The Art of Software Security Assessment

Browser Exploitation in Vista (PacSec 08 Speech)

mark November 25th, 2008

Two weeks ago I spoke at PacSec on browser exploitation in Vista. Although it was based on the talk Alex and I gave at BlackHat, there was some new material in this talk and a slightly different focus. Specifically, I targeted web languages (in particularly .NET and Java), and the implications these languages have on memory corruption-style exploits. Some of the topics covered include “Virtual Shellcode” (writing shellcode in a language such as Java rather than native code in order to bypass DEP), statically located DLLs in web pages (we covered this at blackhat), and overwriting native stubs in .NET. The slides are now available here for anyone who is interested.

Discussion

Permanent Link | Trackback URI | Comments RSS

The Book

This blog provides running commentary from Mark Dowd, John McDonald, and Justin Schuh, the authors of the book: The Art of Software Security Assessment. You can purchase a copy from Amazon, or directly from the publisher, Addison-Wesley, and peruse the sample chapter on C Language vulnerabilities.
Tags
- Errata (5)
- Discussion (31)
- Auditing (9)
  - Windows (6)
  - Unix (3)
  - C/C++ (9)
  - SQL (2)
  - Web (5)
- Spot the Vuln (2)
Archives
- July 2009 (2)
- November 2008 (2)
- October 2008 (1)
- August 2008 (2)
- June 2008 (1)
- May 2008 (1)
- April 2008 (2)
- February 2008 (2)
- January 2008 (2)
- August 2007 (1)
- July 2007 (1)
- April 2007 (1)
- February 2007 (6)
- January 2007 (6)
- December 2006 (13)

Continued ramblings on software security and code auditing

Browser Exploitation in Vista (PacSec 08 Speech)

Leave a Reply

The Book

Tags

Archives