
ODDFuzz: Discovering Java Deserialization Vulnerabilities via Structure‑Aware Directed Greybox Fuzzing

The paper presents ODDFuzz, a structure‑aware directed greybox fuzzing framework that combines lightweight static taint analysis with targeted fuzzing to efficiently discover previously unknown Java deserialization (ODD) vulnerabilities, achieving higher recall and precision than existing tools and uncovering six new CVE‑rated bugs in popular Java frameworks.


1. Introduction

Recently, Ant Security’s offensive research lab collaborated with Yangzhou University and Tsinghua University on the paper ODDFuzz: Discovering Java Deserialization Vulnerabilities via Structure‑Aware Directed Greybox Fuzzing, which was accepted to IEEE S&P 2023, one of the four top conferences in network and system security and a CCF‑A recommended venue. The acceptance demonstrates the academic value of Ant’s vulnerability‑mining research.

Professor Zhang Chao of Tsinghua University highlighted that Java is a core language in banking, securities, insurance, Internet, and trusted‑computing domains, and that Open Dynamic Deserialization (ODD) vulnerabilities pose a serious threat. The collaboration produced ODDFuzz, a directed fuzzing approach that markedly improves the efficiency and effectiveness of ODD vulnerability discovery, finding previously unknown bugs in real‑world software.

Ant Security’s offensive lab focuses on Java security research, having discovered and patched high‑impact remote command execution bugs in Spring, WebLogic, Apache Dubbo, and other widely deployed frameworks, and its work has been accepted to top venues such as ICSE and IEEE S&P.

2. Background

Serialization converts an object’s state into a byte stream for transmission or storage; deserialization reconstructs the object. In micro‑service and remote‑call environments, serialization is ubiquitous, and maliciously crafted inputs can trigger arbitrary code execution via unsafe deserialization. Existing automated detection methods suffer from high false‑positive and false‑negative rates.

2.1 Open Dynamic Deserialization (ODD)

ODD refers to the ability of an application architecture to dynamically generate arbitrary object types during deserialization, improving flexibility but also exposing the system to uncontrolled object injection and remote code execution (RCE) attacks.

2.2 Threat Model

The model assumes an attacker can control a deserialization entry point, inject a malicious object, and cause the application to execute a chain of attacker‑controlled methods (a gadget chain) that reaches a security‑sensitive sink, e.g., in Oracle WebLogic Server.

3. Challenges

Existing tools struggle with (1) Java’s runtime polymorphism, leading to path explosion in static analysis; (2) constructing syntactically and semantically valid nested objects for fuzzing; and (3) guiding fuzzing toward security‑sensitive sinks because traditional coverage metrics are ineffective for directed gadget‑chain discovery.

4. Methodology

4.1 System Architecture

ODDFuzz consists of two main modules: (1) a call‑chain identification module that performs lightweight static taint analysis on compiled artifacts (JAR/WAR/Class) to enumerate candidate chains, and (2) a verification module that builds syntactically valid injection objects and drives a directed fuzzing loop with stepwise mutation and hybrid feedback. When a generated object reaches a sink, the corresponding chain is reported as exploitable.

4.2 Lightweight Taint Analysis

ODDFuzz extracts method summaries focusing on assign, load, store, and call statements, propagating taint from source variables to potential sinks. It enumerates 16 source methods and 30 sink methods covering RCE, JNDI injection, system‑resource access, and SSRF attacks. A depth‑first search over the taint graph, combined with class‑hierarchy analysis, yields candidate call chains while limiting traversal depth to avoid infinite loops.
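As an added illustration (not ODDFuzz's own code), the following Python sketch runs the chain enumeration described above over a constructed taint graph: per-method summaries already reduced to "a tainted value flows into this call" edges, class-hierarchy expansion of virtual calls, and a depth bound that stops a self-re-dispatching method from looping the search forever. All class and method names are hypothetical.

```python
from typing import Dict, List, Set

# Constructed method summaries: for each method, the callees that a tainted
# (attacker-controlled) value flows into. Names are hypothetical, not real gadgets.
SUMMARIES: Dict[str, List[str]] = {
    "DemoMap.readObject":          ["DemoKey.hashCode"],
    "DemoKey.hashCode":            [],
    "TiedKey.hashCode":            ["DemoMap.get"],
    "DemoMap.get":                 [],
    "LazyDemoMap.get":             ["Transformer.transform"],
    "Transformer.transform":       [],
    "ConstTransformer.transform":  [],
    "InvokeTransformer.transform": ["Method.invoke"],
    "CycleTransformer.transform":  ["Transformer.transform"],  # re-dispatch: a cycle
}
# Class-hierarchy analysis: a virtual call may dispatch to any overriding method.
OVERRIDES: Dict[str, List[str]] = {
    "DemoKey.hashCode":      ["TiedKey.hashCode"],
    "DemoMap.get":           ["LazyDemoMap.get"],
    "Transformer.transform": ["ConstTransformer.transform", "InvokeTransformer.transform",
                              "CycleTransformer.transform"],
}
SOURCES: Set[str] = {"DemoMap.readObject"}   # deserialization entry points
SINKS: Set[str] = {"Method.invoke"}          # security-sensitive operations

def resolve(callee: str) -> List[str]:
    """Expand a call site to its declared target plus every override (CHA)."""
    return [callee] + OVERRIDES.get(callee, [])

def find_chains(sources: Set[str], sinks: Set[str], max_depth: int = 6) -> List[List[str]]:
    """Depth-first search from each source; a path is reported when it reaches a sink.
    The depth bound makes the search terminate despite cycles such as CycleTransformer."""
    chains: List[List[str]] = []

    def dfs(method: str, path: List[str]) -> None:
        if method in sinks:
            chains.append(path)
            return
        if len(path) >= max_depth:     # traversal-depth limit
            return
        for callee in SUMMARIES.get(method, []):
            for target in resolve(callee):
                dfs(target, path + [target])

    for src in sorted(sources):
        dfs(src, [src])
    return sorted(chains, key=len)
```

Without the depth bound the CycleTransformer edge would re-enter Transformer.transform indefinitely; with it, each extra pass through the cycle yields one longer candidate chain until the limit is hit.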

4.3 Structure‑Aware Seed Generation

To create valid injection objects, ODDFuzz builds an attribute‑tree that mirrors the nested class hierarchy of a candidate chain. Each node represents a class or field; leaf nodes hold concrete primitive or reference values. The tree is populated via reflection, and linked sub‑trees are merged when a field’s type participates in the next controllable method.

4.4 Hybrid‑Feedback Seed Scheduling

ODDFuzz computes two feedback metrics for each seed: (a) seed distance, measured as the average basic‑block distance to the target sink using only blocks belonging to the candidate chain, and (b) controllable‑method coverage, i.e., how many branches of the chain have been exercised. Seeds with smaller distance and higher coverage receive more energy during fuzzing.
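The two metrics and the resulting energy, worked through in Python on a constructed chain CFG and three constructed seed traces (added example, not the project's code). The energy formula 1 + closeness + coverage fraction, the block graph and the traces are assumptions made here for illustration.

```python
from collections import deque

# Constructed CFG of one candidate chain, one basic block per "method:index"; dead-end
# blocks such as readObject:2 have no path to the sink and therefore no entry.
CFG_EDGES = {
    "readObject:0": ["readObject:1", "readObject:2"],
    "readObject:1": ["hashCode:0"],
    "hashCode:0":   ["hashCode:1", "hashCode:2"],
    "hashCode:1":   ["get:0"],
    "get:0":        ["get:1", "get:2"],
    "get:1":        ["transform:0"],
    "transform:0":  ["transform:1", "transform:2"],
    "transform:1":  ["SINK"],
}
CHAIN_METHODS = ["readObject", "hashCode", "get", "transform"]  # controllable methods

def block_distances(edges, sink):
    """BFS over the reversed CFG: number of edges from each block to the sink."""
    rev = {}
    for src, dsts in edges.items():
        for dst in dsts:
            rev.setdefault(dst, []).append(src)
    dist, queue = {sink: 0}, deque([sink])
    while queue:
        blk = queue.popleft()
        for pred in rev.get(blk, []):
            if pred not in dist:
                dist[pred] = dist[blk] + 1
                queue.append(pred)
    return dist

DIST = block_distances(CFG_EDGES, "SINK")

def seed_distance(trace):
    """Average distance of the executed chain blocks; blocks with no path to the sink are skipped."""
    ds = [DIST[b] for b in trace if b in DIST]
    return sum(ds) / len(ds) if ds else float("inf")

def chain_coverage(trace):
    """Number of controllable methods of the chain that the seed entered."""
    return len({b.split(":")[0] for b in trace} & set(CHAIN_METHODS))

def energy(trace):
    """Smaller distance and higher coverage -> more fuzzing energy for the seed."""
    sd = seed_distance(trace)
    closeness = 0.0 if sd == float("inf") else 1.0 - sd / max(DIST.values())
    return 1.0 + closeness + chain_coverage(trace) / len(CHAIN_METHODS)

SEEDS = {"A": ["readObject:0", "readObject:2"],
         "B": ["readObject:0", "readObject:1", "hashCode:0", "hashCode:2"],
         "C": ["readObject:0", "readObject:1", "hashCode:0", "hashCode:1", "get:0", "get:2"]}
```

Sorting the seed names by `energy` in descending order gives C, B, A: the seed that got deepest into the chain and closest to the sink is scheduled first.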

4.5 Stepwise Seed Mutation

Instead of raw bit‑flipping, ODDFuzz maps the structured object to a list of untyped bits (parameters). Mutations on these bits correspond to property‑level changes in the object. Primitive fields are mutated randomly; reference fields are replaced with randomly chosen subclasses; array fields receive random lengths and element values. The stepwise strategy gradually steers the object toward the sink.
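Attribute-tree seed generation (Section 4.3) and stepwise mutation (Section 4.5) in one added Python example, not the project's code: Python dataclasses stand in for the Java classes that ODDFuzz inspects through reflection, and the class names, field types and chain membership are all constructed for illustration.

```python
import random
from dataclasses import dataclass, fields, is_dataclass
from typing import List, get_origin

# Constructed stand-ins for Java classes (hypothetical names, not real gadgets);
# dataclass field metadata plays the role of Java reflection here.
@dataclass
class Transformer: pass
@dataclass
class ConstTransformer(Transformer):
    value: int = 0
@dataclass
class InvokeTransformer(Transformer):
    method_name: str = ""
    args: List[int] = None
@dataclass
class LazyDemoMap:
    factory: Transformer = None
    size: int = 0
SUBCLASSES = {Transformer: [ConstTransformer, InvokeTransformer]}
CHAIN_CLASSES = {"LazyDemoMap", "InvokeTransformer"}  # their methods lie on the chain

def pick_class(declared, rng=random, prefer_chain=True):
    """Sub-tree linking: prefer the subclass whose method is the next controllable one."""
    options = SUBCLASSES.get(declared, [declared])
    on_chain = [c for c in options if c.__name__ in CHAIN_CLASSES]
    return rng.choice(on_chain if prefer_chain and on_chain else options)

def build_value(t, rng=random, prefer_chain=True):
    if is_dataclass(t):                # reference field -> nested object (sub-tree)
        return build_object(pick_class(t, rng, prefer_chain), rng)
    if get_origin(t) is list:          # array field -> random length and elements
        return [rng.randint(0, 9) for _ in range(rng.randint(1, 4))]
    return rng.randint(0, 9) if t is int else rng.choice(["exec", "toString"])

def build_object(cls, rng=random):
    """Attribute tree: the object itself, each field a child, primitives at the leaves."""
    return cls(**{f.name: build_value(f.type, rng) for f in fields(cls)})

def parameters(obj, path=()):
    """Flatten the tree into the (path, owner, field) 'untyped bits' mutation works on."""
    for f in fields(obj):
        yield path + (f.name,), obj, f
        if is_dataclass(f.type):
            yield from parameters(getattr(obj, f.name), path + (f.name,))

def mutate(obj, rng=random):
    """Stepwise mutation: re-generate one property; a reference gets a random subclass."""
    path, owner, f = rng.choice(list(parameters(obj)))
    setattr(owner, f.name, build_value(f.type, rng, prefer_chain=False))
    return path
```

Because `factory` is declared as the base type, seed generation links in `InvokeTransformer` (the subclass on the chain), while a later reference mutation may swap it for any subclass, which is how the object drifts toward or away from the sink one property at a time.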

5. Evaluation

5.1 Effectiveness

Using the widely‑cited ysoserial dataset as a benchmark, ODDFuzz discovered 16 known gadget chains, whereas the best industrial tool (Gadget Inspector) and a recent academic approach (SerHybrid) each found only 3. This demonstrates superior recall and precision.

5.2 New Vulnerability Discoveries

Testing ODDFuzz on real‑world frameworks (Oracle WebLogic Server, Apache Dubbo, Sonatype Nexus) uncovered six previously unreported deserialization vulnerabilities, five of which have been assigned CVE identifiers. The tool has also been deployed internally at Ant Group, confirming its practical utility.

6. Conclusion

ODDFuzz implements a structure‑aware directed greybox fuzzing framework that automatically discovers Java ODD vulnerabilities with high effectiveness and efficiency. The evaluation validates its superiority, and the open‑source release (https://github.com/ODDFuzz/ODDFuzz) aims to foster further research in Java deserialization security.

Tags: Java, security, deserialization, fuzzing, vulnerability detection, ODDFuzz

Written by AntTech

Technology is the core driver of Ant's future creation.