  Alexandre Bartel, Professor at Umeå University, has, in collaboration with European research colleagues, studied major weaknesses in one of the world's largest programming languages. Image: Mattias Pettersson

Press release

Major security flaws in Java applications – European researchers warn

Alexandre Bartel, Professor of Software Engineering and Security at Umeå University, in collaboration with several European researchers, has extensively analysed weaknesses in software written in one of the world's most widely used programming languages.

“This involves flaws in the processes that retrieve and recreate information – such as customer accounts, transactions, or patient records. These vulnerabilities can create huge costs for businesses, governments and public authorities.”

Java is behind applications used in mobile games, robots, embedded systems or business applications. Over the years, several security flaws have been reported and now European researchers have investigated whether and how these have been addressed. They have looked at Java products that use deserialisation, the process of restoring packaged information to its previous state, such as user settings, game functions, shopping carts or banking applications, and carried out an in-depth analysis of existing vulnerabilities and attacks.

Big companies affected

“We have identified weaknesses and how they have been addressed. The problem is that the programmers seem to repeat the same mistakes over and over again and therefore reintroduce the vulnerabilities”, Professor Bartel says.
In the study "An In-Depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities", which was conducted in collaboration with Eric Bodden, Professor at Paderborn University, Yves Le Traon, Professor at the Université du Luxembourg and Imen Sayar, now researcher at INRIA, several examples are given:

  • Flaws in PayPal's critical applications – gave access to production databases
  • Vulnerabilities at the San Francisco Department of Transportation – the attackers gained control of 2,000 computers and blocked the payment systems
  • Equifax, the largest credit reporting agency in the US – suffered an attack in which the attacker managed to steal 147.7 million pieces of personal data

What the European researchers see is that the stream of bytes carrying the information is open to modification by attackers. “It is during the actual deserialisation process, when the information is recreated, that the attacker can gain total control over the receiving system. Even very small changes in the code can make systems vulnerable to attacks”, Alexandre Bartel says.

Serious flaws

Most Java programs rely on external libraries and there is no easy way to fix the affected systems. Alexandre Bartel argues that to prevent security flaws from being introduced in new code, the developers should avoid using Java deserialisation altogether. "Our findings suggest that the entire supply chain of the developed application should be thoroughly verified throughout the application's lifecycle. The findings are very serious as they have the potential to be costly, not only for companies but also for society at large", says Alexandre Bartel.
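Where a legacy component cannot yet drop Java serialisation as Bartel recommends, the usual containment step is a deserialisation filter (JEP 290, Java 9 and later) that rejects every class not explicitly allowed and caps the size of the object graph. The following is an added example written for this page, not code from the study or from the researchers; the package com.example.app.dto is a placeholder for the application's own data classes.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;

public final class FilteredDeserializer {

    // Allowlist filter (JEP 290, Java 9+). Assumption: the application's own
    // serialisable DTOs live under the placeholder package com.example.app.dto.
    // "!*" rejects every class not matched by a positive pattern, and the
    // limits cap deeply nested or oversized object graphs from untrusted input.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxrefs=1000;maxbytes=65536;maxarray=1000;"
            + "com.example.app.dto.**;"
            // java.lang.Object is needed because ArrayList checks its Object[] backing array
            + "java.lang.Object;java.lang.String;java.lang.Integer;java.lang.Long;"
            + "java.util.ArrayList;"
            + "!*");

    /** Deserialises untrusted bytes; a class outside the allowlist raises InvalidClassException. */
    public static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FILTER);   // must be installed before readObject()
            return in.readObject();
        }
    }

    // Produces constructed sample input for the demo in main().
    static byte[] serialise(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Accepted: an ArrayList of String is covered by the allowlist.
        Object ok = readFiltered(serialise(new ArrayList<>(List.of("cart-item-1", "cart-item-2"))));
        System.out.println("accepted: " + ok);

        // Rejected: java.util.Date is not on the allowlist, so the stream is refused
        // before that class is resolved and before any of its readObject logic runs.
        try {
            readFiltered(serialise(new Date()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter is a containment measure only: a class on the allowlist can still be abused if its own deserialisation logic is unsafe, which is why the researchers' advice to avoid Java deserialisation where possible still stands.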

Received considerable interest

The study has attracted considerable interest and was published in the highly regarded and selective Transactions on Software Engineering and Methodology journal, TOSEM, of the Association of Computing Machinery, ACM. The findings were also presented at ICSE, the International Conference on Software Engineering, which is one of the most prestigious conferences in the field.

Bartel and his research group are now developing methods to more efficiently detect these vulnerabilities and prevent attacks.

ABOUT Serialisation and deserialisation
Processes in computer science that save a data structure or object state in a format that can be stored or transferred to another computing environment. Serialisation "translates" data structures into a stream of bytes so they can be kept in memory or in a file, or sent to another machine; deserialisation reverses that step. Examples include:
  • Pharmaceutical systems, where governments require packaging to be coded so that it can be tracked throughout the supply chain.
  • Game development: storing and loading game data such as player progress, settings and saved games.
  • Financial sector: storage and transmission of data on financial transactions between banks and other financial systems.

Umeå University
Umeå University is one of Sweden’s largest institutions of higher education with over 37,000 students and 4,300 faculty and staff. The university is home to a wide range of high-quality education programmes and world-class research in a number of fields. Umeå University was also where the revolutionary gene-editing tool CRISPR-Cas9 was discovered that has been awarded the Nobel Prize in Chemistry.

At Umeå University, distances are short. The university's unified campus encourages academic meetings, an exchange of ideas and interdisciplinary co-operation, and promotes a dynamic and open culture in which students and staff rejoice in the success of others.

Contacts

Sara-Lena Brännström

Communications officer Faculty of Science & Technology +46 90 786 72 24

Umeå University

Umeå University is one of Sweden's largest universities with over 37,000 students and 4,300 employees. The university is home to a wide range of education programmes and world-class research in a number of fields. Umeå University was also where the gene-editing tool CRISPR-Cas9 was discovered – a revolution in gene-technology that was awarded the 2020 Nobel Prize in Chemistry.

Founded in 1965, Umeå University is characterised by tradition and stability as well as innovation and change. Education and research on a high international level contributes to new knowledge of global importance, inspired, among other things, by the 2030 Agenda for Sustainable Development. The university houses creative and innovative people that take on societal challenges. Through long-term collaboration with organisations, trade and industry, and other universities, Umeå University continues to develop northern Sweden as a knowledge region.

The international atmosphere at the university and its unified campus encourages academic meetings, an exchange of ideas and interdisciplinary co-operation. The cohesive environment enables a strong sense of community and a dynamic and open culture in which students and staff rejoice in the success of others.

Campus Umeå and Umeå Arts Campus are only a stone's throw away from Umeå town centre and are situated next to one of Sweden's largest and most well-renowned university hospitals. The university also has campuses in the neighbouring towns Skellefteå and Örnsköldsvik.

At Umeå University, you will also find the highly-ranked Umeå Institute of Design, the environmentally certified Umeå School of Business, Economics and Statistics and the only architectural school with an artistic orientation – Umeå School of Architecture. The university also hosts a contemporary art museum Bildmuseet and Umeå's science centre – Curiosum. Umeå University is one of Sweden's five national sports universities and hosts an internationally recognised Arctic Research Centre.