Rating is available when the video has been rented.
This feature is not available right now. Please try again later.
Published on May 7, 2015
AppSec California 2015 - Day 2, Track 4, Slot 1
marshalling pickles: how deserializing objects will ruin your day
Object serialization technologies allow programs to easily convert in-memory objects to and from various binary and textual data formats for storage or transfer – but with great power comes great responsibility, because deserializing objects from untrusted data can ruin your day. We will look at historical and modern vulnerabilities across different languages and serialization technologies, including Python, Ruby, and Java, and show how to exploit these issues to achieve code execution. We will also cover some strategies to protect applications from these types of attacks.
“Chris Frohoff is a Cyber Security Engineer at Qualcomm with a focus on Application Security; he performs Application Security Assessments and Penetration Tests, and sometimes dabbles in Incident Response, Reverse Engineering, and general research mischief. In a former life, Chris developed enterprise web applications and services at Sony Network Entertainment and UC San Diego. His primary areas of geekdom include programming languages, parsers/compilers/interpreters, crypto, covert channels, HTTP/REST, and JVM stuff.
Gabriel Lawrence leads the Application Security team at Qualcomm, doing Application Security Assessments, Penetration Tests, Incident Response, Reverse Engineering, and anything else that comes his way. He’s developed enterprise applications, founded three startups, and run Information Security for UC San Diego.”