Welcome to OWASP AppSec 2018 USA; we look forward to seeing you in San Jose, CA.
Friday, October 12 • 10:15am - 10:50am
Better Deserialization Vulnerability Remediation with Automated Gadget Chain Discovery


Although vulnerabilities stemming from the deserialization of untrusted data have been understood for many years, unsafe deserialization continues to be a vulnerability class that isn't going away. Attention on Java deserialization vulnerabilities skyrocketed in 2015, when Frohoff and Lawrence published an RCE gadget chain in the Apache Commons library, and as recently as last year's Black Hat, Muñoz and Mirosh presented a survey of dangerous JSON deserialization libraries. While much research and automated detection technology has so far focused on the discovery of vulnerable entry points (i.e. code that deserializes untrusted data), finding a "gadget chain" to actually make the vulnerability exploitable has thus far been a largely manual exercise. In this talk I present a new technique for the automated discovery of deserialization gadget chains in Java, allowing defensive teams to quickly assess the significance of a deserialization vulnerability. This allows developers to properly prioritize remediation and weigh the tradeoff of potential exploits against refactoring an application's entire RPC mechanism. I will also present a FOSS toolkit developed to utilize this methodology, which has already been used to evaluate deserialization vulnerabilities in both internal applications and open source projects.

Speakers

Ian Haken

Senior Security Software Engineer, Netflix
I'm a senior security software engineer at Netflix, where I work on the platform security team to develop tools and services that defend the Netflix platform. Before working at Netflix, I spent two years as a security researcher at Coverity, where I developed defensive application security...



Friday October 12, 2018 10:15am - 10:50am PDT
Regency 1
Regency Ballroom 1, Advanced • Track 1