Week 11 - Object Serialisation Flashcards

1
Q

What is serialisation?

A

Process of converting an object into a series of bytes that saves the state of the object in an easily transmittable form.

2
Q

Why do we need serialisation?

A
  1. Caching
    - Saves the state of an object so it can be loaded instantly.
  2. Replication
    - Clones an object across different machines/environments.
  3. Communication
    - Makes objects transferable over a network.
  4. Persistence
    - Stores objects in any database or file system for later use.
  5. Cross-machine Synchronisation
    - Supports remote invocation and update.
3
Q

Tell me an example of Serialisation.

A

If you shop online, save items to a cart and close the browser, the contents can remain in the cart if the items are serialised to disk or a database. Once you return, the items are deserialised and returned to the cart.

4
Q

List a few vulnerabilities with Serialisation.

A
  1. Untrusted data (misassignment)
    - Untrusted input can set object fields that are normally inaccessible to users.
  2. Custom deserialisation functions/code
    - No different from any other insecure code.
  3. Object type specifications
    - Unexpected object types can be supplied.
  4. Function trampolines/gadgets
    - Chain multiple object types together.
5
Q

In the context of Serialisation, what are gadgets?

A

Classes that can be used to escalate a deserialisation flaw into remote code execution are called gadgets.

6
Q

What is a gadget chain?

A

A sequence of gadgets that perform actions on behalf of a malicious actor.

7
Q

How does a gadget chain work?

A

Once an attacker identifies a series of gadgets, they can chain them together to create a sequence of instructions that, when executed, leverages the vulnerabilities in the target software to achieve a malicious objective.
Attacks achieved:
- Arbitrary code execution
- Privilege escalation
- Bypass of security mechanisms

8
Q

How to prevent serialisation attacks?

A
  1. Use non-native formats such as XML and JSON.
  2. Use runtime application self-protection (RASP).
  3. Implement data-integrity checks, e.g. only deserialise signed data.
  4. Only deserialise 'simple' objects.
  5. Run deserialisation code in low-privilege environments.