An Interesting Mozilla Exploit

justin November 26th, 2008

The Frequency X blog has a writeup on a NULL pointer dereference bug I found a while ago in Firefox. I always find these types of bugs interesting because they require such unique approaches to getting code execution. If you’re similarly inclined, you can read the post and follow the details of the exploit process yourself.

Browser Exploitation in Vista (PacSec 08 Speech)

mark November 25th, 2008

Two weeks ago I spoke at PacSec on browser exploitation in Vista. Although it was based on the talk Alex and I gave at BlackHat, there was some new material in this talk and a slightly different focus. Specifically, I targeted web languages (in particular .NET and Java) and the implications these languages have for memory corruption-style exploits. Some of the topics covered include "Virtual Shellcode" (writing shellcode in a language such as Java rather than native code in order to bypass DEP), statically located DLLs in web pages (we covered this at BlackHat), and overwriting native stubs in .NET. The slides are now available here for anyone who is interested.

Bugs vs. Flaws

jm October 13th, 2008

We didn’t realize that we were terrible bloggers until it was far too late to do anything about it.

Effective blogging probably has many components, but I believe one of the key tactics is to state a controversial opinion that will necessarily highlight a point of conflict between two reasonably sized groups of people. (I believe you get bonus points if one of the groups of people is actually completely fictional. You get even more bonus points if the point of "conflict" is actually a subtle trick of language that causes a group of people that agree to argue with themselves.) If done artfully, this generally results in much Internet chaos, which I think we can all agree is a lot of fun for everyone.

So, besides being terribly lazy at times, we’re just not the most opinionated guys in the world. Personally, I think having only one opinion is just intellectually lazy, and that you should try to have at least three or four for any given issue. Mark’s opinions tend to center around vegemite, currency hedging strategies, and the extent to which using Hex-Rays makes you "suck at Internet." Justin’s opinions are classified and have to go through pre-pub review. So far, all we’ve gotten out of him is that he likes Batman. (I suspect this is because he actually *is* Batman, but that’s a topic for our next scheduled post in Q3 2009.)

Anyway, the point of this rambling preamble is three-fold:

1. Justin is probably Batman.

2. A page long preamble that doesn’t mention the point of the article is almost certainly not a technique of effective blogging.

3. I do have several strong opinions about software security and thought I’d give proper blogging a shot.
 
So, here goes. One of the things that offends my delicate sensitivities is this idea:

Software vulnerabilities can be divided into two classes: bugs and flaws. Roughly 50% of software vulnerabilities are bugs, and 50% are flaws.


BlackHat Slides

mark August 10th, 2008

Hi,

The link for the slides did not work in the last post, so, for those interested, you can get the slides here.

Impressing Girls with Vista Memory Protection Bypasses

mark August 7th, 2008

Hi there,

Alex Sotirov and I are presenting at BlackHat USA today on bypassing the Windows Vista memory protections in the context of the web browser in a speech titled "How to Impress Girls with Browser Memory Protection Bypasses". Specifically, we will be discussing how rich browser functionality can be utilized to help lessen the impact of memory protections (and in some cases, completely negate them). Some of the techniques we will be discussing are known ones, whereas others are new approaches that we haven’t seen discussed in public forums before.

We have written an extensive paper documenting how the various memory protections function, and how to break them. The paper that accompanies the speech is available here (we also have slides and code available). Some of the more interesting topic areas we will be covering include:
   
    - "Stack Spraying", an alternative method to heap spraying with some additional benefits
    - Exploiting poor permissions, such as Java’s RWX memory allocator, and
    - Utilizing .NET binaries to map data at an attacker-controlled memory location with arbitrary page protections applied to that data.

Finally, we did some field testing and found that this kind of research does occasionally impress girls, but ongoing research in this area is needed. Therefore, Alex and I will continue this research, starting right here in Vegas. :)

MJPEG Vulnerability

mark June 13th, 2008

I had intended to post a blog entry here concerning the MJPEG disclosure in the recent MS drop. This is basically one of the bugs John and I were alluding to at CanSecWest earlier this year when discussing vulnerabilities in Windows media software. However, one of the joys of working for an employer with a blog is that I have to contribute to it as well as this one. So, rather than repeat the same post twice, I will redirect you to my post on ISS's blog: http://blogs.iss.net/. (It is currently the second post from the top.)

Busy Busy

mark May 9th, 2008

I know the blog has been fairly quiet lately, but as you can see, I’ve been busy doing some Internet research.

CanSecWest Slides

mark April 22nd, 2008

Hey there,

As we mentioned a while ago on this blog, John and I presented at CanSecWest on finding vulnerabilities in Windows media software. We have uploaded the slides now to our website, and you can download them here.

Exploiting Flash Reliably

mark April 12th, 2008

Adobe released a patch recently for the Flash Player application that addresses several vulnerabilities, one of which I discovered. Although it initially seemed like the ability to exploit this bug was fairly limited, I found an interesting methodology that I was able to use to reliably exploit the bug. I have documented the details of it for interested readers here.

Enjoy!

CanSecWest - Vulnerability Class and Windows Media Presentation

mark February 26th, 2008

Hi there,

As Justin indicated in his last post, he and I will be delivering a "dojo" class on finding vulnerabilities in contemporary C/C++-based applications. We have really tried to focus on delivering fresh and interesting material on the subject, rather than just regurgitating the same old stuff you have heard 100 times before (although, admittedly, some of that stuff is necessary). Our goal is to create a class that will examine not only vulnerability classes, but the processes that you need to follow to find those spicy 0day bugs. The stuff I have put in has proven successful for me, and hopefully will give attendees insight into the practical application of vulnerability knowledge on high-value targets.

In other news, I am also giving a talk at CanSecWest with John McDonald on Windows Media stuff. Here, we are going to discuss the various media architectures prevalent on Windows OSs for developing both filters (codecs) and playback software. After touching on the architecture, we will discuss enumeration of attack surface and how to go about auditing media-based software (codecs in particular) for vulnerabilities. It turned out that due to time constraints (our speech is 1 hour), we will not be able to present all the material we have prepared in its entirety; however, we will probably leave all the content in the slides that get posted on the website.

Hope to see you all there!