Automated Discovery of Deserialization Gadget Chains

Conference: BlackHat USA 2018



The talk discusses the importance of understanding gadget chains in deserialization vulnerabilities and introduces a tool that automatically finds gadget chains in Java applications.
  • Gadget chains are important to understand because replacing the IPC mechanisms of existing applications can be difficult and expensive, so knowing whether a given deserialization vulnerability is actually exploitable matters
  • Tools like ysoserial and marshalsec can help identify known gadget chains in open source libraries, but may not be able to identify gadget chains unique to a specific application
  • The speaker introduces a tool they developed that uses static analysis to automatically find gadget chains in Java applications
  • The tool was able to identify a sophisticated gadget chain in a real-world application that allowed for arbitrary code execution
  • The speaker believes that better tools are needed to understand the risk profile of deserialization vulnerabilities in Java applications
The speaker shares an anecdote about a gadget chain they discovered in a real-world application that allowed for arbitrary code execution and exfiltration of secrets. The tool they developed was able to identify the gadget chain in just a few minutes, demonstrating the usefulness of automatic gadget chain detection.


Although vulnerabilities stemming from the deserialization of untrusted data have been understood for many years, unsafe deserialization continues to be a vulnerability class that isn't going away. Attention on Java deserialization vulnerabilities skyrocketed in 2015 when Frohoff and Lawrence published an RCE gadget chain in the Apache Commons library, and as recently as last year's Black Hat, Muñoz and Mirosh presented a survey of dangerous JSON deserialization libraries. While much research and automated detection technology has so far focused on the discovery of vulnerable entry points (i.e. code that deserializes untrusted data), finding a "gadget chain" to actually make the vulnerability exploitable has thus far been a largely manual exercise. In this talk, I present a new technique for the automated discovery of deserialization gadget chains in Java, allowing defensive teams to quickly identify the significance of a deserialization vulnerability and allowing penetration testers to quickly develop working exploits. At the conclusion, I will also be releasing a FOSS toolkit which utilizes this methodology and has been used to successfully develop many deserialization exploits in both internal applications and open source projects.
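A minimal sketch of the idea behind the automated search described in the summary bullets and the abstract, added here as an example; it is not the speaker's tool or code. It treats gadget-chain candidates as reachability in a call graph, from methods the JVM invokes during deserialization on Serializable classes (the sources) to methods that can run arbitrary code (the sinks), so a defender can triage whether an entry point is worth worrying about. The call graph, the class and method names, and the set of Serializable classes are constructed samples; a real analysis would build the graph from bytecode and also track which arguments an attacker controls, which this sketch deliberately omits.

```python
"""Constructed toy: gadget-chain candidates as call-graph reachability."""
from collections import deque

# Constructed call graph: caller -> methods it may call. All app.* names are invented.
CALL_GRAPH = {
    "app.Session.readObject": ["app.Session.restore"],
    "app.Session.restore": ["app.Cache.get", "java.util.Map.get"],
    "app.Cache.get": ["app.Cache.load"],
    "app.Cache.load": ["app.ScriptRunner.run"],
    "app.ScriptRunner.run": ["java.lang.Runtime.exec"],
    "app.Report.hashCode": ["app.Report.render"],
    "app.Report.render": ["java.lang.StringBuilder.append"],
    # Reaches a sink, but app.Job is not Serializable, so it cannot be a gadget.
    "app.Job.readObject": ["app.Util.helper"],
    "app.Util.helper": ["java.lang.Runtime.exec"],
}

# Constructed: classes in the sample that implement java.io.Serializable.
SERIALIZABLE = {"app.Session", "app.Report", "app.Cache", "app.ScriptRunner"}

# Methods the JVM (or common collections) may invoke on an object while
# deserializing an object graph; these are the entry points of any chain.
DESERIALIZATION_TRIGGERS = {
    "readObject", "readResolve", "hashCode", "equals", "compareTo", "toString",
}

# Sinks: calls that execute code if their arguments are attacker-controlled.
SINKS = {
    "java.lang.Runtime.exec",
    "java.lang.ProcessBuilder.start",
    "java.lang.reflect.Method.invoke",
}


def owner_class(method):
    """'app.Session.readObject' -> 'app.Session'."""
    return method.rsplit(".", 1)[0]


def method_name(method):
    """'app.Session.readObject' -> 'readObject'."""
    return method.rsplit(".", 1)[1]


def find_sources(graph, serializable):
    """Trigger methods on Serializable classes: only these can start a chain."""
    return sorted(
        m for m in graph
        if owner_class(m) in serializable and method_name(m) in DESERIALIZATION_TRIGGERS
    )


def shortest_chain(graph, source, sinks, max_depth=8):
    """Breadth-first search; returns the shortest call path from source to a sink, or None.

    max_depth bounds the walk so cycles or a huge graph do not blow up the search.
    """
    queue = deque([[source]])
    seen = {source}
    while queue:
        path = queue.popleft()
        if path[-1] in sinks:
            return path
        if len(path) > max_depth:
            continue
        for callee in graph.get(path[-1], []):
            if callee not in seen:
                seen.add(callee)
                queue.append(path + [callee])
    return None


def find_gadget_chains(graph, serializable, sinks=SINKS):
    """Map each deserialization source to the shortest chain reaching a sink."""
    chains = {}
    for source in find_sources(graph, serializable):
        chain = shortest_chain(graph, source, sinks)
        if chain is not None:
            chains[source] = chain
    return chains


if __name__ == "__main__":
    for source, chain in find_gadget_chains(CALL_GRAPH, SERIALIZABLE).items():
        print(f"{source}:")
        print("    " + " -> ".join(chain))
```

On the sample graph the search reports one candidate, from `app.Session.readObject` through the cache and script runner to `Runtime.exec`, and correctly ignores both `app.Report.hashCode` (no sink reachable) and `app.Job.readObject` (reaches a sink, but the class is not Serializable, so it can never appear in a serialized payload). The Serializable check is the cheapest false-positive filter; real tools add data-flow tracking so that a chain only counts when the sink's argument is actually derived from deserialized fields.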