LiteCobra: Enhancing Java Deserialization Vulnerability Detection with Call Graph Pruning

Xiangyu Zhang; Yating Yang; Tian Song

doi:10.1109/ICC52391.2025.11161270

LiteCobra: Enhancing Java Deserialization Vulnerability Detection with Call Graph Pruning

Xiangyu Zhang
, Yating Yang^*
, Tian Song

^*Corresponding author for this work

Beijing Institute of Technology

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Java deserialization vulnerabilities have become a critical security threat, challenging to detect and even harder to exploit due to deserialization's flexible and customizable nature. Researchers have proposed code property graph methods for comprehensive program analysis and controllability analysis algorithms to filter out irrelevant method calls. However, existing approaches often face limitations in accuracy and efficiency, especially in complex Java deserialization scenarios, leaving a gap in fully addressing this security issue. To address the challenges in detecting Java deserialization gadget chains, this paper proposes LiteCobra - a method that employs edge-cut optimization for rapid call graph construction and uses a controllability analysis algorithm for efficient pruning during Java deserialization gadget chain discovery. Our tests on the ysoserial dataset show that LiteCobra reduces the false positive rate by 67.5% and enhances efficiency by 49.6% compared to state-of-the-art approaches for detecting Java deserialization vulnerabilities. These results indicate that LiteCobra significantly enhances efficiency while maintaining high accuracy in detecting Java deserialization gadget chains.

Original language	English
Title of host publication	ICC 2025 - IEEE International Conference on Communications
Editors	Matthew Valenti, David Reed, Melissa Torres
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	6383-6388
Number of pages	6
ISBN (Electronic)	9798331505219
DOIs	https://doi.org/10.1109/ICC52391.2025.11161270
Publication status	Published - 2025
Externally published	Yes
Event	2025 IEEE International Conference on Communications, ICC 2025 - Montreal, Canada Duration: 8 Jun 2025 → 12 Jun 2025

Publication series

Name	IEEE International Conference on Communications
ISSN (Print)	1550-3607

Conference

Conference	2025 IEEE International Conference on Communications, ICC 2025
Country/Territory	Canada
City	Montreal
Period	8/06/25 → 12/06/25

Keywords

Code property graph
Context sensitivity
Gadget chains
Java deserialization

Access to Document

10.1109/ICC52391.2025.11161270

Cite this

Zhang, X., Yang, Y., & Song, T. (2025). LiteCobra: Enhancing Java Deserialization Vulnerability Detection with Call Graph Pruning. In M. Valenti, D. Reed, & M. Torres (Eds.), ICC 2025 - IEEE International Conference on Communications (pp. 6383-6388). (IEEE International Conference on Communications). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/ICC52391.2025.11161270

Zhang, Xiangyu ; Yang, Yating ; Song, Tian. / LiteCobra : Enhancing Java Deserialization Vulnerability Detection with Call Graph Pruning. ICC 2025 - IEEE International Conference on Communications. editor / Matthew Valenti ; David Reed ; Melissa Torres. Institute of Electrical and Electronics Engineers Inc., 2025. pp. 6383-6388 (IEEE International Conference on Communications).

@inproceedings{8b50dd62c6934f37afde082488632c1c,

title = "LiteCobra: Enhancing Java Deserialization Vulnerability Detection with Call Graph Pruning",

abstract = "Java deserialization vulnerabilities have become a critical security threat, challenging to detect and even harder to exploit due to deserialization's flexible and customizable nature. Researchers have proposed code property graph methods for comprehensive program analysis and controllability analysis algorithms to filter out irrelevant method calls. However, existing approaches often face limitations in accuracy and efficiency, especially in complex Java deserialization scenarios, leaving a gap in fully addressing this security issue. To address the challenges in detecting Java deserialization gadget chains, this paper proposes LiteCobra - a method that employs edge-cut optimization for rapid call graph construction and uses a controllability analysis algorithm for efficient pruning during Java deserialization gadget chain discovery. Our tests on the ysoserial dataset show that LiteCobra reduces the false positive rate by 67.5\% and enhances efficiency by 49.6\% compared to state-of-the-art approaches for detecting Java deserialization vulnerabilities. These results indicate that LiteCobra significantly enhances efficiency while maintaining high accuracy in detecting Java deserialization gadget chains.",

keywords = "Code property graph, Context sensitivity, Gadget chains, Java deserialization",

author = "Xiangyu Zhang and Yating Yang and Tian Song",

note = "Publisher Copyright: {\textcopyright} 2025 IEEE.; 2025 IEEE International Conference on Communications, ICC 2025 ; Conference date: 08-06-2025 Through 12-06-2025",

year = "2025",

doi = "10.1109/ICC52391.2025.11161270",

language = "English",

series = "IEEE International Conference on Communications",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "6383--6388",

editor = "Matthew Valenti and David Reed and Melissa Torres",

booktitle = "ICC 2025 - IEEE International Conference on Communications",

address = "United States",

}

Zhang, X, Yang, Y & Song, T 2025, LiteCobra: Enhancing Java Deserialization Vulnerability Detection with Call Graph Pruning. in M Valenti, D Reed & M Torres (eds), ICC 2025 - IEEE International Conference on Communications. IEEE International Conference on Communications, Institute of Electrical and Electronics Engineers Inc., pp. 6383-6388, 2025 IEEE International Conference on Communications, ICC 2025, Montreal, Canada, 8/06/25. https://doi.org/10.1109/ICC52391.2025.11161270

LiteCobra: Enhancing Java Deserialization Vulnerability Detection with Call Graph Pruning. / Zhang, Xiangyu; Yang, Yating ; Song, Tian.
ICC 2025 - IEEE International Conference on Communications. ed. / Matthew Valenti; David Reed; Melissa Torres. Institute of Electrical and Electronics Engineers Inc., 2025. p. 6383-6388 (IEEE International Conference on Communications).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - LiteCobra

T2 - 2025 IEEE International Conference on Communications, ICC 2025

AU - Zhang, Xiangyu

AU - Yang, Yating

AU - Song, Tian

PY - 2025

Y1 - 2025

N2 - Java deserialization vulnerabilities have become a critical security threat, challenging to detect and even harder to exploit due to deserialization's flexible and customizable nature. Researchers have proposed code property graph methods for comprehensive program analysis and controllability analysis algorithms to filter out irrelevant method calls. However, existing approaches often face limitations in accuracy and efficiency, especially in complex Java deserialization scenarios, leaving a gap in fully addressing this security issue. To address the challenges in detecting Java deserialization gadget chains, this paper proposes LiteCobra - a method that employs edge-cut optimization for rapid call graph construction and uses a controllability analysis algorithm for efficient pruning during Java deserialization gadget chain discovery. Our tests on the ysoserial dataset show that LiteCobra reduces the false positive rate by 67.5% and enhances efficiency by 49.6% compared to state-of-the-art approaches for detecting Java deserialization vulnerabilities. These results indicate that LiteCobra significantly enhances efficiency while maintaining high accuracy in detecting Java deserialization gadget chains.

AB - Java deserialization vulnerabilities have become a critical security threat, challenging to detect and even harder to exploit due to deserialization's flexible and customizable nature. Researchers have proposed code property graph methods for comprehensive program analysis and controllability analysis algorithms to filter out irrelevant method calls. However, existing approaches often face limitations in accuracy and efficiency, especially in complex Java deserialization scenarios, leaving a gap in fully addressing this security issue. To address the challenges in detecting Java deserialization gadget chains, this paper proposes LiteCobra - a method that employs edge-cut optimization for rapid call graph construction and uses a controllability analysis algorithm for efficient pruning during Java deserialization gadget chain discovery. Our tests on the ysoserial dataset show that LiteCobra reduces the false positive rate by 67.5% and enhances efficiency by 49.6% compared to state-of-the-art approaches for detecting Java deserialization vulnerabilities. These results indicate that LiteCobra significantly enhances efficiency while maintaining high accuracy in detecting Java deserialization gadget chains.

KW - Code property graph

KW - Context sensitivity

KW - Gadget chains

KW - Java deserialization

UR - https://www.scopus.com/pages/publications/105018475408

U2 - 10.1109/ICC52391.2025.11161270

DO - 10.1109/ICC52391.2025.11161270

M3 - Conference contribution

AN - SCOPUS:105018475408

T3 - IEEE International Conference on Communications

SP - 6383

EP - 6388

BT - ICC 2025 - IEEE International Conference on Communications

A2 - Valenti, Matthew

A2 - Reed, David

A2 - Torres, Melissa

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 8 June 2025 through 12 June 2025

ER -

Zhang X, Yang Y , Song T. LiteCobra: Enhancing Java Deserialization Vulnerability Detection with Call Graph Pruning. In Valenti M, Reed D, Torres M, editors, ICC 2025 - IEEE International Conference on Communications. Institute of Electrical and Electronics Engineers Inc. 2025. p. 6383-6388. (IEEE International Conference on Communications). doi: 10.1109/ICC52391.2025.11161270

LiteCobra: Enhancing Java Deserialization Vulnerability Detection with Call Graph Pruning

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this