Data Deserialization
Computer data is generally organized in data structures such as arrays, records, graphs, classes, or other configurations for efficiency. When data structures need to be stored or transmitted to another location, such as across a network, they go through a process called serialization. This process converts the in-memory data organization into a linear format suitable for storage or for transmission between computing devices.
Using Java as an example platform for serialization, an object of type Address would
logically have members of street, city, state, and postal code as shown in the diagram
below.
Once serialized, this data is converted into a linear data format (such as the XML text
form in the diagram) representing the Address object.
The deserialization process from the linear data is the reverse, and causes the Address
object to be instantiated in memory as shown in this diagram:
https://www.cisecurity.org/blog/data-deserialization/ 1/5
2/14/2020 Data Deserialization
MS-ISAC Recommendations
Best practices to protect against deserialization vulnerability exploits include the following measures:

Apply all the latest patches after appropriate testing and keep your software up to date. Information on the most recent Apache Commons Collections patch is available in MS-ISAC Cybersecurity Advisory 2015-152: https://msisac.cisecurity.org/advisories/2016/2015-152.cfm

Adhere to the principle of least privilege by minimizing or disabling access to administrative privileges, to reduce the impact of an exploit.

When developing software, minimize the use of deserialization by reducing unnecessary data transfers across applications and systems and reducing the number of files written to disk. Also consider developing your own format for data transfer where one is needed, to reduce the probability of attackers misusing the data transfer functionality; with a custom format, attackers will not easily know where in the serialized data to insert their code for a successful attack.

Follow a secure development lifecycle alongside your software development lifecycle.
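An added example, not code from the CIS post: the Address round trip described at the top of the post, done with Java's built-in serialization, with an ObjectInputFilter allow-list (JEP 290, Java 9 and later) on the deserialization side so that only the expected classes can be instantiated. It is one concrete way to apply the recommendation to minimize and constrain deserialization; the class name, field names, allow-list and sample values are constructed for the example.

```java
import java.io.*;
import java.util.Set;

public class AddressRoundTrip {
    // The Address object from the post: street, city, state and postal code.
    static final class Address implements Serializable {
        private static final long serialVersionUID = 1L;
        final String street, city, state, postalCode;
        Address(String street, String city, String state, String postalCode) {
            this.street = street; this.city = city; this.state = state; this.postalCode = postalCode;
        }
        @Override public String toString() { return street + ", " + city + ", " + state + " " + postalCode; }
    }

    // Serialization: the in-memory object graph becomes a linear byte stream.
    static byte[] serialize(Object obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(obj); }
        return bos.toByteArray();
    }

    // Allow-list of the only classes this stream is expected to contain (constructed for the example).
    static final Set<String> ALLOWED = Set.of(Address.class.getName(), String.class.getName());
    // JEP 290 filter (Java 9+): consulted for every class the stream asks the JVM to instantiate.
    static final ObjectInputFilter ALLOW_LIST = info -> {
        Class<?> cl = info.serialClass();
        if (cl == null) return ObjectInputFilter.Status.UNDECIDED; // depth/size events, not a class
        return ALLOWED.contains(cl.getName()) ? ObjectInputFilter.Status.ALLOWED
                                              : ObjectInputFilter.Status.REJECTED;
    };

    // Deserialization: the reverse step, but any class outside the allow-list aborts the read.
    static Address deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(ALLOW_LIST);
            return (Address) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] wire = serialize(new Address("1 Main St", "Springfield", "IL", "62701")); // sample data
        System.out.println("restored: " + deserialize(wire));
        try {
            deserialize(serialize(new java.util.ArrayList<String>())); // class not on the allow-list
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage()); // filter status: REJECTED
        }
    }
}
```

The filter is applied per stream here; the same allow-list can also be installed process-wide through the `jdk.serialFilter` system property so that no ObjectInputStream in the application runs without it.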