Skip to main content
Annual Computer Security Applications Conference (ACSAC) 2017

Full Program »

M2: Java Serialization

Monday, 4 December 2017
08:30 - 12:00
13:30 - 17:00

Salon II


This course provides developers with practical guidance for securely implementing Java Serialization. Java deserialization is a clear and present danger as it is both widely used and easily exploited. Java serialization is used directly by applications and indirectly through the use of Java subsystems such as RMI (Remote Method Invocation), JMX (Java Management Extension), and JMS (Java Messaging System). Deserialization of untrusted streams can result in remote code execution (RCE), denial-of-service (DoS), and all manner of exploits in between. Applications can be vulnerable to these attacks even if  in the absence of coding and configuration errors.

The course instructor will explain and demonstrate these attacks and show developers how to securely code their systems to support Java serialization. Material in this presentation was derived from the Addison-Wesley book The CERT Oracle Secure Coding Standard for Java and is supported by the Secure Coding Rules for Java LiveLessons videos.

Participants should come away from the course with a detailed understanding of how Java serialization can be exploited and a working knowledge of mitigation strategies for preventing or limiting the effects of these exploits.

Prerequisites. The course is designed primarily for Java SE 8 developers but should also be useful to developers using older versions of the SE platform as well as Java EE and ME developers. The course assumes basic Java programming skills but does not assume an in-depth knowledge of software security.

Students must bring a personal computer equipped with the following:


  1. Serialization
    • Understand Java object serialization (20 minutes)
    • Understand Java object externalization (20 minutes)
    • Mitigate security risks of deserializing unvalidated data (20 minutes)
    • Assign versions to serializable classes (20 minutes)
    • Do not serialize unencrypted sensitive data (20 minutes)
    • Do not serialize security-sensitive classes (20 minutes)
    • Avoid extending a class or interface that implements Serializable (20 minutes)
    • Beware of hidden constructors (20 minutes)
    • Do not serialize inner classes (20 minutes)
    • Use the proper signatures of serialization methods (20 minutes)
    • The defaultReadObject() Method (20 minutes)
    • Whitelist valid deserialization objects (20 minutes)
    • Use a Java Virtual Container to mitigate against deserialization vulnerabilities (20  minutes)
    • Apply appropriate security permissions to serialization and deserialization (20 minutes) Use serialization proxies instead of serialized instances (20 minutes)
    • Prevent loss of state due to caching objects in the stream (20 minutes)
    • Using an alternative solution to Java Serialization (20 minutes)
    • Summary (20 minutes)
  2. Exercises and Demonstrations
    • Demo: Person
    • Demo: Person Redux
    • Demo: Person Again
    • Exercise:  Hometown
    • Exercise:  SensitiveClass
    • Exercise:  Hometown Redux
    • Exercise: LAOIS
    • Demo:  Period

About the Instructor:

Robert C. Seacord is a Technical Director at NCC Group where he works with software developers and software development organizations to eliminate vulnerabilities resulting from coding errors before they are deployed. Previously, Robert founded the Secure Coding Initiative in the CERT Division of Carnegie Mellon University’s Software Engineering Institute (SEI). Robert is also an adjunct professor in the School of Computer Science and the Information Networking Institute at Carnegie Mellon University. Robert is the author of six books, including The CERT Oracle Secure Coding Standard for Java (Addison-Wesley, 2011), Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs (Addison-Wesley, 2014),  The CERT C Coding Standard, Second Edition (Addison-Wesley, 2014), and Secure Coding in C and C++, Second Edition (Addison-Wesley, 2013). Robert is on the Advisory Board for the Linux Foundation and an expert on the ISO/IEC JTC1/SC22/WG14 international standardization working group for the C programming language.




Powered by OpenConf®
Copyright ©2002-2017 Zakon Group LLC