Bromium Confidential
CVE IE CMshtmlEd UAF
But did you ever wonder how we ended up here? And where are we going?
Hacking for: phun (70s); profit/war (now)
strcpy(dst, src);
90s; 2006 brought VT-x
Microcode updates should be signed… so this shouldn’t be a problem… (Chip vendor → OS vendor → your CPU after boot.) add ecx, ebx == many micro instructions
Stack (SEH, func) / Heap spray attack (NOPs + shellcode, SEH)
Smart Pointers
Heap Separation: before, all dynamic objects in IE live in the process heap; IE as of June 2014: user-created objects in the process heap, critical IE objects in the isolated heap.
Delay Free: before, HeapFree() is freed by the allocator right away; IE as of July 2014: secure HeapFree() puts the block on a list to be freed later, based on heuristics.
Kernel exploits; hypervise every process; least privilege
Robert Cailliau, Jean-François Abramatic and Tim Berners-Lee at the 10th anniversary of the WWW Consortium
Without a hypervisor, weakness is Kernel exploit or something like:
/* shocker: docker PoC VMM-container breakout (C) 2014 Sebastian Krahmer
 * Demonstrates that any given docker image someone is asking
 * you to run in your docker setup can access ANY file on your host,
 * e.g. dumping hosts /etc/shadow or other sensitive info, compromising
 * security of the host and any other docker VM's on it.
while(this_side_of_heaven) {
    c = catalyst(war||commerce); // currently cyberwar fuels 0day fascination
    x = build(c);
    y = break(x);
    if( y && motivation) attack();
    x = fix(x, y);
    c, x = rebuild_innovate(x, smaller, cheaper, complexity++, security);
}