AppSec Europe 2016 has ended
Thursday, June 30 • 11:35 - 12:20
Surviving the Java serialization apocalypse


The hidden danger of Java deserialization vulnerabilities – which often lead to remote code execution – has gained extended visibility in the past year. The issue has been known for years; however, it seems that the majority of developers were unaware of it until recent media coverage around commonly used libraries and major products. This talk aims to shed some light on how this vulnerability can be abused, how to detect it from a static and dynamic point of view, and -- most importantly -- how to effectively protect against it. The scope of this talk is not limited to the Java serialization protocol but also covers other popular Java libraries used for object serialization.

The ever-increasing number of new vulnerable endpoints and attacker-usable gadgets has resulted in a lot of different recommendations on how to protect your applications, including look-ahead deserialization and runtime agents that monitor and protect the deserialization process. Coming at the problem from a developer’s perspective and triaging the recommendations for you, this talk will review existing protection techniques and demonstrate their effectiveness on real applications. It will also review existing techniques and present new gadgets that demonstrate how attackers can actually abuse your application code and classpath to craft a chain of gadgets that will allow them to compromise your servers.
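The "look-ahead deserialization" technique named above, as an added illustration that is not part of the talk or its authors' material: an `ObjectInputStream` subclass that consults an allowlist in `resolveClass()`, so an unexpected type is refused before any of its code runs. The allowlisted class names (including `com.example.Message`) are constructed placeholders.

```java
import java.io.*;
import java.util.Set;

// Added example: a look-ahead ObjectInputStream that refuses every class
// not on an explicit allowlist. Requires Java 9+ for Set.of().
public class LookAheadObjectInputStream extends ObjectInputStream {

    // Constructed allowlist: only the types this endpoint legitimately expects.
    // Superclass descriptors are resolved too, so Number is needed for Integer.
    private static final Set<String> ALLOWED = Set.of(
        "java.lang.String",
        "java.lang.Number",
        "java.lang.Integer",
        "java.util.ArrayList",
        "com.example.Message"   // hypothetical application DTO
    );

    public LookAheadObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    // resolveClass() runs for every class descriptor in the stream before the
    // object is instantiated, so a refused type never executes readObject(),
    // constructors or finalizers. Array types ("[L...;") are refused as well,
    // since their descriptor names are not on the list.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            // InvalidClassException carries the class name for logging/alerting.
            throw new InvalidClassException("Deserialization refused", name);
        }
        return super.resolveClass(desc);
    }

    // Demo: a HashMap is serialized (not allowlisted) and then refused on read.
    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new java.util.HashMap<String, String>());
        }
        try (ObjectInputStream ois = new LookAheadObjectInputStream(
                new ByteArrayInputStream(bos.toByteArray()))) {
            ois.readObject();
        } catch (InvalidClassException e) {
            System.out.println("refused: " + e.classname);
        }
    }
}
```

On Java 9 and later the same effect is available without subclassing through the built-in `ObjectInputFilter` (JEP 290), which can also be applied process-wide via the `jdk.serialFilter` property.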

This talk will also present the typical architectural decisions and code patterns that lead to an increased risk of exposing deserialization vulnerabilities. Mapping the typical anti-patterns that must be avoided, we use real code examples to present an overview of hardening techniques and their effectiveness. The talk will also show attendees what to search the code for in order to find potential code gadgets that attackers can leverage to compromise their applications. We’ll conclude with action items and recommendations developers should consider to mitigate this threat.


Alvaro Muñoz

Principal Security Researcher, Micro Focus Fortify
Alvaro Muñoz (@pwntester) works as a Principal Software Security Researcher with Micro Focus Fortify, Software Security Research (SSR) team. Before joining the research organization, he worked as an Application Security Consultant helping top enterprises to deploy their application...

Christian Schneider

Freelancer, Christian Schneider
Christian has pursued a successful career as a freelance software developer since 1997 and expanded it in 2005 to include the focus on IT security. His major areas of work are penetration testing, security architecture consulting, and threat modeling. As a trainer, Christian regularly...

Thursday June 30, 2016 11:35 - 12:20 CEST
Room A (Michelangelo Ballroom Sect. 3)