Sleeping Giants -- Activating Dormant Java Deserialization Gadget Chains through Stealthy Code Changes
- URL: http://arxiv.org/abs/2504.20485v1
- Date: Tue, 29 Apr 2025 07:24:34 GMT
- Title: Sleeping Giants -- Activating Dormant Java Deserialization Gadget Chains through Stealthy Code Changes
- Authors: Bruno Kreyssig, Sabine Houy, Timothée Riom, Alexandre Bartel
- Abstract summary: Java deserialization gadget chains are a well-researched critical software weakness. Small code changes in dependencies have enabled these gadget chains. This work shows that Java deserialization gadget chains are a broad liability to software and proves dormant gadget chains as a lucrative supply chain attack vector.
- Score: 42.95491588006701
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Java deserialization gadget chains are a well-researched critical software weakness. The vast majority of known gadget chains rely on gadgets from software dependencies. Furthermore, it has been shown that small code changes in dependencies have enabled these gadget chains. This makes gadget chain detection a purely reactive endeavor. Even if one dependency's deployment pipeline employs gadget chain detection, a gadget chain can still result from gadgets in other dependencies. In this work, we assess how likely small code changes are to enable a gadget chain. These changes could either be accidental or intentional as part of a supply chain attack. Specifically, we show that class serializability is a strongly fluctuating property over a dependency's evolution. Then, we investigate three change patterns by which an attacker could stealthily introduce gadgets into a dependency. We apply these patterns to 533 dependencies and run three state-of-the-art gadget chain detectors both on the original and the modified dependencies. The tools detect that applying the modification patterns can activate/inject gadget chains in 26.08% of the dependencies we selected. Finally, we verify the newly detected chains. As such, we identify dormant gadget chains in 53 dependencies that could be added through minor code modifications. This both shows that Java deserialization gadget chains are a broad liability to software and proves dormant gadget chains as a lucrative supply chain attack vector.
Related papers
- Rethinking Reuse in Dependency Supply Chains: Initial Analysis of NPM packages at the End of the Chain [2.4969046521751768]
This paper advocates for a shift in software development practices toward minimizing reliance on third-party packages.
We find that these end-of-chain packages offer unique insights, as they play a key role in the ecosystem.
arXiv Detail & Related papers (2025-03-04T17:26:34Z)
- Deserialization Gadget Chains are not a Pathological Problem in Android: an In-Depth Study of Java Gadget Chains in AOSP [40.53819791643813]
Java's Serializable API has a long history of deserialization vulnerabilities, specifically deserialization gadget chains. We design a gadget chain detection tool optimized for soundness and efficiency. Running our tool on the Android SDK and 1,200 Android dependencies, in combination with a comprehensive sink dataset, yields no security-critical gadget chains.
arXiv Detail & Related papers (2025-02-12T14:39:30Z)
- Pinning Is Futile: You Need More Than Local Dependency Versioning to Defend against Supply Chain Attacks [23.756533975349985]
Recent high-profile incidents in open-source software have raised practitioner attention on software supply chain attacks. Security practitioners advocate pinning dependencies to specific versions rather than floating in version ranges. We quantify, through counterfactual analysis and simulations, the security and maintenance impact of version constraints in the npm ecosystem.
arXiv Detail & Related papers (2025-02-10T16:50:48Z)
- Dirty-Waters: Detecting Software Supply Chain Smells [10.405775369526006]
We define the novel concept of software supply chain smell and present Dirty-Waters, a novel tool for detecting software supply chain smells.
We evaluate Dirty-Waters on three JavaScript projects across nine versions and demonstrate the prevalence of all proposed software supply chain smells.
arXiv Detail & Related papers (2024-10-21T14:24:12Z)
- GoSurf: Identifying Software Supply Chain Attack Vectors in Go [9.91891839872381]
We propose a novel taxonomy of 12 distinct attack vectors tailored for the Go language and its package lifecycle.
Our work provides preliminary insights for securing the open-source software supply chain within the Go ecosystem.
arXiv Detail & Related papers (2024-07-05T11:52:27Z)
- Model Supply Chain Poisoning: Backdooring Pre-trained Models via Embedding Indistinguishability [61.549465258257115]
We propose a novel and more severe backdoor attack, TransTroj, which enables the backdoors embedded in PTMs to efficiently transfer in the model supply chain. Experimental results show that our method significantly outperforms SOTA task-agnostic backdoor attacks.
arXiv Detail & Related papers (2024-01-29T04:35:48Z)
- On the Security Blind Spots of Software Composition Analysis [46.1389163921338]
We present a novel approach to detect vulnerable clones in the Maven repository.
We retrieve over 53k potential vulnerable clones from Maven Central.
We detect 727 confirmed vulnerable clones and synthesize a testable proof-of-vulnerability project for each of those.
arXiv Detail & Related papers (2023-06-08T20:14:46Z)
- Visual Dependency Transformers: Dependency Tree Emerges from Reversed Attention [106.67741967871969]
We propose Visual Dependency Transformers (DependencyViT) that can induce visual dependencies without any labels.
We formulate it as a dependency graph where a child token in reversed attention is trained to attend to its parent tokens and send information.
DependencyViT works well on both self- and weakly-supervised pretraining paradigms on ImageNet.
arXiv Detail & Related papers (2023-04-06T17:59:26Z)
- Will bots take over the supply chain? Revisiting Agent-based supply chain automation [71.77396882936951]
Agent-based supply chains have been proposed since the early 2000s; industrial uptake has been lagging.
We find that agent-based technology has matured, and other supporting technologies that are penetrating supply chains are filling in gaps.
For example, the ubiquity of IoT technology helps agents "sense" the state of affairs in a supply chain and opens up new possibilities for automation.
arXiv Detail & Related papers (2021-09-03T18:44:26Z)
- Controlled quantum state transfer in $XX$ spin chains at the Quantum Speed Limit [62.997667081978825]
In homogeneous chains it implies that taking information from one extreme of the chain to the other will take a time $O(N/2)$, where $N$ is the chain length.
We design control pulses that achieve near perfect population transfer between the extremes of the chain at times on the order of $N/2$, or larger.
arXiv Detail & Related papers (2020-05-15T23:10:19Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of its content (including all information) and is not responsible for any consequences.