EvilPickles: DoS attacks based on Object-Graph Engineering
In recent years, multiple vulnerabilities exploiting the serialization APIs of various programming languages, including Java, have been discovered. These vulnerabilities can be used to devise injection attacks, exploiting the presence of dynamic programming language features like reflection or dynamic proxies. In this paper, we investigate a new type of serialization-related vulnerability for Java that exploits the topology of object graphs constructed from classes of the standard library in such a way that deserialisation leads to resource exhaustion, facilitating denial-of-service attacks. We analyse three such vulnerabilities that can be exploited to exhaust stack memory, heap memory and CPU time. We discuss the language and library design features that enable these vulnerabilities, and investigate whether they can be ported to C#, JavaScript and Ruby. We present two case studies that demonstrate how the vulnerabilities can be used in attacks on two widely used servers, Jenkins deployed on Tomcat and JBoss. Finally, we propose a mitigation strategy based on contract injection.
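The abstract describes object graphs whose depth, size or reference count makes deserialisation exhaust stack, heap or CPU. The following added example is not from the paper and does not implement its contract-injection mitigation; it shows a different, standard defence, the JDK's ObjectInputFilter (java.io, JDK 9+), bounding graph depth, reference count and byte size before a constructed deeply nested list is deserialised. The limits and the java.util/java.lang allow-list are assumptions for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.List;

public class BoundedDeserialization {
    // Assumed limits for the demo: reject graphs deeper than 8 levels, with more than
    // 200 object references, larger than 64 KiB, or with arrays over 1000 elements,
    // and reject any class outside java.util / java.lang (deny-by-default "!*").
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "maxdepth=8;maxrefs=200;maxbytes=65536;maxarray=1000;java.util.*;java.lang.*;!*");

    // Deserialise untrusted bytes with the filter installed on the stream.
    static Object readBounded(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject(); // throws InvalidClassException once a limit is hit
        }
    }

    // Constructed sample input: a list nested 'depth' levels deep (harmless at these sizes).
    static List<Object> nestedList(int depth) {
        List<Object> root = new ArrayList<>();
        List<Object> cur = root;
        for (int i = 0; i < depth; i++) {
            List<Object> next = new ArrayList<>();
            cur.add(next);
            cur = next;
        }
        return root;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] shallow = serialize(nestedList(3));   // within maxdepth, accepted
        byte[] deep = serialize(nestedList(50));     // exceeds maxdepth, rejected
        System.out.println("shallow graph accepted: " + readBounded(shallow).getClass().getName());
        try {
            readBounded(deep);
        } catch (InvalidClassException e) {
            System.out.println("deep graph rejected by filter: " + e.getMessage());
        }
    }
}
```

The filter runs before the rejected object is instantiated, so the stream is abandoned at the first limit breach rather than after the graph has already consumed the resources; tune the limits to the largest legitimate payload the service expects.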
Fri 23 Jun (times are displayed in time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna)

15:50 - 17:05: Security (ECOOP Research Papers) at Auditorium, Vertex Building. Chair(s): Peter Müller (ETH Zurich)

15:50 - 16:15 Talk: Type Abstraction for Relaxed Noninterference (ECOOP Research Papers). Raimil Cruz (University of Chile), Tamara Rezk (Inria), Bernard Serpette (Inria), Éric Tanter (University of Chile)

16:15 - 16:40 Talk: EvilPickles: DoS attacks based on Object-Graph Engineering (ECOOP Research Papers). Jens Dietrich (Massey University), Kamil Jezek (University of West Bohemia, Pilsen, CZ), Shawn Rasheed (Massey University), Amjed Tahir (Massey University), Alex Potanin (Victoria University of Wellington)

16:40 - 17:05 Talk: A Capability-Based Module System for Authority Control (ECOOP Research Papers). Darya Melicher (Carnegie Mellon University), Yangqingwei Shi (Peking University), Alex Potanin (Victoria University of Wellington), Jonathan Aldrich (Carnegie Mellon University)