BSides Rochester 2019 - Jackson Deserialization Vulnerabilities

she's got three minutes left I think so but people come in and everything I've learned about the InfoSec community they're not a proper Bunch

yeah start okay think we're gonna go ahead and get going I guess we just have the stationary mic great so I've got a stay here or project so there's a guy right there and I on the back row can you raise your hand yeah okay good that's just a sound check you know if you can hear me probably anyone can because you're furthest away not because you're old and your hearings become enfeebled or anything okay so I'm gonna talk to you today about Jackson deserialization vulnerabilities again my name's Robert Secord I'm a technical director NCC group so mostly what I do for living is develop and deliver training secure coding courses in Java C C++ and C sharp so this is actually some

material I did some research on last year and then sort of incorporated this into some of our Java training so when I'm not doing training development I'm doing some you know secure coding research and a lot of this stuff kind of folds in I'm actually a member of the C Standards Committee so I'm more you know you know kind of funny story but I was on the C Standards Committee for the entire c11 project so if you ever wondered who was responsible for that garbage you could probably blame me or throw hopefully soft objects yeah nothing yeah nothing that would leave a dent and I also do some consulting typically I'll do a lot of you know source source code

analysis for customers you know source code II did security testing so and I think we take questions as we go longer do you have a way to wait to the end yeah so if you have a question just go ahead and ask the question I hopefully I'd kind of design this talk to fit the available time so you know shouldn't run over so Jackson so Jackson's basically a JSON for Java so it supports the data binding capability that supports data binding and object serialization basically allows you to serialize Java objects into JSON strings and then deserialize JSON strings back into Java objects you know sort of a converter between JSON and in Java objects and it's it's quite popular it's

the most popular package for doing this so this is again part of a I have actually an entire day on Java serialization so this is part of that material and when I put together entire day on that and I was finished I thought you know maybe I screwed up here and I'm not sure anyone's gonna want to listen to this for entire day but actually turned into a kind of a popular module of the course so the way Jackson deserialization works is that you define or identify a Java class correspond to the JSON so that's already taking the perspective that you're starting with D serialization of course you know another typical scenario is to have a Java

object which you serialize and then you would then just deserialize that object back to this you know that string back to the same object but if you're starting with the JSON you would define or identify a Java class for that JSON and then you create an instance of this Jaxson class called object mapper and an object mapper is actually a bit simpler than Java serialization object mapper does serialization and deserialization for you and you basically just create one instance of this thing and keep it around the entire time so I'll get mapper has a read value method so you could call revalue and that will then read in a JSON object from a file input

stream string or byte array and again it's a thread safe service class that you can instantiate once and just keep it around for your whole application and really you want to do that because the startup time for this object is is pretty expensive so object mapper again converts between the Java objects and the corresponding JSON strings it has functionality read and write JSON to and from plain old Java objects so it uses the JC parser JSON generator for reading and writing JSON and it's a highly customizable to work with different styles of JSON content and to support more advanced concepts such as polymorphism and object identity and I'll say something quickly about this so as a member of the C Standards Committee

we have a principle which is conservation mechanism right and so the ideas try to only provide one way to do things right don't try to provide three or four or five different ways to do the same thing and that is not a principle which was greatly entertained by the authors of the Jackson package right so they they sort of had the opposite view of let's provide all sorts of different kind of ways to do things and sort of this way programmers can decide you know what style they like or you know which flavor which interface and you know so there's just a lot of ways to do things and and what's the reason the see committee

doesn't do that and I would recommend against it is that you you create all sorts of combinatorics right so so you have to start wandering things like what happens if I use you know this approach to do this part of the process and then a different approach to do this other part of the process you know what if I combine things in different ways and you have to test all of those things for what sort of odd behavior might come out of that but basically it's a there's a lot of complexity to this API and no one really knows how it works so you know and and the way it evolved was the guy writing

it didn't know how it worked right so he would write it and would say oh that's not quite right let me tweak it and uh that's a little better let me tweak it some more right so it was a it was sort of a process of discovery so just to look at some code if you want to construct objects again you create instances of this object mapper and then we're creating a new object that's just a random object a year ago to serialize and deserialize in this case we're going to serialize it to a file called serialization data' JSON and to serialize it it's really just as simple as calling the right value method on this mapper object and

giving it the name you know the file identifier and the you know value of the object that you want to serialize and then to deserialize it you just called read value and you just get specify the file identifier and the name of the class that you're deserializing to and of course you can use this in to serialize any type of object so it just returns an object write generic object and then you cast it or assign it to whatever type of object you're actually creating so again I mentioned you know so so think about the process of deserializing a JSON string you've got you know collection of you know objects and each object has a set of properties

and so when you create a class you're gonna have a class with a bunch of corresponding fields and so what what the JSON deserialization process has to do is it has to take each each property it finds in the JSON and basically call a setter method in the class well first of all it has to figure out what class it is a call constructor for that class then it has to take each property call a setter method in order to take the data from the JSON object and set it in the in the object so there's a lot of code that's executing as the part of the process of deserializing one of these JSON strings and again the process of

doing this is non-trivial and it's constantly evolving and you know what the the author of this package is trying to do is make it you know as the least surprising interface as possible so they're trying to create this so it seems intuitive but you know it's intuitive at one level is sort of complex at a more detailed level so the simplest way to make a field in your class both serializable and d serializable is just to make it public if you don't want to make it public because generally speaking that's bad software during practice you can have getters so non-public getters will make non-public fields serializable and that that makes certain amount of sense it will also makes

private fields DC realizable because once you have it getter for it it's now considered a property by Jackson because it has a because it has a getter and so it now become D serializable and setters will also mark non-public fields as d serializable so there's there's some automatic so public getters and setters are detected again regardless of accessibility and there's a certain amount of automatic detection that Jackson does for the class and of course you know the the secret sauce and all these serialization deserialization mechanisms is reflection you know it's kind of a secret sauce behind java right they the way they get away is not introducing new keywords and things like this as they they write reflection

routines that will look for methods with certain signatures and then give those methods you know special properties so so non-public fields can be accessed by non private getters so just any getter property with a matching name and also single argument constructors automatically detect it if they use one of these sort of I don't know how to describe these types basic type string boolean integer and long and also a static single value arguments of value of methods are automatically detected so if you don't want to rely on the magic of automatic detection and some of that stuff is sort of legacy mechanisms have just been around for a while and wouldn't be included today if you know

they were starting over from scratch so you can also explicitly provide annotations and those who take precedence over automatically detected properties so you can use a JSON property which will indicate that a property is to be included JSON any setter will take a two argument method and use it for see realizing just sort of arbitrary properties for which there are no matching getters and setters available and JSON creator can be used to indicate that a method is a constructor for that object again Jackson's gonna have to call a constructor of some kind in order to create that object or it might be that you have a static factory method which is you know not a constructor but

used in that pattern to instantiate objects so you can use JSON creator to you indicate that static factory method is the correct mechanism you used to you know instantiate new instances of that object and JSON setters and all alternative JSON property for marking methods as setters so I mentioned polymorphic type handling it's a probably the fanciest phrase I use in the talk but basically this supports two things it supports job inheritance and it supports knock non concrete type senses after classes interfaces and so without polymorphic type handling the D serialization mechanism wouldn't be able to differentiate between two subclasses of a superclass and so it would wind up instantiating an object of the superclass which means that you know if

I take if I take some objects and I serialize them and ID serialize them I could wind up with something different right and that's not really a property you want from your serialization deserialization you want to you want to go full full circle end up with what you started out with and so basically polymorphic type handling is required in order to correctly deserialize the object chain so people tend to enable this I mean so basically you have this turned off your DC relation fails you turn this on the serialization works everything's great the problem is that so polymorphic type handling cars embedding type information into the json representations so that those objects can be correctly restored

and again because Jackson likes to do everything for everyone there's several different mechanisms they use for embedding the type information into the object and and it doesn't doesn't really matter to this to this lecture about this talk what mechanism you use but basically this has to be enabled to sort of allow the correct D serialization and the enabling of this feature which is what then makes your your JSON vulnerable to exploits and and so you know you'll hear people try to you well you'll hear people say that by default Jackson is secure and that's correct without enabling this feature you can't accomplish these exploits but everyone enables this feature because it's necessary to do sort of correct D

serialization of Java objects so you know the your reassurance that it's secure by default is very misleading it's actually more problematic than that so again Jackson being Jackson it supports multiple mechanisms for providing type information the easiest way to do it is be in that object mapper class that we looked at you can just call enabled default typing you can also build a custom type resolver builder I don't talk about that one much I don't think I've ever seen anyone do that I think that's basically a mechanism you use if you want to sort of rewrite the entire way you you handled the process so it's not that frequently used and the other option is locally using JSON type

info annotations another set of annotations so the simplest and also of course the least secure is to use the default typing so you have your object mapper object again that supports serialization deserialization and you can just call mapper and able default typing and boom you're done right so it's the easiest thing to do but it's it's also what makes your system completely insecure and so you know the author of this package as well as as me both both suspect this is done a lot right because what happens is you know UDC realize you get some error messages you you do Google you wind up in a stock overflow right and then there's a little Stack Overflow article

says Oh get rid of that problem by calling and able default typing you type that in your problems go away you know then you do wqx make some mark ship right same one old guy knows I'm talking about okay and so there's also some arguments you can use to limit the effects of this for example just to apply to non non final objects which you know is really all you need it for but doesn't limit to limiting the call and that way doesn't eliminate the vulnerabilities here so for things to be exploitable step one is the serialization of untrusted JSON data and whenever I talk about any mitigation for any of this stuff you know all the

security people in my company always say you know tell them never DC relays untrusted data so that's there's a rule number one just don't DC aryl is untrusted data but you know every time I say that to an audience they say but but we have to that's our whole architecture you know so so people do seem to need to do this and so that's you know there are ways to try to secure this right but of course step one is you know I mean basically there's a certain amount of risk taking a gun holding your head pulling the trigger right but if you absolutely need to do that okay we can talk about ways to try to reduce the

risk this is going from there okay so don't DC relies on trusted data so the specific gadget class that's using the exploit has to accessible from the vulnerable JBM and i didn't talk about a lot about gadget classes but but the the basic exploit here is that you are expecting a certain object a certain class to deserialize but what happens is the the attacker supplies you with a bunch of other objects right and so you go to DC you realize that you call your read value method and until that read value method returns you don't know what sort of objects are being DC realized so basically the attacker supplies a bunch of objects with a bunch of JSON objects

with a bunch of properties right and so as those objects of DC realized it's going to execute code in your JVM and it's gonna execute that code with value supplied by the attacker so basically DC realizing untrusted data is equivalent to having the attacker tell you what code they want you to run with what specific data values and so it turns out there are some very interesting classes which you know can do some fun things some some classes you know for example you can pack it with arbitrary byte code that gets executed when there DC realized great that's obviously problematic but there's a variety of other guys as well and so the gadgets you know the code that there be

that they're asking you to execute is they're not providing it has to be present in your JVM but you don't actually have to be using that functionality it just has to be in a class which is loadable by your JVM right so any any class in any library that's in the you know the class path for your JVM that can be you know loaded by the boot class loader and execute it can be part of this exploit so for example you know if you just happen to have old library sitting around in your class path that becomes a risk because the attacker could instantiate you know objects for those classes so third thing again is that you have to have a

polymorphic type handling enabled and the one thing you know one things it's better about Jackson and say just Java serialization is that you can specify the root class to which you want to see realize and the root class is specific enough it's going to prevent you from deserializing a wide array of objects but it is very very common to have a type of java.lang object as your root type which means again that you can deserialize anything because everything in Java is an object so including the complete you know set of gadgets that are available and the reason you know one reason that's common is a lot of times people will write a method right to handle their deserialization and

they'll generalize that method to work for you know all the times they deserialize within their system and so for that method to work with everything it has to deserialize to an object type right otherwise I guess it could be passed as an argument but it is quite common for people to do this the other thing that would work is that you could use a permissive tag interface so for example anything which implements serializable or comparable and if you were to use an interface like that it's broad enough that there's gonna be a wide selection and gadgets that an attacker could then to serialize and then finally so Jackson's mitigation for these attacks is to try to apply a deny

list or blacklist and so if you you know if you have a recent version of Jackson and the particular gadget you're trying to serialize has been blacklisted that won't succeed but denied list or blacklist are really not particularly effective solution and we'll talk more about that okay so I have a demonstration and I have two versions of this I might just do one because it's just the same two ways but one uses a vulnerable version of Zeeland that's built into the JRE that exploit only works with Java 8 4 or 5 and earlier versions and the reason I saying that out loud is because when I do the demo I always forget to set the version so it

fails the first time and then you'll say you forgot to set that all right and I'll fix it and it also works with the current version of the Apaches Elan right which is a separate library that has to be installed but you know attacking gadgets that are part of the Jerry are great because they absolutely have to be there let me go ahead and show this and I called this Jackson cage because it was a brief Springsteen song that no one seems to remember anymore anybody remember dude Jackson nobody you do somebody one person Wow okay so let's see if I can demo this usually what I do is I I set up a bunch of breakpoints and

stuff at strategic places because old enough now that I can't what's that

that's the only way to do this might not be part of the recording yeah okay I'll try to be very descriptive so yeah so so here see what we're doing okay so down here you can see we're using JDK 1 804 T so that's a vulnerable version the JDK so we've got passed a step where I mess up already so that's good okay so here we're setting a property and this is just for whether or not I want to use the the version of Zeeland is built into dairy or use the library version and my interface he are so good that I can never remember what upstream means if it means library version I think upstream means a library version

so this will test the built in dairy version and so we're going to create this remote command execution payload so I'm going to step into that and our pail is gonna be calculator cuz that's mandatory I gave a talk in Boston a couple years ago and at the end of the talk the guy says well one of the people asked a question they said okay so you can execute a calculator but what's the risk to me and my systems and I'm like people can run arbitral coding your systems and like hmm so how's that a vulnerability and and at some point I just started stammering and I had to get like help from the audience to explain

to him why you don't want random people in the world running executables on your system but you know get that right that's not not good so we're gonna you know pop up the calculator and let me continue so we're gonna use this temples in plet let me step into this and you can see here that we're going to based on the property setting we might either use the Apache version or the built in version again I think what we're doing here is we're using the built in JRE verse of this let me step into this further so we're gonna create this temple in plaits so we're going to create basically these gadget objects so this is going to involve something known

as a translate which has this interesting property of basically it's an existing class that lets you compile Java into byte codes and install it as a property in that class and that property will get invoked during the Jackson T serialization property so let me continue oh so here we're just creating the JSON so one thing that makes JSON attacks a little bit harder than Java tax is that for Java D serialization vulnerabilities you can just serialize your object and then when you DC realize it it will it will execute the exploit but that doesn't work with Jackson because when you when you serialize the jackson object it actually runs the exploit so that's sort of the attacker sort of self owning

themselves right so what you have to do is you have to handcraft the strings you have to do the serialization process manually to avoid triggering the exploit during the serialization process so that's what we just did with those string routines oh and so here is the line see this make class initializer insert after you can see that we're we're giving it some source code some Java source code and the Java source code does the simplest thing imaginable it just invokes runtime get runtime exec to execute the contents of a string and so the string we're passing here is the the cow exe we passed as an argument you can of course pass a string with an

arbitrary number of arguments to it if you need a little bit more sophisticated you know exploit string and now next we're going to you we're going to convert that to bytecode and inject it into the object and then we do some reflective setting of these fields and we return this this object that we've created the serialized object was sort of this built-in surprise for when you deserialize it okay so here against the RCE payload we're going to do some more sort of configurations we're gonna write the string to this translate byte codes then we put it in output properties and output properties is the specific property that gets invoked when we deserialize this object and I just

pushed down on the the button and forwarded a bunch of things I think that's okay and so I'll make this one point maybe it'll come up again when i DC realize but the the the property were actually that's gonna get in run is in a is in a getter method and to me that was surprising in itself right because during the serialization process you're reading in the JSON object and the properties and you're taking the data from the property and you should be calling a setter right in order to put that information from the JSON property into the object field but it turns out that this process is on an you know unintuitive and so there are a bunch of

getters and things what are called also frequently just because Jackson's trying to figure out the structure of your object so a lot of objects have some references to other objects that need to instantiate it and so Jackson will call these getter methods and that's actually you know again here a surprise and and and we all know that you know security and surprises are problematic so here's you see if I can make sure we can see this okay so here's the the JSON string and it's kind of hard to look at because it's just encoded byte codes right so you've got a weird-looking a string here but you can see this output properties getter which is going to be invoked as

part of the deserialization process so here's the deserialization in the next step so let me try to step into this and see if we can get anything interesting out of that so we're gonna create a new object mapper that's the object that does all the serialization deserialization next we do the C and you see how slow that is this way you want to create one of these and then you can see this next step we do the very dangerous thing that enables polymorphic type handling and also allows for these exploits to succeed and now we're gonna call read value and then we on this revalued line we do the one the one final thing that's necessary for this

exploit to work which is that we deserialize to a very general class such as object which will allow us to deserialize that that day lawn gadget that we just created so that's all the all the problems that we need to make this exploit succeed let me step into this again maybe I'll just hit continue I think I've gotten some great points okay so we're about to call a getter method and again you probably wouldn't have thought that at the beginning of this talk that you would call a getter method during the serialization that came as a surprise to me as well let me see if I can step into that I've got a feeling this next step

is gonna trigger the yeah so so calling that getter method triggers the exploit we deserialize the calculator this works just fine and that's most of the demo you see if I can just wrap up here and get out these will I believe throw an exception which is unfortunate from the attacker perspective with the Javed deserialization you can you can deserialize the vulnerability without getting any sort of exception but there'll be some indication that this attack has occurred and yeah so you'll see an exception there so that's the end of that demo any questions on the demo before I put that away kind of a quiet bunch I mean people are paying attention they do see nods at the right time and

all that okay and I'm gonna skip the part where I show that with the external library version but again the current version of the Apache library is still vulnerable today as far as I know so all you need again is that thing to be sitting on your path you don't need to even use it right so that's just a good reason in general to clean up your your directories and make sure you don't have old files sitting around that you're not not using for any reason so again the primary mitigation for this is just never deserialize untrusted data I mean all and there's a lot of you know I'm talking about Jackson I've talked a

little bit about Java deserialization there's you know all sorts of deserialization libraries out there for c-sharp and other languages and they all pretty much have this problem you know and the basic problem here is that you're allowing an attacker to specify code that they that they want you know you to execute for them with data value supplied by the attacker so basically the the problem of DC realization is is the problem of executing attacker supply code in your system and that's probably the toughest problem is security to solve so deserialization is a very problematic class of vulnerabilities in general so Jasin has a black list of known gadget types that is not particularly effective have a good demo that a second

another mitigation strategies to eliminate polymorphic type handling using the names of the classes so you can actually use other things besides the names of the classes and if you don't use the names then that sort of breaks the generic mechanism that an attacker would use and then again you want to specify the specific type of the expected route object and not something very general like object class or permissive tag interface okay so here's the Jackson blacklist so there's a list of known gadgets right and and the first thing I can tell you about this list of gadgets is is I've seen bigger lists of gadgets right so to me that means that that list is not exhaustive right

there's other known gadgets that that haven't been included here the second problem with gadgets can sort of be shown on this chart great so I better stay here I'm going to lose the mic so at the bottom there the number five that's the original vulnerability that reported this and so the fix was to add this blacklist and so the the one number four second from the bottom basically says oh here's a gadget that you missed I'm putting on the blacklist so that was then add it and the number three says here's another gadget that you forgot to put a blacklist and number two says here's another gadget you forgot to put in a blacklist and number one does the

same thing right and that's the inherit problem with these black lists you know black lists can succeed when you have an innumerable set of things to defend against right and the problem here is that this there's no enumerable set of vulnerable gadgets there's basically an infinite number of them and you know they're only including the ones I know now on the other hand if you are the Jackson library person this is the best you can do right so so a better solution obvious to white list but as a library writer you don't know what sort of objects your users are going to deserialize so the best you can do as a library writers to create one of these

Nilus so type information can also be provided using jackson polymorphic type handling annotations so instead of just turning it on for everything which isn't going to enable this type of tax you just turn it on for the things that need it so JSON type info indicates details of what type of information is clued in serialization JSON subtypes indicate subtypes of annotated type and Jason type name to find a logical tightening and so the logical type name that you defined can be used instead of the class name and that's again a mechanism to prevent DC realization and so so there's you know there's sort of four prerequisites for DC relation attack to work right and so the mitigations and

i've gone through these already or to eliminate take those away right break those preconditions and theoretically if you eliminate any one of them it will prevent deserialization attacks but i'm a little more paranoid than that so so i'd recommend strongly you know apply all the mitigations because you never know down the road when someone might find a bypass for one of the mitigations you thought we're gonna prevent it so theoretically just having one should do but i recommend using them all and so again one of the mitigations is don't use the class name by default use JSON type name to indicate a specific logical name for that object that you know and the attacker doesn't know uh so I'm

gonna show another quick demo and this demo is is not next point this is just a kind of a demo of using polymorphic type annotations in order to secure your system

and Wow the resolution if this is so so bad so I'm gonna demonstrate this using Java leaven because I worked on this last night in my hotel room and got it working and I'm that stupid that I think something I just got working last night it's gonna work when I show it today okay so and this is not this is not exciting you know no calculators gonna pop up this is just trying to show you how to do this and as secure manner so we have we create a zoo object we create some animals to put in our zoo with create a list of the animals in the zoo and then we add each of these animals then we go ahead and

see realize that deserialize that and if i ran it it it should work but it's just gonna say hey we've serialize and deserialize let me skip the zoo and go right to the animal class so the animal class is where we add the typing information and again this whole polymorphic type thing is because without it the deserialization isn't gonna be a recognized subtypes it's just gonna have to stay and she ate a bunch of animals it's not gonna be of instantiate lions and there's just a pig's but you're gonna have pigs and zoos because you have and so here we have a json type info annotation one of the things we do is we say by default is gonna use the

class name we don't want to use the default we want to specify a name so we're gonna say we're gonna identify this object by name and so for the subtypes here and this is in the animal class we have to say that lion is going to be a subclass of animal and also elephant is gonna be a subclass of animal and we specified the names for each of those objects and then we go ahead and in the superclass the animal class we specify which of the fields in this class are going to be properties of the object so that's basically all you need to do I could pop up also one of these subclasses let's look at lion and lion I

don't believe has really much in the way of annotations okay so you'll see some annotations here but these annotations are just to identify additional fields in this subclass of properties of this object that are gonna be serialize and deserialize and things like JSON creator so one of the flaws with this anyone here see what the flaws with this because I assume you're mostly security people and not some how many people here developers okay so you guys should be a bespoke the flaw here okay so there's really this implementation violates basic object-oriented programming principles in that when you write a superclass the idea is that you don't know how that's going to use so users of

your superclass you're going to subclass that for different classes of animals you don't know a priori all the animals that your zoo is gonna have but to use this mechanism you actually have to put into the super type the names of all the subtypes that you're going to create so that sort of pre limits this as to how extensible it is so it means you can only sort of use this yourself you can't package this in a library and have someone else subclasses because they're not gonna have the source code to modify the the library code so it is it's not you know there's a violation of a basic principle here but you know you sort of

need to do something like this and want to make it secure so the author of the kids told me they also have a dynamic methods that you can use to supply the type information so instead of doing it using annotations you can do it by invoking methods at runtime and that ought to support you know the general inheritance if you need to do that but again it's all it's all a little bit half-ass it's not it's not you know really well architected the security solution here so I'm just about done I think I've got a summary slide and then we've got a few minutes left if there are any questions so so that the author

of the Jackson package I can't remember his name I think he's got some cow cow something in his his alias which is funny because I said in the news lately too with new mrs. cow you know he read the news so anyway he was a pretty nice guy and because he was a nice guy I used this line that says poorly written Java code that dis seer lies the JSON strung strings from untrusted sources can be vulnerable to a range of exploits so what I've done with that line is I blame the user of his packets instead of blaming him for writing a package which was easily misused to create vulnerabilities and this is this sort of

language is familiar to me from my years on the C Standards Committee where you know they never did anything wrong people just calling you know get us incorrectly it's basically their position so so again this can be used to do remote command execution which we demonstrated I've never seen a paper on using this for denial of service attack I haven't demonstrated it both the author of this package and myself think this is trivially done it just takes a little bit of work because you have to hand code the strings we can't just deserialize the attack and you know it's easier to try things out with Java deserialization next place and it is with these Jackson ones these take

a little bit more work so one day when I'm bored I guess I'll try to create a sample Pok for that and then you know very broadly the serialization vulnerabilities can really exploit any functionality in any of the classes that are deserializing so sometimes it's very trivial things sometimes you just have a you know a setter getter method which deletes a file right and so what the attacker would do we use that the series ation method to delete an arbitrary file on your filesystem right so so those basically and this is why you can't enumerate all the dangerous classes right any functionality that's executed as part of deserializing any class might be part of an exploit and so again these

attacks are possible when the Java class name is used and the resulting object is deserialized to a very general class such as object or serializable or something like this so that's all I have I could take questions this is me this how you get in touch with me I answer email 7:24 you can email me at 3:00 in the morning on a Tuesday night and I'll answer it within 5 minutes because I don't know why ok any questions

yeah I mean that old you know yeah pretty much work anywhere I mean the only part of that that's clutch platform-specific is the name of the command to execute right I mean we do

[Music]

[Applause]