SlideShare a Scribd company logo

Jwis2011 ruo ando

Ruo Ando
Ruo Ando

1. The document analyzes obfuscated JavaScript exploitation using the process debug manager extension of Microsoft Visual Studio. 2. This extension allows tracing of JavaScript behavior like function calls and property changes during execution, which can help analyze sophisticated attacks using techniques like binary encoding and obfuscation. 3. The debugging extension provides a higher-level view of the scripting environment compared to traditional low-level debuggers, helping bridge the "semantic gap" between the kernel/user modes and the web application layer.

TechnologyNews & Politics
1 of 20
Download to read offline
Analysis of obfuscated Java Script exploitation using process debug manager Ruo Ando Network Security Institute, National Institute of Information and Communication Technology, Tokyo, Japan
Introduction towards alternative Java Script debugger • Nowadays, Java Scripts are everywhere (including Android and Google App Engine) with the pervasive of JSON (RFC 4627) , JQuery (AJAX interface) and so on. • Consequently, Java Scripts has become sophisticated with binary coding of attack code and obfuscation using concatenation which imposes a great burden on security analysis. • Unfortunately, there does not exist useful debuggers specified for this kind of Java Script eploitation. • In this paper we propose the application of extension of MS visual studio debugging extension for providing a new techniques for tracing Java Script behavior. • Proposed system could extract features of some representative web attacks such as google Operation Aurora (MS10-002), IE styleObject (MS09-072) exploit.
the old new thing; impact and memory of google aurora operation ultra-sophisticated advanced persistent attack • The attack was named "Operation Aurora" by Dmitri Alperovitch, Vice President of Threat Research at cyber security company McAfee which informs this attack of WhiteHouse on Janurary 2010. • Origin: Operation Aurora is a cyber attack which began in mid-2009 and continued through December 2009. The attack was first publicly disclosed by Google on January 12, 2010, in a blog post. In the blog post, Google said the attack originated in China. • Ultra sophisticated: The attacks were both sophisticated and well resourced and consistent with an advanced persistent threat attack. The attack has been aimed at dozens of other organizations, of which Adobe Systems, Juniper Networks and Rackspace have publicly confirmed that they were targeted. According to media reports, Yahoo, Symantec, Northrop Grumman, Morgan Stanley and Dow Chemical were also among the targets. • Google and china: As a result of the attack, Google stated in its blog that it plans to operate a completely uncensored version of its search engine in China "within the law, if at all", and acknowledged that if this is not possible it may leave China and close its Chinese offices.Official Chinese media responded stating that the incident is part of a U.S. government conspiracy. Aurora operation is said to be Chinese Government’s attempts to wipe out Google from mainland.
BACKGROUND: attack vector is very short. But … Can we analyze (or debug) this IE exploitation using commodity probes? <html><head><script> function ev1 (evt) { var sc = unescape("%u9090%u19eb%u4b5b%..) e1 = document.createEventObject (evt); var sss = Array (826, 679, 798, 224, 770, 427, 819, document.getElementById ("sp1").innerHTML = ""; 770, 707, 805, 693, 679, 784, 707, 280, window.setInterval (ev2, 50); 238, 259, 819, 336, 693, 336, 700, 259, 819, 336, } 224, 770, 427, 770, 322, 805, 819, 686, function ev2 () 805, 812, 798, 735, 770, 721, 280, 336, 448, 371); { var arr = new Array; p = "¥u0c0d¥uu0c0d¥u0c0d¥u0c0d"; for (var i = 0; i < sss.length; i ++) { for (i = 0; i < x1.length; i ++) { arr[i] = String.fromCharCode (sss [i] / 7); x1 [i].data = p; } }; var cc = arr.toString (); var t = e1.srcElement; cc = cc.replace (/,/g, ""); } cc = cc.replace (/@/g, ","); </script> eval (cc); </head> var x1 = new Array (); for (i = 0; i < 200; i ++) { <body> x1 [i] = document.createElement ("COMMENT") <span id="sp1"><IMG SRC="aaa.gif" x1 [i].data = "abc"; onload="ev1(event)" width="16" height="16"></span> }; var e1 = null; </body> It is impossible to trace the script engines’ behavior allocating memory and gif processing !
the new old thing: web attack and Java Script • Java Scripts are everywhere (including Android and Google App Engine) with the pervasive of JSON (RFC 4627) , JQuery (AJAX interface) and so on. • Unfortunately again, there have not been striking probing (debugging) frames for tracing Java Script behavior such as google aurora operation said before. • In this paper we exploit the debugger extension of Microsoft Visual Studio 2010 (or later) debugging extension for tracking some famous Java Script exploitation dynamically. • Windows OS has longer history and therefore more mature interfaces to probe Java Script Execution. • We can conclude Microsoft PDM extension provide new aspect for analyzing malicious Java Script. • Techniques we have obtained here could be applied for constructing probe modules for other systems such as Dalvik VM of Android because the Java Script behavior should be the same regardless of OS (platform) types.
Commodity Debugger is not always enough ! Java Script and its semantic gap • Current popular debugging Malicious Java Script tools such as ollyDBG and Bad thing has been happened winDBG are not optimized (or enough) for tracing the behavior of Web scripting. MS Active Scripting Engine • Sementic gap between kernel / user mode debugger and web Memory Allocate Read/Write application execution layer. File I/O request We can’t estimate the Semantic Gap USER mode debugger event occurred above Can’t understand by naïve memory and what is going on IO request. API. MS Dynamic Link Binaries • Semantic gap means that Jscript.DLL etc probe running in user / kernel mode layer lacks the Native I/O request IRQ packets knowledge of higher level events such as web browser KERNEL mode debugger property change.
PDM and SDM: an extension of Microsoft Visual Studio 2005 – 2010 and later • PDM and SDM are components of the extension of Microsoft Visual Studio Extension. • PDM and SDM provides higher level of debugging view mainly for web scripting such as Java Script. • Process Debug Manager (PDM) is a component to make all running programs available to VSPackage (Visual Studio debugger components). Manage chain: PDM makes the target process available to SDM and DE. Session debug • By registering PDM, we can track the manager (SDM) manages several Debug Engine function call of high-level API invoked (DE). DE uses expression evaluator and symbol by web browser. Also, property change handler. SDM wraps IDebugExpression2 interface to obtain a stack frame with a help of (such as variable substitution) can be DE by IDebugThread2::EnumFrameInfo. logged.
Behavior description of Java Script in this paper ①File Name r = debugDocument[i]- >GetName(DOCUMENTNAMETYPE_URL,&filenameStr[i]); ②Function fDesc[i].pdsf ->GetDescriptionString(0,&functionStr[i]); b2s(functionStr[i],function,BUFLEN); ③Code (substitution) debugProperty = funcs->getDebugProperty(f); getPropertyInfoRecursive(debugProperty,props,0); ④Code(loop) props- >propertyIsChanged(propInfos[i].m_bstrFullName,propInfos[i].m_bstrVa lue)==TRUE)
Sample output: www.yahoo.co.jp Start Logging On: 2011/02/18 19:16:49 Process ID of IE Process ID:7072 MaxDepth 1 Process Name:Windows Internet Explorer Filename:http://www.yahoo.co.jp/ Depth of logging Function:JScript global code window:DispHTMLWindow2:{...} err:Object:{...} Function invoked ver:Undefined:undefined YAHOO:Undefined:undefined d:Undefined:undefined $:Undefined:undefined Property change 14:var ver="ga3_ie" ver:String:"ga3_ie" 15:if(typeof YAHOO=="undefined"||!YAHOO) Executed code 15:var YAHOO={} substitute YAHOO:Object:{...} 15:YAHOO.namespace=function(){var a=arguments,b=null,d,e,c;for(d=0;d<a.length;d=d+1){c =(""+a[d]).split(".");b=YAHOO;for(e=(c[0]=="YAHOO") Executed code ?1:0;e<c.length;e=e+1){b[c[e]]=b[c[e]]||{};b=b[c[e]]}}ret Loop urn b} ……
Proposed system: IE initialization and main loop Main loop IApplicationDebugger::onHandleBreakPoint Internet Explorer ①URL: what kinds of URL accessed ? hr = sfDesc[i].pdsf->GetCodeContext(&codeContext); if(hr!=S_OK){goto out ;} hr = codeContext->GetDocumentContext(&docContext[i]); if(hr!=S_OK){goto out;} hr = docContext[i]->GetDocument(&debugDocument[i]); Published by if(hr!=S_OK){goto out;} hr = debugDocument[i]->GetName PDM and SDM (DOCUMENTNAMETYPE_URL,&filenameStr[i]); (VS DGB extension) ②Property Change: ②-1:What kinds of function invoked ? sfDesc[i].pdsf->GetDescriptionString(0,&functionStr[i]); b2s(functionStr[i],function,BUFLEN); ②-2:What kinds of variables changed ? Internet Explorer debugProperty = funcs->getDebugProperty(f); (debuggee) getPropertyInfoRecursive(debugProperty,props,0);
Two core interfaces of SDM / PDM • IRemoteDebugApplication Interface This registered interface allows the session debug manager (SDM) to obtain information about programs that have been "published" through the IDebugProgramPublisher2 interface. Outside the debugger Debugger connect, start and stop • IApplicationDebugger Interface Represents a running application. It does not need to correspond to an operating-system process. Typically, a debugger targets an application for debugging. The Process Debug Manager typically implements the application object. Inside the debugger CauseBreak, handling breakPoint
Publishing IE (1) injecting my callbacks hr =PDM->WatchForProviderEvents( 0, method description // Tell the PDM that we want it to stop watching IDebugProgram NULL, Provider2:: Obtains information about // The PDM GetProvider programs running, filtered in ProcessDat a variety of ways. implementation of this interface does a not require the 'port' parameter IDebugProgram processId, Provider2:: Gets a program node, given a GetProvider specific process ID. // the process id to query ProgramNo de ScriptEngineFilter, IDebugProgram // We are interested in script code Establishes a callback to watch for Provider2:: provider events associated GUID_NULL, WatchForP with specific kinds of roviderEve // no launching engine processes. nts pMyCallback IDebugProgram Establishes a locale for any // callback interface Provider2:: language-specific resources SetLocale needed by the DE. ); Callbacks to inject
Publishing IE (2) querying and unmarshaling before launch for(DWORD pnode = 0;pnode<procData.ProgramNodes.dwCount;pnode++){ IDebugProviderProgramNode2 *dppn; hr = procData.ProgramNodes.Members[pnode] ->QueryInterface(__uuidof(IDebugProviderProgramNode2),(void**)&dppn); if(hr == S_OK){ IRemoteDebugApplication *rda; CHECK 1 QueryInterface: inspects hr = dppn->UnmarshalDebuggeeInterface wheter the object (__uuidof(IRemoteDebugApplication),(void**)&rda); (IE in this case) supports a certain COM interace. If this if(hr == S_OK){ method returns S_OK, procList[numScriptProcs]=processes[cp]; Windows OS increments the object reference count applicationDebugger[numScriptProcs] = new and the application can JSLogApplicationDebugger use the interface. (processId.ProcessId.dwProcessId,rda,maxDepth,maxStack, CHECK 2 heckGlobal); applicationDebugger[numScriptProcs]->startDebugging(); This method is used when the numScriptProcs++; debug engine is running in the Visual Studio process space } and the program being debugged is running in its own process space. OK. Start debugger using Obtains a specified interface across process boundaries. IRemoteDebugApplication Interface
Two core interfaces of proposed system: active script debugger interface • IRemoteDebugApplication Interface for connect / start / stop debugger of IE IRemoteDebugApplication::ResumeFromBre Continues an application that is currently in a breakpoint. akPoint IRemoteDebugApplication::CauseBreak Causes the application to break into the debugger at the earliest opportunity. IRemoteDebugApplication::Conn Connects a debugger to this application. ectDebugger IRemoteDebugApplication::DisconnectDebug Disconnects the current debugger from the application. ger IRemoteDebugApplication::GetDebugger Returns the current debugger connected to the application. Provides a mechanism for the debugger IDE, running out-of-process to the IRemoteDebugApplication::CreateInstanceAt application, Application to create objects in the application process. IRemoteDebugApplication::QueryAlive Indicates if the application is responsive. IRemoteDebugApplication::Enum Enumerates all threads known to be associated with the Threads application. IRemoteDebugApplication::GetName Returns the name of this application node. Returns the application node under which all nodes associated with the IRemoteDebugApplication::GetRootNode application are added. IRemoteDebugApplication::EnumGlobalExpr Enumerates the global expression contexts for all languages running in this essionContexts application.
Two core interfaces of proposed system: active script debugger interface • IDebugApplication Interface for cause/handle breakpoint of IE method description IDebugProgramProvider Obtains information about programs running, 2::GetProviderProcessDa filtered in a variety of ways. ta IDebugProgramProvider Gets a program node, given a specific process 2::GetProviderProgramN ID. ode IDebugProgramProvider Establishes a callback to watch for provider 2::WatchForProviderEve events associated with specific kinds of nts processes. IDebugProgramProvider Establishes a locale for any language-specific 2::SetLocale resources needed by the DE. Visual Studio Debugging Extensibility: http://msdn.microsoft.com/en-US/library/bb147088%28v=VS.80%29.aspx
Property change detection in the main loopDigging stack frames online Inspecting stack frames ①Get Function Name typedef struct sfDesc[i].pdsf- tagDebugStackFrameDescriptor { >GetDescriptionString(0,&functionStr[i]); IDebugStackFrame *pdsf; DWORD_PTR dwMin; DWORD_PTR dwLim; ②Get File and URL BOOL fFinal; DebugCodeContext* codeContext; IUnknown *punkFinal; } hr = sfDesc[i].pdsf- DebugStackFrameDescriptor; >GetCodeContext(&codeContext); ③Get Property Change typedef struct DebugPropertyInfo{ debugProperty = funcs- DBGPROP_INFO_FLAGS dwValidFields; >getDebugProperty(f); BSTR bstrName; getPropertyInfoRecursive(debugProperty, BSTR bstrType; BSTR bstrValue; props,0); BSTR bstrFullName; IDebugStackFrame::GetCodeContext DBGPROP_ATTRIB_FLAGS dwAttrib; IDebugStackFrame::GetDescriptionString IDebugProperty* pDebugProp; IDebugStackFrame::GetLanguageString }; IDebugStackFrame::GetThread
Experiment ①Google Aurora Attack (MS10-002 HTML object memory corruption) MS10-002 is HTML object memory corruption, known as Google aurora attack.This cyber attack began in mid 2009 and first publicly disclosed by Google on January by a blog post. The attack was also named as ”Operation Aurora” by Dmitri Alperovitch. McAfee Labs discovered that Aurora was included file path on the attacker’s machine. • MSB-MS10-002 • CVE-2010-0249 • OSVDB-61697 ② Active Directory Federation Service Attack (MS09-072 ATL headers vulnerability) MS09-072 is the vulnerability of Internet Explorer, which affects Microsoft Active Directory Federation Service (ADFS). In MS07-072, an active X control build with Microsoft Active Template Library (ATL) headers could allow advisory to execute remote code. The ATL vulnerability prompted an out-of-band release earlier this year from Microsoft. • MSB-MS09-072 • CVE-2009-3672 • OSVDB-50622 • BID-37085
Experiment Google Aurora Attack 1: Start Logging On: 2011/05/30 23:13:54 2: Process ID:3652 3: MaxDepth 2 4: Process Name:Windows Internet Explorer 5: Filename:http://192.168.20.160:8080/qMoTNjaQzbNF 6: Function:JScript global code 7: window:DispHTMLWindow2:{...} 8: window.clientInformation:Object:{...} 9: --- snip --- 10: window.event:IHTMLEventObj:null 11: window.external:Object:{...} 12: window.frameElement:IHTMLFrameBase:null 13: window.window:DispHTMLWindow2:{...} 14: pNrDlDURxbASLo:Undefined:undefined 15: OEJkQgrKoGXtKSVTgyyRcGTmCnvRxUl:Undefined:undefined 16: CLLFyYpDX:Undefined:undefined Payload 17: HBohOxVqidZHilqXmLPfqaMYiv:Undefined:undefined 18: 5:var pNrDlDURxbASLo = '0c053e66...' 19: pNrDlDURxbASLo:String:"0c053e66..." 20: 6:var OEJkQgrKoGXtKSVTgyyRcGTmCnvRxUl = '' 21: OEJkQgrKoGXtKSVTgyyRcGTmCnvRxUl:String:"[s]" 22: 7:i = 0 23: i:Number:0 Anomaly Loop detected! 24: 7:i<pNrDlDURxbASLo.length 25: 8:OEJkQgrKoGXtKSVTgyyRcGTmCnvRxUl += Exploit or Heap spray? 26: String.fromCharCode 27: (parseInt(pNrDlDURxbASLo.substring(i, i+2), 16)) 28: OEJkQgrKoGXtKSVTgyyRcGTmCnvRxUl:String:"[s][s]" var n=unescape("%u0c0d%u0c0d"); 29: 7:i+=2 30: i:Number:2 while(n.length<=524288) n+=n; 31: 7:i<pNrDlDURxbASLo.length 32: 8:OEJkQgrKoGXtKSVTgyyRcGTmCnvRxUl += n=n.substring(0,524269-sc.length); 33: String.fromCharCode var x=new Array(); 34: (parseInt(pNrDlDURxbASLo.substring(i, i+2), 16)) 35: OEJkQgrKoGXtKSVTgyyRcGTmCnvRxUl:String:"[s][s][s]" for(var i=0;i<200;i++) {x[i]=n+sc;}
Experiment MS09-072 1: Start Logging On: 2011/05/31 00:18:46 2: Process ID:688 3: MaxDepth 2 4: Process Name:Windows Internet Explorer 5: Filename:http://192.168.20.160:8080/1FysKckbN 6: Function:JScript - onload function 7: 20:sFsSfxRecSIXauNmBnB() 8: Function:sFsSfxRecSIXauNmBnB 9: DRBfZcPV:Undefined:undefined Payload? 10: AcHKfoIb:Undefined:undefined 14: 6:var DRBfZcPV = unescape 15: DRBfZcPV:Object:{...} 16: 7:var AcHKfoIb = DRBfZcPV('%u350d%ufc03%u747a%u4976%u2593%f9f%' ) 17: AcHKfoIb:String:"*******" 18: 8:var OSGwFEcn = 19: DRBfZcPV( "%"+"u"+"0"+"c"+"0"+"c"+"%u"+"0") 20: OSGwFEcn:String:"**" 21: 9:var pGgrrYDr = 20 + AcHKfoIb.length 22: pGgrrYDr:Number:520 23: 10:while (OSGwFEcn.length < pGgrrYDr) 24: 10:OSGwFEcn +=OSGwFEcn Anomaly loop detected! 25: OSGwFEcn:String:"****" 26: 10:while (OSGwFEcn.length < pGgrrYDr) Malicious code is scanning 27: 10:OSGwFEcn+=OSGwFEcn Memory … 28: OSGwFEcnn:String:"********" 29: 10:while (OSGwFEcn.length < pGgrrYDr) 30: 10:OSGwFEcn+=OSGwFEcn 31: OSGwFEcn:String:"******************" 32: 10:while (OSGwFEcn.length < pGgrrYDr) 33: 10:OSGwFEcn+=OSGwFEcn 34: OSGwFEcn:String:"**********************************"I
Conclusion and further works Writing alternative Java Script debugger is exciting challenge! It works partly now. • Java Scripts are everywhere (including Android and Google App Engine) with the pervasive of JSON (RFC 4627) , JQuery (AJAX interface) and so on. • However and further work: there have not been striking probing (debugging) frames for tracing Java Script behavior. • In this paper we exploit the debugger extension of Microsoft Visual Studio 2010 (or later) debugging extension for tracking some famous Java Script exploitation dynamically. Extensibility for other operating systems and platforms • Windows OS is the shortest path to understand Java Script behavior. Windows OS has longer history and therefore more mature interfaces to probe Java Script Execution. Techniques we have obtained here could be applied for constructing probe modules for other systems such as Dalvik VM of Android because the Java Script behavior should be the same regardless of OS (platform) types. IT IS NOT ENOUGH :- Memory dump is necessary, eventually idea: anomaly loop detection of Java Script + active memory monitoring by DLL injection etc.

Recommended

Css2011 Ruo Ando
Css2011 Ruo AndoCss2011 Ruo Ando
Css2011 Ruo Ando
Ruo Ando
 
Dynamic Groovy Edges
Dynamic Groovy EdgesDynamic Groovy Edges
Dynamic Groovy Edges
Jimmy Ray
 
TangoWithDjango - ch8
TangoWithDjango - ch8TangoWithDjango - ch8
TangoWithDjango - ch8
Asika Kuo
 
JavaScript Interview Questions and Answers | Full Stack Web Development Train...
JavaScript Interview Questions and Answers | Full Stack Web Development Train...JavaScript Interview Questions and Answers | Full Stack Web Development Train...
JavaScript Interview Questions and Answers | Full Stack Web Development Train...
Edureka!
 
CTS Conference Web 2.0 Tutorial Part 2
CTS Conference Web 2.0 Tutorial Part 2CTS Conference Web 2.0 Tutorial Part 2
CTS Conference Web 2.0 Tutorial Part 2
Geoffrey Fox
 
Java presentation
Java presentationJava presentation
Java presentation
Karan Sareen
 
iPhonical and model-driven software development for the iPhone
iPhonical and model-driven software development for the iPhoneiPhonical and model-driven software development for the iPhone
iPhonical and model-driven software development for the iPhone
Heiko Behrens
 
Communication in Node.js
Communication in Node.jsCommunication in Node.js
Communication in Node.js
Edureka!
 

Recommended

Css2011 Ruo Ando
Css2011 Ruo AndoCss2011 Ruo Ando
Css2011 Ruo Ando
Ruo Ando
 
Dynamic Groovy Edges
Dynamic Groovy EdgesDynamic Groovy Edges
Dynamic Groovy Edges
Jimmy Ray
 
TangoWithDjango - ch8
TangoWithDjango - ch8TangoWithDjango - ch8
TangoWithDjango - ch8
Asika Kuo
 
JavaScript Interview Questions and Answers | Full Stack Web Development Train...
JavaScript Interview Questions and Answers | Full Stack Web Development Train...JavaScript Interview Questions and Answers | Full Stack Web Development Train...
JavaScript Interview Questions and Answers | Full Stack Web Development Train...
Edureka!
 
CTS Conference Web 2.0 Tutorial Part 2
CTS Conference Web 2.0 Tutorial Part 2CTS Conference Web 2.0 Tutorial Part 2
CTS Conference Web 2.0 Tutorial Part 2
Geoffrey Fox
 
Java presentation
Java presentationJava presentation
Java presentation
Karan Sareen
 
iPhonical and model-driven software development for the iPhone
iPhonical and model-driven software development for the iPhoneiPhonical and model-driven software development for the iPhone
iPhonical and model-driven software development for the iPhone
Heiko Behrens
 
Communication in Node.js
Communication in Node.jsCommunication in Node.js
Communication in Node.js
Edureka!
 
Javascript Dependency Management
Javascript Dependency ManagementJavascript Dependency Management
Javascript Dependency Management
Sean Duncan
 
You suck at Memory Analysis
You suck at Memory AnalysisYou suck at Memory Analysis
You suck at Memory Analysis
Francisco Ribeiro
 
Open Social Summit Korea
Open Social Summit KoreaOpen Social Summit Korea
Open Social Summit Korea
Arne Roomann-Kurrik
 
Client-Side Packages
Client-Side PackagesClient-Side Packages
Client-Side Packages
Domenic Denicola
 
JavaScript: DOM and jQuery
JavaScript: DOM and jQueryJavaScript: DOM and jQuery
JavaScript: DOM and jQuery
維佋 唐
 
Ten Minutes To Tellurium
Ten Minutes To TelluriumTen Minutes To Tellurium
Ten Minutes To Tellurium
John.Jian.Fang
 
Tellurium 0.7.0 presentation
Tellurium 0.7.0 presentationTellurium 0.7.0 presentation
Tellurium 0.7.0 presentation
John.Jian.Fang
 
Lecture java basics
Lecture java basicsLecture java basics
Lecture java basics
eleksdev
 
Java questions with answers
Java questions with answersJava questions with answers
Java questions with answers
Kuntal Bhowmick
 
Naresh Kumar
Naresh KumarNaresh Kumar
Naresh Kumar
Naresh K
 
Architecting non-trivial browser applications (Jazoon 2012)
Architecting non-trivial browser applications (Jazoon 2012)Architecting non-trivial browser applications (Jazoon 2012)
Architecting non-trivial browser applications (Jazoon 2012)
Marc Bächinger
 
IOC + Javascript
IOC + JavascriptIOC + Javascript
IOC + Javascript
Brian Cavalier
 
Building web apps with node.js, socket.io, knockout.js and zombie.js - Codemo...
Building web apps with node.js, socket.io, knockout.js and zombie.js - Codemo...Building web apps with node.js, socket.io, knockout.js and zombie.js - Codemo...
Building web apps with node.js, socket.io, knockout.js and zombie.js - Codemo...
Ivan Loire
 
Jet presentation
Jet presentationJet presentation
Jet presentation
Peter Sellars
 
Tellurium.A.New.Approach.For.Web.Testing.V5
Tellurium.A.New.Approach.For.Web.Testing.V5Tellurium.A.New.Approach.For.Web.Testing.V5
Tellurium.A.New.Approach.For.Web.Testing.V5
John.Jian.Fang
 
From YUI3 to K2
From YUI3 to K2From YUI3 to K2
From YUI3 to K2
kaven yan
 
Visage Android - Cleaner APIs, Cleaner UIs
Visage Android - Cleaner APIs, Cleaner UIsVisage Android - Cleaner APIs, Cleaner UIs
Visage Android - Cleaner APIs, Cleaner UIs
Stephen Chin
 
Midiendo la calidad de código en WTF/Min (Revisado EUI Abril 2014)
Midiendo la calidad de código en WTF/Min (Revisado EUI Abril 2014)Midiendo la calidad de código en WTF/Min (Revisado EUI Abril 2014)
Midiendo la calidad de código en WTF/Min (Revisado EUI Abril 2014)
David Gómez García
 
Google App Engine for Java v0.0.2
Google App Engine for Java v0.0.2Google App Engine for Java v0.0.2
Google App Engine for Java v0.0.2
Matthew McCullough
 
Ajax with DWR
Ajax with DWRAjax with DWR
Ajax with DWR
gouthamrv
 
Bhavin_Resume
Bhavin_ResumeBhavin_Resume
Bhavin_Resume
bhavin patel
 
JSUG - Filthy Flex by Christoph Pickl
JSUG - Filthy Flex by Christoph PicklJSUG - Filthy Flex by Christoph Pickl
JSUG - Filthy Flex by Christoph Pickl
Christoph Pickl
 

More Related Content

What's hot

Javascript Dependency Management
Javascript Dependency ManagementJavascript Dependency Management
Javascript Dependency Management
Sean Duncan
 
You suck at Memory Analysis
You suck at Memory AnalysisYou suck at Memory Analysis
You suck at Memory Analysis
Francisco Ribeiro
 
Open Social Summit Korea
Open Social Summit KoreaOpen Social Summit Korea
Open Social Summit Korea
Arne Roomann-Kurrik
 
Client-Side Packages
Client-Side PackagesClient-Side Packages
Client-Side Packages
Domenic Denicola
 
JavaScript: DOM and jQuery
JavaScript: DOM and jQueryJavaScript: DOM and jQuery
JavaScript: DOM and jQuery
維佋 唐
 
Ten Minutes To Tellurium
Ten Minutes To TelluriumTen Minutes To Tellurium
Ten Minutes To Tellurium
John.Jian.Fang
 
Tellurium 0.7.0 presentation
Tellurium 0.7.0 presentationTellurium 0.7.0 presentation
Tellurium 0.7.0 presentation
John.Jian.Fang
 
Lecture java basics
Lecture java basicsLecture java basics
Lecture java basics
eleksdev
 
Java questions with answers
Java questions with answersJava questions with answers
Java questions with answers
Kuntal Bhowmick
 
Naresh Kumar
Naresh KumarNaresh Kumar
Naresh Kumar
Naresh K
 
Architecting non-trivial browser applications (Jazoon 2012)
Architecting non-trivial browser applications (Jazoon 2012)Architecting non-trivial browser applications (Jazoon 2012)
Architecting non-trivial browser applications (Jazoon 2012)
Marc Bächinger
 
IOC + Javascript
IOC + JavascriptIOC + Javascript
IOC + Javascript
Brian Cavalier
 
Building web apps with node.js, socket.io, knockout.js and zombie.js - Codemo...
Building web apps with node.js, socket.io, knockout.js and zombie.js - Codemo...Building web apps with node.js, socket.io, knockout.js and zombie.js - Codemo...
Building web apps with node.js, socket.io, knockout.js and zombie.js - Codemo...
Ivan Loire
 
Jet presentation
Jet presentationJet presentation
Jet presentation
Peter Sellars
 
Tellurium.A.New.Approach.For.Web.Testing.V5
Tellurium.A.New.Approach.For.Web.Testing.V5Tellurium.A.New.Approach.For.Web.Testing.V5
Tellurium.A.New.Approach.For.Web.Testing.V5
John.Jian.Fang
 
From YUI3 to K2
From YUI3 to K2From YUI3 to K2
From YUI3 to K2
kaven yan
 
Visage Android - Cleaner APIs, Cleaner UIs
Visage Android - Cleaner APIs, Cleaner UIsVisage Android - Cleaner APIs, Cleaner UIs
Visage Android - Cleaner APIs, Cleaner UIs
Stephen Chin
 
Midiendo la calidad de código en WTF/Min (Revisado EUI Abril 2014)
Midiendo la calidad de código en WTF/Min (Revisado EUI Abril 2014)Midiendo la calidad de código en WTF/Min (Revisado EUI Abril 2014)
Midiendo la calidad de código en WTF/Min (Revisado EUI Abril 2014)
David Gómez García
 

What's hot (18)

Javascript Dependency Management
Javascript Dependency ManagementJavascript Dependency Management
Javascript Dependency Management
 
You suck at Memory Analysis
You suck at Memory AnalysisYou suck at Memory Analysis
You suck at Memory Analysis
 
Open Social Summit Korea
Open Social Summit KoreaOpen Social Summit Korea
Open Social Summit Korea
 
Client-Side Packages
Client-Side PackagesClient-Side Packages
Client-Side Packages
 
JavaScript: DOM and jQuery
JavaScript: DOM and jQueryJavaScript: DOM and jQuery
JavaScript: DOM and jQuery
 
Ten Minutes To Tellurium
Ten Minutes To TelluriumTen Minutes To Tellurium
Ten Minutes To Tellurium
 
Tellurium 0.7.0 presentation
Tellurium 0.7.0 presentationTellurium 0.7.0 presentation
Tellurium 0.7.0 presentation
 
Lecture java basics
Lecture java basicsLecture java basics
Lecture java basics
 
Java questions with answers
Java questions with answersJava questions with answers
Java questions with answers
 
Naresh Kumar
Naresh KumarNaresh Kumar
Naresh Kumar
 
Architecting non-trivial browser applications (Jazoon 2012)
Architecting non-trivial browser applications (Jazoon 2012)Architecting non-trivial browser applications (Jazoon 2012)
Architecting non-trivial browser applications (Jazoon 2012)
 
IOC + Javascript
IOC + JavascriptIOC + Javascript
IOC + Javascript
 
Building web apps with node.js, socket.io, knockout.js and zombie.js - Codemo...
Building web apps with node.js, socket.io, knockout.js and zombie.js - Codemo...Building web apps with node.js, socket.io, knockout.js and zombie.js - Codemo...
Building web apps with node.js, socket.io, knockout.js and zombie.js - Codemo...
 
Jet presentation
Jet presentationJet presentation
Jet presentation
 
Tellurium.A.New.Approach.For.Web.Testing.V5
Tellurium.A.New.Approach.For.Web.Testing.V5Tellurium.A.New.Approach.For.Web.Testing.V5
Tellurium.A.New.Approach.For.Web.Testing.V5
 
From YUI3 to K2
From YUI3 to K2From YUI3 to K2
From YUI3 to K2
 
Visage Android - Cleaner APIs, Cleaner UIs
Visage Android - Cleaner APIs, Cleaner UIsVisage Android - Cleaner APIs, Cleaner UIs
Visage Android - Cleaner APIs, Cleaner UIs
 
Midiendo la calidad de código en WTF/Min (Revisado EUI Abril 2014)
Midiendo la calidad de código en WTF/Min (Revisado EUI Abril 2014)Midiendo la calidad de código en WTF/Min (Revisado EUI Abril 2014)
Midiendo la calidad de código en WTF/Min (Revisado EUI Abril 2014)
 

Similar to Jwis2011 ruo ando

Google App Engine for Java v0.0.2
Google App Engine for Java v0.0.2Google App Engine for Java v0.0.2
Google App Engine for Java v0.0.2
Matthew McCullough
 
Ajax with DWR
Ajax with DWRAjax with DWR
Ajax with DWR
gouthamrv
 
Bhavin_Resume
Bhavin_ResumeBhavin_Resume
Bhavin_Resume
bhavin patel
 
JSUG - Filthy Flex by Christoph Pickl
JSUG - Filthy Flex by Christoph PicklJSUG - Filthy Flex by Christoph Pickl
JSUG - Filthy Flex by Christoph Pickl
Christoph Pickl
 
Scripting Oracle Develop 2007
Scripting Oracle Develop 2007Scripting Oracle Develop 2007
Scripting Oracle Develop 2007
Tugdual Grall
 
JavaScript Libraries: The Big Picture
JavaScript Libraries: The Big PictureJavaScript Libraries: The Big Picture
JavaScript Libraries: The Big Picture
Simon Willison
 
Web Performance Part 4 "Client-side performance"
Web Performance Part 4 "Client-side performance"Web Performance Part 4 "Client-side performance"
Web Performance Part 4 "Client-side performance"
Binary Studio
 
How I learned to stop worrying and love embedding JavaScript
How I learned to stop worrying and love embedding JavaScriptHow I learned to stop worrying and love embedding JavaScript
How I learned to stop worrying and love embedding JavaScript
Kevin Read
 
Embedding V8 in Android apps with Ejecta-V8
Embedding V8 in Android apps with Ejecta-V8Embedding V8 in Android apps with Ejecta-V8
Embedding V8 in Android apps with Ejecta-V8
Kevin Read
 
SF JUG - GWT Can Help You Create Amazing Apps - 2009-10-13
SF JUG - GWT Can Help You Create Amazing Apps - 2009-10-13SF JUG - GWT Can Help You Create Amazing Apps - 2009-10-13
SF JUG - GWT Can Help You Create Amazing Apps - 2009-10-13
Fred Sauer
 
Cannibalising The Google App Engine
Cannibalising The Google App EngineCannibalising The Google App Engine
Cannibalising The Google App Engine
catherinewall
 
[JMaghreb 2014] Developing JavaScript Mobile Apps Using Apache Cordova
[JMaghreb 2014] Developing JavaScript Mobile Apps Using Apache Cordova[JMaghreb 2014] Developing JavaScript Mobile Apps Using Apache Cordova
[JMaghreb 2014] Developing JavaScript Mobile Apps Using Apache Cordova
Hazem Saleh
 
DotNet Introduction
DotNet IntroductionDotNet Introduction
DotNet Introduction
Wei Sun
 
Node azure
Node azureNode azure
Node azure
Emanuele DelBono
 
"JavaME + Android in action" CCT-CEJUG Dezembro 2008
"JavaME + Android in action" CCT-CEJUG Dezembro 2008"JavaME + Android in action" CCT-CEJUG Dezembro 2008
"JavaME + Android in action" CCT-CEJUG Dezembro 2008
Vando Batista
 
Usability in the GeoWeb
Usability in the GeoWebUsability in the GeoWeb
Usability in the GeoWeb
Dave Bouwman
 
FRAUD DETECTION IN ONLINE AUCTIONING
FRAUD DETECTION IN ONLINE AUCTIONINGFRAUD DETECTION IN ONLINE AUCTIONING
FRAUD DETECTION IN ONLINE AUCTIONING
Satish Chandra
 
WEB-VR by Ankitkumar Singh
WEB-VR by Ankitkumar SinghWEB-VR by Ankitkumar Singh
WEB-VR by Ankitkumar Singh
Ankitkumar Singh
 
Node js
Node jsNode js
Node js
Chirag Parmar
 
gDayX 2013 - Advanced AngularJS - Nicolas Embleton
gDayX 2013 - Advanced AngularJS - Nicolas EmbletongDayX 2013 - Advanced AngularJS - Nicolas Embleton
gDayX 2013 - Advanced AngularJS - Nicolas Embleton
George Nguyen
 

Similar to Jwis2011 ruo ando (20)

Google App Engine for Java v0.0.2
Google App Engine for Java v0.0.2Google App Engine for Java v0.0.2
Google App Engine for Java v0.0.2
 
Ajax with DWR
Ajax with DWRAjax with DWR
Ajax with DWR
 
Bhavin_Resume
Bhavin_ResumeBhavin_Resume
Bhavin_Resume
 
JSUG - Filthy Flex by Christoph Pickl
JSUG - Filthy Flex by Christoph PicklJSUG - Filthy Flex by Christoph Pickl
JSUG - Filthy Flex by Christoph Pickl
 
Scripting Oracle Develop 2007
Scripting Oracle Develop 2007Scripting Oracle Develop 2007
Scripting Oracle Develop 2007
 
JavaScript Libraries: The Big Picture
JavaScript Libraries: The Big PictureJavaScript Libraries: The Big Picture
JavaScript Libraries: The Big Picture
 
Web Performance Part 4 "Client-side performance"
Web Performance Part 4 "Client-side performance"Web Performance Part 4 "Client-side performance"
Web Performance Part 4 "Client-side performance"
 
How I learned to stop worrying and love embedding JavaScript
How I learned to stop worrying and love embedding JavaScriptHow I learned to stop worrying and love embedding JavaScript
How I learned to stop worrying and love embedding JavaScript
 
Embedding V8 in Android apps with Ejecta-V8
Embedding V8 in Android apps with Ejecta-V8Embedding V8 in Android apps with Ejecta-V8
Embedding V8 in Android apps with Ejecta-V8
 
SF JUG - GWT Can Help You Create Amazing Apps - 2009-10-13
SF JUG - GWT Can Help You Create Amazing Apps - 2009-10-13SF JUG - GWT Can Help You Create Amazing Apps - 2009-10-13
SF JUG - GWT Can Help You Create Amazing Apps - 2009-10-13
 
Cannibalising The Google App Engine
Cannibalising The Google App EngineCannibalising The Google App Engine
Cannibalising The Google App Engine
 
[JMaghreb 2014] Developing JavaScript Mobile Apps Using Apache Cordova
[JMaghreb 2014] Developing JavaScript Mobile Apps Using Apache Cordova[JMaghreb 2014] Developing JavaScript Mobile Apps Using Apache Cordova
[JMaghreb 2014] Developing JavaScript Mobile Apps Using Apache Cordova
 
DotNet Introduction
DotNet IntroductionDotNet Introduction
DotNet Introduction
 
Node azure
Node azureNode azure
Node azure
 
"JavaME + Android in action" CCT-CEJUG Dezembro 2008
"JavaME + Android in action" CCT-CEJUG Dezembro 2008"JavaME + Android in action" CCT-CEJUG Dezembro 2008
"JavaME + Android in action" CCT-CEJUG Dezembro 2008
 
Usability in the GeoWeb
Usability in the GeoWebUsability in the GeoWeb
Usability in the GeoWeb
 
FRAUD DETECTION IN ONLINE AUCTIONING
FRAUD DETECTION IN ONLINE AUCTIONINGFRAUD DETECTION IN ONLINE AUCTIONING
FRAUD DETECTION IN ONLINE AUCTIONING
 
WEB-VR by Ankitkumar Singh
WEB-VR by Ankitkumar SinghWEB-VR by Ankitkumar Singh
WEB-VR by Ankitkumar Singh
 
Node js
Node jsNode js
Node js
 
gDayX 2013 - Advanced AngularJS - Nicolas Embleton
gDayX 2013 - Advanced AngularJS - Nicolas EmbletongDayX 2013 - Advanced AngularJS - Nicolas Embleton
gDayX 2013 - Advanced AngularJS - Nicolas Embleton
 

More from Ruo Ando

KISTI-NII Joint Security Workshop 2023.pdf
KISTI-NII Joint Security Workshop 2023.pdfKISTI-NII Joint Security Workshop 2023.pdf
KISTI-NII Joint Security Workshop 2023.pdf
Ruo Ando
 
Gartner 「セキュリティ&リスクマネジメントサミット 2019」- 安藤
Gartner 「セキュリティ&リスクマネジメントサミット 2019」- 安藤Gartner 「セキュリティ&リスクマネジメントサミット 2019」- 安藤
Gartner 「セキュリティ&リスクマネジメントサミット 2019」- 安藤
Ruo Ando
 
解説#86 決定木 - ss.pdf
解説#86 決定木 - ss.pdf解説#86 決定木 - ss.pdf
解説#86 決定木 - ss.pdf
Ruo Ando
 
SaaSアカデミー for バックオフィス アイドルと学ぶDX講座 ~アイドル戦略に見るDXを専門家が徹底解説~
SaaSアカデミー for バックオフィス アイドルと学ぶDX講座 ~アイドル戦略に見るDXを専門家が徹底解説~SaaSアカデミー for バックオフィス アイドルと学ぶDX講座 ~アイドル戦略に見るDXを専門家が徹底解説~
SaaSアカデミー for バックオフィス アイドルと学ぶDX講座 ~アイドル戦略に見るDXを専門家が徹底解説~
Ruo Ando
 
解説#83 情報エントロピー
解説#83 情報エントロピー解説#83 情報エントロピー
解説#83 情報エントロピー
Ruo Ando
 
解説#82 記号論理学
解説#82 記号論理学解説#82 記号論理学
解説#82 記号論理学
Ruo Ando
 
解説#81 ロジスティック回帰
解説#81 ロジスティック回帰解説#81 ロジスティック回帰
解説#81 ロジスティック回帰
Ruo Ando
 
解説#74 連結リスト
解説#74 連結リスト解説#74 連結リスト
解説#74 連結リスト
Ruo Ando
 
解説#76 福岡正信
解説#76 福岡正信解説#76 福岡正信
解説#76 福岡正信
Ruo Ando
 
解説#77 非加算無限
解説#77 非加算無限解説#77 非加算無限
解説#77 非加算無限
Ruo Ando
 
解説#1 C言語ポインタとアドレス
解説#1 C言語ポインタとアドレス解説#1 C言語ポインタとアドレス
解説#1 C言語ポインタとアドレス
Ruo Ando
 
解説#78 誤差逆伝播
解説#78 誤差逆伝播解説#78 誤差逆伝播
解説#78 誤差逆伝播
Ruo Ando
 
解説#73 ハフマン符号
解説#73 ハフマン符号解説#73 ハフマン符号
解説#73 ハフマン符号
Ruo Ando
 
【技術解説20】 ミニバッチ確率的勾配降下法
【技術解説20】 ミニバッチ確率的勾配降下法【技術解説20】 ミニバッチ確率的勾配降下法
【技術解説20】 ミニバッチ確率的勾配降下法
Ruo Ando
 
【技術解説4】assertion failureとuse after-free
【技術解説4】assertion failureとuse after-free【技術解説4】assertion failureとuse after-free
【技術解説4】assertion failureとuse after-free
Ruo Ando
 
ITmedia Security Week 2021 講演資料
ITmedia Security Week 2021 講演資料 ITmedia Security Week 2021 講演資料
ITmedia Security Week 2021 講演資料
Ruo Ando
 
ファジングの解説
ファジングの解説ファジングの解説
ファジングの解説
Ruo Ando
 
AI(機械学習・深層学習)との協働スキルとOperational AIの事例紹介 @ ビジネス+ITセミナー 2020年11月
AI(機械学習・深層学習)との協働スキルとOperational AIの事例紹介 @ ビジネス+ITセミナー 2020年11月AI(機械学習・深層学習)との協働スキルとOperational AIの事例紹介 @ ビジネス+ITセミナー 2020年11月
AI(機械学習・深層学習)との協働スキルとOperational AIの事例紹介 @ ビジネス+ITセミナー 2020年11月
Ruo Ando
 
【AI実装4】TensorFlowのプログラムを読む2 非線形回帰
【AI実装4】TensorFlowのプログラムを読む2 非線形回帰【AI実装4】TensorFlowのプログラムを読む2 非線形回帰
【AI実装4】TensorFlowのプログラムを読む2 非線形回帰
Ruo Ando
 
Intel Trusted Computing Group 1st Workshop
Intel Trusted Computing Group 1st WorkshopIntel Trusted Computing Group 1st Workshop
Intel Trusted Computing Group 1st Workshop
Ruo Ando
 

More from Ruo Ando (20)

KISTI-NII Joint Security Workshop 2023.pdf
KISTI-NII Joint Security Workshop 2023.pdfKISTI-NII Joint Security Workshop 2023.pdf
KISTI-NII Joint Security Workshop 2023.pdf
 
Gartner 「セキュリティ&リスクマネジメントサミット 2019」- 安藤
Gartner 「セキュリティ&リスクマネジメントサミット 2019」- 安藤Gartner 「セキュリティ&リスクマネジメントサミット 2019」- 安藤
Gartner 「セキュリティ&リスクマネジメントサミット 2019」- 安藤
 
解説#86 決定木 - ss.pdf
解説#86 決定木 - ss.pdf解説#86 決定木 - ss.pdf
解説#86 決定木 - ss.pdf
 
SaaSアカデミー for バックオフィス アイドルと学ぶDX講座 ~アイドル戦略に見るDXを専門家が徹底解説~
SaaSアカデミー for バックオフィス アイドルと学ぶDX講座 ~アイドル戦略に見るDXを専門家が徹底解説~SaaSアカデミー for バックオフィス アイドルと学ぶDX講座 ~アイドル戦略に見るDXを専門家が徹底解説~
SaaSアカデミー for バックオフィス アイドルと学ぶDX講座 ~アイドル戦略に見るDXを専門家が徹底解説~
 
解説#83 情報エントロピー
解説#83 情報エントロピー解説#83 情報エントロピー
解説#83 情報エントロピー
 
解説#82 記号論理学
解説#82 記号論理学解説#82 記号論理学
解説#82 記号論理学
 
解説#81 ロジスティック回帰
解説#81 ロジスティック回帰解説#81 ロジスティック回帰
解説#81 ロジスティック回帰
 
解説#74 連結リスト
解説#74 連結リスト解説#74 連結リスト
解説#74 連結リスト
 
解説#76 福岡正信
解説#76 福岡正信解説#76 福岡正信
解説#76 福岡正信
 
解説#77 非加算無限
解説#77 非加算無限解説#77 非加算無限
解説#77 非加算無限
 
解説#1 C言語ポインタとアドレス
解説#1 C言語ポインタとアドレス解説#1 C言語ポインタとアドレス
解説#1 C言語ポインタとアドレス
 
解説#78 誤差逆伝播
解説#78 誤差逆伝播解説#78 誤差逆伝播
解説#78 誤差逆伝播
 
解説#73 ハフマン符号
解説#73 ハフマン符号解説#73 ハフマン符号
解説#73 ハフマン符号
 
【技術解説20】 ミニバッチ確率的勾配降下法
【技術解説20】 ミニバッチ確率的勾配降下法【技術解説20】 ミニバッチ確率的勾配降下法
【技術解説20】 ミニバッチ確率的勾配降下法
 
【技術解説4】assertion failureとuse after-free
【技術解説4】assertion failureとuse after-free【技術解説4】assertion failureとuse after-free
【技術解説4】assertion failureとuse after-free
 
ITmedia Security Week 2021 講演資料
ITmedia Security Week 2021 講演資料 ITmedia Security Week 2021 講演資料
ITmedia Security Week 2021 講演資料
 
ファジングの解説
ファジングの解説ファジングの解説
ファジングの解説
 
AI(機械学習・深層学習)との協働スキルとOperational AIの事例紹介 @ ビジネス+ITセミナー 2020年11月
AI(機械学習・深層学習)との協働スキルとOperational AIの事例紹介 @ ビジネス+ITセミナー 2020年11月AI(機械学習・深層学習)との協働スキルとOperational AIの事例紹介 @ ビジネス+ITセミナー 2020年11月
AI(機械学習・深層学習)との協働スキルとOperational AIの事例紹介 @ ビジネス+ITセミナー 2020年11月
 
【AI実装4】TensorFlowのプログラムを読む2 非線形回帰
【AI実装4】TensorFlowのプログラムを読む2 非線形回帰【AI実装4】TensorFlowのプログラムを読む2 非線形回帰
【AI実装4】TensorFlowのプログラムを読む2 非線形回帰
 
Intel Trusted Computing Group 1st Workshop
Intel Trusted Computing Group 1st WorkshopIntel Trusted Computing Group 1st Workshop
Intel Trusted Computing Group 1st Workshop
 

Recently uploaded

Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 

Recently uploaded (20)

Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 

Jwis2011 ruo ando

  • 1. Analysis of obfuscated Java Script exploitation using process debug manager Ruo Ando Network Security Institute, National Institute of Information and Communication Technology, Tokyo, Japan
  • 2. Introduction towards alternative Java Script debugger • Nowadays, Java Scripts are everywhere (including Android and Google App Engine) with the pervasive of JSON (RFC 4627) , JQuery (AJAX interface) and so on. • Consequently, Java Scripts has become sophisticated with binary coding of attack code and obfuscation using concatenation which imposes a great burden on security analysis. • Unfortunately, there does not exist useful debuggers specified for this kind of Java Script eploitation. • In this paper we propose the application of extension of MS visual studio debugging extension for providing a new techniques for tracing Java Script behavior. • Proposed system could extract features of some representative web attacks such as google Operation Aurora (MS10-002), IE styleObject (MS09-072) exploit.
  • 3. the old new thing; impact and memory of google aurora operation ultra-sophisticated advanced persistent attack • The attack was named "Operation Aurora" by Dmitri Alperovitch, Vice President of Threat Research at cyber security company McAfee which informs this attack of WhiteHouse on Janurary 2010. • Origin: Operation Aurora is a cyber attack which began in mid-2009 and continued through December 2009. The attack was first publicly disclosed by Google on January 12, 2010, in a blog post. In the blog post, Google said the attack originated in China. • Ultra sophisticated: The attacks were both sophisticated and well resourced and consistent with an advanced persistent threat attack. The attack has been aimed at dozens of other organizations, of which Adobe Systems, Juniper Networks and Rackspace have publicly confirmed that they were targeted. According to media reports, Yahoo, Symantec, Northrop Grumman, Morgan Stanley and Dow Chemical were also among the targets. • Google and china: As a result of the attack, Google stated in its blog that it plans to operate a completely uncensored version of its search engine in China "within the law, if at all", and acknowledged that if this is not possible it may leave China and close its Chinese offices.Official Chinese media responded stating that the incident is part of a U.S. government conspiracy. Aurora operation is said to be Chinese Government’s attempts to wipe out Google from mainland.
  • 4. BACKGROUND: attack vector is very short. But … Can we analyze (or debug) this IE exploitation using commodity probes? <html><head><script> function ev1 (evt) { var sc = unescape("%u9090%u19eb%u4b5b%..) e1 = document.createEventObject (evt); var sss = Array (826, 679, 798, 224, 770, 427, 819, document.getElementById ("sp1").innerHTML = ""; 770, 707, 805, 693, 679, 784, 707, 280, window.setInterval (ev2, 50); 238, 259, 819, 336, 693, 336, 700, 259, 819, 336, } 224, 770, 427, 770, 322, 805, 819, 686, function ev2 () 805, 812, 798, 735, 770, 721, 280, 336, 448, 371); { var arr = new Array; p = "¥u0c0d¥uu0c0d¥u0c0d¥u0c0d"; for (var i = 0; i < sss.length; i ++) { for (i = 0; i < x1.length; i ++) { arr[i] = String.fromCharCode (sss [i] / 7); x1 [i].data = p; } }; var cc = arr.toString (); var t = e1.srcElement; cc = cc.replace (/,/g, ""); } cc = cc.replace (/@/g, ","); </script> eval (cc); </head> var x1 = new Array (); for (i = 0; i < 200; i ++) { <body> x1 [i] = document.createElement ("COMMENT") <span id="sp1"><IMG SRC="aaa.gif" x1 [i].data = "abc"; onload="ev1(event)" width="16" height="16"></span> }; var e1 = null; </body> It is impossible to trace the script engines’ behavior allocating memory and gif processing !
  • 5. the new old thing: web attack and Java Script • Java Scripts are everywhere (including Android and Google App Engine) with the pervasive of JSON (RFC 4627) , JQuery (AJAX interface) and so on. • Unfortunately again, there have not been striking probing (debugging) frames for tracing Java Script behavior such as google aurora operation said before. • In this paper we exploit the debugger extension of Microsoft Visual Studio 2010 (or later) debugging extension for tracking some famous Java Script exploitation dynamically. • Windows OS has longer history and therefore more mature interfaces to probe Java Script Execution. • We can conclude Microsoft PDM extension provide new aspect for analyzing malicious Java Script. • Techniques we have obtained here could be applied for constructing probe modules for other systems such as Dalvik VM of Android because the Java Script behavior should be the same regardless of OS (platform) types.
  • 6. Commodity Debugger is not always enough ! Java Script and its semantic gap • Current popular debugging Malicious Java Script tools such as ollyDBG and Bad thing has been happened winDBG are not optimized (or enough) for tracing the behavior of Web scripting. MS Active Scripting Engine • Sementic gap between kernel / user mode debugger and web Memory Allocate Read/Write application execution layer. File I/O request We can’t estimate the Semantic Gap USER mode debugger event occurred above Can’t understand by naïve memory and what is going on IO request. API. MS Dynamic Link Binaries • Semantic gap means that Jscript.DLL etc probe running in user / kernel mode layer lacks the Native I/O request IRQ packets knowledge of higher level events such as web browser KERNEL mode debugger property change.
  • 7. PDM and SDM: an extension of Microsoft Visual Studio 2005 – 2010 and later • PDM and SDM are components of the extension of Microsoft Visual Studio Extension. • PDM and SDM provides higher level of debugging view mainly for web scripting such as Java Script. • Process Debug Manager (PDM) is a component to make all running programs available to VSPackage (Visual Studio debugger components). Manage chain: PDM makes the target process available to SDM and DE. Session debug • By registering PDM, we can track the manager (SDM) manages several Debug Engine function call of high-level API invoked (DE). DE uses expression evaluator and symbol by web browser. Also, property change handler. SDM wraps IDebugExpression2 interface to obtain a stack frame with a help of (such as variable substitution) can be DE by IDebugThread2::EnumFrameInfo. logged.
  • 8. Behavior description of Java Script in this paper ①File Name r = debugDocument[i]- >GetName(DOCUMENTNAMETYPE_URL,&filenameStr[i]); ②Function fDesc[i].pdsf ->GetDescriptionString(0,&functionStr[i]); b2s(functionStr[i],function,BUFLEN); ③Code (substitution) debugProperty = funcs->getDebugProperty(f); getPropertyInfoRecursive(debugProperty,props,0); ④Code(loop) props- >propertyIsChanged(propInfos[i].m_bstrFullName,propInfos[i].m_bstrVa lue)==TRUE)
  • 9. Sample output: www.yahoo.co.jp Start Logging On: 2011/02/18 19:16:49 Process ID of IE Process ID:7072 MaxDepth 1 Process Name:Windows Internet Explorer Filename:http://www.yahoo.co.jp/ Depth of logging Function:JScript global code window:DispHTMLWindow2:{...} err:Object:{...} Function invoked ver:Undefined:undefined YAHOO:Undefined:undefined d:Undefined:undefined $:Undefined:undefined Property change 14:var ver="ga3_ie" ver:String:"ga3_ie" 15:if(typeof YAHOO=="undefined"||!YAHOO) Executed code 15:var YAHOO={} substitute YAHOO:Object:{...} 15:YAHOO.namespace=function(){var a=arguments,b=null,d,e,c;for(d=0;d<a.length;d=d+1){c =(""+a[d]).split(".");b=YAHOO;for(e=(c[0]=="YAHOO") Executed code ?1:0;e<c.length;e=e+1){b[c[e]]=b[c[e]]||{};b=b[c[e]]}}ret Loop urn b} ……
  • 10. Proposed system: IE initialization and main loop Main loop IApplicationDebugger::onHandleBreakPoint Internet Explorer ①URL: what kinds of URL accessed ? hr = sfDesc[i].pdsf->GetCodeContext(&codeContext); if(hr!=S_OK){goto out ;} hr = codeContext->GetDocumentContext(&docContext[i]); if(hr!=S_OK){goto out;} hr = docContext[i]->GetDocument(&debugDocument[i]); Published by if(hr!=S_OK){goto out;} hr = debugDocument[i]->GetName PDM and SDM (DOCUMENTNAMETYPE_URL,&filenameStr[i]); (VS DGB extension) ②Property Change: ②-1:What kinds of function invoked ? sfDesc[i].pdsf->GetDescriptionString(0,&functionStr[i]); b2s(functionStr[i],function,BUFLEN); ②-2:What kinds of variables changed ? Internet Explorer debugProperty = funcs->getDebugProperty(f); (debuggee) getPropertyInfoRecursive(debugProperty,props,0);
  • 11. Two core interfaces of SDM / PDM • IRemoteDebugApplication Interface This registered interface allows the session debug manager (SDM) to obtain information about programs that have been "published" through the IDebugProgramPublisher2 interface. Outside the debugger Debugger connect, start and stop • IApplicationDebugger Interface Represents a running application. It does not need to correspond to an operating-system process. Typically, a debugger targets an application for debugging. The Process Debug Manager typically implements the application object. Inside the debugger CauseBreak, handling breakPoint
  • 12. Publishing IE (1) injecting my callbacks hr =PDM->WatchForProviderEvents( 0, method description // Tell the PDM that we want it to stop watching IDebugProgram NULL, Provider2:: Obtains information about // The PDM GetProvider programs running, filtered in ProcessDat a variety of ways. implementation of this interface does a not require the 'port' parameter IDebugProgram processId, Provider2:: Gets a program node, given a GetProvider specific process ID. // the process id to query ProgramNo de ScriptEngineFilter, IDebugProgram // We are interested in script code Establishes a callback to watch for Provider2:: provider events associated GUID_NULL, WatchForP with specific kinds of roviderEve // no launching engine processes. nts pMyCallback IDebugProgram Establishes a locale for any // callback interface Provider2:: language-specific resources SetLocale needed by the DE. ); Callbacks to inject
  • 13. Publishing IE (2) querying and unmarshaling before launch for(DWORD pnode = 0;pnode<procData.ProgramNodes.dwCount;pnode++){ IDebugProviderProgramNode2 *dppn; hr = procData.ProgramNodes.Members[pnode] ->QueryInterface(__uuidof(IDebugProviderProgramNode2),(void**)&dppn); if(hr == S_OK){ IRemoteDebugApplication *rda; CHECK 1 QueryInterface: inspects hr = dppn->UnmarshalDebuggeeInterface wheter the object (__uuidof(IRemoteDebugApplication),(void**)&rda); (IE in this case) supports a certain COM interace. If this if(hr == S_OK){ method returns S_OK, procList[numScriptProcs]=processes[cp]; Windows OS increments the object reference count applicationDebugger[numScriptProcs] = new and the application can JSLogApplicationDebugger use the interface. (processId.ProcessId.dwProcessId,rda,maxDepth,maxStack, CHECK 2 heckGlobal); applicationDebugger[numScriptProcs]->startDebugging(); This method is used when the numScriptProcs++; debug engine is running in the Visual Studio process space } and the program being debugged is running in its own process space. OK. Start debugger using Obtains a specified interface across process boundaries. IRemoteDebugApplication Interface
  • 14. Two core interfaces of proposed system: active script debugger interface • IRemoteDebugApplication Interface for connect / start / stop debugger of IE IRemoteDebugApplication::ResumeFromBre Continues an application that is currently in a breakpoint. akPoint IRemoteDebugApplication::CauseBreak Causes the application to break into the debugger at the earliest opportunity. IRemoteDebugApplication::Conn Connects a debugger to this application. ectDebugger IRemoteDebugApplication::DisconnectDebug Disconnects the current debugger from the application. ger IRemoteDebugApplication::GetDebugger Returns the current debugger connected to the application. Provides a mechanism for the debugger IDE, running out-of-process to the IRemoteDebugApplication::CreateInstanceAt application, Application to create objects in the application process. IRemoteDebugApplication::QueryAlive Indicates if the application is responsive. IRemoteDebugApplication::Enum Enumerates all threads known to be associated with the Threads application. IRemoteDebugApplication::GetName Returns the name of this application node. Returns the application node under which all nodes associated with the IRemoteDebugApplication::GetRootNode application are added. IRemoteDebugApplication::EnumGlobalExpr Enumerates the global expression contexts for all languages running in this essionContexts application.
  • 15. Two core interfaces of proposed system: active script debugger interface • IDebugApplication Interface for cause/handle breakpoint of IE method description IDebugProgramProvider Obtains information about programs running, 2::GetProviderProcessDa filtered in a variety of ways. ta IDebugProgramProvider Gets a program node, given a specific process 2::GetProviderProgramN ID. ode IDebugProgramProvider Establishes a callback to watch for provider 2::WatchForProviderEve events associated with specific kinds of nts processes. IDebugProgramProvider Establishes a locale for any language-specific 2::SetLocale resources needed by the DE. Visual Studio Debugging Extensibility: http://msdn.microsoft.com/en-US/library/bb147088%28v=VS.80%29.aspx
  • 16. Property change detection in the main loopDigging stack frames online Inspecting stack frames ①Get Function Name typedef struct sfDesc[i].pdsf- tagDebugStackFrameDescriptor { >GetDescriptionString(0,&functionStr[i]); IDebugStackFrame *pdsf; DWORD_PTR dwMin; DWORD_PTR dwLim; ②Get File and URL BOOL fFinal; DebugCodeContext* codeContext; IUnknown *punkFinal; } hr = sfDesc[i].pdsf- DebugStackFrameDescriptor; >GetCodeContext(&codeContext); ③Get Property Change typedef struct DebugPropertyInfo{ debugProperty = funcs- DBGPROP_INFO_FLAGS dwValidFields; >getDebugProperty(f); BSTR bstrName; getPropertyInfoRecursive(debugProperty, BSTR bstrType; BSTR bstrValue; props,0); BSTR bstrFullName; IDebugStackFrame::GetCodeContext DBGPROP_ATTRIB_FLAGS dwAttrib; IDebugStackFrame::GetDescriptionString IDebugProperty* pDebugProp; IDebugStackFrame::GetLanguageString }; IDebugStackFrame::GetThread
  • 17. Experiment ①Google Aurora Attack (MS10-002 HTML object memory corruption) MS10-002 is HTML object memory corruption, known as Google aurora attack.This cyber attack began in mid 2009 and first publicly disclosed by Google on January by a blog post. The attack was also named as ”Operation Aurora” by Dmitri Alperovitch. McAfee Labs discovered that Aurora was included file path on the attacker’s machine. • MSB-MS10-002 • CVE-2010-0249 • OSVDB-61697 ② Active Directory Federation Service Attack (MS09-072 ATL headers vulnerability) MS09-072 is the vulnerability of Internet Explorer, which affects Microsoft Active Directory Federation Service (ADFS). In MS07-072, an active X control build with Microsoft Active Template Library (ATL) headers could allow advisory to execute remote code. The ATL vulnerability prompted an out-of-band release earlier this year from Microsoft. • MSB-MS09-072 • CVE-2009-3672 • OSVDB-50622 • BID-37085
  • 18. Experiment Google Aurora Attack 1: Start Logging On: 2011/05/30 23:13:54 2: Process ID:3652 3: MaxDepth 2 4: Process Name:Windows Internet Explorer 5: Filename:http://192.168.20.160:8080/qMoTNjaQzbNF 6: Function:JScript global code 7: window:DispHTMLWindow2:{...} 8: window.clientInformation:Object:{...} 9: --- snip --- 10: window.event:IHTMLEventObj:null 11: window.external:Object:{...} 12: window.frameElement:IHTMLFrameBase:null 13: window.window:DispHTMLWindow2:{...} 14: pNrDlDURxbASLo:Undefined:undefined 15: OEJkQgrKoGXtKSVTgyyRcGTmCnvRxUl:Undefined:undefined 16: CLLFyYpDX:Undefined:undefined Payload 17: HBohOxVqidZHilqXmLPfqaMYiv:Undefined:undefined 18: 5:var pNrDlDURxbASLo = '0c053e66...' 19: pNrDlDURxbASLo:String:"0c053e66..." 20: 6:var OEJkQgrKoGXtKSVTgyyRcGTmCnvRxUl = '' 21: OEJkQgrKoGXtKSVTgyyRcGTmCnvRxUl:String:"[s]" 22: 7:i = 0 23: i:Number:0 Anomaly Loop detected! 24: 7:i<pNrDlDURxbASLo.length 25: 8:OEJkQgrKoGXtKSVTgyyRcGTmCnvRxUl += Exploit or Heap spray? 26: String.fromCharCode 27: (parseInt(pNrDlDURxbASLo.substring(i, i+2), 16)) 28: OEJkQgrKoGXtKSVTgyyRcGTmCnvRxUl:String:"[s][s]" var n=unescape("%u0c0d%u0c0d"); 29: 7:i+=2 30: i:Number:2 while(n.length<=524288) n+=n; 31: 7:i<pNrDlDURxbASLo.length 32: 8:OEJkQgrKoGXtKSVTgyyRcGTmCnvRxUl += n=n.substring(0,524269-sc.length); 33: String.fromCharCode var x=new Array(); 34: (parseInt(pNrDlDURxbASLo.substring(i, i+2), 16)) 35: OEJkQgrKoGXtKSVTgyyRcGTmCnvRxUl:String:"[s][s][s]" for(var i=0;i<200;i++) {x[i]=n+sc;}
  • 19. Experiment MS09-072 1: Start Logging On: 2011/05/31 00:18:46 2: Process ID:688 3: MaxDepth 2 4: Process Name:Windows Internet Explorer 5: Filename:http://192.168.20.160:8080/1FysKckbN 6: Function:JScript - onload function 7: 20:sFsSfxRecSIXauNmBnB() 8: Function:sFsSfxRecSIXauNmBnB 9: DRBfZcPV:Undefined:undefined Payload? 10: AcHKfoIb:Undefined:undefined 14: 6:var DRBfZcPV = unescape 15: DRBfZcPV:Object:{...} 16: 7:var AcHKfoIb = DRBfZcPV('%u350d%ufc03%u747a%u4976%u2593%f9f%' ) 17: AcHKfoIb:String:"*******" 18: 8:var OSGwFEcn = 19: DRBfZcPV( "%"+"u"+"0"+"c"+"0"+"c"+"%u"+"0") 20: OSGwFEcn:String:"**" 21: 9:var pGgrrYDr = 20 + AcHKfoIb.length 22: pGgrrYDr:Number:520 23: 10:while (OSGwFEcn.length < pGgrrYDr) 24: 10:OSGwFEcn +=OSGwFEcn Anomaly loop detected! 25: OSGwFEcn:String:"****" 26: 10:while (OSGwFEcn.length < pGgrrYDr) Malicious code is scanning 27: 10:OSGwFEcn+=OSGwFEcn Memory … 28: OSGwFEcnn:String:"********" 29: 10:while (OSGwFEcn.length < pGgrrYDr) 30: 10:OSGwFEcn+=OSGwFEcn 31: OSGwFEcn:String:"******************" 32: 10:while (OSGwFEcn.length < pGgrrYDr) 33: 10:OSGwFEcn+=OSGwFEcn 34: OSGwFEcn:String:"**********************************"I
  • 20. Conclusion and further works Writing alternative Java Script debugger is exciting challenge! It works partly now. • Java Scripts are everywhere (including Android and Google App Engine) with the pervasive of JSON (RFC 4627) , JQuery (AJAX interface) and so on. • However and further work: there have not been striking probing (debugging) frames for tracing Java Script behavior. • In this paper we exploit the debugger extension of Microsoft Visual Studio 2010 (or later) debugging extension for tracking some famous Java Script exploitation dynamically. Extensibility for other operating systems and platforms • Windows OS is the shortest path to understand Java Script behavior. Windows OS has longer history and therefore more mature interfaces to probe Java Script Execution. Techniques we have obtained here could be applied for constructing probe modules for other systems such as Dalvik VM of Android because the Java Script behavior should be the same regardless of OS (platform) types. IT IS NOT ENOUGH :- Memory dump is necessary, eventually idea: anomaly loop detection of Java Script + active memory monitoring by DLL injection etc.