Tabby: Automated Gadget Chain Detection for Java Deserialization Vulnerabilities | IEEE Conference Publication | IEEE Xplore

Tabby: Automated Gadget Chain Detection for Java Deserialization Vulnerabilities



Abstract:

Java is one of the preferred languages of modern developers and has become increasingly prominent with the spread of open-source culture. Thanks to its serialization and deserialization features, Java programs can transmit object data between multiple components or systems, which significantly facilitates development. However, the same features may also allow attackers to construct gadget chains, leading to Java deserialization vulnerabilities. Because Java deserialization is highly flexible and customizable, finding an exploitable gadget chain is complicated and usually costs researchers a great deal of effort to confirm a vulnerability. To address this problem, in this paper we introduce Tabby, a highly accurate framework that leverages the Soot framework and the Neo4j graph database to find Java deserialization gadget chains. We used Tabby to analyze 248 Jar files, found 80 practical gadget chains, and received 7 CVE-IDs from XStream and Apache Dubbo; both projects improved their security design to address the potential security risks.
Date of Conference: 27-30 June 2023
Date Added to IEEE Xplore: 09 August 2023
Conference Location: Porto, Portugal


I. Introduction

Java is one of the most widely used programming languages today, owing to its convenience and cross-platform capabilities. According to Statista's 2022 report [1], 33.27% of developers use Java for their programming needs. However, the features that make Java so popular also expose it to security risks, particularly Java deserialization vulnerabilities (JDVs). In recent years, a number of high-risk, severe-impact JDVs have been identified, such as the Apache Log4j 2 remote code execution vulnerability (CVE-2021-44228) [2]. This vulnerability allows attackers to perform a malicious JNDI injection [3] that returns a serialized payload and executes malicious commands on a remote server. The Cyberint research team found that millions of servers were affected by this vulnerability [4].
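The approach the abstract describes (a call graph built by Soot and queried as paths in Neo4j) reduces, at its core, to constrained reachability: a gadget chain is a path from a method the deserializer invokes on attacker-controlled objects to a dangerous sink, where every class along the path can actually be restored from a stream. The following Python block is an added illustration of that idea and is not Tabby's code nor the paper's; the call graph, class names, method names, the `SERIALIZABLE` set and the choice of sources and sinks are all constructed sample data, and a plain breadth-first search stands in for the Soot analysis and the Neo4j query.

```python
"""Gadget-chain detection as constrained graph reachability (added example).

Not Tabby's implementation: a hand-built call graph and a BFS replace the
Soot call-graph construction and Neo4j path queries the paper describes.
Every name and edge below is constructed sample data.
"""
from collections import deque

# Constructed call graph: "Class.method" -> set of methods it may call.
CALL_GRAPH = {
    "Entry.readObject": {"Entry.rebuild", "Logger.write"},
    "Entry.rebuild": {"Holder.hashCode"},
    "Holder.hashCode": {"Lazy.get"},
    "Lazy.get": {"Transform.apply"},
    "Transform.apply": {"Reflect.invoke"},
    "Logger.write": {"Shell.run"},
    "Reflect.invoke": set(),
    "Shell.run": set(),
}

# Constructed: classes that implement Serializable. A chain only counts if
# every class on it (sink included) can be instantiated by deserialization;
# "Logger" is deliberately left out to show a path that is pruned.
SERIALIZABLE = {"Entry", "Holder", "Lazy", "Transform", "Reflect"}

# Illustrative entry points and sinks for this sample graph.
SOURCES = {"Entry.readObject"}
SINKS = {"Reflect.invoke", "Shell.run"}


def owner(node):
    """Class part of a 'Class.method' node."""
    return node.rsplit(".", 1)[0]


def find_chains(graph, sources, sinks, serializable):
    """Return {sink: shortest source->sink path} for every sink reachable
    through serializable classes only. Expansion stops at a sink, so a
    chain never runs through one sink to reach another."""
    chains = {}
    for src in sources:
        parent = {src: None}
        queue = deque([src])
        while queue:
            cur = queue.popleft()
            if cur in sinks:
                path, node = [], cur
                while node is not None:
                    path.append(node)
                    node = parent[node]
                path.reverse()
                # Keep the first (shortest) path found per sink.
                chains.setdefault(cur, path)
                continue
            for nxt in graph.get(cur, ()):
                if nxt in parent or owner(nxt) not in serializable:
                    continue  # already visited, or class not restorable
                parent[nxt] = cur
                queue.append(nxt)
    return chains


def report(chains):
    """Human-readable one-line-per-chain summary."""
    return [f"{sink}: " + " -> ".join(path) for sink, path in sorted(chains.items())]


if __name__ == "__main__":
    for line in report(find_chains(CALL_GRAPH, SOURCES, SINKS, SERIALIZABLE)):
        print(line)
```

On the sample graph only the `Reflect.invoke` chain is reported; the shorter route to `Shell.run` is pruned because `Logger` is not serializable, which is the kind of false positive a naive call-graph search would report and a gadget-chain detector must filter out. Marking `Logger` serializable makes that second chain appear.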

