Why Black Lists are Bad
The Flawed Concept of Blacklisting
A common approach among application developers to mitigating deserialization risks is to create blacklists of classes that could be dangerous when deserialized. Veeam took this approach too when addressing CVE-2024-40711. History has shown, however, that blacklists are rarely complete.
The Limitations of Blacklisting
Blacklists, also known as block-lists or deny-lists, rest on the idea that a list of all bad classes can be compiled and kept up to date as new bad classes are introduced. As researchers have noted, that assumption is “very optimistic and provably flawed”.
The Reality of Blacklisting
The reality is that finding new deserialization gadgets in the programming languages and frameworks themselves is extremely difficult, but it remains possible. More importantly, every product has its own codebase, which can contain classes that are abusable during deserialization. This is before even considering third-party libraries, which add their own classes to the picture.
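The structural gap described above, as an added example that is not part of the original article: a deny-list filter for Python's pickle loader in the style of the Python documentation's "restricting globals" pattern. The deny-list and allow-list contents, and the two harmless sample objects, are constructed for this illustration; the allow-list variant goes beyond the text to show what a default-deny filter looks like by contrast.

```python
import collections
import io
import pickle
import uuid

# Constructed deny-list: rejects known-dangerous globals, admits everything
# else. That default is the structural weakness the article describes.
DENY_LIST = {("os", "system"), ("subprocess", "Popen")}
# Constructed allow-list: admits only the globals the application actually
# serializes and rejects everything else by default.
ALLOW_LIST = {("collections", "OrderedDict"), ("builtins", "set")}


class DenyListUnpickler(pickle.Unpickler):
    """Blacklist-style filter: blocks listed names, admits the rest."""

    def find_class(self, module, name):
        if (module, name) in DENY_LIST:
            raise pickle.UnpicklingError(f"denied: {module}.{name}")
        return super().find_class(module, name)


class AllowListUnpickler(pickle.Unpickler):
    """Allow-list filter: admits listed names, blocks the rest."""

    def find_class(self, module, name):
        if (module, name) not in ALLOW_LIST:
            raise pickle.UnpicklingError(f"not allowed: {module}.{name}")
        return super().find_class(module, name)


def load_with(unpickler_cls, data: bytes) -> str:
    """Return "ok" if the filter admits the payload, "blocked" if it rejects it."""
    try:
        unpickler_cls(io.BytesIO(data)).load()
        return "ok"
    except pickle.UnpicklingError:
        return "blocked"


def demo() -> dict:
    """Serialize two harmless objects; only the allow-list stops the unlisted one."""
    expected = pickle.dumps(collections.OrderedDict(a=1))  # what the app legitimately sends
    unlisted = pickle.dumps(uuid.UUID(int=0))              # a class nobody thought to list
    return {
        "deny_expected": load_with(DenyListUnpickler, expected),    # "ok"
        "deny_unlisted": load_with(DenyListUnpickler, unlisted),    # "ok": the gap in the list
        "allow_expected": load_with(AllowListUnpickler, expected),  # "ok"
        "allow_unlisted": load_with(AllowListUnpickler, unlisted),  # "blocked" by default
    }
```

The `deny_unlisted` result is the point: the deny-list never rejected anything it was not told about, so any class its author did not anticipate is accepted.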
The Importance of Context
The context in which blacklisting is implemented matters. The approach may look logical in isolation, but it rests on a flawed assumption, and a blacklist is not a foolproof answer to deserialization risks.
Conclusion
In conclusion, blacklists are not a reliable solution to deserialization risks: the approach rests on a flawed assumption, and the lists are rarely complete. Consider the context in which blacklisting is implemented, and look for alternative measures that mitigate deserialization risks effectively.
FAQs
Q: What is blacklisting?
A: Blacklisting, also known as block-listing or deny-listing, is an approach to mitigating deserialization risks by creating a list of classes that could be dangerous when deserialized.
Q: Why is blacklisting flawed?
A: Blacklisting is flawed because it assumes that a list of all bad classes can be compiled and kept up to date as new bad classes are introduced. That assumption is optimistic and provably flawed.
Q: What is the alternative to blacklisting?
A: Instead of relying on a blacklist, look for other measures that effectively mitigate deserialization risks. This may involve implementing additional security controls, such as input validation and data encryption, to ensure the security of the system.