In recent years, multiple vulnerabilities exploiting the serialisation APIs of various programming languages, including Java, have been discovered. These vulnerabilities can be used to devise injection attacks, exploiting the presence of dynamic programming language features like reflection or dynamic proxies. In this paper, we investigate a new type of serialisation-related vulnerabilities for Java that exploit the topology of object graphs constructed from classes of the standard library in a way that deserialisation leads to resource exhaustion, facilitating denial of service attacks. We analyse three such vulnerabilities that can be exploited to exhaust stack memory, heap memory and CPU time. We discuss the language and library desi...
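The following is an added illustration of the mechanism the abstract describes, not code from the paper, and it does not reproduce the paper's three vulnerabilities. It uses the generic pattern of a deeply nested java.util.ArrayList, whose readObject() recurses once per nesting level, so that an untrusted stream can exhaust the reader's stack, and it shows the standard countermeasure: a JEP 290 ObjectInputFilter (Java 9 and later) with maxdepth, maxrefs, maxbytes and maxarray limits plus an allow-list of classes. The class name, the chosen limits and the nesting depth are assumptions; the code also assumes the JVM honours the Thread stackSize hint, which HotSpot on Linux does.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not the paper's code): a deeply nested ArrayList makes
 * ObjectInputStream.readObject() recurse once per level, so an untrusted
 * stream can exhaust the reader's stack. An ObjectInputFilter rejects such
 * a stream before the recursion gets anywhere near the stack limit.
 */
public class NestedGraphFilterDemo {

    /** Build [[[...]]] with the given nesting depth (assumed payload shape). */
    static List<Object> nested(int depth) {
        List<Object> root = new ArrayList<>();
        List<Object> cur = root;
        for (int i = 1; i < depth; i++) {
            List<Object> next = new ArrayList<>();
            cur.add(next);
            cur = next;
        }
        return root;
    }

    /**
     * Serialise on a thread with a very large stack: writeObject() recurses just
     * like readObject(), so the payload cannot be produced on a default-size stack.
     * A real attacker would emit the stream bytes directly instead.
     */
    static byte[] serializeWithBigStack(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        Throwable[] failure = new Throwable[1];
        Thread writer = new Thread(null, () -> {
            try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
                oos.writeObject(o);
            } catch (Throwable t) {
                failure[0] = t;
            }
        }, "big-stack-writer", 2L << 30); // 2 GiB stack, assumed to be honoured
        writer.start();
        writer.join();
        if (failure[0] != null) throw new Exception("serialisation failed", failure[0]);
        return bos.toByteArray();
    }

    /** Unfiltered read: recursion depth is bounded only by this thread's stack. */
    static Object readUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    /**
     * Filtered read. maxdepth bounds graph nesting (stack); maxrefs, maxbytes and
     * maxarray bound the number and size of objects (heap). Only java.util classes
     * are allowed; the trailing "!*" rejects everything else.
     */
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=32;maxrefs=10000;maxbytes=1048576;maxarray=10000;java.util.*;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = serializeWithBigStack(nested(8));
        byte[] hostile = serializeWithBigStack(nested(200_000));
        System.out.println("hostile payload size: " + hostile.length + " bytes");

        // A shallow, allow-listed graph passes the filter unchanged.
        System.out.println("filtered benign: " + readFiltered(benign).getClass().getSimpleName());

        // The filter rejects the hostile stream cheaply, with "filter status: REJECTED".
        try {
            readFiltered(hostile);
        } catch (InvalidClassException e) {
            System.out.println("filter rejected hostile stream: " + e.getMessage());
        }

        // Without the filter the same bytes blow the default thread stack.
        try {
            readUnfiltered(hostile);
        } catch (StackOverflowError e) {
            System.out.println("unfiltered read exhausted the stack");
        }
    }
}
```

Two caveats for practitioners. First, the same filter can be applied process-wide through the jdk.serialFilter system property, which is the safer default when deserialisation entry points are hard to enumerate. Second, depth and size limits address the stack and heap cases; a graph that stays within every limit but is expensive to reconstruct (for example because of costly hashCode() or equals() work during readObject()) is a CPU-time problem that these limits do not bound, so the allow-list of classes and the overall size budget are the only levers the filter offers against it.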
While the Java runtime is installed on billions of devices and servers worldwide, it remains a prima...
Nowadays software development greatly relies upon using third-party source code. A logical consequen...
Applications that manage sensitive secrets, including cryptographic keys, are typically engineer...
We study a class of denial-of-service (DoS) vulnerabilities that occur in parsing structured data. T...
Nowadays, an increasing number of applications use deserialization. This tech...
The most dangerous security-related software errors, according to the OWASP Top Ten 2017 list, affec...
Open-source software supply chain attacks aim at infecting downstream users by...
Object serialization and deserialization is widely used for storing and preserving objects in files,...
When created, the Java platform was among the first runtimes designed with security in mind. Yet, nu...
Java has been a target for many zero-day exploits in the past years. We investigate one category of ...
This paper presents the source code analysis of a file reader server socket program (connection-orie...
This paper provides a taxonomy of runtime taint tracking approaches for managed code, such as code w...
The loosely-coupled and dynamic nature of web services architectures has many benefits, but also lea...
Deserialization of untrusted data is an issue in many programming languages. In particular, deserial...
Invalid object initialization vulnerabilities have been identified since the 1990’s by a resea...