Although the Java deserialization vulnerability has been widely known for many years, it still poses a severe security threat. Attackers and defenders alike focus on hunting gadget chains, which are the key to actually exploiting the vulnerability.
Some tools are available to hunt for gadget chains automatically. Unfortunately, these tools struggle with the following challenges: (1) Existing tools have difficulty trading off precision against recall, because runtime polymorphism and other dynamic language features (e.g., reflection, dynamic proxies) are ubiquitous in the Java ecosystem, and gadget chains in Java are longer than in other programming languages, which creates a huge computation space and amplifies the inaccuracy caused by dynamic features. (2) Existing tools are unable to validate candidate gadget chains, so candidates require manual inspection, which is time-consuming and error-prone.
We propose a novel approach ODDFuzz to hunt gadget chains efficiently and precisely...
By: Biao He, Haowen Mu, Yu Ouyang
Full Abstract and Presentation Materials:
#oddfuzz-hunting-java-deserialization-gadget-chains-via-structure-aware-directed-greybox-fuzzing-31367