Impressing Girls with Vista Memory Protection Bypasses
mark August 7th, 2008
Hi there,
Alex Sotirov and I are presenting at BlackHat USA today on bypassing the Windows Vista memory protections in the context of the web browser in a speech titled “How to Impress Girls with Browser Memory Protection Bypasses”. Specifically, we will be discussing how rich browser functionality can be utilized to help lessen the impact of memory protections (and in some cases, completely negate them). Some of the techniques we will be discussing are known ones, whereas others are new approaches that we haven’t seen discussed in public forums before.
We have written an extensive paper documenting how the various memory protections function, and how to break them. The paper that accompanies the speech is available here (we also have slides and code available). Some of the more interesting topic areas we will be covering include:
- “Stack Spraying”, an alternative method to heap spraying with some additional benefits
- Exploiting poor permissions, such as Java’s RWX memory allocator, and
- Utilizing .NET binaries to map data at an attacker-controlled memory location with arbitrary page protections applied to that data.
Finally, we did some field testing and found that this kind of research does occasionally impress girls, but ongoing research in this area is needed. Therefore, Alex and I will continue this research, starting right here in Vegas. :)
