JDD: In-depth Mining of Java Deserialization Gadget Chains

Black Hat Asia 2025 · Day 1 · Briefings

Java deserialization vulnerabilities represent a critical and persistent threat within modern application security, often leading to severe consequences such as **Remote Code Execution (RCE)**. This talk introduces **JDD**, an innovative tool designed for the in-depth mining of Java deserialization gadget chains. Developed by researchers from Johns Hopkins University and Fudan University, JDD employs a novel fragment-based, bottom-up gadget search approach combined with data flow-aided payload construction to overcome the significant challenges faced by traditional detection and exploitation methods.

AI review

JDD presents a genuinely novel and highly effective methodology for discovering Java deserialization gadget chains, addressing the long-standing challenges of path explosion and complex payload generation. By employing a fragment-based, bottom-up search and data flow-aided directed fuzzing, the researchers have not only significantly outperformed existing state-of-the-art tools but also uncovered 127 zero-day vulnerabilities in widely used Java applications. This research offers critical insights into the evolving nature of deserialization threats and provides an open-source tool that shifts…
