JCON ONLINE 2022

In fact, Java serialization was well designed for its intended purposes. In the 1990s, big issues of the day were the transparent persistence of objects and distributed objects. Transparent persistence is the ability to save and restore objects without requiring explicit code in those objects. With distributed objects, objects and interactions between objects are transmitted over a network, as in Java RMI. In the context of the late 1990s, Java serialization supported both goals quite well. Over the years, the design flaws and security weaknesses were recognized. We will discuss how data serialization and deserialization are used in software, the dangers of deserializing untrusted input, and how to avoid deserialization vulnerabilities.