Java Serialization Attacks - Robert Seacord
Robert Seacord presents: Java Deserialization Attacks
Java Serialization is an important and useful feature of Core Java that allows developers to transform a graph of Java objects into a stream of bytes for storage or transmission and then back into a graph of Java objects. Unfortunately, the Java Serialization architecture is highly insecure and has led to numerous vulnerabilities, including remote code execution (RCE) and denial-of-service (DoS) attacks. Any Java program that deserializes a stream is susceptible to such vulnerabilities unless proper mitigations are taken. One such mitigation strategy is look-ahead deserialization or look-ahead object input streams (LAOIS). This whitepaper examines Java deserialization vulnerabilities and evaluates various LAOIS solutions including JDK Enhancement Proposal (JEP) 290.
Paper Referenced in the talk:
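The abstract names look-ahead object input streams and JEP 290 as the mitigation. The following is an added example, not code from the talk or the whitepaper, showing what that looks like in practice on Java 9 or later: a JEP 290 pattern allow-list combined with resource limits, installed on an ObjectInputStream before the first readObject() call, so that an unexpected class or an oversized graph is rejected before any of its code runs. The class names, the allow-list pattern and the numeric limits are constructed for this demo and are not values from the page.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

// Added demo of a JEP 290 look-ahead filter; classes and limits below are constructed for illustration.
public class LookAheadDeserializationDemo {

    // The one type this endpoint expects to receive.
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Stand-in for any class the endpoint does not expect in the stream.
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Allow-list by pattern (JEP 290 syntax) plus resource limits against DoS-style graphs.
    static ObjectInputFilter buildFilter() {
        // "!*" at the end turns the default from UNDECIDED into "reject", which is the
        // safe posture for an allow-list.
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(
            LookAheadDeserializationDemo.class.getName() + "$Greeting;"
            + "java.util.ArrayList;!*");

        // Limits are checked independently of class identity: nesting depth, reference
        // count, array length and bytes consumed so far (illustrative thresholds).
        ObjectInputFilter limits = info -> {
            if (info.depth() > 10)               return ObjectInputFilter.Status.REJECTED;
            if (info.references() > 1000)        return ObjectInputFilter.Status.REJECTED;
            if (info.arrayLength() > 1000)       return ObjectInputFilter.Status.REJECTED;
            if (info.streamBytes() > 64 * 1024)  return ObjectInputFilter.Status.REJECTED;
            return ObjectInputFilter.Status.UNDECIDED; // class decision is left to the allow-list
        };

        // Combine: a rejection from either filter wins; otherwise the allow-list decides.
        return info -> {
            ObjectInputFilter.Status s = limits.checkInput(info);
            if (s == ObjectInputFilter.Status.REJECTED) return s;
            return allowList.checkInput(info);
        };
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(buildFilter()); // must precede the first readObject()
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Greeting g = (Greeting) deserialize(serialize(new Greeting("hello")));
        System.out.println("accepted: " + g.text);

        try {
            deserialize(serialize(new Unexpected()));
            System.out.println("BUG: Unexpected was deserialized");
        } catch (InvalidClassException e) {
            // Rejected by the filter before the class was resolved or any of its code ran.
            System.out.println("rejected (class): " + e.getMessage());
        }

        // A 20-level nested list exceeds the depth limit and is rejected even though
        // ArrayList itself is on the allow-list.
        List<Object> root = new ArrayList<>();
        List<Object> cur = root;
        for (int i = 0; i < 20; i++) { List<Object> next = new ArrayList<>(); cur.add(next); cur = next; }
        try {
            deserialize(serialize(root));
            System.out.println("BUG: deeply nested graph was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected (depth): " + e.getMessage());
        }
    }
}
```

Compile and run with a JDK 9 or newer; the two rejected cases surface as InvalidClassException with a "filter status: REJECTED" message. The same pattern string can also be applied process-wide through the jdk.serialFilter system property, which is useful as a backstop for deserialization sites that were not written with a per-stream filter.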