License: Creative Commons Attribution 3.0 Unported license (CC BY 3.0)
When quoting this document, please refer to the following
DOI: 10.4230/LIPIcs.ECOOP.2017.10
URN: urn:nbn:de:0030-drops-72606
URL: http://dagstuhl.sunsite.rwth-aachen.de/volltexte/2017/7260/


Dietrich, Jens; Jezek, Kamil; Rasheed, Shawn; Tahir, Amjed; Potanin, Alex

Evil Pickles: DoS Attacks Based on Object-Graph Engineering

pdf-format:
LIPIcs-ECOOP-2017-10.pdf (1.0 MB)


Abstract

In recent years, multiple vulnerabilities exploiting the serialisation APIs of various programming languages, including Java, have been discovered. These vulnerabilities can be used to devise injection attacks, exploiting the presence of dynamic programming language features like reflection or dynamic proxies. In this paper, we investigate a new type of serialisation-related vulnerabilities for Java that exploit the topology of object graphs constructed from classes of the standard library in a way that deserialisation leads to resource exhaustion, facilitating denial of service attacks. We analyse three such vulnerabilities that can be exploited to exhaust stack memory, heap memory and CPU time. We discuss the language and library design features that enable these vulnerabilities, and investigate whether these vulnerabilities can be ported to C#, JavaScript and Ruby. We present two case studies that demonstrate how the vulnerabilities can be used in attacks on two widely used servers, Jenkins deployed on Tomcat and JBoss. Finally, we propose a mitigation strategy based on contract injection.

BibTeX - Entry

@InProceedings{dietrich_et_al:LIPIcs:2017:7260,
  author =	{Jens Dietrich and Kamil Jezek and Shawn Rasheed and Amjed Tahir and Alex Potanin},
  title =	{{Evil Pickles: DoS Attacks Based on Object-Graph Engineering}},
  booktitle =	{31st European Conference on Object-Oriented Programming (ECOOP 2017)},
  pages =	{10:1--10:32},
  series =	{Leibniz International Proceedings in Informatics (LIPIcs)},
  ISBN =	{978-3-95977-035-4},
  ISSN =	{1868-8969},
  year =	{2017},
  volume =	{74},
  editor =	{Peter M{\"u}ller},
  publisher =	{Schloss Dagstuhl--Leibniz-Zentrum fuer Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{http://drops.dagstuhl.de/opus/volltexte/2017/7260},
  URN =		{urn:nbn:de:0030-drops-72606},
  doi =		{10.4230/LIPIcs.ECOOP.2017.10},
  annote =	{Keywords: serialisation, denial of service, degradation of service, Java, C#, JavaScript, Ruby, vulnerabilities, library design, collection libraries}
}

Keywords: serialisation, denial of service, degradation of service, Java, C#, JavaScript, Ruby, vulnerabilities, library design, collection libraries
Collection: 31st European Conference on Object-Oriented Programming (ECOOP 2017)
Issue Date: 2017
Date of publication: 16.06.2017

