Automatic Detection and Prevention of Deserialization Vulnerabilities

SCHEME: CORE

CALL: 2018

DOMAIN: IS - Information Security and Trust Management

FIRST NAME: Alexandre

LAST NAME: Bartel

INDUSTRY PARTNERSHIP / PPP: No

INDUSTRY / PPP PARTNER:

HOST INSTITUTION: University of Luxembourg

KEYWORDS: Software vulnerability, static analysis, dynamic analysis, security mechanism, deserialization vulnerability, constraint generation, gadget chaining, Java

START: 2019-07-01

END:

WEBSITE: https://www.uni.lu

Submitted Abstract

We are living in the information all companies rely on software for their businesses. Unfortunately, we still do not know how to write software without bugs. The consequence is that all software running in these companies contain bugs. Most bugs are benign. Others, on the other hand, are software vulnerabilities which can open security holesin computer systems. They are a serious threat for companies since an attacker can leverage software vulnerabilities to compromise the companies’ information infrastructures. In the ONNIVA project we focus on the deserialisation vulnerability. This vulnerability has a major impact on the security of software and is leveraged by many high profile attacks. Understanding this vulnerability, automatically detecting it and protecting against attacks using it will considerably improve the security of systems at risk. The ONNIVA project goes into the direction of automated vulnerability detection. We aim at (1) understanding the serialization protocol and existing vulnerabilities, (2) automatically explore the code of programs with static and dynamic analyses to find concrete paths to vulnerabilities linked to the serialization protocol and (3) correct and/orprevent the vulnerabilities. Algorithms developed in ONNIVA are generic and could be used to analyze other security vulnerabilities.

This site uses cookies. By continuing to use this site, you agree to the use of cookies for analytics purposes. Find out more in our Privacy Statement