Crystallizer: A Hybrid Path Analysis Framework To Aid in Uncovering Deserialization Vulnerabilities
Applications leverage serialization and deserialization to exchange data between instances. Serialization allows developers to exchange messages or perform remote method invocation in distributed ap- plications. However, the application logic itself is responsible for security. Adversaries may abuse bugs in the deserialization logic to forcibly invoke attacker-controlled methods by crafting malicious bytestreams (payloads). Crystallizer presents a novel hybrid framework to automati- cally identify deserialization vulnerabilities by combining static and dynamic analyses. Our intuition is to first over-approximate possi- ble payloads through static analysis (to constrain the search space). Then, we use dynamic analysis to instantiate concrete payloads as a proof-of-concept of a vulnerability (giving the analyst concrete examples of possible attacks). Our proof-of-concept focuses on Java deserialization as the imminent domain of such attacks. We evaluate our prototype on seven popular Java libraries against state-of-the-art frameworks for uncovering gadget chains. In con- trast to existing tools, we uncovered 47 previously unknown ex- ploitable chains. Finally, we show the real-world security impact of Crystallizer by using it to synthesize gadget chains to mount RCE and DoS attacks on two popular Java applications automatically. We have responsibly disclosed all newly discovered vulnerabilities
Thu 7 DecDisplayed time zone: Pacific Time (US & Canada) change
14:00 - 15:30 | Security IIResearch Papers / Journal First at Golden Gate C3 Chair(s): Caroline Lemieux University of British Columbia | ||
14:00 15mTalk | Mate! Are You Really Aware? An Explainability-Guided Testing Framework for Robustness of Malware Detectors Research Papers Ruoxi Sun CSIRO's Data61, Jason Minhui Xue CSIRO’s Data61, Gareth Tyson Hong Kong University of Science and Technology, Tian Dong Shanghai Jiao Tong University, Shaofeng Li Shanghai Jiao Tong University, Shuo Wang CSIRO's Data61, Haojin Zhu Shanghai Jiao Tong University, Seyit Camtepe CSIRO Data61, Surya Nepal CSIRO’s Data61 Media Attached | ||
14:15 15mTalk | Security Misconfigurations in Open Source Kubernetes Manifests: An Empirical Study Journal First Akond Rahman Auburn University, USA, Shazibul Islam Shamim Auburn University, Dibyendu Brinto Bose Virginia Tech, Rahul Pandita GitHub, Inc. Media Attached | ||
14:30 15mTalk | Crystallizer: A Hybrid Path Analysis Framework To Aid in Uncovering Deserialization Vulnerabilities Research Papers Prashast Srivastava Columbia University, USA, Flavio Toffalini EPFL, Kostyantyn Vorobyov Oracle Labs, Australia, François Gauthier Oracle Labs, Antonio Bianchi Purdue University, Mathias Payer EPFL Media Attached | ||
14:45 15mTalk | Neural Transfer Learning for Repairing Security Vulnerabilities in C Code Journal First Zimin Chen KTH Royal Institute of Technology, Steve Kommrusch Leela AI, Martin Monperrus KTH Royal Institute of Technology Media Attached | ||
15:00 15mTalk | ViaLin: Path-Aware Dynamic Taint Analysis for Android Research Papers Khaled Ahmed University of British Columbia (UBC), Yingying Wang University of British Columbia, Mieszko Lis The University of British Columbia, Canada, Julia Rubin University of British Columbia, Canada Media Attached | ||
15:15 15mTalk | [Remote] Distinguishing Look-Alike Innocent and Vulnerable Code by Subtle Semantic Representation Learning and Explanation Research Papers Chao Ni School of Software Technology, Zhejiang University, Xin Yin The State Key Laboratory of Blockchain and Data Security, Zhejiang University, Kaiwen Yang College of Computer Science and Technology, Zhejiang University, Dehai Zhao Australian National University, Australia, Zhenchang Xing Data61, Xin Xia Huawei Technologies Media Attached | ||