Beating hackers at their pwn game


Payer Mathias

Research Partners

Oracle Corporation Oracle

People have been attempting to find and exploit vulnerabilities in deserialization code, including Oracle's, for years: either intent on gaining some kind of direct advantage, or to earn money by submitting bug reports. Either way, these are dedicated, manual attacks. In these manual attacks, the analyst thoroughly analyzes the source code of the target and then painstakingly crafts the exploit.

What we have developed, in collaboration with Oracle, is a mechanism that automates the process, and allows Oracle to get ahead of the attackers

In addition to this, the bugs that we are finding can be much more complex than the ones that experts are finding manually. Most analysts are trained to search to a depth of two manipulations: an entry and a control vector. Our platform creates an abstract dependency graph for all available classes, and can do a fuzzy search to a depth of up to eight manipulations.

Although our tool is neutral, i.e., it can be used by both attackers and defenders, developers have full access to and understanding of their own code, which gives them a huge advantage over a hacker when it comes to interpreting the results. They therefore have a very good chance of finding weak points before the attacker.

Read the full feature