GrayDuck: the Sword of Damocles for Duck Typing in Dynamic Language Deserialization

ASE '24: Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering (2024)

Abstract
Duck typing is a flexible programming style in dynamic languages that lets developers achieve complex behaviors with less code. Its use is now widespread; the open question is whether it is truly safe, since improper use of duck typing can introduce unexpected security threats. In this paper, we reveal another side of duck typing, showing how it can exacerbate the impact of deserialization vulnerabilities and expand the range of options available to attackers. We present three cases of duck typing misuse and theoretically demonstrate how such misuse can expand the attack surface of deserialization vulnerabilities. Additionally, we design a static analysis tool, GrayDuck, that constructs a Class Relation Graph (CRG) clearly delineating the range of classes reachable through each deserialization operation, and that identifies instances of duck typing misuse along with the associated attack surfaces in order to assess the potential harm. We used this tool to scan 5 Python programs known to have real deserialization vulnerabilities, detecting 7 instances of deserialized-object duck typing misuse and calculating the corresponding expansions of the attack surfaces.
Keywords
Duck Typing, Deserialization Vulnerability, Dynamic Language