deserialization of untrusted data in java
play

Deserialization of untrusted data in Java Analysis, current - PowerPoint PPT Presentation

Jun 06, 2023 •126 likes •587 views

Deserialization of untrusted data in Java Analysis, current solutions & a new approach Apostolos Giannakidis OWASP London Meetup @apgiannakidis 18th May 2017 1 Whois Security Architect at Waratek Application security

  1. Deserialization of untrusted data in Java Analysis, current solutions & a new approach Apostolos Giannakidis OWASP London Meetup @apgiannakidis 18th May 2017 1

  2. Whois • Security Architect at Waratek • Application security • Vulnerability and exploit research • R&D exploit mitigation • Product development • Over a decade of professional experience in software and security • MSc Computer Science 2

  3. Agenda • Java serialization basics • Deserialization of untrusted data • Understanding the vulnerability and the exploits • Common misconceptions • Known mitigations and their limitations • A new mitigation approach using runtime virtualization • Q & A 3

  4. Serialization 101 4

  5. Use Cases • Remote / Interprocess Communication (RPC/IPC) • Message Brokers • Caching • Tokens / Cookies • RMI • JMX • JMS 5

  6. Serialization Format • Data only • Class metadata •Names of data types •Names of object fields • Object field values 6

  7. Serializable is not easy ” Allowing a class’s instances to be serializable can be as simple as adding the words “implements Serializable” to the class. This is a common misconception, the truth is far more complex . ” - Joshua Bloch Effective Java 7

  8. Serializable makes objects untrusted • Serializable creates: • a public hidden constructor • a public interface to all fields of that class • Deserialization is Object Creation and Initialization • Without invoking the actual class’s constructor • Treat it as a Constructor • Apply same input validation, invariant constraints, and security permissions • Before any of its methods is invoked ! 8

  9. Serializable is a commitment • Audit your Serializable classes • Create a Threat Model • Class definitions evolve • Re-evaluate threat models on every new class version • Document all deserialization end-points 9

  10. Attacking Java Serialization Focus on attack techniques found by Gabriel Lawrence, Chris Frohoff, Steve Breen, Matthias Kaiser, Alvaro Muñoz • Integrity • RCE via gadget chains • Availability • DoS via gadget chains 10

  11. Misconception #1 My app does not use serialization, so I am safe • Custom Java App • 3rd party libs (Apache Commons, Spring, Log4j, etc.) • Middleware (IBM WebSphereMQ, Oracle OpenMQ, Apache ActiveMQ, JBoss EAP, etc.) • App Server (Oracle WebLogic, IBM WebSphere, etc.) 11

  12. Who is affected? ● Oracle ● VMWare ● Red Hat ● Cisco ● Apache ● Pivotal ● IBM ● Atlassian ● Symantec ● Jenkins Virtually everyone! 12

  13. Deserialization of untrusted data (CWE-502) InputStream untrusted = request.getInputStream(); ObjectInputStream ois = new ObjectInputStream( untrusted ); SomeObject deserialized = (SomeObject) ois. readObject() ; • What is the problem here? • Any available class can be deserialized • Calling ObjectInputStream.readObject() using untrusted data can result in malicious behavior • Arbitrary code execution •Denial of Service •Remote command execution • Malware / Ransomware infection 13

  14. SFMTA Ransomware Incident • San Francisco Municipal Transportation Agency • Ransomware infection via Java Deserialization RCE • ~ 900 computers • $559k in fares daily loss • Exfiltrated 30GB of files Source: https://www.thesslstore.com, https://arstechnica.com 14

  15. Misconception #2 I am deserializing trusted data, so I am safe • What is trusted data? • Sources that are trusted today may not be tomorrow 15

  16. Abusing Java Deserialization • Attackers find dangerous classes available in the system • Not necessarily used by the system • Dangerous classes (NOT necessarily vulnerable) • extend Serializable or Externalizable • utilize their member fields during or after deserialization • no input validation • Known as gadget classes • JRE, App Servers, common libraries, frameworks, Apps • e.g., Apache Commons Collections InvokerTransformer 16

  17. Misconception #3 ACC InvokerTransformer is on my ClassPath, therefore I am vulnerable • Not a vulnerability of the ACC InvokerTransformer • The vulnerability is the deserialization of untrusted data • The InvokerTransformer simply made the vulnerability exploitable 17

  18. Unrealistic Gadget public class SomeClass implements Serializable { private String cmd; private void readObject( ObjectInputStream stream ) throws Exception { stream.defaultReadObject(); Runtime.getRuntime().exec( cmd ); } } 18

  19. Unrealistic Gadget Remote Shell public class SomeClass implements Serializable { private String cmd; By Design! private void readObject( ObjectInputStream stream ) throws Exception { stream.defaultReadObject(); Runtime.getRuntime().exec( cmd ); } } 19

  20. Chaining Gadgets together • Attackers create chains of method calls • Known as gadget chains • Abuse the deserialization logic • Gadget Chains are self-executing • Triggered by the JVM during or after deserialization • Their goal is to exhibit malicious behavior 20

  21. Gadget Chain Creation • Gadget chain creation is like a game of Scrabble • Gadgets are letters of the words • Gadget chains are words • correct words win the game • The more classes you have loaded • the more letters you have • more chances to create words • more likely to be exploitable 21

  22. Do It Yourself • Ysoserial, by Chris Frohoff • PoC payload generation tool • Tens of ready-to-use gadgets • https://github.com/frohoff/ysoseri al/ 22

  23. Possible Mitigations • Avoid object serialization • WAFs / Firewalls • Custom Java Security Manager • Filter trusted / untrusted classes • Blacklisting • Whitelisting 23

  24. Avoid Object Serialization • Recommended • Redesign / re-architect the software Existing Mitigations • But you may still be vulnerable • Deserialization may still occur in components you don’t control 24

  25. WAFs / Firewalls • Block ports and apply basic heuristics • Can produce false positives Existing Mitigations • Lack visibility of the runtime • Runtime provides full context • Protection should be in the runtime 25

  26. Checking WAFs for False Positives HashMap<String, String> map = new HashMap<>(); Existing Mitigations map.put( “org.apache.commons.collections.functors.InvokerTransformer”, “calc.exe” ); FileOutputStream file = new FileOutputStream( "out.bin" ); ObjectOutputStream out = new ObjectOutputStream(file); out.writeObject( map ); out.close(); 26

  27. Filter Untrusted Classes - Blacklisting • Always a bad idea • Never complete Existing Mitigations • False sense of security • Requires profiling • Not possible if gadget class is needed • Can be bypassed (see A.Muñoz & C.Schneider Serial Killer: Silently Pwning Your Java Endpoints) 27

  28. Filter Trusted Classes - Whitelisting • Better approach than Blacklisting • Requires profiling Existing Mitigations • Difficult to configure • No protection if gadget class is needed • May not protect against Golden Gadget s • SerialDoS • SerialDNSDoS • <= JRE 1.7u21 • Many more... 28

  29. Maintaining lists is a commitment • Whitelists may need to be updated on new releases • Blacklists must be updated on every new gadget Existing Mitigations • Forgetting to whitelist a class breaks your app • Forgetting to blacklist a class makes you vulnerable 29

  30. Risk-based Management using whitelists • Who should be responsible for their maintenance? • Difficult to apply risk-based managemen t Existing Mitigations • How should a class’s risk profile be assessed? • Devs understand code • Security teams understand operations 30

  31. Whitelisting is not easy • Dev asks Security team to whitelist a new class: SomeClass Existing Mitigations class SomeClass extends BaseClass { // nothing suspicious } • Security team whitelists the class 31

  32. Whitelisting is not easy • Dev asks Security team to whitelist a new class: SomeClass Existing Mitigations class SomeClass extends BaseClass { // nothing suspicious } • Security team whitelists the class class BaseClass extends HashMap { } • Vulnerable to SerialDoS 32

  33. JEP 290 - Serialization Filtering • White / Black listing approach • 3 types of filters Existing Mitigations • Global Filter • Specific Filter • Built-in Filters • Graph and Stream Limits • Patterns to whitelist classes and package 33

  34. Custom Java Security Manager • Always a good idea • It’s a type of whitelisting Existing Mitigations • Requires profiling • Difficult to configure • Can be bypassed • Deserialization payload can unset the Security Manager • See ZoneInfo Exploit (CVE-2008-5353) • Does not protect against some DoS attacks • Does not protect against deferred attacks (such as finalize()) 34

  35. Apache Commons Collections Gadget Chain ObjectInputStream.readObject() AnnotationInvocationHandler.readObject() Map(Proxy).entrySet() AnnotationInvocationHandler.invoke() LazyMap.get() ChainedTransformer.transform() ... Method.invoke() Runtime.getRuntime() InvokerTransformer.transform() Method.invoke() Source: Chris Frohoff Marshalling Pickles Runtime.exec() AppSecCali 2015 35

  36. JRE 1.7u21 Gadget Chain LinkedHashSet.readObject() ... LinkedHashSet.add() ... Proxy(Templates).equals() ... ClassLoader.defineClass() Class.newInstance() ... Runtime.exec() Source: Chris Frohoff ysoserial 36

Recommend

Simulated Pointers Limitations Of Java Pointers May be used for internal data structures

Simulated Pointers Limitations Of Java Pointers May be used for internal data structures

Simulated Pointers Limitations Of Java Pointers May be used for internal data structures only. Data structure backup requires serialization and deserialization. No arithmetic. Simulated-Pointer Memory Layout c a e d b Data

1.12k views • 13 slides
Object lessons Deserialization after Apache Commons Collections T i m J a r r e t t , N o v e m

Object lessons Deserialization after Apache Commons Collections T i m J a r r e t t , N o v e m

Object lessons Deserialization after Apache Commons Collections T i m J a r r e t t , N o v e m b e r 2 0 1 6 Who am I? @tojarrett Over 20 years in the software business At Veracode since 2008 Grammy award winner Bacon

692 views • 24 slides
Chip-Secured Data Access: Confidential Data on Untrusted Servers L. Bouganim, P. Pucheral

Chip-Secured Data Access: Confidential Data on Untrusted Servers L. Bouganim, P. Pucheral

Chip-Secured Data Access: Confidential Data on Untrusted Servers L. Bouganim, P. Pucheral University of Versailles The need for Open Trusted Data Stores PAGE 2 Virtual teams distributed among space, time and organizations

394 views • 12 slides
Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras

Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras

Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras Untrusted Programs Untrusted Application Entire Application untrusted Part of application untrusted Modules or library untrusted

797 views • 46 slides
CSE 510 Web Data Engineering Java Beans UB CSE 510 Web Data Engineering What is a Java Bean?

CSE 510 Web Data Engineering Java Beans UB CSE 510 Web Data Engineering What is a Java Bean?

CSE 510 Web Data Engineering Java Beans UB CSE 510 Web Data Engineering What is a Java Bean? Simply a class wrapping some data and meets certain restrictions Three components: Default constructor (no arguments) Private

280 views • 11 slides
JAVA Java vs. Java Java Language Specification

JAVA Java vs. Java Java Language Specification

BR 10/05 JAVA Java vs. Java Java Language Specification http://java.sun.com/docs/books/jls/second_edition/html/j.title.doc.html Java programming language is compiled into java byte code Java Virtual Machine Specification

1.07k views • 44 slides
Data Structures in Java Java Review 9/14/2015 Daniel Bauer and Larry Stead 1 Disclaimer

Data Structures in Java Java Review 9/14/2015 Daniel Bauer and Larry Stead 1 Disclaimer

Data Structures in Java Java Review 9/14/2015 Daniel Bauer and Larry Stead 1 Disclaimer This Data Structures class (and Jarvis!) uses Java 8. Java Review - Contents (1) Writing and Running Java Programs. Structure of a Program:

745 views • 57 slides
Data Structures in Java Lecture 3: ADTs in Java. 9/16/2015 Daniel Bauer 1 Today ADTs and

Data Structures in Java Lecture 3: ADTs in Java. 9/16/2015 Daniel Bauer 1 Today ADTs and

Data Structures in Java Lecture 3: ADTs in Java. 9/16/2015 Daniel Bauer 1 Today ADTs and Data Structures in Java (Generics, Interfaces etc., Java Standard Library) Linked List Implementation. Binary Search Example. Recitation

458 views • 27 slides
Introduction to Java Chapters 1 and 2 The Java Language Section 1.1 Data &amp; Expressions

Introduction to Java Chapters 1 and 2 The Java Language Section 1.1 Data &amp; Expressions

Introduction to Java Chapters 1 and 2 The Java Language Section 1.1 Data &amp; Expressions Sections 2.1 2.5 Instructor: Scott Kristjanson CMPT 125/125 SFU Burnaby, Fall 2013 Scope 2 Introduce the Java programming language

725 views • 61 slides
Protecting Data in Untrusted Locations An exercise in Real World threat modeling. Jan

Protecting Data in Untrusted Locations An exercise in Real World threat modeling. Jan

Protecting Data in Untrusted Locations An exercise in Real World threat modeling. Jan Schaumann 99CE 1DC7 770A C5A8 09A6 @jschauma 0DCD 66CE 4FE9 6F6B D3D7 Me. Errday. Obligatory James Mickens This World of Ours reference.

714 views • 40 slides
CSE 510 Web Data Engineering Java Server Pages (JSPs) UB CSE 510 Web Data Engineering Java

CSE 510 Web Data Engineering Java Server Pages (JSPs) UB CSE 510 Web Data Engineering Java

CSE 510 Web Data Engineering Java Server Pages (JSPs) UB CSE 510 Web Data Engineering Java Server Pages: Embedding Java Code in Static Content 2 UB CSE 510 Web Data Engineering Why JSPs? Need to separate the business logic

439 views • 31 slides
Learning from Untrusted Data Moses Charikar, Jacob Steinhardt, Gregory Valiant Symposium on the

Learning from Untrusted Data Moses Charikar, Jacob Steinhardt, Gregory Valiant Symposium on the

Learning from Untrusted Data Moses Charikar, Jacob Steinhardt, Gregory Valiant Symposium on the Theory of Computing June 19, 2017 (Icon credit: Annie Lin) Motivation: data poisoning attacks: 1 (Icon credit: Annie Lin) Motivation: data

621 views • 48 slides
Hails: Protecting Data Privacy in Untrusted Web Applications Daniel B. Giffin, Amit Levy, Deian

Hails: Protecting Data Privacy in Untrusted Web Applications Daniel B. Giffin, Amit Levy, Deian

Hails: Protecting Data Privacy in Untrusted Web Applications Daniel B. Giffin, Amit Levy, Deian Stefan, David Terei, John Mitchell, David Mazires, and Alejandro Russo Web platforms are great ! They allow third-party developers to build apps

714 views • 54 slides
Learning the Java Language Based on The Java Tutorial

Learning the Java Language Based on The Java Tutorial

Learning the Java Language Based on The Java Tutorial (http://docs.oracle.com/javase/tutorial/java/) Bryn Mawr College CS206 Intro to Data Structures Language Basics Variables Operators Expressions, Statements and Blocks

415 views • 20 slides
Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006)

Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006)

Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006) Java 7 (2010) Other topics Basic concurrency in Java Java Memory Model describes how threads interact through memory Single thread

812 views • 34 slides
HOW TO USE JAVA STREAMS TO ACCESS EXISTING DATA WITH ULTRA-LOW LATENCY PER MINBORG, CTO,

HOW TO USE JAVA STREAMS TO ACCESS EXISTING DATA WITH ULTRA-LOW LATENCY PER MINBORG, CTO,

HOW TO USE JAVA STREAMS TO ACCESS EXISTING DATA WITH ULTRA-LOW LATENCY PER MINBORG, CTO, SPEEDMENT, INC. WHO AM I? Serial Entrepreneur +15 US Patents Java Expert Palo Alto Minborgs Java Pot TITLE OF SLIDE GOES HERE

609 views • 43 slides
Java Java Basics Java Program Statements Java Review Conditional statements

Java Java Basics Java Program Statements Java Review Conditional statements

Java Java Basics Java Program Statements Java Review Conditional statements Repetition statements (loops) Writing Classes in Java Selim Aksoy Class definitions Bilkent University Encapsulation and Java modifiers

346 views • 11 slides
Proof-Carrying Data: secure computation on untrusted execution platforms Eran Tromer Joint work

Proof-Carrying Data: secure computation on untrusted execution platforms Eran Tromer Joint work

Proof-Carrying Data: secure computation on untrusted execution platforms Eran Tromer Joint work with Alessandro Chiesa Eli Ben-Sasson Daniel Genkin 1 Technion Cryptoday June 16, 2011 Motivation 3 Motivation INTEGRITY CONFIDENTIALITY

725 views • 50 slides
Robust Learning from Untrusted Sources Nikola Konstantinov Christoph H. Lampert ICML, June 2019

Robust Learning from Untrusted Sources Nikola Konstantinov Christoph H. Lampert ICML, June 2019

Robust Learning from Untrusted Sources Nikola Konstantinov Christoph H. Lampert ICML, June 2019 Konstantinov, Lampert; IST Austria Robust Learning from Untrusted Sources Poster 156 1 / 13 Motivation Collecting data for machine learning

386 views • 28 slides
Java I/O Department of Computer Science University of Maryland, College Park Storing Data

Java I/O Department of Computer Science University of Maryland, College Park Storing Data

CMSC 132: Object-Oriented Programming II Java I/O Department of Computer Science University of Maryland, College Park Storing Data Approaches to store file data Text files Data represented in human-readable form Example: Java

401 views • 9 slides
Sieve: Cryptographically Enforced Access Control for User Data in Untrusted Clouds Frank Wang (MIT

Sieve: Cryptographically Enforced Access Control for User Data in Untrusted Clouds Frank Wang (MIT

Sieve: Cryptographically Enforced Access Control for User Data in Untrusted Clouds Frank Wang (MIT CSAIL) , James Mickens (Harvard), Nickolai Zeldovich (MIT CSAIL), Vinod Vaikuntanathan (MIT CSAIL) 1 Motivation Boston Marathon NY Marathon

1.12k views • 95 slides
Data Structures Summary Today In-class work on Java: Gnome Static data and methods

Data Structures Summary Today In-class work on Java: Gnome Static data and methods

Computer Science 210 Data Structures Summary Today In-class work on Java: Gnome Static data and methods Compiling and running Java main Arrays Input and output for loops break, continue Writing a

255 views • 9 slides
Towards Application Security on Untrusted Operating Systems Dan R. K. Ports Tal Garfinkel MIT

Towards Application Security on Untrusted Operating Systems Dan R. K. Ports Tal Garfinkel MIT

Towards Application Security on Untrusted Operating Systems Dan R. K. Ports Tal Garfinkel MIT CSAIL &amp; VMware VMware Motivation Many applications handle sensitive data financial, medical, insurance, military... credit cards, medical

712 views • 25 slides
Computer Science 210: Data Structures Intro to Java Graphics Summary Today GUIs in

Computer Science 210: Data Structures Intro to Java Graphics Summary Today GUIs in

Computer Science 210: Data Structures Intro to Java Graphics Summary Today GUIs in Java using Swing in-class: a Scribbler program READING: browse Java online Docs, Swing tutorials GUIs in Java We ll be using Swing

287 views • 13 slides

More recommend