A Modern Fairy Tale: Java Serialization
@spoole167
Steve Poole
Developer Advocate, IBM
JVM Developer
Open Source Advocate
DevOps Practitioner (whatever that means!)
Driving Change
A Modern Fairy Tale:
Java Serialization
• Why we still need serialization and where we use it.
• How the built-in design is flawed.
• How it is being exploited and used against us.
• How to work against the dark arts rallied against us.
• How even the alternative forms of Java serialization can still be open to attack.
Why do we need serialization?
Common serialization uses:
Java Persistence API (JPA)
Remote EJB
Remote Method Invocation (RMI)
Java Management Extensions (JMX)
Contexts and Dependency Injection (CDI)
HTTP cookies
HTML Forms
REST Services
Anywhere you find ObjectInputStream
Java Serialization is easy to use
implements java.io.Serializable;
You just have to opt in….
Java Serialization is easy to use
FileOutputStream fos = new FileOutputStream(output);
ObjectOutputStream oos = new ObjectOutputStream(fos);
oos.writeObject(m);
FileInputStream fis = new FileInputStream(input);
ObjectInputStream ois = new ObjectInputStream(fis);
Thing t = (Thing) ois.readObject();
Then it's easy to save and restore objects.
If you don't opt in:
java.io.NotSerializableException:
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1184)
at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:348)
Java Serialization is a useful and relatively easy to use technology.
There might just be some side effects.
Example
OC1 example = new OC1();
oos.writeObject(example);
public class OC1 implements Serializable {
private String hello = "hello";
}
0000000 ac ed 00 05 73 72 00 15 6f 63 31 2e 73 65 72 69 | ....sr..oc1.seri
0000010 61 6c 69 73 61 74 69 6f 6e 2e 4f 43 31 ab 5a a9 | alisation.OC1.Z.
0000020 59 37 9f 03 ef 02 00 01 4c 00 05 68 65 6c 6c 6f | Y7......L..hello
0000030 74 00 12 4c 6a 61 76 61 2f 6c 61 6e 67 2f 53 74 | t..Ljava/lang/St
0000040 72 69 6e 67 3b 78 70 74 00 05 68 65 6c 6c 6f | ring;xpt..hello
Reading the stream left to right, the bytes decompose as:
<STREAM_MAGIC><STREAM_VERSION><TC_OBJECT><TC_CLASSDESC>
<UTF8-ClassName><serial-version-id><flags><field count><field type(Object)>
<UTF8-FieldName><Class Name><flags><UTF8-String value>
Element Value
STREAM_MAGIC 0xaced
STREAM_VERSION 0x0005
TC_OBJECT 0x73
TC_CLASSDESC 0x72
UTF8-ClassName oc1.serialisation.OC1
serial-version-id 0xab5aa959379f03ef (a check that you're talking about the same class)
flags 0x02
field count 0x0001
field type ‘L’
UTF8-FieldName ‘hello’
Class Name ‘java.lang.String’
flags 0x787074
UTF8-String value ‘hello’
The field descriptors and values above mean the actual contents of the instance are self-defining.
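The table is easier to trust once you have walked the bytes yourself. The following is an added example, not code from the talk, that reads the 79 bytes of the hex dump above with a DataInputStream and lists each element in the order the table gives. The class name StreamWalker and the output format are my own; it deliberately handles only the constructs this one stream uses (a single class descriptor with no superclass, String and int fields).

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

// Added example: walks the first object of a Java serialization stream and lists
// the elements the table above names. Handles only what the slide's stream contains
// (one class descriptor, String or int fields, no superclass).
public class StreamWalker {
    static final short STREAM_MAGIC = (short) 0xaced;
    static final short STREAM_VERSION = 0x0005;
    static final byte TC_NULL = 0x70, TC_CLASSDESC = 0x72, TC_OBJECT = 0x73,
                      TC_STRING = 0x74, TC_ENDBLOCKDATA = 0x78;

    // The 79 bytes of the slide's hex dump, one row of the dump per string.
    static final byte[] SLIDE_STREAM = hex(
          "aced0005737200156f63312e73657269"
        + "616c69736174696f6e2e4f4331ab5aa9"
        + "59379f03ef0200014c000568656c6c6f"
        + "7400124c6a6176612f6c616e672f5374"
        + "72696e673b787074000568656c6c6f");

    static byte[] hex(String s) {
        byte[] b = new byte[s.length() / 2];
        for (int i = 0; i < b.length; i++) {
            b[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        }
        return b;
    }

    static void expect(DataInputStream in, byte tag, String what) throws IOException {
        byte got = in.readByte();
        if (got != tag) {
            throw new IOException(String.format("expected %s (0x%02x) but found 0x%02x", what, tag, got));
        }
    }

    public static List<String> walk(byte[] stream) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(stream));
        List<String> out = new ArrayList<>();

        short magic = in.readShort();
        if (magic != STREAM_MAGIC) {
            throw new IOException(String.format("bad STREAM_MAGIC 0x%04x", magic & 0xffff));
        }
        out.add("STREAM_MAGIC=0xaced");
        short version = in.readShort();
        if (version != STREAM_VERSION) {
            throw new IOException("unsupported STREAM_VERSION " + version);
        }
        out.add("STREAM_VERSION=" + version);

        expect(in, TC_OBJECT, "TC_OBJECT");
        expect(in, TC_CLASSDESC, "TC_CLASSDESC");
        // Everything from here on is dictated by the stream, not by the receiving class.
        out.add("className=" + in.readUTF());
        out.add(String.format("serialVersionUID=0x%016x", in.readLong()));
        out.add(String.format("flags=0x%02x", in.readByte()));
        short fieldCount = in.readShort();
        out.add("fieldCount=" + fieldCount);

        char[] types = new char[fieldCount];
        for (int i = 0; i < fieldCount; i++) {
            types[i] = (char) in.readByte();
            String name = in.readUTF();
            String type = String.valueOf(types[i]);
            if (types[i] == 'L' || types[i] == '[') {   // object and array fields carry a type-signature string
                expect(in, TC_STRING, "TC_STRING");
                type = in.readUTF();
            }
            out.add("field[" + i + "]=" + name + ":" + type);
        }
        expect(in, TC_ENDBLOCKDATA, "TC_ENDBLOCKDATA");
        expect(in, TC_NULL, "TC_NULL (no superclass descriptor)");

        // Field values follow in declaration order.
        for (int i = 0; i < fieldCount; i++) {
            switch (types[i]) {
                case 'I':
                    out.add("value[" + i + "]=" + in.readInt());
                    break;
                case 'L': {
                    byte tag = in.readByte();
                    if (tag == TC_NULL) {
                        out.add("value[" + i + "]=null");
                    } else if (tag == TC_STRING) {
                        out.add("value[" + i + "]=\"" + in.readUTF() + "\"");
                    } else {
                        throw new IOException(String.format("value tag 0x%02x not handled here", tag));
                    }
                    break;
                }
                default:
                    throw new IOException("field type '" + types[i] + "' not handled here");
            }
        }
        return out;
    }

    public static void main(String[] args) throws IOException {
        for (String line : walk(SLIDE_STREAM)) {
            System.out.println(line);
        }
    }
}
```

Running main prints one line per row of the table, ending with the field's value. The point to notice is that after the two fixed header shorts nothing is checked against the receiving class: the class name, serialVersionUID, field names, types and values are all read straight out of the stream, which is exactly what the following slides play with.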
Serialization allows you to easily turn a graph of objects into a transferable form – and back again.
Element Value
STREAM_MAGIC 0xaced
STREAM_VERSION 0x0005
TC_OBJECT 0x73
TC_CLASSDESC 0x72
UTF8-ClassName oc1.serialisation.OC1
serial-version-id 0xab5aa959379f03ef
flags 0x02
field count 0x0001
field type ‘I’
UTF8-FieldName ‘hello’
Class Name ‘java.lang.Number’
flags 0x787074
Integer value 0x0001
What happens if I do this?
“java.lang.ClassCastException: cannot assign instance of java.lang.Integer to field oc1.serialisation.OC1.hello of type java.lang.String in instance of oc1.serialisation.OC1”
Are we safe from changes to the serialization stream then?
public class OC1 {
private String hello = "hello";
}
Element Value
field name hello
field type L
class name java.lang.String
value hello
Change the field's declared type to Object:
public class OC1 {
private Object hello = "hello";
}
Element Value
field name hello
field type L
class name java.lang.Object
value hello
Now the stream can supply anything that is an Object:
Element Value
field name hello
field type [
class name java.lang.Array
value 1,2,3,4
Element Value
field name hello
field type [
class name HashMap
value A=1,B=2
Element Value
field name hello
field type L
class name Any class name
value Any value
Why is a self-defining data stream dangerous?
public class Foo {
static {
System.out.println("static initializer called");
}
public Foo() {
System.out.println("object constructor called");
}
}
What happens when we run "new Foo()"?
static initializer called
object constructor called
Element Value
field type ‘L’
UTF8-FieldName ‘hello’
Class Name ‘org.random.Foo’
What happens if we do this in our serialized form?
public class OC1 {
private String hello = "hello";
}
public class Foo implements Serializable {
static {
System.out.println("static initializer called");   // A
}
public Foo() {
System.out.println("object constructor called");   // B
}
}
What gets called - A, B, both or neither?
Output:
static initializer called
Exception:
“Exception in thread "main" java.lang.ClassCastException: cannot assign instance of org.random.Foo to field oc1.serialisation.OC1.hello of type java.lang.String in instance of oc1.serialisation.OC1”
Java deserialization can be used to execute code even if it eventually fails.
That's still useful to the bad guys.
We’ve just learnt that constructors do not get called during deserialization
public class Foo implements Serializable {
private int data[];
public Foo() {
data = new int[] {1,2,3,4};
}
public int size() {
return data.length;
}
}
What happens here?
Element Value
STREAM_MAGIC 0xaced
STREAM_VERSION 0x0005
TC_OBJECT 0x73
TC_CLASSDESC 0x72
UTF8-ClassName oc1.serialisation.OC1
serial-version-id 0xab5aa959379f03ef
flags 0x02
field count 0x0001
field type ‘[’
UTF8-FieldName ‘data’
Element Type I
Element Count 0x04
Values 1,2,3,4
Valid stream. The answer is 4?
What happens if I do this?
Element Value
STREAM_MAGIC 0xaced
STREAM_VERSION 0x0005
TC_OBJECT 0x73
TC_CLASSDESC 0x72
UTF8-ClassName oc1.serialisation.OC1
serial-version-id 0xab5aa959379f03ef
flags 0x02
field type null
UTF8-FieldName ‘data’
The code in the constructor never gets called during deserialization, so data is left null.
So: NPE!
And it's not just "implements Serializable" instances that are at risk
public class SubClass extends Parent implements Serializable {
static {
System.out.println("in SubClass class init");
}
public SubClass() {
System.out.println("in SubClass constructor");
}
}
public class Parent {
static {
System.out.println("in Parent class init");
}
public Parent() {
System.out.println("in Parent constructor");
}
}
This class just opted in its parent.
"new SubClass()":
in Parent class init
in SubClass class init
in Parent constructor
in SubClass constructor
Deserialise SubClass:
in Parent class init
in SubClass class init
in Parent constructor
On deserialization the Parent class init, the Parent constructor and the SubClass class init are called; the SubClass constructor is not called.
This code in Parent was called. Did the author expect it to be part of a serialization story?
public interface IFoo {
}
public class FooImpl implements IFoo {
}
Is FooImpl serializable?
public interface IFoo extends Serializable {
}
public class FooImpl implements IFoo {
}
Is FooImpl serializable? - it is now!
Java serialization is a great gift to the bad guys
How many serialization vulnerabilities are there?
Can we be safer?
Classes can 'opt-in' to deserialization and take more control
public class Log implements Serializable {
private File logfile;
private transient FileOutputStream los;
private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
in.defaultReadObject();
los = new FileOutputStream(logfile);
}
}
But that can still be used against them: the stream decides the value of logfile
Element Value
field name logfile
value /etc/passwd
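This is an added example, not the talk's own code: the Log class above with its readObject rewritten so that the stream cannot choose where the log is written. It assumes an application rule that log files must live under /var/log/myapp (LOG_ROOT, an assumed location), and the same null check also covers the earlier Foo case where a stream leaves a field unset.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example: the slide's Log class with readObject hardened so that a stream cannot
// point logfile at an arbitrary path (or at null). LOG_ROOT is an assumed location.
public class Log implements Serializable {
    private static final long serialVersionUID = 1L;
    static final Path LOG_ROOT = Paths.get("/var/log/myapp").toAbsolutePath().normalize();

    private File logfile;
    private transient FileOutputStream los;   // opened lazily, never during deserialization

    public Log(File logfile) {
        this.logfile = requireUnderLogRoot(logfile);
    }

    // One invariant check shared by the constructor and readObject. The stream can set the
    // field to anything the slide's table shows (/etc/passwd, null, ...); this refuses it.
    static File requireUnderLogRoot(File f) {
        if (f == null) {
            throw new IllegalArgumentException("logfile is null");
        }
        Path p = f.toPath().toAbsolutePath().normalize();   // normalize() removes ".." segments lexically
        if (!p.startsWith(LOG_ROOT) || p.equals(LOG_ROOT)) {
            throw new IllegalArgumentException("logfile outside " + LOG_ROOT + ": " + p);
        }
        return p.toFile();
    }

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        try {
            logfile = requireUnderLogRoot(logfile);   // validate before anything acts on the field
        } catch (IllegalArgumentException e) {
            throw new InvalidObjectException(e.getMessage());
        }
        // Unlike the slide's version, no file is opened here: deserialization has no side effects.
    }

    FileOutputStream stream() throws IOException {
        if (los == null) {
            los = new FileOutputStream(logfile, true);
        }
        return los;
    }

    // Convenience for checking candidate paths against the invariant.
    public static boolean accepts(String path) {
        try {
            requireUnderLogRoot(new File(path));
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(accepts("/var/log/myapp/app.log"));               // inside LOG_ROOT
        System.out.println(accepts("/etc/passwd"));                          // the slide's value
        System.out.println(accepts("/var/log/myapp/../../../etc/passwd"));   // ".." escape attempt
        // Round-trip a valid instance: readObject re-runs the same check the constructor ran.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new Log(new File("/var/log/myapp/app.log")));
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            Log back = (Log) ois.readObject();
            System.out.println(back.logfile);
        }
    }
}
```

Two design points: validation happens in readObject before any side effect, and the side effect itself (opening the file) is deferred to first use, so a rejected stream leaves nothing behind. The check is lexical; normalize() strips ".." but does not resolve symbolic links, so an installation that allows links inside LOG_ROOT would need toRealPath() on an existing path instead.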
Other ways to reduce exposure
private final void readObject(ObjectInputStream in) throws java.io.IOException {
throw new java.io.IOException("forbidden");
}
Opt out of being deserialized (add to every class!)
Other ways to reduce exposure
// reject deserialisation of any class belonging to untrustedmodule,
// and of any array with more than 500 items in it
jdk.serialFilter=!untrustedmodule/.**;maxarray=500
// white-list classes from package com.myorg.trusted,
// but not necessarily from its subpackages.
jdk.serialFilter=com.myorg.trusted.*
Implement class filtering
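Added example, not from the talk: filter patterns in the style of the two above applied from code with the Java 9+ ObjectInputFilter API, which lets a single ObjectInputStream carry its own filter instead of relying on the global jdk.serialFilter property. Packet here is a constructed stand-in for a class in the application's trusted package and the pattern strings are mine. It shows the caveat that matters for the second pattern on the slide: an allow-list that only allows still lets unmatched classes through.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

// Constructed stand-in for an application's own data-transfer class.
class Packet implements Serializable {
    private static final long serialVersionUID = 1L;
    String name = "ok";
}

// Added example (Java 9+): per-stream filtering with ObjectInputFilter, and the difference
// between an allow-list that only allows and one that also rejects everything else.
public class FilterDemo {
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Returns the class name that came back, or "REJECTED" when the filter refused the stream.
    static String read(byte[] bytes, String pattern) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);   // must be set before the first readObject()
            return ois.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            return "REJECTED";
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] packet = serialize(new Packet());
        byte[] map = serialize(new HashMap<String, String>());
        byte[] bigArray = serialize(new int[1000]);

        // Allow-list only. A class that matches no pattern is UNDECIDED, and UNDECIDED is
        // treated as allowed, so the HashMap still deserializes.
        String weak = "Packet";
        // Allow-list, an array limit, then "!*" to reject every class not matched earlier.
        String strict = "Packet;maxarray=500;!*";

        System.out.println("weak   Packet    -> " + read(packet, weak));
        System.out.println("weak   HashMap   -> " + read(map, weak));
        System.out.println("strict Packet    -> " + read(packet, strict));
        System.out.println("strict HashMap   -> " + read(map, strict));
        System.out.println("strict int[1000] -> " + read(bigArray, strict));
    }
}
```

The same pattern strings work unchanged in the jdk.serialFilter property or with ObjectInputFilter.Config.setSerialFilter as a process-wide default; the per-stream form is useful when different endpoints legitimately accept different types. Whichever form is used, the slide's second pattern needs a trailing ";!*" (or an equivalent reject rule) before it actually blocks anything.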
Other ways to reduce exposure
Implement your own ObjectInputStream.
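For the "implement your own ObjectInputStream" option, here is an added example (not code from the talk) of the usual pre-Java 9 technique: override resolveClass to allow-list class names and resolveProxyClass to refuse dynamic proxies. Note is a constructed stand-in for the one class this reader expects, and the allow list is an assumption.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Set;

// Constructed stand-in for a class the application actually expects to receive.
class Note implements Serializable {
    private static final long serialVersionUID = 1L;
    String text = "hi";
}

// Added example: an ObjectInputStream subclass that allow-lists class names in resolveClass.
// This is the pre-Java 9 way to get class filtering; it is not code from the talk.
public class AllowListObjectInputStream extends ObjectInputStream {
    private final Set<String> allowed;

    public AllowListObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    // Invoked for every class descriptor as it is read, before the class is loaded or
    // instantiated, so a rejected class never gets its static initializer run.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        if (!allowed.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "not on the deserialization allow list");
        }
        return super.resolveClass(desc);
    }

    // The gadget chain on the slide passes through a Map proxy; an application that never
    // expects a dynamic proxy in its streams can refuse them all.
    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        throw new InvalidClassException("dynamic proxy", "proxies are not accepted");
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static String tryRead(byte[] bytes, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(bytes), allowed)) {
            return in.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            return "REJECTED " + e.classname;
        }
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Set.of("Note");
        System.out.println(tryRead(serialize(new Note()), allowed));
        System.out.println(tryRead(serialize(new HashMap<String, String>()), allowed));
    }
}
```

The HashMap is refused inside resolveClass, before HashMap's own readObject ever runs. Arrays reach resolveClass under their descriptor names (an int[] is "[I"), so any array type the application expects has to be listed explicitly, and the list has to include every class reachable from the expected object graph, not just the root.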
Other ways to reduce exposure
Use modularity to reduce available classes: attackers can only call code available on your system.
Other ways to reduce exposure
Create a deliberate data transfer model
public final class Packet implements Serializable {
String name;
int size;
List<ChildPacket> kids;
}
[diagram: complicated data structures -> converter -> Packet]
Other ways to reduce exposure
And maybe stop using native serialization at all
{
"name" : "foobar",
"size" : 1,
"kids" : [ { }, { } ]
}
[diagram: complicated data structures -> converter -> JSON]
Switching to alternatives is not a panacea.
Protecting yourself against serialization exploits is hard.
And remember – it's not just your code. It's all of your dependencies too!
The self-defining design of Java Serialization is open to exploitation.
It's all about running the code you already have. Just not how you expected.
Or changing your data to invalid but useful values.
How do the bad guys do this?
Data manipulation
DoS attack via serialized data
Element Value
STREAM_MAGIC 0xaced
STREAM_VERSION 0x0005
TC_OBJECT 0x73
TC_CLASSDESC 0x72
UTF8-ClassName oc1.serialisation.OC1
serial-version-id 0xab5aa959379f03ef
flags 0x02
field count 0x0001
field type ‘[’
UTF8-FieldName ‘data’
Element Type I
Element Count MAX_INT
Values
Gadget Chains
ObjectInputStream.readObject()
AnnotationInvocationHandler.readObject()
Map(Proxy).entrySet()
AnnotationInvocationHandler.invoke()
LazyMap.get()
ChainedTransformer.transform()
ConstantTransformer.transform()
InvokerTransformer.transform()
Method.invoke()
Class.getMethod()
InvokerTransformer.transform()
Method.invoke()
Runtime.getRuntime()
InvokerTransformer.transform()
Method.invoke()
Runtime.exec()
A series of unfortunate calls
How bad is the situation though – it's really hard to create gadget chains.
Discovery
RMI port 1090
Discovery – Jenkins version 2.56
Exploit
https://www.exploit-db.com/exploits/41965/
Impressive amount of tools and collateral out there – but does it really matter?
How much risk are we taking by ignoring the problem?
In 2016 cybercrime was estimated to be worth 450 billion dollars.
Cybercrime is the most profitable type of crime.
In 2016 the illicit drug trade was estimated to be worth 435 billion dollars.
• Guess which one has the least risk to the criminal?
• Guess which one is growing the fastest?
• Guess which one is the hardest to prosecute?
• Guess which one is predicted to reach 2100 billion dollars by 2019?
• Guess which one is predicted to reach 6000 billion dollars by 2021?
[chart: cybercrime vs drug trade, billions of dollars, 2013–2021]
That's about $600 for every person on the planet. In the US it's about $8000 each.
Don't agree?
“The bad guys prey on the weak, vulnerable and ignorant”
That's you.
Ever googled for:
“very trusting trust manager”
“Getting Java to accept all certs over HTTPS”
“How to Trust Any SSL Certificate”
“Disable Certificate Validation in Java”
Ever written something like this?
TrustManager[] trustAllCerts = new TrustManager[] {
new X509TrustManager() {
public X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(X509Certificate[] certs, String authType) {
}
public void checkServerTrusted(X509Certificate[] certs, String authType) {
}
public boolean isClientTrusted(X509Certificate[] cert) {
return true;
}
public boolean isServerTrusted(X509Certificate[] cert) {
return true;
}
}};
We’ve all done something like that
We do it all the time
The whole world does it
How bad can it be?
Github search “implements TrustManager” ….
We’ve found 72,609 code results
AlwaysValidTrustManager
TrustAllServersWrappingTrustManager
“A very friendly, accepting trust manager factory. Allows anything through. All kinds of certificates are accepted and trusted.”
“A very trusting trust manager that accepts anything”
// Install the all-trusting trust manager
OverTrustingTrustProvider
AllTrustingSecurityManagerPlugin.java
AcceptingTrustManagerFactory.java
AllTrustingCertHttpRequester.java
Search github for “implements serializable”
Wrap up
Today Java serialization use is widespread:
Java Persistence API (JPA), Remote EJB, Remote Method Invocation (RMI), Java Management Extensions (JMX), Contexts and Dependency Injection (CDI), HTTP cookies, HTML Forms, REST Services.
Much as you'd like to, you can't escape.
Reality
• As developers we all need to wake up to our responsibilities to design and code secure software.
• The bad guys exploit our ignorance and lack of attention.
Games & Drinks on Us
Please join our IBM Java devs on Wednesday after the community keynote for some drinks and video games!
Coin-Op Game Room, 508 4th St
7:30pm drinks
8:00pm light food, and quarters for games
Ibm.biz/javaparty

Key Takeaways for Java Developers from the State of the Software Supply Chain...Key Takeaways for Java Developers from the State of the Software Supply Chain...
Key Takeaways for Java Developers from the State of the Software Supply Chain...
 
THRIVING IN THE GEN AI ERA: NAVIGATING CHANGE IN TECH
THRIVING IN THE GEN AI ERA: NAVIGATING CHANGE IN TECHTHRIVING IN THE GEN AI ERA: NAVIGATING CHANGE IN TECH
THRIVING IN THE GEN AI ERA: NAVIGATING CHANGE IN TECH
 
Maven Central++ What's happening at the core of the Java supply chain
Maven Central++ What's happening at the core of the Java supply chainMaven Central++ What's happening at the core of the Java supply chain
Maven Central++ What's happening at the core of the Java supply chain
 
GIDS-2023 A New Hope for 2023? What Developers Must Learn Next
GIDS-2023 A New Hope for 2023? What Developers Must Learn NextGIDS-2023 A New Hope for 2023? What Developers Must Learn Next
GIDS-2023 A New Hope for 2023? What Developers Must Learn Next
 
A new hope for 2023? What developers must learn next
A new hope for 2023? What developers must learn nextA new hope for 2023? What developers must learn next
A new hope for 2023? What developers must learn next
 
Stop Security by Sleight Of Hand.pptx
Stop Security by Sleight Of Hand.pptxStop Security by Sleight Of Hand.pptx
Stop Security by Sleight Of Hand.pptx
 
Superman or Ironman - can everyone be a 10x developer?
Superman or Ironman - can everyone be a 10x developer?Superman or Ironman - can everyone be a 10x developer?
Superman or Ironman - can everyone be a 10x developer?
 
The Secret Life of Maven Central
The Secret Life of Maven CentralThe Secret Life of Maven Central
The Secret Life of Maven Central
 
The Secret Life of Maven Central.pptx
The Secret Life of Maven Central.pptxThe Secret Life of Maven Central.pptx
The Secret Life of Maven Central.pptx
 
Devoxx France 2022: Game Over or Game Changing? Why Software Development May ...
Devoxx France 2022: Game Over or Game Changing? Why Software Development May ...Devoxx France 2022: Game Over or Game Changing? Why Software Development May ...
Devoxx France 2022: Game Over or Game Changing? Why Software Development May ...
 
Log4Shell - Armageddon or Opportunity.pptx
Log4Shell - Armageddon or Opportunity.pptxLog4Shell - Armageddon or Opportunity.pptx
Log4Shell - Armageddon or Opportunity.pptx
 
DevnexusRansomeware.pptx
DevnexusRansomeware.pptxDevnexusRansomeware.pptx
DevnexusRansomeware.pptx
 
Game Over or Game Changing? Why Software Development May Never be the same again
Game Over or Game Changing? Why Software Development May Never be the same againGame Over or Game Changing? Why Software Development May Never be the same again
Game Over or Game Changing? Why Software Development May Never be the same again
 
Cybercrime and the developer 2021 style
Cybercrime and the developer 2021 styleCybercrime and the developer 2021 style
Cybercrime and the developer 2021 style
 
Agile Islands 2020 - Dashboards and Culture
Agile Islands 2020 - Dashboards and CultureAgile Islands 2020 - Dashboards and Culture
Agile Islands 2020 - Dashboards and Culture
 
LJC Speaker Clnic June 2020
LJC Speaker Clnic June 2020LJC Speaker Clnic June 2020
LJC Speaker Clnic June 2020
 
Agile Tour London 2018: DASHBOARDS AND CULTURE – HOW OPENNESS CHANGES YOUR BE...
Agile Tour London 2018: DASHBOARDS AND CULTURE – HOW OPENNESS CHANGES YOUR BE...Agile Tour London 2018: DASHBOARDS AND CULTURE – HOW OPENNESS CHANGES YOUR BE...
Agile Tour London 2018: DASHBOARDS AND CULTURE – HOW OPENNESS CHANGES YOUR BE...
 
Beyond the Pi: What’s Next for the Hacker in All of Us?
Beyond the Pi: What’s Next for the Hacker in All of Us?Beyond the Pi: What’s Next for the Hacker in All of Us?
Beyond the Pi: What’s Next for the Hacker in All of Us?
 
Eclipse OpenJ9 - SpringOne 2018 Lightning talk
Eclipse OpenJ9 - SpringOne 2018 Lightning talkEclipse OpenJ9 - SpringOne 2018 Lightning talk
Eclipse OpenJ9 - SpringOne 2018 Lightning talk
 
SkillsMatter June 2018: Java in the 21st Century: Are You Thinking Far Enough...
SkillsMatter June 2018: Java in the 21st Century: Are You Thinking Far Enough...SkillsMatter June 2018: Java in the 21st Century: Are You Thinking Far Enough...
SkillsMatter June 2018: Java in the 21st Century: Are You Thinking Far Enough...
 

Dernier

Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 

Dernier (20)

Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 

A Modern Fairy Tale: Java Serialization

  • 1. A Modern Fairy Tale: Java Serialization @spoole167
  • 2. Steve Poole Developer Advocate, IBM JVM Developer Open Source Advocate DevOps Practitioner (whatever that means!) Driving Change
  • 3. A Modern Fairy Tale: Java Serialization
    • Why we still need serialization and where we use it.
    • How the built-in design is flawed
    • How it is being exploited and used against us.
    • How to work against the dark arts rallied against us
    • How even the alternative forms of Java serialization can still be open to attack.
  • 4. Why do we need serialization?
  • 5.
  • 6. Common serialization uses: Java Persistence API (JPA), Remote EJB, Remote Method Invocation (RMI), Java Management Extensions (JMX), Contexts and Dependency Injection (CDI), HTTP cookies, HTML Forms, REST Services
  • 7. Anywhere you find ObjectInputStream
  • 8. Java Serialization is easy to use
    implements java.io.Serializable;
    You just have to opt in….
  • 9. Java Serialization is easy to use
    FileOutputStream fos = new FileOutputStream(output);
    ObjectOutputStream oos = new ObjectOutputStream(fos);
    oos.writeObject(m);
    FileInputStream fis = new FileInputStream(input);
    ObjectInputStream ois = new ObjectInputStream(fis);
    Thing t = (Thing) ois.readObject();
    Then it’s easy to save and restore objects
  • 10. If you don’t opt in:
    java.io.NotSerializableException:
    at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1184)
    at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:348)
  • 11. Java Serialization is a useful and relatively easy to use technology. There might just be some side effects
  • 12. Example
    OC1 example = new OC1();
    oos.writeObject(example);
    public class OC1 implements Serializable {
        private String hello = "hello";
    }
    0000000 ac ed 00 05 73 72 00 15 6f 63 31 2e 73 65 72 69 | ....sr..oc1.seri
    0000010 61 6c 69 73 61 74 69 6f 6e 2e 4f 43 31 ab 5a a9 | alisation.OC1.Z.
    0000020 59 37 9f 03 ef 02 00 01 4c 00 05 68 65 6c 6c 6f | Y7......L..hello
    0000030 74 00 12 4c 6a 61 76 61 2f 6c 61 6e 67 2f 53 74 | t..Ljava/lang/St
    0000040 72 69 6e 67 3b 78 70 74 00 05 68 65 6c 6c 6f | ring;xpt..hello
  • 13 to 25. The same class and hex dump as slide 12, built up one element at a time, with the stream elements labelled in order:
    public class OC1 implements Serializable {
        private String hello = "hello";
    }
    0000000 ac ed 00 05 73 72 00 15 6f 63 31 2e 73 65 72 69 | ....sr..oc1.seri
    0000010 61 6c 69 73 61 74 69 6f 6e 2e 4f 43 31 ab 5a a9 | alisation.OC1.Z.
    0000020 59 37 9f 03 ef 02 00 01 4c 00 05 68 65 6c 6c 6f | Y7......L..hello
    0000030 74 00 12 4c 6a 61 76 61 2f 6c 61 6e 67 2f 53 74 | t..Ljava/lang/St
    0000040 72 69 6e 67 3b 78 70 74 00 05 68 65 6c 6c 6f | ring;xpt..hello
    <STREAM_MAGIC><STREAM_VERSION><TC_OBJECT><TC_CLASSDESC><UTF8-ClassName><serial-version-id><flags><field count><field type(Object)><UTF8-FieldName><Class Name><flags><UTF8-String value>
  • 26. Element            Value
        STREAM_MAGIC       0xacdc
        STREAM_VERSION     0x0005
        TC_OBJECT          0x73
        TC_CLASSDESC       0x72
        UTF8-ClassName     oc1.serialisation.OC1
        serial-version-id  0xab5aa959379f03ef
        flags              0x02
        field count        0x0001
        field type         ‘L’
        UTF8-FieldName     ‘hello’
        Class Name         ‘java.lang.String’
        flags              0x787074
        UTF8-String value  ‘hello’
  • 27. (same table) serial-version-id: a check that you’re talking about the same class
  • 28. (same table) The actual contents of the instance are self-defining
  • 29. Serialization allows you to easily turn a graph of objects into a transferable form – and back again @spoole167
  • 30. What happens if I do this?
        Element            Value
        STREAM_MAGIC       0xacdc
        STREAM_VERSION     0x0005
        TC_OBJECT          0x73
        TC_CLASSDESC       0x72
        UTF8-ClassName     oc1.serialisation.OC1
        serial-version-id  0xab5aa959379f03ef
        flags              0x02
        field count        0x0001
        field type         ‘I’
        UTF8-FieldName     ‘hello’
        Class Name         ‘java.lang.Number’
        flags              0x787074
        Integer value      0x0001
  • 31. “java.lang.ClassCastException: cannot assign instance of java.lang.Integer to field oc1.serialisation.OC1.hello of type java.lang.String in instance of oc1.serialisation.OC1”
  • 32. Are we safe from changes to the serialization stream then?
  • 33. public class OC1 { private String hello = "hello"; }
        Element     Value
        field name  hello
        field type  L
        class name  java.lang.String
        value       hello
    public class OC1 { private Object hello = "hello"; }
        Element     Value
        field name  hello
        field type  L
        class name  java.lang.Object
        value       hello
  • 34. public class OC1 { private Object hello = "hello"; }
    With the field typed as Object, the stream can supply any of these:
        field name hello, field type L, class name java.lang.Object, value hello
        field name hello, field type [, class name java.lang.Array, value 1,2,3,4
        field name hello, field type [, class name HashMap, value A=1,B=2
        field name hello, field type L, class name Any class name, value Any value
  • 35. Why is a self defining data stream dangerous?
  • 36. public class Foo {
        static { System.out.println("static initialiser called"); }
        public Foo() { System.out.println("object constructor called"); }
    }
    What happens when we run “new Foo()”?
  • 37. (same class) Output:
    static initialiser called
    object constructor called
  • 38. What happens if we do this in our serialized form?
    public class OC1 { private String hello = "hello"; }
        Element         Value
        field type      ‘L’
        UTF8-FieldName  ‘hello’
        Class Name      ‘org.random.Foo’
  • 39. public class Foo implements Serializable {
        static { System.out.println("static initialiser called"); }        // A
        public Foo() { System.out.println("object constructor called"); }  // B
    }
    What gets called - A, B, both or neither?
  • 40. What gets called - A, B, both or neither?
    output: static initialiser called
    exception: “Exception in thread "main" java.lang.ClassCastException: cannot assign instance of org.random.Foo to field oc1.serialisation.OC1.hello of type java.lang.String in instance of oc1.serialisation.OC1”
  • 41. Java Deserialization can be used to execute code even if it eventually fails. That’s still useful to the bad guys.
  • 42. We’ve just learnt that constructors do not get called during deserialization
    public class Foo implements Serializable {
        private int data[];
        public Foo() { data = new int[] {1,2,3,4}; }
        public int size() { return data.length; }
    }
    What happens here?
  • 43. Valid stream:
        Element            Value
        STREAM_MAGIC       0xacdc
        STREAM_VERSION     0x0005
        TC_OBJECT          0x73
        TC_CLASSDESC       0x72
        UTF8-ClassName     oc1.serialisation.OC1
        serial-version-id  0xab5aa959379f03ef
        flags              0x02
        field count        0x0001
        field type         ‘[’
        UTF8-FieldName     ‘data’
        Element Type       I
        Element Count      0x04
        Values             1,2,3,4
  • 44. (same class as slide 42) The answer is 4?
  • 45. What happens if I do this?
        Element            Value
        STREAM_MAGIC       0xacdc
        STREAM_VERSION     0x0005
        TC_OBJECT          0x73
        TC_CLASSDESC       0x72
        UTF8-ClassName     oc1.serialisation.OC1
        serial-version-id  0xab5aa959379f03ef
        flags              0x02
        field type         null
        UTF8-FieldName     ‘data’
  • 46. (same class as slide 42) The code in the constructor never gets called
  • 47. (same class as slide 42) So NPE!
  • 48. And it’s not just “implements Serializable” instances that are at risk
  • 50. ”new SubClass()” vs. Deserialise SubClass (output of the two cases, as captured in the transcript):
    in Parent class init
    in foo class init
    in Parent constructor
    in Parent class init
    in SubClass class init
    in Parent constructor
    in SubClass constructor
  • 52. public interface IFoo { }
    public class FooImpl implements IFoo { }
    Is FooImpl serializable?
  • 53. public interface IFoo extends Serializable { }
    public class FooImpl implements IFoo { }
    Is FooImpl serializable? - it is now!
  • 54. Java serialization is a great gift to the bad guys @spoole167
  • 55. How many serialization vulnerabilities are there?
  • 56.
  • 57. Can we be safer?
  • 58. Classes can opt in to customizing deserialization and take more control: public class Log implements Serializable { private File logfile; private transient FileOutputStream los; private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException { in.defaultReadObject(); los = new FileOutputStream(logfile); } }
  • 59. But that can still be used against them. Same class, crafted stream: field logfile, value /etc/passwd. readObject opens the attacker’s path with FileOutputStream, which truncates the file if it exists, so a process with the permission empties /etc/passwd simply by deserializing the stream.
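A hardened form of the Log class from slides 58 and 59, added here and not the deck’s own code: the stream-supplied path is validated with the same routine the constructor uses, the stream is rejected with InvalidObjectException when it fails, and the file is opened only when the object is actually used rather than inside readObject. The base directory /var/log/myapp and the .log suffix rule are assumptions for the demo.

```java
import java.io.*;
import java.nio.file.*;

// Added example (not from the slides): the slide's Log class with the stream-supplied
// path confined to an allowed directory and no filesystem side effects in readObject.
public class Log implements Serializable {
    private static final long serialVersionUID = 1L;
    // Assumed base directory for the demo.
    private static final Path BASE = Paths.get("/var/log/myapp").toAbsolutePath().normalize();

    private File logfile;
    private transient FileOutputStream los;   // never restored from the stream

    public Log(File logfile) {
        this.logfile = confine(logfile);
    }

    // One validation routine, shared by the constructor and by readObject.
    private static File confine(File f) {
        if (f == null) throw new IllegalArgumentException("logfile required");
        Path p = f.toPath().toAbsolutePath().normalize();   // resolves ".." before the check
        if (!p.startsWith(BASE) || !p.getFileName().toString().endsWith(".log")) {
            throw new IllegalArgumentException("log file must be a .log under " + BASE);
        }
        return p.toFile();
    }

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        try {
            logfile = confine(logfile);
        } catch (IllegalArgumentException e) {
            throw new InvalidObjectException(e.getMessage());   // reject the stream, open nothing
        }
        // Deliberately no FileOutputStream here: acting on attacker-controlled data during
        // deserialization is the bug on slide 59.
    }

    // Side effects happen only when the restored object is used.
    synchronized FileOutputStream stream() throws IOException {
        if (los == null) los = new FileOutputStream(logfile, true);   // append, never truncate
        return los;
    }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new Log(new File("/var/log/myapp/app.log")));
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            System.out.println("restored: " + ((Log) ois.readObject()).logfile);
        }
        try {
            new Log(new File("/var/log/myapp/../../../etc/passwd"));   // traversal attempt
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

normalize() handles ".." segments but not symlinks; if the file already exists, toRealPath() gives the stronger check. The important structural change is that readObject only validates and never opens anything.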
  • 60. Other ways to reduce exposure: opt out of being deserialized. private final void readObject(ObjectInputStream in) throws java.io.IOException { throw new java.io.IOException("forbidden"); } The class is still Serializable (because a superclass or interface made it so) but refuses every stream. It has to be added to every such class, and it does not protect classes you do not control.
  • 61. Other ways to reduce exposure: implement class filtering (JEP 290, in Java 9 and backported to 8u121). // reject deserialisation of any class belonging to untrustedmodule, and of any array with more than 500 items in it: jdk.serialFilter=!untrustedmodule/.**;maxarray=500 // allow classes from package com.myorg.trusted, but not from its subpackages: jdk.serialFilter=com.myorg.trusted.* A class that matches no pattern is UNDECIDED and is therefore accepted, so an allow-list must end with !* to reject everything else. The property is set with -Djdk.serialFilter=… or in conf/security/java.security, or per stream with ObjectInputStream.setObjectInputFilter.
  • 62. Other ways to reduce exposure: implement your own ObjectInputStream. Override resolveClass() to allow only the classes you expect; it runs when the class descriptor is read, before any instance of the class exists.
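The two mechanisms of slides 61 and 62 in working form, added here and not the deck’s own code: a JEP 290 ObjectInputFilter (Java 9+, 8u121+) built from the same pattern language as jdk.serialFilter, and an ObjectInputStream subclass whose resolveClass() enforces an allow-list on any JDK. AllowedPacket and the use of an empty HashMap as the “unexpected” class are assumptions for the demo.

```java
import java.io.*;
import java.util.*;

// Added example (not from the slides): restrict which classes readObject may instantiate,
// once with the JEP 290 filter and once with a resolveClass() override.
public class FilteredInput {

    // The one DTO we expect (assumption for the demo); everything else is refused.
    public static final class AllowedPacket implements Serializable {
        private static final long serialVersionUID = 1L;
        String name; int size;
    }

    // 1. JEP 290 filter. The trailing "!*" matters: classes matching no pattern are
    //    UNDECIDED and would otherwise be accepted.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxarray=500;" + AllowedPacket.class.getName() + ";!*");

    static Object readWithFilter(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();          // InvalidClassException if the filter rejects
        }
    }

    // 2. Look-ahead stream: resolveClass runs when the class descriptor is read, before any
    //    instance exists, so a gadget's readObject never gets the chance to fire.
    static final class LookAheadObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        LookAheadObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on the deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    static Object readWithLookAhead(byte[] bytes) throws IOException, ClassNotFoundException {
        Set<String> allowed = new HashSet<>(Arrays.asList(AllowedPacket.class.getName()));
        try (ObjectInputStream ois =
                     new LookAheadObjectInputStream(new ByteArrayInputStream(bytes), allowed)) {
            return ois.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        AllowedPacket p = new AllowedPacket(); p.name = "foobar"; p.size = 1;
        System.out.println("allowed: " + ((AllowedPacket) readWithFilter(serialize(p))).name);

        // An empty HashMap is harmless by itself, but HashMap is the entry point of several
        // published gadget chains; a strict allow-list refuses it like any other surprise.
        byte[] map = serialize(new HashMap<String, String>());
        for (int i = 0; i < 2; i++) {
            try {
                if (i == 0) readWithFilter(map); else readWithLookAhead(map);
            } catch (InvalidClassException e) {
                System.out.println((i == 0 ? "filter" : "look-ahead") + " rejected: " + e.getMessage());
            }
        }
    }
}
```

Prefer the filter where the JDK supports it: it is also consulted for arrays, depth and reference counts, which resolveClass() alone does not see. Both approaches only help if every ObjectInputStream in the process, including those created by frameworks and dependencies, goes through them, which is why the process-wide jdk.serialFilter property is the better default.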
  • 63. Other ways to reduce exposure: use modularity to reduce the classes available. A gadget chain can only be built from classes that are loadable in your process, so every library you do not ship is a gadget the attacker cannot use.
  • 64. Other ways to reduce exposure: create a deliberate data transfer model. public final class Packet implements Serializable { String name; int size; List<ChildPacket> kids; } (diagram: complicated internal data structures → converter → Packet). Only the simple, validated transfer classes ever touch the stream.
  • 65. Other ways to reduce exposure: and maybe stop using native serialization at all. { "name" : "foobar", "size" : 1, "kids" : [ { }, { } ] } (diagram: complicated internal data structures → converter → JSON).
  • 66. Switching to alternatives is not a panacea. JSON and XML mappers that let the document name the class to instantiate (for example Jackson with default typing enabled, or XStream) have had the same family of gadget-chain exploits.
  • 67. Protecting yourself against serialization exploits is hard. And remember: it’s not just your code, it’s all of your dependencies too!
  • 68. The self-describing design of Java serialization is open to exploitation. It’s all about running the code you already have, just not in the way you expected, or changing your data to invalid but useful values. How do the bad guys do this?
  • 70. Data-level denial of service through the stream itself
  • 71. Element / Value: STREAM_MAGIC 0xaced; STREAM_VERSION 0x0005; TC_OBJECT 0x73; TC_CLASSDESC 0x72; UTF8 class name oc1.serialisation.OC1; serial-version-id 0xab5aa959379f03ef; flags 0x02; field count 0x0001; field type ‘[’; UTF8 field name ‘data’; element type I; element count MAX_INT; values: none. ObjectInputStream allocates the array at the declared length before it reads a single element, so a few dozen bytes of input cause a multi-gigabyte allocation (OutOfMemoryError or a long stall) unless a size limit such as maxarray is in force.
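The attack on slides 70 and 71 reproduced on a real stream, as an added example that is not part of the deck: a legitimate stream holding int[]{1,2,3,4} has its 4-byte element count rewritten to Integer.MAX_VALUE, and the JDK is shown refusing it up front once a maxarray limit is set. The offset arithmetic assumes the primitive array is the last object in the stream.

```java
import java.io.*;

// Added example (not from the slides): patch the array-length word of a valid stream to
// MAX_INT and show the JEP 290 size limit rejecting it before any allocation happens.
public class ArrayLengthDos {

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // For a stream whose last object is a primitive int[] of n elements, the 4-byte element
    // count sits immediately before the n*4 bytes of values: offset = length - 4*n - 4.
    static byte[] withArrayLength(byte[] stream, int n, int claimedLength) {
        byte[] out = stream.clone();
        int off = out.length - 4 * n - 4;
        out[off]     = (byte) (claimedLength >>> 24);
        out[off + 1] = (byte) (claimedLength >>> 16);
        out[off + 2] = (byte) (claimedLength >>> 8);
        out[off + 3] = (byte) claimedLength;
        return out;
    }

    static Object read(byte[] bytes, String filterPattern) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            if (filterPattern != null) {
                ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(filterPattern));
            }
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        int[] data = {1, 2, 3, 4};
        byte[] good = serialize(data);
        System.out.println("valid stream: " + ((int[]) read(good, null)).length + " elements");

        byte[] evil = withArrayLength(good, data.length, Integer.MAX_VALUE);
        // ObjectInputStream.readArray allocates the array at the claimed length before reading
        // any element. Without a limit this is an ~8 GiB request from a stream of 43 bytes and
        // ends in OutOfMemoryError; with maxarray set, the filter rejects the length first.
        try {
            read(evil, "maxarray=500");
        } catch (InvalidClassException e) {
            System.out.println("rejected before allocation: " + e.getMessage());
        }
    }
}
```

The same filter string can be set process-wide with -Djdk.serialFilter=maxarray=500 so that streams read by libraries you do not control get the limit too; maxdepth, maxrefs and maxbytes cover the other resource-exhaustion shapes (deep nesting, reference loops, sheer size).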
  • 74. How bad is the situation though – it’s really hard to create gadget chains.
  • 79. Discovery – Jenkins version 2.56
  • 84. Impressive amount of tools and collateral out there – but does it really matter? How much risk are we taking by ignoring the problem?
  • 85. In 2016 cybercrime was estimated to be worth 450 billion dollars. In the same year the illicit drug trade was estimated at 435 billion dollars. Cybercrime is the most profitable type of crime.
  • 86. Cybercrime is the most profitable type of crime. • Guess which one has the least risk to the criminal? • Guess which is growing the fastest? • Guess which one is the hardest to prosecute? • Guess which one is predicted to reach 2100 billion dollars by 2019? • Guess which one is predicted to reach 6000 billion dollars by 2021?
  • 87. (chart: estimated annual value in billions of dollars, 2013 to 2021, cybercrime versus the drug trade)
  • 88. That’s about $600 for every person on the planet. In the US it’s about $8000 each.
  • 89. Don’t agree? “The bad guys prey on the weak, vulnerable and ignorant.” That’s you.
  • 90. Ever googled for: “very trusting trust manager”, “Getting Java to accept all certs over HTTPS”, “How to Trust Any SSL Certificate”, “Disable Certificate Validation in Java”?
  • 91. Ever written something like this? TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() { public X509Certificate[] getAcceptedIssuers() { return null; } public void checkClientTrusted(X509Certificate[] certs, String authType) { } public void checkServerTrusted(X509Certificate[] certs, String authType) { } public boolean isClientTrusted(X509Certificate[] cert) { return true; } public boolean isServerTrusted(X509Certificate[] cert) { return true; } } }; Every check is a no-op, so any certificate, self-signed or forged, is accepted and the connection can be intercepted.
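The correct counterpart to the trust-everything manager above, added here and not part of the deck: an SSLContext whose TrustManager validates chains against an explicit truststore, plus hostname verification for raw SSLSockets, which the JDK leaves off unless asked. The truststore path, its password and the host name are assumptions for the demo.

```java
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.security.KeyStore;

// Added example (not from the slides): trust only the CAs in a named truststore and verify
// the hostname, instead of stubbing out X509TrustManager.
public final class StrictTls {

    // Build an SSLContext whose TrustManager validates chains against the given truststore only.
    public static SSLContext contextTrusting(String truststorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());   // PKCS12 on current JDKs
        try (FileInputStream in = new FileInputStream(truststorePath)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);                                   // the JDK's PKIX validator, not a stub
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // HttpsURLConnection verifies the hostname by itself; a bare SSLSocket does not unless asked.
    public static SSLSocket connect(SSLContext ctx, String host, int port) throws Exception {
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");   // certificate must match 'host'
        socket.setSSLParameters(params);
        socket.startHandshake();                              // SSLHandshakeException on a bad chain
        return socket;
    }

    public static void main(String[] args) throws Exception {
        // Assumed truststore, password and host for the demo.
        SSLContext ctx = contextTrusting("/etc/myapp/truststore.p12", "changeit".toCharArray());
        try (SSLSocket s = connect(ctx, "internal.example.com", 443)) {
            System.out.println("negotiated " + s.getSession().getProtocol()
                    + " with " + s.getSession().getPeerPrincipal());
        }
    }
}
```

If the real problem is an internal CA, the fix is to import that CA’s certificate into the truststore passed here; the trust manager itself never needs to change.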
  • 92–95. We’ve all done something like that. We do it all the time. The whole world does it. How bad can it be? Github search “implements TrustManager” ….
  • 96. We’ve found 72,609 code results AlwaysValidTrustManager TrustAllServersWrappingTrustManager A very friendly, accepting trust manager factory. Allows anything through. all kind of certificates are accepted and trusted. A very trusting trust manager that accepts anything // Install the all-trusting trust manager OverTrustingTrustProvider AllTrustingSecurityManagerPlugin.java AcceptingTrustManagerFactory.java AllTrustingCertHttpRequester.java
  • 97. Search github for “implements serializable”
  • 99. Today Java serialization use is widespread. Java Persistence API (JPA) Remote EJB Remote Method Invocation (RMI) Java Management Extensions (JMX) Contexts and Dependency Injection (CDI) HTTP cookies HTML Forms REST Services
  • 100. Much as you’d like to, you can’t escape.
  • 101. Reality • As developers we all need to wake up to our responsibilities to design and code secure software. • The bad guys exploit our ignorance and lack of attention
  • 102. Games & Drinks on Us Please join our IBM Java devs on Wednesday after the community keynote for some drinks and video games! Coin-Op Game Room 508 4th St 7:30pm drinks 8:00pm light food, and quarters for games Here There Ibm.biz/javaparty