Why blacklists are bad
Application developers have gotten into the habit of mitigating deserialization risks by creating blacklists of classes that could be dangerous when deserialized, and as watchTowr explains, this was also Veeam's approach when addressing CVE-2024-40711. However, history has shown that blacklists are rarely complete: the list only covers gadgets somebody already knows about, while the product's own classes and its third-party dependencies keep supplying new ones.
“Blacklists (also known as block-lists or deny-lists) are based on a very optimistic (and provably flawed) idea that we can simply make a list of all the bad classes, and we just keep a record of everything bad that can be executed and update our list as and when new bad is released,” the researchers wrote.
“Luckily, as an industry, we actually already have a list of all the bad classes in the world, and so this is flawless logic. There are a couple of bitter truths though: This is a lie. While we can agree that nowadays it's extremely hard to find new deserialization gadgets in programming languages and frameworks (although still possible), products have their own codebase and can contain abusable classes that can be misused during deserialization,” the researchers added. “That is before we even get on to third party libraries.”
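The following is an added illustration of the point the researchers make, written for this page and not taken from Veeam or watchTowr. It uses Python's pickle rather than the .NET serializer Veeam uses, because the pattern is the same in both: a deny-list hook (here `Unpickler.find_class`, the analogue of a .NET `SerializationBinder`) that blocks known-bad callables, sitting next to an allow-list hook that only resolves the types the product expects. The "product" code (`launch_tool`, `BackupJobDTO`), the gadget, and the payload are all constructed for the example; no real product or vulnerability is modelled.

```python
"""Deny-list vs allow-list deserialization hooks (constructed example)."""
import io
import pickle

# --- Constructed stand-in for a product's own codebase -----------------------
EXECUTED = []  # records what "ran"; stands in for a real side effect


def launch_tool(command):
    """Hypothetical helper shipped by the product that runs an external tool.
    It never appears on anyone's gadget deny list, yet anything that can name
    it with attacker-chosen arguments during deserialization owns the host."""
    EXECUTED.append(command)
    return 0


class BackupJobDTO:
    """The legitimate object the product expects to find in the stream."""

    def __init__(self, name, repo):
        self.name = name
        self.repo = repo


# --- Attacker-side payload builders (only used to produce bytes) --------------
class KnownBadGadget:
    """Names a callable every deny list knows about: builtins.eval."""

    def __reduce__(self):
        return (eval, ("1+1",))


class ProductGadget:
    """Names the product's own helper instead; no os/subprocess/eval anywhere."""

    def __init__(self, command):
        self.command = command

    def __reduce__(self):
        return (launch_tool, (self.command,))


# --- Mitigation 1: deny list -------------------------------------------------
# Note: on CPython os.system pickles under its implementation module
# ("posix"/"nt"), so the ("os", "system") entry would not even match. Keeping
# such a list correct is exactly the maintenance problem the researchers describe.
DENY_LIST = {
    ("os", "system"), ("subprocess", "Popen"),
    ("builtins", "eval"), ("builtins", "exec"),
}


class DenyListUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in DENY_LIST:
            raise pickle.UnpicklingError(f"blocked: {module}.{name}")
        return super().find_class(module, name)  # everything else resolves


# --- Mitigation 2: allow list ------------------------------------------------
ALLOW_LIST = {(BackupJobDTO.__module__, "BackupJobDTO")}


class AllowListUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOW_LIST:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"not permitted: {module}.{name}")


def load_with(unpickler_cls, data):
    """Return ("ok", obj) on success or ("rejected", reason) if the hook refuses."""
    try:
        return ("ok", unpickler_cls(io.BytesIO(data)).load())
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


def demo():
    """Run both hooks over a legitimate stream and two payloads."""
    EXECUTED.clear()
    legit = pickle.dumps(BackupJobDTO("nightly", "repo-01"))
    known_bad = pickle.dumps(KnownBadGadget())
    product_gadget = pickle.dumps(ProductGadget("tool --exfil"))
    return {
        "deny_legit": load_with(DenyListUnpickler, legit)[0],
        "deny_known_bad": load_with(DenyListUnpickler, known_bad)[0],
        "deny_product_gadget": load_with(DenyListUnpickler, product_gadget)[0],
        "executed": list(EXECUTED),  # populated by the deny-list run above
        "allow_legit": load_with(AllowListUnpickler, legit)[0],
        "allow_product_gadget": load_with(AllowListUnpickler, product_gadget)[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The deny list does what its author intended: the `eval` payload is refused. It is still bypassed by a stream that never mentions anything on the list and instead resolves `launch_tool` from the product's own module, which is the "abusable classes in the product's own codebase" case the researchers describe. The allow list rejects the same stream because the helper is simply not a type the product ever expects to deserialize, and it needs no update when a new gadget is found anywhere else.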