Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/ikkisoft/SerialKiller
Look-Ahead Java Deserialization Library
https://github.com/ikkisoft/SerialKiller
deserialization java security security-hardening
Last synced: 21 days ago
JSON representation
Look-Ahead Java Deserialization Library
- Host: GitHub
- URL: https://github.com/ikkisoft/SerialKiller
- Owner: ikkisoft
- License: other
- Created: 2015-11-08T05:10:30.000Z (about 9 years ago)
- Default Branch: master
- Last Pushed: 2020-01-07T14:29:56.000Z (almost 5 years ago)
- Last Synced: 2024-11-13T17:13:40.869Z (29 days ago)
- Topics: deserialization, java, security, security-hardening
- Language: Java
- Homepage:
- Size: 59.6 KB
- Stars: 405
- Watchers: 26
- Forks: 68
- Open Issues: 10
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - ikkisoft/SerialKiller - Look-Ahead Java Deserialization Library (Java)
README
# SerialKiller ![SerialKiller Logo](https://ikkisoft.com/img/sk.png "SerialKiller Logo")
**SerialKiller** is an easy-to-use look-ahead Java deserialization library to secure application from untrusted input.
When Java serialization is used to exchange information between a client and a server, attackers can replace the legitimate serialized stream with malicious data. Inspired by this [article](http://www.ibm.com/developerworks/library/se-lookahead/), SerialKiller inspects Java classes during naming resolution and allows a combination of blacklisting/whitelisting to secure your application.
![SerialKiller in action](http://i.imgur.com/wgoF62D.png "SerialKiller in action")
> **Disclaimer:**
> This library may (or may not) be 100% production ready yet. Use at your own risk!### How to protect your application with SerialKiller
1. Download the latest version of the [SerialKiller's Jar](https://github.com/ikkisoft/SerialKiller/releases/). Alternatively, this library is also available on [Maven Central](http://search.maven.org/#search%7Cga%7C1%7Cserialkiller)
2. Import SerialKiller's Jar in your project
3. Replace your deserialization *ObjectInputStream* with SerialKiller
4. Tune the configuration file, based on your application requirementsEasy, isn't it? Let's look at a few details...
### Changes required in your code (step 3)
In your original code, you'll probably have something similar to:```java
ObjectInputStream ois = new ObjectInputStream(is);
String msg = (String) ois.readObject();
```In order to detect malicious payloads or allow your application's classes only, we need to use SerialKiller instead of the standard *java.io.ObjectInputStream*. This can be done with a one-line change:
```java
ObjectInputStream ois = new SerialKiller(is, "/etc/serialkiller.conf");
String msg = (String) ois.readObject();
```The second argument is the location of SerialKiller's configuration file.
Finally, you may want to catch *InvalidClassException* exceptions to gracefully handle insecure object deserializations.
Please note that this library does require *Java 8*.### Tuning SerialKiller's configuration file (step 4)
SerialKiller config supports the following settings:- **Refresh**: The refresh delay in milliseconds, used to *hot-reload* the configuration file. Good news! You don't need to restart your application if you change the config file
- **BlackList**: A [Java regex](http://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html) to define malicious classes. The [default configuration file](https://github.com/ikkisoft/SerialKiller/blob/master/config/serialkiller.conf) already includes several known payloads so that your application is protected by default against known attacks
- **WhiteList**: A [Java regex](http://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html) to define classes used by your application. If you can quickly identify a list of trusted classes, this is the best way to secure your application. For instance, you could allow classes in your own package only
- **Profiling**: Starting from v0.4, SerialKiller introduces a *profiling* mode to enumerate classes deserialized by the application. In this mode, the deserialization is not blocked. To protect your application, make sure to use *'false'* for this setting in production (default value)
- **Logging**: Logging support compatible to native LogManager using the *java.util.logging.config.file* system property or *lib/logging.properties*. See [Java8 LogManager](https://docs.oracle.com/javase/8/docs/api/java/util/logging/LogManager.html) for more details.Example of *serialkiller.conf*
```xml
6000
false
bsh\.XThis$
bsh\.Interpreter$
com\.mchange\.v2\.c3p0\.impl\.PoolBackedDataSourceBase$
org\.mozilla\.javascript\..*$
[...]
org.apache.commons.collections.functors.InstantiateTransformer
org.apache.commons.collections.functors.ConstantTransformer
org.apache.commons.collections.functors.ChainedTransformer
org.apache.commons.collections.functors.InvokerTransformer
[...]
.*
```
### Credits
- Ironically, SerialKiller uses some [Apache Commons](https://commons.apache.org/) libraries (configuration, logging, lang, collections)
- Thanks to [@frohoff](https://twitter.com/frohoff) and [@gebl](https://twitter.com/gebl) for their work on unsafe Java object deserialization payloads. [Ysoserial](https://github.com/frohoff/ysoserial) is awesome!
- [Pierre Ernst](http://www.ibm.com/developerworks/library/se-lookahead/#authorN10032) for the original idea around look-ahead java deserialization filters### License
This library has been dual-licensed to Apache License, Version 2.0 and GNU General Public License.### Contributing
- If you've discovered a bug, please open an [issue in Github](https://github.com/ikkisoft/SerialKiller/issues).
- Submit a new RB, especially if you're aware of Java gadgets that can be abused by vulnerable applications. Providing a safe default configuration is extremely useful for less security-oriented users.