Java Deserialization Vulnerabilities
Exploitation Techniques and Mitigations
Sondre Fingann
Master's Thesis, Spring 2020
This master's thesis is submitted under the master's programme Programming and System Architecture, with programme option Information Security, at the Department of Informatics, University of Oslo. The scope of the thesis is 30 credits.
Abstract
The goal of this thesis is to provide an overview of the Java serialization API, of how an attacker can exploit its vulnerabilities using different techniques, and of which mitigation strategies can be employed to minimize the attack surface. An overview of the Serialization API, the requirements for serializing objects, release compatibility and the methods for customizing serialization and deserialization is provided as the background needed to understand its vulnerabilities. A short explanation of gadgets and gadget chains is provided, along with the approach for locating them within an application. Different exploitation techniques are presented, with examples that illustrate how they work. Mitigations that can be applied to reduce the attack surface of the application and the consequences of exploits are discussed. In the conclusion, a mitigation strategy is suggested that can help mitigate Java deserialization vulnerabilities.
Contents
Contents 3
List of Figures 5
List of Tables 7
1 Introduction 1
1.1 Research Goal 1
1.2 Introduction 1
1.3 Motivation 2
1.4 History of Java Serialization Attacks 3
1.5 Outline 5
2 Literature 7
2.1 Introduction 7
2.2 Timeline 7
2.3 Known Vulnerabilities 10
3 What is Java Serialization? 13
3.1 Introduction to Serialization 13
3.2 What is Serialized Data used for? 14
3.3 Release compatibility 16
3.4 Java Serialization 19
3.5 Java Deserialization 21
3.6 Serializable Interface 23
3.7 Externalizable interface 24
3.8 Java Serialization Format 24
4 Deserialization vulnerabilities 29
4.1 Introduction 29
4.2 Java Deserialization Magic Methods 30
4.3 Deserialization Gadgets 30
4.4 Locating Deserialization Gadgets 32
4.5 The Classpath 33
4.6 Deserialization Techniques 34
4.7 Example 1 - Variable Modification Attack 35
4.8 Example 2 - Polymorphism Attack 40