SlideShare una empresa de Scribd logo

HES2011 - Richard Johnson - A Castle Made of Sand Adobe Reader X Sandbox

Hackito Ergo Sum
Hackito Ergo Sum
Tecnología
1 de 44
Descargar para leer sin conexión
A Castle Made of Sand Adobe Reader X Sandbox Richard Johnson rjohnson@sourcefire.com
Adobe Acrobat • “Adobe Reader is free software that lets you open, view, search, digitally sign, verify, and print PDF files. To date, more than 600 million copies of Adobe Reader have been distributed worldwide on 23 platforms and in 33 languages” http://www.adobe.com/products/reader/faq.html
Agenda • Why Adobe needs a sandbox • What's in a Sandbox • Windows Sandboxing • Adobe Reader Sandbox Architecture • Attacking Sandboxes • Conclusion
Internet Usage Statistics • As of June, 2010 there were 2 billion internet users http://www.internetworldstats.com/stats.htm – 600 million Reader downloads = 30% market http://www.w3schools.com/browsers/browsers_stats.asp • Chrome market share was 23.8% in January, 2011 – Roughly 476 million users
Adobe Acrobat Security History • Acrobat Reader CVE Vulnerabilities Memory Http Bypass # of Code Gain # of Year DoS Overflow Corruptio XSS Response somethin CSRF Vulnerabilities Execution Privileges exploits n Splitting g 1999 1 1 1 2000 1 1 1 2001 1 2002 1 2003 3 2 1 2004 6 5 4 2005 9 4 5 3 2006 7 2 3 1 2 2007 9 3 3 1 2 1 1 1 2008 11 2 8 4 1 3 2009 39 14 30 17 10 1 1 4 2010 68 35 60 33 29 2 3 1 4 2011 28 10 22 8 8 2 4 Total 184 70 140 72 50 6 1 4 8 1 12 % Of All 38.0 76.1 39.1 27.2 3.3 0.5 2.2 4.3 0.5 http://www.cvedetails.com/product/497/Adobe-Acrobat-Reader.html?vendor_id=53
Adobe Acrobat Security History • Acrobat CVE Vulnerabilities # of Code Memory Bypass Gain # of Year Vulnerabilitie DoS Overflow XSS CSRF Execution Corruption something Privileges exploits s 2000 1 1 1 2003 3 2 2004 3 2 2 2005 2 1 1 1 2006 4 2 1 1 2 2007 4 1 1 2 1 2008 15 1 10 4 2 1 3 2009 49 18 39 22 14 2 4 2010 65 33 58 33 28 2 3 1 3 2011 28 10 22 8 8 2 4 Total 174 64 138 72 53 6 5 8 1 10 % Of All 36.8 79.3 41.4 30.5 3.4 2.9 4.6 0.6 http://www.cvedetails.com/product/921/Adobe-Acrobat.html?vendor_id=53
Adobe Acrobat Security History • Adobe CVE Vulnerabilities – 358 Vulnerabilities – 278 Vulnerabilities lead to code execution – 22 Exploits in the wild – 15 Exploits achieve code execution • “During the Q1 2010, 48 percent of all exploits involved malicious PDFs, making Adobe Reader the most exploited software.” http://www.esecurityplanet.com/article.php/3925701/RSA-New-Frontiers-in-Threat-Research.h
Google Chrome Security History • Chrome CVE Vulnerabilities – 244 Vulnerabilities – 36 Vulnerabilities lead to code execution – 12 Exploits in the wild – 3 Exploits achieve code execution
Adobe Acrobat X • These statistics prompted a security push to make the next version of Adobe Acrobat significantly more resilient to hacking attempts • Adobe Acrobat X products have been hardened to utilize operating system provided mitigations on the Windows Platform • In addition, a new sandbox designed to limit the impact of successful exploitation attempts has been implemented
Use of Windows Mitigations • Address Space Layout Randomization – Adobe has modified all internal code to take advantage of random image mappings • Data Execution Prevention – Enabled with PERMENENT flag • “…Q2 of last year, PDF attacks fell to 30 percent...” http://www.esecurityplanet.com/article.php/3925701/RSA-New-Frontiers-in-Threat-Research.h
Windows Mitigations Fail • Sadly, 3rd party libraries that do not support ASLR can be forced to load via PDF http://blogs.adobe.com/security/SampleSignedPDFDocument.pdf
The Sandbox Concept • A sandbox is a mitigation strategy centered around the concept of isolating complex code into a lower privileged process which is managed by a higher privileged process • The higher privileged process is less prone to attack due to reduced attack surface and can restrict resources from a compromised lower privileged process
Sandbox Architecture Requirements • Sandbox mitigations require the ability to: – Create a child process with restricted access to resources – Communicate between the processes to broker request access to resources
Sandbox Architecture on Windows • Process Restrictions – Restricted process tokens – Restricted process job object • IPC Mechanisms for System Call brokering – Sockets, Pipes, Shared Memory, Files, etc
Sandbox Architecture on Windows • Restricted process tokens – Create processes with restricted privileges BOOL CreateRestrictedToken( BOOL WINAPI CreateProcessAsUser( HANDLE ExistingTokenHandle, HANDLE hToken, DWORD Flags, LPCTSTR lpApplicationName, DWORD DisableSidCount, LPTSTR lpCommandLine, PSID_AND_ATTRIBUTES SidsToDisable, LPSECURITY_ATTRIBUTES DWORD DeletePrivilegeCount, lpProcessAttributes, PLUID_AND_ATTRIBUTES PrivilegesToDe LPSECURITY_ATTRIBUTES lete, lpThreadAttributes, DWORD RestrictedSidCount, BOOL bInheritHandles, PSID_AND_ATTRIBUTES SidsToRestrict, DWORD dwCreationFlags, PHANDLE NewTokenHandle LPVOID lpEnvironment, ); LPCTSTR lpCurrentDirectory, LPSTARTUPINFO lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation );
Sandbox Architecture on Windows • Restricted job object BOOL CreateCustomDACL(SECURITY_ATTRIBUTES * pSA) { // Built-in guests are denied all access. // Anonymous logon is denied all access. HANDLE WINAPI CreateJobObject( // Administrators are allowed full control. LPSECURITY_ATTRIBUTES // Modify these values as needed to generate the lpJobAttributes, proper LPCTSTR lpName // DACL for your application. ); TCHAR * szSD = TEXT("D:") // Discretionary typedef struct _SECURITY_ATTRIBUTES { ACL DWORD  nLength; TEXT("(D;OICI;GA;;;BG)") // Deny access to LPVOID lpSecurityDescriptor; // built-in guests BOOL   bInheritHandle; TEXT("(D;OICI;GA;;;AN)") // Deny access to } SECURITY_ATTRIBUTES, // anonymous *LPSECURITY_ATTRIBUTES; logon TEXT("(A;OICI;GA;;;BA)"); // Allow full BOOL WINAPI AssignProcessToJobObject( control HANDLE hJob, ● // to administrators HANDLE hProcess ); if (NULL == pSA) return FALSE; return ConvertStringSecurityDescriptorToSecurityDescripto r( szSD, SDDL_REVISION_1,
Adobe Reader X Sandbox Design • Adobe enables the sandbox through a configuration option called ‘Protected Mode’ • Separation of rendering code from basic process initialization and management code – 25mb broker process – 200mb rendering process
Adobe Reader X Sandbox Design • Rendering process has restricted tokens which disallow writing to the file system or executing new processes • Requests for system resources are denied and then requested from the broker process via a shared memory protocol • Requests are validated against internal policy
Adobe Reader X Sandbox Design • OS denies requests to resources • Broker gets request and checks ACLs • Broker gets resource and duplicates the handle http://blogs.adobe.com/asset/2010/10/inside-adobe-reader-protected-mode-part-1-design
Adobe Reader X Sandbox Design http://blogs.adobe.com/asset/2010/11/inside-adobe-reader-protected-mode-part-3-broker-process-policies-and-inter-process-commun
Adobe Reader X Sandbox Config • Configuration settings – JavaScript enabled by default – JavaScript global object security policy – JavaScript blacklist – ACLs for file, registry, process access – Log file disabled by default
JavaScript Blacklist • Blacklist is stored in the registry • Blacklist is capable of blocking API names – Withstands obfuscation methods – Does not come with any blocked by default • Blacklist cannot pattern match or prevent generic algorithms for spraying • More: http://vrt-blog.snort.org/2010/01/acrobat-javascript-blacklist-framework.html
Sandbox Analysis • Determine rights of separate processes • Determine IPC mechanisms in use • Validate resource requests are denied • Fuzz or audit broker resource request parser
• Adobe Reader 9 Token restriction Adobe Reader X Broker Sandbox Analysis
• Adobe Reader X Broker Token restriction Adobe Reader X Renderer Sandbox Analysis
Sandbox Analysis • Job limits – Limit of one ActiveProcess – No changing or creating desktops – Cannot use handles associated with another job – Denied access to ChangeDisplaySettings – Denied access to ExitWindows – Denied access to SystemParametersInfo
Sandbox Analysis • Determine IPC mechanisms in use – Trace APIs related to various IPC mechanisms – Catching creation of IPC endpoints can be as simple as using Windbg
Sandbox Analysis • Determine IPC mechanisms in use – Clipboard – COM – Data Copy – DDE – File Mapping – Mailslots – Pipes – RPC – Windows Sockets
Sandbox Analysis • Memory mappings are backed to pagefile and may be named or unnamed • If unnamed, the handle must be passed to the child process via DuplicateHandle
Sandbox Analysis • Windbg can trace mappings for you r $t0 = 0; r $t1 = 0; bp KERNELBASE!CreateFileMappingW ".if (poi(@esp + 4)) = -1 { .echo ; kn 5 ; .printf "nCreateFileMappingWnHandle: %xn", poi(@esp + 4) ; ddu esp + 24 l1 ; gu ; .printf "Mapped Memory Handle: %xnn", @eax ; r $t0 = @eax ; g } .else { g } " bp KERNELBASE!MapViewOfFile ".if (poi(@esp + 4)) = $t0 { r $t1 = poi(@esp + 24) ; .echo ; kn 5 ; gu ; .printf "nMapViewOfFilenMapped Address: %x Size: %dnSetting memory breakpointnn", @eax, @$t1 ; ba r 4 @eax ".echo Mapped Memory Access ; kn 4 ; ub ; g" ; g } .else { g } " bp KERNELBASE!OpenFileMappingW "kn 5 ; .echo ; .printf "OpenFileMappingWnPath: [%mu]", poi(@esp + c) ; .if(poi(@esp + 4)) & 2 { .printf " FILE_MAP_WRITE" } ; .if(poi(@esp + 4)) & 4 { .printf " FILE_MAP_READ" } ; .echo ; .echo ; g" bp DuplicateHandle ".echo ; .printf "DuplicateHandle: %x", poi(@esp + 8) ; .echo ; .echo ; g" bp ConnectNamedPipe bp CreateNamedPipeW bp AcroRd32Exe+0xc08f ".echo Attach to client”
Sandbox Analysis • Windbg can trace mappings for you # ChildEBP RetAddr 00 0041ec44 7700ac7e KERNELBASE!OpenFileMappingW 01 0041ec60 7700ac11 SHLWAPI!SHCreateSharedSection+0x16 02 0041ec90 7700acf6 SHLWAPI!OpenGlobalCounterFileMappingAndMapMemory+0x3d 03 0041eca8 7700e9de SHLWAPI!GetGlobalCounterMemoryAddress+0x3d 04 0041ecb4 75dac572 SHLWAPI!SHGlobalCounterGetValue+0xd OpenFileMappingW Path: [windows_shell_global_counters] FILE_MAP_WRITE FILE_MAP_READ -------------------- DuplicateHandle: 1e4 -------------------- # ChildEBP RetAddr 00 0041f0f0 00f2f824 KERNELBASE!CreateFileMappingW 01 0041f118 00f3023b AcroRd32Exe+0x1f824 02 0041f138 00f2e438 AcroRd32Exe+0x2023b 03 0041f230 00f4bf6b AcroRd32Exe+0x1e438 04 0041f360 00f1bdfa AcroRd32Exe+0x3bf6b CreateFileMappingW Handle: ffffffff 0041f118 0041f138 ".A.ò 쿐 ৬.A 찔 . 꼨 . 戅 ø" Mapped Memory Handle: 220 -------------------- DuplicateHandle: 220
Sandbox Analysis • Windbg can trace mappings for you # ChildEBP RetAddr 00 0041f0f0 00f2f870 KERNELBASE!MapViewOfFile 01 0041f118 00f3023b AcroRd32Exe+0x1f870 02 0041f138 00f2e438 AcroRd32Exe+0x2023b 03 0041f230 00f4bf6b AcroRd32Exe+0x1e438 04 0041f360 00f1bdfa AcroRd32Exe+0x3bf6b -------------------- MapViewOfFile Mapped Address: a4a0000 Size: 4321592 Setting memory breakpoint -------------------- Mapped Memory Access # ChildEBP RetAddr 00 0041f0f8 00f2f963 AcroRd32Exe+0x237ac 01 0041f118 00f3023b AcroRd32Exe+0x1f963 02 0041f138 00f2e438 AcroRd32Exe+0x2023b 03 0041f230 00f4bf6b AcroRd32Exe+0x1e438 AcroRd32Exe+0x23795: 00f33797 8d0480 lea eax,[eax+eax*4] 00f3379a 8d148508000000 lea edx,[eax*4+8] 00f337a1 8b4508 mov eax,dword ptr [ebp+8] 00f337a4 53 push ebx 00f337a5 8907 mov dword ptr [edi],eax 00f337a7 8955fc mov dword ptr [ebp-4],edx 00f337aa 8908 mov dword ptr [eax],ecx
Attacking IPC Message Format • Adobe uses a shared memory structure to request resources from the broker process • This additional attack surface deserves a critical look from a code quality perspective • We can inject a DLL to request resources in a loop with corrupt values
Attacking IPC Message Format • Inject a DLL for fuzzing int InjectDLL(HANDLE hProcess, char *moduleName) { unsigned char *remoteBuffer; LPTHREAD_START_ROUTINE loadLibraryAddr; HANDLE hThread; DWORD moduleNameLen, ret; moduleNameLen = strlen(moduleName) + 1; remoteBuffer = (unsigned char *)VirtualAllocEx( hProcess, NULL, moduleNameLen, MEM_COMMIT, PAGE_READWRITE); WriteProcessMemory(hProcess, remoteBuffer , moduleName, moduleNameLen, NULL); loadLibraryAddr = (LPTHREAD_START_ROUTINE)GetProcAddress( GetModuleHandleA("kernel32.dll"), "LoadLibraryA"); hThread = CreateRemoteThread( hProcess, NULL, 0, loadLibraryAddr, (void *)remoteBuffer, 0, NULL); ret = WaitForSingleObject(hThread, 5 * 1000); ... }
Attacking IPC Message Format • Fuzz from within the DLL BOOL APIENTRY DllMain(HANDLE hModule, DWORD dwReason, LPVOID lpReserved) { if(dwReason == DLL_PROCESS_ATTACH ) { MessageBoxA(NULL, "Dll injected!", "Fuzzer Dll", MB_OK); if((hFuzzThread = CreateThread( NULL, // default security attributes 0, // use default stack size FuzzerFunction, // thread function name NULL, // argument to thread function 0, // use default creation flags &dwFuzzThreadId)) == NULL) // returns the thread identifier { MessageBoxA(NULL, "Failed to create fuzzing thread", "Fuzzer Dll", MB_OK); } ... } return TRUE; }
Attacking IPC Message Format • Fuzz from within the DLL DWORD WINAPI FuzzerFunction(LPVOID lpParam) { DWORD iteration = 0; FILE *file; do { char *path = GenFuzzedString(); file = fopen(path, "r"); if(file != NULL) fclose(file); file = fopen(path, "w"); if(file != NULL) fclose(file); ... } while (iteration++ < ITERATIONS); return 0; }
If All Else Fails • Kernel exploitation will bypass ALL usermode sandbox architectures • Download the slides and whitepaper from yesterday’s talk on Windows Kernel Exploitation
Unrestricted Access • Socket and Handle use is not restricted – Could use PDF exploit as a pivot point into a sensitive network using less sophisticated attacks to achieve persistence • Reading of the file system is not restricted – Combined with above flaw, file system may be dumped over a socket
Unrestricted Access • Reading from Clipboard is not restricted • Log file is disabled by default – When it is enabled, it is stored in one of the few writable directories by default
Future Potential • Network Sandboxing (LeBlanc) – A solution is outlined in http://blogs.msdn.com/b/david_leblanc/archi – tl;dr – Use Windows Firewall to limit connections to and from the acrord32.exe process
Future Potential • File I/O Sandboxing (rjohnson) – On launch copy required resources to a temp directory – Limit all reads to the temp directory rather than allowing global read access
Future Potential • Utilize 64-bit process advantages (anti-spray) • Javascript blacklist could be utilized to prevent loading of generic spray code – Currently only blacklist APIs rather than allow a fingerprinting mechanism • Embedded Flash interpreter should gain same sandbox as in the browser
Conclusion • Adobe is moving in the right direction • Improvements need to be implemented on other platforms • Offering configuration that includes the ability to enable available solutions would lead to a more secure sandbox
Questions? Thank you! rjohnson@sourcefire.com http://vrt-blog.snort.org/ @richinseattle

Recomendados

Business Opportunities in Thailand
Business Opportunities in ThailandBusiness Opportunities in Thailand
Business Opportunities in ThailandChanin Khaochan
 
AEC and Human Resources Development
AEC and Human Resources DevelopmentAEC and Human Resources Development
AEC and Human Resources DevelopmentSakda Hwankaew
 
Steel industry analysis
Steel industry analysisSteel industry analysis
Steel industry analysisadditya1
 
Coference call
Coference callCoference call
Coference callEternit S.A.
 
Aslam Mehdi etbs2012
Aslam Mehdi etbs2012Aslam Mehdi etbs2012
Aslam Mehdi etbs2012Aslam Mehdi
 
Module 2.2
Module 2.2Module 2.2
Module 2.2druhbrown
 
Connecting Dubai to Global Markets-Dubai Exports
Connecting Dubai to Global Markets-Dubai ExportsConnecting Dubai to Global Markets-Dubai Exports
Connecting Dubai to Global Markets-Dubai ExportsDubaiExports
 
OTN - Private Sector Trade Note - vol 6 2011
OTN - Private Sector Trade Note - vol 6 2011OTN - Private Sector Trade Note - vol 6 2011
OTN - Private Sector Trade Note - vol 6 2011Office of Trade Negotiations (OTN), CARICOM Secretariat
 

Recomendados

Business Opportunities in Thailand
Business Opportunities in ThailandBusiness Opportunities in Thailand
Business Opportunities in ThailandChanin Khaochan
 
AEC and Human Resources Development
AEC and Human Resources DevelopmentAEC and Human Resources Development
AEC and Human Resources DevelopmentSakda Hwankaew
 
Steel industry analysis
Steel industry analysisSteel industry analysis
Steel industry analysisadditya1
 
Coference call
Coference callCoference call
Coference callEternit S.A.
 
Aslam Mehdi etbs2012
Aslam Mehdi etbs2012Aslam Mehdi etbs2012
Aslam Mehdi etbs2012Aslam Mehdi
 
Module 2.2
Module 2.2Module 2.2
Module 2.2druhbrown
 
Connecting Dubai to Global Markets-Dubai Exports
Connecting Dubai to Global Markets-Dubai ExportsConnecting Dubai to Global Markets-Dubai Exports
Connecting Dubai to Global Markets-Dubai ExportsDubaiExports
 
OTN - Private Sector Trade Note - vol 6 2011
OTN - Private Sector Trade Note - vol 6 2011OTN - Private Sector Trade Note - vol 6 2011
OTN - Private Sector Trade Note - vol 6 2011Office of Trade Negotiations (OTN), CARICOM Secretariat
 
ミャンマーのIT業とAWITDの戦略
ミャンマーのIT業とAWITDの戦略ミャンマーのIT業とAWITDの戦略
ミャンマーのIT業とAWITDの戦略Open Source Software Association of Japan
 
Engagement metrics dec 2012
Engagement metrics dec 2012Engagement metrics dec 2012
Engagement metrics dec 2012Absolute Radio
 
Do these earthquakes have any connection
Do these earthquakes have any connectionDo these earthquakes have any connection
Do these earthquakes have any connectionvpshedbalkar
 
คะแนนม.3 ปี53 3 5
คะแนนม.3 ปี53 3 5คะแนนม.3 ปี53 3 5
คะแนนม.3 ปี53 3 5Aj Yawwalak
 
Precious Metals 1
Precious Metals 1Precious Metals 1
Precious Metals 1Piyush Agarwal
 
Engagement Metrics April 2012
Engagement Metrics April 2012Engagement Metrics April 2012
Engagement Metrics April 2012Absolute Radio
 
Engagement Metrics May 2012
Engagement Metrics May 2012Engagement Metrics May 2012
Engagement Metrics May 2012Absolute Radio
 
Dairy Exports from India 2013
Dairy Exports from India 2013Dairy Exports from India 2013
Dairy Exports from India 2013Asian Food Regulation Information Service
 
Apresentação Institucional RI - Maio 2012
Apresentação Institucional RI - Maio 2012Apresentação Institucional RI - Maio 2012
Apresentação Institucional RI - Maio 2012Embraer RI
 
Sum52 53
Sum52 53Sum52 53
Sum52 53Pantip Duangjan
 
Case Study Of Human Centered Design
Case Study Of Human Centered DesignCase Study Of Human Centered Design
Case Study Of Human Centered Designguest85f55a
 
Movable type seminar 20120411
Movable type seminar 20120411Movable type seminar 20120411
Movable type seminar 20120411Six Apart
 
Embraer 4Q09 Results
Embraer 4Q09 ResultsEmbraer 4Q09 Results
Embraer 4Q09 ResultsEmbraer RI
 
Embraer 4 q09 results_final
Embraer 4 q09 results_finalEmbraer 4 q09 results_final
Embraer 4 q09 results_finalEmbraer RI
 
รายงานโครงงานคอมพิวเตอร์
รายงานโครงงานคอมพิวเตอร์รายงานโครงงานคอมพิวเตอร์
รายงานโครงงานคอมพิวเตอร์geeranan
 
Embraer IR Presentation Apr.12
Embraer IR Presentation Apr.12Embraer IR Presentation Apr.12
Embraer IR Presentation Apr.12Embraer RI
 
紙copi Night 2009.12.04
紙copi Night 2009.12.04紙copi Night 2009.12.04
紙copi Night 2009.12.04Isshu Rakusai
 
2006 - Embraer A&I Meeting Financials
2006 - Embraer A&I Meeting Financials2006 - Embraer A&I Meeting Financials
2006 - Embraer A&I Meeting FinancialsEmbraer RI
 
Encontro de Investidores em NY - Apresentação Resultados Financeiros (Ingles)
Encontro de Investidores em NY - Apresentação Resultados Financeiros (Ingles)Encontro de Investidores em NY - Apresentação Resultados Financeiros (Ingles)
Encontro de Investidores em NY - Apresentação Resultados Financeiros (Ingles)Embraer RI
 
2006* Encontro De Investidores Em Ny ApresentaçãO Resultados Financeiros (I...
2006* Encontro De Investidores Em Ny ApresentaçãO Resultados Financeiros (I...2006* Encontro De Investidores Em Ny ApresentaçãO Resultados Financeiros (I...
2006* Encontro De Investidores Em Ny ApresentaçãO Resultados Financeiros (I...Embraer RI
 
Speed is Essential for a Great Web Experience
Speed is Essential for a Great Web ExperienceSpeed is Essential for a Great Web Experience
Speed is Essential for a Great Web ExperienceDigicure ApS
 
[F1]nuance
[F1]nuance[F1]nuance
[F1]nuanceNAVER D2
 

Más contenido relacionado

La actualidad más candente

Engagement metrics dec 2012
Engagement metrics dec 2012Engagement metrics dec 2012
Engagement metrics dec 2012Absolute Radio
 
Do these earthquakes have any connection
Do these earthquakes have any connectionDo these earthquakes have any connection
Do these earthquakes have any connectionvpshedbalkar
 
คะแนนม.3 ปี53 3 5
คะแนนม.3 ปี53 3 5คะแนนม.3 ปี53 3 5
คะแนนม.3 ปี53 3 5Aj Yawwalak
 
Engagement Metrics April 2012
Engagement Metrics April 2012Engagement Metrics April 2012
Engagement Metrics April 2012Absolute Radio
 
Engagement Metrics May 2012
Engagement Metrics May 2012Engagement Metrics May 2012
Engagement Metrics May 2012Absolute Radio
 

La actualidad más candente (8)

ミャンマーのIT業とAWITDの戦略
ミャンマーのIT業とAWITDの戦略ミャンマーのIT業とAWITDの戦略
ミャンマーのIT業とAWITDの戦略
 
Engagement metrics dec 2012
Engagement metrics dec 2012Engagement metrics dec 2012
Engagement metrics dec 2012
 
Do these earthquakes have any connection
Do these earthquakes have any connectionDo these earthquakes have any connection
Do these earthquakes have any connection
 
คะแนนม.3 ปี53 3 5
คะแนนม.3 ปี53 3 5คะแนนม.3 ปี53 3 5
คะแนนม.3 ปี53 3 5
 
Precious Metals 1
Precious Metals 1Precious Metals 1
Precious Metals 1
 
Engagement Metrics April 2012
Engagement Metrics April 2012Engagement Metrics April 2012
Engagement Metrics April 2012
 
Engagement Metrics May 2012
Engagement Metrics May 2012Engagement Metrics May 2012
Engagement Metrics May 2012
 
Dairy Exports from India 2013
Dairy Exports from India 2013Dairy Exports from India 2013
Dairy Exports from India 2013
 

Similar a HES2011 - Richard Johnson - A Castle Made of Sand Adobe Reader X Sandbox

Apresentação Institucional RI - Maio 2012
Apresentação Institucional RI - Maio 2012Apresentação Institucional RI - Maio 2012
Apresentação Institucional RI - Maio 2012Embraer RI
 
Case Study Of Human Centered Design
Case Study Of Human Centered DesignCase Study Of Human Centered Design
Case Study Of Human Centered Designguest85f55a
 
Movable type seminar 20120411
Movable type seminar 20120411Movable type seminar 20120411
Movable type seminar 20120411Six Apart
 
Embraer 4Q09 Results
Embraer 4Q09 ResultsEmbraer 4Q09 Results
Embraer 4Q09 ResultsEmbraer RI
 
Embraer 4 q09 results_final
Embraer 4 q09 results_finalEmbraer 4 q09 results_final
Embraer 4 q09 results_finalEmbraer RI
 
รายงานโครงงานคอมพิวเตอร์
รายงานโครงงานคอมพิวเตอร์รายงานโครงงานคอมพิวเตอร์
รายงานโครงงานคอมพิวเตอร์geeranan
 
Embraer IR Presentation Apr.12
Embraer IR Presentation Apr.12Embraer IR Presentation Apr.12
Embraer IR Presentation Apr.12Embraer RI
 
紙copi Night 2009.12.04
紙copi Night 2009.12.04紙copi Night 2009.12.04
紙copi Night 2009.12.04Isshu Rakusai
 
2006 - Embraer A&I Meeting Financials
2006 - Embraer A&I Meeting Financials2006 - Embraer A&I Meeting Financials
2006 - Embraer A&I Meeting FinancialsEmbraer RI
 
Encontro de Investidores em NY - Apresentação Resultados Financeiros (Ingles)
Encontro de Investidores em NY - Apresentação Resultados Financeiros (Ingles)Encontro de Investidores em NY - Apresentação Resultados Financeiros (Ingles)
Encontro de Investidores em NY - Apresentação Resultados Financeiros (Ingles)Embraer RI
 
2006* Encontro De Investidores Em Ny ApresentaçãO Resultados Financeiros (I...
2006* Encontro De Investidores Em Ny ApresentaçãO Resultados Financeiros (I...2006* Encontro De Investidores Em Ny ApresentaçãO Resultados Financeiros (I...
2006* Encontro De Investidores Em Ny ApresentaçãO Resultados Financeiros (I...Embraer RI
 
Speed is Essential for a Great Web Experience
Speed is Essential for a Great Web ExperienceSpeed is Essential for a Great Web Experience
Speed is Essential for a Great Web ExperienceDigicure ApS
 
[F1]nuance
[F1]nuance[F1]nuance
[F1]nuanceNAVER D2
 
Las ม.2 ปีการศึกษา 2554
Las ม.2 ปีการศึกษา 2554Las ม.2 ปีการศึกษา 2554
Las ม.2 ปีการศึกษา 2554Aobinta In
 
Q1 2012 Investor Handout
Q1 2012 Investor HandoutQ1 2012 Investor Handout
Q1 2012 Investor HandoutBayer
 
Going Mobile (2010) by Yiibu
Going Mobile (2010) by YiibuGoing Mobile (2010) by Yiibu
Going Mobile (2010) by YiibuBryan Rieger
 
校園安全白皮書
校園安全白皮書校園安全白皮書
校園安全白皮書貞昌 蘇
 

Similar a HES2011 - Richard Johnson - A Castle Made of Sand Adobe Reader X Sandbox (20)

Apresentação Institucional RI - Maio 2012
Apresentação Institucional RI - Maio 2012Apresentação Institucional RI - Maio 2012
Apresentação Institucional RI - Maio 2012
 
Sum52 53
Sum52 53Sum52 53
Sum52 53
 
Case Study Of Human Centered Design
Case Study Of Human Centered DesignCase Study Of Human Centered Design
Case Study Of Human Centered Design
 
Movable type seminar 20120411
Movable type seminar 20120411Movable type seminar 20120411
Movable type seminar 20120411
 
Embraer 4Q09 Results
Embraer 4Q09 ResultsEmbraer 4Q09 Results
Embraer 4Q09 Results
 
Embraer 4 q09 results_final
Embraer 4 q09 results_finalEmbraer 4 q09 results_final
Embraer 4 q09 results_final
 
รายงานโครงงานคอมพิวเตอร์
รายงานโครงงานคอมพิวเตอร์รายงานโครงงานคอมพิวเตอร์
รายงานโครงงานคอมพิวเตอร์
 
Embraer IR Presentation Apr.12
Embraer IR Presentation Apr.12Embraer IR Presentation Apr.12
Embraer IR Presentation Apr.12
 
紙copi Night 2009.12.04
紙copi Night 2009.12.04紙copi Night 2009.12.04
紙copi Night 2009.12.04
 
2006 - Embraer A&I Meeting Financials
2006 - Embraer A&I Meeting Financials2006 - Embraer A&I Meeting Financials
2006 - Embraer A&I Meeting Financials
 
Encontro de Investidores em NY - Apresentação Resultados Financeiros (Ingles)
Encontro de Investidores em NY - Apresentação Resultados Financeiros (Ingles)Encontro de Investidores em NY - Apresentação Resultados Financeiros (Ingles)
Encontro de Investidores em NY - Apresentação Resultados Financeiros (Ingles)
 
2006* Encontro De Investidores Em Ny ApresentaçãO Resultados Financeiros (I...
2006* Encontro De Investidores Em Ny ApresentaçãO Resultados Financeiros (I...2006* Encontro De Investidores Em Ny ApresentaçãO Resultados Financeiros (I...
2006* Encontro De Investidores Em Ny ApresentaçãO Resultados Financeiros (I...
 
Speed is Essential for a Great Web Experience
Speed is Essential for a Great Web ExperienceSpeed is Essential for a Great Web Experience
Speed is Essential for a Great Web Experience
 
[F1]nuance
[F1]nuance[F1]nuance
[F1]nuance
 
Las ม.2 ปีการศึกษา 2554
Las ม.2 ปีการศึกษา 2554Las ม.2 ปีการศึกษา 2554
Las ม.2 ปีการศึกษา 2554
 
Q1 2012 Investor Handout
Q1 2012 Investor HandoutQ1 2012 Investor Handout
Q1 2012 Investor Handout
 
Case Study Of Human Centered Design
Case Study Of Human Centered DesignCase Study Of Human Centered Design
Case Study Of Human Centered Design
 
Going Mobile (2010) by Yiibu
Going Mobile (2010) by YiibuGoing Mobile (2010) by Yiibu
Going Mobile (2010) by Yiibu
 
Apimec – 2 q07 results
Apimec – 2 q07 resultsApimec – 2 q07 results
Apimec – 2 q07 results
 
校園安全白皮書
校園安全白皮書校園安全白皮書
校園安全白皮書
 

Más de Hackito Ergo Sum

HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talkHES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talkHackito Ergo Sum
 
HES2011 - Jon Oberheide and Dan Rosenberg - Stackjacking
HES2011 - Jon Oberheide and Dan Rosenberg - StackjackingHES2011 - Jon Oberheide and Dan Rosenberg - Stackjacking
HES2011 - Jon Oberheide and Dan Rosenberg - StackjackingHackito Ergo Sum
 
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profit
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profitHES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profit
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profitHackito Ergo Sum
 
HES2011 - Sebastien Tricaud - Capture me if you can
HES2011 - Sebastien Tricaud - Capture me if you canHES2011 - Sebastien Tricaud - Capture me if you can
HES2011 - Sebastien Tricaud - Capture me if you canHackito Ergo Sum
 
HES2011 - Eloi Vanderbeken - Hackito Ergo Sum Crackme
HES2011 - Eloi Vanderbeken - Hackito Ergo Sum CrackmeHES2011 - Eloi Vanderbeken - Hackito Ergo Sum Crackme
HES2011 - Eloi Vanderbeken - Hackito Ergo Sum CrackmeHackito Ergo Sum
 
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHackito Ergo Sum
 
HES2011 - Jon Larimer - Autorun Vulnerabilities on Linux
HES2011 - Jon Larimer - Autorun Vulnerabilities on LinuxHES2011 - Jon Larimer - Autorun Vulnerabilities on Linux
HES2011 - Jon Larimer - Autorun Vulnerabilities on LinuxHackito Ergo Sum
 
HES2011 - James Oakley and Sergey bratus-Exploiting-the-Hard-Working-DWARF
HES2011 - James Oakley and Sergey bratus-Exploiting-the-Hard-Working-DWARFHES2011 - James Oakley and Sergey bratus-Exploiting-the-Hard-Working-DWARF
HES2011 - James Oakley and Sergey bratus-Exploiting-the-Hard-Working-DWARFHackito Ergo Sum
 
HES2011 - joernchen - Ruby on Rails from a Code Auditor Perspective
HES2011 - joernchen - Ruby on Rails from a Code Auditor PerspectiveHES2011 - joernchen - Ruby on Rails from a Code Auditor Perspective
HES2011 - joernchen - Ruby on Rails from a Code Auditor PerspectiveHackito Ergo Sum
 
HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...
HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...
HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...Hackito Ergo Sum
 
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7Hackito Ergo Sum
 
HES2011 - Yuval Vadim Polevoy – Money Is In The Eye Of The Beholder: New And ...
HES2011 - Yuval Vadim Polevoy – Money Is In The Eye Of The Beholder: New And ...HES2011 - Yuval Vadim Polevoy – Money Is In The Eye Of The Beholder: New And ...
HES2011 - Yuval Vadim Polevoy – Money Is In The Eye Of The Beholder: New And ...Hackito Ergo Sum
 
HES2011 - Itzik Kolter - Let me Stuxnet You
HES2011 - Itzik Kolter - Let me Stuxnet YouHES2011 - Itzik Kolter - Let me Stuxnet You
HES2011 - Itzik Kolter - Let me Stuxnet YouHackito Ergo Sum
 

Más de Hackito Ergo Sum (13)

HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talkHES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
 
HES2011 - Jon Oberheide and Dan Rosenberg - Stackjacking
HES2011 - Jon Oberheide and Dan Rosenberg - StackjackingHES2011 - Jon Oberheide and Dan Rosenberg - Stackjacking
HES2011 - Jon Oberheide and Dan Rosenberg - Stackjacking
 
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profit
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profitHES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profit
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profit
 
HES2011 - Sebastien Tricaud - Capture me if you can
HES2011 - Sebastien Tricaud - Capture me if you canHES2011 - Sebastien Tricaud - Capture me if you can
HES2011 - Sebastien Tricaud - Capture me if you can
 
HES2011 - Eloi Vanderbeken - Hackito Ergo Sum Crackme
HES2011 - Eloi Vanderbeken - Hackito Ergo Sum CrackmeHES2011 - Eloi Vanderbeken - Hackito Ergo Sum Crackme
HES2011 - Eloi Vanderbeken - Hackito Ergo Sum Crackme
 
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
 
HES2011 - Jon Larimer - Autorun Vulnerabilities on Linux
HES2011 - Jon Larimer - Autorun Vulnerabilities on LinuxHES2011 - Jon Larimer - Autorun Vulnerabilities on Linux
HES2011 - Jon Larimer - Autorun Vulnerabilities on Linux
 
HES2011 - James Oakley and Sergey bratus-Exploiting-the-Hard-Working-DWARF
HES2011 - James Oakley and Sergey bratus-Exploiting-the-Hard-Working-DWARFHES2011 - James Oakley and Sergey bratus-Exploiting-the-Hard-Working-DWARF
HES2011 - James Oakley and Sergey bratus-Exploiting-the-Hard-Working-DWARF
 
HES2011 - joernchen - Ruby on Rails from a Code Auditor Perspective
HES2011 - joernchen - Ruby on Rails from a Code Auditor PerspectiveHES2011 - joernchen - Ruby on Rails from a Code Auditor Perspective
HES2011 - joernchen - Ruby on Rails from a Code Auditor Perspective
 
HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...
HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...
HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...
 
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
 
HES2011 - Yuval Vadim Polevoy – Money Is In The Eye Of The Beholder: New And ...
HES2011 - Yuval Vadim Polevoy – Money Is In The Eye Of The Beholder: New And ...HES2011 - Yuval Vadim Polevoy – Money Is In The Eye Of The Beholder: New And ...
HES2011 - Yuval Vadim Polevoy – Money Is In The Eye Of The Beholder: New And ...
 
HES2011 - Itzik Kolter - Let me Stuxnet You
HES2011 - Itzik Kolter - Let me Stuxnet YouHES2011 - Itzik Kolter - Let me Stuxnet You
HES2011 - Itzik Kolter - Let me Stuxnet You
 

Último

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 

Último (20)

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 

HES2011 - Richard Johnson - A Castle Made of Sand Adobe Reader X Sandbox

  • 1. A Castle Made of Sand Adobe Reader X Sandbox Richard Johnson rjohnson@sourcefire.com
  • 2. Adobe Acrobat • “Adobe Reader is free software that lets you open, view, search, digitally sign, verify, and print PDF files. To date, more than 600 million copies of Adobe Reader have been distributed worldwide on 23 platforms and in 33 languages” http://www.adobe.com/products/reader/faq.html
  • 3. Agenda • Why Adobe needs a sandbox • What's in a Sandbox • Windows Sandboxing • Adobe Reader Sandbox Architecture • Attacking Sandboxes • Conclusion
  • 4. Internet Usage Statistics • As of June, 2010 there were 2 billion internet users http://www.internetworldstats.com/stats.htm – 600 million Reader downloads = 30% market http://www.w3schools.com/browsers/browsers_stats.asp • Chrome market share was 23.8% in January, 2011 – Roughly 476 million users
  • 5. Adobe Acrobat Security History • Acrobat Reader CVE Vulnerabilities Memory Http Bypass # of Code Gain # of Year DoS Overflow Corruptio XSS Response somethin CSRF Vulnerabilities Execution Privileges exploits n Splitting g 1999 1 1 1 2000 1 1 1 2001 1 2002 1 2003 3 2 1 2004 6 5 4 2005 9 4 5 3 2006 7 2 3 1 2 2007 9 3 3 1 2 1 1 1 2008 11 2 8 4 1 3 2009 39 14 30 17 10 1 1 4 2010 68 35 60 33 29 2 3 1 4 2011 28 10 22 8 8 2 4 Total 184 70 140 72 50 6 1 4 8 1 12 % Of All 38.0 76.1 39.1 27.2 3.3 0.5 2.2 4.3 0.5 http://www.cvedetails.com/product/497/Adobe-Acrobat-Reader.html?vendor_id=53
  • 6. Adobe Acrobat Security History • Acrobat CVE Vulnerabilities # of Code Memory Bypass Gain # of Year Vulnerabilitie DoS Overflow XSS CSRF Execution Corruption something Privileges exploits s 2000 1 1 1 2003 3 2 2004 3 2 2 2005 2 1 1 1 2006 4 2 1 1 2 2007 4 1 1 2 1 2008 15 1 10 4 2 1 3 2009 49 18 39 22 14 2 4 2010 65 33 58 33 28 2 3 1 3 2011 28 10 22 8 8 2 4 Total 174 64 138 72 53 6 5 8 1 10 % Of All 36.8 79.3 41.4 30.5 3.4 2.9 4.6 0.6 http://www.cvedetails.com/product/921/Adobe-Acrobat.html?vendor_id=53
  • 7. Adobe Acrobat Security History • Adobe CVE Vulnerabilities – 358 Vulnerabilities – 278 Vulnerabilities lead to code execution – 22 Exploits in the wild – 15 Exploits achieve code execution • “During the Q1 2010, 48 percent of all exploits involved malicious PDFs, making Adobe Reader the most exploited software.” http://www.esecurityplanet.com/article.php/3925701/RSA-New-Frontiers-in-Threat-Research.h
  • 8. Google Chrome Security History • Chrome CVE Vulnerabilities – 244 Vulnerabilities – 36 Vulnerabilities lead to code execution – 12 Exploits in the wild – 3 Exploits achieve code execution
  • 9. Adobe Acrobat X • These statistics prompted a security push to make the next version of Adobe Acrobat significantly more resilient to hacking attempts • Adobe Acrobat X products have been hardened to utilize operating system provided mitigations on the Windows Platform • In addition, a new sandbox designed to limit the impact of successful exploitation attempts has been implemented
  • 10. Use of Windows Mitigations • Address Space Layout Randomization – Adobe has modified all internal code to take advantage of random image mappings • Data Execution Prevention – Enabled with PERMENENT flag • “…Q2 of last year, PDF attacks fell to 30 percent...” http://www.esecurityplanet.com/article.php/3925701/RSA-New-Frontiers-in-Threat-Research.h
  • 11. Windows Mitigations Fail • Sadly, 3rd party libraries that do not support ASLR can be forced to load via PDF http://blogs.adobe.com/security/SampleSignedPDFDocument.pdf
  • 12. The Sandbox Concept • A sandbox is a mitigation strategy centered around the concept of isolating complex code into a lower privileged process which is managed by a higher privileged process • The higher privileged process is less prone to attack due to reduced attack surface and can restrict resources from a compromised lower privileged process
  • 13. Sandbox Architecture Requirements • Sandbox mitigations require the ability to: – Create a child process with restricted access to resources – Communicate between the processes to broker request access to resources
  • 14. Sandbox Architecture on Windows • Process Restrictions – Restricted process tokens – Restricted process job object • IPC Mechanisms for System Call brokering – Sockets, Pipes, Shared Memory, Files, etc
  • 15. Sandbox Architecture on Windows • Restricted process tokens – Create processes with restricted privileges BOOL CreateRestrictedToken( BOOL WINAPI CreateProcessAsUser( HANDLE ExistingTokenHandle, HANDLE hToken, DWORD Flags, LPCTSTR lpApplicationName, DWORD DisableSidCount, LPTSTR lpCommandLine, PSID_AND_ATTRIBUTES SidsToDisable, LPSECURITY_ATTRIBUTES DWORD DeletePrivilegeCount, lpProcessAttributes, PLUID_AND_ATTRIBUTES PrivilegesToDe LPSECURITY_ATTRIBUTES lete, lpThreadAttributes, DWORD RestrictedSidCount, BOOL bInheritHandles, PSID_AND_ATTRIBUTES SidsToRestrict, DWORD dwCreationFlags, PHANDLE NewTokenHandle LPVOID lpEnvironment, ); LPCTSTR lpCurrentDirectory, LPSTARTUPINFO lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation );
  • 16. Sandbox Architecture on Windows • Restricted job object BOOL CreateCustomDACL(SECURITY_ATTRIBUTES * pSA) { // Built-in guests are denied all access. // Anonymous logon is denied all access. HANDLE WINAPI CreateJobObject( // Administrators are allowed full control. LPSECURITY_ATTRIBUTES // Modify these values as needed to generate the lpJobAttributes, proper LPCTSTR lpName // DACL for your application. ); TCHAR * szSD = TEXT("D:") // Discretionary typedef struct _SECURITY_ATTRIBUTES { ACL DWORD  nLength; TEXT("(D;OICI;GA;;;BG)") // Deny access to LPVOID lpSecurityDescriptor; // built-in guests BOOL   bInheritHandle; TEXT("(D;OICI;GA;;;AN)") // Deny access to } SECURITY_ATTRIBUTES, // anonymous *LPSECURITY_ATTRIBUTES; logon TEXT("(A;OICI;GA;;;BA)"); // Allow full BOOL WINAPI AssignProcessToJobObject( control HANDLE hJob, ● // to administrators HANDLE hProcess ); if (NULL == pSA) return FALSE; return ConvertStringSecurityDescriptorToSecurityDescripto r( szSD, SDDL_REVISION_1,
  • 17. Adobe Reader X Sandbox Design • Adobe enables the sandbox through a configuration option called ‘Protected Mode’ • Separation of rendering code from basic process initialization and management code – 25mb broker process – 200mb rendering process
  • 18. Adobe Reader X Sandbox Design • Rendering process has restricted tokens which disallow writing to the file system or executing new processes • Requests for system resources are denied and then requested from the broker process via a shared memory protocol • Requests are validated against internal policy
  • 19. Adobe Reader X Sandbox Design • OS denies requests to resources • Broker gets request and checks ACLs • Broker gets resource and duplicates the handle http://blogs.adobe.com/asset/2010/10/inside-adobe-reader-protected-mode-part-1-design
  • 20. Adobe Reader X Sandbox Design http://blogs.adobe.com/asset/2010/11/inside-adobe-reader-protected-mode-part-3-broker-process-policies-and-inter-process-commun
  • 21. Adobe Reader X Sandbox Config • Configuration settings – JavaScript enabled by default – JavaScript global object security policy – JavaScript blacklist – ACLs for file, registry, process access – Log file disabled by default
  • 22. JavaScript Blacklist • Blacklist is stored in the registry • Blacklist is capable of blocking API names – Withstands obfuscation methods – Does not come with any blocked by default • Blacklist cannot pattern match or prevent generic algorithms for spraying • More: http://vrt-blog.snort.org/2010/01/acrobat-javascript-blacklist-framework.html
  • 23. Sandbox Analysis • Determine rights of separate processes • Determine IPC mechanisms in use • Validate resource requests are denied • Fuzz or audit broker resource request parser
  • 24. • Adobe Reader 9 Token restriction Adobe Reader X Broker Sandbox Analysis
  • 25. • Adobe Reader X Broker Token restriction Adobe Reader X Renderer Sandbox Analysis
  • 26. Sandbox Analysis • Job limits – Limit of one ActiveProcess – No changing or creating desktops – Cannot use handles associated with another job – Denied access to ChangeDisplaySettings – Denied access to ExitWindows – Denied access to SystemParametersInfo
  • 27. Sandbox Analysis • Determine IPC mechanisms in use – Trace APIs related to various IPC mechanisms – Catching creation of IPC endpoints can be as simple as using Windbg
  • 28. Sandbox Analysis • Determine IPC mechanisms in use – Clipboard – COM – Data Copy – DDE – File Mapping – Mailslots – Pipes – RPC – Windows Sockets
  • 29. Sandbox Analysis • Memory mappings are backed to pagefile and may be named or unnamed • If unnamed, the handle must be passed to the child process via DuplicateHandle
  • 30. Sandbox Analysis • Windbg can trace mappings for you r $t0 = 0; r $t1 = 0; bp KERNELBASE!CreateFileMappingW ".if (poi(@esp + 4)) = -1 { .echo ; kn 5 ; .printf "nCreateFileMappingWnHandle: %xn", poi(@esp + 4) ; ddu esp + 24 l1 ; gu ; .printf "Mapped Memory Handle: %xnn", @eax ; r $t0 = @eax ; g } .else { g } " bp KERNELBASE!MapViewOfFile ".if (poi(@esp + 4)) = $t0 { r $t1 = poi(@esp + 24) ; .echo ; kn 5 ; gu ; .printf "nMapViewOfFilenMapped Address: %x Size: %dnSetting memory breakpointnn", @eax, @$t1 ; ba r 4 @eax ".echo Mapped Memory Access ; kn 4 ; ub ; g" ; g } .else { g } " bp KERNELBASE!OpenFileMappingW "kn 5 ; .echo ; .printf "OpenFileMappingWnPath: [%mu]", poi(@esp + c) ; .if(poi(@esp + 4)) & 2 { .printf " FILE_MAP_WRITE" } ; .if(poi(@esp + 4)) & 4 { .printf " FILE_MAP_READ" } ; .echo ; .echo ; g" bp DuplicateHandle ".echo ; .printf "DuplicateHandle: %x", poi(@esp + 8) ; .echo ; .echo ; g" bp ConnectNamedPipe bp CreateNamedPipeW bp AcroRd32Exe+0xc08f ".echo Attach to client”
  • 31. Sandbox Analysis • Windbg can trace mappings for you # ChildEBP RetAddr 00 0041ec44 7700ac7e KERNELBASE!OpenFileMappingW 01 0041ec60 7700ac11 SHLWAPI!SHCreateSharedSection+0x16 02 0041ec90 7700acf6 SHLWAPI!OpenGlobalCounterFileMappingAndMapMemory+0x3d 03 0041eca8 7700e9de SHLWAPI!GetGlobalCounterMemoryAddress+0x3d 04 0041ecb4 75dac572 SHLWAPI!SHGlobalCounterGetValue+0xd OpenFileMappingW Path: [windows_shell_global_counters] FILE_MAP_WRITE FILE_MAP_READ -------------------- DuplicateHandle: 1e4 -------------------- # ChildEBP RetAddr 00 0041f0f0 00f2f824 KERNELBASE!CreateFileMappingW 01 0041f118 00f3023b AcroRd32Exe+0x1f824 02 0041f138 00f2e438 AcroRd32Exe+0x2023b 03 0041f230 00f4bf6b AcroRd32Exe+0x1e438 04 0041f360 00f1bdfa AcroRd32Exe+0x3bf6b CreateFileMappingW Handle: ffffffff 0041f118 0041f138 ".A.ò 쿐 ৬.A 찔 . 꼨 . 戅 ø" Mapped Memory Handle: 220 -------------------- DuplicateHandle: 220
  • 32. Sandbox Analysis • Windbg can trace mappings for you # ChildEBP RetAddr 00 0041f0f0 00f2f870 KERNELBASE!MapViewOfFile 01 0041f118 00f3023b AcroRd32Exe+0x1f870 02 0041f138 00f2e438 AcroRd32Exe+0x2023b 03 0041f230 00f4bf6b AcroRd32Exe+0x1e438 04 0041f360 00f1bdfa AcroRd32Exe+0x3bf6b -------------------- MapViewOfFile Mapped Address: a4a0000 Size: 4321592 Setting memory breakpoint -------------------- Mapped Memory Access # ChildEBP RetAddr 00 0041f0f8 00f2f963 AcroRd32Exe+0x237ac 01 0041f118 00f3023b AcroRd32Exe+0x1f963 02 0041f138 00f2e438 AcroRd32Exe+0x2023b 03 0041f230 00f4bf6b AcroRd32Exe+0x1e438 AcroRd32Exe+0x23795: 00f33797 8d0480 lea eax,[eax+eax*4] 00f3379a 8d148508000000 lea edx,[eax*4+8] 00f337a1 8b4508 mov eax,dword ptr [ebp+8] 00f337a4 53 push ebx 00f337a5 8907 mov dword ptr [edi],eax 00f337a7 8955fc mov dword ptr [ebp-4],edx 00f337aa 8908 mov dword ptr [eax],ecx
  • 33. Attacking IPC Message Format • Adobe uses a shared memory structure to request resources from the broker process • This additional attack surface deserves a critical look from a code quality perspective • We can inject a DLL to request resources in a loop with corrupt values
  • 34. Attacking IPC Message Format • Inject a DLL for fuzzing int InjectDLL(HANDLE hProcess, char *moduleName) { unsigned char *remoteBuffer; LPTHREAD_START_ROUTINE loadLibraryAddr; HANDLE hThread; DWORD moduleNameLen, ret; moduleNameLen = strlen(moduleName) + 1; remoteBuffer = (unsigned char *)VirtualAllocEx( hProcess, NULL, moduleNameLen, MEM_COMMIT, PAGE_READWRITE); WriteProcessMemory(hProcess, remoteBuffer , moduleName, moduleNameLen, NULL); loadLibraryAddr = (LPTHREAD_START_ROUTINE)GetProcAddress( GetModuleHandleA("kernel32.dll"), "LoadLibraryA"); hThread = CreateRemoteThread( hProcess, NULL, 0, loadLibraryAddr, (void *)remoteBuffer, 0, NULL); ret = WaitForSingleObject(hThread, 5 * 1000); ... }
  • 35. Attacking IPC Message Format • Fuzz from within the DLL BOOL APIENTRY DllMain(HANDLE hModule, DWORD dwReason, LPVOID lpReserved) { if(dwReason == DLL_PROCESS_ATTACH ) { MessageBoxA(NULL, "Dll injected!", "Fuzzer Dll", MB_OK); if((hFuzzThread = CreateThread( NULL, // default security attributes 0, // use default stack size FuzzerFunction, // thread function name NULL, // argument to thread function 0, // use default creation flags &dwFuzzThreadId)) == NULL) // returns the thread identifier { MessageBoxA(NULL, "Failed to create fuzzing thread", "Fuzzer Dll", MB_OK); } ... } return TRUE; }
  • 36. Attacking IPC Message Format • Fuzz from within the DLL DWORD WINAPI FuzzerFunction(LPVOID lpParam) { DWORD iteration = 0; FILE *file; do { char *path = GenFuzzedString(); file = fopen(path, "r"); if(file != NULL) fclose(file); file = fopen(path, "w"); if(file != NULL) fclose(file); ... } while (iteration++ < ITERATIONS); return 0; }
  • 37. If All Else Fails • Kernel exploitation will bypass ALL usermode sandbox architectures • Download the slides and whitepaper from yesterday’s talk on Windows Kernel Exploitation
  • 38. Unrestricted Access • Socket and Handle use is not restricted – Could use PDF exploit as a pivot point into a sensitive network using less sophisticated attacks to achieve persistence • Reading of the file system is not restricted – Combined with above flaw, file system may be dumped over a socket
  • 39. Unrestricted Access • Reading from Clipboard is not restricted • Log file is disabled by default – When it is enabled, it is stored in one of the few writable directories by default
  • 40. Future Potential • Network Sandboxing (LeBlanc) – A solution is outlined in http://blogs.msdn.com/b/david_leblanc/archi – tl;dr – Use Windows Firewall to limit connections to and from the acrord32.exe process
  • 41. Future Potential • File I/O Sandboxing (rjohnson) – On launch copy required resources to a temp directory – Limit all reads to the temp directory rather than allowing global read access
  • 42. Future Potential • Utilize 64-bit process advantages (anti-spray) • Javascript blacklist could be utilized to prevent loading of generic spray code – Currently only blacklist APIs rather than allow a fingerprinting mechanism • Embedded Flash interpreter should gain same sandbox as in the browser
  • 43. Conclusion • Adobe is moving in the right direction • Improvements need to be implemented on other platforms • Offering configuration that includes the ability to enable available solutions would lead to a more secure sandbox