It is well known that deserialization in Java is highly insecure and can easily be abused, resulting in RCE and DoS attacks. The publication of these attacks exposed critical vulnerabilities in numerous Java applications and products, at every layer of the Java software stack. Because deserialization exploits are complex in nature, developers and code reviewers often fail to detect deserialization abuse cases. In this talk we will discuss the problem of Java deserialization. Developers and security code reviewers will learn how to identify dangerous code that can lead to new gadgets and how to avoid it. We will also discuss how the new Java Serialization Filtering (JEP 290) can help developers and security teams mitigate such attacks. A live demo will also show how to bypass an existing popular solution. Finally, we will present the root cause of these attacks from a different point of view and propose a new approach for protecting the JVM.
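As an added illustration of the JEP 290 mitigation the abstract mentions (example code written for this page, not material from the talk), the snippet below installs an allowlist `ObjectInputFilter` with graph-size limits on an `ObjectInputStream` and shows that a class outside the allowlist is rejected before it is instantiated. The class and method names are assumptions; the sample objects are constructed for the demo.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

public class SerialFilterDemo {
    // JEP 290 pattern filter: allow only the types this endpoint expects, reject
    // everything else ("!*"), and cap depth/array/reference counts to blunt DoS graphs.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "java.util.ArrayList;java.lang.Integer;java.lang.Number;"
          + "!*;maxdepth=5;maxarray=1000;maxrefs=1000");

    // Deserialize with the filter attached; rejected classes throw InvalidClassException.
    static Object readWithFilter(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    // Helper to produce a serialized byte stream for the demo (constructed input).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Expected type: passes the allowlist.
        ArrayList<Integer> list = new ArrayList<>(List.of(1, 2, 3));
        System.out.println("allowed: " + readWithFilter(serialize(list)));

        // Unexpected (harmless) type: the filter rejects it on the class descriptor,
        // before any readObject/readResolve code of that class can run.
        try {
            readWithFilter(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide via the `jdk.serialFilter` system property, which is useful when the application cannot be changed to call `setObjectInputFilter` itself.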