Evil Pickles: DoS Attacks Based on Object-Graph Engineering

Authors Jens Dietrich, Kamil Jezek, Shawn Rasheed, Amjed Tahir, Alex Potanin

Thumbnail PDF


  • Filesize: 0.99 MB
  • 32 pages

Document Identifiers

Author Details

Jens Dietrich
Kamil Jezek
Shawn Rasheed
Amjed Tahir
Alex Potanin

Cite AsGet BibTex

Jens Dietrich, Kamil Jezek, Shawn Rasheed, Amjed Tahir, and Alex Potanin. Evil Pickles: DoS Attacks Based on Object-Graph Engineering. In 31st European Conference on Object-Oriented Programming (ECOOP 2017). Leibniz International Proceedings in Informatics (LIPIcs), Volume 74, pp. 10:1-10:32, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2017)


In recent years, multiple vulnerabilities exploiting the serialisation APIs of various programming languages, including Java, have been discovered. These vulnerabilities can be used to devise in- jection attacks, exploiting the presence of dynamic programming language features like reflection or dynamic proxies. In this paper, we investigate a new type of serialisation-related vulnerabilit- ies for Java that exploit the topology of object graphs constructed from classes of the standard library in a way that deserialisation leads to resource exhaustion, facilitating denial of service attacks. We analyse three such vulnerabilities that can be exploited to exhaust stack memory, heap memory and CPU time. We discuss the language and library design features that enable these vulnerabilities, and investigate whether these vulnerabilities can be ported to C#, Java- Script and Ruby. We present two case studies that demonstrate how the vulnerabilities can be used in attacks on two widely used servers, Jenkins deployed on Tomcat and JBoss. Finally, we propose a mitigation strategy based on contract injection.
  • serialisation
  • denial of service
  • degradation of service
  • Java
  • C#
  • JavaScript
  • Ruby
  • vulnerabilities
  • library design
  • collection libraries


  • Access Statistics
  • Total Accesses (updated on a weekly basis)
    PDF Downloads


  1. Mehmud Abliz. Internet denial of service attacks and defense mechanisms. University of Pittsburgh, Department of Computer Science, Technical Report, 2011. Google Scholar
  2. Glenn Ammons, Thomas Ball, and James R Larus. Exploiting hardware performance counters with flow and context sensitive profiling. In Proceedings PLDI'97. ACM, 1997. Google Scholar
  3. Godmar Back and Wilson C. Hsieh. The kaffeos java runtime system. ACM Trans. Program. Lang. Syst., 27(4):583-630, July 2005. URL: http://dx.doi.org/10.1145/1075382.1075383.
  4. Antoine Beugnard, Jean-Marc Jézéquel, Noël Plouzeau, and Damien Watkins. Making components contract aware. Computer, 32(7):38-45, 1999. Google Scholar
  5. Walter Binder, Jane G. Hulaas, and Alex Villazón. Portable resource control in java. In Proceedings OOPSLA '01, pages 139-155. ACM, 2001. Google Scholar
  6. Stephen M Blackburn, Robin Garner, Chris Hoffmann, Asjad M Khang, Kathryn S McKinley, Rotem Bentzur, Amer Diwan, Daniel Feinberg, Daniel Frampton, Samuel Z Guyer, et al. The dacapo benchmarks: Java benchmarking development and analysis. In Proceedings OOPSLA '06. ACM, 2006. Google Scholar
  7. Joshua Bloch. Effective Java (2nd Edition) (The Java Series). Prentice Hall PTR, NJ, USA, 2 edition, 2008. Google Scholar
  8. Stephen Breen. What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability, 2015. [Online; accessed 5-November-2016]. URL: https://goo.gl/cx7X4D.
  9. Richard Chang, Guofei Jiang, Franjo Ivancic, Sriram Sankaranarayanan, and Vitaly Shmatikov. Inputs of coma: Static detection of denial-of-service vulnerabilities. In Proceedings CSF'09, pages 186-199. IEEE, 2009. Google Scholar
  10. Cristina Cifuentes, Andrew Gross, and Nathan Keynes. Understanding caller-sensitive method vulnerabilities: A class of access control vulnerabilities in the java platform. In Proceedings SOAP'15, pages 7-12. ACM, 2015. Google Scholar
  11. David G Clarke, John M Potter, and James Noble. Ownership types for flexible alias protection. In Proceedings OOPSLA'98. ACM, 1998. Google Scholar
  12. Wouter Coekaerts. SerialDOS, 2015. [Online; accessed 31-October-2016]. URL: https://gist.github.com/coekie/a27cc406fc9f3dc7a70d.
  13. CVE-2003-1564 (Billion Laughs), 2003. [Online; accessed 31-October-2016]. URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1564.
  14. CVE-2012-0160 (.NET Framework Serialization Vulnerability), 2012. [Online; accessed 31-October-2016]. URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0160.
  15. CVE-2012-0161 (.NET Framework Serialization Vulnerability), 2012. [Online; accessed 31-October-2016]. URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0161.
  16. CVE-2012-4406 (Deserialization Vulnerability in OpenStack Object Storage), 2012. [Online; accessed 3-December-2016]. URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4406.
  17. CVE-2013-0269 (Denial of Service and Unsafe Object Creation Vulnerability in JSON), 2013. [Online; accessed 31-October-2016]. URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0269.
  18. CVE-2015-2937 (MediaWiki quadratic blowup vulnerability), 2015. [Online; accessed 3-December-2016]. URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2937.
  19. CVE-2013-3171 (Delegate Serialization Vulnerability), 2016. [Online; accessed 31-October-2016]. URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3171.
  20. Scott A Crosby and Dan S Wallach. Denial of service via algorithmic complexity attacks. In Proceedings of 21th Usenix Security Symposium, volume 2, 2003. Google Scholar
  21. CVE-2009-1190 (Algorithmic Complexity Vulnerability in java.util.regex.Pattern.compile), 2009. [Online; accessed 31-October-2016]. URL: http://www.cvedetails.com/cve/CVE-2009-1190/.
  22. CVE-2015-6420 (Vulnerability in Java Deserialization), 2015. [Online; accessed 31-October-2016]. URL: http://www.cvedetails.com/cve/CVE-2015-6420/.
  23. CVE-2016-2510 (Vulnerability in Java Deserialization), 2016. [Online; accessed 31-October-2016]. URL: http://www.cvedetails.com/cve/CVE-2016-2510/.
  24. Oracle » JRE: Vulnerability Statistics, 2016. [Online; accessed 15-December-2016]. URL: https://www.cvedetails.com/product/19117/Oracle-JRE.html?vendor_id=93.
  25. Grzegorz Czajkowski and Thorsten von Eicken. Jres: A resource accounting interface for java. In Proceedings OOPSLA '98, pages 21-35. ACM, 1998. Google Scholar
  26. Joseph D. Darcy. JDK Release Types and Compatibility Regions, 2009. [Online; accessed 5-November-2016]. URL: https://blogs.oracle.com/darcy/entry/release_types_compatibility_regions.
  27. Jens Dietrich, Nicholas Hollingum, and Bernhard Scholz. Giga-scale exhaustive points-to analysis for java in under a minute. In OOPSLA'15. ACM, 2015. Google Scholar
  28. ECMAScript Language Specification, Standard ECMA-262 5.1 Edition / June 2011, 2011. [Online; accessed 31-October-2016]. URL: http://www.ecma-international.org/ecma-262/5.1/index.html.
  29. ECMAScript 2015 Language Specification, Standard ECMA-262 6th Edition / June 2015, 2015. [Online; accessed 31-October-2016]. URL: http://www.ecma-international.org/ecma-262/6.0/index.html.
  30. G. Endignoux, O. Levillain, and J. Y. Migeon. Caradoc: A pragmatic approach to pdf parsing and validation. In 2016 IEEE Security and Privacy Workshops (SPW), pages 126-139, May 2016. URL: http://dx.doi.org/10.1109/SPW.2016.39.
  31. Kryo: Java serialization and cloning: fast, efficient, automatic, 2016. [Online; accessed 31-October-2016]. URL: https://github.com/EsotericSoftware/kryo.
  32. Christopher Frohoff and Gabriel Lawrence. Marshalling Pickles, 2015. [Online; accessed 31-October-2016]. URL: http://frohoff.github.io/appseccali-marshalling-pickles/.
  33. Erich Gamma, John Vlissides, Ralph Johnson, and Richard Helm. Design patterns: elements of reusable object-oriented software. Addison-Wesley, 1994. Google Scholar
  34. Brian Goetz and Tim Peierls. Java concurrency in practice. Pearson Education, 2006. Google Scholar
  35. Protocol Buffers, 2016. [Online; accessed 30-November-2016]. URL: https://developers.google.com/protocol-buffers/.
  36. Ben Greenman, Fabian Muehlboeck, and Ross Tate. Getting f-bounded polymorphism into shape. In Proceedings PLDI'14. ACM, 2014. Google Scholar
  37. Gu and Liu. Denial of Service Attacks, 2015. [Online; accessed 5-November-2016]. URL: https://s2.ist.psu.edu/paper/ddos-chap-gu-june-07.pdf.
  38. Chris Hawblitzel and Thorsten von Eicken. Luna: A flexible java protection system. In Proceedings OSDI '02, pages 391-403. ACM, 2002. Google Scholar
  39. Maurice P Herlihy and Barbara Liskov. A value transmission method for abstract data types. ACM Transactions on Programming Languages and Systems (TOPLAS), 4(4):527-551, 1982. Google Scholar
  40. Benjamin Holland, Ganesh Ram Santhanam, Payas Awadhutkar, and Suresh Kothari. Statically-informed dynamic analysis tools to detect algorithmic complexity vulnerabilities. In Proceedings SCAM'16. IEEE, 2016. Google Scholar
  41. Philipp Holzinger, Stefan Triller, Alexandre Bartel, and Eric Bodden. An in-depth study of more than ten years of java exploitation. In Proceedings CCS'16. ACM, 2016. Google Scholar
  42. JSR 284: Resource Consumption Management API, 2016. [Online; accessed 1-December-2016]. URL: https://jcp.org/en/jsr/detail?id=284.
  43. Matthias Kaiser. Pwning Your Java Messaging With Deserialization Vulnerabilities, 2016. [Online; accessed 31-October-2016]. URL: https://goo.gl/5ZQku0.
  44. Tomas Kalibera and Richard Jones. Rigorous benchmarking in reasonable time. In Proceedings ISMM’13, pages 63-74. ACM, 2013. Google Scholar
  45. Gregor Kiczales, Erik Hilsdale, Jim Hugunin, Mik Kersten, Jeffrey Palm, and William G Griswold. An overview of aspectj. In Proceedings ECOOP '01, pages 327-354. Springer, 2001. Google Scholar
  46. Nicolas Le Sommer and Frédéric Guidec. A contract-based approach of resource-constrained software deployment. In Proceedings CD'02. Springer, 2002. Google Scholar
  47. Benjamin Livshits, Manu Sridharan, Yannis Smaragdakis, Ondrej Lhoták, José Nelson Amaral, Bor-Yuh Evan Chang, Samuel Z Guyer, Uday P Khedker, Anders Møller, and Dimitrios Vardoulakis. In defense of soundiness: a manifesto. Commun. ACM, 58(2):44-46, 2015. Google Scholar
  48. Fred Long. Software vulnerabilities in java. Technical Report CMU/SEI-2005-TN-044, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA, 2005. URL: http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=7573.
  49. Luis Mastrangelo, Luca Ponzanelli, Andrea Mocci, Michele Lanza, Matthias Hauswirth, and Nathaniel Nystrom. Use at your own risk: the java unsafe api in the wild. In Proceedings OOSPSLA'15. ACM, 2015. Google Scholar
  50. Bertrand Meyer. Applying'design by contract'. Computer, 25(10):40-51, 1992. Google Scholar
  51. Heather Miller, Philipp Haller, Eugene Burmako, and Martin Odersky. Instant pickles: generating object-oriented pickler combinators for fast and extensible serialization. In Proceedings OOPSLA'13, pages 183-202. ACM, 2013. Google Scholar
  52. A. Muñoz and C. Schneider. The Perils of Java Deserialization, 2016. [Online; accessed 1-December-2016]. URL: https://community.hpe.com/t5/Security-Research/The-perils-of-Java-deserialization/ba-p/6838995#.WECzUsJ96cY.
  53. Alvaro Muñoz. Serial Killer: Silently Pwning Your Java Endpoints, 2016. [Online; accessed 3-December-2016]. URL: https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf.
  54. Oswaldo Olivo, Isil Dillig, and Calvin Lin. Static detection of asymptotic performance bugs in collection traversals. In Proceedings PLDI'15, pages 369-378. ACM, 2015. Google Scholar
  55. JEP 290: Filter Incoming Serialization Data, 2016. [Online; accessed 5-November-2016]. URL: http://openjdk.java.net/jeps/290.
  56. Or Peles and Roee Hay. One class to rule them all: 0-day deserialization vulnerabilities in android. In Proceedings WOOT'15. USENIX, 2015. Google Scholar
  57. Tomas Polesovsky. Java Deserialization Denial-of-Service Payloads, 2016. [Online; accessed 31-October-2016]. URL: http://topolik-at-work.blogspot.co.nz/2016/04/java-deserialization-dos-payloads.html.
  58. Xiaohu Qie, Ruoming Pang, and Larry Peterson. Defensive programming: Using an annotation toolkit to build dos-resistant software. ACM SIGOPS Operating Systems Review, 36(SI):45-60, 2002. Google Scholar
  59. Roger Riggs, Jim Waldo, Ann Wollrath, and Krishna Bharat. Pickling state in the java system. In Proceedings COOTS'96. USENIX, 1996. Google Scholar
  60. Luis Rodero-Merino, Luis M. Vaquero, Eddy Caron, Adrian Muresan, and Frédéric Desprez. Building safe paas clouds: A survey on security in multitenant software platforms. Comput. Secur., 31(1):96-108, February 2012. URL: http://dx.doi.org/10.1016/j.cose.2011.10.006.
  61. Christophe Scholliers, Éric Tanter, and Wolfgang De Meuter. Computational contracts. Science of Computer Programming, 98(P3):360-375, 2015. Google Scholar
  62. Marc Schönefeld. Refactoring of Security Antipatterns in Distributed Java Components. Schriften aus der Fakultät Wirtschaftsinformatik und Angewandte Informatik der Otto-Friedrich-Universität Bamberg. University of Bamberg Press, 2010. Google Scholar
  63. Robert W Shirey. Internet security glossary, version 2, 2007. [Online; accessed 25-November-2016]. URL: https://tools.ietf.org/html/rfc4949.
  64. Steve Sounders. Velocity and the Bottom Line, 2009. [Online; accessed 25-November-2016]. URL: http://radar.oreilly.com/2009/07/velocity-making-your-site-fast.html.
  65. Christopher Späth, Christian Mainka, Vladislav Mladenov, and Jörg Schwenk. Sok: Xml parser vulnerabilities. In Proceedings WOOT'16. USENIX, 2016. Google Scholar
  66. Katrina Tsipenyuk, Brian Chess, and Gary McGraw. Seven pernicious kingdoms: a taxonomy of software security errors. IEEE Security Privacy, 3(6):81-84, Nov 2005. URL: http://dx.doi.org/10.1109/MSP.2005.159.
  67. Changzhou Wang, Guijun Wang, Haiqin Wang, Alice Chen, and Rodolfo Santiago. Quality of service (qos) contract specification, establishment, and monitoring for service level management. In Proceedings EDOCW'06. IEEE, 2006. Google Scholar
  68. Xstream, a simple library to serialize objects to xml and back again, 2016. [Online; accessed 31-October-2016]. URL: http://x-stream.github.io/.
Questions / Remarks / Feedback

Feedback for Dagstuhl Publishing

Thanks for your feedback!

Feedback submitted

Could not send message

Please try again later or send an E-mail