Automated Gadget Chain Discovery for Deserialization Vulnerability Remediation

Explore deserialization vulnerability remediation techniques and automated gadget chain discovery in this conference talk. Learn about the persistent threat of unsafe deserialization in Java and other languages, despite years of awareness. Dive into a new methodology for automatically finding deserialization gadget chains, allowing security teams to quickly assess and prioritize vulnerabilities. Examine a free, open-source toolkit developed to implement this approach, which has been successfully used to evaluate vulnerabilities in both internal and open-source projects. Gain insights into the inner workings of deserialization vulnerabilities, including magic methods and gadget chains, and understand various remediation options. Discover new gadget chains in popular libraries like Clojure and Scala, and see real-world examples of vulnerability assessments in Netflix internal applications. Conclude with reflections on the emerging field of automatic gadget chain discovery and its implications for application security.

Intro
Deserialization Gadget Chains
What is a Deserialization Vulnerability? In object oriented languages (like Java), data is contained in classes and classes contain code.
Magic Methods? • readObject() and readResolve() are the main ones...
Magic Methods to Gadget Chains
Example Payload
Finding Vulnerabilities • Finding potential vulnerabilities is similar to finding many application security issues
Remediation Options • Why not use a better serialization strategy? "It's 2016, there are better options." -Luca Carettoni
Finding Exploits
Gadget Inspector • Operates on any given classpath, i.e. a particular library or an entire war • Reports discovered gadget chains as a sequence of method invocations • Performs some simplistic symbolic execution to understand possible dataflow from method arguments to subsequent method invocations • Makes a lot of simplifying assumptions that make code analysis easy
How Does It Work?
Deserialization Library Flexibility
New Gadget Chains: Clojure org.clojure clojure 6th most popular maven dependency
New Gadget Chains: Scala
Results: Netflix Internal Webapp 1
Results: Netflix Internal Webapp 2
Final Thoughts • Automatic discovery for gadget chains is new territory