Analyzing prerequisites of known deserialization vulnerabilities on Java applications
Umeå University, Faculty of Science and Technology, Department of Computing Science.
Umeå University, Faculty of Science and Technology, Department of Computing Science. ORCID iD: 0000-0003-1383-0372
2024 (English) In: EASE '24: proceedings of the 28th international conference on evaluation and assessment in software engineering, New York: Association for Computing Machinery (ACM), 2024, pp. 28-37. Conference paper, published paper (peer-reviewed)
Abstract [en]

We analyze known deserialization exploits targeting applications developed in the Java programming language. As previous research implies, fully comprehending this type of vulnerability is no easy task due to the complexity of exploitation, which mostly relies on so-called gadget chains. Even for known gadget chains, knowledge about their prerequisites is rather limited. In particular, the full range of external library versions that add exploitable gadgets to the Java classpath was formerly only partially examined. We contribute an in-depth analysis of publicly available Java deserialization vulnerabilities. Specifically, we experimentally assess the prerequisites for exploitation, using 46 different gadget chains on 244 JDK and 5,455 Java dependency versions. Previous research only covered 19 of these gadget chains. Furthermore, we develop a command line tool, Gadgecy, for lightweight detection of whether a given Java project contains dependency combinations that enable gadget chains. Using this tool, we conduct an analysis of 2,211 projects from the Apache Distribution directory and 400 well-known GitHub repositories. The outcome reveals that (1) deserialization exploits apply to recent JDK and library versions, (2) these gadget chains are not being fully reported, and (3) they are frequently present in popular Java projects (such as Apache Kafka or Hadoop).

Place, publisher, year, edition, pages
New York: Association for Computing Machinery (ACM), 2024. pp. 28-37
Keywords [en]
dependency, deserialization, gadget chain, Java, serialization, vulnerability
National subject category
Software Engineering; Computer Sciences
Identifiers
URN: urn:nbn:se:umu:diva-227817
DOI: 10.1145/3661167.3661176
ISI: 001253340600009
Scopus ID: 2-s2.0-85197420952
ISBN: 9798400717017 (digital)
OAI: oai:DiVA.org:umu-227817
DiVA id: diva2:1883988
Conference
28th International Conference on Evaluation and Assessment in Software Engineering, Salerno, Italy, June 18-21, 2024
Research funder
Wallenberg AI, Autonomous Systems and Software Program (WASP)
Available from: 2024-07-12 Created: 2024-07-12 Last updated: 2025-04-24 Bibliographically reviewed

Open Access in DiVA

fulltext (3512 kB), 658 downloads
File information
File name: FULLTEXT01.pdf
File size: 3512 kB
Checksum SHA-512: d39e11994502c95bcd97f3c4accdb8623fef590a1deff9027f17db5e9aa82e986543ee71fe21acb391aa2e880671270afbf983a37892836cc938fe0d3320a779
Type: fulltext
MIME type: application/pdf

Other links

Publisher's full text; Scopus

Authors

Kreyßig, Bruno; Bartel, Alexandre
