Automated Discovery of Deserialization Gadget Chains

Black Hat via YouTube

Overview

Explore automated discovery techniques for deserialization gadget chains in this Black Hat conference talk. Delve into the persistent threat of unsafe deserialization vulnerabilities and their impact on Java applications. Learn about magic methods, payload examples, and vulnerable libraries. Examine existing tools and discover a new approach for finding gadget chains through class/method hierarchy enumeration, passthrough dataflow discovery, and callgraph analysis. Investigate the results of open-source library scans, including newly discovered gadget chains in Clojure and Scala. Gain insights into potential improvements and future directions for automated discovery in this emerging field of cybersecurity research.

Syllabus

Intro
Deserialization? That's so 2016...
Why are Deserialization Vulnerabilities so Bad? - Magic methods get executed automatically by the deserializer, even before deserialization finishes!
Magic methods? - readObject() and readResolve() are the main ones...
Magic Methods to Gadget Chains
Example Payload
What (Java) Libraries are Vulnerable?
Finding Vulnerabilities
Remediation Options
Finding Exploits
Existing Gadget Chain Tools
Building a New Tool to Find Gadget Chains
Enumerate class/method hierarchy
Discover "Passthrough" Dataflow
Enumerate "Passthrough" Callgraph
Enumerate Sources Using Known Tricks
BFS on Call Graph for Chains Sources
Deserialization Library Flexibility
Results: OSS Library Scans
Results: Old Gadget Chains
New Gadget Chains: Clojure (org.clojure:clojure)
New Gadget Chains: Scala
Results: Netflix Internal Webapp 2
Room for Improvement
Final Thoughts - Automatic discovery for gadget chains is new territory

Taught by

Black Hat
