Internet Security Systems - AlertCon(TM)

Upcoming Blackhat '09 Talk

Posted by Mark Dowd on July 17, 2009 at 3:02 PM EDT.

Well, it's that time of year again, BlackHat is nearly upon us! I would like to announce that myself, Ryan Smith, and David Dewey will be presenting this year on "Attacking Interoperability".  The issues that we will be discussing are pervasive in any software that employs interoperability between different components, however our focus will be on web browsers.  Here is a little bit of a run down:

Basically, we realized that there has been a continual increase in the desire for direct communications between disparate technologies, particularly in rich client software.  While we are happy to reap the benefits of such innovations, the security consequences of introducing these communication channels has been largely unexplored.  Take browser plugins for example.  There is quite a lot of literature about targeting a plugins exposed entry points, as well as fuzz-testing tools that will enumerate and attack these interfaces.  On the other hand, there is nearly nothing written about the security implications of the marshalling layers and interoperability controls themselves.  During our research into this area, we have found not only a significant number of vulnerabilities, but also entire classes of vulnerabilities that have had very little or no coverage to date.  Therefore, our presentation is aimed at discussing these vulnerability classes - not just from an abstract point of view, but giving concrete examples of various APIs that lend themselves to these kinds of problems, and what they look like in real code.  We will also speak about issues surrounding trust transitivity - the implicit extension of trust given to a plugin or browser component, and how that components features might be abused to bypass protection features implemeted within the browser.  We will demostrate such an attack by bypassing one of the major protection features of a popular browser.  We will present material that is relevant to all popular contemporary browsers - including IE, Firefox, Safari, and Chrome.

Hope to see you all there!

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.