QUACK: Hindering Deserialization Attacks via Static Duck Typing
Black Hat USA 2025 · Day 1 · Briefings
Researchers from Brown and Columbia universities present QUACK, a static program analysis tool that automatically infers which PHP classes a developer intended to allow through `unserialize()` calls — and then enforces that restriction using PHP's native `allowed_classes` parameter. Evaluated against 11 real applications with known CVEs, QUACK blocked 100% of auto-generated exploits and eliminated 97% of the methods available to an attacker's property-oriented programming (POP) chains, all without requiring any changes to application logic.
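As an added illustration (not QUACK's own code), this shows the restriction QUACK enforces: the same `unserialize()` call site with and without an `allowed_classes` allowlist. The classes `Cart` (the one the developer intends) and `AuditHook` (a constructed stand-in for any loadable class with a magic method) are assumptions for the example.

```php
<?php
declare(strict_types=1);

// Constructed: the only class this call site is meant to accept.
final class Cart
{
    public array $items = [];
}

// Constructed: an unrelated class whose magic method runs on deserialization.
// With an unrestricted unserialize(), any such class on the autoload path
// is a candidate link in a POP chain.
final class AuditHook
{
    public static int $fired = 0;
    public function __wakeup(): void { self::$fired++; }
}

// Untrusted input that names a class the developer never meant to accept.
$untrusted = serialize(new AuditHook());   // O:9:"AuditHook":0:{}

// Weak: every loadable class is instantiated and its __wakeup() executes.
$obj = unserialize($untrusted);
echo 'unrestricted: ', get_class($obj), ', hook fired ', AuditHook::$fired, " time(s)\n";

// Hardened: the per-call-site allowlist QUACK infers. Classes outside it are
// materialised as __PHP_Incomplete_Class, so no magic method of the real
// class is ever invoked, including for objects nested inside the payload.
function unserializeCart(string $data): ?Cart
{
    $obj = unserialize($data, [
        'allowed_classes' => [Cart::class],
        'max_depth'       => 8,   // PHP >= 7.4: also bound nesting depth
    ]);
    // Fail closed: invalid data (false) or an incomplete class is rejected.
    return $obj instanceof Cart ? $obj : null;
}

AuditHook::$fired = 0;
$rejected = unserializeCart($untrusted);
$accepted = unserializeCart(serialize(new Cart()));
echo 'restricted: rejected=', var_export($rejected === null, true),
     ', hook fired ', AuditHook::$fired, ' time(s)',
     ', genuine Cart accepted=', var_export($accepted instanceof Cart, true), "\n";
```

Writing `[Cart::class]` by hand is the step QUACK automates: it infers that list for each `unserialize()` call from how the result is used, so the restriction can be applied without touching the surrounding application logic.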
AI review
Solid academic work automating the boring part of PHP deserialization defense. The 97% method elimination and 100% exploit block numbers are credible, and the duck typing inference approach is genuinely clever. But this is a PHP deserialization paper — a decade-old vulnerability class — and it won't change the life of anyone who isn't maintaining a legacy PHP codebase.