Automatic generation of deserialisation gadgets via fuzzing
Principal Investigator
École polytechnique fédérale de Lausanne ‐ EPFL
Oracle Fellowship Recipient
Prashast Srivastava
Oracle Principal Investigator
Cristina Cifuentes, Vice President, Software Assurance
Francois Gauthier, Consulting Researcher
Kostyantyn Vorobyov, Principal Researcher
Summary
Deserialization is an integral part of data processing in business-critical systems, where object hierarchies are serialized and transferred between two endpoints. Deserialization gadgets pose a major threat to modern Java frameworks. During stream deserialization, objects of the classes named in the stream are instantiated, allowing the application to work with these objects as if they had been created "locally". Deserialization attacks abuse this mechanism by supplying a hand-crafted object stream that triggers attacker-controlled code execution. In this project we will build a framework that automatically detects deserialization gadgets via fuzzing, allowing developers to proactively secure their systems against 0-day deserialization gadgets before an attacker can use them.
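As an added illustration of the mechanism the summary describes (this is not code from the project), the following Java program shows that an unfiltered `ObjectInputStream` instantiates whatever classes the stream names and runs their `readObject`, and that a JEP 290 `ObjectInputFilter` allow-list rejects the stream before that happens; the class names `Greeting` and `UnexpectedType` are constructed for the example.

```java
import java.io.*;

// Added example, not the project's code: unfiltered vs. allow-listed deserialisation.
public class DeserialisationFilterDemo {

    // The only type the receiving side legitimately expects.
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Constructed stand-in for a class the receiver never asked for. Any Serializable
    // class on the classpath can be named in a stream, and its readObject runs during
    // deserialisation; here the side effect is just a log line.
    static final class UnexpectedType implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("readObject ran for a class the receiver never asked for");
        }
    }

    static byte[] serialise(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Unfiltered: every class name carried by the stream is resolved and instantiated.
    static Object readUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    // Filtered: only Greeting and java.base types may be resolved; any other class name
    // rejects the stream with InvalidClassException before readObject can run.
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                "DeserialisationFilterDemo$Greeting;java.base/*;!*"));
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        readUnfiltered(serialise(new UnexpectedType()));   // side effect runs
        System.out.println(((Greeting) readFiltered(serialise(new Greeting("hi")))).text);
        try { readFiltered(serialise(new UnexpectedType())); }   // rejected by the filter
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Requires Java 9 or later for `setObjectInputFilter`; the same allow-list can be applied process-wide with the `jdk.serialFilter` system property.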