Submitted Abstract
We are living in the information all companies rely on software for their businesses. Unfortunately, we still do not know how to write software without bugs. The consequence is that all software running in these companies contain bugs. Most bugs are benign. Others, on the other hand, are software vulnerabilities which can open security holesin computer systems. They are a serious threat for companies since an attacker can leverage software vulnerabilities to compromise the companies’ information infrastructures. In the ONNIVA project we focus on the deserialisation vulnerability. This vulnerability has a major impact on the security of software and is leveraged by many high profile attacks. Understanding this vulnerability, automatically detecting it and protecting against attacks using it will considerably improve the security of systems at risk. The ONNIVA project goes into the direction of automated vulnerability detection. We aim at (1) understanding the serialization protocol and existing vulnerabilities, (2) automatically explore the code of programs with static and dynamic analyses to find concrete paths to vulnerabilities linked to the serialization protocol and (3) correct and/orprevent the vulnerabilities. Algorithms developed in ONNIVA are generic and could be used to analyze other security vulnerabilities.