NDSS2024

Automatic Policy Synthesis and Enforcement for Protecting Untrusted Deserialization

Quan Zhang, Yiwen Xu, Zijing Yin, Chijin Zhou, Yu Jiang

Abstract

Java deserialization vulnerabilities have long been a grave security concern for Java applications. By injecting malicious objects with carefully crafted structures, attackers can reuse a series of existing methods during deserialization to achieve diverse attacks such as remote code execution. To mitigate such attacks, developers are encouraged to implement policies restricting the object types that applications can deserialize. However, designing precise policies requires expertise and significant manual effort, which often leads either to the absence of a policy or to the implementation of an inadequate one. In this paper, we propose DeseriGuard, a tool designed to assist developers in seamlessly securing their applications against deserialization attacks. It can automatically formulate a policy based on the application's semantics and then enforce it to restrict illegal deserialization attempts. First, DeseriGuard uses dataflow analysis to construct a semantic-aware property tree, which records the potential structures of deserialized objects. Based on the tree, DeseriGuard identifies the types of objects that can be safely deserialized and synthesizes an allowlist policy. Then, using a Java agent, DeseriGuard seamlessly enforces the policy at runtime to protect various deserialization procedures. In our evaluation, DeseriGuard successfully blocks all deserialization attacks on 12 real-world vulnerabilities. In addition, we compare DeseriGuard's automatically synthesized policies with 109 developer-designed policies. The results demonstrate that DeseriGuard restricts 99.12% more classes. Meanwhile, we test the policy-enhanced applications with their unit tests and integration tests, which demonstrates that DeseriGuard's policies do not interfere with the applications' execution and induce only a negligible time overhead of 2.17%.
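To make the enforcement step concrete, the following is an added example and not DeseriGuard's own code or the paper's: a hand-written allowlist policy enforced on a single ObjectInputStream through the JDK's standard ObjectInputFilter (JEP 290), one mechanism a runtime agent could hook. The allowed class set and the Order type are constructed for the illustration and stand in for the list DeseriGuard would derive from its property tree.

```java
import java.io.*;
import java.util.*;

public class AllowlistDeserialization {

    // Constructed example policy: the only types this application legitimately deserializes.
    static final Set<String> ALLOWED = Set.of(
        "java.lang.String", "java.lang.Integer", "java.util.ArrayList",
        "java.util.HashMap", "AllowlistDeserialization$Order");

    // Policy check: every class met in the stream must be on the allowlist. Arrays are
    // checked by component type, primitives pass, and anything else is rejected, so a
    // class outside the application's expected object structure never gets instantiated.
    static final ObjectInputFilter POLICY = info -> {
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED; // depth/size checks, not a class
        while (c.isArray()) c = c.getComponentType();
        if (c.isPrimitive() || ALLOWED.contains(c.getName())) return ObjectInputFilter.Status.ALLOWED;
        return ObjectInputFilter.Status.REJECTED;
    };

    // Constructed application type that the policy permits.
    static class Order implements Serializable {
        String id; int quantity;
        Order(String id, int quantity) { this.id = id; this.quantity = quantity; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserializeWithPolicy(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(POLICY); // enforce the allowlist for this stream only
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Object ok = deserializeWithPolicy(serialize(new Order("A-1", 3)));
        System.out.println("allowed: " + ok.getClass().getName());
        try { // TreeMap is not on the allowlist, so the filter rejects the stream
            deserializeWithPolicy(serialize(new TreeMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A rejected class surfaces as an InvalidClassException before any of its deserialization logic runs, which is the point at which a runtime-enforced policy stops a gadget chain; a process-wide filter can be installed instead with ObjectInputFilter.Config.setSerialFilter.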