Deserialization Gadget Chains are not a Pathological Problem in Android: an In-Depth Study of Java Gadget Chains in AOSP
- URL: http://arxiv.org/abs/2502.08447v1
- Date: Wed, 12 Feb 2025 14:39:30 GMT
- Title: Deserialization Gadget Chains are not a Pathological Problem in Android: an In-Depth Study of Java Gadget Chains in AOSP
- Authors: Bruno Kreyssig, Timothée Riom, Sabine Houy, Alexandre Bartel, Patrick McDaniel
- Abstract summary: Java's Serializable API has a long history of deserialization vulnerabilities, specifically deserialization gadget chains. We design a gadget chain detection tool optimized for soundness and efficiency. Running our tool on the Android SDK and 1,200 Android dependencies, in combination with a comprehensive sink dataset, yields no security-critical gadget chains.
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Inter-app communication is a mandatory and security-critical functionality of operating systems, such as Android. On the application level, Android implements this facility through Intents, which can also transfer non-primitive objects using Java's Serializable API. However, the Serializable API has a long history of deserialization vulnerabilities, specifically deserialization gadget chains. Research endeavors have been heavily directed towards the detection of deserialization gadget chains on the Java platform. Yet, there is little knowledge about the existence of gadget chains within the Android platform. We aim to close this gap by searching gadget chains in the Android SDK, Android's official development libraries, as well as frequently used third-party libraries. To handle this large dataset, we design a gadget chain detection tool optimized for soundness and efficiency. In a benchmark on the full Ysoserial dataset, it achieves similarly sound results to the state-of-the-art in significantly less time. Using our tool, we first show that the Android SDK contains almost the same trampoline gadgets as the Java Class Library. We also find that one can trigger Java native serialization through Android's Parcel API. Yet, running our tool on the Android SDK and 1,200 Android dependencies, in combination with a comprehensive sink dataset, yields no security-critical gadget chains. This result opposes the general notion of Java deserialization gadget chains being a widespread problem. Instead, the issue appears to be more nuanced, and we provide a perspective on where to direct further research.
Related papers
- Sleeping Giants -- Activating Dormant Java Deserialization Gadget Chains through Stealthy Code Changes (2025-04-29)
  Java deserialization gadget chains are a well-researched critical software weakness.
  Small code changes in dependencies have enabled these gadget chains.
  This work shows that Java deserialization gadget chains are a broad liability to software and proves dormant gadget chains as a lucrative supply chain attack vector.
- DroidCall: A Dataset for LLM-powered Android Intent Invocation (2024-11-30)
  We introduce DroidCall, the first training and testing dataset for accurate Android intent invocation.
  With a highly flexible and reusable data generation pipeline, we constructed 10k samples in DroidCall.
  We also provide an end-to-end Android app equipped with these fine-tuned models to demonstrate the Android intent invocation process.
- Java-Class-Hijack: Software Supply Chain Attack for Java based on Maven Dependency Resolution and Java Classloading (2024-07-26)
  Java-Class-Hijack enables an attacker to inject malicious code by crafting a class that shadows a legitimate class that is in the dependency tree.
  We describe the attack, provide a proof-of-concept demonstrating its feasibility, and replicate it in the German Corona-Warn-App application.
- Serializing Java Objects in Plain Code (2024-05-18)
  In managed languages, serialization of objects is typically done in bespoke binary formats such as Protobuf.
  Human developers cannot read binary code, and in most cases suffer from noticeable XML or readability limitations.
  This is a major issue when objects are meant to be embedded and read in source code, such as in test cases.
  Our core idea is to serialize objects observed at runtime in the native syntax of a programming language.
- Open-Vocabulary Object Detection with Meta Prompt Representation and Instance Contrastive Optimization (2024-03-14)
  We propose a framework with Meta prompt and Instance Contrastive learning (MIC) schemes.
  Firstly, we simulate a novel-class-emerging scenario to help the prompt that learns class and background prompts generalize to novel classes.
  Secondly, we design an instance-level contrastive strategy to promote intra-class compactness and inter-class separation, which benefits generalization of the detector to novel class objects.
- Are Dense Labels Always Necessary for 3D Object Detection from Point Cloud? (2024-03-05)
  Current state-of-the-art (SOTA) 3D object detection methods often require a large amount of 3D bounding box annotations for training.
  We propose a novel sparsely-annotated framework, in which we just annotate one 3D object per scene.
  We develop the SS3D++ method that alternatively improves 3D detector training and confident fully-annotated scene generation.
- Seneca: Taint-Based Call Graph Construction for Java Object Deserialization (2023-11-02)
  We present Seneca, an approach for handling serialization with improved soundness in the context of call graph construction.
  We evaluate our approach with respect to soundness, precision, performance, and usefulness in detecting untrusted object deserialization vulnerabilities.
- ComplETR: Reducing the cost of annotations for object detection in dense scenes with vision transformers (2022-09-13)
  ComplETR is designed to explicitly complete missing annotations in partially annotated dense scene datasets.
  This reduces the need to annotate every object instance in the scene, thereby reducing annotation cost.
  We show performance improvement for several popular detectors such as Faster R-CNN, Cascade R-CNN, CenterNet2, and Deformable DETR.
- Embracing Single Stride 3D Object Detector with Sparse Transformer (2021-12-13)
  In LiDAR-based 3D object detection for autonomous driving, the ratio of the object size to input scene size is significantly smaller compared to 2D detection cases.
  Many 3D detectors directly follow the common practice of 2D detectors, which downsample the feature maps even after quantizing the point clouds.
  We propose Single-stride Sparse Transformer (SST) to maintain the original resolution from the beginning to the end of the network.
- TAO: A Large-Scale Benchmark for Tracking Any Object (2020-05-20)
  The Tracking Any Object dataset consists of 2,907 high-resolution videos, captured in diverse environments, which are half a minute long on average.
  We ask annotators to label objects that move at any point in the video, and give names to them post factum.
  Our vocabulary is both significantly larger and qualitatively different from existing tracking datasets.