Java反序列化漏洞介绍书籍

Java Deserialization

Vulnerabilities

Exploitation Techniques and Mitigations

Sondre Fingann

Master’s Thesis, Spring 2020

This master’s thesis is submitted under the master’s programme Programming

and System Architecture, with programme option Information Security, at the

Department of Informatics, University of Oslo. The scope of the thesis is 30

credits.

deserialization is provided to give the necessary background information to

understand its vulnerabilities. A short explanation of gadgets and gadget chains

is provided, along with the approach for locating them within an application.

Different exploitation techniques are presented and examples are provided to

illustrate how they work. Mitigations that can be applied to reduce the attack

surface of the application and the consequence of exploits are discussed. In

the conclusion a mitigation strategy is suggested that can help mitigate Java

deserialization vulnerabilities.

1

Contents

1.3 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

1.4 History of Java Serialization Attacks . . . . . . . . . . . . . . 3

1.5 Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

2 Literature 7

2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

2.2 Timeline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

2.3 Known Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . 10

3 What is Java Serialization? 13

3.1 Introduction to Serialization . . . . . . . . . . . . . . . . . . . 13

3.2 What is Serialized Data used for? . . . . . . . . . . . . . . . . 14

4 Deserialization vulnerabilities 29

4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

4.2 Java Deserialization Magic Methods . . . . . . . . . . . . . . . 30

4.3 Deserialization Gadgets . . . . . . . . . . . . . . . . . . . . . . 30

4.4 Locating Deserialization Gadgets . . . . . . . . . . . . . . . . 32

4.5 The Classpath . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

4.6 Deserialization Techniques . . . . . . . . . . . . . . . . . . . . 34

4.7 Example 1 - Variable Modification Attack . . . . . . . . . . . 35

4.8 Example 2 - Polymorphism Attack . . . . . . . . . . . . . . . 40

3