research-article

A hybrid analysis to detect Java serialisation vulnerabilities

Authors:

Jens DietrichAuthors Info & Claims

ASE '20: Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering

Pages 1209 - 1213

https://doi.org/10.1145/3324884.3418931

Published: 27 January 2021 Publication History

Abstract

Serialisation related security vulnerabilities have recently been reported for numerous Java applications. Since serialisation presents both soundness and precision challenges for static analysis, it can be difficult for analyses to precisely pinpoint serialisation vulnerabilities in a Java library. In this paper, we propose a hybrid approach that extends a static analysis with fuzzing to detect serialisation vulnerabilities. The novelty of our approach is in its use of a heap abstraction to direct fuzzing for vulnerabilities in Java libraries. This guides fuzzing to produce results quickly and effectively, and it validates static analysis reports automatically. Our approach shows potential as it can detect known serialisation vulnerabilities in the Apache Commons Collections library.

References

[1]

Steven Arzt, Siegfried Rasthofer, and Eric Bodden. 2013. SuSi: A Tool for the Fully Automated Classification and Categorization of Android Sources and Sinks.

[2]

Joshua Bloch. 2008. Effective Java (2nd Edition) (The Java Series) (2 ed.). Prentice Hall PTR, NJ, USA.

Digital Library

[3]

Marcel Böhme, Van-Thuan Pham, Manh-Dung Nguyen, and Abhik Roychoudhury. 2017. Directed Greybox Fuzzing. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (Dallas, Texas, USA) (CCS âĂ&Zacute;17). Association for Computing Machinery, New York, NY, USA, 2329âĂŞ2344.

Digital Library

[4]

Chandrasekhar Boyapati, Sarfraz Khurshid, and Darko Marinov. 2002. Korat: Automated Testing Based on Java Predicates. SIGSOFT Softw. Eng. Notes 27, 4 (July 2002), 123--133.

Digital Library

[5]

Martin Bravenboer and Yannis Smaragdakis. 2009. Strictly Declarative Specification of Sophisticated Points-to Analyses. In Proceedings of the 24th ACM SIGPLAN Conference on Object Oriented Programming Systems Languages and Applications (Orlando, Florida, USA) (OOPSLA '09). ACM, New York, NY, USA, 243--262.

Digital Library

[6]

Cristina Cifuentes, Andrew Gross, and Nathan Keynes. 2015. Understanding Caller-sensitive Method Vulnerabilities: A Class of Access Control Vulnerabilities in the Java Platform. In Proceedings SOAP'15. ACM, 7--12.

Digital Library

[7]

Ilinca Ciupa, Andreas Leitner, Manuel Oriol, and Bertrand Meyer. 2007. Experimental Assessment of Random Testing for Object-oriented Software. In Proceedings of the 2007 International Symposium on Software Testing and Analysis (London, United Kingdom) (ISSTA '07). ACM, New York, NY, USA, 84--94.

Digital Library

[8]

Koen Claessen and John Hughes. 2011. QuickCheck: A Lightweight Tool for Random Testing of Haskell Programs. SIGPLAN Not. 46, 4 (May 2011), 53âĂŞ64.

Digital Library

[9]

Christoph Csallner and Yannis Smaragdakis. 2004. JCrasher: An Automatic Robustness Tester for Java. Softw. Pract. Exper. 34, 11 (Sept. 2004), 1025--1050.

Digital Library

[10]

Christoph Csallner and Yannis Smaragdakis. 2005. Check 'N' Crash: Combining Static Checking and Testing. In Proceedings of the 27th International Conference on Software Engineering (St. Louis, MO, USA) (ICSE '05). ACM, New York, NY, USA, 422--431.

Digital Library

[11]

CVE Details 2015. CVE-2015-3253 (Vulnerability in Groovy). https://www.cvedetails.com/cve/CVE-2015-3253/. [Online; accessed 25-May-2020].

[12]

CVE Details 2015. CVE-2015-4852 (Vulnerability in Oracle WebLogic Server). http://www.cvedetails.com/cve/CVE-2015-4852 [Online; accessed 25-May-2020].

[13]

CVE Details 2016. CVE-2016-1000031 (Vulnerability in Struts). https://www.cvedetails.com/cve/CVE-2016-1000031. [Online; accessed 25-May-2020].

[14]

CVE Details 2016. CVE-2016-4000 (Vulnerability in Jython). https://www.cvedetails.com/cve/CVE-2016-4000/. [Online; accessed 25-May-2020].

[15]

Johannes Dahse, Nikolai Krein, and Thorsten Holz. 2014. Code Reuse Attacks in PHP: Automated POP Chain Generation. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (Scottsdale, Arizona, USA) (CCS '14). ACM, New York, NY, USA, 42--53.

Digital Library

[16]

Jens Dietrich, Kamil Jezek, Shawn Rasheed, Amjed Tahir, and Alex Potanin. 2017. Evil Pickles: DoS Attacks Based on Object-Graph Engineering. In 31st European Conference on Object-Oriented Programming, ECOOP 2017, June 19--23, 2017, Barcelona, Spain (LIPIcs), Peter Müller (Ed.), Vol. 74. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 10:1--10:32.

[17]

Christopher Frohoff and Gabriel Lawrence. 2015. Marshalling Pickles. http://frohoff.github.io/appseccali-marshalling-pickles/ [Online; accessed 25-May-2020].

[18]

Christopher Frohoff and Gabriel Lawrence. 2015. ysoserial (A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.). https://github.com/frohoff/ysoserial [Online; accessed 25-August-2020].

[19]

Ian Haken. 2018. Automated Discovery of Deserialization Gadget Chains. https://i.blackhat.com/us-18/Thu-August-9/us-18-Haken-Automated-Discovery-of-Deserialization-Gadget-Chains-wp.pdf [Online; accessed 25-May-2020].

[20]

Maurice P Herlihy and Barbara Liskov. 1982. A value transmission method for abstract data types. ACM Transactions on Programming Languages and Systems (TOPLAS) 4, 4 (1982), 527--551.

Digital Library

[21]

Philipp Holzinger, Stefan Triller, Alexandre Bartel, and Eric Bodden. 2016. An In-Depth Study of More Than Ten Years of Java Exploitation. In Proceedings CCS'16. ACM.

Digital Library

[22]

Karthick Jayaraman, David Harvison, Vijay Ganesh, and Adam Kiezun. 2009. jFuzz: A Concolic Whitebox Fuzzer for Java. In NASA Formal Methods.

[23]

Vini Kanvar and Uday P. Khedker. 2016. Heap Abstractions for Static Analysis. ACM Comput. Surv. 49, 2, Article 29 (June 2016), 47 pages.

Digital Library

[24]

Rody Kersten, Kasper Luckow, and Corina S. Păsăreanu. 2017. POSTER: AFL-based Fuzzing for Java with Kelinci. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (Dallas, Texas, USA) (CCS '17). ACM, New York, NY, USA, 2511--2513.

Digital Library

[25]

Benjamin Livshits, Manu Sridharan, Yannis Smaragdakis, Ondřej Lhoták, J. Nelson Amaral, Bor-Yuh Evan Chang, Samuel Z. Guyer, Uday P. Khedker, Anders Moller, and Dimitrios Vardoulakis. 2015. In Defense of Soundiness: A Manifesto. Commun. ACM 58, 2 (Jan. 2015), 44--46.

Digital Library

[26]

Valentin J. M. Manès, HyungSeok Han, Choongwoo Han, Sang Kil Cha, Manuel Egele, Edward J. Schwartz, and Maverick Woo. 2018. Fuzzing: Art, Science, and Engineering. CoRR abs/1812.00140 (2018). arXiv:1812.00140 http://arxiv.org/abs/1812.00140

[27]

Barton P. Miller, Louis Fredriksen, and Bryan So. 1990. An Empirical Study of the Reliability of UNIX Utilities. Commun. ACM 33, 12 (Dec. 1990), 32--44.

Digital Library

[28]

A. Muñoz and C. Schneider. 2016. The Perils of Java Deserialization. https://community.hpe.com/t5/Security-Research/The-perils-of-Java-deserialization/ba-p/6838995#.WECzUsJ96cY [Online; accessed 25-May-2020].

[29]

Carlos Pacheco and Michael D. Ernst. 2007. Randoop: Feedback-directed Random Testing for Java. In Companion to the 22Nd ACM SIGPLAN Conference on Object-oriented Programming Systems and Applications Companion (Montreal, Quebec, Canada) (OOPSLA '07). ACM, New York, NY, USA, 815--816.

Digital Library

[30]

Rohan Padhye, Caroline Lemieux, Koushik Sen, Mike Papadakis, and Yves Le Traon. 2019. Semantic Fuzzing with Zest. In Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis (Beijing, China) (ISSTA 2019). Association for Computing Machinery, New York, NY, USA, 329âĂŞ340.

Digital Library

[31]

S. Shamshiri, R. Just, J. M. Rojas, G. Fraser, P. McMinn, and A. Arcuri. 2015. Do Automatically Generated Unit Tests Find Real Faults? An Empirical Study of Effectiveness and Challenges (T). In 2015 30th IEEE/ACM International Conference on Automated Software Engineering (ASE). 201--211.

[32]

Manu Sridharan, Denis Gopan, Lexin Shan, and Rastislav Bodík. 2005. Demand-driven Points-to Analysis for Java. SIGPLAN Not. 40, 10 (Oct. 2005), 59--76.

Digital Library

[33]

Arshan Dabirsiaghi Stefano Di Paola. 2016. Expression Language Injection. https://www.mindedsecurity.com/fileshare/ExpressionLanguageInjection.pdf. https://www.mindedsecurity.com/fileshare/ExpressionLanguageInjection.pdf [Online; accessed 25-May-2020].

[34]

Li Sui, Jens Dietrich, Michael Emery, Shawn Rasheed, and Amjed Tahir. 2018. On the Soundness of Call Graph Construction in the Presence of Dynamic Language Features - A Benchmark and Tool Evaluation. In Programming Languages and Systems, Sukyoung Ryu (Ed.). Springer International Publishing, Cham.

[35]

Li Sui, Jens Dietrich, Amjed Tahir, and George Fourtounis. 2020. On the Recall of Static Call Graph Construction in Practice. In 2020 IEEE/ACM 42nd International Conference on Software Engineering (ICSE).

[36]

Michal Zalewski. 2017. American Fuzzy Lop (AFL). http://lcamtuf.coredump.cx/afl/technical_details.txt. http://lcamtuf.coredump.cx/afl/technical_details.txt [Online; accessed 25-May-2020].

Cited By

Kreyssig BBartel A(2024)Analyzing Prerequistes of known Deserializtion Vulnerabilities on Java ApplicationsProceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering10.1145/3661167.3661176(28-37)Online publication date: 18-Jun-2024
https://dl.acm.org/doi/10.1145/3661167.3661176
Liu XWang HXu MZhang Y(2024)SerdeSniffer: Enhancing Java Deserialization Vulnerability Detection with Function SummariesComputer Security – ESORICS 202410.1007/978-3-031-70896-1_9(174-193)Online publication date: 6-Sep-2024
https://doi.org/10.1007/978-3-031-70896-1_9
Luo YCui B(2024)Rev Gadget: A Java Deserialization Gadget Chains Discover Tool Based on Reverse Semantics and Taint AnalysisAdvances in Internet, Data & Web Technologies10.1007/978-3-031-53555-0_22(229-240)Online publication date: 14-Feb-2024
https://doi.org/10.1007/978-3-031-53555-0_22
Show More Cited By

Recommendations

Data-flow based vulnerability analysis and java bytecode
ACS'07: Proceedings of the 7th Conference on 7th WSEAS International Conference on Applied Computer Science - Volume 7

The security of information systems has been the focus because of network applications. Vulnerability analysis is widely used to evaluate the security of a system to assure system security. With the help of vulnerability analysis, the security risk of a ...
Static Analysis of Object References in RMI-Based Java Software

Distributed applications provide numerous advantages related to software performance, reliability, interoperability, and extensibility. This paper focuses on distributed Java programs built with the help of the Remote Method Invocation (RMI) mechanism. ...
Java virtual machine support for object serialization
JGI '01: Proceedings of the 2001 joint ACM-ISCOPE conference on Java Grande

Distributed computing has become increasingly popular in the high performance community. Java's Remote Method Invocation (RMI) provides a simple, yet powerful method for implementing parallel algorithms. The performance of RMI has been less than ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

ASE '20: Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering

December 2020

1449 pages

ISBN:9781450367684

DOI:10.1145/3324884

General Chair:
John Grundy,
Program Chairs:
Claire Le Goues,
David Lo

Copyright © 2020 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

In-Cooperation

IEEE CS

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 27 January 2021

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

ASE '20

Sponsor:

ASE '20: 35th IEEE/ACM International Conference on Automated Software Engineering

December 21 - 25, 2020

Virtual Event, Australia

Acceptance Rates

Overall Acceptance Rate 82 of 337 submissions, 24%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

13
Total Citations
View Citations
452
Total Downloads

Downloads (Last 12 months)81
Downloads (Last 6 weeks)11

Reflects downloads up to 05 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Kreyssig BBartel A(2024)Analyzing Prerequistes of known Deserializtion Vulnerabilities on Java ApplicationsProceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering10.1145/3661167.3661176(28-37)Online publication date: 18-Jun-2024
https://dl.acm.org/doi/10.1145/3661167.3661176
Liu XWang HXu MZhang Y(2024)SerdeSniffer: Enhancing Java Deserialization Vulnerability Detection with Function SummariesComputer Security – ESORICS 202410.1007/978-3-031-70896-1_9(174-193)Online publication date: 6-Sep-2024
https://doi.org/10.1007/978-3-031-70896-1_9
Luo YCui B(2024)Rev Gadget: A Java Deserialization Gadget Chains Discover Tool Based on Reverse Semantics and Taint AnalysisAdvances in Internet, Data & Web Technologies10.1007/978-3-031-53555-0_22(229-240)Online publication date: 14-Feb-2024
https://doi.org/10.1007/978-3-031-53555-0_22
Li RKong XGuo WGuo JLi HZhang F(2024)Boosting Multimode Ruling in DHR Architecture With Metamorphic RelationsSoftware Testing, Verification and Reliability10.1002/stvr.189034:7Online publication date: 23-Jul-2024
https://doi.org/10.1002/stvr.1890
Srivastava PToffalini FVorobyov KGauthier FBianchi APayer MChandra SBlincoe KTonella P(2023)Crystallizer: A Hybrid Path Analysis Framework to Aid in Uncovering Deserialization VulnerabilitiesProceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3611643.3616313(1586-1597)Online publication date: 30-Nov-2023
https://dl.acm.org/doi/10.1145/3611643.3616313
Cao SHe BSun XOuyang YZhang CWu XSu TBo LLi BMa CLi JWei T(2023)ODDFuzz: Discovering Java Deserialization Vulnerabilities via Structure-Aware Directed Greybox Fuzzing2023 IEEE Symposium on Security and Privacy (SP)10.1109/SP46215.2023.10179377(2726-2743)Online publication date: May-2023
https://doi.org/10.1109/SP46215.2023.10179377
Li WLu HSun YSu SQiu JTian Z(2023)Improving Precision of Detecting Deserialization Vulnerabilities with Bytecode Analysis2023 IEEE/ACM 31st International Symposium on Quality of Service (IWQoS)10.1109/IWQoS57198.2023.10188756(1-2)Online publication date: 19-Jun-2023
https://doi.org/10.1109/IWQoS57198.2023.10188756
Cao SSun XWu XBo LLi BWu RLiu WHe BOuyang YLi J(2023)Improving Java Deserialization Gadget Chain Mining via Overriding-Guided Object Generation2023 IEEE/ACM 45th International Conference on Software Engineering (ICSE)10.1109/ICSE48619.2023.00044(397-409)Online publication date: May-2023
https://doi.org/10.1109/ICSE48619.2023.00044
Chen XWang BJin ZFeng YLi XFeng XLiu Q(2023)Tabby: Automated Gadget Chain Detection for Java Deserialization Vulnerabilities2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)10.1109/DSN58367.2023.00028(179-192)Online publication date: Jun-2023
https://doi.org/10.1109/DSN58367.2023.00028
Antal GHegedűs PHerczeg ZLóki GFerenc R(2023)Is JavaScript Call Graph Extraction Solved Yet? A Comparative Study of Static and Dynamic ToolsIEEE Access10.1109/ACCESS.2023.325598411(25266-25284)Online publication date: 2023
https://doi.org/10.1109/ACCESS.2023.3255984
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents