Fixing the Java Serialization mess
Pierre Ernst, HackFest.ca 2016
https://goo.gl/rOpF0u
Agenda
Introduction to Java serialization
Attack vectors
• Serialization Gadgets
  • Demo: Denial of Service
• Deserialization endpoints
  • Demo: JMX (CVE-2016-3427)
Mitigation
• Against Serialization Gadgets
• Against Deserialization endpoints
• Demo: Bypassing Apache TomEE look-ahead class name blacklist
• New concept: Look-ahead method blacklist
Pierre Ernst
linkedin.com/in/pernst
@e_rnst
Software development background
Secure Code Review
Found security vulnerabilities in applications made by: [word cloud of vendor names, image not reproduced; generated with http://www.wordle.net]
Trust team, Salesforce (https://research.trust.salesforce.com/)
Salesforce is hiring application security engineers for:
• Enterprise Security (Vendor applications)
• Product Security (Salesforce web applications)
• Infrastructure Security (Salesforce network and Linux environment)
Contact: James Sale, Principal Technical Recruiter, jsale@salesforce.com, 415-633-6059, linkedin.com/in/jamesgsale
The Big Picture: Java Serialization 101
[diagram, not reproduced: a Java object is serialized into the byte stream below and deserialized back from it]
00000000 AC ED 00 05 73 72 00 11 62 6F 6E 68 6F 6D 6D 65 ....sr..bonhomme
00000010 2E 43 61 72 6E 61 76 61 6C 20 51 75 65 62 65 63 .Carnaval Quebec
00000020 20 02 00 00 78 70 ...xp
(serialize produces the stream above; deserialize consumes it)
Java Serialization 101
Convert a Java instance to/from a binary stream
• Used for persistence (file, database blob)
• Used for transmission (RMI: Remote Method Invocation)
Java API:
• ObjectOutputStream: to serialize (write)
• ObjectInputStream: to deserialize (read)
• The JVM knows how to (de)serialize primitive types
• The JVM uses reflection and Unsafe to (de)serialize the members of any given class: on the way in, the object is created without running the constructors of the serializable class itself (only the no-arg constructor of its first non-serializable superclass runs), and its fields are set directly
• The class must implement the marker interface java.io.Serializable
Section: Attack vectors
What could possibly go wrong?
Some classes require special handling
• writeObject() and readObject() methods
• e.g.: java.math.BigDecimal
An application is vulnerable if:
• it deserializes untrusted input,
• and classes present on its classpath have an "unsecure" readObject() method
The readObject() methods can be chained and abused
• "gadget", by analogy with ROP gadgets
• Similarly, some other methods can also be abused (the "Magic Methods", covered later)
Prior Art (pre-2016)
Date       Type                  Product                     Researcher(s)                     Reference
Apr 2005   DOS                   JRE                         Marc Schönefeld                   CVE-2004-2540
Aug 2008   Applet->RCE           JRE                         Sami Koivu                        CVE-2008-5353
Apr 2010   Applet->RCE           JRE                         Sami Koivu                        CVE-2010-0094
Mar 2010   DOS                   Sun Java Web Console        Luca Carettoni                    Source Code
Sept 2011  RCE                   Spring Framework            Wouter Coekaerts                  CVE-2011-2894
Oct 2012   RCE                   IBM Cognos BI               Pierre Ernst                      CVE-2012-4858
Feb 2013   File Write->RCE       Apache OpenJPA              Pierre Ernst                      CVE-2013-1768
Mar 2013   File Write->RCE       Apache Tomcat               Pierre Ernst                      CVE-2013-2185
July 2015  RCE                   Apache Groovy               "cpnrodzc7"                       CVE-2015-3253
Aug 2015   Buffer Overflow->RCE  Android                     Or Peles & Roee Hay               CVE-2015-3837
Nov 2015   RCE                   Apache Commons Collections  Chris Frohoff & Gabriel Lawrence  CVE-2015-7450
Nov 2015   DOS                   JRE                         Wouter Coekaerts                  Source Code
Attack Surfaces: Endpoints Vs. Gadgets
[diagram, not reproduced: the attacker sends malicious serialized input to the vulnerable service, whose JVM deserializes it against the classes on its classpath (Vulnerable.class, bonhomme.Carnaval.class, ...)]
Two things have to line up:
1. Endpoint: the vulnerable service deserializes the input
   bonhomme.Carnaval instance =
       (bonhomme.Carnaval) in.readObject();
2. Gadget: a class on the classpath whose "magic" method the JVM calls during deserialization
   private void readObject
       (ObjectInputStream in) {
   }
Note that the cast to bonhomme.Carnaval only happens after readObject() returns: by then the readObject() of every class named in the stream has already run.
Section: Serialization Gadgets
What are the "Magic" methods?
A class is vulnerable if it has a "magic" method that can be abused:
• readObject()
• readResolve()
• validateObject()
• readObjectNoData()
• readExternal()
• finalize()
• <init>() (the no-arg constructor of the first non-serializable superclass, which does run during deserialization)
How can magic methods be abused?
Any side effect with security impact:
• File I/O
• Network I/O
• Code injection
• Denial of service
• …
Section: Demo: Denial of Service
Java Memory Exhaustion
Pervasive problem; classes with this pattern include:
• com.sun.xml.internal.ws.protocol.xml.XMLMessageException
• java.util.concurrent.CopyOnWriteArrayList
• java.util.logging.LogRecord
• java.util.PriorityQueue
• org.apache.catalina.tribes.membership.MemberImpl
private void readObject(ObjectInputStream in)
        throws IOException, ClassNotFoundException {
    int len = in.readInt();               // controlled by attacker
    this.parameters = new Object[len];    // memory exhaustion
    // ...
}
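The pattern above, as an added example that is not code from the talk: a class with the slide's readObject() beside a hardened version, and a constructed stream whose length field is rewritten to Integer.MAX_VALUE before it is fed back to each class. The class names (BoundedReadObject, Unbounded, Bounded), the 1024 limit and the one-element sample object are assumptions for the demo; the vulnerable class is deliberately kept as on the slide.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Arrays;

public class BoundedReadObject {

    /** Same shape as the slide's snippet: the element count is read from the stream and trusted. */
    static final class Unbounded implements Serializable {
        private static final long serialVersionUID = 1L;
        transient Object[] parameters;

        Unbounded(Object... parameters) { this.parameters = parameters; }

        private void writeObject(ObjectOutputStream out) throws IOException {
            out.defaultWriteObject();
            out.writeInt(parameters.length);
            for (Object p : parameters) out.writeObject(p);
        }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            int len = in.readInt();                // controlled by attacker
            this.parameters = new Object[len];     // allocated in full before a single element is read
            for (int i = 0; i < len; i++) parameters[i] = in.readObject();
        }
    }

    /** Hardened variant: the declared count is bounded before anything is allocated. */
    static final class Bounded implements Serializable {
        private static final long serialVersionUID = 1L;
        static final int MAX_PARAMETERS = 1024;    // assumed application limit
        transient Object[] parameters;

        Bounded(Object... parameters) { this.parameters = parameters; }

        private void writeObject(ObjectOutputStream out) throws IOException {
            out.defaultWriteObject();
            out.writeInt(parameters.length);
            for (Object p : parameters) out.writeObject(p);
        }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            int len = in.readInt();
            if (len < 0 || len > MAX_PARAMETERS) {
                throw new InvalidObjectException("parameters length out of range: " + len);
            }
            Object[] tmp = new Object[len];        // at most MAX_PARAMETERS references
            for (int i = 0; i < len; i++) tmp[i] = in.readObject();
            this.parameters = tmp;                 // only published once fully read
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /**
     * Constructed attack: take a legitimate one-element stream and rewrite the length that writeInt()
     * emitted (TC_BLOCKDATA, 4 bytes, int 1) to Integer.MAX_VALUE. Nothing else in the stream changes.
     */
    static byte[] forgeLength(byte[] stream) {
        byte[] marker = { 0x77, 0x04, 0x00, 0x00, 0x00, 0x01 };
        byte[] forged = stream.clone();
        for (int i = 0; i + marker.length <= forged.length; i++) {
            if (Arrays.equals(Arrays.copyOfRange(forged, i, i + marker.length), marker)) {
                forged[i + 2] = 0x7F;
                forged[i + 3] = (byte) 0xFF;
                forged[i + 4] = (byte) 0xFF;
                forged[i + 5] = (byte) 0xFF;
                return forged;
            }
        }
        throw new IllegalStateException("length field not found");
    }

    static String attempt(byte[] stream) {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(stream))) {
            return "accepted " + in.readObject().getClass().getSimpleName();
        } catch (OutOfMemoryError e) {              // caught only so this demo can report the denial of service
            return "OutOfMemoryError: " + e.getMessage();
        } catch (IOException | ClassNotFoundException e) {
            return "rejected: " + e;
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println(attempt(serialize(new Unbounded(42))));               // legitimate stream
        System.out.println(attempt(serialize(new Bounded(42))));                 // legitimate stream
        System.out.println(attempt(forgeLength(serialize(new Unbounded(42)))));  // forged length, vulnerable class
        System.out.println(attempt(forgeLength(serialize(new Bounded(42)))));    // forged length, hardened class
    }
}
```

The forged stream is otherwise valid, so the hardened class only sees the problem because it checks the count itself; a real attacker would pick a length just below the heap size rather than Integer.MAX_VALUE so that the allocation succeeds and starves the process instead of failing fast.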
Section: Deserialization endpoints
Endpoint is vulnerable if it deserializes the user's input:
java.io.ObjectInputStream ois =
    new java.io.ObjectInputStream(/* contains user's input */);
ois.readObject();
/* OR */
ois.readUnshared();
Section: Demo: JMX (CVE-2016-3427)
JMX untrusted deserialization: CVE-2016-3427
JMX = Java Management eXtensions
• API for managing/monitoring resources
• Client-Server on TCP/IP
• Optional features: TLS socket, Authentication
Fixed in Java 8 Update 91 (April 2016)
Prior JMX vulnerabilities: abusing existing features
• Tomcat JMX: retrieving all the session ids
• RCE with MLet: the attacker at evil.org connects to JMX on victim.com, calls createMBean for javax.management.loading.MLet, has it load an evil bean from evil.org, then invokes it
• Only possible when authentication is not enabled
Sources: "Exploiting JMX RMI"; the javax.management.loading.MLet class documentation
JMX Connection Strings (a.k.a. JMX "URLs")
How many times did you read "RMI"?
service:jmx:rmi://bonhomme.local:10002/jndi/rmi://bonhomme.local:10001/jmxrmi
• rmi://bonhomme.local:10002 is the JMX endpoint (the RMIServer remote object)
• rmi://bonhomme.local:10001/jmxrmi is the naming registry entry that points to it
• The JMX connection string format is future-proof and might use other transport technologies in the future, but it relies on RMI for now.
• So we can use RMI directly to connect to a JMX server.
Connecting to JMX with RMI (directly), for service:jmx:rmi://bonhomme.local:10002/jndi/rmi://bonhomme.local:10001/jmxrmi:
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import javax.management.remote.rmi.RMIConnection;
import javax.management.remote.rmi.RMIServer;

// 1. Ask the naming registry on port 10001 for the stub bound under "jmxrmi"
Registry registry = LocateRegistry.getRegistry("bonhomme.local", 10001);
RMIServer rmiServer = (RMIServer) registry.lookup("jmxrmi");
// 2. Open a client connection on the JMX endpoint; the credentials are sent as a serialized Object
RMIConnection rmiConnection = rmiServer.newClient(new String[]{
        "tomcat", "secret"});
(lookup() and newClient() throw checked exceptions: RemoteException/NotBoundException and IOException.)
What is RMI again?
RMI:
• Client-Server network protocol
• RPC-style
• Uses serialization
RMI Call (the newClient() call above, on the wire):
00000000 50 AC ED 00 05 77 22 A1 F2 A2 CB 82 19 D4 02 D0 P....w".........
00000010 70 E5 1A 00 00 01 57 52 A7 43 A2 80 01 FF FF FF p.....WR.C......
00000020 FF F0 E0 74 EA AD 0C AE A8 75 72 00 13 5B 4C 6A ...t.....ur..[Lj
00000030 61 76 61 2E 6C 61 6E 67 2E 53 74 72 69 6E 67 3B ava.lang.String;
00000040 AD D2 56 E7 E9 1D 7B 47 02 00 00 70 78 70 00 00 ..V...{G...pxp..
00000050 00 02 74 00 06 74 6F 6D 63 61 74 74 00 06 73 65 ..t..tomcatt..se
00000060 63 72 65 74 cret
Reading it: 50 is the RMI "Call" message; AC ED 00 05 opens a serialization stream; the block-data record 77 22 carries the target ObjID, the operation number (FF FF FF FF) and the method hash; then comes the serialized argument, a String[] (TC_ARRAY, TC_CLASSDESC "[Ljava.lang.String;") of length 2 holding "tomcat" and "secret".
RMIServer API: https://docs.oracle.com/javase/8/docs/api/javax/management/remote/rmi/RMIServer.html
newClient(Object credentials) takes an arbitrary Object, and RMI deserializes that argument while unmarshalling the call, before the server-side implementation gets to look at it: deserialization happens before authentication can even take place.
Section: Mitigation
The Blame Game: where do we fix it?
1. "Applications should never deserialize untrusted input"
vs.
2. "3rd party libraries should only have secure magic methods"
Defense in Depth: in both places!
Section: Mitigation against Serialization Gadgets
Making "magic" methods more secure
Does the class really need to be serializable?
Can we add input validation?
• Prevent path traversal
• Prevent resource exhaustion
• …
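Added example (not code from the talk) of both questions on this slide, applied to the "File Write" gadget shape from the Prior Art table: a class whose readObject() validates a deserialized path against a base directory before it can reach any file API, and a class that opts out of serialization entirely because it never needs to cross a trust boundary. SafeMagicMethods, SpoolEntry, ConfigHolder and the spool directory under java.io.tmpdir are assumptions for the demo; the four input names are constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class SafeMagicMethods {

    /** Assumed spool directory: the only place a deserialized entry may point to. */
    static final Path BASE = Paths.get(System.getProperty("java.io.tmpdir"), "spool")
            .toAbsolutePath().normalize();

    /** The "File Write" gadget shape: a string from the stream becomes a file name. */
    static final class SpoolEntry implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String relativeName;   // travels in the stream, so it is attacker data
        private transient Path resolved;     // derived state, rebuilt and validated in readObject()

        SpoolEntry(String relativeName) { this.relativeName = relativeName; }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            // Validate before the value can reach any file API; throw rather than silently "fix" it.
            this.resolved = confine(BASE, relativeName);
        }

        Path path() { return resolved; }
    }

    /** Rejects missing, rooted or absolute names and anything that escapes base after normalisation. */
    static Path confine(Path base, String name) throws InvalidObjectException {
        if (name == null || name.isEmpty()) throw new InvalidObjectException("missing file name");
        Path p;
        try {
            p = Paths.get(name);
        } catch (InvalidPathException e) {
            throw new InvalidObjectException("malformed file name: " + e.getMessage());
        }
        if (p.isAbsolute() || p.getRoot() != null) throw new InvalidObjectException("rooted path not allowed: " + name);
        Path resolved = base.resolve(p).normalize();
        if (!resolved.startsWith(base)) throw new InvalidObjectException("path escapes base directory: " + name);
        return resolved;
    }

    /** "Does the class really need to be serializable?" If an interface forces the marker on you, opt out explicitly. */
    static final class ConfigHolder implements Serializable {
        private static final long serialVersionUID = 1L;
        private void writeObject(ObjectOutputStream out) throws IOException {
            throw new NotSerializableException(ConfigHolder.class.getName());
        }
        private void readObject(ObjectInputStream in) throws IOException {
            throw new InvalidObjectException("ConfigHolder must not be deserialized");
        }
        private void readObjectNoData() throws InvalidObjectException {
            throw new InvalidObjectException("ConfigHolder must not be deserialized");
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one legitimate name and three an attacker would put in the stream.
        for (String name : new String[] { "2016/report.txt", "../../etc/passwd", "/etc/passwd", "" }) {
            try {
                SpoolEntry e = (SpoolEntry) deserialize(serialize(new SpoolEntry(name)));
                System.out.println("accepted \"" + name + "\" -> " + e.path());
            } catch (InvalidObjectException ex) {
                System.out.println("rejected \"" + name + "\": " + ex.getMessage());
            }
        }
        try {
            serialize(new ConfigHolder());
        } catch (NotSerializableException ex) {
            System.out.println("ConfigHolder refused to serialize: " + ex.getMessage());
        }
    }
}
```

Building the SpoolEntry with the malicious name and serializing it is just the quickest way to get a stream with that string in it; an attacker would craft the bytes directly, which is why the check has to live in readObject() and not in the constructor.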
Section: Mitigation against Deserialization endpoints
Fix: Java API change?
today:
bonhomme.Carnaval obj = (bonhomme.Carnaval) ois.readObject();
tomorrow?
bonhomme.Carnaval obj = ois.readObject(bonhomme.Carnaval.class);
The cast in today's form runs only after the whole object graph, "magic" methods included, has been read; a typed readObject() could reject a wrong top-level class before instantiating anything, which is what the look-ahead hook on the following slides does by hand.
Mitigation: Sandboxing
Deserialization inside a block protected by a Security Manager
Could prevent "malicious" calls:
• File R/W access
• Process creation
• Network access
• …
Not recommended:
• Hard to fine-tune: what is legitimately required?
• Known to be broken, e.g. CVE-2013-4444: code inside finalize() can be abused
• The Security Manager has since been deprecated for removal (Java 17, JEP 411), so this option is going away regardless
Mitigation: Class Name Input Validation
Look-ahead Java deserialization, Jan 2013, Pierre Ernst
Concept used by various validation libraries:
• SerialKiller, by Luca Carettoni
• contrast-rO0, by Contrast Security
• JDK Enhancement Proposal 290 (serialization filtering) and CERT Secure Coding SER12-J
We want to validate which classes get deserialized.
The Object Serialization Stream Protocol defines a class description, so the class name can be read before any object is instantiated:
00000000 AC ED 00 05 73 72 00 11 62 6F 6E 68 6F 6D 6D 65 ....sr..bonhomme
00000010 2E 43 61 72 6E 61 76 61 6C 20 51 75 65 62 65 63 .Carnaval Quebec
00000020 20 02 00 00 78 70 ...xp
Layout of the bytes above:
AC ED                      STREAM_MAGIC
00 05                      STREAM_VERSION
73                         TC_OBJECT
72                         TC_CLASSDESC
00 11 62 6F ... 61 6C      className (length 0x11 = 17, "bonhomme.Carnaval", modified UTF-8)
20 51 75 65 62 65 63 20    serialVersionUID
02                         classDescFlags (SC_SERIALIZABLE)
00 00                      fields (count 0)
78                         TC_ENDBLOCKDATA
70                         TC_NULL (no superclass descriptor)
So we could use our own binary parser to decide whether we should stop reading …
… or use the existing Java API that allows us to add our own validation hook.
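Added example (not code from the talk) of the "own binary parser" option, which also ties back to the Java Serialization 101 slide: it walks STREAM_MAGIC, STREAM_VERSION, the type code and the first TC_CLASSDESC exactly as laid out above, without instantiating anything, and uses the recovered class name as an allow-list check. The slide's bytes are embedded as a constructed sample; StreamPeek, Descriptor and the nested Carnaval class are assumptions (a single-file example cannot declare package bonhomme, so the live stream names StreamPeek$Carnaval instead). Requires Java 9+ for Set.of.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.io.StreamCorruptedException;
import java.util.ArrayList;
import java.util.Set;

public class StreamPeek {

    // Constructed sample: the bytes shown on the "Java Serialization 101" slide, field by field.
    static final byte[] SLIDE_STREAM = {
        (byte) 0xAC, (byte) 0xED, 0x00, 0x05,                // STREAM_MAGIC, STREAM_VERSION
        0x73, 0x72, 0x00, 0x11,                              // TC_OBJECT, TC_CLASSDESC, className length 17
        'b', 'o', 'n', 'h', 'o', 'm', 'm', 'e', '.',
        'C', 'a', 'r', 'n', 'a', 'v', 'a', 'l',
        0x20, 0x51, 0x75, 0x65, 0x62, 0x65, 0x63, 0x20,      // serialVersionUID (" Quebec ")
        0x02, 0x00, 0x00,                                    // classDescFlags SC_SERIALIZABLE, 0 fields
        0x78, 0x70                                           // TC_ENDBLOCKDATA, TC_NULL (no superclass)
    };

    /** What the look-ahead parser recovers from the first class descriptor. */
    static final class Descriptor {
        final String name;
        final long serialVersionUID;
        final int flags;
        final int fieldCount;

        Descriptor(String name, long serialVersionUID, int flags, int fieldCount) {
            this.name = name;
            this.serialVersionUID = serialVersionUID;
            this.flags = flags;
            this.fieldCount = fieldCount;
        }
    }

    /**
     * Read the header and the first class descriptor without instantiating anything.
     * Returns null for a top-level TC_NULL. Proxy descriptors and back-references are refused
     * here; a production parser would have to walk them explicitly.
     */
    static Descriptor peek(byte[] stream) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(stream));
        if (in.readUnsignedShort() != 0xACED) throw new StreamCorruptedException("bad STREAM_MAGIC");
        if (in.readUnsignedShort() != 0x0005) throw new StreamCorruptedException("bad STREAM_VERSION");
        int tc = in.readUnsignedByte();
        switch (tc) {
            case 0x70: return null;                         // TC_NULL
            case 0x73: case 0x75: case 0x7E: break;         // TC_OBJECT, TC_ARRAY, TC_ENUM: a classDesc follows
            default: throw new StreamCorruptedException(String.format("unexpected type code 0x%02X", tc));
        }
        int desc = in.readUnsignedByte();
        if (desc == 0x7C) throw new InvalidClassException("dynamic proxy", "TC_PROXYCLASSDESC not accepted");
        if (desc != 0x72) throw new StreamCorruptedException(String.format("expected TC_CLASSDESC, got 0x%02X", desc));
        String name = in.readUTF();              // length-prefixed modified UTF-8, exactly what writeUTF emitted
        long serialVersionUID = in.readLong();
        int flags = in.readUnsignedByte();
        int fieldCount = in.readUnsignedShort();
        return new Descriptor(name, serialVersionUID, flags, fieldCount);
    }

    /** Look-ahead policy: deserialize only if the top-level class is on the allow-list. */
    static boolean topLevelAllowed(byte[] stream, Set<String> allowed) throws IOException {
        Descriptor d = peek(stream);
        return d != null && allowed.contains(d.name);
    }

    /** Local stand-in for bonhomme.Carnaval; its name in the stream is StreamPeek$Carnaval. */
    static final class Carnaval implements Serializable {
        private static final long serialVersionUID = 0x2051756562656320L;   // " Quebec ", as on the slide
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Set<String> allowList = Set.of("bonhomme.Carnaval", Carnaval.class.getName());
        for (byte[] stream : new byte[][] { SLIDE_STREAM, serialize(new Carnaval()), serialize(new ArrayList<>()) }) {
            Descriptor d = peek(stream);
            System.out.printf("class=%s suid=0x%016X flags=%d fields=%d allowed=%b%n",
                    d.name, d.serialVersionUID, d.flags, d.fieldCount, topLevelAllowed(stream, allowList));
        }
    }
}
```

Checking only the top-level descriptor is enough to refuse a stream whose outermost object is wrong, but not to vet every class inside it; nested objects carry their own TC_CLASSDESC records further down the stream, which is why the resolveClass() hook on the next slide, invoked for each descriptor as it is read, is the more practical place for the check.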
Adding your own validation hook: Look-ahead Java deserialization
ObjectInputStream.resolveClass() is a callback provided by Java, normally used for custom class loading. It is invoked with the class descriptor read from the stream, before the object is instantiated and before any of its "magic" methods run, so it is the right place to check the class name:
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;

public class LookAheadObjectInputStream extends ObjectInputStream {

    public LookAheadObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if ( ! desc.getName().equals("bonhomme.Carnaval") ) {
            // InvalidClassException(cname, reason): the class name goes first
            throw new InvalidClassException(desc.getName(),
                    "Unauthorized deserialization attempt");
        }
        return super.resolveClass(desc);
    }
}
resolveClass() is also called for array classes (descriptor names such as [Ljava.lang.String;) and never for java.lang.String; dynamic proxies go through the separate resolveProxyClass() hook, which needs the same treatment.
Two ways of validating class names
• White-listing classes that are OK to deserialize
  • Tedious; impossible in real-life scenarios?
• Black-listing classes known to have "bad" "magic" methods
  • a.k.a. whack-a-mole
  • Known to be broken: Alvaro Muñoz and Christian Schneider, RSA Conference, 2016-03-04
Look-ahead Java deserialization: the nested stream problem
A class that opens its own ObjectInputStream inside readObject() defeats a hook installed on the outer stream, because the inner stream is an ordinary ObjectInputStream with no validation at all:
public class NestedProblems implements Serializable {
    private void readObject(ObjectInputStream in)
            throws IOException, ClassNotFoundException {
        ObjectInputStream ois = new ObjectInputStream(
                /* attacker controlled input */);
        ois.readObject();   // classes in this inner stream never reach the outer resolveClass()
    }
}
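Added example, not code from the talk, of the whitelisting approach with the JEP 290 API named on the previous slide (java.io.ObjectInputFilter, Java 9+; on 8u121+ the same pattern syntax is only available through the jdk.serialFilter system property), together with the nested-stream problem above: a stream-scoped filter lets a NestedProblems-style class smuggle in a class the filter would otherwise reject, and the process-wide filter closes that hole because the inner ObjectInputStream inherits it. FilteredDeserialization, the Carnaval stand-in, the limits in PATTERN and the use of ArrayList as the smuggled class are assumptions for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;

public class FilteredDeserialization {

    /** Stand-in for bonhomme.Carnaval: the one application class the endpoint expects. */
    static final class Carnaval implements Serializable {
        private static final long serialVersionUID = 1L;
        int year = 2016;
    }

    /** Same shape as NestedProblems on the slide, with the inner bytes carried as a field. */
    static final class NestedProblems implements Serializable {
        private static final long serialVersionUID = 1L;
        private final byte[] inner;

        NestedProblems(byte[] inner) { this.inner = inner; }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            // A brand-new stream: whatever filter the outer stream had is not consulted here.
            try (ObjectInputStream nested = new ObjectInputStream(new ByteArrayInputStream(inner))) {
                nested.readObject();
            }
        }
    }

    /** Resource limits, two allowed classes, then reject everything else. Assumed values for the demo. */
    static final String PATTERN = "maxdepth=4;maxarray=4096;maxrefs=64;"
            + Carnaval.class.getName() + ";" + NestedProblems.class.getName() + ";!*";

    /** Allow-list applied to one stream only (ObjectInputStream.setObjectInputFilter, Java 9+). */
    static Object readWithStreamFilter(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(PATTERN));
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static String attempt(byte[] data) {
        try {
            return "accepted " + readWithStreamFilter(data).getClass().getSimpleName();
        } catch (InvalidClassException e) {           // "filter status: REJECTED" comes through here
            return "rejected: " + e.getMessage();
        } catch (IOException | ClassNotFoundException e) {
            return "failed: " + e;
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] carnaval = serialize(new Carnaval());
        byte[] list = serialize(new ArrayList<>());        // not on the allow-list
        byte[] smuggled = serialize(new NestedProblems(list));

        System.out.println("Carnaval, stream filter:          " + attempt(carnaval));
        System.out.println("ArrayList, stream filter:         " + attempt(list));
        System.out.println("ArrayList nested, stream filter:  " + attempt(smuggled));   // inner stream has no filter of its own

        // Process-wide filter (what -Djdk.serialFilter=... sets): every ObjectInputStream without an
        // explicit filter, including the one created inside readObject(), now applies it.
        ObjectInputFilter.Config.setSerialFilter(ObjectInputFilter.Config.createFilter(PATTERN));
        System.out.println("ArrayList nested, process filter: " + attempt(smuggled));
    }
}
```

The process-wide filter can be set only once per JVM, so in practice it is configured at startup (system property or security properties file) and stream-specific filters are used to tighten, not replace, it; the resource limits in the pattern (maxdepth, maxarray, maxrefs) are what addresses the memory-exhaustion gadgets from the Denial of Service section, which no class list alone can stop.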
Section: Demo: Bypassing Apache TomEE look-ahead class name blacklist
Class Name Input Validation Bypass (Apache TomEE, black list mode)
New gadget classes, absent from the blacklist, with an abusable readObject():
• org.apache.webbeans.inject.impl.InjectionPointImpl
• org.apache.webbeans.inject.instance.InstanceImpl
• org.apache.webbeans.event.EventImpl
• Only an issue if using the black list mode
• Fixed in Apache OpenWebBeans 1.5.0 (October 2015)
• Fixed in Apache TomEE 7.0.1 (June 2016)
Section: New concept: Look-ahead method blacklist
Mitigation: Look-ahead Method Blacklist Input Validation
[flow chart, not reproduced] For each class x.y.z named in the stream, before instantiating it:
1. Does the class have magic methods? If no: accept.
2. If yes, analyze each magic method and collect the methods it calls (methodA, methodB, ...).
3. Are any of the called methods on the black list (method1, method2, ...)? If yes: reject; if no: accept.
Check it out: source code with a POC implementation has been published.
Mitigation: putting everything together
• Security Manager: not recommended
• Look-ahead class name validation: whitelisting (preferred), blacklisting (known to be bypassable)
• Look-ahead method blacklisting
Serialization, in order of preference:
1. Don't use it
2. Class name whitelisting
3. Method blacklisting

Salesforce Cloud Infrastructure and Challenges - A Brief Overview
 
Koober Preduction IO Presentation
Koober Preduction IO PresentationKoober Preduction IO Presentation
Koober Preduction IO Presentation
 
Finding Security Issues Fast!
Finding Security Issues Fast!Finding Security Issues Fast!
Finding Security Issues Fast!
 
Microservices
MicroservicesMicroservices
Microservices
 
Global State Management of Micro Services
Global State Management of Micro ServicesGlobal State Management of Micro Services
Global State Management of Micro Services
 
The Future of Hbase
The Future of HbaseThe Future of Hbase
The Future of Hbase
 

Kürzlich hochgeladen

CS 3251 Programming in c all unit notes pdf
CS 3251 Programming in c all unit notes pdfCS 3251 Programming in c all unit notes pdf
CS 3251 Programming in c all unit notes pdfBalamuruganV28
 
2022 AWS DNA Hackathon 장애 대응 솔루션 jarvis.
2022 AWS DNA Hackathon 장애 대응 솔루션 jarvis.2022 AWS DNA Hackathon 장애 대응 솔루션 jarvis.
2022 AWS DNA Hackathon 장애 대응 솔루션 jarvis.elesangwon
 
Prach: A Feature-Rich Platform Empowering the Autism Community
Prach: A Feature-Rich Platform Empowering the Autism CommunityPrach: A Feature-Rich Platform Empowering the Autism Community
Prach: A Feature-Rich Platform Empowering the Autism Communityprachaibot
 
Javier_Fernandez_CARS_workshop_presentation.pptx
Javier_Fernandez_CARS_workshop_presentation.pptxJavier_Fernandez_CARS_workshop_presentation.pptx
Javier_Fernandez_CARS_workshop_presentation.pptxJavier Fernández Muñoz
 
Curve setting (Basic Mine Surveying)_MI10412MI.pptx
Curve setting (Basic Mine Surveying)_MI10412MI.pptxCurve setting (Basic Mine Surveying)_MI10412MI.pptx
Curve setting (Basic Mine Surveying)_MI10412MI.pptxRomil Mishra
 
Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...
Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...
Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...Sumanth A
 
SOFTWARE ESTIMATION COCOMO AND FP CALCULATION
SOFTWARE ESTIMATION COCOMO AND FP CALCULATIONSOFTWARE ESTIMATION COCOMO AND FP CALCULATION
SOFTWARE ESTIMATION COCOMO AND FP CALCULATIONSneha Padhiar
 
Module-1-(Building Acoustics) Noise Control (Unit-3). pdf
Module-1-(Building Acoustics) Noise Control (Unit-3). pdfModule-1-(Building Acoustics) Noise Control (Unit-3). pdf
Module-1-(Building Acoustics) Noise Control (Unit-3). pdfManish Kumar
 
Input Output Management in Operating System
Input Output Management in Operating SystemInput Output Management in Operating System
Input Output Management in Operating SystemRashmi Bhat
 
Detection&Tracking - Thermal imaging object detection and tracking
Detection&Tracking - Thermal imaging object detection and trackingDetection&Tracking - Thermal imaging object detection and tracking
Detection&Tracking - Thermal imaging object detection and trackinghadarpinhas1
 
Stork Webinar | APM Transformational planning, Tool Selection & Performance T...
Stork Webinar | APM Transformational planning, Tool Selection & Performance T...Stork Webinar | APM Transformational planning, Tool Selection & Performance T...
Stork Webinar | APM Transformational planning, Tool Selection & Performance T...Stork
 
Computer Graphics Introduction, Open GL, Line and Circle drawing algorithm
Computer Graphics Introduction, Open GL, Line and Circle drawing algorithmComputer Graphics Introduction, Open GL, Line and Circle drawing algorithm
Computer Graphics Introduction, Open GL, Line and Circle drawing algorithmDeepika Walanjkar
 
Katarzyna Lipka-Sidor - BIM School Course
Katarzyna Lipka-Sidor - BIM School CourseKatarzyna Lipka-Sidor - BIM School Course
Katarzyna Lipka-Sidor - BIM School Coursebim.edu.pl
 
Gravity concentration_MI20612MI_________
Gravity concentration_MI20612MI_________Gravity concentration_MI20612MI_________
Gravity concentration_MI20612MI_________Romil Mishra
 
High Voltage Engineering- OVER VOLTAGES IN ELECTRICAL POWER SYSTEMS
High Voltage Engineering- OVER VOLTAGES IN ELECTRICAL POWER SYSTEMSHigh Voltage Engineering- OVER VOLTAGES IN ELECTRICAL POWER SYSTEMS
High Voltage Engineering- OVER VOLTAGES IN ELECTRICAL POWER SYSTEMSsandhya757531
 
Triangulation survey (Basic Mine Surveying)_MI10412MI.pptx
Triangulation survey (Basic Mine Surveying)_MI10412MI.pptxTriangulation survey (Basic Mine Surveying)_MI10412MI.pptx
Triangulation survey (Basic Mine Surveying)_MI10412MI.pptxRomil Mishra
 
TEST CASE GENERATION GENERATION BLOCK BOX APPROACH
TEST CASE GENERATION GENERATION BLOCK BOX APPROACHTEST CASE GENERATION GENERATION BLOCK BOX APPROACH
TEST CASE GENERATION GENERATION BLOCK BOX APPROACHSneha Padhiar
 
Research Methodology for Engineering pdf
Research Methodology for Engineering pdfResearch Methodology for Engineering pdf
Research Methodology for Engineering pdfCaalaaAbdulkerim
 
Substation Automation SCADA and Gateway Solutions by BRH
Substation Automation SCADA and Gateway Solutions by BRHSubstation Automation SCADA and Gateway Solutions by BRH
Substation Automation SCADA and Gateway Solutions by BRHbirinder2
 
AntColonyOptimizationManetNetworkAODV.pptx
AntColonyOptimizationManetNetworkAODV.pptxAntColonyOptimizationManetNetworkAODV.pptx
AntColonyOptimizationManetNetworkAODV.pptxLina Kadam
 

Kürzlich hochgeladen (20)

CS 3251 Programming in c all unit notes pdf
CS 3251 Programming in c all unit notes pdfCS 3251 Programming in c all unit notes pdf
CS 3251 Programming in c all unit notes pdf
 
2022 AWS DNA Hackathon 장애 대응 솔루션 jarvis.
2022 AWS DNA Hackathon 장애 대응 솔루션 jarvis.2022 AWS DNA Hackathon 장애 대응 솔루션 jarvis.
2022 AWS DNA Hackathon 장애 대응 솔루션 jarvis.
 
Prach: A Feature-Rich Platform Empowering the Autism Community
Prach: A Feature-Rich Platform Empowering the Autism CommunityPrach: A Feature-Rich Platform Empowering the Autism Community
Prach: A Feature-Rich Platform Empowering the Autism Community
 
Javier_Fernandez_CARS_workshop_presentation.pptx
Javier_Fernandez_CARS_workshop_presentation.pptxJavier_Fernandez_CARS_workshop_presentation.pptx
Javier_Fernandez_CARS_workshop_presentation.pptx
 
Curve setting (Basic Mine Surveying)_MI10412MI.pptx
Curve setting (Basic Mine Surveying)_MI10412MI.pptxCurve setting (Basic Mine Surveying)_MI10412MI.pptx
Curve setting (Basic Mine Surveying)_MI10412MI.pptx
 
Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...
Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...
Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...
 
SOFTWARE ESTIMATION COCOMO AND FP CALCULATION
SOFTWARE ESTIMATION COCOMO AND FP CALCULATIONSOFTWARE ESTIMATION COCOMO AND FP CALCULATION
SOFTWARE ESTIMATION COCOMO AND FP CALCULATION
 
Module-1-(Building Acoustics) Noise Control (Unit-3). pdf
Module-1-(Building Acoustics) Noise Control (Unit-3). pdfModule-1-(Building Acoustics) Noise Control (Unit-3). pdf
Module-1-(Building Acoustics) Noise Control (Unit-3). pdf
 
Input Output Management in Operating System
Input Output Management in Operating SystemInput Output Management in Operating System
Input Output Management in Operating System
 
Detection&Tracking - Thermal imaging object detection and tracking
Detection&Tracking - Thermal imaging object detection and trackingDetection&Tracking - Thermal imaging object detection and tracking
Detection&Tracking - Thermal imaging object detection and tracking
 
Stork Webinar | APM Transformational planning, Tool Selection & Performance T...
Stork Webinar | APM Transformational planning, Tool Selection & Performance T...Stork Webinar | APM Transformational planning, Tool Selection & Performance T...
Stork Webinar | APM Transformational planning, Tool Selection & Performance T...
 
Computer Graphics Introduction, Open GL, Line and Circle drawing algorithm
Computer Graphics Introduction, Open GL, Line and Circle drawing algorithmComputer Graphics Introduction, Open GL, Line and Circle drawing algorithm
Computer Graphics Introduction, Open GL, Line and Circle drawing algorithm
 
Katarzyna Lipka-Sidor - BIM School Course
Katarzyna Lipka-Sidor - BIM School CourseKatarzyna Lipka-Sidor - BIM School Course
Katarzyna Lipka-Sidor - BIM School Course
 
Gravity concentration_MI20612MI_________
Gravity concentration_MI20612MI_________Gravity concentration_MI20612MI_________
Gravity concentration_MI20612MI_________
 
High Voltage Engineering- OVER VOLTAGES IN ELECTRICAL POWER SYSTEMS
High Voltage Engineering- OVER VOLTAGES IN ELECTRICAL POWER SYSTEMSHigh Voltage Engineering- OVER VOLTAGES IN ELECTRICAL POWER SYSTEMS
High Voltage Engineering- OVER VOLTAGES IN ELECTRICAL POWER SYSTEMS
 
Triangulation survey (Basic Mine Surveying)_MI10412MI.pptx
Triangulation survey (Basic Mine Surveying)_MI10412MI.pptxTriangulation survey (Basic Mine Surveying)_MI10412MI.pptx
Triangulation survey (Basic Mine Surveying)_MI10412MI.pptx
 
TEST CASE GENERATION GENERATION BLOCK BOX APPROACH
TEST CASE GENERATION GENERATION BLOCK BOX APPROACHTEST CASE GENERATION GENERATION BLOCK BOX APPROACH
TEST CASE GENERATION GENERATION BLOCK BOX APPROACH
 
Research Methodology for Engineering pdf
Research Methodology for Engineering pdfResearch Methodology for Engineering pdf
Research Methodology for Engineering pdf
 
Substation Automation SCADA and Gateway Solutions by BRH
Substation Automation SCADA and Gateway Solutions by BRHSubstation Automation SCADA and Gateway Solutions by BRH
Substation Automation SCADA and Gateway Solutions by BRH
 
AntColonyOptimizationManetNetworkAODV.pptx
AntColonyOptimizationManetNetworkAODV.pptxAntColonyOptimizationManetNetworkAODV.pptx
AntColonyOptimizationManetNetworkAODV.pptx
 

Fixing the Java Serialization Mess

  • 1. Fixing the Java Serialization mess Pierre Ernst, HackFest.ca 2016
  • 2. https://goo.gl/rOpF0u Agenda: Fixing the Java Serialization mess
    Introduction to Java serialization
    Attack vectors
    Serialization Gadgets
    • Demo: Denial of Service
    Deserialization endpoints
    • Demo: JMX (CVE-2016-3427)
    Mitigation
    • Against Serialization Gadgets
    • Against Deserialization endpoints
    • Demo: Bypassing Apache TomEE look-ahead class name blacklist
    • New concept: Look-ahead method blacklist
  • 3. https://goo.gl/rOpF0u Pierre Ernst (linkedin.com/in/pernst, @e_rnst)
    Software development background
    Secure Code Review
    Found security vulnerabilities in applications made by: (word cloud image; source: http://www.wordle.net)
  • 4. https://goo.gl/rOpF0u Salesforce Trust team (https://research.trust.salesforce.com/)
    Salesforce is hiring application security engineers for:
    • Enterprise Security (Vendor applications)
    • Product Security (Salesforce web applications)
    • Infrastructure Security (Salesforce network and Linux environment)
    Contact: James Sale, Principal Technical Recruiter, jsale@salesforce.com, 415-633-6059, linkedin.com/in/jamesgsale
  • 5. https://goo.gl/rOpF0u Java Serialization 101: The Big Picture
    Java instance --serialize--> byte stream --deserialize--> Java instance
      00000000 AC ED 00 05 73 72 00 11 62 6F 6E 68 6F 6D 6D 65 ....sr..bonhomme
      00000010 2E 43 61 72 6E 61 76 61 6C 20 51 75 65 62 65 63 .Carnaval Quebec
      00000020 20 02 00 00 78 70 ...xp
  • 6. https://goo.gl/rOpF0u Java Serialization 101
    Convert a Java instance to/from a binary stream
    • Used for persistence (file, database blob)
    • Used for transmission (RMI: Remote Method Invocation)
    Java API:
    • ObjectOutputStream: to serialize (write)
    • ObjectInputStream: to deserialize (read)
    • The JVM knows how to (de)serialize primitive types
    • The JVM uses reflection and Unsafe to (de)serialize the members of any given class
    • The class must implement the interface java.io.Serializable
  • 8. https://goo.gl/rOpF0u What could possibly go wrong?
    Some classes require special handling
    • writeObject() and readObject() methods
    • e.g.: java.math.BigDecimal
    An application is vulnerable if:
    • it deserializes untrusted input,
    • and existing classes on the classpath have an "insecure" readObject() method
    The readObject() methods can be chained and abused
    • "gadget", in reference to ROP gadgets
    • Similarly, some other methods can also be abused (TBD later): "Magic Methods"
  • 9. https://goo.gl/rOpF0u Prior Art (pre-2016)
    Date       Type                   Product                      Researcher(s)                      Reference
    Apr 2005   DOS                    JRE                          Marc Schönefeld                    CVE-2004-2540
    Aug 2008   Applet->RCE            JRE                          Sami Koivu                         CVE-2008-5353
    Apr 2010   Applet->RCE            JRE                          Sami Koivu                         CVE-2010-0094
    Mar 2010   DOS                    Sun Java Web Console         Luca Carettoni                     Source Code
    Sept 2011  RCE                    Spring Framework             Wouter Coekaerts                   CVE-2011-2894
    Oct 2012   RCE                    IBM Cognos BI                Pierre Ernst                       CVE-2012-4858
    Feb 2013   File Write->RCE        Apache OpenJPA               Pierre Ernst                       CVE-2013-1768
    Mar 2013   File Write->RCE        Apache Tomcat                Pierre Ernst                       CVE-2013-2185
    July 2015  RCE                    Apache Groovy                "cpnrodzc7"                        CVE-2015-3253
    Aug 2015   Buffer Overflow->RCE   Android                      Or Peles & Roee Hay                CVE-2015-3837
    Nov 2015   RCE                    Apache Commons Collections   Chris Frohoff & Gabriel Lawrence   CVE-2015-7450
    Nov 2015   DOS                    JRE                          Wouter Coekaerts                   Source Code
  • 10. https://goo.gl/rOpF0u Attack Surfaces: Endpoints vs. Gadgets
    (diagram) Attacker --malicious serialized input--> Vulnerable Service (Vulnerable.class) --> JVM deserialization, with bonhomme.Carnaval.class on the classpath
    1. The vulnerable endpoint:
         bonhomme.Carnaval instance = (bonhomme.Carnaval) in.readObject();
    2. The gadget: deserialization calls the "magic" method
         private void readObject(ObjectInputStream in) { }
  • 12. https://goo.gl/rOpF0u What are the "Magic" methods?
    A class is vulnerable if it has a "magic" method that can be abused:
    • readObject()
    • readResolve()
    • validateObject()
    • readObjectNoData()
    • readExternal()
    • finalize()
    • <init>()
  • 13. https://goo.gl/rOpF0u How can magic methods be abused?
    • File I/O
    • Network I/O
    • Code injection
    • Denial of service
    • ... any side effect with security impact
  • 15. https://goo.gl/rOpF0u Java Memory Exhaustion
    Pervasive problem:
    • com.sun.xml.internal.ws.protocol.xml.XMLMessageException
    • java.util.concurrent.CopyOnWriteArrayList
    • java.util.logging.LogRecord
    • java.util.PriorityQueue
    • org.apache.catalina.tribes.membership.MemberImpl
      private void readObject(ObjectInputStream in)
              throws IOException, ClassNotFoundException {
          int len = in.readInt();              // controlled by attacker
          this.parameters = new Object[len];   // memory exhaustion
          // ...
      }
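A hardened version of the readObject() pattern on that slide, added here as an example rather than code from the deck: the class keeps the same writeObject()/readObject() shape, but checks the count read from the stream before anything is allocated, and main() builds a test stream whose count field is patched to Integer.MAX_VALUE to show the check firing instead of the allocation. The class name Parameters, the bound MAX_PARAMETERS and the sample values are assumptions made for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Arrays;

public final class ParametersDemo {

    /** Same shape as the vulnerable class on the slide, with the count validated before allocation. */
    static final class Parameters implements Serializable {
        private static final long serialVersionUID = 1L;
        // Assumed upper bound for this example; use what the application really needs.
        static final int MAX_PARAMETERS = 1024;

        private transient Object[] parameters;

        Parameters(Object... parameters) {
            this.parameters = parameters.clone();
        }

        Object[] getParameters() {
            return parameters.clone();
        }

        private void writeObject(ObjectOutputStream out) throws IOException {
            out.defaultWriteObject();
            out.writeInt(parameters.length);
            for (Object p : parameters) {
                out.writeObject(p);
            }
        }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            int len = in.readInt();   // comes from the stream, so it is attacker-controlled
            // Reject the value before it reaches "new Object[len]": a negative or huge count
            // would otherwise throw NegativeArraySizeException or exhaust the heap.
            if (len < 0 || len > MAX_PARAMETERS) {
                throw new InvalidObjectException("parameter count out of range: " + len);
            }
            Object[] read = new Object[len];
            for (int i = 0; i < len; i++) {
                read[i] = in.readObject();
            }
            this.parameters = read;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Rewrites the int that the stream carries as the parameter count (test helper). */
    static byte[] tamperCount(byte[] stream, int originalCount, int newCount) {
        // Data written by a custom writeObject() sits in a block-data record:
        // TC_BLOCKDATA (0x77), length (0x04), then the 4-byte int.
        byte[] marker = {0x77, 0x04,
                (byte) (originalCount >>> 24), (byte) (originalCount >>> 16),
                (byte) (originalCount >>> 8), (byte) originalCount};
        for (int i = 0; i + marker.length <= stream.length; i++) {
            if (Arrays.equals(Arrays.copyOfRange(stream, i, i + marker.length), marker)) {
                byte[] out = stream.clone();
                out[i + 2] = (byte) (newCount >>> 24);
                out[i + 3] = (byte) (newCount >>> 16);
                out[i + 4] = (byte) (newCount >>> 8);
                out[i + 5] = (byte) newCount;
                return out;
            }
        }
        throw new IllegalStateException("block-data record with the count not found");
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new Parameters("bonhomme", "Carnaval"));
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(good))) {
            Parameters p = (Parameters) in.readObject();
            System.out.println("round trip ok: " + Arrays.toString(p.getParameters()));
        }

        // Constructed test stream: the same bytes with the count patched to Integer.MAX_VALUE.
        byte[] huge = tamperCount(good, 2, Integer.MAX_VALUE);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(huge))) {
            in.readObject();
            System.out.println("unexpected: tampered stream accepted");
        } catch (InvalidObjectException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The bound only caps the array of references; each element is still read with readObject(), so the classes that may appear there still need the class-name validation discussed under Mitigation.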
  • 18. https://goo.gl/rOpF0u Endpoint is vulnerable if: it deserializes the user's input
      java.io.ObjectInputStream ois = new java.io.ObjectInputStream(/* contains user's input */);
      ois.readObject(); /* OR */ ois.readUnshared();
  • 20. https://goo.gl/rOpF0u JMX untrusted deserialization: CVE-2016-3427
    JMX = Java Management eXtensions
    • API for managing/monitoring resources
    • Client-Server on TCP/IP
    • Optional features:
      • TLS socket
      • Authentication
    Fixed in Java 8 Update 91 (April 2016)
  • 21. https://goo.gl/rOpF0u Prior JMX vulnerabilities: Abusing Existing Features
    Tomcat JMX: retrieving all the session ids
  • 22. https://goo.gl/rOpF0u Prior JMX vulnerabilities: RCE with MLet
    Only vulnerable when authentication is not enabled
    Source:
    • Exploiting JMX RMI
    • Class MLet
    (diagram) evil.org -> victim.com: JMX connect; createMBean javax.management.loading.MLet; load evil bean; invoke
  • 23. https://goo.gl/rOpF0u JMX Connection Strings (a.k.a. JMX "URLs")
    How many times did you read "RMI"?
      service:jmx:rmi://bonhomme.local:10002/jndi/rmi://bonhomme.local:10001/jmxrmi
      JMX endpoint:    rmi://bonhomme.local:10002
      Naming Registry: rmi://bonhomme.local:10001/jmxrmi
    • JMX connection strings are future-proof
    • They might use other transport technologies in the future
    • But they rely on RMI for now
    We can use RMI directly to connect to a JMX server
  • 24. https://goo.gl/rOpF0u Connecting to JMX with RMI (directly)
      service:jmx:rmi://bonhomme.local:10002/jndi/rmi://bonhomme.local:10001/jmxrmi
      Registry registry = LocateRegistry.getRegistry("bonhomme.local", 10001);
      RMIServer rmiServer = (RMIServer) registry.lookup("jmxrmi");
      RMIConnection rmiConnection = rmiServer.newClient(new String[]{ "tomcat", "secret"});
  • 25. https://goo.gl/rOpF0u What is RMI again?
    RMI: Client-Server network protocol, RPC-style, uses serialization
    RMI Call:
      00000000 50 AC ED 00 05 77 22 A1 F2 A2 CB 82 19 D4 02 D0 P....w".........
      00000010 70 E5 1A 00 00 01 57 52 A7 43 A2 80 01 FF FF FF p.....WR.C......
      00000020 FF F0 E0 74 EA AD 0C AE A8 75 72 00 13 5B 4C 6A ...t.....ur..[Lj
      00000030 61 76 61 2E 6C 61 6E 67 2E 53 74 72 69 6E 67 3B ava.lang.String;
      00000040 AD D2 56 E7 E9 1D 7B 47 02 00 00 70 78 70 00 00 ..V...{G...pxp..
      00000050 00 02 74 00 06 74 6F 6D 63 61 74 74 00 06 73 65 ..t..tomcatt..se
      00000060 63 72 65 74                                     cret
  • 29. https://goo.gl/rOpF0u The Blame Game: Where do we fix it?
    1. "Applications should never deserialize untrusted input"
    vs.
    2. "3rd party libraries should only have secure magic methods"
  • 32. https://goo.gl/rOpF0u Making "magic" methods more secure
    Does the class really need to be serializable?
    Can we add input validation?
    • Prevent path traversal
    • Prevent resource exhaustion
    • ...
  • 34. https://goo.gl/rOpF0u Fix: Java API change
    today:
      bonhomme.Carnaval obj = (bonhomme.Carnaval) ois.readObject();
    tomorrow?
      bonhomme.Carnaval obj = ois.readObject(bonhomme.Carnaval.class);
  • 35. https://goo.gl/rOpF0u Mitigation: Sandboxing
    Deserialization inside a block protected by a Security Manager
    Could prevent "malicious" calls:
    • File R/W access
    • Process creation
    • Network access
    • ...
    Not recommended:
    • Hard to fine-tune: what is legitimately required?
    • Known to be broken, e.g. CVE-2013-4444: code inside finalize() can be abused
  • 36. https://goo.gl/rOpF0u Mitigation: Class Name Input Validation (Look-ahead Java deserialization, Jan 2013, Pierre Ernst)
    Concept used by various validation libraries:
    • SerialKiller, by Luca Carettoni
    • contrast-rO0, by Contrast Security
    • JDK enhancement proposal #290 and CERT Secure Coding SER12-J
    We want to validate which classes get deserialized.
    The Object Serialization Stream Protocol defines a class description:
      00000000 AC ED 00 05 73 72 00 11 62 6F 6E 68 6F 6D 6D 65 ....sr..bonhomme
      00000010 2E 43 61 72 6E 61 76 61 6C 20 51 75 65 62 65 63 .Carnaval Quebec
      00000020 20 02 00 00 78 70 ...xp
    Layout of those bytes: STREAM_MAGIC, STREAM_VERSION, TC_OBJECT, TC_CLASSDESC, className, serialVersionUID, classDescFlags, fields, TC_ENDBLOCKDATA, TC_NULL
    So we could use our own binary parser to decide whether we should stop reading...
    ... or use the existing Java API that allows us to add our own validation hook.
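The "own binary parser" option from that slide, as an added example (not code from the deck): it walks exactly the layout listed above (STREAM_MAGIC, STREAM_VERSION, TC_OBJECT, TC_CLASSDESC, className, serialVersionUID, classDescFlags, field count) and returns the first class description so the caller can stop before the bytes ever reach an ObjectInputStream. main() feeds it the slide's own hex dump and then a stream produced by the JDK for java.util.Date. The class name StreamPeek, the allow list and the Date sample are assumptions made for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.StreamCorruptedException;
import java.util.Collections;
import java.util.Set;

public final class StreamPeek {
    static final short STREAM_MAGIC = (short) 0xACED;
    static final short STREAM_VERSION = 5;
    static final byte TC_OBJECT = 0x73;
    static final byte TC_CLASSDESC = 0x72;

    /** The leading class description, i.e. the fields named in the slide's layout. */
    static final class ClassDesc {
        final String className;
        final long serialVersionUID;
        final byte flags;
        final int fieldCount;

        ClassDesc(String className, long serialVersionUID, byte flags, int fieldCount) {
            this.className = className;
            this.serialVersionUID = serialVersionUID;
            this.flags = flags;
            this.fieldCount = fieldCount;
        }

        @Override
        public String toString() {
            return String.format("%s suid=0x%016X flags=0x%02X fields=%d",
                    className, serialVersionUID, flags, fieldCount);
        }
    }

    /** Parses only the fixed prefix of a stream whose first element is an ordinary object. */
    static ClassDesc peekFirstClassDesc(byte[] stream) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(stream));
        if (in.readShort() != STREAM_MAGIC) {
            throw new StreamCorruptedException("missing STREAM_MAGIC (AC ED)");
        }
        if (in.readShort() != STREAM_VERSION) {
            throw new StreamCorruptedException("unsupported STREAM_VERSION");
        }
        byte tc = in.readByte();
        if (tc != TC_OBJECT) {
            throw new StreamCorruptedException(String.format("expected TC_OBJECT, got 0x%02X", tc));
        }
        tc = in.readByte();
        if (tc != TC_CLASSDESC) {
            // TC_PROXYCLASSDESC and TC_REFERENCE are also legal here; this peek does not decode them.
            throw new StreamCorruptedException(String.format("expected TC_CLASSDESC, got 0x%02X", tc));
        }
        String className = in.readUTF();      // 2-byte length + modified UTF-8, as the protocol encodes it
        long serialVersionUID = in.readLong();
        byte flags = in.readByte();           // classDescFlags, e.g. 0x02 = SC_SERIALIZABLE
        int fieldCount = in.readShort() & 0xFFFF;
        return new ClassDesc(className, serialVersionUID, flags, fieldCount);
    }

    /** Decide, before handing the bytes to ObjectInputStream, whether the top-level class is acceptable. */
    static boolean topLevelClassAllowed(byte[] stream, Set<String> allowed) {
        try {
            return allowed.contains(peekFirstClassDesc(stream).className);
        } catch (IOException e) {
            return false;   // malformed or unsupported prefix: do not deserialize it
        }
    }

    public static void main(String[] args) throws IOException {
        // The bytes shown on the slide: bonhomme.Carnaval, serialVersionUID " Quebec ", SC_SERIALIZABLE, no fields.
        byte[] slide = {
            (byte) 0xAC, (byte) 0xED, 0x00, 0x05, 0x73, 0x72, 0x00, 0x11,
            0x62, 0x6F, 0x6E, 0x68, 0x6F, 0x6D, 0x6D, 0x65,          // "bonhomme"
            0x2E, 0x43, 0x61, 0x72, 0x6E, 0x61, 0x76, 0x61, 0x6C,    // ".Carnaval"
            0x20, 0x51, 0x75, 0x65, 0x62, 0x65, 0x63, 0x20,          // serialVersionUID
            0x02, 0x00, 0x00, 0x78, 0x70 };
        Set<String> allowed = Collections.singleton("bonhomme.Carnaval");
        System.out.println(peekFirstClassDesc(slide));
        System.out.println("slide stream allowed: " + topLevelClassAllowed(slide, allowed));

        // A stream produced by the JDK itself, for a class that is not on the allow list.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(new java.util.Date(0));
        }
        System.out.println(peekFirstClassDesc(bos.toByteArray()));
        System.out.println("Date stream allowed: " + topLevelClassAllowed(bos.toByteArray(), allowed));
    }
}
```

This pre-check only sees the first object's class; the classes of nested members appear further into the stream, which is why the next slide's resolveClass() hook (invoked for every class description as it is read) is the more complete place to validate.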
  • 37. https://goo.gl/rOpF0u Look-ahead Java deserialization: adding your own validation hook
    Callback provided by Java, normally used for custom class loading
      public class LookAheadObjectInputStream extends ObjectInputStream {

          public LookAheadObjectInputStream(InputStream in) throws IOException {
              super(in);
          }

          @Override
          protected Class<?> resolveClass(ObjectStreamClass desc)
                  throws IOException, ClassNotFoundException {
              // Reject before the class is loaded: only bonhomme.Carnaval may be deserialized
              if ( ! desc.getName().equals("bonhomme.Carnaval") ) {
                  throw new InvalidClassException(
                      "Unauthorized deserialization attempt", desc.getName());
              }
              return super.resolveClass(desc);
          }
      }
  • 38. https://goo.gl/rOpF0u Look-ahead Java deserialization: Two ways of validating class names
    • White-listing classes that are OK to deserialize
      • Tedious; impossible in a real-life scenario?
    • Black-listing classes known to have "bad" "magic" methods
      • a.k.a. Whack-a-mole
      • Known to be broken (RSA Conference, 2016-03-04, Alvaro Muñoz and Christian Schneider):
      public class NestedProblems implements Serializable {
          private void readObject(ObjectInputStream in)
                  throws IOException, ClassNotFoundException {
              // The nested stream is a plain ObjectInputStream, so the outer stream's
              // resolveClass() check never sees the classes it reads
              ObjectInputStream ois = new ObjectInputStream( /* attacker controlled input */ );
              ois.readObject();
          }
      }
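The two preceding slides together, as an added example that is not code from the deck: a white-listing variant of the slide's LookAheadObjectInputStream (a set of allowed names instead of one hard-coded class, with array descriptors judged by their element type), and the same policy expressed with the java.io.ObjectInputFilter API that JDK enhancement proposal #290 became. It assumes Java 9 or later and is written as the file bonhomme/LookAheadDemo.java; the stand-in Carnaval class, the HashMap used as "some class not on the list" and the filter limits are assumptions made for the example.

```java
package bonhomme;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Collections;
import java.util.HashMap;
import java.util.Set;

/** Stand-in for the slides' bonhomme.Carnaval; a primitive field keeps the demo independent of string handling. */
class Carnaval implements Serializable {
    private static final long serialVersionUID = 1L;
    final int edition;
    Carnaval(int edition) { this.edition = edition; }
    @Override public String toString() { return "Carnaval " + edition; }
}

public final class LookAheadDemo {
    static final Set<String> ALLOWED = Collections.singleton("bonhomme.Carnaval");

    /** White-listing variant of the slide's LookAheadObjectInputStream. */
    static final class WhitelistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        WhitelistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            String element = name;
            if (element.startsWith("[")) {                 // array descriptor: judge the element type
                while (element.startsWith("[")) element = element.substring(1);
                if (element.length() == 1) {
                    return super.resolveClass(desc);       // primitive array such as "[I": nothing to load
                }
                element = element.substring(1, element.length() - 1);   // "Lx.y.Z;" -> "x.y.Z"
            }
            if (!allowed.contains(element)) {
                // Thrown before the class is loaded, so none of its "magic" methods can run.
                throw new InvalidClassException("Unauthorized deserialization attempt", name);
            }
            return super.resolveClass(desc);
        }
    }

    /** The same policy with the JEP 290 filter: accept the one class, reject all others, bound depth and arrays. */
    static ObjectInputFilter carnavalOnlyFilter() {
        return ObjectInputFilter.Config.createFilter("maxdepth=4;maxarray=1024;bonhomme.Carnaval;!*");
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object readWithWhitelist(byte[] stream) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new WhitelistObjectInputStream(new ByteArrayInputStream(stream), ALLOWED)) {
            return in.readObject();
        }
    }

    static Object readWithFilter(byte[] stream) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(stream))) {
            in.setObjectInputFilter(carnavalOnlyFilter());   // must be set before the first readObject()
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new Carnaval(2016));
        byte[] other = serialize(new HashMap<String, String>());   // benign stand-in for a class not on the list

        System.out.println("whitelist accepted: " + readWithWhitelist(good));
        try {
            readWithWhitelist(other);
        } catch (InvalidClassException e) {
            System.out.println("whitelist rejected: " + e.classname);
        }
        System.out.println("filter accepted: " + readWithFilter(good));
        try {
            readWithFilter(other);
        } catch (InvalidClassException e) {
            System.out.println("filter rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac bonhomme/LookAheadDemo.java && java bonhomme.LookAheadDemo`. Both hooks are per stream, so neither sees the inner ObjectInputStream of the NestedProblems class above; the process-wide filter (ObjectInputFilter.Config.setSerialFilter(...), or the jdk.serialFilter system property) is applied to every ObjectInputStream created in the JVM, including one constructed inside a readObject() method, which is what closes that gap.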
  • 40. https://goo.gl/rOpF0u Class Name Input Validation Bypass (new): Black List mode
    Only an issue if using the black list mode
    • org.apache.webbeans.inject.impl.InjectionPointImpl
    • org.apache.webbeans.inject.instance.InstanceImpl
    • org.apache.webbeans.event.EventImpl
    • Fixed in Apache TomEE 7.0.1 (June 2016)
    • Fixed in Apache OpenWebBeans 1.5.0 (October 2015)
  • 43. https://goo.gl/rOpF0u Mitigation: Look-ahead Method Blacklist Input Validation
    (flowchart) Class x.y.z -> Magic methods?
      • no: accept
      • yes: analyze the magic method and collect the called methods (methodA, methodB) -> compare with the Black List (method1, method2) -> blacklisted methods?
        • yes: reject
        • no: accept
  • 44. https://goo.gl/rOpF0u Check it out Source code with POC implementation published
  • 45. https://goo.gl/rOpF0u Mitigation: Putting everything together
    • Security Manager
    • Look-ahead class name validation
      • Whitelisting
      • Blacklisting
    • Look-ahead method blacklisting
  • 46. https://goo.gl/rOpF0u Serialization:
    1. Don't use it
    2. Class name whitelisting
    3. Method blacklisting

Editor's notes

  1. AC ED 00 05: remember this
  2. The root cause is *NOT* a weak boundary between data and code; magic methods are not always present
  3. Successful exploitation requires both attack surfaces
  4. The attacker can control anything that has been read from the stream, or any member that has been deserialized with the default behavior
  5. It would be nice if we could send something other than String[]...
  6. Vulnerable even if authentication is enabled (deserialization happens before authentication); Tomcat used as an example
  7. New argument: Class or Class[]
  8. Strongly encourage stopping the use of deserialization altogether
  9. For lack of a better name...
  10. Security Manager is not enough, but it still adds value