A Hybrid Analysis to Detect Java Serialisation Vulnerabilities
Serialisation related security vulnerabilities have recently been reported for numerous Java applications. Since serialisation presents both soundness and precision challenges for static analysis, it can be difficult for analyses to precisely pinpoint serialisation vulnerabilities in a Java library....
Gespeichert in:
| Veröffentlicht in: | 2020 35th IEEE/ACM International Conference on Automated Software Engineering (ASE) S. 1209 - 1213 |
|---|---|
| Hauptverfasser: | , |
| Format: | Tagungsbericht |
| Sprache: | Englisch |
| Veröffentlicht: |
ACM
01.09.2020
|
| Schlagworte: | |
| ISSN: | 2643-1572 |
| Online-Zugang: | Volltext |
| Tags: |
Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
|
| Abstract | Serialisation related security vulnerabilities have recently been reported for numerous Java applications. Since serialisation presents both soundness and precision challenges for static analysis, it can be difficult for analyses to precisely pinpoint serialisation vulnerabilities in a Java library. In this paper, we propose a hybrid approach that extends a static analysis with fuzzing to detect serialisation vulnerabilities. The novelty of our approach is in its use of a heap abstraction to direct fuzzing for vulnerabilities in Java libraries. This guides fuzzing to produce results quickly and effectively, and it validates static analysis reports automatically. Our approach shows potential as it can detect known serialisation vulnerabilities in the Apache Commons Collections library. |
|---|---|
| AbstractList | Serialisation related security vulnerabilities have recently been reported for numerous Java applications. Since serialisation presents both soundness and precision challenges for static analysis, it can be difficult for analyses to precisely pinpoint serialisation vulnerabilities in a Java library. In this paper, we propose a hybrid approach that extends a static analysis with fuzzing to detect serialisation vulnerabilities. The novelty of our approach is in its use of a heap abstraction to direct fuzzing for vulnerabilities in Java libraries. This guides fuzzing to produce results quickly and effectively, and it validates static analysis reports automatically. Our approach shows potential as it can detect known serialisation vulnerabilities in the Apache Commons Collections library. |
| Author | Dietrich, Jens Rasheed, Shawn |
| Author_xml | – sequence: 1 givenname: Shawn surname: Rasheed fullname: Rasheed, Shawn email: s.rasheed@massey.ac.nz organization: Massey University,Palmerston North,New Zealand – sequence: 2 givenname: Jens surname: Dietrich fullname: Dietrich, Jens email: jens.dietrich@vuw.ac.nz organization: Victoria University of Wellington,Wellington,New Zealand |
| BookMark | eNotjktLxDAURqMoODPO2oWb_IGOSW6ax0Yo4-goAy58bIfb9BYitZUmCv33FnT1cThw-JbsrB96YuxKio2UurwBUNo5vQEtnQd5wtbeulkIMNY4fcoWymgoZGnVBVum9CFEOYNdsNuK76d6jA2veuymFBPPA7-jTCHzJ_xB_kJjxC4mzHHo-ft319OIdexijpQu2XmLXaL1_67Y2_3udbsvDs8Pj9vqUKDSNhfOkXCNDsr5GrQIEluPjiC0pBolgxXz14akIEBvICgtS-mDdmiU0oCwYtd_3UhEx68xfuI4Hb1yRhgDvwDrSR4 |
| CODEN | IEEPAD |
| ContentType | Conference Proceeding |
| DBID | 6IE 6IL CBEJK RIE RIL |
| DOI | 10.1145/3324884.3418931 |
| DatabaseName | IEEE Electronic Library (IEL) Conference Proceedings IEEE Xplore POP ALL IEEE Xplore All Conference Proceedings IEEE Electronic Library (IEL) IEEE Proceedings Order Plans (POP All) 1998-Present |
| DatabaseTitleList | |
| Database_xml | – sequence: 1 dbid: RIE name: IEL url: https://ieeexplore.ieee.org/ sourceTypes: Publisher |
| DeliveryMethod | fulltext_linktorsrc |
| Discipline | Computer Science |
| EISBN | 9781450367684 1450367682 |
| EISSN | 2643-1572 |
| EndPage | 1213 |
| ExternalDocumentID | 9286066 |
| Genre | orig-research |
| GroupedDBID | 29I 6IE 6IF 6IH 6IK 6IL 6IM 6IN 6J9 AAJGR AAWTH ABLEC ACREN ADYOE ADZIZ AFYQB ALMA_UNASSIGNED_HOLDINGS AMTXH APO BEFXN BFFAM BGNUA BKEBE BPEOZ CBEJK CHZPO IEGSK IPLJI M43 OCL RIE RIL |
| ID | FETCH-LOGICAL-a247t-88e08d4c289b340c1af9a8e3cfe2d21c70450de10e3a963c241519c48a62243a3 |
| IEDL.DBID | RIE |
| ISICitedReferencesCount | 16 |
| ISICitedReferencesURI | http://www.webofscience.com/api/gateway?GWVersion=2&SrcApp=Summon&SrcAuth=ProQuest&DestLinkType=CitingArticles&DestApp=WOS_CPL&KeyUT=000651313500109&url=https%3A%2F%2Fcvtisr.summon.serialssolutions.com%2F%23%21%2Fsearch%3Fho%3Df%26include.ft.matches%3Dt%26l%3Dnull%26q%3D |
| IngestDate | Wed Aug 27 02:33:27 EDT 2025 |
| IsPeerReviewed | false |
| IsScholarly | true |
| Language | English |
| LinkModel | DirectLink |
| MergedId | FETCHMERGED-LOGICAL-a247t-88e08d4c289b340c1af9a8e3cfe2d21c70450de10e3a963c241519c48a62243a3 |
| PageCount | 5 |
| ParticipantIDs | ieee_primary_9286066 |
| PublicationCentury | 2000 |
| PublicationDate | 2020-Sept. |
| PublicationDateYYYYMMDD | 2020-09-01 |
| PublicationDate_xml | – month: 09 year: 2020 text: 2020-Sept. |
| PublicationDecade | 2020 |
| PublicationTitle | 2020 35th IEEE/ACM International Conference on Automated Software Engineering (ASE) |
| PublicationTitleAbbrev | ASE |
| PublicationYear | 2020 |
| Publisher | ACM |
| Publisher_xml | – name: ACM |
| SSID | ssj0051577 ssj0002871035 |
| Score | 2.2991855 |
| Snippet | Serialisation related security vulnerabilities have recently been reported for numerous Java applications. Since serialisation presents both soundness and... |
| SourceID | ieee |
| SourceType | Publisher |
| StartPage | 1209 |
| SubjectTerms | Fuzzing Java Java Serialisation Libraries Manuals Program Analysis Security Security Analysis Software engineering Static analysis |
| Title | A Hybrid Analysis to Detect Java Serialisation Vulnerabilities |
| URI | https://ieeexplore.ieee.org/document/9286066 |
| WOSCitedRecordID | wos000651313500109&url=https%3A%2F%2Fcvtisr.summon.serialssolutions.com%2F%23%21%2Fsearch%3Fho%3Df%26include.ft.matches%3Dt%26l%3Dnull%26q%3D |
| hasFullText | 1 |
| inHoldings | 1 |
| isFullTextHit | |
| isPrint | |
| link | http://cvtisr.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwlV09SwMxGH5pi4NT1Vb8JoOj1-arl9wiiFqKQ-mg0q3kkvdAkFbqXcF_b5JeTwQXt5AsISF5nuf9BLj2-iynae6SNHUikTqziTEFJkiNx0vmgvMuNptQ06mez7NZC26aXBhEjMFnOAjD6Mt3K1sFU9kw4zrw7Ta0lVLbXK3GnhKYPxUN9fUwrVRdyofJ0VB44qC1HPhP2yM0-9VLJULJuPu_TRxA_ycnj8watDmEFi6PoLtrykDqN9qD2zsy-QppWGRXb4SUK_KAwVlAnszGkK1BrA7jIa_Veyg8HWNkvWruw8v48fl-ktRNEhLDpSoTrZFqJ60XTrmQ1DJTZEajsAVyx5lVnrNRh4yiMP6x2YDYLLNSm9SjtzDiGDrL1RJPgKicF0phxjGsjFRmPB3xksdar58Z0lPoheNYfGzrYCzqkzj7e_oc9nnQpjEe6wI65brCS9izm_Ltc30VL-8bcjyYnA |
| linkProvider | IEEE |
| linkToHtml | http://cvtisr.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwlV1NS8MwGH6ZU9DT1E38NgePdsvXmvQiiDqmzrHDlN1Gmr4FQVaZ3cB_b9J1FcGLt5BcQkLyPM_7CXDp9FlMwzgJwjARgdSRDYxJMUBqHF6yxDvvimYTajjUk0k0qsFVlQuDiEXwGbb9sPDlJ5ldeFNZJ-La8-0N2OxKydkqW6uyqHjuT0VFfh1QK1UW82Gy2xGOOmgt2-7bdhjNfnVTKcCk1_jfNnah9ZOVR0YV3uxBDWf70Fi3ZSDlK23C9Q3pf_lELLKuOELyjNyhdxeQR7M0ZGUSKwN5yOvi3ZeeLqJknW5uwUvvfnzbD8o2CYHhUuWB1kh1Iq2TTrGQ1DKTRkajsCnyhDOrHGujCTKKwrjnZj1ms8hKbUKH38KIA6jPshkeAlExT5XCiKNf6arIOELiRI-1TkEzpEfQ9Mcx_VhVwpiWJ3H89_QFbPfHz4Pp4GH4dAI73CvVIjrrFOr5fIFnsGWX-dvn_Ly4yG-WpZvj |
| openUrl | ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&rfr_id=info%3Asid%2Fsummon.serialssolutions.com&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=proceeding&rft.title=2020+35th+IEEE%2FACM+International+Conference+on+Automated+Software+Engineering+%28ASE%29&rft.atitle=A+Hybrid+Analysis+to+Detect+Java+Serialisation+Vulnerabilities&rft.au=Rasheed%2C+Shawn&rft.au=Dietrich%2C+Jens&rft.date=2020-09-01&rft.pub=ACM&rft.eissn=2643-1572&rft.spage=1209&rft.epage=1213&rft_id=info:doi/10.1145%2F3324884.3418931&rft.externalDocID=9286066 |