OWASP defines serialization as the process of disassembling an object into a sequence of bits for easier storage and transportation. Deserialization is the reassembly of bits into an object.

OWASP recently added A8 Insecure Deserialization to the OWASP Top 10 2017.

Insecure deserialization flaws occur when an application receives hostile serialized objects. Insecure deserialization often leads to remote code execution. Even when a deserialization flaw does not result in remote code execution, serialized objects can be replayed, tampered with or deleted to spoof users, conduct injection attacks, and elevate privileges.

Since many apps that accept serialized objects do not validate or check untrusted input before deserializing it, attackers can inject malicious objects into a data stream and have them executed on the app server. Deserialization vulnerabilities affect virtually all apps that accept serialized Java objects and give attackers a way to gain complete remote control of an app server.

Several major middleware products including WebSphere, WebLogic and JBoss are vulnerable to these attacks.

Both blacklisting and whitelisting can be used, but they have significant shortcomings.
Blacklisting completely disables the vulnerable classes even if they must be used for legitimate functionality, which often breaks applications.
Whitelisting requires profiling, does not scale and is difficult to manage in enterprise environments.
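As an added example (not Waratek's code and not part of the original post), the whitelisting approach described above expressed with the JDK's own ObjectInputFilter (JEP 290, Java 9 and later): an allow-list of the classes an endpoint expects, combined with depth, reference and byte limits. The Order class, the limit values and the class names in the list are hypothetical; the filter rejects any class not on the list before its constructor or readObject() can run.

```java
import java.io.*;
import java.util.Set;

public class SafeDeserializer {
    // Hypothetical application DTO: the only application class this endpoint expects.
    static final class Order implements Serializable {
        final String id; final int quantity;
        Order(String id, int quantity) { this.id = id; this.quantity = quantity; }
    }

    // The whitelist. Every class not listed here (including any gadget-chain class) is refused.
    static final Set<Class<?>> ALLOWED = Set.of(Order.class, String.class);

    // Allow-list filter plus resource limits (object-graph depth, back references, stream bytes).
    static ObjectInputFilter allowListFilter(long maxDepth, long maxRefs, long maxBytes) {
        return info -> {
            if (info.depth() > maxDepth || info.references() > maxRefs
                    || info.streamBytes() > maxBytes) return ObjectInputFilter.Status.REJECTED;
            Class<?> c = info.serialClass();
            if (c == null) return ObjectInputFilter.Status.UNDECIDED; // limit-only callback, no class
            while (c.isArray()) c = c.getComponentType();             // judge arrays by element type
            return c.isPrimitive() || ALLOWED.contains(c)
                    ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
        };
    }

    // Deserialize with the filter installed; the limits are hypothetical values for this example.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(allowListFilter(10, 100, 16 * 1024));
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Order ok = (Order) readFiltered(serialize(new Order("A-1", 3)));
        System.out.println("accepted: " + ok.id + " x" + ok.quantity);
        try {   // a HashMap is harmless in itself, but it is not on the list, so it is refused
            readFiltered(serialize(new java.util.HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same allow-list can be installed process-wide through the jdk.serialFilter system property instead of per stream, which is the form that enterprise deployments usually find hard to profile and maintain.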

Waratek uses a virtualization-based approach to runtime application self-protection (RASP). This allows us to create a smart, restricted compartment that prevents malicious operations from executing. Our deserialization protection capability is activated when deserialization occurs and is automatically disabled once it has completed.

With this feature, Waratek not only remediates the Deserialization vulnerability and its various payloads and variations, but also addresses the following CWEs:

CWE-502: Deserialization of Untrusted Data
CWE-674: Uncontrolled Recursion
CWE-799: Improper Control of Interaction Frequency
CWE-400: Uncontrolled Resource Consumption (‘Resource Exhaustion’)
CWE-770: Allocation of Resources Without Limits or Throttling
CWE-648: Incorrect Use of Privileged APIs

Waratek’s approach offers significantly improved security protection without increasing deployment or operational complexity. It also:

  • Is compatible with legacy applications that depend on the vulnerable classes. This is achieved by allowing the vulnerable classes to be used safely if their use does not alter or damage the system.
  • Produces no false positives or false negatives
  • Reduces the risk of breaking the application
  • Does not require application profiling
  • Does not require blacklisting or whitelisting
  • Protects against Denial of Service, deferred-execution and lateral attacks
  • Can be actively deployed and works in either allow or deny mode
  • Does not require separate rules for separate exploits. For example, a single rule mitigates all ysoserial exploits (27 out of 27). Blacklisting only mitigates exploits with external dependencies. Blacklisting the InvokerTransformer mitigates only 6 out of 27 ysoserial exploits.
  • Protects against any unpublished, zero-day exploit with no code changes

The Deserialization Problem

What is the Deserialization vulnerability and what are the challenges in providing a solution?