Analyzing prerequisites of known deserialization vulnerabilities on Java applications
Umeå University, Faculty of Science and Technology, Department of Computing Science.
Umeå University, Faculty of Science and Technology, Department of Computing Science. ORCID iD: 0000-0003-1383-0372
2024 (English). In: EASE '24: Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering, New York: Association for Computing Machinery (ACM), 2024, p. 28-37. Conference paper, Published paper (Refereed)
Abstract [en]

We analyze known deserialization exploits targeting applications developed in the Java programming language. As previous research implies, fully comprehending this type of vulnerability is no easy task due to the complexity of exploitation, which mostly relies on so-called gadget chains. Even for known gadget chains, knowledge about their prerequisites is rather limited. In particular, the full range of external library versions that add exploitable gadgets to the Java classpath had previously been only partially examined. We contribute an in-depth analysis of publicly available Java deserialization vulnerabilities. Specifically, we experimentally assess the prerequisites for exploitation, using 46 different gadget chains on 244 JDK and 5,455 Java dependency versions. Previous research only covered 19 of these gadget chains. Furthermore, we develop a command line tool, Gadgecy, for lightweight detection of whether a given Java project contains dependency combinations that enable gadget chains. Using this tool, we conduct an analysis of 2,211 projects from the Apache Distribution directory and 400 well-known GitHub repositories. The outcome reveals that (1) deserialization exploits apply to recent JDK and library versions, (2) these gadget chains are not being fully reported, and (3) they are frequently present in popular Java projects (such as Apache Kafka or Hadoop).

Place, publisher, year, edition, pages
New York: Association for Computing Machinery (ACM), 2024. p. 28-37
Keywords [en]
dependency, deserialization, gadget chain, Java, serialization, vulnerability
National Category
Software Engineering; Computer Sciences
Identifiers
URN: urn:nbn:se:umu:diva-227817
DOI: 10.1145/3661167.3661176
Scopus ID: 2-s2.0-85197420952
ISBN: 9798400717017 (electronic)
OAI: oai:DiVA.org:umu-227817
DiVA id: diva2:1883988
Conference
28th International Conference on Evaluation and Assessment in Software Engineering, Salerno, Italy, June 18-21, 2024
Funder
Wallenberg AI, Autonomous Systems and Software Program (WASP)
Available from: 2024-07-12. Created: 2024-07-12. Last updated: 2024-07-12. Bibliographically approved.

Open Access in DiVA

fulltext (3512 kB)
File information
File name: FULLTEXT01.pdf
File size: 3512 kB
Checksum SHA-512: d39e11994502c95bcd97f3c4accdb8623fef590a1deff9027f17db5e9aa82e986543ee71fe21acb391aa2e880671270afbf983a37892836cc938fe0d3320a779
Type: fulltext
Mimetype: application/pdf

Other links

Publisher's full text; Scopus

Authority records

Kreyßig, Bruno; Bartel, Alexandre
