CanSecWest 2011 - Day 3
Chris Eng and Brandon Creighton of Veracode were first to go up on stage. In the third CanSecWest talk about an Adobe product, they exposed many security issues in ColdFusion web applications. At first they talked about the usual suspects like XSS and SQL injection and what these attacks look like in ColdFusion code. Then they went through a few other issues that are specific to ColdFusion and do not exist in other web application frameworks. For me, the funniest part was the incredible number of variables that are supposed to be server-side read-only but are still writable by web applications. This has plenty of potential for all sorts of unintended havoc.
The second talk was about automated pointer analysis by my former co-worker Vincenzo Iozzo and his friend Giovanni Gola. They talked about doing interprocedural pointer analysis with the goal of automatically finding bugs like double-frees. About five minutes in, I got a work-related call that occupied me for the next half an hour. Shortly after I had headed back into the conference room, the fire alarm went off. I already had ReCon 2010 flashbacks, but fortunately it turned out to be a false alarm. I can't say I saw a lot of that talk, but I am sure it was good.
The fourth and last talk about an Adobe product came from Richard Johnson of Sourcefire. He described some of the internals of the Acrobat Reader sandbox, the abstraction layer that was introduced in Acrobat Reader 10 to mitigate the effects of Acrobat Reader exploits. He also talked about some of the potential weaknesses in the sandbox, for example how the networking code and the filesystem code are not properly sandboxed, potentially allowing attackers to send file information over the network.
More work-related issues made me miss much of the talk about fuzzing by Dan Kaminsky, Adam Cecchetti, and Mike Eddington. From what I saw, they set their fuzzers on applications like MS Office, OpenOffice, and Acrobat Reader and tried to draw conclusions about improvements in product security from the number of exploitable crashes (as determined by !exploitable) they got. The talk itself was pretty entertaining, but the methodology they used to draw the conclusions did not always seem to be solid. Several people asked very good questions during the discussion after the talk. In the end, the speakers made their raw fuzzing results data available to everyone in the form of a SQL dump.