Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
First of all
Ask yourself the following question:
Do I really need to use Java Serialization with user-supplied data?
As illustrated in this presentation, SerialKiller (and all other alternatives) are suboptimal mitigations. If you do need to deserialize untrusted data, keep reading.
Deploying SerialKiller is easy:
Import SerialKiller's Jar in your project
Replace all initializations of ObjectInputStream with SerialKiller
ObjectInputStream ois = new ObjectInputStream(is);
ObjectInputStream ois = new SerialKiller(is, "/etc/serialkiller.conf");
- Tune the configuration file, based on your application requirements
A step-by-step tutorial on how to whitelist classes
Whitelisting is the safest approach to protect your application. In this configuration, SerialKiller will allow approved classes only. While look-ahead whitelisting provides a robust protection to modern applications, it requires complete enumeration of all Java classes exchanged by the application.
The following step-by-step tutorial illustrates how to setup SerialKiller for profiling and whitelisting in blocking mode. This tutorial assumes that you've already configured your application to use SerialKiller.
- Enable profiling with logging support using the following configuration in serialikiller.conf
<mode> <profiling>true</profiling> </mode> <logging> <enabled>true</enabled> <logfile>/tmp/serialkiller.log</logfile> </logging>
If you've already started your application, you don't need to reboot to change the profiling mode. However, you do need to restart whenever you change the location of the logfile.
Use the application as you would normally do, making sure to exercise all possible functionalities. In this 'learning' phase, it is crucial to have client-server exchange all required Java classes. Since SerialKiller is not yet protecting your application, do not expose the service to untrusted environments.
When you're confident that you've collected enough data, run the following command line in your terminal
$ cat /tmp/serialkiller.log | grep "Whitelist match:" | cut -d"'" -f2 | sort -u
which should lead to a list of classes.
- Go back to SerialKiller's configuration file, and customize the following settings:
Enforce blocking mode by setting profile mode to false. Optionally, you can also turn off logging to avoid performance overhead.
<mode> <profiling>false</profiling> </mode> <logging> <enabled>false</enabled> </logging>
In the whitelist section, define the classes observed during the learning phase.
For the example above, you would need to change your configuration from
<whitelist> <regexp>.*</regexp> </whitelist>
<whitelist> <regexp>deserializerserver\.MyCustomPayload$</regexp> <regexp>java\.lang\.Integer$</regexp> <regexp>java\.lang\.String$</regexp> </whitelist>
- Once again, no need to restart (unless you've changed a logging option). Your application is now protected using SerialKiller in whitelisting mode. Please note that the user-defined whitelist is always applied after the built-in blacklist thus blacklisting takes precedence over whitelisting.