ODDFUZZ: Discovering Java Deserialization Vulnerabilities via Structure-Aware Directed Greybox Fuzzing

by Sicong Cao, et al.

Java deserialization vulnerability is a severe threat in practice. Researchers have proposed static analysis solutions to locate candidate vulnerabilities and fuzzing solutions to generate proof-of-concept (PoC) serialized objects to trigger them. However, existing solutions have limited effectiveness and efficiency. In this paper, we propose a novel hybrid solution ODDFUZZ to efficiently discover Java deserialization vulnerabilities. First, ODDFUZZ performs lightweight static taint analysis to identify candidate gadget chains that may cause deserialization vulnerabilities. In this step, ODDFUZZ tries to locate all candidates and avoid false negatives. Then, ODDFUZZ performs directed greybox fuzzing (DGF) to explore those candidates and generate PoC test cases to mitigate false positives. Specifically, ODDFUZZ applies a structure-aware seed generation method to guarantee the validity of the test cases, and adopts a novel hybrid feedback and a step-forward strategy to guide the directed fuzzing. We implemented a prototype of ODDFUZZ and evaluated it on the popular Java deserialization repository ysoserial. Results show that ODDFUZZ could discover 16 out of 34 known gadget chains, while two state-of-the-art baselines only identify three of them. In addition, we evaluated ODDFUZZ on real-world applications including Oracle WebLogic Server, Apache Dubbo, Sonatype Nexus, and protostuff, and found six previously unreported exploitable gadget chains with five CVEs assigned.
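The abstract describes a two-phase design: an over-approximating static search for candidate gadget chains (entry points the deserializer calls automatically, such as readObject, that can reach a dangerous sink), followed by directed fuzzing that ranks seeds by how close their execution gets to the target. The following Python sketch is an added illustration of those two ideas on a toy call graph; it is not the ODDFUZZ prototype and does not analyse Java bytecode. Every class and method name, the call graph, the sink, and the execution traces are constructed for the example. From a defender's viewpoint the same candidate list is what a code owner would use to decide which classes a deserialization filter must reject.

```python
"""
Toy model of the two ODDFUZZ phases described in the abstract (added example,
not the paper's code). All names below are hypothetical.
"""
from collections import deque

# Constructed call graph: "Class.method" -> list of callees.
CALL_GRAPH = {
    "A.readObject": ["A.rebuild", "A.log"],
    "A.rebuild": ["B.hashCode"],
    "A.log": ["Logger.write"],
    "B.hashCode": ["C.compare", "B.toString"],
    "C.compare": ["Invoker.invoke"],
    "B.toString": ["E.getter"],
    "E.getter": ["Invoker.invoke"],
    "Logger.write": [],
    "Invoker.invoke": [],
    "D.readObject": ["D.validate"],
    "D.validate": [],
}

ENTRY_SUFFIX = ".readObject"   # methods the deserializer invokes on its own
SINK = "Invoker.invoke"        # stand-in for a dangerous reflective call


def find_candidate_chains(graph, sink, max_depth=8):
    """Static phase: enumerate every acyclic call path from a deserialization
    entry point to the sink, bounded by max_depth.  This deliberately
    over-approximates (no taint or type information), so it avoids false
    negatives at the price of false positives that fuzzing must weed out."""
    chains = []

    def dfs(node, path):
        if len(path) > max_depth:
            return
        if node == sink:
            chains.append(list(path))
            return
        for callee in graph.get(node, []):
            if callee not in path:          # keep paths acyclic
                path.append(callee)
                dfs(callee, path)
                path.pop()

    for entry in sorted(graph):
        if entry.endswith(ENTRY_SUFFIX):
            dfs(entry, [entry])
    return chains


def distance_to_target(graph, target):
    """Reverse BFS giving, for each method, the number of calls needed to reach
    the target.  Directed greybox fuzzers use this kind of metric so that seeds
    whose execution lands near the target are scheduled more often."""
    reverse = {}
    for caller, callees in graph.items():
        for callee in callees:
            reverse.setdefault(callee, []).append(caller)
    dist = {target: 0}
    queue = deque([target])
    while queue:
        node = queue.popleft()
        for pred in reverse.get(node, []):
            if pred not in dist:
                dist[pred] = dist[node] + 1
                queue.append(pred)
    return dist


def seed_score(trace, dist):
    """Simplified distance feedback: the score of an executed trace is the
    smallest target distance among the methods it covered (lower is better).
    Methods that cannot reach the target at all contribute nothing."""
    reachable = [dist[m] for m in trace if m in dist]
    return min(reachable) if reachable else float("inf")


if __name__ == "__main__":
    for chain in find_candidate_chains(CALL_GRAPH, SINK):
        print(" -> ".join(chain))
    dist = distance_to_target(CALL_GRAPH, SINK)
    # Two constructed execution traces of candidate seeds.
    trace_far = ["A.readObject", "A.log", "Logger.write"]
    trace_near = ["A.readObject", "A.rebuild", "B.hashCode", "B.toString"]
    print("far:", seed_score(trace_far, dist), "near:", seed_score(trace_near, dist))
```

On the constructed graph the static phase reports two candidate chains from A.readObject, and none from D.readObject, whose subtree never reaches the sink. The trace that descended through B.hashCode scores 2 against 4 for the trace that took the logging branch, which is the ordering a distance-guided scheduler would use to pick the next seed to mutate.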



