SlideShare uma empresa Scribd logo

44 con slides (1)

G
geeksec80
Tecnologia
1 de 51
Baixar para ler offline
Browser Bug Hunting Memoirs of a last man standing Atte Kettunen (@attekett) OUSPG https://code.google.com/p/ouspg/
Picture by @dominic_sim
Started at OUSPG in summer 2011 First security bug from Chrome 2011-12 Since then ~100 Vulns ~60 Rewards 39 CVEs Atte Kettunen
Mozilla since 2004 - Sec-High/Critical $3,000 Google since 2010 - Typical security bugs $1,000-$3,133.7 - Possibility for bonus rewards ● PoC, exploit, awesomeness (Microsoft 2013 June 25 - July 25) Browser Bug Bounty Programs
Easy to get started - Lots of bugs o/ Helpful vendor security teams and supportive responses to first bug submissions Supportive (secretive/competitive) community of other bounty hunters Browser Bug Bounty Programs
● Use-after-free ○ DOM ○ CSS ○ Rendering ● Buffer-overflow ○ Media formats ○ Parsers ○ Decoders ○ Coordinates Where the bugs are
AddressSanitizer - global-buffer-overflow - READ of size 2 #0 nsCharTraits<unsigned short>::length() #1 nsAString_internal::Assign() . Repro-file: <link rel="stylesheet" href="data:text/css;charset=utf-16, p#two%1%7Bbackground-color%65535A%3B%7D% 0D%0A"/> Some bug - CVE-2012-4185 - Firefox
AddressSanitizer - heap-use-after-free - READ of size 2 #0 WebCore::nextBreakablePosition() #1 ...::RenderBlock::LineBreaker::nextLineBreak() . Repro-file: <html><body> <ruby> <q style="column-gap:2;">a </ruby> <cite style="word-break: break-all;">a <q style="text-transform:uppercase;">a <sup style="text-overflow:ellipsis;"> </body></html> Some bug - Regression - Chrome
==3213== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7f50cd6ffcf8 at pc 0x7f50dd159dde bp 0x7fff3e0accd0 sp 0x7fff3e0accc8 READ of size 2 at 0x7f50cd6ffcf8 thread T0 #0 0x7f.de in WebCore::CSSParser::lex(void*) ???:0 #1 0x7f.78 in cssyyparse(void*) ???:0 #2 0x7f.40 in WebCore::CSSParser::parseDeclaration() . Repro-file: <a style=top:-1px> Some bug - Regression - Chrome
Three golden rules: Hunting for living
Three golden rules: 1. Stay green Hunting for living
Three golden rules: 1. Stay green - Features Hunting for living
Three golden rules: 1. Stay green - Features 2. Stay green - Competition Hunting for living
Three golden rules: 1. Stay green - Features 2. Stay green - Competition 3. Stay green - Tools Hunting for living
1. Stay green - Features ● New features are published all the time ○ New code o/ ● Some changes are not highlighted ○ Minor updates to JavaScript API support etc. ● Old bugs fixed ○ New code o/ ● Old features can change ○ Prefixes disappear(-webkit,-moz), ○ Features can get disabled Hunting for living
1. Stay Green - Features ● Firefox Aurora - Release note: "Partial support for Web Audio, targeted at web developers for testing" (May 17, 2013) Hunting for living
2. Stay green - Competition ● Tools ○ Different approach -> Different bugs? ● Targets ○ Find new minefields ● Platforms ○ Different code on different platforms Hunting for living
2. Stay green - Competition @cevans: "@j00ru has melted polar ice with his PDF fuzzing on 9k cores." Hunting for living
3. Stay green - Tools ● Instrumentations ○ New instrumentation -> detect new issues ● Build environments ○ Broken builds @#!¤#... ● Fuzzers ○ New techniques Hunting for living
3. Stay green - Tools <Q>: WTF??? On Chromium startup: ==25254== ERROR: AddressSanitizer: global-buffer-overflow on address 0x000011d3dde5 at pc 0x5ab21a bp 0x7fff00659450 sp 0x7fff00659428 READ of size 10 at 0x000011d3dde5 thread T0 #0 0x5ab219 in __interceptor_memcmp _asan_rtl_ #1 0xa1edc08 in fillInUnixFile .../sqlite/amalgamation/sqlite3.c:28654 #2 0xa1efe7c in unixOpen .../sqlite/amalgamation/sqlite3.c:29294 <A>: Diff of /trunk/tools/build/scripts/slave/runtest.py: + # Avoid aggressive memcmp checks until http://crbug.com/178677 is fixed. + os.environ['ASAN_OPTIONS'] = 'strict_memcmp=0' Hunting for living
● Instrumentation ● Fuzzers ● Hardware/Infrastructure Tools
● Clang compiler plugin ● Adds instrumentation to check memory access at runtime ● Similar to Valgrind ● Only 2x slowdown ● Created at Google ● Used by Google & Mozilla ● Linux & OS X ● http://www.chromium.org/developers/testing/addresssanitizer AddressSanitizer
● Awesome with use-after-frees ● Very good for buffer-overflows and out of bounds access ● Good but confused with type confusions AddressSanitizer
==6==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000268d0 at pc 0x7f845771029f bp 0x7fff...2a0 sp 0x7fffc7eea298 READ of size 8 at 0x6070000268d0 thread T0 (chrome) #0 0x7f845771029e (... /asan-linux-release-209136/chrome+0x96f229e) #1 0x7f84576aacea (... /asan-linux-release-209136/chrome+0x968ccea) #2 0x7f8451ce00f3 (... /asan-linux-release-209136/chrome+0x3cc20f3) . 0x6070000268d0 is located 64 bytes inside of 72-byte region [0x607000026890,0x6070000268d8) freed by thread T19 (AudioOutputDevi) here: #0 0x7f844f58e101 (... /asan-linux-release-209136/chrome+0x1570101) #1 0x7f845887b5ec (... /asan-linux-release-209136/chrome+0xa85d5ec) . AddressSanitizer
==6==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000268d0 at pc 0x7f845771029f bp 0x7fff...2a0 sp 0x7fffc7eea298 READ of size 8 at 0x6070000268d0 thread T0 (chrome) #0 0x7f845771029e in WebCore::WaveShaperDSPKernel:: lazyInitializeOversampling(...) .../WebKit/Source/wtf/OwnPtr.h:138 #1 0x7.a in WebCore::WaveShaperProcessor::setOversample(...) ... /WebKit/Source/modules/webaudio/WaveShaperProcessor.cpp:70 . 0x6070000268d0 is located 64 bytes inside of 72-byte region [0x607000026890,0x6070000268d8) freed by thread T19 (AudioOutputDevi) here: #0 0x7.1 in operator delete(void*) _asan_rtl_ #1 0x7.c in WebCore::AudioDSPKernelProcessor::uninitialize() src/third_party/WebKit/Source/wtf/OwnPtrCommon.h:47 . AddressSanitizer
● Used to instrument binaries ● Redirects heap-related calls to own run- time library ● Currently only heap-instrumentation ● Chrome/Chromium only atm. ● About 3x Slowdown ● Windows only ● https://code.google.com/p/sawbuck/wiki/SyzyASanDesignDocument SyzyASan
SyzyASAN error: heap-buffer-overflow on address 0x0379D1A7 (stack_id=0x44CB69D7) READ of size 8 at 0x0379D000 #0 0x000068ef23be in (unknown) #1 0x000068f387f4 in (unknown) #2 0x000068eeb486 in (unknown) #3 0x000068e8add7 in (unknown) . . . SyzyASan
Bad access information: +0x000 alloc_stack : [62] 0x0f999970 Void +0x0f8 alloc_stack_size : 0x3c '<' +0x0fc alloc_tid : 0x14a8 +0x100 free_stack : [62] (null) +0x1f8 free_stack_size : 0 '' +0x1fc free_tid : 0 +0x200 error_type : 3 ( HEAP_BUFFER_OVERFLOW ) +0x204 access_mode : 0 ( ASAN_READ_ACCESS ) +0x208 access_size : 8 +0x20c shadow_info : [128] "06499E3F is 23 bytes beyond 384-byte block [06499CA8,06499E28)." +0x290 microseconds_since_free : 0 SyzyASan
Crash stack: chrome_dll!SkOpSegment::addTCoincident+0x18e chrome_dll!SkOpContour::calcCoincidentWinding+0x9f chrome_dll!CoincidenceCheck+0x3c chrome_dll!Op+0x26a . Allocation stack: asan_rtl!asan_HeapAlloc+0x48 chrome_dll!malloc+0x17 chrome_dll!realloc+0x15 chrome_dll!SkOpSegment::addT+0x9b chrome_dll!AddIntersectTs+0xceb chrome_dll!Op+0x244 SyzyASan
● Heap allocation monitoring for Windows ● No feedback - Only crash :( ● “Works” on Chrome/Chromium ● env: CHROME_ALLOCATOR="winheap" ● Enable Chrome error reporting -> minidumps ● Firewall Chrome( No free 0-days for Google ;) ) ● Debugging tools x86 Page-Heap
ExceptionAddress: 564a0cd7 (chrome_..!WebCore:: WaveShaperDSPKernel::lazyInitializeOversampling+0x0...06) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000000 Parameter[1]: 27261fe4 Attempt to read from address 27261fe4 . STACK_TEXT: chrome_...!WebCore::WaveShaperDSPKernel:: lazyInitializeOversampling+0x6 [... webkitsourcemoduleswebaudiowaveshaperdspkernel.cpp @ 53] chrome_...!WebCore::WaveShaperProcessor::setOversample+0x29 . APPLICATION_FAULT_INVALID_POINTER_READ_chrome!WebCore:: WaveShaperDSPKernel::lazyInitializeOversampling+6 Dump-analysis
● Dumb fuzzing ○ Yes, still works ○ Yes, you can still find bugs with bit-flipping of image-files ● Smart fuzzing ○ Finds bugs fast but runs out of bugs faster. :( Fuzzers
Dumb fuzzing ● Radamsa || Surku o/ ○ https://code.google.com/p/ouspg/ ● Mutate old repros ( find ./src/ -type d -name *crashtest* | xargs ls; ) ● Collect winnings Fuzzers
Smart fuzzing ● W3C/MDN(/MSDN) ● Again stay green ● Most of the JavaScript APIs in browsers are really similar ● Some of the public tools have the logic in them already ● W3C spec + grep + sed = $$$ Fuzzers
Smart fuzzing WebAudio API - PannerNode - Specification interface PannerNode : AudioNode { void setPosition(double x, double y, double z); void setOrientation(double x, double y, double z); void setVelocity(double x, double y, double z); attribute double refDistance; attribute double maxDistance; attribute double rolloffFactor; }; Fuzzers
Smart fuzzing 2D Canvas API - Specification // rects void clearRect(unrestricted double x, unrestricted double y, unrestricted double w, unrestricted double h); void fillRect(unrestricted double x, unrestricted double y, unrestricted double w, unrestricted double h); // shadows attribute unrestricted double shadowOffsetX; // (default 0) attribute unrestricted double shadowOffsetY; // (default 0) attribute unrestricted double shadowBlur; // (default 0) Fuzzers
Individuals: ● Physical machines -> sysadmining <3 ● SSD <3 ● RAM++ ● Vicious cycle of Bug->Bounty->New HW->Bug->Bounty... Hardware/Infrastructure
8x Dual Core CPU, 2GB ram, USB-stick, aka. Badgers OUSPG - 2011
University HW: Badgers 6x Quad core AMD A10, 16GB ram, SSD 6x Dual Dual Core AMD antique, 8GB, 10k rpm BYOD: 4x Quad core i7-3770K, 16GB ram, SSD And additional 30+ cores misc hardware with 133.7+ GB of ram and bunch of SSDs OUSPG - 2013
OUSPG - 2013
ClusterFuzz aka. CF ● Google fuzzing cluster ● 2012 - ○ 6000 Chrome instances ○ 50m+ test cases per day ○ Plans for quadrupling at that time ● ASAN, multiple fuzzers, minimization, regression ranges, verify fixes, dupes & dupes & dupes... Hardware/Infrastructure
“cluster-fuzz is a soulless bug hunting machine. It has no want or need for your gratitude. It lives only to feed on bugs.” ClusterFuzz
● 12 machines running 24/7 ● ~50 cores, ~133.7GB of RAM ● approx. 20m test cases per day ● 19 file-formats ● git, scp, auto-update, auto-minimize ● Radamsa and ... My stuff
● Browser fuzzer harness ● Written in JavaScript ( Node.js ) ● Linux, Windows, OS X ● Test case generators and instrumentations loaded as modules ● Uses WebSockets for test case injection to browser ● Stable - https://code.google.com/p/ouspg/downloads/list ● Trunkish - https://github.com/attekett/NodeFuzz NodeFuzz
Requirements: Google Chrome installed $ sudo apt-get install nodejs $ git clone https://github.com/attekett/NodeFuzz.git $ cd NodeFuzz $ npm install $ vim config.js #Optional $ node nodefuzz.js NodeFuzz - Setup - Ubuntu
● Fairly new JS API (Chrome 2011, FF 2013) ● "The API has been designed to allow modular routing.(UAF) Basic audio operations are performed by audio nodes that are linked together to form an audio routing graphs.(UAF/BOF) Inside a same context, several sources are supported, with different kind of channel layout.(UAF/BOF) This modular design allows for great flexibility and for the creation of complex audio functions and of dynamic effects. (BOF)" - MDN NodeFuzz - module - WebAudio
Bugs found: ● Chrome - 4 UAF, 3 BOF ● Firefox - 1 UAF, 8 BOF NodeFuzz - module - WebAudio
CVE-2013-0879 - Chrome - BOF <script> try{var context= new webkitAudioContext()}catch(e){} try{var oscillator= context.createOscillator()}catch(e){} try{oscillator.start(0.701,0.7,0.7)}catch(e){} setInterval(function(){ try{oscillator.connect(context.destination);}catch(e){} },4) try{oscillator.stop(0.70)}catch(e){} </script> NodeFuzz - module - WebAudio
CVE-2013-2845 - Chrome - UAF <script> var Context0= new webkitAudioContext() var Analyser0=Context0.createAnalyser(); var WaveShaper0=Context0.createWaveShaper(); var Convolver3=Context0.createConvolver(); Analyser0.connect(WaveShaper0); WaveShaper0.connect(Context0.destination); Convolver3.connect(Analyser0); setInterval(function(){ Analyser0.disconnect(); },4) </script> NodeFuzz - module - WebAudio
DEMO!!! && Q&A

Recomendados

Hardware Open Source
Hardware Open SourceHardware Open Source
Hardware Open Source
Tiago Maluta
 
CUDA lab's slides of "parallel programming" course
CUDA lab's slides of "parallel programming" courseCUDA lab's slides of "parallel programming" course
CUDA lab's slides of "parallel programming" course
Shuai Yuan
 
Segmentation Faults, Page Faults, Processes, Threads, and Tasks
Segmentation Faults, Page Faults, Processes, Threads, and TasksSegmentation Faults, Page Faults, Processes, Threads, and Tasks
Segmentation Faults, Page Faults, Processes, Threads, and Tasks
David Evans
 
Maker Movement
Maker MovementMaker Movement
Maker Movement
Jingfeng Liu
 
Ganeti - build your own cloud
Ganeti - build your own cloudGaneti - build your own cloud
Ganeti - build your own cloud
Dobrica Pavlinušić
 
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Anne Nicolas
 
Ищем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре LinuxИщем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре Linux
Positive Hack Days
 
Arduino and the real time web
Arduino and the real time webArduino and the real time web
Arduino and the real time web
Andrew Fisher
 

Recomendados

Hardware Open Source
Hardware Open SourceHardware Open Source
Hardware Open Source
Tiago Maluta
 
CUDA lab's slides of "parallel programming" course
CUDA lab's slides of "parallel programming" courseCUDA lab's slides of "parallel programming" course
CUDA lab's slides of "parallel programming" course
Shuai Yuan
 
Segmentation Faults, Page Faults, Processes, Threads, and Tasks
Segmentation Faults, Page Faults, Processes, Threads, and TasksSegmentation Faults, Page Faults, Processes, Threads, and Tasks
Segmentation Faults, Page Faults, Processes, Threads, and Tasks
David Evans
 
Maker Movement
Maker MovementMaker Movement
Maker Movement
Jingfeng Liu
 
Ganeti - build your own cloud
Ganeti - build your own cloudGaneti - build your own cloud
Ganeti - build your own cloud
Dobrica Pavlinušić
 
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Anne Nicolas
 
Ищем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре LinuxИщем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре Linux
Positive Hack Days
 
Arduino and the real time web
Arduino and the real time webArduino and the real time web
Arduino and the real time web
Andrew Fisher
 
コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜
コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜
コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜
Retrieva inc.
 
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
Area41
 
DEF CON 27 - workshop - GUILLAUME ROSS - defending environments and hunting m...
DEF CON 27 - workshop - GUILLAUME ROSS - defending environments and hunting m...DEF CON 27 - workshop - GUILLAUME ROSS - defending environments and hunting m...
DEF CON 27 - workshop - GUILLAUME ROSS - defending environments and hunting m...
Felipe Prado
 
Scratch pcduino
Scratch pcduinoScratch pcduino
Scratch pcduino
Jingfeng Liu
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis
Moabi.com
 
Build your own private blockchain based on ethereum
Build your own private blockchain based on ethereumBuild your own private blockchain based on ethereum
Build your own private blockchain based on ethereum
Mehran Pourvahab
 
Countering Innovative Sandbox Evasion Techniques Used by Malware
Countering Innovative Sandbox Evasion Techniques Used by MalwareCountering Innovative Sandbox Evasion Techniques Used by Malware
Countering Innovative Sandbox Evasion Techniques Used by Malware
Tyler Borosavage
 
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NoSuchCon
 
[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practical[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practical
Moabi.com
 
syzbot and the tale of million kernel bugs
syzbot and the tale of million kernel bugssyzbot and the tale of million kernel bugs
syzbot and the tale of million kernel bugs
Dmitry Vyukov
 
Hardware backdooring is practical : slides
Hardware backdooring is practical : slidesHardware backdooring is practical : slides
Hardware backdooring is practical : slides
Moabi.com
 
Digging for Android Kernel Bugs
Digging for Android Kernel BugsDigging for Android Kernel Bugs
Digging for Android Kernel Bugs
Jiahong Fang
 
[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler Collection[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler Collection
Moabi.com
 
A (Mis-) Guided Tour of the Web Audio API
A (Mis-) Guided Tour of the Web Audio APIA (Mis-) Guided Tour of the Web Audio API
A (Mis-) Guided Tour of the Web Audio API
Edward B. Rockower
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
DefconRussia
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesDebugging linux kernel tools and techniques
Debugging linux kernel tools and techniques
Satpal Parmar
 
Gnu linux on arm for $50 - $100
Gnu linux on arm for $50 - $100Gnu linux on arm for $50 - $100
Gnu linux on arm for $50 - $100
Dobrica Pavlinušić
 
iCloud keychain
iCloud keychainiCloud keychain
iCloud keychain
Alexey Troshichev
 
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary dataKernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Anne Nicolas
 
Device tree
Device treeDevice tree
Device tree
Rouyun Pan
 
ppeeeee
ppeeeeeppeeeee
ppeeeee
jimena vega
 
Find and work with your technical cofounder
Find and work with your technical cofounderFind and work with your technical cofounder
Find and work with your technical cofounder
Daniel Jarjoura
 

Mais conteúdo relacionado

Mais procurados

hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
Area41
 
Countering Innovative Sandbox Evasion Techniques Used by Malware
Countering Innovative Sandbox Evasion Techniques Used by MalwareCountering Innovative Sandbox Evasion Techniques Used by Malware
Countering Innovative Sandbox Evasion Techniques Used by Malware
Tyler Borosavage
 
[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practical[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practical
Moabi.com
 
Hardware backdooring is practical : slides
Hardware backdooring is practical : slidesHardware backdooring is practical : slides
Hardware backdooring is practical : slides
Moabi.com
 
[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler Collection[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler Collection
Moabi.com
 
A (Mis-) Guided Tour of the Web Audio API
A (Mis-) Guided Tour of the Web Audio APIA (Mis-) Guided Tour of the Web Audio API
A (Mis-) Guided Tour of the Web Audio API
Edward B. Rockower
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
DefconRussia
 
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary dataKernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Anne Nicolas
 

Mais procurados (20)

コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜
コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜
コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜
 
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
 
DEF CON 27 - workshop - GUILLAUME ROSS - defending environments and hunting m...
DEF CON 27 - workshop - GUILLAUME ROSS - defending environments and hunting m...DEF CON 27 - workshop - GUILLAUME ROSS - defending environments and hunting m...
DEF CON 27 - workshop - GUILLAUME ROSS - defending environments and hunting m...
 
Scratch pcduino
Scratch pcduinoScratch pcduino
Scratch pcduino
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis
 
Build your own private blockchain based on ethereum
Build your own private blockchain based on ethereumBuild your own private blockchain based on ethereum
Build your own private blockchain based on ethereum
 
Countering Innovative Sandbox Evasion Techniques Used by Malware
Countering Innovative Sandbox Evasion Techniques Used by MalwareCountering Innovative Sandbox Evasion Techniques Used by Malware
Countering Innovative Sandbox Evasion Techniques Used by Malware
 
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
 
[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practical[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practical
 
syzbot and the tale of million kernel bugs
syzbot and the tale of million kernel bugssyzbot and the tale of million kernel bugs
syzbot and the tale of million kernel bugs
 
Hardware backdooring is practical : slides
Hardware backdooring is practical : slidesHardware backdooring is practical : slides
Hardware backdooring is practical : slides
 
Digging for Android Kernel Bugs
Digging for Android Kernel BugsDigging for Android Kernel Bugs
Digging for Android Kernel Bugs
 
[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler Collection[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler Collection
 
A (Mis-) Guided Tour of the Web Audio API
A (Mis-) Guided Tour of the Web Audio APIA (Mis-) Guided Tour of the Web Audio API
A (Mis-) Guided Tour of the Web Audio API
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesDebugging linux kernel tools and techniques
Debugging linux kernel tools and techniques
 
Gnu linux on arm for $50 - $100
Gnu linux on arm for $50 - $100Gnu linux on arm for $50 - $100
Gnu linux on arm for $50 - $100
 
iCloud keychain
iCloud keychainiCloud keychain
iCloud keychain
 
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary dataKernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
 
Device tree
Device treeDevice tree
Device tree
 

Destaque

Mental health ppt.
Mental health ppt.Mental health ppt.
Mental health ppt.
gusto80
 
Understanding Mental Health and Mental Illness
Understanding Mental Health and Mental IllnessUnderstanding Mental Health and Mental Illness
Understanding Mental Health and Mental Illness
TeenMentalHealth.org
 

Destaque (7)

ppeeeee
ppeeeeeppeeeee
ppeeeee
 
Find and work with your technical cofounder
Find and work with your technical cofounderFind and work with your technical cofounder
Find and work with your technical cofounder
 
The work environment
The work environmentThe work environment
The work environment
 
Mental health
Mental healthMental health
Mental health
 
Mental health ppt.
Mental health ppt.Mental health ppt.
Mental health ppt.
 
Mental Math Strategies for Grade 3
Mental Math Strategies for Grade 3Mental Math Strategies for Grade 3
Mental Math Strategies for Grade 3
 
Understanding Mental Health and Mental Illness
Understanding Mental Health and Mental IllnessUnderstanding Mental Health and Mental Illness
Understanding Mental Health and Mental Illness
 

Semelhante a 44 con slides (1)

44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON
 
Kettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in styleKettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in style
DefconRussia
 
Why kernelspace sucks?
Why kernelspace sucks?Why kernelspace sucks?
Why kernelspace sucks?
OpenFest team
 
Molecular Shape Searching on GPUs: A Brave New World
Molecular Shape Searching on GPUs: A Brave New WorldMolecular Shape Searching on GPUs: A Brave New World
Molecular Shape Searching on GPUs: A Brave New World
Can Ozdoruk
 
mloc.js 2014 - JavaScript and the browser as a platform for game development
mloc.js 2014 - JavaScript and the browser as a platform for game developmentmloc.js 2014 - JavaScript and the browser as a platform for game development
mloc.js 2014 - JavaScript and the browser as a platform for game development
David Galeano
 
C# Production Debugging Made Easy
C# Production Debugging Made Easy C# Production Debugging Made Easy
C# Production Debugging Made Easy
Alon Fliess
 
Building Android for the Cloud: Android as a Server (Mobile World Congress 2014)
Building Android for the Cloud: Android as a Server (Mobile World Congress 2014)Building Android for the Cloud: Android as a Server (Mobile World Congress 2014)
Building Android for the Cloud: Android as a Server (Mobile World Congress 2014)
Ron Munitz
 
Building android for the Cloud: Android as a Server (AnDevConBoston 2014)
Building android for the Cloud: Android as a Server (AnDevConBoston 2014)Building android for the Cloud: Android as a Server (AnDevConBoston 2014)
Building android for the Cloud: Android as a Server (AnDevConBoston 2014)
Ron Munitz
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
Peter Hlavaty
 
Electron
ElectronElectron
Electron
ITCP Community
 

Semelhante a 44 con slides (1) (20)

44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
 
Kettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in styleKettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in style
 
Why kernelspace sucks?
Why kernelspace sucks?Why kernelspace sucks?
Why kernelspace sucks?
 
Programar para GPUs
Programar para GPUsProgramar para GPUs
Programar para GPUs
 
Molecular Shape Searching on GPUs: A Brave New World
Molecular Shape Searching on GPUs: A Brave New WorldMolecular Shape Searching on GPUs: A Brave New World
Molecular Shape Searching on GPUs: A Brave New World
 
mloc.js 2014 - JavaScript and the browser as a platform for game development
mloc.js 2014 - JavaScript and the browser as a platform for game developmentmloc.js 2014 - JavaScript and the browser as a platform for game development
mloc.js 2014 - JavaScript and the browser as a platform for game development
 
Why use JavaScript in Hardware? GoTo Conf - Berlin
Why use JavaScript in Hardware? GoTo Conf - Berlin Why use JavaScript in Hardware? GoTo Conf - Berlin
Why use JavaScript in Hardware? GoTo Conf - Berlin
 
NSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNSC #2 - Challenge Solution
NSC #2 - Challenge Solution
 
A million ways to provision embedded linux devices
A million ways to provision embedded linux devicesA million ways to provision embedded linux devices
A million ways to provision embedded linux devices
 
Bringing up Android on your favorite X86 Workstation or VM (AnDevCon Boston, ...
Bringing up Android on your favorite X86 Workstation or VM (AnDevCon Boston, ...Bringing up Android on your favorite X86 Workstation or VM (AnDevCon Boston, ...
Bringing up Android on your favorite X86 Workstation or VM (AnDevCon Boston, ...
 
Introduction to Docker (as presented at December 2013 Global Hackathon)
Introduction to Docker (as presented at December 2013 Global Hackathon)Introduction to Docker (as presented at December 2013 Global Hackathon)
Introduction to Docker (as presented at December 2013 Global Hackathon)
 
C# Production Debugging Made Easy
C# Production Debugging Made Easy C# Production Debugging Made Easy
C# Production Debugging Made Easy
 
Building Android for the Cloud: Android as a Server (Mobile World Congress 2014)
Building Android for the Cloud: Android as a Server (Mobile World Congress 2014)Building Android for the Cloud: Android as a Server (Mobile World Congress 2014)
Building Android for the Cloud: Android as a Server (Mobile World Congress 2014)
 
Building android for the Cloud: Android as a Server (AnDevConBoston 2014)
Building android for the Cloud: Android as a Server (AnDevConBoston 2014)Building android for the Cloud: Android as a Server (AnDevConBoston 2014)
Building android for the Cloud: Android as a Server (AnDevConBoston 2014)
 
Exploring the Internet of Things Using Ruby
Exploring the Internet of Things Using RubyExploring the Internet of Things Using Ruby
Exploring the Internet of Things Using Ruby
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
 
Node azure
Node azureNode azure
Node azure
 
DevOpSec_DockerNPodMan-20230220.pdf
DevOpSec_DockerNPodMan-20230220.pdfDevOpSec_DockerNPodMan-20230220.pdf
DevOpSec_DockerNPodMan-20230220.pdf
 
Electron
ElectronElectron
Electron
 
Docker Introduction, and what's new in 0.9 — Docker Palo Alto at RelateIQ
Docker Introduction, and what's new in 0.9 — Docker Palo Alto at RelateIQDocker Introduction, and what's new in 0.9 — Docker Palo Alto at RelateIQ
Docker Introduction, and what's new in 0.9 — Docker Palo Alto at RelateIQ
 

Mais de geeksec80

Sipoc diagram (1)
Sipoc diagram (1)Sipoc diagram (1)
Sipoc diagram (1)
geeksec80
 
Sipoc diagram (1)
Sipoc diagram (1)Sipoc diagram (1)
Sipoc diagram (1)
geeksec80
 
Sipoc diagram
Sipoc diagramSipoc diagram
Sipoc diagram
geeksec80
 
Python arsenal for re (1)
Python arsenal for re (1)Python arsenal for re (1)
Python arsenal for re (1)
geeksec80
 
Python arsenal for re
Python arsenal for rePython arsenal for re
Python arsenal for re
geeksec80
 
02 banking trojans-thomassiebert
02 banking trojans-thomassiebert02 banking trojans-thomassiebert
02 banking trojans-thomassiebert
geeksec80
 
44 con slides
44 con slides44 con slides
44 con slides
geeksec80
 
Rpc调试通用
Rpc调试通用Rpc调试通用
Rpc调试通用
geeksec80
 
Bh us 11_tsai_pan_weapons_targeted_attack_wp
Bh us 11_tsai_pan_weapons_targeted_attack_wpBh us 11_tsai_pan_weapons_targeted_attack_wp
Bh us 11_tsai_pan_weapons_targeted_attack_wp
geeksec80
 
Taking browsers fuzzing new
Taking browsers fuzzing newTaking browsers fuzzing new
Taking browsers fuzzing new
geeksec80
 
529 owasp top 10 2013 - rc1[1]
529 owasp top 10 2013 - rc1[1]529 owasp top 10 2013 - rc1[1]
529 owasp top 10 2013 - rc1[1]
geeksec80
 
Deep sec 2012_rosario_valotta_-_taking_browsers_fuzzing_to_the_next_(dom)_level
Deep sec 2012_rosario_valotta_-_taking_browsers_fuzzing_to_the_next_(dom)_levelDeep sec 2012_rosario_valotta_-_taking_browsers_fuzzing_to_the_next_(dom)_level
Deep sec 2012_rosario_valotta_-_taking_browsers_fuzzing_to_the_next_(dom)_level
geeksec80
 
2012 04-16-ultrasurf-analysis (2)
2012 04-16-ultrasurf-analysis (2)2012 04-16-ultrasurf-analysis (2)
2012 04-16-ultrasurf-analysis (2)
geeksec80
 
12058 woot13-kholia
12058 woot13-kholia12058 woot13-kholia
12058 woot13-kholia
geeksec80
 
Https interception proxies
Https interception proxiesHttps interception proxies
Https interception proxies
geeksec80
 
Introduction to ida python
Introduction to ida pythonIntroduction to ida python
Introduction to ida python
geeksec80
 
Automated antlr tree walker
Automated antlr tree walkerAutomated antlr tree walker
Automated antlr tree walker
geeksec80
 

Mais de geeksec80 (19)

Sipoc diagram (1)
Sipoc diagram (1)Sipoc diagram (1)
Sipoc diagram (1)
 
Sipoc diagram (1)
Sipoc diagram (1)Sipoc diagram (1)
Sipoc diagram (1)
 
Sipoc diagram
Sipoc diagramSipoc diagram
Sipoc diagram
 
Python arsenal for re (1)
Python arsenal for re (1)Python arsenal for re (1)
Python arsenal for re (1)
 
Python arsenal for re
Python arsenal for rePython arsenal for re
Python arsenal for re
 
02 banking trojans-thomassiebert
02 banking trojans-thomassiebert02 banking trojans-thomassiebert
02 banking trojans-thomassiebert
 
44 con slides
44 con slides44 con slides
44 con slides
 
Fuzz nt
Fuzz ntFuzz nt
Fuzz nt
 
Rpc调试通用
Rpc调试通用Rpc调试通用
Rpc调试通用
 
Bh us 11_tsai_pan_weapons_targeted_attack_wp
Bh us 11_tsai_pan_weapons_targeted_attack_wpBh us 11_tsai_pan_weapons_targeted_attack_wp
Bh us 11_tsai_pan_weapons_targeted_attack_wp
 
Taking browsers fuzzing new
Taking browsers fuzzing newTaking browsers fuzzing new
Taking browsers fuzzing new
 
529 owasp top 10 2013 - rc1[1]
529 owasp top 10 2013 - rc1[1]529 owasp top 10 2013 - rc1[1]
529 owasp top 10 2013 - rc1[1]
 
Deep sec 2012_rosario_valotta_-_taking_browsers_fuzzing_to_the_next_(dom)_level
Deep sec 2012_rosario_valotta_-_taking_browsers_fuzzing_to_the_next_(dom)_levelDeep sec 2012_rosario_valotta_-_taking_browsers_fuzzing_to_the_next_(dom)_level
Deep sec 2012_rosario_valotta_-_taking_browsers_fuzzing_to_the_next_(dom)_level
 
2012 04-16-ultrasurf-analysis (2)
2012 04-16-ultrasurf-analysis (2)2012 04-16-ultrasurf-analysis (2)
2012 04-16-ultrasurf-analysis (2)
 
12058 woot13-kholia
12058 woot13-kholia12058 woot13-kholia
12058 woot13-kholia
 
Https interception proxies
Https interception proxiesHttps interception proxies
Https interception proxies
 
Taint scope
Taint scopeTaint scope
Taint scope
 
Introduction to ida python
Introduction to ida pythonIntroduction to ida python
Introduction to ida python
 
Automated antlr tree walker
Automated antlr tree walkerAutomated antlr tree walker
Automated antlr tree walker
 

Último

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 

Último (20)

AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 

44 con slides (1)

  • 1. Browser Bug Hunting Memoirs of a last man standing Atte Kettunen (@attekett) OUSPG https://code.google.com/p/ouspg/
  • 3. Started at OUSPG in summer 2011 First security bug from Chrome 2011-12 Since then ~100 Vulns ~60 Rewards 39 CVEs Atte Kettunen
  • 4. Mozilla since 2004 - Sec-High/Critical $3,000 Google since 2010 - Typical security bugs $1,000-$3,133.7 - Possibility for bonus rewards ● PoC, exploit, awesomeness (Microsoft 2013 June 25 - July 25) Browser Bug Bounty Programs
  • 5. Easy to get started - Lots of bugs o/ Helpful vendor security teams and supportive responses to first bug submissions Supportive (secretive/competitive) community of other bounty hunters Browser Bug Bounty Programs
  • 6. ● Use-after-free ○ DOM ○ CSS ○ Rendering ● Buffer-overflow ○ Media formats ○ Parsers ○ Decoders ○ Coordinates Where the bugs are
  • 7. AddressSanitizer - global-buffer-overflow - READ of size 2 #0 nsCharTraits<unsigned short>::length() #1 nsAString_internal::Assign() . Repro-file: <link rel="stylesheet" href="data:text/css;charset=utf-16, p#two%1%7Bbackground-color%65535A%3B%7D% 0D%0A"/> Some bug - CVE-2012-4185 - Firefox
  • 8. AddressSanitizer - heap-use-after-free - READ of size 2 #0 WebCore::nextBreakablePosition() #1 ...::RenderBlock::LineBreaker::nextLineBreak() . Repro-file: <html><body> <ruby> <q style="column-gap:2;">a </ruby> <cite style="word-break: break-all;">a <q style="text-transform:uppercase;">a <sup style="text-overflow:ellipsis;"> </body></html> Some bug - Regression - Chrome
  • 9. ==3213== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7f50cd6ffcf8 at pc 0x7f50dd159dde bp 0x7fff3e0accd0 sp 0x7fff3e0accc8 READ of size 2 at 0x7f50cd6ffcf8 thread T0 #0 0x7f.de in WebCore::CSSParser::lex(void*) ???:0 #1 0x7f.78 in cssyyparse(void*) ???:0 #2 0x7f.40 in WebCore::CSSParser::parseDeclaration() . Repro-file: <a style=top:-1px> Some bug - Regression - Chrome
  • 11. Three golden rules: 1. Stay green Hunting for living
  • 12. Three golden rules: 1. Stay green - Features Hunting for living
  • 13. Three golden rules: 1. Stay green - Features 2. Stay green - Competition Hunting for living
  • 14. Three golden rules: 1. Stay green - Features 2. Stay green - Competition 3. Stay green - Tools Hunting for living
  • 15. 1. Stay green - Features ● New features are published all the time ○ New code o/ ● Some changes are not highlighted ○ Minor updates to JavaScript API support etc. ● Old bugs fixed ○ New code o/ ● Old features can change ○ Prefixes disappear(-webkit,-moz), ○ Features can get disabled Hunting for living
  • 16. 1. Stay Green - Features ● Firefox Aurora - Release note: "Partial support for Web Audio, targeted at web developers for testing" (May 17, 2013) Hunting for living
  • 17. 2. Stay green - Competition ● Tools ○ Different approach -> Different bugs? ● Targets ○ Find new minefields ● Platforms ○ Different code on different platforms Hunting for living
  • 18. 2. Stay green - Competition @cevans: "@j00ru has melted polar ice with his PDF fuzzing on 9k cores." Hunting for living
  • 19. 3. Stay green - Tools ● Instrumentations ○ New instrumentation -> detect new issues ● Build environments ○ Broken builds @#!¤#... ● Fuzzers ○ New techniques Hunting for living
  • 20. 3. Stay green - Tools <Q>: WTF??? On Chromium startup: ==25254== ERROR: AddressSanitizer: global-buffer-overflow on address 0x000011d3dde5 at pc 0x5ab21a bp 0x7fff00659450 sp 0x7fff00659428 READ of size 10 at 0x000011d3dde5 thread T0 #0 0x5ab219 in __interceptor_memcmp _asan_rtl_ #1 0xa1edc08 in fillInUnixFile .../sqlite/amalgamation/sqlite3.c:28654 #2 0xa1efe7c in unixOpen .../sqlite/amalgamation/sqlite3.c:29294 <A>: Diff of /trunk/tools/build/scripts/slave/runtest.py: + # Avoid aggressive memcmp checks until http://crbug.com/178677 is fixed. + os.environ['ASAN_OPTIONS'] = 'strict_memcmp=0' Hunting for living
  • 21. ● Instrumentation ● Fuzzers ● Hardware/Infrastructure Tools
  • 22. ● Clang compiler plugin ● Adds instrumentation to check memory access at runtime ● Similar to Valgrind ● Only 2x slowdown ● Created at Google ● Used by Google & Mozilla ● Linux & OS X ● http://www.chromium.org/developers/testing/addresssanitizer AddressSanitizer
  • 23. ● Awesome with use-after-frees ● Very good for buffer-overflows and out of bounds access ● Good but confused with type confusions AddressSanitizer
  • 24. ==6==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000268d0 at pc 0x7f845771029f bp 0x7fff...2a0 sp 0x7fffc7eea298 READ of size 8 at 0x6070000268d0 thread T0 (chrome) #0 0x7f845771029e (... /asan-linux-release-209136/chrome+0x96f229e) #1 0x7f84576aacea (... /asan-linux-release-209136/chrome+0x968ccea) #2 0x7f8451ce00f3 (... /asan-linux-release-209136/chrome+0x3cc20f3) . 0x6070000268d0 is located 64 bytes inside of 72-byte region [0x607000026890,0x6070000268d8) freed by thread T19 (AudioOutputDevi) here: #0 0x7f844f58e101 (... /asan-linux-release-209136/chrome+0x1570101) #1 0x7f845887b5ec (... /asan-linux-release-209136/chrome+0xa85d5ec) . AddressSanitizer
  • 25. ==6==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000268d0 at pc 0x7f845771029f bp 0x7fff...2a0 sp 0x7fffc7eea298 READ of size 8 at 0x6070000268d0 thread T0 (chrome) #0 0x7f845771029e in WebCore::WaveShaperDSPKernel:: lazyInitializeOversampling(...) .../WebKit/Source/wtf/OwnPtr.h:138 #1 0x7.a in WebCore::WaveShaperProcessor::setOversample(...) ... /WebKit/Source/modules/webaudio/WaveShaperProcessor.cpp:70 . 0x6070000268d0 is located 64 bytes inside of 72-byte region [0x607000026890,0x6070000268d8) freed by thread T19 (AudioOutputDevi) here: #0 0x7.1 in operator delete(void*) _asan_rtl_ #1 0x7.c in WebCore::AudioDSPKernelProcessor::uninitialize() src/third_party/WebKit/Source/wtf/OwnPtrCommon.h:47 . AddressSanitizer
  • 26. ● Used to instrument binaries ● Redirects heap-related calls to own run- time library ● Currently only heap-instrumentation ● Chrome/Chromium only atm. ● About 3x Slowdown ● Windows only ● https://code.google.com/p/sawbuck/wiki/SyzyASanDesignDocument SyzyASan
  • 27. SyzyASAN error: heap-buffer-overflow on address 0x0379D1A7 (stack_id=0x44CB69D7) READ of size 8 at 0x0379D000 #0 0x000068ef23be in (unknown) #1 0x000068f387f4 in (unknown) #2 0x000068eeb486 in (unknown) #3 0x000068e8add7 in (unknown) . . . SyzyASan
  • 28. Bad access information: +0x000 alloc_stack : [62] 0x0f999970 Void +0x0f8 alloc_stack_size : 0x3c '<' +0x0fc alloc_tid : 0x14a8 +0x100 free_stack : [62] (null) +0x1f8 free_stack_size : 0 '' +0x1fc free_tid : 0 +0x200 error_type : 3 ( HEAP_BUFFER_OVERFLOW ) +0x204 access_mode : 0 ( ASAN_READ_ACCESS ) +0x208 access_size : 8 +0x20c shadow_info : [128] "06499E3F is 23 bytes beyond 384-byte block [06499CA8,06499E28)." +0x290 microseconds_since_free : 0 SyzyASan
  • 30. ● Heap allocation monitoring for Windows ● No feedback - Only crash :( ● “Works” on Chrome/Chromium ● env: CHROME_ALLOCATOR="winheap" ● Enable Chrome error reporting -> minidumps ● Firewall Chrome( No free 0-days for Google ;) ) ● Debugging tools x86 Page-Heap
  • 31. ExceptionAddress: 564a0cd7 (chrome_..!WebCore:: WaveShaperDSPKernel::lazyInitializeOversampling+0x0...06) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000000 Parameter[1]: 27261fe4 Attempt to read from address 27261fe4 . STACK_TEXT: chrome_...!WebCore::WaveShaperDSPKernel:: lazyInitializeOversampling+0x6 [... webkitsourcemoduleswebaudiowaveshaperdspkernel.cpp @ 53] chrome_...!WebCore::WaveShaperProcessor::setOversample+0x29 . APPLICATION_FAULT_INVALID_POINTER_READ_chrome!WebCore:: WaveShaperDSPKernel::lazyInitializeOversampling+6 Dump-analysis
  • 32. ● Dumb fuzzing ○ Yes, still works ○ Yes, you can still find bugs with bit-flipping of image-files ● Smart fuzzing ○ Finds bugs fast but runs out of bugs faster. :( Fuzzers
  • 33. Dumb fuzzing ● Radamsa || Surku o/ ○ https://code.google.com/p/ouspg/ ● Mutate old repros ( find ./src/ -type d -name *crashtest* | xargs ls; ) ● Collect winnings Fuzzers
  • 34. Smart fuzzing ● W3C/MDN(/MSDN) ● Again stay green ● Most of the JavaScript APIs in browsers are really similar ● Some of the public tools have the logic in them already ● W3C spec + grep + sed = $$$ Fuzzers
  • 35. Smart fuzzing WebAudio API - PannerNode - Specification interface PannerNode : AudioNode { void setPosition(double x, double y, double z); void setOrientation(double x, double y, double z); void setVelocity(double x, double y, double z); attribute double refDistance; attribute double maxDistance; attribute double rolloffFactor; }; Fuzzers
  • 36. Smart fuzzing 2D Canvas API - Specification // rects void clearRect(unrestricted double x, unrestricted double y, unrestricted double w, unrestricted double h); void fillRect(unrestricted double x, unrestricted double y, unrestricted double w, unrestricted double h); // shadows attribute unrestricted double shadowOffsetX; // (default 0) attribute unrestricted double shadowOffsetY; // (default 0) attribute unrestricted double shadowBlur; // (default 0) Fuzzers
  • 37. Individuals: ● Physical machines -> sysadmining <3 ● SSD <3 ● RAM++ ● Vicious cycle of Bug->Bounty->New HW->Bug->Bounty... Hardware/Infrastructure
  • 38. 8x Dual Core CPU, 2GB ram, USB-stick, aka. Badgers OUSPG - 2011
  • 39. University HW: Badgers 6x Quad core AMD A10, 16GB ram, SSD 6x Dual Dual Core AMD antique, 8GB, 10k rpm BYOD: 4x Quad core i7-3770K, 16GB ram, SSD And additional 30+ cores misc hardware with 133.7+ GB of ram and bunch of SSDs OUSPG - 2013
  • 41.
  • 42. ClusterFuzz aka. CF ● Google fuzzing cluster ● 2012 - ○ 6000 Chrome instances ○ 50m+ test cases per day ○ Plans for quadrupling at that time ● ASAN, multiple fuzzers, minimization, regression ranges, verify fixes, dupes & dupes & dupes... Hardware/Infrastructure
  • 43. “cluster-fuzz is a soulless bug hunting machine. It has no want or need for your gratitude. It lives only to feed on bugs.” ClusterFuzz
  • 44. ● 12 machines running 24/7 ● ~50 cores, ~133.7GB of RAM ● approx. 20m test cases per day ● 19 file-formats ● git, scp, auto-update, auto-minimize ● Radamsa and ... My stuff
  • 45. ● Browser fuzzer harness ● Written in JavaScript ( Node.js ) ● Linux, Windows, OS X ● Test case generators and instrumentations loaded as modules ● Uses WebSockets for test case injection to browser ● Stable - https://code.google.com/p/ouspg/downloads/list ● Trunkish - https://github.com/attekett/NodeFuzz NodeFuzz
  • 46. Requirements: Google Chrome installed $ sudo apt-get install nodejs $ git clone https://github.com/attekett/NodeFuzz.git $ cd NodeFuzz $ npm install $ vim config.js #Optional $ node nodefuzz.js NodeFuzz - Setup - Ubuntu
  • 47. ● Fairly new JS API (Chrome 2011, FF 2013) ● "The API has been designed to allow modular routing.(UAF) Basic audio operations are performed by audio nodes that are linked together to form an audio routing graphs.(UAF/BOF) Inside a same context, several sources are supported, with different kind of channel layout.(UAF/BOF) This modular design allows for great flexibility and for the creation of complex audio functions and of dynamic effects. (BOF)" - MDN NodeFuzz - module - WebAudio
  • 48. Bugs found: ● Chrome - 4 UAF, 3 BOF ● Firefox - 1 UAF, 8 BOF NodeFuzz - module - WebAudio
  • 49. CVE-2013-0879 - Chrome - BOF <script> try{var context= new webkitAudioContext()}catch(e){} try{var oscillator= context.createOscillator()}catch(e){} try{oscillator.start(0.701,0.7,0.7)}catch(e){} setInterval(function(){ try{oscillator.connect(context.destination);}catch(e){} },4) try{oscillator.stop(0.70)}catch(e){} </script> NodeFuzz - module - WebAudio
  • 50. CVE-2013-2845 - Chrome - UAF <script> var Context0= new webkitAudioContext() var Analyser0=Context0.createAnalyser(); var WaveShaper0=Context0.createWaveShaper(); var Convolver3=Context0.createConvolver(); Analyser0.connect(WaveShaper0); WaveShaper0.connect(Context0.destination); Convolver3.connect(Analyser0); setInterval(function(){ Analyser0.disconnect(); },4) </script> NodeFuzz - module - WebAudio