Tag

ODDFuzz

AntTech
Apr 19, 2023 · Information Security

ODDFuzz: Discovering Java Deserialization Vulnerabilities via Structure‑Aware Directed Greybox Fuzzing

The paper presents ODDFuzz, a structure‑aware directed greybox fuzzing framework that combines lightweight static taint analysis with targeted fuzzing to efficiently discover previously unknown Java deserialization (ODD) vulnerabilities, achieving higher recall and precision than existing tools and uncovering six new CVE‑rated bugs in popular Java frameworks.

Java · ODDFuzz · deserialization