Philipp Holzinger
ABSTRACT
When created, the Java platform was among the first runtimes designed with security in mind. Yet, numerous Java versions were shown to contain far-reaching vulnerabilities, permitting denial-of-service attacks or even worse allowing intruders to bypass the runtime's sandbox mechanisms, opening the host system up to many kinds of further attacks.
This paper presents a systematic in-depth study of 87 publicly available Java exploits found in the wild. By collecting, minimizing and categorizing those exploits, we identify their commonalities and root causes, with the goal of determining the weak spots in the Java security architecture and possible countermeasures.
Our findings reveal that the exploits heavily rely on a set of nine weaknesses, including unauthorized use of restricted classes and confused deputies in combination with caller-sensitive methods. We further show that all attack vectors implemented by the exploits belong to one of three categories: single-step attacks, restricted-class attacks, and information hiding attacks.
The analysis allows us to propose ideas for improving the security architecture to spawn further research in this area.
- Java trusted method chaining (cve-2010-0840/zdi-10-056). http://slightlyrandombrokenthoughts.blogspot.de/2010/04/java-trusted-method-chaining-cve-2010.html. {Online; accessed on 22-May-2016}.Google Scholar
- The state of the module system. http://openjdk.java.net/projects/jigsaw/spec/sotms/. {Online; accessed on 22-May-2016}.Google Scholar
- Recent java exploitation trends and malware. https://media.blackhat.com/bh-us-12/Briefings/Oh/BH_US_12_Oh_Recent_Java_Exploitation_Trends_and_Malware_WP.pdf, 2012. {Online; accessed on 18-May-2016}.Google Scholar
- Brewing up trouble: Analyzing four widely exploited java vulnerabilities. https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-java-vulnerabilities.pdf, 2014. {Online; accessed on 18-May-2016}.Google Scholar
- Martin Abadi and Cédric Fournet. Access control based on execution history. In NDSS, volume 3, pages 107--121, 2003.Google Scholar
- Eric Bodden, Andreas Sewe, Jan Sinschek, Hela Oueslati, and Mira Mezini. Taming reflection: Aiding static analysis in the presence of reflection and custom class loaders. In ICSE '11: International Conference on Software Engineering, pages 241--250. ACM, May 2011. Google ScholarDigital Library
- Security Exploration. {se-2012-01} broken security fix in ibm java 7/8. http://seclists.org/bugtraq/2016/Apr/19, 2016. {Online; accessed on 17-May-2016}.Google Scholar
- Security Exploration. {se-2012-01} yet another broken security fix in ibm java 7/8. http://seclists.org/fulldisclosure/2016/Apr/43, 2016. {Online; accessed on 17-May-2016}.Google Scholar
- Li Gong and Gary Ellison. Inside Java (TM) 2 Platform Security: Architecture, API Design, and Implementation. Pearson Education, 2003. Google ScholarDigital Library
- Kaspersky Labs. Java under attack -- the evolution of exploits in 2012--2013. https://securelist.com/analysis/publications/57888/kaspersky-lab-report-java-under-attack, 2013. {Online; accessed on 19-May-2016}.Google Scholar
- Luis Mastrangelo, Luca Ponzanelli, Andrea Mocci, Michele Lanza, Matthias Hauswirth, and Nathaniel Nystrom. Use at your own risk: the java unsafe api in the wild. In Proceedings of the 2015 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applications, pages 695--710. ACM, 2015. Google ScholarDigital Library
- Or Peles and Roee Hay. One class to rule them all: 0-day deserialization vulnerabilities in android. In 9th USENIX Workshop on Offensive Technologies (WOOT 15), 2015. Google ScholarDigital Library
- CP Pfleeger and SL Pfleeger. Security in computing. 4th, 2007.Google Scholar
- Marco Pistoia, Anindya Banerjee, and David A Naumann. Beyond stack inspection: A unified access-control and information-flow security model. In 2007 IEEE Symposium on Security and Privacy (SP'07), pages 149--163. IEEE, 2007. Google ScholarDigital Library
- Johannes Schlumberger, Christopher Kruegel, and Giovanni Vigna. Jarhead analysis and detection of malicious java applets. In Proceedings of the 28th Annual Computer Security Applications Conference, pages 249--257. ACM, 2012. Google ScholarDigital Library
- Bruce Schneier. Attack trees. Dr. Dobb's journal, 24(12):21--29, 1999.Google Scholar
- John Viega, Gary McGraw, Tom Mutdosch, and Edward W. Felten. Statically scanning java code: Finding security vulnerabilities. IEEE Software, 17(5):68--74, 2000. Google ScholarDigital Library
Index Terms
- An In-Depth Study of More Than Ten Years of Java Exploitation
Recommendations
A threat pattern for the "cross-site scripting (XSS)" attack
PLoP '15: Proceedings of the 22nd Conference on Pattern Languages of ProgramsWe present a threat pattern that describes cross-site scripting (XSS) attacks. In this attack attackers insert scripts in web applications that will lead to misuses in a target web application. Cross-Site Scripting is listed as number three risk on the ...
It's a TRaP: Table Randomization and Protection against Function-Reuse Attacks
CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications SecurityCode-reuse attacks continue to evolve and remain a severe threat to modern software. Recent research has proposed a variety of defenses with differing security, efficiency, and practicality characteristics. Whereas the majority of these solutions focus ...
The Shellcode Generation
Attackers carry out many network security compromises using exploitation programs, or exploits, which take advantage of bugs in software running on vulnerable systems. These programs are often the only remaining evidence of a security compromise; by ...
Comments