Synthesis of Java Deserialisation Filters from Examples
Kostyantyn Vorobyov, Francois Gauthier, Sora Bae, Padmanabhan Krishnan, Rebecca O'Donoghue
26 June 2022
Java natively supports serialisation and deserialisation, features that are necessary to enable distributed systems to exchange Java objects. Deserialisation of data from malicious sources can lead to security exploits, including remote code execution, because by default Java does not validate deserialised data. In the absence of validation, a carefully crafted payload can trigger arbitrary functionality. The state-of-the-art general mitigation strategy for deserialisation exploits in Java is deserialisation filtering, in which user-provided filters validate the contents of an object input stream before an object is deserialised.
In this paper we describe a novel technique called ds-prefix for automatic synthesis of deserialisation filters (as regular expressions) from examples. We focus on synthesis of allowlists (permitted behaviours) as they provide a better level of security. Ds-prefix is based on deserialisation heuristics and specifically targets synthesis of deserialisation allowlists. We evaluate our approach by executing ds-prefix on popular open-source systems and show that ds-prefix can produce filters preventing real CVEs using a small number of training examples. We also compare our approach with other synthesis tools; the comparison demonstrates that ds-prefix outperforms existing tools and achieves better precision.
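The following is an added illustration, not code from the paper or from ds-prefix, of the workflow the abstract describes: deserialisation filtering in the JDK is done through `java.io.ObjectInputFilter` (JEP 290, Java 9 and later), which is consulted for every class descriptor and array in an object input stream before the corresponding object is created. The example records the classes seen while deserialising a trusted "training" stream, generalises them into a pattern allowlist, installs that allowlist with `ObjectInputFilter.Config.createFilter`, and shows that a class outside the allowlist is rejected before its `readObject` can run. The generalisation step (`synthesiseAllowlist`, one pattern per observed package plus a trailing `!*`) is a deliberately naive heuristic chosen for this example; it is an assumption here and is not the algorithm used by ds-prefix.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.math.BigInteger;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

/** Added example (not the paper's code): observe, synthesise, enforce a JEP 290 allowlist. */
public class AllowlistDemo {

    /** Application type that is legitimately deserialised (constructed for this example). */
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    static byte[] serialise(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    /** Training step: deserialise a trusted stream with a filter that only records what it sees. */
    static Set<String> observeClasses(byte[] trusted) throws IOException, ClassNotFoundException {
        Set<String> seen = new TreeSet<>();
        ObjectInputFilter recorder = info -> {
            // serialClass() is null for depth/reference/byte-count checks; only classes are recorded.
            if (info.serialClass() != null) {
                seen.add(info.serialClass().getName());
            }
            return ObjectInputFilter.Status.UNDECIDED; // observe only, never veto the trusted run
        };
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(trusted))) {
            in.setObjectInputFilter(recorder);
            in.readObject();
        }
        return seen;
    }

    /**
     * Toy synthesis heuristic (an assumption of this example, NOT ds-prefix's algorithm):
     * generalise each observed class to its package ("pkg.*"), keep classes in the unnamed
     * package by exact name, and reject everything else with a trailing "!*".
     */
    static String synthesiseAllowlist(Collection<String> observed) {
        Set<String> patterns = new TreeSet<>();
        for (String name : observed) {
            int dot = name.lastIndexOf('.');
            patterns.add(dot < 0 ? name : name.substring(0, dot) + ".*");
        }
        return String.join(";", patterns) + ";!*";
    }

    /** Enforcement step: the JDK pattern filter runs before any object of a class is instantiated. */
    static Object deserialiseWithFilter(byte[] data, String pattern)
            throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed training example: an ArrayList of Greeting objects.
        List<Greeting> trusted = new ArrayList<>();
        trusted.add(new Greeting("hello"));
        byte[] trainingExample = serialise(trusted);

        Set<String> observed = observeClasses(trainingExample);
        String pattern = synthesiseAllowlist(observed);
        System.out.println("observed: " + observed);
        System.out.println("filter:   " + pattern);

        Object accepted = deserialiseWithFilter(trainingExample, pattern);
        System.out.println("accepted: " + accepted.getClass().getName());

        // A Serializable class that never appeared in training is rejected by the "!*" clause.
        byte[] unexpected = serialise(BigInteger.TEN);
        try {
            deserialiseWithFilter(unexpected, pattern);
            System.out.println("unexpectedly accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac AllowlistDemo.java && java AllowlistDemo` on Java 9 or later. The trusted stream yields the classes `AllowlistDemo$Greeting` and `java.util.ArrayList`, so the synthesised filter is `AllowlistDemo$Greeting;java.util.*;!*`; the `BigInteger` stream fails with an `InvalidClassException` whose message reports the filter status as rejected. Note that generalising to a whole package also admits every other `java.util` class, which is exactly the precision problem a synthesis technique has to manage: a filter that is too broad leaves gadget-bearing classes reachable, while one that is too narrow breaks legitimate traffic.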
Venue: IEEE Computer Society Signature Conference on Computers, Software and Applications