Srivastava et al., 2023 - Google Patents
Crystallizer: A hybrid path analysis framework to aid in uncovering deserialization vulnerabilitiesSrivastava et al., 2023
View PDF- Document ID
- 4500437703218229638
- Author
- Srivastava P
- Toffalini F
- Vorobyov K
- Gauthier F
- Bianchi A
- Payer M
- Publication year
- Publication venue
- Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering
External Links
Snippet
Applications use serialization and deserialization to exchange data. Serialization allows developers to exchange messages or perform remote method invocation in distributed applications. However, the application logic itself is responsible for security. Adversaries …
- 238000004458 analytical method 0 title abstract description 52
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING; COUNTING
- G06F—ELECTRICAL DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for programme control, e.g. control unit
- G06F9/06—Arrangements for programme control, e.g. control unit using stored programme, i.e. using internal store of processing equipment to receive and retain programme
- G06F9/44—Arrangements for executing specific programmes
- G06F9/4421—Execution paradigms
- G06F9/4428—Object-oriented
- G06F9/443—Object-oriented method invocation or resolution
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING; COUNTING
- G06F—ELECTRICAL DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for programme control, e.g. control unit
- G06F9/06—Arrangements for programme control, e.g. control unit using stored programme, i.e. using internal store of processing equipment to receive and retain programme
- G06F9/44—Arrangements for executing specific programmes
- G06F9/445—Programme loading or initiating
- G06F9/44521—Dynamic linking or loading; Link editing at or after load time, e.g. Java class loading
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING; COUNTING
- G06F—ELECTRICAL DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for programme control, e.g. control unit
- G06F9/06—Arrangements for programme control, e.g. control unit using stored programme, i.e. using internal store of processing equipment to receive and retain programme
- G06F9/44—Arrangements for executing specific programmes
- G06F9/455—Emulation; Software simulation, i.e. virtualisation or emulation of application or operating system execution engines
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING; COUNTING
- G06F—ELECTRICAL DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for programme control, e.g. control unit
- G06F9/06—Arrangements for programme control, e.g. control unit using stored programme, i.e. using internal store of processing equipment to receive and retain programme
- G06F9/44—Arrangements for executing specific programmes
- G06F9/445—Programme loading or initiating
- G06F9/44589—Programme code verification, e.g. Java bytecode verification, proof-carrying code
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING; COUNTING
- G06F—ELECTRICAL DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Preventing errors by testing or debugging software
- G06F11/3604—Software analysis for verifying properties of programs
- G06F11/3612—Software analysis for verifying properties of programs by runtime analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING; COUNTING
- G06F—ELECTRICAL DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/40—Transformations of program code
- G06F8/41—Compilation
- G06F8/43—Checking; Contextual analysis
- G06F8/436—Semantic checking
- G06F8/437—Type checking
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING; COUNTING
- G06F—ELECTRICAL DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING; COUNTING
- G06F—ELECTRICAL DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING; COUNTING
- G06F—ELECTRICAL DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/54—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING; COUNTING
- G06F—ELECTRICAL DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for programme control, e.g. control unit
- G06F9/06—Arrangements for programme control, e.g. control unit using stored programme, i.e. using internal store of processing equipment to receive and retain programme
- G06F9/46—Multiprogramming arrangements
- G06F9/54—Interprogramme communication; Intertask communication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING; COUNTING
- G06F—ELECTRICAL DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Preventing errors by testing or debugging software
- G06F11/362—Software debugging
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING; COUNTING
- G06F—ELECTRICAL DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Preventing errors by testing or debugging software
- G06F11/3668—Software testing
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING; COUNTING
- G06F—ELECTRICAL DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/70—Software maintenance or management
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING; COUNTING
- G06F—ELECTRICAL DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/30—Creation or generation of source code
- G06F8/31—Programming languages or programming paradigms
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Machiry et al. | {DR}.{CHECKER}: A soundy analysis for linux kernel drivers | |
| Choi et al. | NTFuzz: Enabling type-aware kernel fuzzing on windows with static binary analysis | |
| Bruce et al. | Jshrink: In-depth investigation into debloating modern java applications | |
| Bodell III et al. | Proxy hunting: Understanding and characterizing proxy-based upgradeable smart contracts in blockchains | |
| Bichhawat et al. | Information flow control in WebKit’s JavaScript bytecode | |
| Cao et al. | Oddfuzz: Discovering java deserialization vulnerabilities via structure-aware directed greybox fuzzing | |
| Sui et al. | On the soundness of call graph construction in the presence of dynamic language features-a benchmark and tool evaluation | |
| Srivastava et al. | Crystallizer: A hybrid path analysis framework to aid in uncovering deserialization vulnerabilities | |
| Srivastava et al. | A security policy oracle: Detecting security holes using multiple API implementations | |
| Clarke et al. | Saving the world from bad beans: Deployment-time confinement checking | |
| Dhok et al. | Type-aware concolic testing of JavaScript programs | |
| Filho et al. | Evasion and countermeasures techniques to detect dynamic binary instrumentation frameworks | |
| Santos et al. | Seneca: Taint-based call graph construction for java object deserialization | |
| Badoux et al. | Type++: prohibiting type confusion with inline type information | |
| Sharma et al. | SBOM. EXE: Countering dynamic code injection based on software bill of materials in Java | |
| Buccioli et al. | JChainz: Automatic Detection of Deserialization Vulnerabilities for the Java Language | |
| Bastani et al. | Eventually sound points-to analysis with specifications | |
| Zhao et al. | Program Ingredients Abstraction and Instantiation for Synthesis-based JVM Testing | |
| Dietrich et al. | On the construction of soundness oracles | |
| Dann et al. | Modguard: Identifying integrity & confidentiality violations in Java modules | |
| Cesarano et al. | GoSurf: Identifying Software Supply Chain Attack Vectors in Go | |
| Jezek et al. | Magic with Dynamo--Flexible Cross-Component Linking for Java with Invokedynamic | |
| Rose et al. | IronNetInjector: Weaponizing. NET Dynamic Language Runtime Engines | |
| Gudka et al. | Clean application compartmentalization with SOAAP (extended version) | |
| Huang et al. | Towards automatic detection and exploitation of java web application vulnerabilities via concolic execution guided by cross-thread object manipulation |