Abstract
Deserialization of untrusted data is an issue in many programming languages. In particular, deserialization of untrusted data in Java can lead to remote code execution attacks. The conditions for this type of attack are known, but the vulnerabilities themselves are hard to detect. In this paper, we propose a novel sandboxing approach for protecting Java applications, based on a trusted execution path that defines the permitted deserialization behavior. We test our defensive mechanism on two major Java frameworks, JBoss and Jenkins, and we show the effectiveness and efficiency of our system. We also discuss the limitations of our current system against newer attack strategies.
Cristalli, S., Vignati, E., Bruschi, D., & Lanzi, A. (2018). Trusted execution path for protecting java applications against deserialization of untrusted data. In Lecture Notes in Computer Science (Vol. 11050 LNCS, pp. 445–464). Springer Verlag. https://doi.org/10.1007/978-3-030-00470-5_21