Preventing Deserialization attacks in Java applications
Tuesday 11:15 a.m.–11:45 a.m.
Target audience: Developer
Recent research by Chris Frohoff and Gabriel Lawrence has exposed gadget chains in various libraries that allow code to be executed during object deserialization in Java. They've done some excellent research, including publishing some code that allows anyone to serialize a malicious payload that when deserialized runs the operating system command of their choice, as the user which started the Java Virtual Machine (JVM). The vulnerabilities are not with the gadget chains themselves but with the code that deserializes them.
There are couple of ways in which this type of attack on the JVM can be mitigated:
- not deserializing untrusted objects;
- not having the classes used in the 'gadget chain' in the classpath;
- running the JVM as a non-root operating system user, with reduced privileges;
- egress filtering not allowing any outbound traffic other than that matching a connection for which the firewall already has an existing state table entry.
In this talk we'll explore each of these in detail, using JBoss EAP as a example of how these mitigations can be introduced.
Jason Shepherd, @jazinner has over 8 years experience as a software developer working with Java Enterprise technologies. In 2013 Jason authored a series of videos published by Packt Publishing on JBoss Enterprise Application Platform. In 2015 Jason moved from the Technical Support team at Red Hat to the Product Security team where he now focuses on Java EE security full time.