Loading…
This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
View analytic
Thursday, June 30 • 11:35 - 12:20
Surviving the Java serialization apocalypse

Sign up or log in to save this to your schedule and see who's attending!

The hidden danger of Java deserialization vulnerabilities – which often lead to remote code execution – has gained extended visibility in the past year. The issue has been known for years; however, it seems that the majority of developers were unaware of it until recent media coverage around commonly used libraries and major products. This talk aims to shed some light about how this vulnerability can be abused, how to detect it from a static and dynamic point of view, and -- most importantly -- how to effectively protect against it. The scope of this talk is not limited to the Java serialization protocol but also other popular Java libraries used for object serialization.

The ever-increasing number of new vulnerable endpoints and attacker-usable gadgets has resulted in a lot of different recommendations on how to protect your applications, including look-ahead deserialization and runtime agents to monitor and protect the deserialization process. Coming at the problem from a developer’s perspective and triaging the recommendations for you, this talk will review existing protection techniques and demonstrate their effectiveness on real applications. It will also review existing techniques and present new gadgets that demonstrates how attackers can actually abuse your application code and classpath to craft a chain of gadgets that will allow them to compromise your servers.

This talk will also present the typical architectural decisions and code patterns that lead to an increased risk of exposing deserialization vulnerabilities. Mapping the typical anti-patterns that must be avoided, through the use of real code examples we present an overview of hardening techniques and their effectiveness. The talk will also show attendees what to search the code for in order to find potential code gadgets the attackers can leverage to compromise their applications. We’ll conclude with action items and recommendations developers should consider to mitigate this threat.

Speakers
avatar for Alvaro Muñoz

Alvaro Muñoz

Principal Security Researcher, HPE
Alvaro Muñoz (@pwntester) works as Principal Software Security Researcher with HPE Security Research (HPSR). His research focuses on different programming languages and web application frameworks searching for vulnerabilities or unsafe uses of APIs. Before joining the HPSR team, he worked as an Application Security Consultant helping enterprises to deploy their application security programs.
avatar for Christian Schneider

Christian Schneider

Whitehat Hacker, Christian Schneider
Christian Schneider (@cschneider4711) writes software since the nineties, works as a freelance software developer since 1997, and focuses on Java since 1999. Aside from the traditional software engineering tasks he support clients in the field of IT security. This includes penetration testing, security audits, architectural reviews, and web application hardening. Christian enjoys writing articles about web application security (for the German... Read More →


Thursday June 30, 2016 11:35 - 12:20
Room A (Michelangelo Ballroom Sect. 3)

Attendees (29)