[2022 javaone] deserializaion exploits – why should i care?

Speaker: Brian Vermeer

For more see the table of contents

Star Trek

  • Everything in Star Trek could be real. And some tech surpassed
  • Teleportation would be awesome
  • Already have, but for data

Serialization

  • Turn object into data stream.
  • Send to another system or save on disk

Deseriaization

  • Basic serialization is easy. Just implement Serializable
  • On deserialization, skips constructor and sets fields directly
  • No hash/checksum. Can change in a hex editor.
  • Man in the middle attack can change data
  • If error reading, get a class cast exception

Libraries

  • Anything in classpath could be in memory. Such as library code that will run code for you
  • HashMap provides custom implementation for read object
  • ysoserial – gadgets for unsafe deserialization.
  • examples of issues with frequent issues: jackson, ehcache
  • patching to latest helps fix known things

log4j

  • 17K packages affected
  • 800K attacks in first 72 hours
  • 57% have has transitive dependencies
  • JNDI looks up and retrieves object
  • If own LDAP server can return any object
  • Then logger calls
  • So passng in the JNDI lookup string can have app do anything
  • Showed getting an interactive shell to docker container (which is root)

records

  • Does call constructor on serialization
  • Opt in – need to implement serializable
  • Still call read object

How to improve when writing custom serialization code

  • ValidatingObjectInputStream – call accept() with expected type before reading
  • ObjectInputFilter.Config.createFilter – allow specific type and deny everything else
  • Setting filter on streams overrides global one.
  • JEP-415 – OjectInputFilter.Config.setSeriialFilterFactory – let’s you merge the global and local ones
  • See blog post

JSON and Jackson

  • ObjectMapper has default typing off unless set it to enabled
  • With enabled can inject a malicious gadget

YAML

  • Deserialization product, but can read
  • Can create variables (same problem from XML – billion laughs attack). Reference as *myVarName. Keeps expanding until run out of heap

XML

  • Doc type references to read other files and reference has &var;
  • On by default on XML Parsers
  • Need to explicitly turn it off

Lessons

  • Do not deserialize data from unkown soures
  • Prevent custom serialization
  • Use filters if still need to do so
  • Understand settings for JSON/XML/YAML
  • Check for insuecre defaults
  • Update insecure libraries

Other notes

  • Gadget chain – string of side effects

My take

Good intro to serialization. Sad there is no try with resources in the initial write and read examples. The examples were great. Good mix of slides and demos. I’m surprised I’ve gotten this far without seeing a live log4j demo.

[2022 javaone] fundamentals of diversity and inclusion for technologists

Speaker: Reza Rahman

For more see the table of contents

General

  • not a lot of social captical on this topic
  • Word cloud type slide with quotes about thngs people say to be dismisive. ex: ”I didn’t ean it that way”, ”Your English is pretty good”, ”You are overreacting”, ”Who are you to criticize us”
  • 67% of tech companies are made up of less than 5% Black employees (includes Nigerians, not just African Americans). Asians exceed population % in tech, but not in leadership
  • Women hold 25% computing roles. 47% of workforce is women. More eadership obs than tech jobs
  • People put blinders on/tune out the bad stuff

Why care

  • Diverse perspectives – solving global scae problems (unless niche), oxymeter and skin color, underwriting stats
  • Broadening reach – want people to want to use your product, spectrum of life experiences
  • Untapped potential – most important when tight labor force, educate more people
  • Greater prosperity – avoid zero sum mindset
  • Ethical imperative – perception about divisiveness in US

Diversity

  • 80s mindset – African Americans and women
  • Encompoasses range of identiies and visibile/invisible differenes – race, etnicity, faith, socioeconomics, etc
  • Helps disarm conversation away from ”us vs them”

Inclusion

  • Intentionally creating an enviornment where diversity prospers and common good prevails
  • Fair, respectful, supportive and empowering
  • Diversity is a fact, inclusion is an act
  • How people feel at work
  • Respected, listed to, accepted, valued, included, welcomed, safe

Discrimination

  • Predjudicial treatment
  • Recognition this is wron
  • Often intentional/conisistent
  • Likely legal protected identies such as race/gender

Unconscious bias

  • Stereotypes/prejudices/preferences
  • Often intententional
  • Advantage one set of people o the detriment of others
  • Hardly anyone lacks unconscious bias – need to recognize this (eg: negative association)

Anti defamation league – pyramid of hate

  • Acts of bias
  • Prejudice
  • Discrimination
  • Bias-motivated violence
  • Genocide

Equality

  • Theoretical construct
  • Being truly equal – particularly with regards to resources and oppotunities
  • Doesn’t happen because of privileges (unearned advantages)

Equity

  • State of fairness
  • Intentional remedy impacts of inequality and injustice
  • Cartoon with slanted apple tree (inequality = one side falls, equality = same later so on side reach, equity = taller ladder, justice = fix tree so no longer slanted)

Covering

  • Deliberately downplaying part of identity to attempt to reduce effects of marginalization

Allyship

  • Informed, intentional and consistent practice to understand, empathize an suppor tothers with the objective of grater fairness, diversity and inclusion
  • Continuum – apety, awareness, active advocate
  • Privately check on someone have questionable interaction
  • Don’t assume someone wants help
  • And so much more – see deck

My take

While it was a small audience (13 people), I’m glad this talk happened. Techies are unlikely to go to a whole event on his topic so one session representated a good opportunity. Reza noted that for some parts, the self selecting audience didn’t need to hear it. While this is true, you never know which part stews in your head and becomes useful later.

[2022 javaone] Secure Coding Guidelines for Java SE

Speaker: Chris Ries

For more see the table of contents

Vulnerabilities and Secure Coding

  • “A flaw or weakness … that could be exploited to violated the system’s security policy” RFC 4949
  • Cost – remediation, immediate response (mitigation, detection, incident response, intermediate state while fix), reputation effect

Lifecycle

  • Design – Threat modeling, misuse cases
  • Implementation – , code review, static analysis
  • Integration/test – , dependency checkers, static analysis, runtime testing
  • Deployment/release (ex: missing third party patches) – vulnerability scanning, monitoring (ex: web application firewalls), dependency patching, vulnerability remediation

Resources

Scope of Oracle’s doc

  • General secure coding guidelines
  • Unique/especially relevant to Java
  • Not a comprehensive guide
  • Software security not security software
  • Read once and then use as a reference
  • Each section has a name and each item has a numbered key

Privileges and trust boundaries

  • FUNDAMENTALS-3 – Restrict privileges – app level isolation, separate services, lower level mechanisms (ex: containers, OS level restrictions)
  • FUNDAMENTALS-4 – Establish trust boundaries – identify interactions with untrusted datacode/users, apply security mechanisms, reduce attack surface

Secure third party code

  • FUNDAMENTALS-8 – Secure third-party code
  • Patching – apply patches, watch out for bundled/renamed code (shading), leverage automated tools
  • Best practices – understand model of libraries/frameworks, review config options
  • Tracking – check for updates/support, periodically review security “state of the art”

Denial of Service

  • DOS-4 – Robust errors/exception handling for services
  • Newest one
  • Exception causes – malformed input, logic errors, misconfiguration, environment failures, etc
  • can handle or propagate
  • Apps/libs may want to propagate. Long running systems may need to do more.
  • Define policy for when errors/exceptions reach bottom of call stack – ok to have general catch. Could discard current work, log/cleanup and continue. Rare to have to exit and restart

Injection and inclusion

  • Covers more common vulnerabilities – ex: SQL injection, XML processing
  • Prefer trusted library rather than rolling your own.

Input Validation

  • INPUT-1 – Validate inputs – avoid using untrusted input or validate. Validate early to avoid exposure. Validate immediately prior to use
  • INPUT-4 – Verify API behavior related to input validation – very thru docs/testing. Use created/returned object vs original input. Do additional validation as needed

Deserialization

  • Avoid deserializing untrusted data if at all possible
  • SERIAL-6 – Filter untrusted serial data
  • jdk.serialFilter – can specify class/packages with default deny.
  • Can set resource limits.
  • Alternatively, can setObjectInputFilter() on ObjectInputStream instance

Log4Shell

  • JNDI injection vulnerability
  • Untrusted lookup -> malicious server -> info disclosure, denial of service/remote code execution
  • INJECT-8 – Avoid JNDI lookups using untrusted data or follow measures in guidance
  • FUNDAMENTALS-3 – Restrict privileges. Minimize impact of compromises from zero days
  • FUNDAMENTALS-8 – Secure 3rd party code – Log4J often bundled/renamed, challenge to find vulnerable instances
  • FUNDAMENTALS-4 – Establish trust boundaries – where does untrusted data enter, what APIs does it reach
  • INPUT-1 – Validate inputs – avoid untrusted data or escape/encode/filter. Potentially useful for logged data

My take

This session was during the networking event and the live band was clearly audible. The walls were good as the noise went up greatly when the door opened. Still, I wish sessions weren’t at the same time. Props to the speaker for ignoring the band and the AV guy for managing the speaker

We got to the Oracle Secure Coding Guidelines at minute 15. I thought the whole session would be about this so was surprised there was so much intro. I tried reading the guide last year. Some parts are a tough read so it was nice to see a presentation. And I got to learn about setting filters on ObjectInputStream. The tie to Log4Shell was nice.