
Monthly Meeting - Chris Frohoff from Qualcomm - "Deserialize My Shorts"

Hosted By
Stephan C. and Tom

Details

https://frohoff.github.io/appseccali-marshalling-pickles/
https://github.com/frohoff/ysoserial


Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

Object deserialization is an established but poorly understood attack vector in applications, and it is disturbingly prevalent across many languages, platforms, formats, and libraries.

In January 2015 at AppSec California, Chris Frohoff and Gabe Lawrence gave a talk on this topic, covering deserialization vulnerabilities across platforms, the many forms they take, and the places they can be found. It covered, among other things, somewhat novel techniques that use classes in commonly used libraries to attack Java serialization; these were subsequently released in the form of the ysoserial tool. Few people noticed until late 2015, when other researchers used these techniques and tools to exploit well-known products such as Bamboo, WebLogic, WebSphere, Apache ActiveMQ, and Jenkins, and then services such as PayPal. Since then, the topic has gotten some long-overdue attention, and great work is being done by many to improve our understanding of the subject and developer awareness of it.

This talk will review the details of Java deserialization exploit techniques and mitigations, as well as report on some of the recent (and future) activity in this area.

Bio

Chris Frohoff is a Cyber Security Engineer at Qualcomm with a focus on Application Security; he performs Application Security Assessments and Penetration Tests, develops Security Systems and Infrastructure, and sometimes dabbles in Incident Response, Reverse Engineering, and general research mischief. In a former life, Chris developed enterprise web applications and services at Sony Network Entertainment and UC San Diego. His primary areas of interest include JVM stuff, programming languages, parsers/compilers/interpreters, crypto, covert channels, and HTTP/REST.

Open Web Application Security Project San Diego (OWASP-SD)