Fixing the Java Serialization mess
Pierre Ernst, HackFest.ca 2016
https://goo.gl/rOpF0u
Agenda
Introduction to Java serialization
Attack vectors
  Serialization Gadgets
  • Demo: Denial of Service
  Deserialization endpoints
  • Demo: JMX (CVE-2016-3427)
Mitigation
  • Against Serialization Gadgets
  • Against Deserialization endpoints
  • Demo: Bypassing Apache TomEE look-ahead class name blacklist
  • New concept: Look-ahead method blacklist
Pierre Ernst
linkedin.com/in/pernst
@e_rnst
Software development background
Secure Code Review
Found security vulnerabilities in applications made by: (word cloud of vendors; source: http://www.wordle.net)

Salesforce is hiring application security engineers for:
• Enterprise Security (Vendor applications)
• Product Security (Salesforce web applications)
• Infrastructure Security (Salesforce network and Linux environment)
https://research.trust.salesforce.com/
Contact: James Sale, Principal Technical Recruiter, Trust team, Salesforce
jsale@salesforce.com, 415-633-6059, linkedin.com/in/jamesgsale
The Big Picture
Java Serialization 101

Java instance  --serialize-->  byte stream  --deserialize-->  Java instance

00000000 AC ED 00 05 73 72 00 11 62 6F 6E 68 6F 6D 6D 65 ....sr..bonhomme
00000010 2E 43 61 72 6E 61 76 61 6C 20 51 75 65 62 65 63 .Carnaval Quebec
00000020 20 02 00 00 78 70                                ...xp
Java Serialization 101
Convert a Java instance to/from a binary stream
• Used for persistence (file, database blob)
• Used for transmission (RMI: Remote Method Invocation)
Java API:
• ObjectOutputStream: to serialize (write)
• ObjectInputStream: to deserialize (read)
• The JVM knows how to (de)serialize primitive types
• The JVM uses reflection and Unsafe to (de)serialize the members of any given class
  (the class's own constructors never run on deserialization; only the no-arg constructor of its first non-serializable superclass does)
• The class must implement the marker interface java.io.Serializable
What could possibly go wrong?
Some classes require special handling
• writeObject() and readObject() methods
• e.g.: java.math.BigDecimal
An application is vulnerable if:
• it deserializes untrusted input,
• and classes on its classpath have an "insecure" readObject() method
The readObject() methods can be chained and abused
• "gadget", in reference to ROP gadgets
• Similarly, some other methods can also be abused (detailed later): the "Magic Methods"
Prior Art (pre-2016)

| Date      | Type                 | Product                    | Researcher(s)                    | Reference     |
|-----------|----------------------|----------------------------|----------------------------------|---------------|
| Apr 2005  | DOS                  | JRE                        | Marc Schönefeld                  | CVE-2004-2540 |
| Aug 2008  | Applet->RCE          | JRE                        | Sami Koivu                       | CVE-2008-5353 |
| Apr 2010  | Applet->RCE          | JRE                        | Sami Koivu                       | CVE-2010-0094 |
| Mar 2010  | DOS                  | Sun Java Web Console       | Luca Carettoni                   | Source Code   |
| Sept 2011 | RCE                  | Spring Framework           | Wouter Coekaerts                 | CVE-2011-2894 |
| Oct 2012  | RCE                  | IBM Cognos BI              | Pierre Ernst                     | CVE-2012-4858 |
| Feb 2013  | File Write->RCE      | Apache OpenJPA             | Pierre Ernst                     | CVE-2013-1768 |
| Mar 2013  | File Write->RCE      | Apache Tomcat              | Pierre Ernst                     | CVE-2013-2185 |
| July 2015 | RCE                  | Apache Groovy              | "cpnrodzc7"                      | CVE-2015-3253 |
| Aug 2015  | Buffer Overflow->RCE | Android                    | Or Peles & Roee Hay              | CVE-2015-3837 |
| Nov 2015  | RCE                  | Apache Commons Collections | Chris Frohoff & Gabriel Lawrence | CVE-2015-7450 |
| Nov 2015  | DOS                  | JRE                        | Wouter Coekaerts                 | Source Code   |
Attack Surfaces: Endpoints Vs. Gadgets

Attacker --(malicious serialized input)--> Vulnerable Service: JVM with Vulnerable.class and bonhomme.Carnaval.class on the classpath

(1) The endpoint, in Vulnerable.class, deserializes the input:
    bonhomme.Carnaval instance = (bonhomme.Carnaval) in.readObject();
(2) During that readObject() call, the JVM invokes the "magic" method of whatever class the stream names (a gadget on the classpath):
    private void readObject(ObjectInputStream in) {
    }
The cast to bonhomme.Carnaval happens only after readObject() returns, so the gadget's code has already run whatever the endpoint expected to receive.
Class is vulnerable if:
it has a "magic" method that can be abused

What are the "magic" methods?
• readObject()
• readResolve()
• validateObject()
• readObjectNoData()
• readExternal()
• finalize()
• <init>() (the no-arg constructor of the first non-serializable superclass, which the JVM runs during deserialization)
Methods reached from these entry points count too: java.util.HashMap.readObject() calls hashCode() on every key it reads, and java.util.PriorityQueue.readObject() calls the comparator while rebuilding the heap. That is how several of the Commons Collections gadget chains pivot from a magic method into attacker-chosen code.
How can magic methods be abused?
Any side effect with security impact:
• File I/O
• Network I/O
• Code injection
• Denial of service
• ...
Java Memory Exhaustion
Pervasive problem: a few classes whose readObject() has this shape
• com.sun.xml.internal.ws.protocol.xml.XMLMessageException
• java.util.concurrent.CopyOnWriteArrayList
• java.util.logging.LogRecord
• java.util.PriorityQueue
• org.apache.catalina.tribes.membership.MemberImpl

private void readObject(ObjectInputStream in)
        throws IOException, ClassNotFoundException {
    int len = in.readInt();               // controlled by attacker
    this.parameters = new Object[len];    // memory exhaustion: len references are allocated up front,
    // ...                                // before a single element has been read from the stream
}
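The same readObject() shape, hardened, as an added example that is not code from the talk or from any of the classes listed above. The class name BoundedParameters, the cap of 1024 and the three-string sample payload are assumptions for the demo. The length read from the stream is still attacker controlled; the fix is to bound it before allocating and to grow storage with the elements actually present, so a claimed length with no data behind it fails cheaply. The main() tampers with a legitimately produced stream the way an attacker would, to show the check firing.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.Arrays;

// Added example: a parameters holder whose readObject() bounds the attacker-controlled
// length instead of trusting the int in the stream. Class name and cap are assumptions.
public final class BoundedParameters implements Serializable {
    private static final long serialVersionUID = 1L;
    // Assumed upper bound for this application; pick one legitimate producers never exceed.
    private static final int MAX_PARAMETERS = 1024;

    private transient Object[] parameters;

    public BoundedParameters(Object... parameters) { this.parameters = parameters.clone(); }
    public Object[] parameters() { return parameters.clone(); }

    private void writeObject(ObjectOutputStream out) throws IOException {
        out.defaultWriteObject();
        out.writeInt(parameters.length);            // same wire format as the vulnerable shape
        for (Object p : parameters) out.writeObject(p);
    }

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        int len = in.readInt();                     // still attacker controlled...
        if (len < 0 || len > MAX_PARAMETERS) {      // ...so validate before allocating anything
            throw new InvalidObjectException("parameter count out of range: " + len);
        }
        // Grow with the data actually present: a claimed length with no bytes behind it ends in
        // an EOFException instead of an up-front allocation sized by the attacker.
        ArrayList<Object> read = new ArrayList<>();
        for (int i = 0; i < len; i++) read.add(in.readObject());
        this.parameters = read.toArray();
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new BoundedParameters("a", "b", "c"));
        System.out.println(Arrays.toString(((BoundedParameters) deserialize(good)).parameters()));

        // Tamper like an attacker would: the custom data written by writeObject() starts with a
        // TC_BLOCKDATA (0x77) record of 4 bytes holding the int 3. Overwrite it with 0x7FFFFFFF.
        byte[] evil = good.clone();
        byte[] marker = {0x77, 0x04, 0x00, 0x00, 0x00, 0x03};
        int at = indexOf(evil, marker);
        if (at < 0) throw new IllegalStateException("block-data record not found");
        evil[at + 2] = 0x7F;
        evil[at + 3] = (byte) 0xFF;
        evil[at + 4] = (byte) 0xFF;
        evil[at + 5] = (byte) 0xFF;

        try {
            deserialize(evil);
        } catch (InvalidObjectException e) {
            // The bound check fires instead of new Object[2147483647]
            System.out.println("rejected: " + e.getMessage());
        }
    }

    private static int indexOf(byte[] haystack, byte[] needle) {
        outer:
        for (int i = 0; i <= haystack.length - needle.length; i++) {
            for (int j = 0; j < needle.length; j++) if (haystack[i + j] != needle[j]) continue outer;
            return i;
        }
        return -1;
    }
}
```

The incremental growth matters as much as the cap: a cap alone still lets an attacker request a MAX_PARAMETERS-sized array for free, while reading element by element ties allocation to bytes the attacker actually had to send.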
Endpoint is vulnerable if:
it deserializes user's input

java.io.ObjectInputStream ois =
    new java.io.ObjectInputStream(/* contains user's input */);
ois.readObject();
/* OR */
ois.readUnshared();
JMX untrusted deserialization: CVE-2016-3427
JMX = Java Management eXtensions
• API for managing/monitoring resources
• Client-Server on TCP/IP
• Optional features:
  • TLS socket
  • Authentication
Fixed in Java 8 Update 91 (April 2016)
Prior JMX vulnerabilities
Abusing Existing Features
• Tomcat JMX: retrieving all the session ids
Prior JMX vulnerabilities
RCE with MLet (only vulnerable when authentication is not enabled)
evil.org (attacker) -> victim.com (JMX server):
1. JMX connect
2. createMBean javax.management.loading.MLet
3. the MLet loads the evil bean from evil.org
4. invoke the evil bean
Source:
• Exploiting JMX RMI
• Class MLet
JMX Connection Strings (a.k.a. JMX "URLs")
service:jmx:rmi://bonhomme.local:10002/jndi/rmi://bonhomme.local:10001/jmxrmi
• rmi://bonhomme.local:10002 : the JMX endpoint (connector server)
• rmi://bonhomme.local:10001/jmxrmi : the naming registry where its stub is looked up
How many times did you read "RMI"?
• The JMX connection string format is future-proof: it might carry other transport technologies some day,
• but it relies on RMI for now,
• so we can use RMI directly to connect to a JMX server.
Connecting to JMX with RMI (directly)
service:jmx:rmi://bonhomme.local:10002/jndi/rmi://bonhomme.local:10001/jmxrmi

import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import javax.management.remote.rmi.RMIConnection;
import javax.management.remote.rmi.RMIServer;

// Look up the connector stub in the naming registry, then open a connection with credentials
Registry registry = LocateRegistry.getRegistry("bonhomme.local", 10001);
RMIServer rmiServer = (RMIServer) registry.lookup("jmxrmi");
RMIConnection rmiConnection = rmiServer.newClient(new String[]{"tomcat", "secret"});
What is RMI again?
RMI: client-server network protocol, RPC-style, using serialization for arguments and return values.

RMI Call (the newClient() call from the previous slide, on the wire)
00000000 50 AC ED 00 05 77 22 A1 F2 A2 CB 82 19 D4 02 D0 P....w".........
00000010 70 E5 1A 00 00 01 57 52 A7 43 A2 80 01 FF FF FF p.....WR.C......
00000020 FF F0 E0 74 EA AD 0C AE A8 75 72 00 13 5B 4C 6A ...t.....ur..[Lj
00000030 61 76 61 2E 6C 61 6E 67 2E 53 74 72 69 6E 67 3B ava.lang.String;
00000040 AD D2 56 E7 E9 1D 7B 47 02 00 00 70 78 70 00 00 ..V...{G...pxp..
00000050 00 02 74 00 06 74 6F 6D 63 61 74 74 00 06 73 65 ..t..tomcatt..se
00000060 63 72 65 74                                     cret

Reading it: 0x50 is the RMI "Call" message type; AC ED 00 05 opens a serialization stream; the 0x77 block of 0x22 bytes carries the target ObjID, the operation number (FF FF FF FF = -1) and the method hash; then "ur" (TC_ARRAY, TC_CLASSDESC) introduces a [Ljava.lang.String; array with two elements, "tomcat" and "secret". The credentials travel as a serialized Object, and the server has to deserialize them to read them.
RMIServer API
https://docs.oracle.com/javase/8/docs/api/javax/management/remote/rmi/RMIServer.html
RMIConnection newClient(Object credentials): the credentials parameter is an arbitrary Object, so the server must deserialize whatever the client sent before it can look at it.
Deserialization happens before authentication can even take place.
The Blame Game
Where do we fix it?
1. "Applications should never deserialize untrusted input"
vs.
2. "3rd party libraries should only have secure magic methods"

In both places! Defense in Depth.
Making "magic" methods more secure
Does the class really need to be serializable?
Can we add input validation?
• Prevent path traversal
• Prevent resource exhaustion
• ...
Fix: Java API change
today:
bonhomme.Carnaval obj = (bonhomme.Carnaval) ois.readObject();
tomorrow?
bonhomme.Carnaval obj = ois.readObject(bonhomme.Carnaval.class);
(A proposal: no such type-parameterised readObject() exists in the JDK. What shipped instead, in Java 9 and backported to 8u121, is the JEP 290 ObjectInputFilter hook listed under class name validation below.)
Mitigation: Sandboxing
Deserialization inside a block protected by a Security Manager
Could prevent "malicious" calls:
• File R/W access
• Process creation
• Network access
• ...
Not recommended:
• Hard to fine-tune: what is legitimately required?
• Known to be broken, e.g. CVE-2013-4444: code inside finalize() can be abused
• Since then the Security Manager itself has been deprecated for removal (JEP 411, Java 17), so it is not a foundation to build on.
Mitigation: Class Name Input Validation
Look-ahead Java deserialization, Jan 2013, Pierre Ernst
Concept used by various validation libraries:
• SerialKiller, by Luca Carettoni
• contrast-rO0 by Contrast Security
• JDK enhancement proposal #290 and CERT Secure Coding SER12-J
We want to validate which classes get deserialized.
The Object Serialization Stream Protocol puts a class description in front of every object's data, so the class name is known before any instance exists:

00000000 AC ED 00 05 73 72 00 11 62 6F 6E 68 6F 6D 6D 65 ....sr..bonhomme
00000010 2E 43 61 72 6E 61 76 61 6C 20 51 75 65 62 65 63 .Carnaval Quebec
00000020 20 02 00 00 78 70                                ...xp

AC ED                     STREAM_MAGIC
00 05                     STREAM_VERSION
73                        TC_OBJECT
72                        TC_CLASSDESC
00 11 62 6F ... 61 6C     className (2-byte length, then "bonhomme.Carnaval")
20 51 75 65 62 65 63 20   serialVersionUID (the bytes happen to spell " Quebec ")
02                        classDescFlags (SC_SERIALIZABLE)
00 00                     fields (count = 0)
78                        TC_ENDBLOCKDATA
70                        TC_NULL (no serializable superclass)

So we could use our own binary parser to decide whether we should stop reading ...
... or use the existing Java API that lets us add our own validation hook.
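The "own binary parser" option, as an added example that is not code from the talk: it reads only the stream header and the first class descriptor and returns the class name without instantiating anything, which is enough for a coarse check at a proxy or before handing bytes to ObjectInputStream. The TC_* constants mirror java.io.ObjectStreamConstants; the sample bytes are the slide's own dump, embedded as a hex string. Its limit is the point the slide makes next: it sees only the first class, while nested objects carry their own descriptors further into the stream, which is why the resolveClass() hook is the better place for the check.

```java
import java.io.*;

// Added example: peek at which class the first object in an Object Serialization Stream
// claims to be, without deserializing. Constants follow java.io.ObjectStreamConstants.
public final class StreamPeek {
    static final short STREAM_MAGIC = (short) 0xACED;
    static final short STREAM_VERSION = 5;
    static final byte TC_NULL = 0x70, TC_REFERENCE = 0x71, TC_CLASSDESC = 0x72, TC_OBJECT = 0x73,
                      TC_STRING = 0x74, TC_ARRAY = 0x75, TC_LONGSTRING = 0x7C, TC_PROXYCLASSDESC = 0x7D;

    /** Name (plus descriptor details) of the first class in the stream, or a label when there is none. */
    public static String firstClassName(byte[] stream) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(stream));
        if (in.readShort() != STREAM_MAGIC || in.readShort() != STREAM_VERSION) {
            throw new StreamCorruptedException("not a Java serialization stream");
        }
        byte tc = in.readByte();
        switch (tc) {
            case TC_OBJECT:
            case TC_ARRAY:
                byte descTc = in.readByte();
                if (descTc == TC_CLASSDESC) {
                    String name = in.readUTF();          // 2-byte length prefix + modified UTF-8
                    long suid = in.readLong();
                    byte flags = in.readByte();
                    short fieldCount = in.readShort();
                    return String.format("%s (serialVersionUID=0x%016X, flags=0x%02X, fields=%d)",
                                         name, suid, flags, fieldCount);
                }
                if (descTc == TC_PROXYCLASSDESC) return "<dynamic proxy>";   // only interface names follow
                if (descTc == TC_REFERENCE) return "<back-reference to an earlier class>";
                throw new StreamCorruptedException(String.format("unexpected type code 0x%02X", descTc));
            case TC_STRING:
            case TC_LONGSTRING:
                return "java.lang.String";
            case TC_NULL:
                return "<null>";
            default:
                throw new StreamCorruptedException(String.format("unexpected type code 0x%02X", tc));
        }
    }

    // The 38 bytes shown on the slide: an empty bonhomme.Carnaval object (constructed from the dump).
    static final byte[] SLIDE_SAMPLE = hex(
        "ACED000573720011626F6E686F6D6D652E4361726E6176616C20517565626563200200007870");

    static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    public static void main(String[] args) throws IOException {
        // Prints the class name, serialVersionUID, flags and field count of the slide's sample
        System.out.println(firstClassName(SLIDE_SAMPLE));

        // A stream produced by the JDK itself, for comparison: the descriptor is readable before any object exists
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new java.util.Date(0));
        }
        System.out.println(firstClassName(bos.toByteArray()));
    }
}
```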
Look-ahead Java deserialization
Adding your own validation hook
Callback provided by Java, normally used for custom class loading: resolveClass() is called for every class descriptor in the stream before an instance of that class is created.

import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;

public class LookAheadObjectInputStream extends ObjectInputStream {
    public LookAheadObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    // Called for every class descriptor in the stream, before any instance is created
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (!desc.getName().equals("bonhomme.Carnaval")) {
            throw new InvalidClassException(desc.getName(), "Unauthorized deserialization attempt");
        }
        return super.resolveClass(desc);
    }
}
Look-ahead Java deserialization
Two ways of validating class names
• White-listing classes that are OK to deserialize
  • Tedious; impossible in a real-life scenario?
• Black-listing classes known to have "bad" "magic" methods
  • a.k.a. Whack-a-mole
  • Known to be broken (Alvaro Muñoz & Christian Schneider, RSA Conference, 2016-03-04)
Either way, a per-stream hook only sees its own stream:

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;

public class NestedProblems implements Serializable {
    private byte[] payload; // attacker controlled input

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        // A fresh, unfiltered stream: the outer stream's resolveClass() hook never sees these classes
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload));
        ois.readObject();
    }
}
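The nested-stream bypass above, run end to end, together with the check a practitioner wants today: this is an added example, not code from the talk, and it needs Java 9 or later for java.io.ObjectInputFilter (JEP 290). NestedGadget plays the role of NestedProblems, WhitelistingStream is a resolveClass() whitelist in the style of the slides, and an empty java.util.HashMap stands in for any class the whitelist would never admit. The first attempt shows the per-stream whitelist being bypassed; the second shows the process-wide serial filter, which every ObjectInputStream consults at construction, catching the class inside the nested stream. It assumes no jdk.serialFilter system property is set, since the filter can only be installed once per JVM.

```java
import java.io.*;
import java.util.HashMap;
import java.util.Set;

// Added example (Java 9+): a per-stream resolveClass() whitelist versus the JEP 290
// process-wide filter when a gadget opens a nested ObjectInputStream. All names are demo assumptions.
public final class NestedFilterDemo {

    /** Plays the slide's NestedProblems: a gadget that deserializes a second stream internally. */
    public static final class NestedGadget implements Serializable {
        private static final long serialVersionUID = 1L;
        private final byte[] payload;       // attacker controlled inner stream
        transient Object inner;

        NestedGadget(byte[] payload) { this.payload = payload; }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            // Plain ObjectInputStream: the outer stream's resolveClass() override plays no part here
            try (ObjectInputStream nested = new ObjectInputStream(new ByteArrayInputStream(payload))) {
                inner = nested.readObject();
            }
        }
    }

    /** Look-ahead whitelist in the style of the slides, applied to one stream only. */
    static final class WhitelistingStream extends ObjectInputStream {
        // "[B" is the descriptor name of byte[]; resolveClass() is asked about array classes too
        private static final Set<String> ALLOWED = Set.of(NestedGadget.class.getName(), "[B");

        WhitelistingStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on the whitelist");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    /** Returns what the nested stream produced, or the rejection message. */
    static String attempt(byte[] outerStream) throws IOException, ClassNotFoundException {
        try (WhitelistingStream ois = new WhitelistingStream(new ByteArrayInputStream(outerStream))) {
            NestedGadget g = (NestedGadget) ois.readObject();
            return "nested stream produced " + g.inner.getClass().getName();
        } catch (InvalidClassException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] outer = serialize(new NestedGadget(serialize(new HashMap<String, String>())));

        // Bypass: the whitelist only ever sees NestedGadget and byte[]; the HashMap inside the
        // payload is deserialized by the nested stream without any check.
        System.out.println(attempt(outer));

        // JEP 290 process-wide filter (same pattern syntax as -Djdk.serialFilter=...):
        // every ObjectInputStream created from now on, nested ones included, consults it.
        ObjectInputFilter.Config.setSerialFilter(
            ObjectInputFilter.Config.createFilter(NestedGadget.class.getName() + ";!*"));

        // Now the nested stream's class is rejected too; the exception surfaces through the outer readObject()
        System.out.println(attempt(outer));
    }
}
```

The filter pattern language also takes limits such as maxdepth=, maxarray=, maxrefs= and maxbytes=, so the same mechanism bounds the attacker-chosen array length from the memory exhaustion slide without touching the gadget classes.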
Class Name Input Validation Bypass
Black List mode (only an issue if using the black list mode)
New gadgets, not on the list:
• org.apache.webbeans.inject.impl.InjectionPointImpl
• org.apache.webbeans.inject.instance.InstanceImpl
• org.apache.webbeans.event.EventImpl
• Fixed in Apache TomEE 7.0.1 (June 2016)
• Fixed in Apache OpenWebBeans 1.5.0 (October 2015)
Mitigation: Look-ahead Method Blacklist Input Validation
For each class x.y.z named in the stream:
1. Does it declare magic methods? no -> accept
2. yes -> analyze the magic methods for the methods they call (methodA, methodB, ...)
3. Is any called method on the black list (method1, method2, ...)? yes -> reject; no -> accept
Check it out
Source code with POC implementation published
Mitigation
Putting everything together
• Security Manager
• Look-ahead class name validation
  • Whitelisting
  • Blacklisting
• Look-ahead method blacklisting

Serialization:
1. Don't use it
2. Class name whitelisting
3. Method blacklisting

More Related Content

What's hot

Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Christian Schneider
 
Multithreading In Java
Multithreading In JavaMultithreading In Java
Multithreading In Java
parag
 

What's hot (20)

Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug Class
 
Java 8 Streams
Java 8 StreamsJava 8 Streams
Java 8 Streams
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
 
Spring boot introduction
Spring boot introductionSpring boot introduction
Spring boot introduction
 
Java Quiz Questions
Java Quiz QuestionsJava Quiz Questions
Java Quiz Questions
 
Java SE 8 lambdaで変わる プログラミングスタイル
Java SE 8 lambdaで変わる プログラミングスタイルJava SE 8 lambdaで変わる プログラミングスタイル
Java SE 8 lambdaで変わる プログラミングスタイル
 
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
 
Java Basics
Java BasicsJava Basics
Java Basics
 
100 JAVA Programs-1.pdf
100 JAVA Programs-1.pdf100 JAVA Programs-1.pdf
100 JAVA Programs-1.pdf
 
Java features
Java featuresJava features
Java features
 
Jdbc
JdbcJdbc
Jdbc
 
Introduction to java 8 stream api
Introduction to java 8 stream apiIntroduction to java 8 stream api
Introduction to java 8 stream api
 
Spring boot - an introduction
Spring boot - an introductionSpring boot - an introduction
Spring boot - an introduction
 
55 New Features in Java SE 8
55 New Features in Java SE 855 New Features in Java SE 8
55 New Features in Java SE 8
 
Java Collection framework
Java Collection frameworkJava Collection framework
Java Collection framework
 
Serialization & De-serialization in Java
Serialization & De-serialization in JavaSerialization & De-serialization in Java
Serialization & De-serialization in Java
 
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
 
Java Garbage Collection - How it works
Java Garbage Collection - How it worksJava Garbage Collection - How it works
Java Garbage Collection - How it works
 
Spring boot jpa
Spring boot jpaSpring boot jpa
Spring boot jpa
 
Multithreading In Java
Multithreading In JavaMultithreading In Java
Multithreading In Java
 

Similar to Fixing the Java Serialization Mess

Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Yulia Tsisyk
 
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Priyanka Aash
 
Spring framework
Spring frameworkSpring framework
Spring framework
srmelody
 
香港六合彩 &raquo; SlideShare
香港六合彩 &raquo; SlideShare香港六合彩 &raquo; SlideShare
香港六合彩 &raquo; SlideShare
yayao
 
Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-rays
qqlan
 
DotNet Introduction
DotNet IntroductionDotNet Introduction
DotNet Introduction
Wei Sun
 
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfEN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
GiorgiRcheulishvili
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법
guestad13b55
 

Similar to Fixing the Java Serialization Mess (20)

Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
 
powershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-londonpowershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-london
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
 
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
 
Jdk Tools For Performance Diagnostics
Jdk Tools For Performance DiagnosticsJdk Tools For Performance Diagnostics
Jdk Tools For Performance Diagnostics
 
Spring framework
Spring frameworkSpring framework
Spring framework
 
香港六合彩 &raquo; SlideShare
香港六合彩 &raquo; SlideShare香港六合彩 &raquo; SlideShare
香港六合彩 &raquo; SlideShare
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-rays
 
Java Web Security Class
Java Web Security ClassJava Web Security Class
Java Web Security Class
 
Monitoring distributed (micro-)services
Monitoring distributed (micro-)servicesMonitoring distributed (micro-)services
Monitoring distributed (micro-)services
 
DotNet Introduction
DotNet IntroductionDotNet Introduction
DotNet Introduction
 
Google App Engine for Java v0.0.2
Google App Engine for Java v0.0.2Google App Engine for Java v0.0.2
Google App Engine for Java v0.0.2
 
Sql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousSql Injections With Real Life Scenarious
Sql Injections With Real Life Scenarious
 
PyCon Canada 2015 - Is your python application secure
PyCon Canada 2015 - Is your python application securePyCon Canada 2015 - Is your python application secure
PyCon Canada 2015 - Is your python application secure
 
Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9
 
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfEN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
 
iPhone development from a Java perspective (Jazoon '09)
iPhone development from a Java perspective (Jazoon '09)iPhone development from a Java perspective (Jazoon '09)
iPhone development from a Java perspective (Jazoon '09)
 
soft-shake.ch - Hands on Node.js
soft-shake.ch - Hands on Node.jssoft-shake.ch - Hands on Node.js
soft-shake.ch - Hands on Node.js
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법
 

More from Salesforce Engineering

More from Salesforce Engineering (20)

Locker Service Ready Lightning Components With Webpack
Locker Service Ready Lightning Components With WebpackLocker Service Ready Lightning Components With Webpack
Locker Service Ready Lightning Components With Webpack
 
Scaling HBase for Big Data
Scaling HBase for Big DataScaling HBase for Big Data
Scaling HBase for Big Data
 
Techniques to Effectively Monitor the Performance of Customers in the Cloud
Techniques to Effectively Monitor the Performance of Customers in the CloudTechniques to Effectively Monitor the Performance of Customers in the Cloud
Techniques to Effectively Monitor the Performance of Customers in the Cloud
 
Predictive System Performance Data Analysis
Predictive System Performance Data AnalysisPredictive System Performance Data Analysis
Predictive System Performance Data Analysis
 
Apache HBase State of the Project
Apache HBase State of the ProjectApache HBase State of the Project
Apache HBase State of the Project
 
Hit the Trail with Trailhead
Hit the Trail with TrailheadHit the Trail with Trailhead
Hit the Trail with Trailhead
 
HBase/PHOENIX @ Scale
HBase/PHOENIX @ ScaleHBase/PHOENIX @ Scale
HBase/PHOENIX @ Scale
 
Scaling up data science applications
Scaling up data science applicationsScaling up data science applications
Scaling up data science applications
 
Containers and Security for DevOps
Containers and Security for DevOpsContainers and Security for DevOps
Containers and Security for DevOps
 
Aspect Oriented Programming: Hidden Toolkit That You Already Have
Aspect Oriented Programming: Hidden Toolkit That You Already HaveAspect Oriented Programming: Hidden Toolkit That You Already Have
Aspect Oriented Programming: Hidden Toolkit That You Already Have
 
Monitoring @ Scale in Salesforce
Monitoring @ Scale in SalesforceMonitoring @ Scale in Salesforce
Monitoring @ Scale in Salesforce
 
Performance Tuning with XHProf
Performance Tuning with XHProfPerformance Tuning with XHProf
Performance Tuning with XHProf
 
A Smarter Pig: Building a SQL interface to Pig using Apache Calcite
A Smarter Pig: Building a SQL interface to Pig using Apache CalciteA Smarter Pig: Building a SQL interface to Pig using Apache Calcite
A Smarter Pig: Building a SQL interface to Pig using Apache Calcite
 
Implementing a Content Strategy Is Like Running 100 Miles
Implementing a Content Strategy Is Like Running 100 MilesImplementing a Content Strategy Is Like Running 100 Miles
Implementing a Content Strategy Is Like Running 100 Miles
 
Salesforce Cloud Infrastructure and Challenges - A Brief Overview
Salesforce Cloud Infrastructure and Challenges - A Brief OverviewSalesforce Cloud Infrastructure and Challenges - A Brief Overview
Salesforce Cloud Infrastructure and Challenges - A Brief Overview
 
Koober Preduction IO Presentation
Koober Preduction IO PresentationKoober Preduction IO Presentation
Koober Preduction IO Presentation
 
Finding Security Issues Fast!
Finding Security Issues Fast!Finding Security Issues Fast!
Finding Security Issues Fast!
 
Microservices
MicroservicesMicroservices
Microservices
 
Global State Management of Micro Services
Global State Management of Micro ServicesGlobal State Management of Micro Services
Global State Management of Micro Services
 
The Future of Hbase
The Future of HbaseThe Future of Hbase
The Future of Hbase
 

Recently uploaded

VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
dharasingh5698
 
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night StandCall Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
amitlee9823
 
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar  ≼🔝 Delhi door step de...Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar  ≼🔝 Delhi door step de...
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Christo Ananth
 
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
dharasingh5698
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
dollysharma2066
 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ssuser89054b
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes ---  Unit 3.pdfAKTU Computer Networks notes ---  Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdf
ankushspencer015
 
notes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.pptnotes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.ppt
MsecMca
 

Recently uploaded (20)

Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
 
Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
 
Thermal Engineering Unit - I & II . ppt
Thermal Engineering  Unit - I & II . pptThermal Engineering  Unit - I & II . ppt

Fixing the Java Serialization Mess

  • 1. Fixing the Java Serialization mess Pierre Ernst, HackFest.ca 2016
  • 2. https://goo.gl/rOpF0u Agenda: Fixing the Java Serialization mess
    Introduction to Java serialization
    Attack vectors
    Serialization Gadgets
    • Demo: Denial of Service
    Deserialization endpoints
    • Demo: JMX (CVE-2016-3427)
    Mitigation
    • Against Serialization Gadgets
    • Against Deserialization endpoints
    • Demo: Bypassing Apache TomEE look-ahead class name blacklist
    • New concept: Look-ahead method blacklist
  • 3. https://goo.gl/rOpF0u Pierre Ernst (linkedin.com/in/pernst, @e_rnst)
    Software development background
    Secure Code Review
    Found security vulnerabilities in applications made by: [vendor word cloud; source: http://www.wordle.net]
  • 4. https://goo.gl/rOpF0u Salesforce Trust team (https://research.trust.salesforce.com/)
    Salesforce is hiring application security engineers for:
    • Enterprise Security (Vendor applications)
    • Product Security (Salesforce web applications)
    • Infrastructure Security (Salesforce network and Linux environment).
    Contact: James Sale, Principal Technical Recruiter, jsale@salesforce.com, 415-633-6059, linkedin.com/in/jamesgsale
  • 5. https://goo.gl/rOpF0u Java Serialization 101: The Big Picture
    [diagram: Java instance --serialize--> byte stream --deserialize--> Java instance]
    00000000 AC ED 00 05 73 72 00 11 62 6F 6E 68 6F 6D 6D 65 ....sr..bonhomme
    00000010 2E 43 61 72 6E 61 76 61 6C 20 51 75 65 62 65 63 .Carnaval Quebec
    00000020 20 02 00 00 78 70 ...xp
  • 6. https://goo.gl/rOpF0u Java Serialization 101
    Convert a Java instance to/from a binary stream
    • Used for persistence (file, database blob)
    • Used for transmission (RMI: Remote Method Invocation)
    Java API:
    • ObjectOutputStream: to serialize (write)
    • ObjectInputStream: to deserialize (read)
    • JVM knows how to (de)serialize primitive types
    • JVM uses reflection and Unsafe to (de)serialize members of any given class.
    • The class must implement interface java.io.Serializable
  • 7. https://goo.gl/rOpF0u Fixing the Java Serialization mess (agenda slide repeated as section divider; same items as slide 2)
  • 8. https://goo.gl/rOpF0u What could possibly go wrong?
    Some classes require special handling
    • writeObject() and readObject() methods
    • e.g.: java.math.BigDecimal
    An application is vulnerable if:
    • it deserializes untrusted input,
    • and existing classes on the classpath have an “insecure” readObject() method
    The readObject() methods can be chained and abused
    • “gadget”, in reference to ROP gadgets
    • Similarly, some other methods can also be abused (covered later): “Magic Methods”
  • 9. https://goo.gl/rOpF0u Prior Art (pre-2016)
    Date      | Type                 | Product                    | Researcher(s)                    | Reference
    Apr 2005  | DOS                  | JRE                        | Marc Schönefeld                  | CVE-2004-2540
    Aug 2008  | Applet->RCE          | JRE                        | Sami Koivu                       | CVE-2008-5353
    Apr 2010  | Applet->RCE          | JRE                        | Sami Koivu                       | CVE-2010-0094
    Mar 2010  | DOS                  | Sun Java Web Console       | Luca Carettoni                   | Source Code
    Sept 2011 | RCE                  | Spring Framework           | Wouter Coekaerts                 | CVE-2011-2894
    Oct 2012  | RCE                  | IBM Cognos BI              | Pierre Ernst                     | CVE-2012-4858
    Feb 2013  | File Write->RCE      | Apache OpenJPA             | Pierre Ernst                     | CVE-2013-1768
    Mar 2013  | File Write->RCE      | Apache Tomcat              | Pierre Ernst                     | CVE-2013-2185
    July 2015 | RCE                  | Apache Groovy              | "cpnrodzc7"                      | CVE-2015-3253
    Aug 2015  | Buffer Overflow->RCE | Android                    | Or Peles & Roee Hay              | CVE-2015-3837
    Nov 2015  | RCE                  | Apache Commons Collections | Chris Frohoff & Gabriel Lawrence | CVE-2015-7450
    Nov 2015  | DOS                  | JRE                        | Wouter Coekaerts                 | Source Code
  • 10. https://goo.gl/rOpF0u Attack Surfaces: Endpoints Vs. Gadgets
    [diagram: Attacker sends malicious serialized input to a Vulnerable Service; (1) the endpoint (Vulnerable.class) hands it to JVM deserialization, (2) which calls the “magic” method of a gadget class found on the classpath (bonhomme.Carnaval.class)]
    1 (endpoint):  bonhomme.Carnaval instance = (bonhomme.Carnaval)in.readObject();
    2 (gadget, “magic” method called by the JVM):  private void readObject (ObjectInputStream in) { }
  • 11. https://goo.gl/rOpF0u Fixing the Java Serialization mess (agenda slide repeated as section divider; same items as slide 2)
  • 12. https://goo.gl/rOpF0u What are the “Magic” methods?
    Class is vulnerable if: it has a “magic” method that can be abused
    • readObject()
    • readResolve()
    • validateObject()
    • readObjectNoData()
    • readExternal()
    • finalize()
    • <init>()
  • 13. https://goo.gl/rOpF0u How can magic methods be abused?
    • File I/O
    • Network I/O
    • Code injection
    • Denial of service
    • …
    Any side effect with security impact
  • 14. https://goo.gl/rOpF0u Fixing the Java Serialization mess (agenda slide repeated as section divider; same items as slide 2)
  • 15. https://goo.gl/rOpF0u Java Memory Exhaustion: a pervasive problem
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        int len = in.readInt();              // controlled by attacker
        this.parameters = new Object[len];   // memory exhaustion
        // ...
    }
    Classes with this pattern:
    • com.sun.xml.internal.ws.protocol.xml.XMLMessageException
    • java.util.concurrent.CopyOnWriteArrayList
    • java.util.logging.LogRecord
    • java.util.PriorityQueue
    • org.apache.catalina.tribes.membership.MemberImpl
  • 17. https://goo.gl/rOpF0u Fixing the Java Serialization mess (agenda slide repeated as section divider; same items as slide 2)
  • 18. https://goo.gl/rOpF0u Endpoint is vulnerable if: it deserializes user’s input
    java.io.ObjectInputStream ois = new java.io.ObjectInputStream(/* contains user’s input */);
    ois.readObject(); /* OR */ ois.readUnshared();
  • 19. https://goo.gl/rOpF0u Fixing the Java Serialization mess (agenda slide repeated as section divider; same items as slide 2)
  • 20. https://goo.gl/rOpF0u JMX untrusted deserialization: CVE-2016-3427
    Fixed in Java 8 Update 91 (April 2016)
    JMX = Java Management eXtensions
    • API for managing/monitoring resources
    • Client-Server on TCP/IP
    • Optional features: TLS socket, Authentication
  • 21. https://goo.gl/rOpF0u Prior JMX vulnerabilities: Abusing Existing Features
    Tomcat JMX: retrieving all the session ids [screenshot]
  • 22. https://goo.gl/rOpF0u Prior JMX vulnerabilities: RCE with MLet
    Only vulnerable when authentication is not enabled
    Source: “Exploiting JMX RMI”; class javax.management.loading.MLet
    [diagram: evil.org → victim.com: JMX connect; createMBean javax.management.loading.MLet; load evil bean; invoke]
  • 23. https://goo.gl/rOpF0u JMX Connection Strings (a.k.a. JMX “URLs”)
    service:jmx:rmi://bonhomme.local:10002/jndi/rmi://bonhomme.local:10001/jmxrmi
    • rmi://bonhomme.local:10002 → JMX endpoint
    • rmi://bonhomme.local:10001/jmxrmi → Naming Registry
    How many times did you read “RMI”?
    • JMX connection strings are future-proof
    • Might use some other transport technologies in the future
    • But it relies on RMI for now.
    We can use RMI directly to connect to a JMX server
  • 24. https://goo.gl/rOpF0u Connecting to JMX with RMI (directly)
    service:jmx:rmi://bonhomme.local:10002/jndi/rmi://bonhomme.local:10001/jmxrmi
    Registry registry = LocateRegistry.getRegistry("bonhomme.local", 10001);
    RMIServer rmiServer = (RMIServer) registry.lookup("jmxrmi");
    RMIConnection rmiConnection = rmiServer.newClient(new String[]{ "tomcat", "secret"});
  • 25. https://goo.gl/rOpF0u What is RMI again?
    RMI: Client-Server network protocol, RPC-style, uses serialization
    RMI Call:
    00000000 50 AC ED 00 05 77 22 A1 F2 A2 CB 82 19 D4 02 D0 P....w".........
    00000010 70 E5 1A 00 00 01 57 52 A7 43 A2 80 01 FF FF FF p.....WR.C......
    00000020 FF F0 E0 74 EA AD 0C AE A8 75 72 00 13 5B 4C 6A ...t.....ur..[Lj
    00000030 61 76 61 2E 6C 61 6E 67 2E 53 74 72 69 6E 67 3B ava.lang.String;
    00000040 AD D2 56 E7 E9 1D 7B 47 02 00 00 70 78 70 00 00 ..V...{G...pxp..
    00000050 00 02 74 00 06 74 6F 6D 63 61 74 74 00 06 73 65 ..t..tomcatt..se
    00000060 63 72 65 74 cret
  • 28. https://goo.gl/rOpF0u Fixing the Java Serialization mess (agenda slide repeated as section divider; same items as slide 2)
  • 29. https://goo.gl/rOpF0u The Blame Game: Where do we fix it?
    1. “Applications should never deserialize untrusted input”
    vs.
    2. “3rd party libraries should only have secure magic methods”
  • 31. https://goo.gl/rOpF0u Fixing the Java Serialization mess (agenda slide repeated as section divider; same items as slide 2)
  • 32. https://goo.gl/rOpF0u Making “magic” methods more secure
    Does the class really need to be serializable?
    Can we add input validation?
    • Prevent path traversal
    • Prevent resource exhaustion
    • …
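As an added example (not from the slides), the readObject() pattern of the "Java Memory Exhaustion" slide with the input validation this slide calls for: the attacker-controlled count is bounded before anything is allocated. The class, field and bound are made up for illustration; the hostile stream is constructed locally by patching a legitimate one.

```java
import java.io.*;
import java.nio.ByteBuffer;

// Hypothetical class modelled on the slide's readObject(); names and bound are invented.
public class BoundedParameters implements Serializable {
    private static final long serialVersionUID = 1L;
    // Largest count a legitimate peer can ever send; anything above is corrupt or hostile.
    static final int MAX_PARAMETERS = 1024;
    private transient Object[] parameters;   // written by hand below, hence transient

    BoundedParameters(Object... parameters) { this.parameters = parameters; }
    Object[] getParameters() { return parameters; }

    private void writeObject(ObjectOutputStream out) throws IOException {
        out.defaultWriteObject();
        out.writeInt(parameters.length);
        for (Object p : parameters) out.writeObject(p);
    }

    // Slide version: int len = in.readInt(); this.parameters = new Object[len];
    // The count comes straight from the stream, so the sender chooses the allocation size.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        int len = in.readInt();
        if (len < 0 || len > MAX_PARAMETERS) {          // validate before allocating
            throw new InvalidObjectException("parameter count out of range: " + len);
        }
        Object[] tmp = new Object[len];
        for (int i = 0; i < len; i++) tmp[i] = in.readObject();
        parameters = tmp;                               // assign only after a complete read
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Constructed hostile stream: a zero-parameter instance whose count (the last
    // block-data record, laid out as 77 04 <int> 78) is patched to `count`.
    static byte[] streamClaiming(int count) throws IOException {
        byte[] data = serialize(new BoundedParameters());
        int n = data.length;
        if (data[n - 7] != 0x77 || data[n - 6] != 4 || data[n - 1] != 0x78)
            throw new IllegalStateException("unexpected stream layout");
        ByteBuffer.wrap(data, n - 5, 4).putInt(count);
        return data;
    }

    public static void main(String[] args) throws Exception {
        byte[] ok = serialize(new BoundedParameters("a", 42));
        BoundedParameters bp = (BoundedParameters)
                new ObjectInputStream(new ByteArrayInputStream(ok)).readObject();
        System.out.println("legitimate stream: " + bp.getParameters().length + " parameters");
        try {   // declared count of Integer.MAX_VALUE is rejected before the array exists
            new ObjectInputStream(new ByteArrayInputStream(streamClaiming(Integer.MAX_VALUE))).readObject();
        } catch (InvalidObjectException e) {
            System.out.println("hostile stream rejected: " + e.getMessage());
        }
    }
}
```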
  • 33. https://goo.gl/rOpF0u Fixing the Java Serialization mess (agenda slide repeated as section divider; same items as slide 2)
  • 34. https://goo.gl/rOpF0u Fix: Java API change
    today:      bonhomme.Carnaval obj = (bonhomme.Carnaval)ois.readObject();
    tomorrow?:  bonhomme.Carnaval obj = ois.readObject(bonhomme.Carnaval.class);
  • 35. https://goo.gl/rOpF0u Mitigation: Sandboxing
    Deserialization inside a block protected by a Security Manager
    Could prevent “malicious” calls:
    • File R/W access
    • Process creation
    • Network access
    • …
    Not recommended:
    • Hard to fine-tune: what is legitimately required?
    • Known to be broken, e.g. CVE-2013-4444: code inside finalize() can be abused
  • 36. https://goo.gl/rOpF0u Mitigation: Class Name Input Validation
    Look-ahead Java deserialization, Jan 2013, Pierre Ernst
    Concept used by various validation libraries:
    • SerialKiller, by Luca Carettoni
    • contrast-rO0, by Contrast Security
    • JDK enhancement proposal #290 and CERT Secure Coding SER12-J
    We want to validate which classes get deserialized.
    The Object Serialization Stream Protocol defines a class description:
    00000000 AC ED 00 05 73 72 00 11 62 6F 6E 68 6F 6D 6D 65 ....sr..bonhomme
    00000010 2E 43 61 72 6E 61 76 61 6C 20 51 75 65 62 65 63 .Carnaval Quebec
    00000020 20 02 00 00 78 70 ...xp
    Annotated: AC ED = STREAM_MAGIC; 00 05 = STREAM_VERSION; 73 = TC_OBJECT; 72 = TC_CLASSDESC;
    00 11 + "bonhomme.Carnaval" = className (length-prefixed); 20 51 75 65 62 65 63 20 = serialVersionUID;
    02 = classDescFlags; 00 00 = fields (count); 78 = TC_ENDBLOCKDATA; 70 = TC_NULL (no superclass description)
    So we could use our own binary parser to decide whether we should stop reading …
    … or use the existing Java API that allows us to add our own validation hook.
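The "own binary parser" option from this slide, as an added example that is not part of the presentation: it reads just the stream header and first class description, using the constant values of java.io.ObjectStreamConstants, so the class name can be checked before the bytes reach ObjectInputStream. The sample bytes are constructed from the slide's hex dump.

```java
import java.io.*;

public class ClassDescPeek {
    // Values from java.io.ObjectStreamConstants
    static final short STREAM_MAGIC = (short) 0xACED, STREAM_VERSION = 5;
    static final byte TC_OBJECT = 0x73, TC_CLASSDESC = 0x72;

    // The slide's stream, constructed here from its hex dump.
    static final byte[] SAMPLE = {
        (byte) 0xAC, (byte) 0xED, 0x00, 0x05, 0x73, 0x72, 0x00, 0x11,
        'b', 'o', 'n', 'h', 'o', 'm', 'm', 'e', '.', 'C', 'a', 'r', 'n', 'a', 'v', 'a', 'l',
        ' ', 'Q', 'u', 'e', 'b', 'e', 'c', ' ', 0x02, 0x00, 0x00, 0x78, 0x70 };

    // Returns the top-level class name, or throws if the header is not TC_OBJECT + TC_CLASSDESC.
    static String peekClassName(byte[] data) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(data));
        if (in.readShort() != STREAM_MAGIC)   throw new StreamCorruptedException("bad STREAM_MAGIC");
        if (in.readShort() != STREAM_VERSION) throw new StreamCorruptedException("bad STREAM_VERSION");
        if (in.readByte() != TC_OBJECT)       throw new StreamCorruptedException("expected TC_OBJECT");
        if (in.readByte() != TC_CLASSDESC)    throw new StreamCorruptedException("expected TC_CLASSDESC");
        String className = in.readUTF();         // 00 11 "bonhomme.Carnaval" (same encoding as writeUTF)
        long serialVersionUID = in.readLong();   // the 8 bytes shown as " Quebec " on the slide
        byte flags = in.readByte();              // 02 = SC_SERIALIZABLE
        short fieldCount = in.readShort();       // 00 00
        System.out.printf("class=%s suid=0x%016X flags=0x%02X fields=%d%n",
                className, serialVersionUID, flags, fieldCount);
        return className;
    }

    public static void main(String[] args) throws IOException {
        String name = peekClassName(SAMPLE);
        // Same decision the resolveClass() hook takes on the next slide
        boolean accept = name.equals("bonhomme.Carnaval");
        System.out.println(accept ? "accept: hand the bytes to ObjectInputStream" : "reject: stop reading");
    }
}
```

This only inspects the first descriptor; field values, superclasses and nested objects carry their own TC_CLASSDESC (or TC_PROXYCLASSDESC / TC_REFERENCE) records later in the stream, which is why the per-descriptor hook on the next slide is the practical choice.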
  • 37. https://goo.gl/rOpF0u Look-ahead Java deserialization: Adding your own validation hook
    Callback provided by Java, normally used for custom class loading
    public class LookAheadObjectInputStream extends ObjectInputStream {
        public LookAheadObjectInputStream(InputStream in) throws IOException {
            super(in);
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if ( ! desc.getName().equals("bonhomme.Carnaval") ) {
                throw new InvalidClassException(
                    "Unauthorized deserialization attempt", desc.getName());
            }
            return super.resolveClass(desc);
        }
    }
  • 38. https://goo.gl/rOpF0u Look-ahead Java deserialization: Two ways of validating class names
    • White-listing classes that are OK to deserialize
      • Tedious; impossible in a real-life scenario?
    • Black-listing classes known to have “bad” “magic” methods
      • a.k.a. Whack-a-mole
      • Known to be broken (RSA Conference, 2016-03-04, Alvaro Muñoz and Christian Schneider)
    public class NestedProblems implements Serializable {
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            ObjectInputStream ois = new ObjectInputStream( /* attacker controlled input */ );
            ois.readObject();
        }
    }
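The hook from slide 37 as a whitelist, together with the NestedProblems case from this slide, as an added example that is not from the presentation: the per-stream hook does not see the inner ObjectInputStream, whereas the JEP 290 process-wide filter mentioned on slide 36 is applied to every ObjectInputStream. Assumes Java 9+ (java.io.ObjectInputFilter) and that no jdk.serialFilter is already set; class and field names are made up.

```java
import java.io.*;
import java.util.Set;

public class LookAheadDemo {
    static class Carnaval implements Serializable { String nom = "Bonhomme"; int annee = 2016; }

    // Same pattern as the slide's NestedProblems: a whitelisted class that itself
    // deserializes bytes it carries with a plain, unhooked ObjectInputStream.
    static class Nested implements Serializable {
        byte[] inner;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            new ObjectInputStream(new ByteArrayInputStream(inner)).readObject();  // no look-ahead check
        }
    }

    // "[B" (byte[]) is listed because array descriptors also pass through resolveClass().
    static final Set<String> ALLOWED = Set.of(Carnaval.class.getName(), Nested.class.getName(), "[B");

    static class LookAheadObjectInputStream extends ObjectInputStream {
        LookAheadObjectInputStream(InputStream in) throws IOException { super(in); }
        @Override protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            // Runs on the TC_CLASSDESC name before any instance exists, so a rejected
            // class never gets its readObject()/readResolve() invoked.
            if (!ALLOWED.contains(desc.getName()))
                throw new InvalidClassException(desc.getName(), "Unauthorized deserialization attempt");
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static String tryRead(byte[] data) {
        try (ObjectInputStream ois = new LookAheadObjectInputStream(new ByteArrayInputStream(data))) {
            return "accepted " + ois.readObject().getClass().getSimpleName();
        } catch (Exception e) {
            return "rejected: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(tryRead(serialize(new Carnaval())));        // whitelisted class
        System.out.println(tryRead(serialize(new java.util.Date())));  // not whitelisted: hook rejects it
        Nested n = new Nested(); n.inner = serialize(new java.util.Date());
        System.out.println(tryRead(serialize(n)));  // hook only sees Nested; the inner Date is read unchecked
        // Process-wide JEP 290 filter (same effect as -Djdk.serialFilter=...): consulted by every
        // ObjectInputStream, the nested one included. It can be set only once per JVM.
        ObjectInputFilter.Config.setSerialFilter(ObjectInputFilter.Config.createFilter(
                Carnaval.class.getName() + ";" + Nested.class.getName() + ";java.lang.String;!*"));
        System.out.println(tryRead(serialize(n)));  // the inner Date is now rejected as well
    }
}
```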
  • 39. https://goo.gl/rOpF0u Fixing the Java Serialization mess (agenda slide repeated as section divider; same items as slide 2)
  • 40. https://goo.gl/rOpF0u Class Name Input Validation Bypass (Black List mode) [new]
    Classes used for the bypass:
    • org.apache.webbeans.inject.impl.InjectionPointImpl
    • org.apache.webbeans.inject.instance.InstanceImpl
    • org.apache.webbeans.event.EventImpl
    Only an issue if using the black list mode
    • Fixed in Apache TomEE 7.0.1 (June 2016)
    • Fixed in Apache OpenWebBeans 1.5.0 (October 2015)
  • 42. https://goo.gl/rOpF0u Fixing the Java Serialization mess (agenda slide repeated as section divider; same items as slide 2)
  • 43. https://goo.gl/rOpF0u Mitigation: Look-ahead Method Blacklist Input Validation
    [flowchart: Class x.y.z → Magic methods? no → accept; yes → Analyze magic method → Called methods (methodA, methodB) → blacklisted methods (Black List: method1, method2)? no → accept; yes → reject]
  • 44. https://goo.gl/rOpF0u Check it out: Source code with POC implementation published
  • 45. https://goo.gl/rOpF0u Mitigation: Putting everything together
    • Security Manager
    • Look-ahead Class name validation: Whitelisting, Blacklisting
    • Look-ahead Method blacklisting
  • 46. https://goo.gl/rOpF0u Serialization:
    1. Don’t use it
    2. Class name whitelisting
    3. Method blacklisting

Editor's Notes

  1. AC ED 00 05: Remember this
  2. Root cause is *NOT* weak boundary between data & code. Magic methods not always present
  3. Successful exploitation requires both attack surfaces
  4. The attacker can control anything that has been read from the stream, or any member that has been deserialized with the default behavior
  5. It would be nice if we could send something else than String[]…
  6. Vulnerable even if authentication is enabled (happens before). Tomcat used as an example
  7. New Argument: Class or Class[]
  8. Strongly encouraged to stop using deserialization altogether
  9. For lack of a better name…
  10. Security Manager is not enough, but it still adds value