A Hybrid Analysis to Detect Java Serialisation Vulnerabilities
Serialisation related security vulnerabilities have recently been reported for numerous Java applications. Since serialisation presents both soundness and precision challenges for static analysis, it can be difficult for analyses to precisely pinpoint serialisation vulnerabilities in a Java library. In this paper, we propose a hybrid approach that extends a static analysis with fuzzing to detect serialisation vulnerabilities. The novelty of our approach is in its use of a heap model to direct fuzzing for vulnerabilities in Java libraries. The advantage is that the analysis guides fuzzing to quickly and effectively produce results, which may also automatically validate static analysis reports.
Wed 23 Sep Times are displayed in time zone: (UTC) Coordinated Universal Time
01:10 - 02:10: Software Security and Trust (1) Research Papers / NIER track / Tool Demonstrations at Platypus Chair(s): Christoph CsallnerUniversity of Texas at Arlington | |||
01:10 - 01:30 Talk | Continuous ComplianceExperience Research Papers Martin KelloggUniversity of Washington, Seattle, Martin SchäfAmazon Web Services, Serdar TasiranAmazon Web Services, Michael D. ErnstUniversity of Washington, USA | ||
01:30 - 01:50 Talk | SADT: Syntax-Aware Differential Testing of Certificate Validation in SSL/TLS Implementions Research Papers Lili QuanCollege of Intelligence and Computing,Tianjin University, Qianyu GuoCollege of Intelligence and Computing, Tianjin University, Hongxu ChenResearch Associate, xiexiaofei , Li XiaohongTianJin University, Yang LiuNanyang Technological University, Singapore, Jing HuTianjin Key Laboratory of Advanced Networking (TANK), College of Intelligence and Computing,Tianjin University | ||
01:50 - 02:00 Talk | A Hybrid Analysis to Detect Java Serialisation Vulnerabilities NIER track | ||
02:00 - 02:10 Talk | EXPRESS: An Energy-Efficient and Secure Framework for Mobile Edge Computing and Blockchain based Smart Systems Tool Demonstrations |