Abstract
Deserialization of untrusted data is an issue in many programming languages. In particular, deserialization of untrusted data in Java can lead to Remote Code Execution attacks. Conditions for this type of attack exist, but vulnerabilities are hard to detect. In this paper, we propose a novel sandboxing approach for protecting Java applications based on trusted execution path used for defining the deserialization behavior. We test our defensive mechanism on two main Java Framework JBoss and Jenkins and we show the effectiveness and efficiency of our system. We also discuss the limitations of our current system on newer attacks strategies.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Chen, S., Xu, J., Sezer, E.C., Gauriar, P., Iyer, R.K.: Non-control-data attacks are realistic threats. In: USENIX Security Symposium, vol. 14 (2005)
Cristalli, S., Pagnozzi, M., Graziano, M., Lanzi, A., Balzarotti, D.: Micro-virtualization memory tracing to detect and prevent spraying attacks. In: Proceedings of the 25th USENIX Security Symposium (USENIX Security) (2016)
Dahse, J., Krein, N., Holz, T.: Code reuse attacks in php: automated pop chain generation. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 42–53. ACM (2014)
Fattori, A., Lanzi, A., Balzarotti, D., Kirda, E.: Hypervisor-based malware protection with accessminer. Comput. Secur. 52, 33–50 (2015). https://doi.org/10.1016/j.cose.2015.03.007
Feng, H.H., Kolesnikov, O.M., Fogla, P., Lee, W., Gong, W.: Anomaly detection using call stack information. In: Proceedings of 2003 Symposium on Security and Privacy, pp. 62–75. IEEE (2003)
Frohoff, C.: ysoserial repository (2015). https://github.com/frohoff/ysoserial
Gotz Lindenmeier, V.S.: Hotspot internals: Explore and debug the VM at the OS level. In: JavaOne Conference (2013)
Karger, P.A.: Limiting the damage potential of discretionary trojan horses. In: 1987 IEEE Symposium on Security and Privacy, p. 32. IEEE (1987)
Kim, D., Kwon, B.J., Dumitras, T.: Certified malware: measuring breaches of trust in the windows code-signing PKI. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, vol. 14 (2017)
Landman, D., Serebrenik, A., Vinju, J.J.: Challenges for static analysis of java reflection: literature review and empirical study. In: Proceedings of the 39th International Conference on Software Engineering. IEEE Press (2017)
Livshits, V.B., Lam, M.S.: Finding security vulnerabilities in java applications with static analysis. In: USENIX Security Symposium, vol. 14, p. 18 (2005)
Mettler, A., Wagner, D., Close, T.: Joe-E: a security-oriented subset of java. In: NDSS, vol. 10, pp. 357–374 (2010)
Miller, M.S., Samuel, M., Laurie, B., Awad, I., Stay, M.: Safe active content in sanitized javascript. Google Inc., Technical report (2008)
Oracle Corporation: Hotspot runtime overview (2017). http://openjdk.java.net/groups/hotspot/docs/RuntimeOverview.html
Oracle Corporation: Interface instrumentation (2017). https://docs.oracle.com/javase/8/docs/api/java/lang/instrument/Instrumentation.html#setNativeMethodPrefix-java.lang.instrument.ClassFileTransformer-java.lang.String-
Oracle Corporation: Java object serialization (2017). https://docs.oracle.com/javase/8/docs/technotes/guides/serialization/
Oracle Corporation: The serializable interface (2017). https://docs.oracle.com/javase/8/docs/platform/serialization/spec/serial-arch.html#a4539
Seacord, R.C.: Combating java deserialization vulnerabilities with look-ahead object input streams (laois) (2017)
Svoboda, D.: Exploiting java deserialization for fun and profit (2016)
Vilanova, L., Ben-Yehuda, M., Navarro, N., Etsion, Y., Valero, M.: Codoms: protecting software with code-centric memory domains. In: ACM SIGARCH Computer Architecture News, vol. 42, pp. 469–480. IEEE Press (2014)
Watson, R.N., et al.: Cheri: a hybrid capability-system architecture for scalable software compartmentalization. In: 2015 IEEE Symposium on Security and Privacy (SP), pp. 20–37. IEEE (2015)
Witchel, E., Rhee, J., Asanović, K.: Mondrix: memory isolation for linux using mondriaan memory protection. In: ACM SIGOPS Operating Systems Review, vol. 39, pp. 31–44. ACM (2005)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Cristalli, S., Vignati, E., Bruschi, D., Lanzi, A. (2018). Trusted Execution Path for Protecting Java Applications Against Deserialization of Untrusted Data. In: Bailey, M., Holz, T., Stamatogiannakis, M., Ioannidis, S. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2018. Lecture Notes in Computer Science(), vol 11050. Springer, Cham. https://doi.org/10.1007/978-3-030-00470-5_21
Download citation
DOI: https://doi.org/10.1007/978-3-030-00470-5_21
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-00469-9
Online ISBN: 978-3-030-00470-5
eBook Packages: Computer ScienceComputer Science (R0)