Runtime Prevention of Deserialization Attacks

2022 IEEE/ACM 44th International Conference on Software Engineering: New Ideas and Emerging Results (ICSE-NIER)(2022)

Abstract
Untrusted deserialization exploits, where a serialised object graph is used to achieve denial of service or arbitrary code execution, have become so prominent that they were introduced in the 2017 OWASP Top 10. In this paper, we present a novel and lightweight approach for runtime prevention of deserialization attacks using Markov chains. The intuition behind our work is that the features and ordering of classes in malicious object graphs make them distinguishable from benign ones. Preliminary results indeed show that our approach achieves an F1-score of 0.94 on a dataset of 264 serialised payloads, collected from an industrial Java EE application server and a repository of deserialization exploits.

ACM Reference Format: François Gauthier and Sora Bae. 2022. Runtime Prevention of Deserialization Attacks. In New Ideas and Emerging Results (ICSE-NIER'22), May 21–29, 2022, Pittsburgh, PA, USA. ACM, New York, NY, USA, 5 pages. https://doi.org/10.1145/3510455.3512786
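The abstract does not detail the model, so the following is an added example rather than the authors' implementation: a first-order Markov chain over the order in which class names appear in a serialised Java object graph, trained on benign payloads and used to reject a payload whose class ordering is improbable under that model. The class sequences, the smoothing value and the threshold rule (worst benign training score minus a margin) are constructed assumptions for illustration. A real deployment would extract the class names as the stream is read, for example from a Java 9+ `java.io.ObjectInputFilter` hook, which this snippet does not show; the gadget-shaped sequence below only mimics the class ordering of a Commons Collections transformer chain and is not an exploit.

```python
# Added example (not the paper's code): a first-order Markov chain over the
# order in which classes appear in a serialised Java object graph. All class
# sequences below are constructed; the threshold rule is an assumption.
import math
from collections import Counter, defaultdict

START, END = "<START>", "<END>"


class ClassOrderModel:
    """Markov chain over class-name transitions observed in benign payloads."""

    def __init__(self, smoothing=0.01):
        # Additive smoothing: a never-seen transition is improbable, not impossible.
        self.smoothing = smoothing
        self.transitions = defaultdict(Counter)  # prev class -> Counter(next class)
        self.vocab = set()

    def fit(self, sequences):
        for seq in sequences:
            path = [START, *seq, END]
            self.vocab.update(path)
            for prev, cur in zip(path, path[1:]):
                self.transitions[prev][cur] += 1
        return self

    def transition_logprob(self, prev, cur):
        counts = self.transitions.get(prev, Counter())
        total = sum(counts.values())
        # One extra vocabulary slot reserves mass for class names never seen in training.
        denom = total + self.smoothing * (len(self.vocab) + 1)
        return math.log((counts[cur] + self.smoothing) / denom)

    def score(self, seq):
        """Mean log-probability per transition; higher means more benign-looking."""
        path = [START, *seq, END]
        total = sum(self.transition_logprob(p, c) for p, c in zip(path, path[1:]))
        return total / (len(path) - 1)


def calibrate_threshold(model, benign_sequences, margin=0.5):
    """Assumed rule: accept anything scoring no worse than the worst benign
    training sequence minus a safety margin."""
    return min(model.score(s) for s in benign_sequences) - margin


def should_reject(model, seq, threshold):
    """Runtime decision: refuse to deserialize a graph whose class ordering is improbable."""
    return model.score(seq) < threshold


# Constructed benign class orderings, as a server might see for session or order objects.
BENIGN = [
    ["java.util.HashMap", "java.lang.String", "java.lang.Integer"],
    ["java.util.ArrayList", "java.lang.String", "java.lang.String"],
    ["com.example.Session", "java.util.HashMap", "java.lang.String", "java.lang.Long"],
    ["com.example.Order", "java.util.ArrayList", "com.example.LineItem", "java.math.BigDecimal"],
    ["java.util.HashMap", "java.lang.String", "java.lang.String", "java.lang.Integer"],
]

# Constructed held-out inputs: a benign-looking graph, a sequence shaped like a
# Commons Collections transformer gadget chain (class names only, no payload),
# and a graph of benign classes in an order never seen in training.
HELD_OUT_BENIGN = ["com.example.Session", "java.util.HashMap", "java.lang.String", "java.lang.Integer"]
GADGET_SHAPED = [
    "sun.reflect.annotation.AnnotationInvocationHandler",
    "org.apache.commons.collections.map.LazyMap",
    "org.apache.commons.collections.functors.ChainedTransformer",
    "org.apache.commons.collections.functors.ConstantTransformer",
    "org.apache.commons.collections.functors.InvokerTransformer",
]
UNUSUAL_ORDER = ["java.lang.String", "java.util.HashMap"]

MODEL = ClassOrderModel().fit(BENIGN)
THRESHOLD = calibrate_threshold(MODEL, BENIGN)

if __name__ == "__main__":
    cases = [("benign", HELD_OUT_BENIGN), ("gadget-shaped", GADGET_SHAPED), ("unusual-order", UNUSUAL_ORDER)]
    for name, seq in cases:
        print(f"{name:14s} score={MODEL.score(seq):7.3f} reject={should_reject(MODEL, seq, THRESHOLD)}")
```

The third case is the point of scoring transitions rather than individual classes: an allow-list of class names would pass `UNUSUAL_ORDER`, but the model rejects it because `java.lang.String` followed by `java.util.HashMap` never occurs in benign traffic. In practice the threshold should be calibrated on held-out benign data from the same server rather than on the training set, since the minimum over training sequences is optimistic.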
Keywords
Deserialization,Markov chains,Runtime protection