Automated Discovery of Deserialization Gadget Chains

Explore automated discovery techniques for deserialization gadget chains in this Black Hat conference talk. Delve into the persistent threat of unsafe deserialization vulnerabilities and their impact on Java applications. Learn about magic methods, payload examples, and vulnerable libraries. Examine existing tools and discover a new approach for finding gadget chains through class/method hierarchy enumeration, passthrough dataflow discovery, and callgraph analysis. Investigate the results of open-source library scans, including newly discovered gadget chains in Clojure and Scala. Gain insights into potential improvements and future directions for automated discovery in this emerging field of cybersecurity research.

Syllabus

Intro
Deserialization? That's so 2016...
Why are Deserialization Vulnerabilities so Bad? Magic methods get executed automatically by the deserializer, even before deserialization finishes!
Magic methods? • readObject() and readResolve() are the main ones...
Magic Methods to Gadget Chains
Example Payload
What (Java) Libraries are Vulnerable?
Finding Vulnerabilities
Remediation Options
Finding Exploits
Existing Gadget Chain Tools
Building a New Tool to Find Gadget Chains
Enumerate class/method hierarchy
Discover "Passthrough" Dataflow
Enumerate "Passthrough" Callgraph
Enumerate Sources Using Known Tricks
BFS on Call Graph for Chains Sources
Deserialization Library Flexibility
Results: OSS Library Scans
Results: Old Gadget Chains
New Gadget Chains: Clojure org.clojure clojure
New Gadget Chains: Scala
Results: Netflix Internal Webapp 2
Room for Improvement
Final Thoughts • Automatic discovery for gadget chains is new territory