Litcius/Paper detail

Tabby: Automated Gadget Chain Detection for Java Deserialization Vulnerabilities

Xingchen Chen, Baizhu Wang, Ze Jin, Yun Feng, Xianglong Li, Xincheng Feng, Qixu Liu

202316 citationsDOI

Abstract

Java is one of the preferred options of modern developers and has become increasingly more prominent with the prevalence of the open-source culture. Thanks to the serialization and deserialization features, Java programs have the flexibility to transmit object data between multiple components or systems, which significantly facilitates development. However, the features may also allow the attackers to construct gadget chains and lead to Java deserialization vulnerabilities. Due to the highly flexible and customizable nature of Java deserialization, finding an exploitable gadget chain is complicated and usually costs researchers a great deal of effort to confirm the vulnerability. To break such a dilemma, in this paper, we introduced Tabby, a highly accurate framework that leverages the Soot framework and Neo4j graph database for finding Java deserialization gadget chains. We leveraged Tabby to analyze 248 Jar files, found 80 practical gadget chains, and received 7 CVE-IDs from Xstream and Apache Dubbo. They both improved the security design to deal with potential security risks.

Topics & Concepts

GadgetComputer scienceJavaSerializationFlexibility (engineering)Construct (python library)Web applicationComputer securityOperating systemProgramming languageAlgorithmStatisticsMathematicsWeb Application Security VulnerabilitiesSecurity and Verification in ComputingAdvanced Malware Detection Techniques