Combating Java Deserialisation Vulnerabilities with Look-Ahead Object Input Streams (LAOIS)

Abstract

Java Serialisation is an important and useful feature of Core Java that allows developers to transform a graph of Java objects into a stream of bytes for storage or transmission and then back into a graph of Java objects.

Unfortunately, the Java Serialisation architecture is highly insecure and has led to numerous vulnerabilities, including remote code execution (RCE) and denial-of-service (DoS) attacks. Any Java program that deserialises a stream is susceptible to such vulnerabilities unless proper mitigations are taken.

One such mitigation strategy is look-ahead deserialisation or look-ahead object input streams (LAOIS). This whitepaper examines Java deserialisation vulnerabilities and evaluates various LAOIS solutions including JDK Enhancement Proposal (JEP) 290.
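The two LAOIS styles the abstract refers to, as an added example that is not code from the whitepaper or its authors: a `resolveClass()` hook with an allow-list (the pre-JEP 290 technique) beside the equivalent JEP 290 `ObjectInputFilter`. The class `LaoisDemo`, the allow-list contents and the `HashMap` stand-in for a disallowed class are assumptions made for the demo.

```java
import java.io.*;
import java.util.*;

// Added example, not code from the whitepaper. Both variants check the class
// name as each class descriptor is read, i.e. before any instance of the
// incoming class is created, so a disallowed class never reaches readObject().
public class LaoisDemo {
    // Serialisable superclasses must be listed too: the stream carries a
    // descriptor for java.lang.Number (Integer's parent), which is resolved as well.
    static final Set<String> ALLOWED = Set.of(
        "java.util.ArrayList", "java.lang.Integer", "java.lang.Number");

    // 1) Look-ahead via resolveClass(): reject before the class is loaded or used.
    static class LookAheadObjectInputStream extends ObjectInputStream {
        LookAheadObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on the deserialisation allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    // 2) JEP 290 (Java 9+): pattern filter plus resource limits against DoS streams.
    //    First matching pattern wins; the trailing "!*" rejects everything else.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "java.util.ArrayList;java.lang.Integer;java.lang.Number;maxdepth=5;maxrefs=100;!*");

    static Object readLookAhead(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new LookAheadObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    static byte[] serialise(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] ok  = serialise(new ArrayList<>(List.of(1, 2, 3)));
        byte[] bad = serialise(new HashMap<>());  // benign stand-in for a class not on the list
        System.out.println(readLookAhead(ok) + " / " + readFiltered(ok));  // both accept
        try { readLookAhead(bad); } catch (InvalidClassException e) { System.out.println("LAOIS: " + e); }
        try { readFiltered(bad); }  catch (InvalidClassException e) { System.out.println("JEP 290: " + e); }
    }
}
```

The `resolveClass()` hook is not consulted for dynamic-proxy descriptors, so a hand-rolled LAOIS must also override `resolveProxyClass()`; the JEP 290 filter sees every class in the stream and can additionally be applied process-wide with `-Djdk.serialFilter=`.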
