Automatic generation of deserialisation gadgets via fuzzing

Project

Automatic generation of deserialisation gadgets via fuzzing

Principal Investigator

École polytechnique fédérale de Lausanne ‐ EPFL

Oracle Fellowship Recipient

Prashast Srivastava

Oracle Principal Investigator

Cristina Cifuentes, Vice President, Software Assurance
Francois Gauthier, Consulting Researcher
Kostyantyn Vorobyov, Principal Researcher

Summary

Deserialization is an integral part of data processing in business-critical systems, where object hierarchies are serialized and transferred between two endpoints. Deserialization gadgets pose a major threat to modern Java frameworks. During stream deserialization, objects of the classes named in the stream are instantiated, allowing the application to work with these objects as if they had been created "locally". Deserialization attacks abuse this mechanism by supplying a manually crafted object stream that triggers attacker-controlled code execution. In this project we will build a framework that automatically detects deserialization gadgets via fuzzing, allowing developers to proactively secure their systems against 0-day deserialization gadgets before an attacker can use them.
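The instantiation step described above is what makes a crafted stream dangerous, and it is also where the standard JDK defence sits. The following Java 9+ program is an added illustration, not code from this project: it serializes a class the application expects (`Order`, constructed for the example) and shows an `ObjectInputFilter` allowlist rejecting a stream that names any other class before that class is instantiated.

```java
import java.io.*;

public class DeserializationFilterDemo {

    // A plain data class the application legitimately expects on the wire (constructed for this demo).
    public static class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        final int quantity;
        Order(String id, int quantity) { this.id = id; this.quantity = quantity; }
    }

    // Serialize any object to bytes; stands in for the untrusted stream an endpoint receives.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Deserialize behind an allowlist: only Order (plus java.lang.String for its field) may be
    // instantiated; "!*" rejects every other class name the stream may carry, so no constructor,
    // readObject or other gadget entry point of an unexpected class ever runs.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "DeserializationFilterDemo$Order;java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected class: accepted.
        byte[] ok = serialize(new Order("A-1", 3));
        Order o = (Order) deserializeFiltered(ok);
        System.out.println("accepted: " + o.id + " x" + o.quantity);

        // A stream naming a class outside the allowlist (an empty HashMap here, used only as a
        // stand-in for any unexpected class) is rejected with an InvalidClassException.
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());
        try {
            deserializeFiltered(unexpected);
            System.out.println("unexpectedly accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter is consulted for every class descriptor read from the stream, which is why a gadget chain built from classes the application never expects cannot get as far as instantiation.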