RASPunzel for deserialization in 5 min

Francois Gauthier

22 May 2021

In this talk, we show how data-driven allowlist synthesis can help prevent deserialization vulnerabilities, which often lead to remote code execution. Serialization converts an in-memory object into a persistent format (e.g. a byte stream, JSON, or XML); deserialization re-creates the object from that format. Serialization is built into many languages, including Java, Python, Ruby, and C#, and is commonly used to exchange data in distributed systems or across languages. In many cases, however, it can be exploited by crafting serialized payloads that trigger arbitrary code execution when they are deserialized. The most common defence against such attacks, blocklists, prevents deserialization of classes that are known to be abusable; it is insufficient because it protects only against known gadget classes. Allowlists instead restrict deserialization to known benign classes, but shift the burden of creating and maintaining the list from security practitioners to developers. In this talk, we show how data-driven allowlist synthesis combined with runtime application self-protection (RASP) greatly simplifies the creation and enforcement of allowlists while significantly improving security. Through a demo, we show how a RASP agent enforcing a synthesized allowlist prevents real-world deserialization attacks without altering or re-compiling the application code.
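The two halves of the approach the abstract describes, synthesizing an allowlist from observed benign traffic and enforcing it at the deserialization hook, as an added example that is not part of the talk or of RASPunzel. It uses Python's pickle rather than Java serialization: `Unpickler.find_class` is the point every class reference passes through, the same choke point a RASP agent instruments in a JVM. The `Order` type, the payload bytes, and all class and function names are constructed for the illustration. A blocklist policy is run against the same payloads to show why it falls short.

```python
"""Data-driven allowlist for pickle deserialization, enforced in the load hook.

Added example, not from the talk or RASPunzel: phase 1 records the
(module, name) pairs that benign payloads resolve during deserialization;
phase 2 installs that set as the policy in Unpickler.find_class, the single
point every class reference passes through and the natural place for a
runtime hook.  A blocklist policy is run against the same payloads to show
why it is insufficient.
"""
import io
import pickle
from dataclasses import dataclass


@dataclass
class Order:
    """A benign application type (constructed for the example)."""
    order_id: int
    items: list


class DeserializationBlocked(pickle.UnpicklingError):
    def __init__(self, module, name):
        super().__init__(f"refused to resolve {module}.{name}")
        self.target = f"{module}.{name}"


class RecordingUnpickler(pickle.Unpickler):
    """Phase 1 (synthesis): record every global a benign payload resolves."""

    def __init__(self, data, observed):
        super().__init__(io.BytesIO(data))
        self.observed = observed

    def find_class(self, module, name):
        self.observed.add((module, name))
        return super().find_class(module, name)


class PolicyUnpickler(pickle.Unpickler):
    """Phase 2 (enforcement): consult a policy before resolving any global."""

    def __init__(self, data, policy):
        super().__init__(io.BytesIO(data))
        self.policy = policy

    def find_class(self, module, name):
        if not self.policy(module, name):
            raise DeserializationBlocked(module, name)
        return super().find_class(module, name)


def synthesize_allowlist(benign_payloads):
    """Union of the globals resolved while loading known-good payloads."""
    observed = set()
    for payload in benign_payloads:
        RecordingUnpickler(payload, observed).load()
    return frozenset(observed)


def evaluate(payload, policy):
    """('allowed', obj) if the payload loads under the policy, else ('blocked', target)."""
    try:
        return ("allowed", PolicyUnpickler(payload, policy).load())
    except DeserializationBlocked as exc:
        return ("blocked", exc.target)


# Constructed traffic: BENIGN is what the application legitimately exchanges.
BENIGN = [pickle.dumps(Order(7, ["widget"])), pickle.dumps(Order(8, []))]

# Hand-written protocol-0 payloads: `c` (GLOBAL) resolves module.name and
# `R` (REDUCE) calls it with the tuple below it.  The first is the classic
# os.system gadget.  The second makes the same kind of attacker-chosen call
# through a function the blocklist never listed; os.getcwd is used so the
# demo has no side effects, a real attacker would pick subprocess.Popen.
OS_SYSTEM_PAYLOAD = b"cos\nsystem\n(S'echo pwned'\ntR."
UNLISTED_CALL_PAYLOAD = b"cos\ngetcwd\n)R."

ALLOWLIST = synthesize_allowlist(BENIGN)
KNOWN_GADGETS = {("os", "system")}


def allowlist_policy(module, name):
    return (module, name) in ALLOWLIST


def blocklist_policy(module, name):
    return (module, name) not in KNOWN_GADGETS


if __name__ == "__main__":
    print("synthesized allowlist:", sorted(ALLOWLIST))
    for label, payload in [("benign", BENIGN[0]),
                           ("os.system gadget", OS_SYSTEM_PAYLOAD),
                           ("unlisted call", UNLISTED_CALL_PAYLOAD)]:
        print(f"{label:18} allowlist={evaluate(payload, allowlist_policy)[0]:8}"
              f" blocklist={evaluate(payload, blocklist_policy)[0]}")
```

Both policies refuse the os.system gadget, but only the allowlist refuses the call the blocklist author never anticipated, because the decision is made before any class is resolved and the policy never has to know what the attacker will reach for. The cost is the one the abstract names: the synthesized allowlist is only as complete as the benign traffic it was recorded from, so a legitimate class that never appeared during recording is refused at runtime until the list is regenerated.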


Venue: IEEE Symposium on Security and Privacy 2021