
JDD - In-depth Mining of Java Deserialization Gadget Chains via Bottom-up Gadget Search and Dataflow-aided Payload Construction

Black Hat via YouTube

Overview

Explore advanced techniques for discovering Java deserialization vulnerabilities in this 37-minute Black Hat conference presentation that introduces JDD, a novel approach to mining Java Object Injection (JOI) gadget chains. Learn how researchers address two critical challenges in current vulnerability detection methods: path explosion in static gadget searches and insufficient object relations in dynamic payload construction. Discover the innovative gadget fragment-based summary and bottom-up search methodology that overcomes path explosion limitations, followed by dataflow dependency inference techniques that guide dynamic fuzzing for generating exploitable objects. Examine the practical application of JDD across six popular Java applications including Apache Dubbo, Sofa-RPC, and Solon, which resulted in the discovery of 127 zero-day exploitable gadget chains and six high-severity CVEs with CVSS scores of 9.8. Understand the significant security implications of Java deserialization vulnerabilities and the systematic approach to identifying and constructing exploit chains that can lead to remote code execution. Gain insights from leading security researchers from Fudan University and Johns Hopkins University who demonstrate how their methodology successfully identified critical vulnerabilities that were promptly patched by developers after responsible disclosure.

Syllabus

JDD: In-depth Mining of Java Deserialization Gadget Chains

Taught by

Black Hat
