"Counterfeit Object-Oriented Programming Vulnerabilities: An Empirical Study in Java" accepted at MSR4P&S 2022 (co-located with ESEC/FSE'22)

Oct 6, 2022. | By: Joanna C. S. Santos

Our paper, “Counterfeit Object-Oriented Programming Vulnerabilities: An Empirical Study in Java”, was accepted at the 1st International Workshop on Mining Software Repositories Applications for Privacy and Security (MSR4P&S ’22), co-located with ESEC/FSE 2022. In this paper, we describe a preliminary empirical investigation of COOP attacks in real software systems caused by untrusted object deserialization. In this preliminary study, we investigated the severity of these attacks, their consequences, and how developers mitigated them. Furthermore, we used the findings to create a dataset of vulnerable software projects and their fixes.

Preprint: MSR4P&S

Related Links

BibTeX

@inproceedings{santos2022coop,
  author = {Santos, Joanna C. S. and Zhang, Xueling and Mirakhorli, Mehdi},
  title = {Counterfeit Object-Oriented Programming Vulnerabilities: An Empirical Study in Java},
  year = {2022},
  isbn = {9781450394574},
  publisher = {Association for Computing Machinery},
  address = {New York, NY, USA},
  url = {https://doi.org/10.1145/3549035.3561183},
  doi = {10.1145/3549035.3561183},
  abstract = {Many modern applications rely on Object-Oriented (OO) design principles, where the basic system components are objects and classes. They share objects with other processes, store them in disk/files for future retrieval or transport them over network to other systems. Object-oriented programs leverage numerous dynamic features and design principles such as runtime dispatching and object-oriented callbacks which allow flexible software design. Although seemingly innocuous, these features can be abused by the attackers to hijack the program's control flow to an undesirable behavior. This is referred to as Counterfeit Object-Oriented Programming (COOP), in which attackers hijack objects in the program in order to create a sequence of method calls that introduce a malicious behavior. COOP is a type of code reuse attack in which a hacker hijacks objects (gadgets) in the program and use that to control the program execution flow via manipulating the sequence of methods and data being passed among these methods (gadget chains). In this paper, we describe a preliminary empirical investigation of COOP attacks in real software systems caused by untrusted object deserialization. In this preliminary study, we investigated the severity of these attacks, their consequences, and how they were mitigated by developers. Furthermore, we used the findings to create a dataset of vulnerable software projects and their fixes.},
  booktitle = {Proceedings of the 1st International Workshop on Mining Software Repositories Applications for Privacy and Security},
  pages = {21–28},
  numpages = {8},
  keywords = {common weakness enumeration, untrusted object deserialization, counterfeit object-oriented programming},
  location = {Singapore, Singapore},
  series = {MSR4P&S 2022}
}

About

Security and Software Engineering Lab at University of Notre Dame, Notre Dame, IN USA 46556

