A Hybrid Analysis to Detect Java Serialisation Vulnerabilities

Serialisation related security vulnerabilities have recently been reported for numerous Java applications. Since serialisation presents both soundness and precision challenges for static analysis, it can be difficult for analyses to precisely pinpoint serialisation vulnerabilities in a Java library....

Celý popis

Uložené v:
Podrobná bibliografia
Vydané v:2020 35th IEEE/ACM International Conference on Automated Software Engineering (ASE) s. 1209 - 1213
Hlavní autori: Rasheed, Shawn, Dietrich, Jens
Médium: Konferenčný príspevok..
Jazyk:English
Vydavateľské údaje: ACM 01.09.2020
Predmet:
Fuzzing
Java
Java Serialisation
Libraries
Manuals
Program Analysis
Security
Security Analysis
Software engineering
Static analysis
ISSN:2643-1572
On-line prístup:Získať plný text
Tagy: Pridať tag
Žiadne tagy, Buďte prvý, kto otaguje tento záznam!
Popis
Shrnutí:Serialisation related security vulnerabilities have recently been reported for numerous Java applications. Since serialisation presents both soundness and precision challenges for static analysis, it can be difficult for analyses to precisely pinpoint serialisation vulnerabilities in a Java library. In this paper, we propose a hybrid approach that extends a static analysis with fuzzing to detect serialisation vulnerabilities. The novelty of our approach is in its use of a heap abstraction to direct fuzzing for vulnerabilities in Java libraries. This guides fuzzing to produce results quickly and effectively, and it validates static analysis reports automatically. Our approach shows potential as it can detect known serialisation vulnerabilities in the Apache Commons Collections library.
ISSN:2643-1572
DOI:10.1145/3324884.3418931