Blackhat USA 2007 (Presentation Material)

mark August 7th, 2007

Hi!

Well, we just arrived home from Las Vegas on Sunday after delivering our talk at Blackhat about breaking C++ applications. It seemed to be received pretty well. For anyone interested, the slides should be available on their website, but we have also archived them here.

Enjoy!

5 Responses to “Blackhat USA 2007 (Presentation Material)”

  1. saad r on 08 Aug 2007 at 1:50 am

    good stuff!

    have you ever considered security holes in object orientation in general? some examples from java would be overly extensible classes, classloader bootstrapping, etc.

    -s

  2. jm on 08 Aug 2007 at 11:10 am

    Saad! Wow, it's literally been like 10 years! Hope things find you well. :>

    If I'm reading your question right, then, no, we haven't personally done much original research into the issues that tend to affect object oriented code in the sort of mobile threat environment. Those kinds of issues are definitely pretty cool, as they can get pretty creative, but I can only recall a couple of auditing projects off-hand where those kinds of language/run-time level security controls were ultimately relevant to the overall system security. That said, I didn't do a whole lot of embedded / cell phone software review, and didn't encounter Java applets or similar client-side code very much in my travels.

    I'm trying to think of situations where I'm wrong, but all I can come up with is maybe QTJava, or maybe logic bugs related to the use of reflection based on user input in frameworks like struts.

    Anyway, last time I looked at this stuff, I found this database to have some really good Java-specific coverage:

    http://www.fortifysoftware.com/vulncat/

  3. forever.b0rked on 09 Aug 2007 at 8:00 pm

    Any chance we'll see similar material in the new edition of the book?

  4. mark on 09 Aug 2007 at 11:53 pm

    Assuming we get to do a 2nd edition, we will most certainly include this stuff (and more)

  5. jm on 22 Aug 2007 at 9:23 pm

    You're the one with the negative attitude; I'm the one with the negative memcpys.

    - Mark Dowd, Internet Hero
