Presentation is loading. Please wait.

Presentation is loading. Please wait.

Bromium Confidential. CVE-2012-4969 IE CMshtmlEd UAF.

Published byJeffrey Philip Ball Modified over 9 years ago

Similar presentations

Presentation on theme: "Bromium Confidential. CVE-2012-4969 IE CMshtmlEd UAF."— Presentation transcript:

1 Bromium Confidential

2 CVE-2012-4969 IE CMshtmlEd UAF

3 But did you ever wonder how we ended up here? And where are we going?

4 Bromium Confidential

5

6

7

8

9

10

11 Phun Profit/War Hacking For: 70s Now

12

13 strcpy(dst, src);

14

15

16

17

18 2006 brought VT-x 90s

19

20 Microcode updates should be signed… so this shouldn’t be a problem… Chip Vendor OS Vendor Your CPU after boot add ecx, ebx == many micro instructions

21 SEH func Stack Heap spray attack NOPs + Shellcode SEH

22

23

24

25 Smart Pointers

26 All dynamic Objects in IE Process Heap IE as of June 2014 User created Objs Critical IE Objs Process Heap Isolated Heap Heap Separation

27 HeapFree() Freed by Allocator Right away IE as of July 2014 Secure HeapFree() Put on List to be Freed later Based on heuristics Delay Free

28 Kernel Exploits Hypervise every process Least privilege

29 Robert Cailliau, Jean-François Abramatic and Tim Berners-Lee at the 10th anniversary of the WWW Consortium

30

31

32

33 Without a hypervisor, weakness is Kernel exploit or something like: /* shocker: docker PoC VMM-container breakout (C) 2014 Sebastian Krahmer * Demonstrates that any given docker image someone is asking * you to run in your docker setup can access ANY file on your host, * e.g. dumping hosts /etc/shadow or other sensitive info, compromising * security of the host and any other docker VM's on it.

34

35

36 while(this_side_of_heaven) { c = catalyst(war||commerce); //currently cyberwar fuels 0day fascination x = build(c); y = break(x); if( y && motivation) attack(); x = fix(x, y); c, x = rebuild_innovate(x, smaller, cheaper, complexity++, security); }

37 Bromium Confidential labs.bromium.com@jareddemott

Download ppt "Bromium Confidential. CVE-2012-4969 IE CMshtmlEd UAF."

Similar presentations

Ian Pratt SVP, Products Bromium Inc.

Ian Pratt SVP, Products Bromium Inc.
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Memory Management Questions answered in this lecture: How do processes share memory? What is static relocation? What is dynamic relocation? What is segmentation?

Memory Management Questions answered in this lecture: How do processes share memory? What is static relocation? What is dynamic relocation? What is segmentation?
Chapter 6 Limited Direct Execution

Chapter 6 Limited Direct Execution
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Day 11 Processes. Operating Systems Control Tables.

Day 11 Processes. Operating Systems Control Tables.
A. Frank - P. Weisberg Operating Systems Process Scheduling and Switching.

A. Frank - P. Weisberg Operating Systems Process Scheduling and Switching.
OS Spring’03 Introduction Operating Systems Spring 2003.

OS Spring’03 Introduction Operating Systems Spring 2003.
Process in Unix, Linux and Windows CS-3013 C-term 20081 Processes in Unix, Linux, and Windows CS-3013 Operating Systems (Slides include materials from.

Process in Unix, Linux and Windows CS-3013 C-term Processes in Unix, Linux, and Windows CS-3013 Operating Systems (Slides include materials from.
Unix & Windows Processes 1 CS502 Spring 2006 Unix/Windows Processes.

Unix & Windows Processes 1 CS502 Spring 2006 Unix/Windows Processes.
Build Test Integrat e Deploy Develop Languages Frameworks Cloud and Infra Data platforms.

Build Test Integrat e Deploy Develop Languages Frameworks Cloud and Infra Data platforms.
1 Process Description and Control Chapter 3 = Why process? = What is a process? = How to represent processes? = How to control processes?

1 Process Description and Control Chapter 3 = Why process? = What is a process? = How to represent processes? = How to control processes?
1 Privacy Enhancing Technologies Elaine Shi Lecture 4 Principles of System Security slides partially borrowed from Jonathan Katz.

1 Privacy Enhancing Technologies Elaine Shi Lecture 4 Principles of System Security slides partially borrowed from Jonathan Katz.
CSE 451: Operating Systems Autumn 2013 Module 6 Review of Processes, Kernel Threads, User-Level Threads Ed Lazowska 570 Allen.

CSE 451: Operating Systems Autumn 2013 Module 6 Review of Processes, Kernel Threads, User-Level Threads Ed Lazowska 570 Allen.
Virtualization Technology Prof D M Dhamdhere CSE Department IIT Bombay Moving towards Virtualization… Department of Computer Science and Engineering, IIT.

Virtualization Technology Prof D M Dhamdhere CSE Department IIT Bombay Moving towards Virtualization… Department of Computer Science and Engineering, IIT.
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)

Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
Process in Unix, Linux, and Windows CS-3013 A-term 20081 Processes in Unix, Linux, and Windows CS-3013 Operating Systems (Slides include materials from.

Process in Unix, Linux, and Windows CS-3013 A-term Processes in Unix, Linux, and Windows CS-3013 Operating Systems (Slides include materials from.
Least-Privilege Isolation: The OKWS Web Server Brad Karp UCL Computer Science CS GZ03 / M030 12 th December, 2008.

Least-Privilege Isolation: The OKWS Web Server Brad Karp UCL Computer Science CS GZ03 / M th December, 2008.
Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,

Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,

Similar presentations

Ads by Google