Project Level: Honours

 

This is a joint project with Oracle, whose expertise lies in program analysis and security. The candidate should have a strong background in probability (e.g. knowledge of Markov models, Bayesian inference, MCMC methods, etc.). A good understanding of programming languages is desirable.

Deserialisation is the process of creating an in-memory data structure or object from a persistent format (e.g. bytes, JSON, XML), and it is common to many programming languages, such as Java and Python. To recreate objects in memory, language runtimes execute code (e.g. constructors), meaning that an attacker who controls the serialised payload can often achieve arbitrary code execution by chaining together gadgets that sit on the class path of an application. In this project, we want to explore how probabilistic programming could help estimate the likelihood that a class or a sequence of classes could be turned into a deserialisation gadget chain. The project will involve collecting benign and malicious deserialisation payloads, performing lightweight static analysis to extract code features, and designing various probabilistic programs to detect malicious deserialisation payloads.
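The pipeline described above (collect payloads, extract features statically, score them with a probabilistic model) can be sketched on a small scale. The following is an added example, not code from the project: it assumes Python pickle payloads in protocols 0 to 3 rather than Java class-path gadgets, uses the set of imported modules as the only feature, and stands in a Bernoulli naive Bayes model with Beta(1,1) priors for the probabilistic programs the project would design. All payloads are constructed samples and are never unpickled.

```python
import math
import pickle
import pickletools
from datetime import timedelta
from decimal import Decimal
from fractions import Fraction

def imported_modules(payload: bytes) -> frozenset:
    """Modules a pickle would import, read from its opcodes without unpickling it."""
    # Covers GLOBAL/INST (protocols 0-3); protocol 4+ STACK_GLOBAL is out of scope.
    return frozenset(arg.split(" ")[0]
                     for op, arg, _pos in pickletools.genops(payload)
                     if op.name in ("GLOBAL", "INST"))

def fit(benign, malicious):
    """Bernoulli naive Bayes with a Beta(1,1) prior on every per-module probability."""
    data = {"benign": [imported_modules(p) for p in benign],
            "malicious": [imported_modules(p) for p in malicious]}
    vocab = frozenset().union(*data["benign"], *data["malicious"])
    total = sum(len(rows) for rows in data.values())
    model = {}
    for label, rows in data.items():
        theta = {m: (sum(m in r for r in rows) + 1) / (len(rows) + 2) for m in vocab}
        model[label] = ((len(rows) + 1) / (total + 2), theta)
    return model

def p_malicious(model, payload: bytes) -> float:
    """Posterior probability that the payload is malicious; unseen modules are ignored."""
    seen = imported_modules(payload)
    joint = {}
    for label, (prior, theta) in model.items():
        joint[label] = math.log(prior) + sum(
            math.log(t if m in seen else 1 - t) for m, t in theta.items())
    top = max(joint.values())
    weights = {k: math.exp(v - top) for k, v in joint.items()}
    return weights["malicious"] / sum(weights.values())

def dump(obj) -> bytes:
    return pickle.dumps(obj, protocol=2, fix_imports=False)

# Constructed training set. The malicious entries are hand-written opcode strings
# with harmless arguments; nothing in this example ever calls pickle.loads.
BENIGN = [dump({"user": "alice"}), dump([1, 2, 3]), dump(Decimal("1.5")),
          dump(Fraction(1, 3)), dump(timedelta(days=1))]
MALICIOUS = [b"cos\nsystem\n(S'true'\ntR.", b"csubprocess\ncall\n((S'true'\nltR.",
             b"cos\npopen\n(S'true'\ntR."]
MODEL = fit(BENIGN, MALICIOUS)

if __name__ == "__main__":
    print(round(p_malicious(MODEL, b"cos\nsystem\n(S'echo constructed'\ntR."), 3))
```

Module names are a coarse feature: a module the model has never seen contributes nothing to the score, so a richer feature set (for example, which callables are invoked) would be the natural next step.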

Project members

Dr Nan Ye

Lecturer in Statistics & Data Science
Mathematics