ODDFuzz: Discovering Java Deserialization Vulnerabilities via Structure-Aware Directed Greybox Fuzzing

Cao, Sicong; He, Bin; Sun, Xiaoying; Ouyang, Yu; Zhang, Chao; Wu, Xiaoxue; Su, Ting; Bo, Lili; Li, Bin; Ma, Chuanlei; Li, Jiajia; Tao, Wei

doi:10.1109/sp46215.2023.10179377

Cited by 9 publications

(2 citation statements)

References 43 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Automated deserialization exploit generation Automatically generating payloads for exploiting deserialization vulnerabilities has been explored by several works. Cao et al suggested ODDFUZZ [9] for using structured information for generating POP exploits for Java projects with deserialization vulnerabilities. ysoserial [15] is a tool that generates exploit objects using known POP gadgets in specific Java applications.…”

Section: Related Workmentioning

confidence: 99%

QUACK: Hindering Deserialization Attacks via Static Duck Typing

David,

Christou,

Kellas

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Managed languages facilitate convenient ways for serializing objects, allowing applications to persist and transfer them easily, yet this feature opens them up to attacks. By manipulating serialized objects, attackers can trigger a chained execution of existing code segments, using them as gadgets to form an exploit. Protecting deserialization calls against attacks is cumbersome and tedious, leading to many developers avoiding deploying defenses properly. We present QUACK, a framework for automatically protecting applications by fixing calls to deserialization APIs. This "binding" limits the classes allowed for usage in the deserialization process, severely limiting the code available for (ab)use as part of exploits. QUACK computes the set of classes that should be allowed using a novel static duck typing inference technique. In particular, it statically collects all statements in the program code that manipulate objects after they are deserialized, and puts together a filter for the list of classes that should be available at runtime. We have implemented QUACK for PHP and evaluated it on a set of applications with known CVEs, and popular applications crawled from GitHub. QUACK managed to fix the applications in a way that prevented any attempt at automatically generating an exploit against them, by blocking, on average, 97% of the application's code that could be used as gadgets. We submitted a sample of three fixes generated by QUACK as pull requests, and their developers merged them.

show abstract

Section: Related Workmentioning

confidence: 99%

QUACK: Hindering Deserialization Attacks via Static Duck Typing

David,

Christou,

Kellas

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Nevertheless, some inadequacies persist [13,[21][22][23][24][25]. Firstly, while some fuzzers provide more accurate definitions for distance metrics, they neglect the fact that distinct branches may have varying arrival probabilities in certain situations.…”

Section: Introductionmentioning

confidence: 99%

WolfFuzz: A Dynamic, Adaptive, and Directed Greybox Fuzzer

Zeng,

Xiong,

et al. 2024

Electronics

View full text Add to dashboard Cite

As the directed greybox fuzzing (DGF) technique advances, it is being extensively utilized in various fields such as defect reproduction, patch testing, and vulnerability identification. Nevertheless, current DGFs waste a significant amount of resources due to their simplistic distance definitions and overly straightforward energy distribution for the seeds. To address these issues, a dynamic distance-weighting-based distance estimation strategy is proposed first, which facilitates strategies for seed distribution that take energy into consideration. Second, to overcome the limitations of current seed energy distribution strategies, the gray wolf optimizer (GWO) is improved by integrating four strategies, leading to the development of the improved gray wolf optimizer (IGWO). Lastly, an adaptive search algorithm is proposed, and the WolfFuzz prototype tool is implemented. In vulnerability recurrence scenarios, WolfFuzz is 3.2× faster on average compared with the baseline and reproduces 76.4% of existing bugs faster. WolfFuzz also discovers nine different types of bugs in seven real-world programs.

show abstract

Rev Gadget: A Java Deserialization Gadget Chains Discover Tool Based on Reverse Semantics and Taint Analysis

Luo,

Cui

2024

Lecture Notes on Data Engineering and Communications Technologies

View full text Add to dashboard Cite

ODDFuzz: Discovering Java Deserialization Vulnerabilities via Structure-Aware Directed Greybox Fuzzing

Cited by 9 publications

References 43 publications

QUACK: Hindering Deserialization Attacks via Static Duck Typing

QUACK: Hindering Deserialization Attacks via Static Duck Typing

WolfFuzz: A Dynamic, Adaptive, and Directed Greybox Fuzzer

Rev Gadget: A Java Deserialization Gadget Chains Discover Tool Based on Reverse Semantics and Taint Analysis

Contact Info

Product

Resources

About