2014_EN_BrowserFuzzing_RosarioValotta

Recommendations

Info

David vs goliath • Finding exploitable Vulnerabilities is becoming increasingly harder • Browsers are becoming more secure • Bigger and competitive market • If you’re a lonely security researcher with a slingshot you cannot compete with that bug-killing armada out there… • Old approaches don’t work any more • You need new ideas and a new approach, you need to know where to throw your stones.
Memory corruption vulns: a primer • Special kind of access violation bugs • Av bug is said to exploitable if: • It allows to control execution flow • the attacker has full control on the register causing the violation ACCESS VIOLATIONS Trying to perform r/w operations on illegal or restricted memory locations Attempt to write to an invalid memory location pointed by a register WRITE GS Violation READ Attempt to read from a register pointing to an invalid memory location HEAP CORRUPTI ON DEP Violation /Read AV on EIP READ AV mov eax, [ebx] call [eax] G<strong>EN</strong>ERIC register (eax=deadbeef) mov eax, [edx]
Page 1 and 2: BROWSER FUZZING IN 2014: David vs G
Page 3 and 4: 你好 ! • Hi beijing! I am rosa
Page 5: Vulnerabilities market Providers Bu
Page 9 and 10: Usual Targets for Browser fuzzing R
Page 11 and 12: DOM fuzzing • DOM has a complex d
Page 13 and 14: Stone #1 - Fuzzing/with/TIME
Page 15 and 16: • browsers are event-driven JS ti
Page 17 and 18: • Event objects are dispatched to
Page 19 and 20: Fuzzing with events setTimeout(fn,0
Page 21 and 22: FUZZing with XHR (2/2) Similar cons
Page 23 and 24: …the other side of the party •
Page 25 and 26: Stone #2 - Fuzzing/with/space
Page 27 and 28: Using legacy engines • By default
Page 29 and 30: Cross engines interactions • When
Page 31 and 32: Introducing fileja • A prototype
Page 33 and 34: SOME RESULTS #1 Registers: EAX = 0x
Page 35 and 36: SOME RESULTS #3 Registers: EAX = 0x
Page 37 and 38: Registers: EAX = 0x00454545 - EBX =
Page 39 and 40: SOME RESULTS #7 Caught a Write Acce
Page 41 and 42: SOME RESULTS #9 Caught a Read Acces
Page 43: Thankyou 谢谢

2014_EN_BrowserFuzzing_RosarioValotta

Create successful ePaper yourself

Delete template?

Save as template?