Vulnerability of Object-oriented Applications – Problems with Deserialization

Abstract:

The article presents problems related to the use of the object deserialization mechanism, which may introduce vulnerabilities into application code. We analysed various cases of object serialization and deserialization in three of the most commonly used object-oriented programming languages: Java, C# and Python.

We present source code examples that may threaten the operation of an application, and we identify various vulnerabilities in program code developed in these languages. We also present the attack vectors against deserializers that are used to mount further attacks such as DoS, access-control bypass or RCE (Remote Code Execution).

We analysed security mechanisms in the context of malicious code performing dangerous operations that grant unauthorized access to system resources. We indicate mechanisms of protection against known and potential vulnerabilities of applications developed in these languages. The main goal is to identify these vulnerabilities and to identify solutions, in the form of security mechanisms, against such threats.
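The central protection mechanism the abstract refers to is restricting what a deserializer is allowed to reconstruct. The following Python example is added here to illustrate that idea and is not code from the article or its authors. It uses Python's `pickle` module, whose stream format lets the data name arbitrary globals (classes, and the callables that `__reduce__` payloads reference); every such reference is resolved through `Unpickler.find_class`, so overriding that hook with an allowlist denies the deserializer the ability to call code the application never intended. The `Session` class and the sample streams are constructed for the demonstration.

```python
import io
import pickle
from dataclasses import dataclass
from datetime import date


@dataclass
class Session:
    """Application type we are willing to rebuild from an untrusted stream (assumed for the demo)."""
    user: str
    role: str


# Allowlist of (module, qualified name) pairs the unpickler may resolve.
# Built from the class objects themselves so it stays correct regardless of
# the name under which this module is imported.
ALLOWED_GLOBALS = {(Session.__module__, Session.__qualname__)}


class RestrictedUnpickler(pickle.Unpickler):
    """Every global reference in a pickle stream passes through find_class.
    Refusing anything that is not allowlisted rejects the stream before any
    object (or callable named by a __reduce__ payload) is resolved."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is not allowed")


def restricted_loads(data: bytes):
    """Deserialize with the allowlisting unpickler instead of pickle.loads."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_roundtrip():
    """An allowlisted type round-trips normally through the restricted unpickler."""
    stream = pickle.dumps(Session(user="alice", role="viewer"))  # constructed input
    return restricted_loads(stream)


def rejected_global():
    """A stream naming any global outside the allowlist is refused.

    The constructed input references the harmless datetime.date; the point is
    that the check is structural (name-based), not dependent on the payload
    being recognisably malicious.  Returns the error message, or None if the
    stream was (wrongly) accepted."""
    stream = pickle.dumps(date(2024, 1, 1))  # constructed input
    try:
        restricted_loads(stream)
    except pickle.UnpicklingError as exc:
        return str(exc)
    return None


def unrestricted_accepts():
    """For contrast: the stock pickle.loads resolves any global the stream names."""
    stream = pickle.dumps(date(2024, 1, 1))  # constructed input
    return pickle.loads(stream) == date(2024, 1, 1)


if __name__ == "__main__":
    print(safe_roundtrip())
    print(rejected_global())
    print(unrestricted_accepts())
```

The same pattern applies to the other languages the article covers: Java's `ObjectInputFilter` (JEP 290) and .NET's `SerializationBinder` play the role of `find_class` here, letting the application declare which types a stream may instantiate. An allowlist of concrete types is preferable to a denylist of known-dangerous ones, since the latter has to be updated for every newly discovered gadget class.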

Predicting software vulnerabilities is considered an essential step in improving software quality. Such predictions help security engineers anticipate which software components are likely to be defective. Data-mining and machine-learning techniques can be used to identify weaknesses both in completed projects and in new projects that do not yet have enough data. For completed projects, we can use detection techniques based on reliable classifiers.