Improving Java Deserialization Gadget Chain Mining via Overriding-Guided Object Generation. (arXiv:2303.07593v1 [cs.CR])
cs.CR updates on arXiv.org arxiv.org
Java (de)serialization is prone to causing security-critical vulnerabilities
in which attackers can invoke existing methods (gadgets) on the application's
classpath to construct a gadget chain to perform malicious behaviors. Several
techniques have been proposed to statically identify suspicious gadget chains
and dynamically generate injection objects for fuzzing. However, due to their
incomplete support for dynamic program features (e.g., Java runtime
polymorphism) and ineffective injection object generation for fuzzing, the
existing techniques are still far from satisfactory.
In this paper, we first …