Deserialization Vulnerability Remediation with Automated Gadget Chain Discovery - Ian Haken
Although vulnerabilities stemming from the deserialization of untrusted data have been understood for many years, unsafe deserialization continues to be a vulnerability class that isn't going away. Attention on Java deserialization vulnerabilities skyrocketed in 2015 when Frohoff and Lawrence published an RCE gadget chain in the Apache Commons library and as recently as last year's Black Hat Muñoz and Miroshis presented a survey of dangerous JSON deserialization libraries. While much research and automated detection technology has so far focused on the discovery of vulnerable entry points (i.e. code that deserializes untrusted data), finding a "gadget chain" to actually make the vulnerability exploitable has thus far been a largely manual exercise. In this talk I present a new technique for the automated discovery of deserialization gadget chains in Java, allowing defensive teams to quickly identify the significance of a deserialization vulnerability. This allows developers to properly prioritize remediation and weigh the tradeoff of potential exploits against refactoring an application's entire RPC mechanism. In this talk I will also present a FOSS toolkit developed to utilize this methodology and which has already been used to evaluate deserialization vulnerabilities in both internal applications and open source projects.
Speaker
Ian Haken
Senior Security Software Engineer, Netflix
I'm a senior security software engineer at Netflix where I work on the platform security team to develop tools and services that defend the Netflix platform. Before working at Netflix, I spent two years as security researcher at Coverity where I developed defensive application security.
-
Managed by the official OWASP Media Project https://www.owasp.org/index.php/OWASP...