Jonathan Birch, Microsoft
Serialization is a powerful tool in .Net, but if used incorrectly it can create vulnerabilities, including remote code execution. In this talk, I explain how .Net deserialization vulnerabilities occur, and why they can only be prevented by application developers. I explain four common forms of this vulnerability in detail, two using only .Net libraries and two using common vulnerable 3rd party libraries. For each of these I explain multiple ways to modify the vulnerable code to make it safe. I then use these as a basis to provide general guidelines for securing deserialization. Finally, I discuss methods for detecting .Net deserialization vulnerabilities both through static and dynamic analysis, along with coding best practices to prevent these vulnerabilities from being introduced into a product. A handout will be provided listing potentially vulnerable API’s and how to use them safely, along with useful notes on detecting this vulnerability.