2014_EN_BrowserFuzzing_RosarioValotta

Recommendations

Info

memory protections and sandboxes IN MODERN BROWSERS and OSs CONTROLLING EIP is not enough to gain arbitrary code execution OS memory Protections DATA EXECUTION Prevention: not executable stack, must chain rop gadgets to compose an executable shellcode ASRL: HIGH Entropy randomization, cannot rely on fixed memory addresses when jumping to rop gadgets /GS: stack buffer security check, cannot overflow stack using attacker input Browser Protections SANDBOX/Protected mode: every browsing window runs with LOW privileges and cannot access to FILE SYSTEM or other critical machine’s data structures Safe browsing/Smartscreen: technologies to block execution of dowloaded files based on file signature and reputation Safe seh: eh security check, cannot overwrite eh routine to get code execution on exceptions EVEn if some bypass techniques exist, defeating memory protections and evading browser sandboxes can be a tough work.
Usual Targets for Browser fuzzing R<strong>EN</strong>DERING <strong>EN</strong>GINE is the most complex module of browser architecture: displays HTML ,XML, SVG, MATHML, VML documents and images. It can display other types of data via plug-ins or extensions (PDF, Media file, fonts, etc) • It is its responsibility to parse HTML, apply CSS and build an internal tree model of the web page called “DOM” • Every logical operation performed on the web tree is executed on the DOM before rendering is done Weapons of choice to effectively fuzz rendering engine are: 1. Fuzzing file formats 2. Fuzzing DOM
Page 1 and 2: BROWSER FUZZING IN 2014: David vs G
Page 3 and 4: 你好 ! • Hi beijing! I am rosa
Page 5 and 6: Vulnerabilities market Providers Bu
Page 7: Memory corruption vulns: a primer
Page 11 and 12: DOM fuzzing • DOM has a complex d
Page 13 and 14: Stone #1 - Fuzzing/with/TIME
Page 15 and 16: • browsers are event-driven JS ti
Page 17 and 18: • Event objects are dispatched to
Page 19 and 20: Fuzzing with events setTimeout(fn,0
Page 21 and 22: FUZZing with XHR (2/2) Similar cons
Page 23 and 24: …the other side of the party •
Page 25 and 26: Stone #2 - Fuzzing/with/space
Page 27 and 28: Using legacy engines • By default
Page 29 and 30: Cross engines interactions • When
Page 31 and 32: Introducing fileja • A prototype
Page 33 and 34: SOME RESULTS #1 Registers: EAX = 0x
Page 35 and 36: SOME RESULTS #3 Registers: EAX = 0x
Page 37 and 38: Registers: EAX = 0x00454545 - EBX =
Page 39 and 40: SOME RESULTS #7 Caught a Write Acce
Page 41 and 42: SOME RESULTS #9 Caught a Read Acces
Page 43: Thankyou 谢谢

2014_EN_BrowserFuzzing_RosarioValotta

Create successful ePaper yourself

Delete template?

Save as template?