Learn about QUACK, an innovative security framework designed to automatically protect applications from deserialization attacks through static duck typing inference. Discover how this 35-minute Black Hat conference presentation explores the vulnerabilities in managed languages' serialization features, where attackers manipulate serialized objects to trigger chained code execution using existing code segments as gadgets. Understand the challenges developers face in properly deploying deserialization defenses and how QUACK addresses these issues by automatically fixing calls to deserialization APIs. Explore the framework's novel approach of statically collecting program statements that manipulate deserialized objects to create runtime class filters, effectively limiting available code for exploitation. Examine the implementation details for PHP and the evaluation results on applications with known CVEs and popular GitHub projects, where QUACK successfully prevented automated exploit generation by blocking an average of 97% of potential gadget code. Review real-world validation through developer-accepted pull requests and gain insights into this cutting-edge approach to application security from researchers at Brown University and Columbia University.