SBOM.EXE: Countering Dynamic Code Injection based on Software Bill of Materials in Java
Aman Sharma, Martin Wittlinger, Benoit Baudry, and Martin Monperrus

TL;DR
SBOM.EXE is a proactive Java security system that constructs a supply chain-based allowlist of classes to prevent malicious dynamic class loading at runtime, effectively mitigating supply chain attacks like Log4Shell.
Contribution
Introduces SBOM.EXE, a novel runtime safeguard for Java applications that enforces a supply chain-based allowlist to prevent malicious class loading.
Findings
Successfully mitigated 3 critical CVEs.
Compatible with real-world applications with minimal performance overhead.
Effectively maintains runtime integrity against dynamic classloading attacks.
Abstract
Software supply chain attacks have become a significant threat as software development increasingly relies on contributions from multiple, often unverified sources. The code from unverified sources does not pose a threat until it is executed. Log4Shell is a recent example of a supply chain attack that processed a malicious input at runtime, leading to remote code execution. It exploited the dynamic class loading facilities of Java to compromise the runtime integrity of the application. Traditional safeguards can mitigate supply chain attacks at build time, but they have limitations in mitigating runtime threats posed by dynamically loaded malicious classes. This calls for a system that can detect these malicious classes and prevent their execution at runtime. This paper introduces SBOM.EXE, a proactive system designed to safeguard Java applications against such threats. SBOM.EXE…
Taxonomy
Topics: Advanced Malware Detection Techniques · Security and Verification in Computing · Software Engineering Research
