Java Serialization Attacks

uh we're g to hand it over to Robert Secord uh who I don't even know what your position is principal security consult technor technical director uh at NTC group a lot technology technology yes SEC coding stuff used to be at the C and now he's at NCC and doing great things so uh so yeah I'm Technic director NCC gr I do some Consulting I do some uh research there's actually a paper on our website that goes along with this so if you want the 20 Page version this you can download it and uh absorb it like that I probably won't have enough time tonight to do as much details as in the actual uh paper um and prior to that I was we did

some work on secure coding standards with with Java uh so the material from this is sort of taken from the Oracle secure coding standard for Java uh I've been going through that trying to update that material it it actually sort of needs some it needs some TLC um so uh I've been going through with pearon and doing a a video series of java live lessons trying to update some of this material um I'm I'm I'm trying to stealthy thinking about writing a book on secure coding in Java that and so like this 20 page paper I put up on the site I might write a bunch of those and then if there's enough of them I going try to stitch them together

see if I can trick a publisher to turning that to a book um so Java calization was introduced in jpk 1.1 which means is more or less there from the beginning uh it supports transformation of the graph of java objects into stream of bites for storage Andor transmission um and these bites of course can be later uh the object can be later be recovered from the graph bites the uh CRS quum has to identify and verify the class corresponding to the saved object and then restore the Conant or the content into a new instance there's a tiny little picture of what that process looks like um so objects to be saved can either support the serializable or the

externalizable interface um I haven't delt into externalizable quite as much uh the sense I've got from the The Limited investigation I've done is that it's is just as bad uh but but most of the research doesn't really Del into externalizable is different in that uh you you determine the actual storage format so that's really the only difference um for SE lines of objects a stream has to include sufficient data to store a comptiable version of the class uh again for externalizable the class is only responsible for the external format of its contents the uh programmer has to do the rest so Cal classes uh can save restore the field of each class of an object and

they they're actually um you know so there's there's a misconception right so the misconception is um well we wrote this program and we use serialization to store some sort of database and uh now we need to add things or change things and we're stuck because we've saved it into this serialized form uh and uh that that's actually incorrect calization was designed to be evolvable uh so you know there are a bunch of Concepts built into it that let you uh sort of grow and evolve and that's that's of course one of the problems with vulnerabilities and deserialization is that uh it isn't it isn't extremely rigid because it was designed to be evolable uh so serializable class can

declare uh which of its fields are saved or restored and uh uh write and read optional values and objects so the serializable fields of class are defined to be non-transient uh and non-static so static Fields uh aren't uh serialized because there's no need to do that and if you mark them as a programmer you can Mark Fields transient to prevent uh them from being serialized and and you want to Mark Fields as transient if uh basically you know they'll have no meaning when you see realiz so if it's something uh you know what the current time is or you know something about the current system on which that object is being con you know reconstituted then it

makes no sense to store and transmit that you're just going to have to recalculate that when the object is deserialized okay so let's say we want to just take today's date and serialize it to a file okay so uh you can create a new file output stream and then uh wrap it into an object output stream uh so the uh the file output stream is needed to receive the bytes and then the object output stream uh is created to uh to write to the file output stream and the objects are actually written by the right object method and so here we're going to uh I've got a laser death right here so so we're going to we're going to

write uh uh the string today and then we're going to write the date uh and then we're going to flush out uh uh the stream to uh to the output uh so this is this is all it takes and and the interesting thing about um so this this was this was one of my discoveries going through the process of uh so so I this is actually part of a uh secure coding in Java course so I actually did a full day on this uh and now one of the things I'm thinking about is you know can I really sell this because it's only it's only of interest that people who are doing you know job of serialization so I

might have picked a little bit too niche of a top topic there um but okay but what I learned is uh a lot of people start you know looking through source code to look for read object calls and oh that's exploitable uh no this this is exploitable okay so uh the the big issue with jav and dualization is that you can do everything absolutely correctly which this is Absolut correct and this is totally exploitable by uh remote uh remote command execution Den op service uh the whole works okay so you can write it perfectly and it's still uh vulnerable so this is a big issue with serialization that sometimes uh you know not apparent people think you have to

make a read object call um so the right object method serializes the object and traverses its references to other objects uh in the graph uh to recursively create a complete serialized representation graph so you know if you have a an object a and it has a couple B's in it and the B's have C's in it you have to serialize all that data uh in order to be able to reconstitute the entire object uh when you deserialize uh primitive types are also serialized so you don't have to you know Mark those explicitly as serializable uh so when we go to deserialize we we basically just inverse the steps and you'll see that you know these things are uh you know just just

sort of reversed in process so we'll create an input stream and we'll W WP an object input stream around that and then we can go ahead and call a read object for the string and then read object for the date um so the input stream is needed is the source stream and the object input stream uh will read deserialize the data from the uh input stream okay so the read object method de serializes the next object in the Stream and traverses its references to other objects and then cursively um uh deserializes the complete graph of objects okay and again object imp can be extended to use custom information in the Stream about the classes uh or to

replace objects that have been deserialized so you actually don't have to keep the same object there's an ability to sort of replace it with a different object and that lets you do things like use proxy to represent objects uh so the object output stream implements object seriz it maintains a state of the stream including the uh set of objects already serialized uh so the methods Traverse objects we serialize to save the specified objects and objects to which they refer and the right object method is used to serialize an object to the screen okay so only the data is serialized the code is not serialized so so the code has to be present on the platform which is doing the

distalization and that's part of the requirement right so uh so what you typically hear is that the you know the class has to be on the class path uh it's actually a little bit more complex it's basically um you know it's going to follow the the the mechanism for loading classes uh that the JDM follows which you know involves uh which class loaders were involved and uh a more you know complex uh topic but you it's probably and no one talks about this at all but it um you know I would think if I were deploying a Joba application and I was concerned about security probably the first question I would ask myself is where are these classes coming from you

know I mean and and making sure that those things are all locked down because probably most people don't really know those set of director which classes will be discovered and and in what order because they're all good sort of targets for you know planting Trojans I suppose um okay so the the single argument object output stre Constructor creates uh an object stream that serializes uh objects uh and the uh the Constructor first called right stream hter and it prints out some some magic information so you get um you get a a magic uh uh a magic value aset uh and you get the stream version and so I think the current version is five so

these could be one through five um so that's going to be read and verified by the carpine called to read stream uh header in the single argument object input stream Constructor when we go to deserialize this uh so if the security manager installed the Constructor will uh for the enabled subclass implementation um when invoked directly or indirectly by uh the structure of a subass which overrides put fields or uh rate uh unshared methods and this this idea of um running a security manager which with decentralization is a good um it's a good um mitigation um whether or not it's it's 100% uh effective at preventing vulnerabilities is unclear but it it does it does mitigate for certain right

I mean so if you have uh um you know if the code if the remote command execution that's attacking you is trying to load a file uh and you're running in a uh with a security manager that prevents loading of files then that class of attachs would then be uh ineffective uh you know whether or not you can uh disable the security manager for dis serialization T I have to investigate more I knowa talks about that on a slide and I was actually a Java one a few years ago and we presented that I think that exploit requires multiple vulner not just a single serialization uh so so developers can Implement methods to customize how

objects are serialized and serialized and this uh comes in handy when um trying to um you know trying to be able to evolve some of these classes so right replace provides replacement object to serialize so that that allows for the use of proxies uh right object gets full control over writing the stream and for de serialization a read object get full control over reading the stream and read resolve will replace a deserialized object with another one so you can uh you can override both of these methods and uh change how you read an object and then you know replace it with a different one and that's the sort of how the proxy pattern Works um there's also validate object uh

that gets called once optionally at the end of the process that's uh another potential area for uh overwriting and the final area is not even on this slide is uh the finalize method which is actually particularly Troublesome because um it's called by the garbage collector thread which runs in a separate security context um and and so that could actually be quite problematic um so the right replace method is executed first if present the right object method will operate on the replaced object uh which only makes sense right you don't want to uh start working on an object and then not use it replace it with a different object uh when you deserialize you read the object

first and then you potentially replace it with a different object object and then finally there's a there's a one time validation Step at the end um so the validation method is executed only on the replacement object and not on the uh originally deserialized object which is silently discarded you guys don't ask lot of questions this one nods a bit I feel good about him nodding because maybe he's just nodding off but at least it seems like he's following um so this is a helpful uh slide it's always nice to have a graphic so the application um here uh you know initially gets the bites from a file from scen what have you initializes or constructs an object input scen that

that calls read object that transfers control to the object input stream which will uh resolve the stream classes using resolve class and then deserialize the uh the graph of objects uh so this then control thing goes back to the serializable class which which restores the object member Fields uh by calling read object or read object no data read object no data is another one that I'm I'm trying to get more of a handle on that's that's something that was added in um like Java 1.4 to address an early vulnerability uh I think it has something to do with when the class is when the class can't be found uh when you tried to serialize and that was used

in exploits uh so uh sorry I'm a little weak on that but this is you know a this is a cut down from a full day tutorial and that full day tutorial is currently still insufficient to do this stuff securely I don't I'm not quite sure what the end of this is I I I mean but um you know we'll we'll kind of show you um or we'll get to talking about how you can do this a little bit more secure but you know the um the advice and may you can see this coming already is um generally speaking you seriously want to avoid um the serializing data from untrusted sources and I put that in the paper and

I got a lot of uh internal grief from people in secret who said uh you know well that seems to imply that you can uh deserialize data from uh from um trusted sources and I said good well yeah I mean if you're writing both sides of this it's okay to serialized right but then this guy went further I think into sort of kind of crazy land where um we're getting this on tape right I want my co-workers to hear this um where you know his concern was well people might think um you know they've got a trusted connection when they don't uh but to me that that's a whole different topic because that all domain

specific um oh okay so uh so at the end we cast the deserialized object to the expected type and then use the deserialized object and then eventually and the finalized method is called uh from the garbage collector um and this can be dangerous the the cast here uh is relevant in that um okay um I might be getting ah H myself but I guess I'm about to say this the um so so when you deeral when you cast to a given object that might be the first time you realiz what type of object you're dealing with right so that cast might fail because it might not be the object expected it might be basically an exploit object right and

and and and so you'll get a cast exception there but the whole point of this is it's too damn late right because what's happened uh you know this method's run this method's run this method's run this method's run right bunch of shit's run and and so before this code ever returns to you from this call to read object uh the exploit is finished okay the attacker gone off we basically um executed a collection of gadgets right and so the concept of gadgets is that it's code uh that exist in the the target uh on the target platform right so return oriented programming that's a series of little uh Snippets of assembly but here it's basically code somewhere

in a read object method or read resolve method or valid object method it does something interesting uh in situations where the attacker supplies the data right and the you know there's there's some number of identified gadgets but the real number is basically um I'm just going to say unlimited you know there's an unlimited supply of gadgets um I'm just going to do a time check because I've got this sense I'm doing Harmony 7:25 so uh naive use of object serialization uh which might mean um any use of object cation may allow uh malicious party with access to calization bite stream to read private data right so so there's no absolutely zero attempt to make this

information private right so if you serialize someone's credit card information you put on a dis uh on a file and someone sees that file they have that person's information no attempted privacy with serialization um create objects with illegal danger state so you get a hold of the serialized data right there's a specification you know exactly what each bit is and what it does you know so you can alter those bits and create whatever type of object you want even if that sort of object uh breaks in variance and is infeasible that that object ever exist in in a real application but you can create it in the serialized data and then deserialize that impossible object

into memory now is that something that the security manager would normally catch or no no not at all not at all yeah um so you know I didn't say this at the beginning of this but you know serialization is just an inherently insecure technique right because at its core it's basically let me take code from somewhere and run it right that's what we doing right and so knocking this stuff down is really difficult you know so uh so so there might be you know somewhere that might be a subset of this that's secure where you can sort of do kind of plain data but it it's you know and I'll talk about mitigations and the

M the best mitigations I'm aware of uh are inadequate I mean so uh I can I can maybe argue that I can prevent against uh remote command execution limited cases uh but there are denial service attacks to which I am not aware of any known defense um and people a lot of people tell me that so what you know it's an unsolvable problem in general but I'm I'm not smart enough to make that assertion um so uh so you can obviously obtain references to private fields of distalized objects and and and this is a good graph this is um you know if you want one graph to sort of summarize this topic uh this is how smart you need to

be to uh to write serialization code uh this is Mark Sherman smart hi Mark and this is how smart you need to be to get it right okay and and and and the Gap from here to here is tremendous um least I didn't say Garen crossmar cuz he's got a lot of money now he could probably come after hi Gary um so the F calization of an object rights to Val of all object fields to the calization stream that includes private package private protected public uh and you know once you serialize that that information is available for everyone to see so so frequently you know you want to give a lot of thought to private Fields right so need to be

transient in terms of not writing that information out but of course that means that you need to rec constituted right so if you have someone's credit card information how do you transmit it that's a tough problem right because if you don't transmit they don't know it they can't reconstitute it so it does really have to be transmitted in some form um so obviously malicious code can easily uh read the results and then you don't need codes you can just do it with the editor um so we a iety of security risks with uh D serialization um so the consequences of so there's this one C that sort of covers the range the consequences vary widely depending on which objects are de

serialized and how they're used uh but basically um you know all all three aspects of CIA are can be compromised with the serialization attas so again during distalization objects are created initialized using data from incoming stream uh these can easily be corrupted or tampered with prior to deserialization particularly if these are used to say as cookies and sitting on a file system where someone can just edit them um so during the serialization attackers can also for various references to objects in screen by uh inserting extra handle references into serialization B screen that's a whole class of attacks and I'm not going to talk about too much uh in this one hour um and so it's unsafe for developers to

assume that references uh to private objects uh are unique so distalizing untrust data can cause a job to create objects of arbitrary attackers Supply classes uh so so here's a loading process so jbm walks a stack uses the first non boot class loer it finds to identify the classes uh RMI which I don't talk about RMI uses serialization underneath of it uh I RMI can also use a remote codebase um RMI I I need to put together half day lecture on because it's really problematic from a security perspective even more problematic maybe than the serialization um so again some classes have triggers that will execute additional code um so if these classes are poorly designed they could uh invoke

arbitrary methods with ATT attacker Supply arguments uh so again just going back to the same chart uh each of these calls here uh is an opportunity uh sorry these calls here is an opportunity uh for um for malevolent action and and again the attacker does not supply the code okay these are going to be gadgets these are going to be code that exist in the space but a lot of times this code is kind of poorly designed and what the attacker does control here is all the data okay that the all the fields all the data that's used to load up the class so um so you know if you have an action that used to

be safe because you had an invariance which controlled what sort of data was operated on the attacker can violate those invariants and trick your code into operating on data that was not expected um so here's a simple unrealistic example but it's a really good place to start because it sort of lets you understand how this stuff works uh so here we've got a private field called plan right so so you as a programmer might think um well there is no way uh someone can modify the contents of this because it's a private field okay so we're going to do a read object uh and then uh in our override the read object we're going to call exact go of

command okay so this is a non-realistic example hopefully you don't have this in your systems hopefully no one's written this uh but you can see very easily now right when when someone de serializes this if they get a hold of this object they can insert any command they want uh into the uh serialized form of the object and and when you call read object to read it even before you know what object it is right it can um you know it will load this and they call read object okay so again to be clear about that let's say you have a bicycle object right and you serialize that and then you read the bicycle object back okay

what happens is you're not reading a Serial a bicycle object back you're reading whatever object back any object in your entire you know any anything in your entire class search path right any class that the loader can find it can be loading that object right and and so what the attacker is going to do is in all that code they're going to find something like this for you to load right and Supply the DAT that's going to cause the attack so the the class that runs the code that runs has nothing to do with the object that you think you're deeral so you don't have to screw up writing your serialization your serialization things to be vulnerable to

these attacks you just have to materialize something uh so these are you know my sense of this is is much worse than people think I mean this is just I mean some people understand how bad this is but this is very bad I sound like Trump there feel sad um okay so um okay I think I've killed that uh so again developers put too much trust in Java object cation even the serialized objects pre-authentication um the serialized objects again typically cast to expected type so the jav's type system will ensure valid object treeses but again before you get there all this bad code is R um okay and part of what the um just like sort of Rob attacks an attacker

will actually create chains of pagents so they'll find a bunch of objects Each of which perform some of the functionality they want and they'll chain these things together in order to create the desired effect so uh so one of the things that's most famous is the Apache Comm collection V Transformer class uh because it lets you do some really cool things like you know uh execute methods right um and so this is again used in a lot of places um I now have it uh actually on might BM because I teach about this sometimes I wonder about that like all the crap I put on my computer so I can demonstrate pability um okay and if you go to the pachy

common site I me this is what they tell you they say this is not our fault right because they have a tool uh but you know what's happening is that people are misusing the tool um but so and they're they're they're mostly right okay I mean they I'll show you this later but they fix uh they fix this problem at least the existing exploit no longer works um but it doesn't matter you know there's an unlimited supply of these gadgets elsewhere right so so the these guys took a lot of a lot of heat for something which wasn't entirely their fault I mean they could have done better now they have but um so work

transform transforms objects in collection by invoking a method using reflection uh attackers could use that functionality to invoke any method um including you know run called run time exac uh and they do that by creating uh a method sequence uh which is typically referred to as a gadget chain and each each you know object in that is a gadget um and so the the in Transformers is usually the final U Gadget in that chain uh there's also concept of golden chains uh which is you know mostly kind of wrap stuff but um the um so these are basically chains that uh only use gadgets from the JRE right so you can always uh attack the

system you're attacking you don't have to depend on them having used third party libraries and there are there are uh there are these golden chains that are available um you know the problem with security I mean I I'll give you this demo um um is that um you know as soon as these things are reported they get fixed so uh so I can I can do a demo on an old version to the JPM which is so disingenuous because you know I have to go back to an old version to demonstrate the problem um or I can go go find a new one but if I find a new one I'm going to feel obligate to report it and I'm going

to consequently invalidate my slides so uh when I demo this it's actually a a kind of a failed attack because this problem uh had been fixed within both Transformer uh but it will show some successful attacks um so again as I pointed out this particular problem been fixed so how do you decide what G gadg as an attacker uh what CH what the CH together yeah so here's the easy way okay um I had that first slide with the joker and it said why so serial um there's a tool called why so serial and you download that tool and you tell it what your payload is what command you want to run uh and you

press the button and it generates a Gad VI so uh so you can just use that the other thing you can do if you're a researcher right is you can you can start with that and look at their their chains and then you can think oh this is in what other chains can I put together to provide perform other fun things right so you know go get the open source jdk code look for you know interesting stuff in these methods I guess you just start looking for these read object these overridable methods and look for interesting things that are being done um yeah yeah so I get that if you have an object that has like execute

this code or this command override that command and then run thatal but can you go into a little bit more detail about the gadgets themselves like why you need what do they do like I understand Rock gadgets like an x86 well get the gadgets do whatever you know they do whatever they do right so so it's just code that runs uh with with data supplied by the attacker right so let's say let's say the let's say the code opens a file okay um you know so now what can happen is you supply as an attacker the file you want to be open and when that code wrotes it's just going to open that file right so you get whatever sort of

functionality you want but the surprising way to the object was so if that was a private field and they constrain very carefully what values could be in that file that you're about to open right so that's it can do whatever it's just it's sort of like insecure bi operations right if you let that run with elevated Privileges and this is again why it is a it is a valid defense to run this with the security me right because uh you know at least you want to um you want it you want the um security policy during der serialization to be the same as during serialization right you don't want to U well you know you know the best way to start with

dualization the same way you all secur polies right you turn off everything and then you enable what you need and then you look at what you're enabling and you decide uh can I live with this enabled how much risk is that exposing and the answer is probably too much you know if you need to enable any any at all okay you okay um so uh so there's been a variety of denial service attacks uh there's one by this guy and these guys are all so clever um you know um so he has a half set with Cycles where the deserializing will recurse indefinitely consuming CPU I have a demo of that but I'm not going

to do it because I I I didn't realize i' left that little demo diagram in there to just now um but I only left time I could do it but I only left time for one um so this is an example of uh sort of vulnerable systems and vulnerable exploits right so so basically the story here is that there are a lot of vulnerable things uh so so um Java calization um underlies all these Technologies right so if you're using any of these Technologies um you could be susceptible to these um distalization attacks you know and and uh the way people fix these is uh almost entirely inadequate right so so all these things are always solved by

basically black listing the particular object that is using the attack you know usually the uh the Transformer right so uh it's only protected against that not against the U the undiscover under reported problem yeah so you're mentioning different protocols and products that have issues because of this but um I guess my question is where are some of the most common injection points or control points that people find in these products are they a specific kind of interaction with say like if it's a a Java spring application where is there certain usage of it that tends to be able to be controllable by an attacker yeah so I'm not you know I'm not expert in all these technology snacks uh but

I'll just throw out like a simple example right but people will create serialized cookies right and so it's very easy for you know one of your users you know say I'm a you know PNC Bank customer right they say my account information on a cookie uh you know so I'll edit that cookie and I'll you know replace that account information someone account information does much better than I do right and then I'll make some withdrawals I something like that I mean that's just I I would guess that would be common because it's just so damn easy right so that's really kind of the being the low hanging fruit of exploits um you don't really have to

write a tood to do that um that was a great answer but probably best I can do um okay so so to prevent these attacks you really have to not deserialize obious in arbitrate classes and based on what I've told you so far that's impossible right because you you de serialize them before you know toer um there's always going to be vulnerable classes uh that can be leveraged for the attack uh and those can be used for Deni service remote code execution everything in between so uh an attacker could serialize an instance an unexpected class send it to a service it deize delicious object probably cast it to the class it's expecting cause an exception to be thrown but that again is

too late to prevent the back um so the G jbf serializes uh dualization inv BS uh the following methods of implemented the read object uh it's used by developers and standard serialization cannot be used and you know elsewhere right when you're trying to explain to someone how to write good to serialization code you will tell them to write a customiz method in order to write good code uh so again this is not uncommon this is actually best practice and that's sort of surprising to people as well when you're writing uh deserialization code uh read resolve again typically use the deserialize single objects using a proxy um read external for externalizable objects we didn't talk a lot about externalizable

but again those are equally vulnerable uh and finalize is kind of the Forgotten thing which might again be the most dangerous um I want to skip this one maybe I'll show it I mean so here's here's uh file upload and this is a good example where uh it it's just going to take a file that's data right so this data can be supplied by the attacker and that's going to delete it right and so uh so you can use this as a gadget just start believing files on the system you're attacking I mean so so again the code does whatever the code does but it it does it uh By Request of the attacker using attacker Supply data which is you

know just infinite amount of fun uh right there you know you know keep yourself entertain gr for months do that stuff um okay so here's a bicycle class uh written by um uh Pierre Ernst at IBM uh and um you know it's it's just a reasonable implementation of a serializable class that that implements a bicycle object uh this is what it looks like if you look at the ASI and you know you can look over here and you can see stuff so you know what classes here and you've got information about the object uh so so there has to be adequate data here basically to tell the dis serialization function what type of object is it that you're reconstituting

and what is all the data that's going to be in that constituted object so when you look at this uh You' got the you know the magic numbers here in front the reason I keep putting up these magic numbers I forgot earlier I would have said then right this is for people who do firewalls and stuff like that they want to keep keep an eye out for de serialization traffic um so but my key Point here is that um you can tell what sort of objects you're going to De serialize because that data is here right but no one's been using this information uh until recently okay so this is transitioning into some of the defenses

against this um so uh the two common approach are uh whitelisting trusted classes and I I think this is a a valid solution right now when I talk to Oracle people they'll say uh no this is because it it prevents the capabilities of the serialization right and and the response is you know your capabilities are killing us so uh so I I think it's a valid solution but basically what what what this means is uh just basically say uh I've got three or four different objects that I potentially are deiz and that's all I want to serialize and if the class evolves something changes tough your code is broken you're have to rewrite the code and you know do

something to modifying existing uh serialization files um you know I think the Alterna just don't use it right um so again you specify these in the white list uh this is accomplished by overwriting the resolve class of the Java object input stream method so that's done to something called a look ahead uh object input stream or L um I kind of figure some way to get my boss s me the L to work on this too bad I'm not working with Mark anym I'm to convince him those two things were related somehow um so um so there are variety of off shelf Solutions um so so this uh this o the irony is because a pachy Commons has a

solution so you know basically you you install a Pache common so you have a solution to the problem created by installing Pache Commons that's kind of ironic right um um so so my favorite is Jeep's 290 uh so this is basically uh Jeff's job enhancement process so this is a feature added by Oracle uh it's it's most it's fully implemented in Java 9 uh and they took some of the the Quick Fix portions of it and backported it to 67 and 8 so you can use this in new new releases of 67 and 8 as well as nine um portions of it um I feel like I should have had the demo by now but I guess I'm going to

have the demo at the end uh how much time what time is it 10 10 two 10 two that sucks uh some time after okay let me what's that get some time after the hour and leaving probably probably shouldn't have told me that but okay let me let me let me jam through this um so so job anding again adds some serialization filter this white listing and black listing uh so this allows you to narrow the set of the seral serial the serializable classes to appropriate set of classes like just the bicycle um you can also filter for graph size and complexity in order to limit sort of these unbounded graph sizes or just amount of data that an attacker might

launch you to try to prevent Doss attacks and not all the solutions I listed work for Doss attacks they all address at least RC um it also defines a global configurable solution and uh filter sorry filter and that's a part that's back corded to 67 and 8 right so so if you want a quick fix you can set a systemwide filter say I don't want any of these classes or I only want to allow these classes and that will you know that will make you feel better especially the black listic stuff yeah so for the second bullet the filtering the graph size um is there an easy method for determining what graph size and complexity is normal with an application

and set that as your Baseline well yeah so here's here's what I would do well yeah I mean so here what I would do right so um there are some of these tools which have uh collect metrics okay or you you can just put a print statement into your D serialization code uh right and so what I would do right is basically instrument your deserialization code right run it on your data sets right and then find the Maxes and then plug in all the max values and that will work until things go up so you could make make it also you can make it user configurable so you can put those Maxes in a secure

configuration po which are red so they go up your customer can adjust them at uh you know after deployment so I I think that's the best solution and and the question always is you know how big can you make those numbers before you're in trouble you know um and you know and unfortunately um there are uh deserialization attacks uh which um for which JP 29 is ineffective right and I I asked the author of JP 290 you know they could defend against this and he said uh we can't reply to that which is Oracle speak for no right I guess so yeah so this might go along with with whitelisting if you can control it at

this level but is there any thought I can be completely without the reservation here but is there any thought to possibly um like signatures or Integrity checks if you have first party systems that that you control those sides of the serialization you can confirm that it's the same coming from A to B is it yeah well you know so I'll I'll say something and I'll get your reaction so this could be a learning experience for me too right um You can sign and seal objects right and so one solution here is you take your object graph uh and you put it in an object and you sign and seal that object and you you transmit

that right and I I sort of think okay that solves the problem um you know and and what I'm wondering is why am I wrong is that is that too expensive why aren't people using that as a solution right the the other the other solution is that that you you have a secure authenticated interface with a trusted you know user but that gets into the thing my my my uh associate is concerned about that people misplace trust in those situations uh yeah in that scenario do you run into problems say if you have uh like a larger end tier environment where you're communicating between a cluster of things do you have to sort of like

when you're using Max and and other uh encryption for for view State objects and that sort of thing where if serial uh data is generated in one part of an application but read in another part or in another system together I say I would saying no I mean he's he's saying yes but I I mean so so first of all it's Java right so it's right once Run Anywhere mostly I I mean so so you're transmitting data it's a well-defined standard format part of the problem right so that part's not an issue and and the part about you know digital signatures and all that code signing I mean that's also standardized so I think every system would be able to to do that

I don't think you know there's a system that's going to have little Indian of big Indian or something like that okay any other questions um you sense that I wasn't going to finish on time said let's let's totally stop it get last slide um so um I didn't mean that I like the questions I I feel like I was was being I ask questions um okay the core um the core mechanism is a filter interface implemented by serialization clients and set on the object input screen so the interface is called during the serialization to validate the class of being de serialized so basically they look ahead right as the name suggests into that uh stream of data and it sees

what are all the classes that we're de serializing are any of these on The Black List or are some of these not on the white list um and again you can also uh set the size of arrays being created because a very easy um you know Doss attack is uh oh they're creating an array some size where the size is specified in class right so let me put H Max boom dos attack you know how easy is that um so the filter will either accept reject or leave the status undecided uh meaning it you know it's waiting for another filter to make the decision so Java 9 has all the filters it has the process wide filters it has

custom filters that you can write and built-in filters uh 67 and 8 only have the process wide filters um so a process wi filters configur configured via system property or configuration file uh so that will uh be in one of these locations and you can uh include white list black list but also limit pattern so you can set a max depth a max number of internal references uh a maximum number of bites in the input streen uh and maximum array sizes uh so this is used to combat dos attacks but it's not 100% successful there are taxs which uh can succeed inist for the filters here's an example setting a property um a process wide

filter uh so here um you know um I I say hey I want you serialize a bicycle I'm only to have one object I only have one reference uh it's 78 byes long and it's going to have an array with 10 elements okay and the way I got this was you know I wrote the code I the serialized I printed out all the data and I said this is my object now um you know if someone create an object where the name of the bicycle was a little bit longer right then this would block it right so uh you have to kind of figure out what is the largest object you're going to have reasonably uh support

here um so custom filters can be written by implementing the object uh object input filter interface this is only available in Java 9 and overwriting the check input method um it has uh additional methods is set and get the current filter uh and if there's no filter set then it uses the global filter that you set in the configuration file um I'm going to skip serial killar skip this this is the one from uh um Apache Commons you know which is okay so here's the demo

okay so we see code um this is actually the right code which was lucky uh make this bigger everyone back can read the code yeah good um okay so I'm going to just start debugging this and typically um I've left a break point in a good location um this is what happens when you're old guy you know I have a note on my front door that says go back put on pants you know before I walk out of the front door that's uh saves a lot of money in lawsuits really um so here we're going to serialize a bicycle object and then uh well I guess that's what we're going to do so we serialize a

bicycle object and uh you guys have seen the bicycle object already I going to show it to you again um and then we're going to serialize a file of objects okay and the point of the file object is it's not a bicycle not a bicycle object and here we're going to deserialize the bicycle object and print it out that succeeds okay that's the valid use case we want to serialize and deserialize uh a bicycle but now we're going to deserialize the serialize file and uh that's going to work as well okay so I I did something here um maybe some of you notice the difference uh so here I cast I I I put the object I cast it to

Bicycle right um and here I cast it to object okay so the fact that I cast it to object allows this code to fail without giving a you know cast exception right because uh this object is a file and not a bicycle so code that looks like this is especially bad but even if I had put bicycle here again it doesn't matter all the exploit stuff is already run uh it's just eventually your code will crash as opposed to this example where it will continue to run okay so now I'm going to deserialize the rce payload let me show you the RCU payload okay so this is something I I took off of you know why so serial we

create a uh constant uh uh Transformer class uh create a new object F uh get some arguments call a chain Transformer uh create a priority CU put the transformer into the priority CU we set some Fields uh and then we serialize it so we're we're kind of chaining together this series of objects so normally uh this would deliver a payload um here the payload is is going to run the Cal EFC program you put your payload there whatever it is so when I when I execute this um I get a I get a an exception okay so the problem is if you go to the Apache page they'll tell you that they they modify their class uh to um to make

it not serializable okay so uh so this attack fails uh on recent versions of Apache comms right it will still succeed for older versions of it now again um I didn't want to fake anything here I didn't want to put an old version of this to get the demo to work okay the fact that this fied failed okay doesn't matter in the least okay there are a gazillion other gadgets out there uh all of which will succeed the problem is is if I find one I have to record it and then it will fail again so it's sort of a pointless cycle for me to find them uh but again don't worry about it if you if

you do this You're vulnerable and now I'm going to do this uh this dos payload if I go up here and show you the Dos payload uh the Dos payload is the one from uh that guy I mentioned ear ear I think he from Denmark or some place where their names are hard to pronounce uh and uh he's just got this hash set which uh sort of creates references to other hash sets within it uh and and this was uh this was crafted basically to not fail okay that was the key to this right it's easy to make this blow up what this guy managed to do was he managed come up with an object which

will run forever without family um so if we if we go ahead and single step here uh you'll see that um we're processing right we're I can't single step again I'm waiting for it to come back um okay this is a long wait for training come this is gone um so so that particular exploit can be blocked that the attack can be blocked by Jeet 290 uh that I showing you but there are other the serialization TS which cannot be block by it so uh so basically not it's not 100% effective um I think I have a couple other slides three four slides and then I'll let you go so or go get meters so uh I said that a

lot you know Jeff 290 does address both RC and Doss you know maybe I'm selling it too much because it doesn't work against old dosses so you know if you if you use it you're still vulnerable to that style of attack so you acknowledging that risk that your system can be uh subject to Dos attack uh there are a bunch of Alternatives okay um so here's a scoop on alternative to the degree that people have investigated these Alternatives they are less secure than job serialization right to the degree they haven't uh examined them they look great okay it's only because people haven't worked yet okay chances are really good but all these things are much worse because Java's

been around since one serialization been around since Java 11 so it's been become more secure over 30 years or whatever it's been so um for those of you go to black hat um there's supposed to be a talk on uh rce for Jackson and Json so you thought Json Made You Secure go sit in that talk and tell me what you find out um okay so again the scary thing here is you can do everything right and you've got a vulnerability the primary mitigation is just don't deserialize un trusted data uh the c or coding standard has a rule like that and all those other solutions for doing this kind of thing might turn out to be

actually worse um and that's all I have anyone have any anyone have any more questions were there wild exploits for I yeah I think so um I mean it's in all sorts of web Frameworks and web sphere you guys would know that more than I would yeah probably do yeah I I'm pretty sure this was ACC being attached because it's honestly it's just super easy you know I mean there's a tool I guess that's like a kitty kitty script kind of tool right just so here's a pable that I want a it at your target IP address yeah if you cre your application seriz yeah something like thata typ yeah well you know yeah it's vulnerable

for probably every reason right so the first vulnerable is the one I talk about which is uh playing with the fields modifying them in order to you know get into someone else's account and stuff like that um you know absent other controls but also probably uh you know I could write some code which will generate that um rce attack right I can store that in serialization file correspond to the cookie and then when you contact the server it will send that file over and that will launch the RC our service or whatever it is uh so I I I think that's just a very simple case where the whole range of exploits are on the

table yeah it's not hard thank other questions yeah so um yep thanks for your time I have a whole day on this if you want to you know if you have to do this um you probably want to spend a whole day with me and then maybe some more time um but uh I also do like a 5 day secure coding in Java where we do uh numerics and I have a whole day on exception handling that I sent to some people to AR review and said oh thanks for sending this we learned a lot which is a little bit frighten but uh it's pretty good everyone like I do um when I'm not doing

training or not writing papers I I do um you know code analysis for customers and the reason I did a day on exception handling is every system I've ever looked at does it completely wrong okay so sometimes there are one or two guys at a company who know how to do exception handling so you you will find examples in the code of it done correctly but the other you know 100 people at the company don't know how to do it and so every system I've ever seen has it completely wrong uh so that's an area where we need to improve everyone does string handling Java wrong too by the way everyone thinks a Char represents a

character in Java and it does not yeah no no any other questions okay thank you watch [Applause]