Automatic Policy Synthesis and Enforcement for Protecting Untrusted Deserialization
Quan Zhang
Network and Distributed System Security (NDSS) Symposium 2024 · Day 1 · Android & IoT Security
Java deserialization vulnerabilities represent a persistent and critical security threat to modern applications. Attackers exploit these flaws by injecting meticulously crafted malicious objects, leveraging existing methods within an application's classpath to construct "gadget chains" that can lead to severe consequences, including **Remote Code Execution (RCE)**, **Denial of Service (DoS)**, and **Server-Side Request Forgery (SSRF)**. This is not a theoretical concern: over the past five years, approximately 800 vulnerabilities categorized under **CWE-502 (Deserialization of Untrusted Data)** have been reported in the Common Vulnerabilities and Exposures (CVE) database, underscoring the widespread impact and gravity of the problem. Existing mitigation strategies, such as blocklist or manually crafted allowlist policies, have proven insufficient due to their reactive nature, the continuous discovery of new bypasses, and the immense manual effort and expertise required to formulate them accurately.
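As an added illustration of the manually crafted allowlist policies the abstract refers to (example code written for this page, not from the paper or its authors), the snippet below enforces a hypothetical allowlist with the JDK's built-in `ObjectInputFilter`; the `com.example.dto` package and the set of allowed classes are assumptions standing in for an application's real policy.

```java
import java.io.*;
import java.util.*;

// Added example: a hand-written allowlist enforced with java.io.ObjectInputFilter
// (Java 9+). The pattern syntax is the JDK's own: patterns are tried in order,
// "!" rejects, and the trailing "!*" rejects every class not matched earlier.
public class AllowlistDeserialization {
    // Hypothetical policy: only this application's DTO package plus the few JDK
    // classes it needs may be deserialized; nesting is capped at depth 10.
    static final ObjectInputFilter POLICY = ObjectInputFilter.Config.createFilter(
            "com.example.dto.**;java.lang.String;java.util.ArrayList;maxdepth=10;!*");

    // The filter is consulted before each class in the stream is resolved, so a
    // class outside the policy is refused before its readObject logic can run.
    static Object readWithPolicy(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(POLICY);
            return in.readObject();
        }
    }

    // Helper to build sample streams; the inputs below are constructed, not real.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Allowed: an ArrayList of Strings matches the policy.
        System.out.println("accepted: " + readWithPolicy(serialize(new ArrayList<>(List.of("ok")))));
        // Rejected: java.util.HashMap is not listed, so the stream is refused
        // with an InvalidClassException carrying "filter status: REJECTED".
        try {
            readWithPolicy(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected by policy: " + e.getMessage());
        }
    }
}
```

The enforcement mechanism itself is cheap; the difficulty the abstract points to is deciding, for a real application, exactly which classes belong on that list.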