New Capability Safely Mitigates Vulnerabilities without Breaking Applications
OWASP defines serialization as the process of disassembling an object into a sequence of bits for easier storage and transportation, and deserialization as the reassembly of those bits into an object. Since many applications that accept serialized objects do not validate or check untrusted input before deserializing it, attackers can inject malicious objects into a data stream and have them executed on the application server, gaining complete remote control over it.
Blacklists and Whitelists Fall Short
Deserialization attacks are commonly blocked by blacklisting vulnerable classes. However, blacklisting has several shortcomings and negative side effects:
- Profiling is required before deployment and when an application is updated or upgraded
- Apps that depend on a blacklisted class are likely to break
- Vulnerable classes cannot be blocked if they are required for execution
- It does not block new, unpublished, zero-day exploits
- A separate configuration is required to protect each vulnerable class
- It only mitigates exploits with external dependencies and cannot mitigate exploits that do not have external dependencies, such as so-called “golden gadget chain” payloads
Whitelisting, another common defense, also has shortcomings. The application must be profiled again for each new release. The whitelist tends to be much bigger than the blacklist and is difficult to maintain; it requires frequent updates, and if it is not kept current it produces false positives. Whitelisting also does not protect against several Denial of Service deserialization attacks.
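To make the blacklist/whitelist trade-off above concrete, here is an added Java example that is not part of the original release and not Waratek's mechanism: it uses the JDK's built-in ObjectInputFilter to express a deny-list (one rule per blocked class) and an allow-list (only named classes pass), and shows that a legitimate application type missing from the allow-list is rejected, which is the false positive the text describes. The `Order` class and the sample objects are constructed for the example.

```java
import java.io.*;
import java.util.*;

// Constructed application type that an allow-list must name explicitly.
class Order implements Serializable {
    private static final long serialVersionUID = 1L;
    final String id;
    Order(String id) { this.id = id; }
}

public class DeserializationFilters {
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserializes with the given filter; the JDK throws InvalidClassException
    // when the filter returns REJECTED for any class encountered in the stream.
    static String deserializeWith(byte[] bytes, ObjectInputFilter filter) {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return "accepted " + ois.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            return "rejected (" + e.getMessage() + ")";
        } catch (IOException | ClassNotFoundException e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] order = serialize(new Order("A-1"));
        byte[] list = serialize(new ArrayList<>(Arrays.asList("x")));

        // Blacklist: one rule per class to block; any class not named is allowed.
        ObjectInputFilter blacklist = ObjectInputFilter.Config.createFilter("!java.util.ArrayList");
        // Whitelist: only the named classes pass; "!*" rejects everything else,
        // so a legitimate type left off the list (here ArrayList) is a false positive.
        ObjectInputFilter whitelist = ObjectInputFilter.Config.createFilter("Order;java.lang.String;!*");

        System.out.println("blacklist, Order:     " + deserializeWith(order, blacklist));
        System.out.println("blacklist, ArrayList: " + deserializeWith(list, blacklist));
        System.out.println("whitelist, Order:     " + deserializeWith(order, whitelist));
        System.out.println("whitelist, ArrayList: " + deserializeWith(list, whitelist));
    }
}
```

Both filters accept `Order`; the blacklist rejects `ArrayList` because it is named, while the whitelist rejects it only because it was not listed, and any new application type would need the list to be updated in the same way.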
“Since Waratek uses a virtualization-based approach to runtime application self-protection, our new deserialization security capability creates a smart, restricted compartment that prevents malicious operations from executing,” noted Waratek Founder and CTO John Matthew Holt. “This protection mechanism is activated when deserialization occurs and is automatically disabled when completed. It is also automatically activated when the deserialized objects perform specific actions, such as during their garbage collection. This offers significantly improved security protection compared to any existing security solution without increasing deployment or operational complexity.”
Waratek RASP-Based Approach
Waratek Deserialization Protection provides the following benefits:
- Is compatible with legacy applications that depend on vulnerable classes. This is achieved by allowing the vulnerable classes to be used safely if their use does not alter or damage the system
- Produces no false positives or false negatives
- Reduces the risk of breaking the application
- Protects against deferred-execution and lateral attacks
- Does not require blacklisting or whitelisting
- Does not require application profiling or code changes
- Does not require separate rules for separate exploits: a single rule mitigates all ysoserial exploits (27 out of 27)
- Protects against Denial of Service, deferred-execution and lateral attacks
- Protects against any unpublished, zero-day exploit with no code changes
- Can be actively deployed and works in either allow or deny mode
The latest version of the Waratek solution with deserialization protection is available immediately from Waratek and its business partners worldwide. Technical demonstrations and Proof of Concepts are available upon request.
Waratek is a pioneer in the next generation of application security solutions known as Runtime Application Self-Protection (RASP). Based on virtualization, Waratek’s solution is highly accurate, easy to install, simple to operate and does not slow application performance – while providing protection against known and unknown vulnerabilities in current and legacy software. Waratek is based in Atlanta, Georgia and Dublin, Ireland.