Security Research Index
keeping up with the latest security research
CanSecWest
Mar 9-11, 2011
Black Box Auditing Adobe Shockwave
Aaron and Logan presented an overview of the work the ZDI team has done on reverse engineering the undocumented SmartHeap custom memory allocator in Adobe Shockwave. The talk was focused on the methodology for reversing a large code base with no symbols using dynamic analysis. They described the WinDBG extensions they've written in Python to automate the program analysis and inspect the SmartHeap heap in a way similar to the WinDBG !heap command. The most interesting technique in the talk was the use of function call histograms built using runtime tracing to identify the alloc, free and realloc functions.
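As an added illustration of the histogram technique (not the ZDI team's code), the following Python ranks functions from a constructed call trace by call count and votes on alloc/free/realloc roles by watching how returned pointers flow back into arguments; the sub_* names and the trace itself are hypothetical.

```python
from collections import Counter, defaultdict

def build_trace():
    """Constructed call trace of (callee, args, retval) records, in the shape a
    runtime tracer would log. The sub_* names are hypothetical placeholders."""
    trace, next_ptr = [], 0x10000
    for i in range(40):
        p, next_ptr = next_ptr, next_ptr + 0x40
        trace.append(("sub_401000", (32,), p))              # allocator
        if i % 4 == 0:
            q, next_ptr = next_ptr, next_ptr + 0x80
            trace.append(("sub_403000", (p, 128), q))       # reallocator
            p = q
        trace.append(("sub_405000", (p, 0, 32), p))         # memset-like helper
        trace.append(("sub_402000", (p,), 0))               # free
    trace.append(("sub_404000", (0x10000,), 1))             # rare consumer of a heap pointer
    return trace

def call_histogram(trace):
    """Count calls per function: the histogram used to rank candidates."""
    return Counter(callee for callee, _, _ in trace)

def classify_calls(trace):
    """Vote on a role per function from how heap pointers flow through each call."""
    returned = {ret for _, _, ret in trace if ret}
    consumed = {args[0] for _, args, _ in trace if args}
    heap_ptrs = returned & consumed        # values that flow from a return into an argument
    votes = defaultdict(Counter)
    for callee, args, ret in trace:
        takes = bool(args) and args[0] in heap_ptrs
        gives = ret in heap_ptrs
        if gives and not takes:
            kind = "alloc"
        elif takes and not gives:
            kind = "free"
        elif takes and gives and ret != args[0]:
            kind = "realloc"
        else:
            kind = "other"                 # e.g. a helper that returns its buffer argument
        votes[callee][kind] += 1
    return votes

def identify_heap_functions(trace, min_calls=10):
    """Most-called functions first; the first function voted into each role wins."""
    votes, roles = classify_calls(trace), {}
    for callee, count in call_histogram(trace).most_common():
        if count < min_calls:
            break
        kind = votes[callee].most_common(1)[0][0]
        if kind != "other":
            roles.setdefault(kind, callee)
    return roles
```

The min_calls threshold is what keeps a rarely called function that happens to touch a heap pointer (sub_404000 here) from being mistaken for free.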
SMS-o-Death: From Analyzing To Attacking Mobile Phones on a Large Scale
Nico and Collin fuzzed different models of feature phones (non-smartphones) by sending malformed SMS messages to them and discovered numerous vulnerabilities. Some of the bugs could be used to crash the phones or even brick them. Unfortunately, the presenters were not able to exploit any of them due to the difficulty of debugging the phone OSes. The talk focused not on the technical details of the vulnerabilities, but on the potential large scale attacks against network operators. For example, rebooting 10,000 phones at the same time would supposedly overload the operator network and could be used for extortion. Responding to these vulnerabilities is difficult, because most feature phones were not designed to be easily updated. In addition, the responsibility for servicing the customers' phones is often with the operators rather than the original manufacturers.
Runtime Firmware Integrity Verification: What Can Now Be Achieved
The Broadcom NetXtreme network adapter uses a MIPS CPU that can be monitored and single-stepped by the host. The presenters used this functionality to implement an Intrusion Prevention System (IPS) for this network adapter. They read the firmware image from the adapter memory at startup and single step the MIPS CPU, ensuring that the instructions executing match the original firmware. This allows them to detect potential exploitation of the network adapter and prevent execution from non-code segments. They also maintain a shadow stack and use it to prevent control flow modification. Their task is made easier by the fact that the Broadcom firmware does not contain any self-modifying code and does not use function pointers at all.
Despite the fact that they are single stepping the MIPS CPU and executing multiple checks on every instruction, their system achieves surprising performance. They reportedly achieve gigabit throughput using only one core of the host CPU for performing the verification. The effect of this system on network latency is unknown.
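To make the three checks concrete, here is an added, simplified model of such a single-step verifier in Python (not the presenters' code): a golden image check, a code-segment check and a shadow stack. Branch delay slots are ignored, so a call's return address is modelled as pc + 4; the addresses and instructions are constructed, not real Broadcom firmware.

```python
CODE_BASE, CODE_SIZE = 0x80000000, 0x1000   # hypothetical code segment

GOLDEN = {  # constructed firmware image: pc -> instruction tuple
    0x80000000: ("addiu", "sp,sp,-16"),
    0x80000004: ("jal", 0x80000100),
    0x80000008: ("lw", "ra,12(sp)"),
    0x8000000C: ("jr", "ra"),
    0x80000100: ("addiu", "v0,zero,1"),
    0x80000104: ("jr", "ra"),
}

class Verifier:
    def __init__(self, golden, base=CODE_BASE, size=CODE_SIZE):
        self.golden, self.base, self.size = golden, base, size
        self.shadow = []          # shadow stack of expected return addresses
        self.expect = None        # pc the next step must land on, after a return

    def step(self, pc, insn):
        """Check one single-stepped instruction; return None if OK, else a reason."""
        if self.expect is not None and pc != self.expect:
            return "return target %#x != shadow stack %#x" % (pc, self.expect)
        self.expect = None
        if not self.base <= pc < self.base + self.size:
            return "execution outside code segment at %#x" % pc
        if self.golden.get(pc) != insn:
            return "instruction at %#x differs from firmware image" % pc
        if insn[0] == "jal":
            self.shadow.append(pc + 4)       # simplified: no delay slot
        elif insn == ("jr", "ra"):
            if not self.shadow:
                return "return at %#x with empty shadow stack" % pc
            self.expect = self.shadow.pop()
        return None

def verify(trace, golden=GOLDEN):
    """Run a trace of (pc, insn) steps; return the first violation or None."""
    v = Verifier(golden)
    for pc, insn in trace:
        reason = v.step(pc, insn)
        if reason:
            return (pc, reason)
    return None

BENIGN = [(pc, GOLDEN[pc]) for pc in
          (0x80000000, 0x80000004, 0x80000100, 0x80000104, 0x80000008)]
# Overwritten return address: the callee returns somewhere other than 0x80000008.
HIJACKED = BENIGN[:4] + [(0x80000200, ("addiu", "v0,zero,1"))]
# Code patched in adapter memory: the callee's first instruction no longer matches.
PATCHED = BENIGN[:2] + [(0x80000100, ("lui", "t0,0xdead"))]
# Control transferred to an address outside the code segment.
OUTSIDE = BENIGN[:2] + [(0x80001400, ("nop",))]
```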
Welcome To Rootkit Country
Graeme targeted an under-studied class of devices -- enterprise-grade firewalls, routers, and UTMs -- in order to determine how difficult they would be to rootkit. He covered major vendors including Cisco, CheckPoint, Juniper, Watchguard, Fortinet, Sonicwall, and others. The goal in each case was to install custom firmware, bypassing any safeguards put in place by the vendor. The research did not focus on exploring the types of attacks that could be carried out by the rootkit code itself, but rather on the range of devices for which rootkitting would be possible. Perhaps unsurprisingly, some products had lax security mechanisms, including hardcoded passwords and no integrity checking on firmware images. Others used CRCs or required certain bytes or paths to conform to expected values. Ultimately, Graeme was able to get custom firmware running on all devices except the SonicWall. He concluded by pointing out that the Playstation 3 has better integrity protection than most firewall/UTM products.
iPhone and iPad Hacking
Ilja's presentation was a rapid-fire overview of the many security problems in third-party iPhone apps that result from the insecure design of the iOS APIs. The most interesting attack was a result of the way UIWebView controls render file formats such as XLS, PDF and RTF. These file formats are parsed and converted into HTML that is inserted directly into the DOM of the enclosing HTML. Any data escaping vulnerability in a file format parser can lead to XSS in the UIWebView control. Since many developers implement JavaScript-to-ObjC bridges for their UIWebView controls, an XSS vulnerability there would result in arbitrary code execution on the phone. Other vulnerabilities covered in the presentation included directory traversal bugs through NULL bytes in NSStrings, insecure ciphersuites in the default SSL implementation and a new technique for exploitation of format string vulnerabilities through the "%@" format specifier.
A Castle Made of Sand: Adobe Reader X Sandbox
Richard Johnson's talk was an overview of the Adobe Reader X sandbox and his approach to auditing it. He described the IPC mechanism that the renderer process uses to talk to the broker process and his implementation of a basic fuzzer for it. He presented the list of security-sensitive operations that the sandbox policy does not prevent, including opening network sockets, reading files and accessing the clipboard. His conclusion was that the sandbox in Adobe Reader X is good at preventing the installation of rootkits, but does nothing to prevent an attacker from stealing files from the system or pivoting to other systems on the internal network.
Understanding and Exploiting Flash ActionScript Vulnerabilities
Haifei Li's talk was a description of a new technique for exploiting type confusion vulnerabilities in the Flash ActionScript JIT engine. The JIT engine includes a bytecode verifier that ensures the type safety of the code before executing it. The talk focused on one particular vulnerability in the bytecode verifier (CVE-2010-3654) that allowed data of the wrong type to be passed to or returned from an ActionScript function. Haifei used the type confusion in the JIT engine to read memory from the process and exploit the vulnerability bypassing both DEP and ASLR.
Showing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
Dan, Adam and Mike used the same set of 100,000 test files to fuzz the versions of Microsoft Office, OpenOffice, Foxit and Adobe Reader released from 2003 up to the present day. Since each version of each application was fuzzed with the same test cases, this experiment was designed to compare the number of crashes across different versions. Their results showed that the number of fuzz crashes has been steadily decreasing over the years, indicating that the code quality of these applications is improving. Also, fuzzing still finds bugs.