObject();
/* OR */
ois.readUnshared();
JMX untrusted deserialization
CVE-2016-3427
Fixed in Java 8 Update 91 (April 2016)
JMX = Java Management eXtensions
• API for managing/monitoring resources
• Client-Server on TCP/IP
• Optional features:
  • TLS socket
  • Authentication
Prior JMX vulnerabilities
Abusing existing features: Tomcat JMX, retrieving all the session ids
RCE with MLet (only vulnerable when authentication is not enabled):
• evil.org → victim.com: JMX connect
• evil.org → victim.com: createMBean javax.management.loading.MLet
• victim.com loads the evil bean
• evil.org → victim.com: invoke
Source:
• Exploiting JMX RMI
• Class MLet
JMX Connection Strings
a.k.a. JMX “URLs”
service:jmx:rmi://bonhomme.local:10002/jndi/rmi://bonhomme.local:10001/jmxrmi
• rmi://bonhomme.local:10002 → JMX endpoint
• rmi://bonhomme.local:10001/jmxrmi → Naming Registry
How many times did you read “RMI”?
• The JMX connection string format is future-proof
• It might use other transport technologies in the future
• But it relies on RMI for now
We can use RMI directly to connect to a JMX server
Connecting to JMX with RMI (directly)
service:jmx:rmi://bonhomme.local:10002/jndi/rmi://bonhomme.local:10001/jmxrmi
Registry registry = LocateRegistry.getRegistry("bonhomme.local", 10001);
RMIServer rmiServer = (RMIServer) registry.lookup("jmxrmi");
RMIConnection rmiConnection = rmiServer.newClient(new String[]{
        "tomcat", "secret"});
What is RMI again?
RMI:
• Client-Server network protocol
• RPC-style
• Uses serialization
RMI Call: the newClient() request on the wire. After the Call byte (50) comes a serialized stream (AC ED 00 05) carrying the String[] credentials "tomcat" and "secret":
00000000 50 AC ED 00 05 77 22 A1 F2 A2 CB 82 19 D4 02 D0 P....w".........
00000010 70 E5 1A 00 00 01 57 52 A7 43 A2 80 01 FF FF FF p.....WR.C......
00000020 FF F0 E0 74 EA AD 0C AE A8 75 72 00 13 5B 4C 6A ...t.....ur..[Lj
00000030 61 76 61 2E 6C 61 6E 67 2E 53 74 72 69 6E 67 3B ava.lang.String;
00000040 AD D2 56 E7 E9 1D 7B 47 02 00 00 70 78 70 00 00 ..V...{G...pxp..
00000050 00 02 74 00 06 74 6F 6D 63 61 74 74 00 06 73 65 ..t..tomcatt..se
00000060 63 72 65 74 cret
RMIServer API
https://docs.oracle.com/javase/8/docs/api/javax/management/remote/rmi/RMIServer.html
Deserialization happens before authentication can even take place
The Blame Game
Where do we fix it?
1. “Applications should never deserialize untrusted input”
vs.
2. “3rd party libraries should only have secure magic methods”
Defense in Depth: in both places!
Making “magic” methods more secure
• Does the class really need to be serializable?
• Can we add input validation?
  • Prevent path traversal
  • Prevent resource exhaustion
  • …
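The readObject() shape from the memory-exhaustion slide beside a version with the input validation this slide asks for, as an added example that is not code from the talk or from any of the libraries it names. The class and field names are invented; the stream with the oversized length is built by rewriting the length record of a stream the demo serialized itself.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example: a length-prefixed array read in readObject(), once without
// and once with validation. Classes and names are made up for the demo.
public class BoundedReadObject {

    // Vulnerable shape (as on the memory-exhaustion slide): the length comes
    // straight from the stream and the array is allocated before anything else
    // is checked, so a stream claiming Integer.MAX_VALUE elements ends in an
    // OutOfMemoryError instead of a clean validation failure.
    static class Unbounded implements Serializable {
        private static final long serialVersionUID = 1L;
        transient Object[] parameters = new Object[0];

        private void writeObject(ObjectOutputStream out) throws IOException {
            out.defaultWriteObject();
            out.writeInt(parameters.length);
            for (Object p : parameters) out.writeObject(p);
        }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            int len = in.readInt();                 // controlled by whoever wrote the stream
            this.parameters = new Object[len];      // allocation before any check
            for (int i = 0; i < len; i++) parameters[i] = in.readObject();
        }
    }

    // Hardened shape: same wire format, but the length is range-checked against
    // an application-level cap before allocation, and a bad value is reported
    // as an InvalidObjectException.
    static class Bounded implements Serializable {
        private static final long serialVersionUID = 1L;
        static final int MAX_PARAMETERS = 64;       // cap chosen for this demo

        transient Object[] parameters = new Object[0];

        private void writeObject(ObjectOutputStream out) throws IOException {
            out.defaultWriteObject();
            out.writeInt(parameters.length);
            for (Object p : parameters) out.writeObject(p);
        }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            int len = in.readInt();
            if (len < 0 || len > MAX_PARAMETERS) {
                throw new InvalidObjectException("parameter count out of range: " + len);
            }
            this.parameters = new Object[len];
            for (int i = 0; i < len; i++) parameters[i] = in.readObject();
        }
    }

    // Serializes an empty Bounded, then rewrites the 4-byte length that
    // writeInt() left in its block-data record (77 04 <int> 78), standing in
    // for a stream whose length field was chosen by someone else.
    static byte[] streamWithClaimedLength(int claimed) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new Bounded());
        }
        byte[] s = bos.toByteArray();
        byte[] marker = {0x77, 0x04, 0x00, 0x00, 0x00, 0x00, 0x78};
        int at = lastIndexOf(s, marker);
        if (at < 0) throw new IllegalStateException("length record not found");
        s[at + 2] = (byte) (claimed >>> 24);
        s[at + 3] = (byte) (claimed >>> 16);
        s[at + 4] = (byte) (claimed >>> 8);
        s[at + 5] = (byte) claimed;
        return s;
    }

    static int lastIndexOf(byte[] hay, byte[] needle) {
        outer:
        for (int i = hay.length - needle.length; i >= 0; i--) {
            for (int j = 0; j < needle.length; j++) {
                if (hay[i + j] != needle[j]) continue outer;
            }
            return i;
        }
        return -1;
    }

    public static void main(String[] args) throws Exception {
        byte[] honest = streamWithClaimedLength(0);
        byte[] hostile = streamWithClaimedLength(Integer.MAX_VALUE);
        for (byte[] s : new byte[][] {honest, hostile}) {
            try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(s))) {
                Bounded b = (Bounded) ois.readObject();
                System.out.println("accepted, parameters=" + b.parameters.length);
            } catch (InvalidObjectException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
        // Unbounded would reach new Object[Integer.MAX_VALUE] on the second
        // stream; the check in Bounded turns that into a rejected input.
    }
}
```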
Fix: Java API change
today:
bonhomme.Carnaval obj = (bonhomme.Carnaval) ois.readObject();
tomorrow?
bonhomme.Carnaval obj =
    ois.readObject(bonhomme.Carnaval.class);
Mitigation: Sandboxing
Deserialization inside a block protected by a Security Manager
Could prevent “malicious” calls:
• File R/W access
• Process creation
• Network access
• …
Not recommended:
• Hard to fine-tune: what is legitimately required?
• Known to be broken, e.g. CVE-2013-4444: code inside finalize() can be abused
Mitigation: Class Name Input Validation
Look-ahead Java deserialization, Jan 2013, Pierre Ernst
Concept used by various validation libraries:
• SerialKiller, by Luca Carettoni
• contrast-rO0, by Contrast Security
• JDK enhancement proposal #290 and CERT Secure Coding SER12-J
We want to validate which classes get deserialized.
The Object Serialization Stream Protocol defines a class description that precedes the object data:
00000000 AC ED 00 05 73 72 00 11 62 6F 6E 68 6F 6D 6D 65 ....sr..bonhomme
00000010 2E 43 61 72 6E 61 76 61 6C 20 51 75 65 62 65 63 .Carnaval Quebec
00000020 20 02 00 00 78 70 ...xp
  AC ED                     STREAM_MAGIC
  00 05                     STREAM_VERSION
  73                        TC_OBJECT
  72                        TC_CLASSDESC
  00 11 62 6F … 61 6C       className (length 0x11 = 17, "bonhomme.Carnaval")
  20 51 75 65 62 65 63 20   serialVersionUID (8 bytes, here " Quebec ")
  02                        classDescFlags
  00 00                     fields (count 0)
  78                        TC_ENDBLOCKDATA
  70                        TC_NULL (no superclass description)
So we could use our own binary parser to decide whether we should stop reading …
… or use the existing Java API that allows us to add our own validation hook.
Adding your own validation hook
Look-ahead Java deserialization
Callback provided by Java, normally used for custom class loading:
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;

public class LookAheadObjectInputStream extends ObjectInputStream {
    public LookAheadObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        // Refuse any class other than the one this endpoint expects
        if (!desc.getName().equals("bonhomme.Carnaval")) {
            throw new InvalidClassException(
                    "Unauthorized deserialization attempt",
                    desc.getName());
        }
        return super.resolveClass(desc);
    }
}
Two ways of validating class names
Look-ahead Java deserialization
• White-listing classes that are OK to deserialize
  • Tedious; impossible in a real-life scenario?
• Black-listing classes known to have “bad” “magic” methods
  • a.k.a. Whack-a-mole
  • Known to be broken (Alvaro Muñoz & Christian Schneider, RSA Conference, 2016-03-04)
A “magic” method that itself opens a new ObjectInputStream on attacker-controlled input:
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;

public class NestedProblems implements Serializable {
    private void readObject(ObjectInputStream in)
            throws IOException, ClassNotFoundException {
        // The inner stream is a fresh ObjectInputStream: a resolveClass()
        // override on the outer stream does not apply to it
        ObjectInputStream ois = new ObjectInputStream(
                /* attacker controlled input */);
        ois.readObject();
    }
}
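The look-ahead hook from the resolveClass() slide and the nested-stream problem just shown, expressed with the JEP 290 java.io.ObjectInputFilter API (Java 9 and later; 8u121 has the same API as sun.misc.ObjectInputFilter), as an added example that is not code from the talk. The Carnaval and Nested classes are invented for the demo; what it shows is that a filter set on one stream misses classes read by a nested ObjectInputStream, while the process-wide filter catches them.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;

// Added example, not code from the talk: look-ahead class validation with
// java.io.ObjectInputFilter (JEP 290). Class names other than the JDK's are
// made up for the demo.
public class Jep290LookAhead {

    static class Carnaval implements Serializable {
        private static final long serialVersionUID = 1L;
        String theme = "Quebec";
    }

    // Stand-in for the NestedProblems pattern: opens its own ObjectInputStream
    // on bytes it received while being deserialized.
    static class Nested implements Serializable {
        private static final long serialVersionUID = 1L;
        byte[] inner;
        Object result;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            // A filter set on the outer stream does not reach this stream;
            // the process-wide filter (ObjectInputFilter.Config) does.
            try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(inner))) {
                result = ois.readObject();
            }
        }
    }

    // Whitelist plus resource limits. maxdepth/maxarray/maxrefs bound nesting,
    // array allocation and graph size (the denial-of-service vector); "!*"
    // rejects every class not matched by an earlier pattern. java.lang.String
    // is listed so the theme field passes on JDKs that filter strings too.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxarray=1000;maxrefs=100;"
            + "Jep290LookAhead$Carnaval;Jep290LookAhead$Nested;java.lang.String;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Per-stream filter, the way a single endpoint would be hardened.
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected class: accepted.
        Object c = readFiltered(serialize(new Carnaval()));
        System.out.println("Carnaval -> " + c.getClass().getSimpleName());

        // A class outside the whitelist, carried inside the nested stream.
        // With only the outer stream filtered, the inner ArrayList gets through.
        Nested n = new Nested();
        n.inner = serialize(new ArrayList<String>());
        Nested back = (Nested) readFiltered(serialize(n));
        System.out.println("nested, outer filter only -> " + back.result.getClass().getName());

        // Same filter installed process-wide (what -Djdk.serialFilter=... does
        // from the command line): every ObjectInputStream in the JVM consults
        // it, the nested one included, and the ArrayList is rejected.
        ObjectInputFilter.Config.setSerialFilter(FILTER);
        try {
            readFiltered(serialize(n));
            System.out.println("nested, process-wide filter -> accepted");
        } catch (InvalidClassException e) {
            System.out.println("nested, process-wide filter -> rejected: " + e.getMessage());
        }
    }
}
```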
Class Name Input Validation Bypass
Black List mode
New (not on the black list):
• org.apache.webbeans.inject.impl.InjectionPointImpl
• org.apache.webbeans.inject.instance.InstanceImpl
• org.apache.webbeans.event.EventImpl
Only an issue if using the black list mode
• Fixed in Apache TomEE 7.0.1 (June 2016)
• Fixed in Apache OpenWebBeans 1.5.0 (October 2015)
Mitigation: Look-ahead Method Blacklist Input Validation
For each class x.y.z about to be deserialized:
• Does it have “magic” methods? No → accept.
• Yes → analyze each magic method for the methods it calls (methodA, methodB, …).
• Are any of the called methods on the black list (method1, method2, …)? No → accept. Yes → reject.
Check it out
Source code with POC implementation published
https://goo.gl/rOpF0u
Mitigation
Putting everything together:
• Security Manager
• Look-ahead class name validation
  • Whitelisting
  • Blacklisting
• Look-ahead method blacklisting
Serialization:
1. Don’t use it
2. Class name whitelisting
3. Method blacklisting

Monitoring @ Scale in Salesforce
 
Performance Tuning with XHProf
Performance Tuning with XHProfPerformance Tuning with XHProf
Performance Tuning with XHProf
 
A Smarter Pig: Building a SQL interface to Pig using Apache Calcite
A Smarter Pig: Building a SQL interface to Pig using Apache CalciteA Smarter Pig: Building a SQL interface to Pig using Apache Calcite
A Smarter Pig: Building a SQL interface to Pig using Apache Calcite
 
Implementing a Content Strategy Is Like Running 100 Miles
Implementing a Content Strategy Is Like Running 100 MilesImplementing a Content Strategy Is Like Running 100 Miles
Implementing a Content Strategy Is Like Running 100 Miles
 
Salesforce Cloud Infrastructure and Challenges - A Brief Overview
Salesforce Cloud Infrastructure and Challenges - A Brief OverviewSalesforce Cloud Infrastructure and Challenges - A Brief Overview
Salesforce Cloud Infrastructure and Challenges - A Brief Overview
 
Koober Preduction IO Presentation
Koober Preduction IO PresentationKoober Preduction IO Presentation
Koober Preduction IO Presentation
 
Finding Security Issues Fast!
Finding Security Issues Fast!Finding Security Issues Fast!
Finding Security Issues Fast!
 
Microservices
MicroservicesMicroservices
Microservices
 
Global State Management of Micro Services
Global State Management of Micro ServicesGlobal State Management of Micro Services
Global State Management of Micro Services
 
The Future of Hbase
The Future of HbaseThe Future of Hbase
The Future of Hbase
 

Último

Indian Dairy Industry Present Status and.ppt
Indian Dairy Industry Present Status and.pptIndian Dairy Industry Present Status and.ppt
Indian Dairy Industry Present Status and.pptMadan Karki
 
Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...121011101441
 
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)Dr SOUNDIRARAJ N
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AIabhishek36461
 
IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024Mark Billinghurst
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort servicejennyeacort
 
Transport layer issues and challenges - Guide
Transport layer issues and challenges - GuideTransport layer issues and challenges - Guide
Transport layer issues and challenges - GuideGOPINATHS437943
 
Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girlsssuser7cb4ff
 
Introduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxIntroduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxk795866
 
8251 universal synchronous asynchronous receiver transmitter
8251 universal synchronous asynchronous receiver transmitter8251 universal synchronous asynchronous receiver transmitter
8251 universal synchronous asynchronous receiver transmitterShivangiSharma879191
 
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionDr.Costas Sachpazis
 
Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile servicerehmti665
 
Solving The Right Triangles PowerPoint 2.ppt
Solving The Right Triangles PowerPoint 2.pptSolving The Right Triangles PowerPoint 2.ppt
Solving The Right Triangles PowerPoint 2.pptJasonTagapanGulla
 
Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.eptoze12
 
lifi-technology with integration of IOT.pptx
lifi-technology with integration of IOT.pptxlifi-technology with integration of IOT.pptx
lifi-technology with integration of IOT.pptxsomshekarkn64
 
Correctly Loading Incremental Data at Scale
Correctly Loading Incremental Data at ScaleCorrectly Loading Incremental Data at Scale
Correctly Loading Incremental Data at ScaleAlluxio, Inc.
 
Risk Assessment For Installation of Drainage Pipes.pdf
Risk Assessment For Installation of Drainage Pipes.pdfRisk Assessment For Installation of Drainage Pipes.pdf
Risk Assessment For Installation of Drainage Pipes.pdfROCENODodongVILLACER
 
Electronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdfElectronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdfme23b1001
 

Último (20)

🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
 
Indian Dairy Industry Present Status and.ppt
Indian Dairy Industry Present Status and.pptIndian Dairy Industry Present Status and.ppt
Indian Dairy Industry Present Status and.ppt
 
Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...
 
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AI
 
IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
 
Transport layer issues and challenges - Guide
Transport layer issues and challenges - GuideTransport layer issues and challenges - Guide
Transport layer issues and challenges - Guide
 
Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girls
 
Introduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxIntroduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptx
 
8251 universal synchronous asynchronous receiver transmitter
8251 universal synchronous asynchronous receiver transmitter8251 universal synchronous asynchronous receiver transmitter
8251 universal synchronous asynchronous receiver transmitter
 
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
 
Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile service
 
Solving The Right Triangles PowerPoint 2.ppt
Solving The Right Triangles PowerPoint 2.pptSolving The Right Triangles PowerPoint 2.ppt
Solving The Right Triangles PowerPoint 2.ppt
 
Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.
 
Design and analysis of solar grass cutter.pdf
Design and analysis of solar grass cutter.pdfDesign and analysis of solar grass cutter.pdf
Design and analysis of solar grass cutter.pdf
 
lifi-technology with integration of IOT.pptx
lifi-technology with integration of IOT.pptxlifi-technology with integration of IOT.pptx
lifi-technology with integration of IOT.pptx
 
Correctly Loading Incremental Data at Scale
Correctly Loading Incremental Data at ScaleCorrectly Loading Incremental Data at Scale
Correctly Loading Incremental Data at Scale
 
Risk Assessment For Installation of Drainage Pipes.pdf
Risk Assessment For Installation of Drainage Pipes.pdfRisk Assessment For Installation of Drainage Pipes.pdf
Risk Assessment For Installation of Drainage Pipes.pdf
 
Electronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdfElectronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdf
 

Fixing the Java Serialization Mess

  • 8. What could possibly go wrong?
     Slides: https://goo.gl/rOpF0u
     Some classes require special handling:
     • writeObject() and readObject() methods
     • e.g. java.math.BigDecimal
     An application is vulnerable if:
     • it deserializes untrusted input,
     • and classes on its classpath have an insecure readObject() method.
     The readObject() methods can be chained and abused:
     • a "gadget", by analogy with ROP gadgets
     • Some other methods can be abused in the same way (covered later): the "magic methods"
  • 9. Prior Art (pre-2016)
     Date      | Type                   | Product                    | Researcher(s)                    | Reference
     Apr 2005  | DoS                    | JRE                        | Marc Schönefeld                  | CVE-2004-2540
     Aug 2008  | Applet -> RCE          | JRE                        | Sami Koivu                       | CVE-2008-5353
     Apr 2010  | Applet -> RCE          | JRE                        | Sami Koivu                       | CVE-2010-0094
     Mar 2010  | DoS                    | Sun Java Web Console       | Luca Carettoni                   | Source code
     Sept 2011 | RCE                    | Spring Framework           | Wouter Coekaerts                 | CVE-2011-2894
     Oct 2012  | RCE                    | IBM Cognos BI              | Pierre Ernst                     | CVE-2012-4858
     Feb 2013  | File write -> RCE      | Apache OpenJPA             | Pierre Ernst                     | CVE-2013-1768
     Mar 2013  | File write -> RCE      | Apache Tomcat              | Pierre Ernst                     | CVE-2013-2185
     July 2015 | RCE                    | Apache Groovy              | "cpnrodzc7"                      | CVE-2015-3253
     Aug 2015  | Buffer overflow -> RCE | Android                    | Or Peles & Roee Hay              | CVE-2015-3837
     Nov 2015  | RCE                    | Apache Commons Collections | Chris Frohoff & Gabriel Lawrence | CVE-2015-7450
     Nov 2015  | DoS                    | JRE                        | Wouter Coekaerts                 | Source code
  • 10. Attack Surfaces: Endpoints vs. Gadgets
     (1) Endpoint: the attacker sends malicious serialized input (Vulnerable.class) to a vulnerable service, which deserializes it:
         bonhomme.Carnaval instance = (bonhomme.Carnaval) in.readObject();
     (2) Gadget: while deserializing, the JVM calls the "magic" method of a class found on the classpath (bonhomme.Carnaval.class):
         private void readObject(ObjectInputStream in) { ... }
  • 11. Agenda (repeated as a section divider throughout the deck)
     Introduction to Java serialization
     Attack vectors
     Serialization Gadgets
     • Demo: Denial of Service
     Deserialization endpoints
     • Demo: JMX (CVE-2016-3427)
     Mitigation
     • Against Serialization Gadgets
     • Against Deserialization endpoints
     • Demo: Bypassing Apache TomEE look-ahead class name blacklist
     • New concept: Look-ahead method blacklist
  • 12. What are the "magic" methods?
     A class is vulnerable if it has a "magic" method that can be abused:
     • readObject()
     • readResolve()
     • validateObject()
     • readObjectNoData()
     • readExternal()
     • finalize()
     • <init>() (the constructor)
  • 13. How can magic methods be abused?
     • File I/O
     • Network I/O
     • Code injection
     • Denial of service
     • ... any side effect with security impact
  • 15. Java Memory Exhaustion: a pervasive problem
     Classes whose readObject() allocates an array sized by a length read from the stream include:
     • com.sun.xml.internal.ws.protocol.xml.XMLMessageException
     • java.util.concurrent.CopyOnWriteArrayList
     • java.util.logging.LogRecord
     • java.util.PriorityQueue
     • org.apache.catalina.tribes.membership.MemberImpl

     private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
         int len = in.readInt();              // controlled by the attacker
         this.parameters = new Object[len];   // memory exhaustion
         // ...
     }
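The pattern above, with the fix a library author would apply. This is an added example and not code from the deck; the class name HardenedParameters, the bound MAX_PARAMETERS, and the hand-built hostile stream are this example's own assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

// Added example (not from the slides). readObject() keeps the slide's shape,
// "int len = in.readInt(); parameters = new Object[len];", but bounds len before
// allocating and grows storage only as elements actually arrive on the stream.
public class HardenedParameters implements Serializable {
    private static final long serialVersionUID = 1L;
    // Upper bound chosen for this example; a real class derives it from its own semantics.
    static final int MAX_PARAMETERS = 1024;

    private transient Object[] parameters;   // written by hand in writeObject(), as on the slide

    public HardenedParameters(Object... parameters) { this.parameters = parameters.clone(); }

    public int parameterCount() { return parameters.length; }

    private void writeObject(ObjectOutputStream out) throws IOException {
        out.defaultWriteObject();
        out.writeInt(parameters.length);
        for (Object p : parameters) out.writeObject(p);
    }

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        int len = in.readInt();                      // still controlled by the attacker
        if (len < 0 || len > MAX_PARAMETERS) {       // reject before any allocation happens
            throw new InvalidObjectException("parameter count out of range: " + len);
        }
        // Do not pre-size on len: each element costs the attacker at least one stream byte,
        // so even a generous bound cannot turn a few bytes of input into gigabytes of heap.
        List<Object> read = new ArrayList<>();
        for (int i = 0; i < len; i++) read.add(in.readObject());
        this.parameters = read.toArray();
    }

    // A stream that claims Integer.MAX_VALUE parameters (constructed here as the hostile input).
    static byte[] hostileStream() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(new HardenedParameters());   // zero parameters
        }
        byte[] b = bos.toByteArray();
        int n = b.length;
        // The stream ends with TC_BLOCKDATA(0x77) len(0x04) <int len> TC_ENDBLOCKDATA(0x78);
        // overwrite the int with 0x7FFFFFFF.
        if (b[n - 7] != 0x77 || b[n - 6] != 0x04 || b[n - 1] != 0x78) {
            throw new IllegalStateException("unexpected stream layout");
        }
        b[n - 5] = 0x7F; b[n - 4] = (byte) 0xFF; b[n - 3] = (byte) 0xFF; b[n - 2] = (byte) 0xFF;
        return b;
    }

    /** true when the hardened readObject() rejects the hostile count instead of allocating it. */
    static boolean rejectsHostileCount() throws IOException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(hostileStream()))) {
            in.readObject();
            return false;
        } catch (InvalidObjectException expected) {
            return true;
        } catch (ClassNotFoundException e) {
            throw new IOException(e);
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println("hostile length rejected: " + rejectsHostileCount());
    }
}
```

With the slide's original two lines in place of the bound check, the same stream ends in an OutOfMemoryError at `new Object[len]`; with the check, readObject() fails fast with InvalidObjectException and nothing is allocated.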
  • 18. An endpoint is vulnerable if it deserializes the user's input:
     java.io.ObjectInputStream ois = new java.io.ObjectInputStream(/* contains the user's input */);
     ois.readObject();
     /* OR */
     ois.readUnshared();
  • 20. JMX untrusted deserialization: CVE-2016-3427
     Fixed in Java 8 Update 91 (April 2016)
     JMX = Java Management eXtensions
     • API for managing/monitoring resources
     • Client-server over TCP/IP
     • Optional features: TLS socket, authentication
  • 21. Prior JMX vulnerabilities: abusing existing features
     Example: Tomcat JMX, retrieving all the session ids.
  • 22. Prior JMX vulnerabilities: RCE with MLet
     Only vulnerable when authentication is not enabled.
     Attack flow (evil.org -> victim.com):
     1. JMX connect
     2. createMBean javax.management.loading.MLet
     3. load the evil bean (served from evil.org)
     4. invoke
     Sources: "Exploiting JMX RMI"; class MLet
  • 23. JMX connection strings (a.k.a. JMX "URLs")
     service:jmx:rmi://bonhomme.local:10002/jndi/rmi://bonhomme.local:10001/jmxrmi
     • rmi://bonhomme.local:10001/jmxrmi : naming registry
     • rmi://bonhomme.local:10002 : JMX endpoint
     How many times did you read "RMI"?
     • The JMX connection string format is transport-agnostic
     • It might use other transport technologies in the future
     • But it relies on RMI for now.
     So we can use RMI directly to connect to a JMX server.
  • 24. Connecting to JMX with RMI (directly)
     service:jmx:rmi://bonhomme.local:10002/jndi/rmi://bonhomme.local:10001/jmxrmi

     import java.rmi.registry.LocateRegistry;
     import java.rmi.registry.Registry;
     import javax.management.remote.rmi.RMIConnection;
     import javax.management.remote.rmi.RMIServer;

     // inside a method declared "throws Exception"
     Registry registry = LocateRegistry.getRegistry("bonhomme.local", 10001);        // naming registry
     RMIServer rmiServer = (RMIServer) registry.lookup("jmxrmi");                     // stub of the JMX endpoint
     RMIConnection rmiConnection = rmiServer.newClient(new String[]{ "tomcat", "secret" }); // credentials travel as a serialized Object
  • 25. What is RMI again?
     RMI: client-server network protocol, RPC-style, uses serialization.
     RMI call (newClient with the credentials from slide 24):
     00000000 50 AC ED 00 05 77 22 A1 F2 A2 CB 82 19 D4 02 D0 P....w".........
     00000010 70 E5 1A 00 00 01 57 52 A7 43 A2 80 01 FF FF FF p.....WR.C......
     00000020 FF F0 E0 74 EA AD 0C AE A8 75 72 00 13 5B 4C 6A ...t.....ur..[Lj
     00000030 61 76 61 2E 6C 61 6E 67 2E 53 74 72 69 6E 67 3B ava.lang.String;
     00000040 AD D2 56 E7 E9 1D 7B 47 02 00 00 70 78 70 00 00 ..V...{G...pxp..
     00000050 00 02 74 00 06 74 6F 6D 63 61 74 74 00 06 73 65 ..t..tomcatt..se
     00000060 63 72 65 74 cret
  • 29. The Blame Game: where do we fix it?
     1. "Applications should never deserialize untrusted input"
     vs.
     2. "3rd-party libraries should only have secure magic methods"
  • 32. Making "magic" methods more secure
     • Does the class really need to be serializable?
     • Can we add input validation?
       • Prevent path traversal
       • Prevent resource exhaustion
       • ...
  • 34. Fix: Java API change
     today:
         bonhomme.Carnaval obj = (bonhomme.Carnaval) ois.readObject();
     tomorrow?
         bonhomme.Carnaval obj = ois.readObject(bonhomme.Carnaval.class);
  • 35. Mitigation: Sandboxing
     Deserialization inside a block protected by a Security Manager could prevent "malicious" calls:
     • File R/W access
     • Process creation
     • Network access
     • ...
     Not recommended:
     • Hard to fine-tune: what is legitimately required?
     • Known to be broken, e.g. CVE-2013-4444: code inside finalize() can be abused
  • 36. Mitigation: Class Name Input Validation
     "Look-ahead Java deserialization", Jan 2013, Pierre Ernst
     Concept used by various validation libraries:
     • SerialKiller, by Luca Carettoni
     • contrast-rO0, by Contrast Security
     • JDK Enhancement Proposal 290 and CERT Secure Coding rule SER12-J
     We want to validate which classes get deserialized.
     The Object Serialization Stream Protocol defines a class description that precedes the object data:
     00000000 AC ED 00 05 73 72 00 11 62 6F 6E 68 6F 6D 6D 65 ....sr..bonhomme
     00000010 2E 43 61 72 6E 61 76 61 6C 20 51 75 65 62 65 63 .Carnaval Quebec
     00000020 20 02 00 00 78 70 ...xp
     AC ED              STREAM_MAGIC
     00 05              STREAM_VERSION
     73                 TC_OBJECT
     72                 TC_CLASSDESC
     00 11 62 6F ... 6C className (length-prefixed UTF: "bonhomme.Carnaval")
     20 51 75 65 62 65 63 20 serialVersionUID (8 bytes)
     02                 classDescFlags (SC_SERIALIZABLE)
     00 00              fields (count = 0)
     78                 TC_ENDBLOCKDATA
     70                 TC_NULL (no superclass description)
     So we could use our own binary parser to decide whether we should stop reading,
     or use the existing Java API that allows us to add our own validation hook.
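The "own binary parser" option from the slide, as an added example that is not code from the deck: it reads only the stream header and the first class description, which is enough to take an allow-list decision before ObjectInputStream sees a single byte. The class name ClassDescPeek and the allow-list are this example's own; the sample stream is the slide's hex dump, rebuilt byte for byte. Set.of() needs Java 9 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.StreamCorruptedException;
import java.util.Set;

// Added example (not from the slides): a minimal look-ahead parser over the
// Object Serialization Stream Protocol header and first class description.
public final class ClassDescPeek {
    static final int STREAM_MAGIC = 0xACED, STREAM_VERSION = 0x0005;
    static final int TC_NULL = 0x70, TC_CLASSDESC = 0x72, TC_OBJECT = 0x73,
                     TC_STRING = 0x74, TC_ARRAY = 0x75, TC_ENDBLOCKDATA = 0x78;

    /** Class name of the stream's first object ("java.lang.String" for a bare string, "null" for TC_NULL). */
    public static String peekClassName(byte[] stream) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(stream));
        if (in.readUnsignedShort() != STREAM_MAGIC) throw new StreamCorruptedException("bad STREAM_MAGIC");
        if (in.readUnsignedShort() != STREAM_VERSION) throw new StreamCorruptedException("bad STREAM_VERSION");
        int tc = in.readUnsignedByte();
        switch (tc) {
            case TC_OBJECT:
            case TC_ARRAY:
                if (in.readUnsignedByte() != TC_CLASSDESC) {
                    // TC_REFERENCE and TC_PROXYCLASSDESC are not handled here: refuse rather than guess
                    throw new StreamCorruptedException("expected TC_CLASSDESC");
                }
                String className = in.readUTF();   // 2-byte length + modified UTF-8, as the protocol defines
                in.readLong();                     // serialVersionUID
                in.readUnsignedByte();             // classDescFlags
                in.readUnsignedShort();            // field count; the fields are not needed for the decision
                return className;
            case TC_STRING:
                return "java.lang.String";
            case TC_NULL:
                return "null";
            default:
                throw new StreamCorruptedException(String.format("unexpected type code 0x%02x", tc));
        }
    }

    /** Allow-list decision taken before ObjectInputStream sees the bytes; malformed input is rejected. */
    public static boolean allowed(byte[] stream, Set<String> allowList) {
        try {
            return allowList.contains(peekClassName(stream));
        } catch (IOException malformed) {
            return false;
        }
    }

    /** The slide's stream, constructed here: class bonhomme.Carnaval, SUID " Quebec ", no fields. */
    static byte[] slideStream() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeShort(STREAM_MAGIC);
        out.writeShort(STREAM_VERSION);
        out.writeByte(TC_OBJECT);
        out.writeByte(TC_CLASSDESC);
        out.writeUTF("bonhomme.Carnaval");      // 00 11 + 17 bytes
        out.writeLong(0x2051756562656320L);     // serialVersionUID, reads as " Quebec " in the hex dump
        out.writeByte(0x02);                    // classDescFlags: SC_SERIALIZABLE
        out.writeShort(0);                      // no fields
        out.writeByte(TC_ENDBLOCKDATA);         // no class annotation
        out.writeByte(TC_NULL);                 // no superclass description
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        byte[] stream = slideStream();
        System.out.println(peekClassName(stream));                           // bonhomme.Carnaval
        System.out.println(allowed(stream, Set.of("bonhomme.Carnaval")));   // true
        System.out.println(allowed(stream, Set.of("java.util.HashMap")));    // false
    }
}
```

This only decides on the top-level class; objects nested inside it are still resolved by ObjectInputStream, so the resolveClass() hook or a JDK serialization filter is still needed for those.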
  • 37. Look-ahead Java deserialization: adding your own validation hook
     resolveClass() is a callback provided by Java, normally used for custom class loading.

     import java.io.IOException;
     import java.io.InputStream;
     import java.io.InvalidClassException;
     import java.io.ObjectInputStream;
     import java.io.ObjectStreamClass;

     public class LookAheadObjectInputStream extends ObjectInputStream {

         public LookAheadObjectInputStream(InputStream in) throws IOException {
             super(in);
         }

         @Override
         protected Class<?> resolveClass(ObjectStreamClass desc)
                 throws IOException, ClassNotFoundException {
             // Called with the class description before any instance of it is created
             if (!desc.getName().equals("bonhomme.Carnaval")) {
                 throw new InvalidClassException(desc.getName(), "Unauthorized deserialization attempt");
             }
             return super.resolveClass(desc);
         }
     }
  • 38. Look-ahead Java deserialization: two ways of validating class names
     • White-listing classes that are OK to deserialize
       • Tedious; impossible in a real-life scenario?
     • Black-listing classes known to have "bad" "magic" methods
       • a.k.a. whack-a-mole
       • Known to be broken: RSA Conference, 2016-03-04, Alvaro Muñoz and Christian Schneider
     A nested stream escapes the hook of the outer stream:

     import java.io.ByteArrayInputStream;
     import java.io.IOException;
     import java.io.ObjectInputStream;
     import java.io.Serializable;

     public class NestedProblems implements Serializable {
         private byte[] payload;   // attacker-controlled bytes, filled in by the default field mechanism

         private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
             in.defaultReadObject();
             // A fresh, plain ObjectInputStream: the outer stream's resolveClass() hook is never consulted
             ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload));
             ois.readObject();
         }
     }
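The nested-stream problem from slide 38 and the JEP 290 filter mentioned on slide 36, side by side, as an added example that is not code from the deck. It uses the java.io.ObjectInputFilter API (Java 9 or later); the class name FilterDemo, the Carrier gadget, the allow-list pattern and java.util.ArrayList standing in for "a class we did not expect" are this example's own. A per-stream filter set with setObjectInputFilter() behaves like the resolveClass() hook and misses the nested stream; the process-wide filter from Config.setSerialFilter() is inherited by every ObjectInputStream, nested ones included. Because the process-wide filter can only be installed once per JVM, main() runs the per-stream case first.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;

// Added example (not from the slides): stream-scoped vs. process-wide JEP 290 filters
// against a gadget whose readObject() opens a second ObjectInputStream.
public final class FilterDemo {

    // The NestedProblems pattern from the slide: a carrier whose readObject() deserializes its payload.
    public static final class Carrier implements Serializable {
        private static final long serialVersionUID = 1L;
        private final byte[] inner;
        Carrier(byte[] inner) { this.inner = inner; }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            try (ObjectInputStream nested = new ObjectInputStream(new ByteArrayInputStream(inner))) {
                nested.readObject();   // no per-stream filter here; only the process-wide one applies
            }
        }
    }

    // Allow only the carrier; "!*" rejects every other class (primitive arrays such as byte[] are undecided, i.e. pass).
    static final String PATTERN = "FilterDemo$Carrier;!*";

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // The constructed payload: a Carrier wrapping a serialized ArrayList, which the pattern does not allow.
    static byte[] payload() throws IOException {
        return serialize(new Carrier(serialize(new ArrayList<>())));
    }

    /** true if the nested ArrayList was deserialized despite the per-stream filter (filter bypassed). */
    static boolean streamFilterIsBypassed() throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload()))) {
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(PATTERN));
            in.readObject();    // Carrier is allowed; the nested stream is never filtered
            return true;
        } catch (InvalidClassException rejected) {
            return false;
        }
    }

    /** true if the process-wide filter rejects the ArrayList read by the nested stream. */
    static boolean globalFilterBlocksNested() throws IOException, ClassNotFoundException {
        ObjectInputFilter.Config.setSerialFilter(ObjectInputFilter.Config.createFilter(PATTERN));
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload()))) {
            in.readObject();
            return false;
        } catch (InvalidClassException rejected) {
            return true;        // "filter status: REJECTED" raised inside Carrier.readObject()
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("per-stream filter bypassed by nested stream: " + streamFilterIsBypassed());   // true
        System.out.println("process-wide filter blocks nested stream:    " + globalFilterBlocksNested()); // true
    }
}
```

The same process-wide filter can be installed without code through the jdk.serialFilter system property or security property; the pattern syntax is the one accepted by createFilter().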
  • 40. Class Name Input Validation Bypass (black-list mode)
     Gadget classes missing from the Apache TomEE look-ahead black list (new):
     • org.apache.webbeans.inject.impl.InjectionPointImpl
     • org.apache.webbeans.inject.instance.InstanceImpl
     • org.apache.webbeans.event.EventImpl
     Only an issue if using the black-list mode.
     • Fixed in Apache TomEE 7.0.1 (June 2016)
     • Fixed in Apache OpenWebBeans 1.5.0 (October 2015)
  • 43. Mitigation: Look-ahead Method Blacklist Input Validation
     For each class x.y.z seen in the stream:
     1. Does it have magic methods? No -> accept.
     2. Yes -> analyze the magic method and list the methods it calls (methodA, methodB, ...).
     3. Is any called method on the black list (method1, method2, ...)? Yes -> reject; no -> accept.
  • 44. Check it out: source code with a PoC implementation has been published.
  • 45. Mitigation: putting everything together
     • Security Manager
     • Look-ahead class name validation
       • Whitelisting
       • Blacklisting
     • Look-ahead method blacklisting
  • 46. Serialization:
     1. Don't use it
     2. Class name whitelisting
     3. Method blacklisting

Speaker notes

  1. AC ED 00 05: remember this.
  2. The root cause is *NOT* a weak boundary between data & code. Magic methods are not always present.
  3. Successful exploitation requires both attack surfaces.
  4. The attacker can control anything that has been read from the stream, or any member that has been deserialized with the default behavior.
  5. It would be nice if we could send something other than String[]…
  6. Vulnerable even if authentication is enabled (it happens before). Tomcat is used as an example.
  7. New argument: Class or Class[].
  8. We strongly encourage you to stop using deserialization altogether.
  9. For lack of a better name…
  10. A Security Manager is not enough, but it still adds value.