deserialization of untrusted data in java
play

Deserialization of untrusted data in Java Analysis, current - PowerPoint PPT Presentation

Jun 06, 2023 •126 likes •587 views

Deserialization of untrusted data in Java Analysis, current solutions & a new approach Apostolos Giannakidis OWASP London Meetup @apgiannakidis 18th May 2017 1 Whois Security Architect at Waratek Application security

  1. Deserialization of untrusted data in Java Analysis, current solutions & a new approach Apostolos Giannakidis OWASP London Meetup @apgiannakidis 18th May 2017 1

  2. Whois • Security Architect at Waratek • Application security • Vulnerability and exploit research • R&D exploit mitigation • Product development • Over a decade of professional experience in software and security • MSc Computer Science 2

  3. Agenda • Java serialization basics • Deserialization of untrusted data • Understanding the vulnerability and the exploits • Common misconceptions • Known mitigations and their limitations • A new mitigation approach using runtime virtualization • Q & A 3

  4. Serialization 101 4

  5. Use Cases • Remote / Interprocess Communication (RPC/IPC) • Message Brokers • Caching • Tokens / Cookies • RMI • JMX • JMS 5

  6. Serialization Format • Data only • Class metadata •Names of data types •Names of object fields • Object field values 6

  7. Serializable is not easy ” Allowing a class’s instances to be serializable can be as simple as adding the words “implements Serializable” to the class. This is a common misconception, the truth is far more complex . ” - Joshua Bloch Effective Java 7

  8. Serializable makes objects untrusted • Serializable creates: • a public hidden constructor • a public interface to all fields of that class • Deserialization is Object Creation and Initialization • Without invoking the actual class’s constructor • Treat it as a Constructor • Apply same input validation, invariant constraints, and security permissions • Before any of its methods is invoked ! 8

  9. Serializable is a commitment • Audit your Serializable classes • Create a Threat Model • Class definitions evolve • Re-evaluate threat models on every new class version • Document all deserialization end-points 9

  10. Attacking Java Serialization Focus on attack techniques found by Gabriel Lawrence, Chris Frohoff, Steve Breen, Matthias Kaiser, Alvaro Muñoz • Integrity • RCE via gadget chains • Availability • DoS via gadget chains 10

  11. Misconception #1 My app does not use serialization, so I am safe • Custom Java App • 3rd party libs (Apache Commons, Spring, Log4j, etc.) • Middleware (IBM WebSphereMQ, Oracle OpenMQ, Apache ActiveMQ, JBoss EAP, etc.) • App Server (Oracle WebLogic, IBM WebSphere, etc.) 11

  12. Who is affected? ● Oracle ● VMWare ● Red Hat ● Cisco ● Apache ● Pivotal ● IBM ● Atlassian ● Symantec ● Jenkins Virtually everyone! 12

  13. Deserialization of untrusted data (CWE-502) InputStream untrusted = request.getInputStream(); ObjectInputStream ois = new ObjectInputStream( untrusted ); SomeObject deserialized = (SomeObject) ois. readObject() ; • What is the problem here? • Any available class can be deserialized • Calling ObjectInputStream.readObject() using untrusted data can result in malicious behavior • Arbitrary code execution •Denial of Service •Remote command execution • Malware / Ransomware infection 13

  14. SFMTA Ransomware Incident • San Francisco Municipal Transportation Agency • Ransomware infection via Java Deserialization RCE • ~ 900 computers • $559k in fares daily loss • Exfiltrated 30GB of files Source: https://www.thesslstore.com, https://arstechnica.com 14

  15. Misconception #2 I am deserializing trusted data, so I am safe • What is trusted data? • Sources that are trusted today may not be tomorrow 15

  16. Abusing Java Deserialization • Attackers find dangerous classes available in the system • Not necessarily used by the system • Dangerous classes (NOT necessarily vulnerable) • extend Serializable or Externalizable • utilize their member fields during or after deserialization • no input validation • Known as gadget classes • JRE, App Servers, common libraries, frameworks, Apps • e.g., Apache Commons Collections InvokerTransformer 16

  17. Misconception #3 ACC InvokerTransformer is on my ClassPath, therefore I am vulnerable • Not a vulnerability of the ACC InvokerTransformer • The vulnerability is the deserialization of untrusted data • The InvokerTransformer simply made the vulnerability exploitable 17

  18. Unrealistic Gadget public class SomeClass implements Serializable { private String cmd; private void readObject( ObjectInputStream stream ) throws Exception { stream.defaultReadObject(); Runtime.getRuntime().exec( cmd ); } } 18

  19. Unrealistic Gadget Remote Shell public class SomeClass implements Serializable { private String cmd; By Design! private void readObject( ObjectInputStream stream ) throws Exception { stream.defaultReadObject(); Runtime.getRuntime().exec( cmd ); } } 19

  20. Chaining Gadgets together • Attackers create chains of method calls • Known as gadget chains • Abuse the deserialization logic • Gadget Chains are self-executing • Triggered by the JVM during or after deserialization • Their goal is to exhibit malicious behavior 20

  21. Gadget Chain Creation • Gadget chain creation is like a game of Scrabble • Gadgets are letters of the words • Gadget chains are words • correct words win the game • The more classes you have loaded • the more letters you have • more chances to create words • more likely to be exploitable 21

  22. Do It Yourself • Ysoserial, by Chris Frohoff • PoC payload generation tool • Tens of ready-to-use gadgets • https://github.com/frohoff/ysoseri al/ 22

  23. Possible Mitigations • Avoid object serialization • WAFs / Firewalls • Custom Java Security Manager • Filter trusted / untrusted classes • Blacklisting • Whitelisting 23

  24. Avoid Object Serialization • Recommended • Redesign / re-architect the software Existing Mitigations • But you may still be vulnerable • Deserialization may still occur in components you don’t control 24

  25. WAFs / Firewalls • Block ports and apply basic heuristics • Can produce false positives Existing Mitigations • Lack visibility of the runtime • Runtime provides full context • Protection should be in the runtime 25

  26. Checking WAFs for False Positives HashMap<String, String> map = new HashMap<>(); Existing Mitigations map.put( “org.apache.commons.collections.functors.InvokerTransformer”, “calc.exe” ); FileOutputStream file = new FileOutputStream( "out.bin" ); ObjectOutputStream out = new ObjectOutputStream(file); out.writeObject( map ); out.close(); 26

  27. Filter Untrusted Classes - Blacklisting • Always a bad idea • Never complete Existing Mitigations • False sense of security • Requires profiling • Not possible if gadget class is needed • Can be bypassed (see A.Muñoz & C.Schneider Serial Killer: Silently Pwning Your Java Endpoints) 27

  28. Filter Trusted Classes - Whitelisting • Better approach than Blacklisting • Requires profiling Existing Mitigations • Difficult to configure • No protection if gadget class is needed • May not protect against Golden Gadget s • SerialDoS • SerialDNSDoS • <= JRE 1.7u21 • Many more... 28

  29. Maintaining lists is a commitment • Whitelists may need to be updated on new releases • Blacklists must be updated on every new gadget Existing Mitigations • Forgetting to whitelist a class breaks your app • Forgetting to blacklist a class makes you vulnerable 29

  30. Risk-based Management using whitelists • Who should be responsible for their maintenance? • Difficult to apply risk-based managemen t Existing Mitigations • How should a class’s risk profile be assessed? • Devs understand code • Security teams understand operations 30

  31. Whitelisting is not easy • Dev asks Security team to whitelist a new class: SomeClass Existing Mitigations class SomeClass extends BaseClass { // nothing suspicious } • Security team whitelists the class 31

  32. Whitelisting is not easy • Dev asks Security team to whitelist a new class: SomeClass Existing Mitigations class SomeClass extends BaseClass { // nothing suspicious } • Security team whitelists the class class BaseClass extends HashMap { } • Vulnerable to SerialDoS 32

  33. JEP 290 - Serialization Filtering • White / Black listing approach • 3 types of filters Existing Mitigations • Global Filter • Specific Filter • Built-in Filters • Graph and Stream Limits • Patterns to whitelist classes and package 33

  34. Custom Java Security Manager • Always a good idea • It’s a type of whitelisting Existing Mitigations • Requires profiling • Difficult to configure • Can be bypassed • Deserialization payload can unset the Security Manager • See ZoneInfo Exploit (CVE-2008-5353) • Does not protect against some DoS attacks • Does not protect against deferred attacks (such as finalize()) 34

  35. Apache Commons Collections Gadget Chain ObjectInputStream.readObject() AnnotationInvocationHandler.readObject() Map(Proxy).entrySet() AnnotationInvocationHandler.invoke() LazyMap.get() ChainedTransformer.transform() ... Method.invoke() Runtime.getRuntime() InvokerTransformer.transform() Method.invoke() Source: Chris Frohoff Marshalling Pickles Runtime.exec() AppSecCali 2015 35

  36. JRE 1.7u21 Gadget Chain LinkedHashSet.readObject() ... LinkedHashSet.add() ... Proxy(Templates).equals() ... ClassLoader.defineClass() Class.newInstance() ... Runtime.exec() Source: Chris Frohoff ysoserial 36

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Simulated Pointers Limitations Of Java Pointers May be used for internal data structures

Simulated Pointers Limitations Of Java Pointers May be used for internal data structures

Simulated Pointers Limitations Of Java Pointers May be used for internal data structures only. Data structure backup requires serialization and deserialization. No arithmetic. Simulated-Pointer Memory Layout c a e d b Data

1.12k views • 13 slides
Object lessons Deserialization after Apache Commons Collections T i m J a r r e t t , N o v e m

Object lessons Deserialization after Apache Commons Collections T i m J a r r e t t , N o v e m

Object lessons Deserialization after Apache Commons Collections T i m J a r r e t t , N o v e m b e r 2 0 1 6 Who am I? @tojarrett Over 20 years in the software business At Veracode since 2008 Grammy award winner Bacon

692 views • 24 slides
Chip-Secured Data Access: Confidential Data on Untrusted Servers L. Bouganim, P. Pucheral

Chip-Secured Data Access: Confidential Data on Untrusted Servers L. Bouganim, P. Pucheral

Chip-Secured Data Access: Confidential Data on Untrusted Servers L. Bouganim, P. Pucheral University of Versailles The need for Open Trusted Data Stores PAGE 2 Virtual teams distributed among space, time and organizations

394 views • 12 slides
Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras

Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras

Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras Untrusted Programs Untrusted Application Entire Application untrusted Part of application untrusted Modules or library untrusted

797 views • 46 slides
CSE 510 Web Data Engineering Java Beans UB CSE 510 Web Data Engineering What is a Java Bean?

CSE 510 Web Data Engineering Java Beans UB CSE 510 Web Data Engineering What is a Java Bean?

CSE 510 Web Data Engineering Java Beans UB CSE 510 Web Data Engineering What is a Java Bean? Simply a class wrapping some data and meets certain restrictions Three components: Default constructor (no arguments) Private

280 views • 11 slides
JAVA Java vs. Java Java Language Specification

JAVA Java vs. Java Java Language Specification

BR 10/05 JAVA Java vs. Java Java Language Specification http://java.sun.com/docs/books/jls/second_edition/html/j.title.doc.html Java programming language is compiled into java byte code Java Virtual Machine Specification

1.07k views • 44 slides
Data Structures in Java Java Review 9/14/2015 Daniel Bauer and Larry Stead 1 Disclaimer

Data Structures in Java Java Review 9/14/2015 Daniel Bauer and Larry Stead 1 Disclaimer

Data Structures in Java Java Review 9/14/2015 Daniel Bauer and Larry Stead 1 Disclaimer This Data Structures class (and Jarvis!) uses Java 8. Java Review - Contents (1) Writing and Running Java Programs. Structure of a Program:

745 views • 57 slides
Data Structures in Java Lecture 3: ADTs in Java. 9/16/2015 Daniel Bauer 1 Today ADTs and

Data Structures in Java Lecture 3: ADTs in Java. 9/16/2015 Daniel Bauer 1 Today ADTs and

Data Structures in Java Lecture 3: ADTs in Java. 9/16/2015 Daniel Bauer 1 Today ADTs and Data Structures in Java (Generics, Interfaces etc., Java Standard Library) Linked List Implementation. Binary Search Example. Recitation

458 views • 27 slides
Introduction to Java Chapters 1 and 2 The Java Language Section 1.1 Data &amp; Expressions

Introduction to Java Chapters 1 and 2 The Java Language Section 1.1 Data &amp; Expressions

Introduction to Java Chapters 1 and 2 The Java Language Section 1.1 Data &amp; Expressions Sections 2.1 2.5 Instructor: Scott Kristjanson CMPT 125/125 SFU Burnaby, Fall 2013 Scope 2 Introduce the Java programming language

725 views • 61 slides
Protecting Data in Untrusted Locations An exercise in Real World threat modeling. Jan

Protecting Data in Untrusted Locations An exercise in Real World threat modeling. Jan

Protecting Data in Untrusted Locations An exercise in Real World threat modeling. Jan Schaumann 99CE 1DC7 770A C5A8 09A6 @jschauma 0DCD 66CE 4FE9 6F6B D3D7 Me. Errday. Obligatory James Mickens This World of Ours reference.

714 views • 40 slides
CSE 510 Web Data Engineering Java Server Pages (JSPs) UB CSE 510 Web Data Engineering Java

CSE 510 Web Data Engineering Java Server Pages (JSPs) UB CSE 510 Web Data Engineering Java

CSE 510 Web Data Engineering Java Server Pages (JSPs) UB CSE 510 Web Data Engineering Java Server Pages: Embedding Java Code in Static Content 2 UB CSE 510 Web Data Engineering Why JSPs? Need to separate the business logic

439 views • 31 slides
Learning from Untrusted Data Moses Charikar, Jacob Steinhardt, Gregory Valiant Symposium on the

Learning from Untrusted Data Moses Charikar, Jacob Steinhardt, Gregory Valiant Symposium on the

Learning from Untrusted Data Moses Charikar, Jacob Steinhardt, Gregory Valiant Symposium on the Theory of Computing June 19, 2017 (Icon credit: Annie Lin) Motivation: data poisoning attacks: 1 (Icon credit: Annie Lin) Motivation: data

621 views • 48 slides
Hails: Protecting Data Privacy in Untrusted Web Applications Daniel B. Giffin, Amit Levy, Deian

Hails: Protecting Data Privacy in Untrusted Web Applications Daniel B. Giffin, Amit Levy, Deian

Hails: Protecting Data Privacy in Untrusted Web Applications Daniel B. Giffin, Amit Levy, Deian Stefan, David Terei, John Mitchell, David Mazires, and Alejandro Russo Web platforms are great ! They allow third-party developers to build apps

714 views • 54 slides
Learning the Java Language Based on The Java Tutorial

Learning the Java Language Based on The Java Tutorial

Learning the Java Language Based on The Java Tutorial (http://docs.oracle.com/javase/tutorial/java/) Bryn Mawr College CS206 Intro to Data Structures Language Basics Variables Operators Expressions, Statements and Blocks

415 views • 20 slides
Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006)

Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006)

Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006) Java 7 (2010) Other topics Basic concurrency in Java Java Memory Model describes how threads interact through memory Single thread

812 views • 34 slides
HOW TO USE JAVA STREAMS TO ACCESS EXISTING DATA WITH ULTRA-LOW LATENCY PER MINBORG, CTO,

HOW TO USE JAVA STREAMS TO ACCESS EXISTING DATA WITH ULTRA-LOW LATENCY PER MINBORG, CTO,

HOW TO USE JAVA STREAMS TO ACCESS EXISTING DATA WITH ULTRA-LOW LATENCY PER MINBORG, CTO, SPEEDMENT, INC. WHO AM I? Serial Entrepreneur +15 US Patents Java Expert Palo Alto Minborgs Java Pot TITLE OF SLIDE GOES HERE

609 views • 43 slides
How testable is Business Software? Peter Schrammel What is this talk about? Desire for software

How testable is Business Software? Peter Schrammel What is this talk about? Desire for software

How testable is Business Software? Peter Schrammel What is this talk about? Desire for software that has fewer bugs Focus on non-safety-critical software Great techniques developed by formal methods, programming languages and

454 views • 41 slides
Practical Mostly-Static Information Flow Control Andrew Myers MIT Lab for Computer Science

Practical Mostly-Static Information Flow Control Andrew Myers MIT Lab for Computer Science

Practical Mostly-Static Information Flow Control Andrew Myers MIT Lab for Computer Science Privacy Old problem (secrecy, confidentiality) : prevent programs from leaking data Untrusted, downloaded code: more important Standard

891 views • 23 slides
Defining methods Defining methods Method header: type name ( parameter declarations )

Defining methods Defining methods Method header: type name ( parameter declarations )

Defining methods Defining methods Method header: type name ( parameter declarations ) type refers to the result of the method May be any primitive type, any class, or void If not void , statements in the method body must

292 views • 11 slides
Reagents: Functional programming meets scalable concurrency Aaron Turon Northeastern University

Reagents: Functional programming meets scalable concurrency Aaron Turon Northeastern University

Reagents: Functional programming meets scalable concurrency Aaron Turon Northeastern University Saturday, November 10, 12 Concurrency Parallelism Concurrency is overlapped execution of processes. Parallelism is simultaneous execution of

958 views • 94 slides
Programming Languages Function-Closure Idioms More idioms We know the rule for lexical scope

Programming Languages Function-Closure Idioms More idioms We know the rule for lexical scope

Programming Languages Function-Closure Idioms More idioms We know the rule for lexical scope and function closures Now what is it good for A partial but wide-ranging list: Pass functions with private data to iterators: Done

405 views • 25 slides
Lecture #14 and 15: Object-Oriented Programming http://inst.eecs.berkeley.edu/~cs88

Lecture #14 and 15: Object-Oriented Programming http://inst.eecs.berkeley.edu/~cs88

Computational Structures in Data Science Lecture #14 and 15: Object-Oriented Programming http://inst.eecs.berkeley.edu/~cs88 Computational Concepts Toolbox Data type: values, literals, Higher Order Functions operations, Functions

260 views • 23 slides
Strategic Automated Software Testing in the Absence of Specifications Tao Xie Dept. of Computer

Strategic Automated Software Testing in the Absence of Specifications Tao Xie Dept. of Computer

Strategic Automated Software Testing in the Absence of Specifications Tao Xie Dept. of Computer Science &amp; Engineering University of Washington Parasoft Co. Nov. 2004 1 Motivation How do we generate useful tests automatically?

714 views • 42 slides
Exploring Lightweight Event Sourcing Erik Rozendaal &lt;erozendaal@zilverline.com&gt;

Exploring Lightweight Event Sourcing Erik Rozendaal &lt;erozendaal@zilverline.com&gt;

Exploring Lightweight Event Sourcing Erik Rozendaal &lt;erozendaal@zilverline.com&gt; @erikrozendaal GOTO Amsterdam 2011 Goals The problem of data persistence Understand event sourcing Show why Scala is well-suited as

1.39k views • 108 slides

More recommend