EvilPickles: DoS attacks based on Object-Graph Engineering (ECOOP 2017 - ECOOP Research Papers)

Who

Jens Dietrich, Kamil Jezek, Shawn Rasheed, Amjed Tahir, Alex Potanin

Track

ECOOP 2017 ECOOP Research Papers

Time Zone

The program is currently displayed in (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna.

Use conference time zone: (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, ViennaSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

By setting a time band, the program will dim events that are outside this time window. This is useful for (virtual) conferences with a continuous program (with repeated sessions).
The time band will also limit the events that are included in the personal iCalendar subscription service.

Display full programSpecify a time band

Save

When

Fri 23 Jun 2017 16:15 - 16:40 at Auditorium, Vertex Building - Security Chair(s): Peter Müller

Abstract

In recent years, multiple vulnerabilities exploiting the serializations APIs of various programming languages including Java have been discovered. These vulnerabilities can be used to devise injection attacks, exploiting the presence of dynamic programming language features like reflection or dynamic proxies. In this paper, we investigate a new type of serialization-related vulnerabilities for Java that exploit the topology of object graphs constructed from classes of the standard library in a way that deserialisation leads to resource exhaustion, facilitating denial of service attacks. We analyse three such vulnerabilities that can be exploited to exhaust stack memory, heap memory and cpu time. We discuss the language and library design features that enable these vulnerabilities, and investigate whether these vulnerabilities can be ported to C#, JavaScript and Ruby. We present two case studies that demonstrate how the vulnerabilities can be used in attacks on two widely used servers, Jenkins deployed on Tomcat and JBoss. Finally, we propose a mitigation strategy based on contract injection.

Link to Publication

http://drops.dagstuhl.de/opus/volltexte/2017/7260/pdf/LIPIcs-ECOOP-2017-10.pdf

Link to Preprint

https://sites.google.com/site/jensdietrich/publications/preprints/EvilPickles_ECOOP17.pdf

Jens Dietrich

Massey University

New Zealand

Kamil Jezek

University of West Bohemia, Pilsen, CZ

Shawn Rasheed

Massey University

New Zealand

Amjed Tahir

Massey University

New Zealand

Alex Potanin

Victoria University of Wellington

New Zealand

Video

Time Zone

The program is currently displayed in (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna.

Use conference time zone: (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, ViennaSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

Display full programSpecify a time band

Save

Session Program

Fri 23 Jun
Times are displayed in time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change

	15:50 - 17:05: SecurityECOOP Research Papers at Auditorium, Vertex Building Chair(s): Peter MüllerETH Zurich

	15:50 - 16:15 Talk		Type Abstraction for Relaxed Noninterference ECOOP Research Papers Raimil CruzUniversity of Chile, Tamara RezkInria, Bernard SerpetteInria, Éric TanterUniversity of Chile Link to publication Media Attached
	16:15 - 16:40 Talk		EvilPickles: DoS attacks based on Object-Graph Engineering ECOOP Research Papers Jens DietrichMassey University, Kamil JezekUniversity of West Bohemia, Pilsen, CZ, Shawn RasheedMassey University, Amjed TahirMassey University, Alex PotaninVictoria University of Wellington Link to publication Pre-print Media Attached
	16:40 - 17:05 Talk		A Capability-Based Module System for Authority Control ECOOP Research Papers Darya MelicherCarnegie Mellon University, Yangqingwei ShiPeking University, Alex PotaninVictoria University of Wellington, Jonathan AldrichCarnegie Mellon University Link to publication