SBOM.EXE: Countering Dynamic Code Injection based on Software Bill of Materials in Java

Aman Sharma, Martin Wittlinger, Benoit Baudry, Martin Monperrus

TL;DR

The paper addresses runtime code injection in Java that exploits dynamic class loading. It proposes SBOM.EXE, which builds a comprehensive BOMI that aggregates environment, supply-chain, and runtime classes and enforces it at runtime via a Java agent, aided by bytecode canonicalization to handle non-determinism. The approach mitigates three high-profile CVEs (Log4Shell, H2, Commons Configuration) while remaining compatible with real-world applications like PDFBox, ttorrent, and GraphHopper, with modest overhead after warm-up. This runtime integrity mechanism leverages SBOM data to block potentially malicious dynamic classes, offering a practical defense against dynamic class-loading attacks in Java.

Abstract

Software supply chain attacks have become a significant threat as software development increasingly relies on contributions from multiple, often unverified sources. The code from unverified sources does not pose a threat until it is executed. Log4Shell is a recent example of a supply chain attack that processed a malicious input at runtime, leading to remote code execution. It exploited the dynamic class loading facilities of Java to compromise the runtime integrity of the application. Traditional safeguards can mitigate supply chain attacks at build time, but they have limitations in mitigating runtime threats posed by dynamically loaded malicious classes. This calls for a system that can detect these malicious classes and prevent their execution at runtime. This paper introduces SBOM.EXE, a proactive system designed to safeguard Java applications against such threats. SBOM.EXE constructs a comprehensive allowlist of permissible classes based on the complete software supply chain of the application. This allowlist is enforced at runtime, blocking any unrecognized or tampered classes from executing. We assess SBOM.EXE's effectiveness by mitigating 3 critical CVEs based on the above threat. We run our tool with 3 open-source Java applications and report that our tool is compatible with real-world applications with minimal performance overhead. Our findings demonstrate that SBOM.EXE can effectively maintain runtime integrity with minimal performance impact, offering a novel approach to fortifying Java applications against dynamic classloading attacks.
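The runtime enforcement step summarized above can be sketched as a Java agent that hashes every class at load time and compares it with an allowlist; this is an added example, not SBOM.EXE's implementation, and it leaves out bytecode canonicalization, so classes generated non-deterministically at runtime would be rejected. The class name `AllowlistAgent`, the index file format and the choice to halt the JVM on a mismatch are assumptions made for the illustration.

```java
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.ProtectionDomain;
import java.util.*;

// Added illustration, not SBOM.EXE's code. Requires Java 17+ (HexFormat) and a jar
// manifest with Premain-Class: AllowlistAgent. Start: -javaagent:agent.jar=<index file>
public final class AllowlistAgent {

    // Hypothetical index format: "<internal/class/Name> <sha256-hex>" per line.
    static Map<String, Set<String>> loadIndex(Path file) throws Exception {
        Map<String, Set<String>> index = new HashMap<>();
        for (String line : Files.readAllLines(file)) {
            String[] parts = line.trim().split("\\s+");
            if (parts.length == 2) {
                index.computeIfAbsent(parts[0], k -> new HashSet<>()).add(parts[1].toLowerCase());
            }
        }
        return index;
    }

    static String sha256(byte[] bytes) throws Exception {
        return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(bytes));
    }

    public static void premain(String args, Instrumentation inst) throws Exception {
        Map<String, Set<String>> index = loadIndex(Path.of(args));
        sha256(new byte[0]); // warm up digest classes before the hook is live
        inst.addTransformer(new ClassFileTransformer() {
            @Override
            public byte[] transform(ClassLoader loader, String name, Class<?> redefined,
                                    ProtectionDomain domain, byte[] classBytes) {
                try {
                    // name may be null (defineClass accepts a null name): treat as unknown.
                    Set<String> allowed = (name == null) ? null : index.get(name);
                    if (allowed == null || !allowed.contains(sha256(classBytes))) {
                        System.err.println("class not in allowlist, halting: " + name);
                        Runtime.getRuntime().halt(1); // an exception here would be ignored
                    }
                } catch (Exception e) {
                    Runtime.getRuntime().halt(1); // fail closed if hashing fails
                }
                return null; // null tells the JVM to keep the bytecode unchanged
            }
        });
    }
}
```

Because the hook also sees JDK classes loaded after startup, the index has to cover the runtime environment as well as the application's dependencies, which matches the environment and supply-chain scope described above.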

Paper Structure (33 sections, 1 equation, 3 figures, 5 tables)

This paper contains 33 sections, 1 equation, 3 figures, 5 tables.

Figures (3)

  • Figure 1: Overview of the Log4Shell vulnerability.
  • Figure 2: Overview of SBOM.exe, a novel system to detect and mitigate code injection attacks in Java systems.
  • Figure 3: Login screen of the H2 database engine with the malicious input and the default user credentials.