
A Little Less Conversation, A Little More ActionScript

Speech transcript
Right, so I am WanderingGlitch, Jasiel Spelman; you'll usually find me by that handle on Twitter. As I said two talks ago, I focus on static analysis of binaries, most specifically on client-side vulnerabilities, and usually in the kernel. I typically spend most of my time in the Windows kernel, but this week there were a bunch in macOS, and I'm trying to spend more time in OS X as well. I also very much like to write automation to augment my reverse-engineering efforts. Part of the reason for this is that over at the Trend Micro Zero Day Initiative we buy vulnerabilities, and I'm one of the people who then has to do the analysis on them to determine whether they're exploitable, whether they're interesting, harmful, impactful, and so forth. Our team is one of the top suppliers of vulnerabilities and CVEs for Microsoft and Adobe, and that last point is actually probably the most important for this talk, in that as a result I have to do a lot of analysis of Adobe vulnerabilities. As you probably saw from the XSLT talk, we do a lot of Reader bugs, but there are also Flash vulnerabilities, and I'm trying to focus this talk from my perspective, the analyst's perspective. In addition to doing security stuff, I have recently discovered that I very much enjoy travel: it's only January 2017 and I've been on four continents, and I actually took my first steps on Antarctica on January 1st, which was quite awesome.

I'm opening up with a very, very minimal primer on ActionScript 2 and 3. The main thing I want to point out is that there are massive API differences and behind-the-scenes differences between the two, but the only thing I'm really trying to point out is type enforcement, specifically because most of the vulnerabilities that have been present in ActionScript 2 have been due to lack of type enforcement at the language layer.

So here is an example of that, lifted from Wikipedia; hopefully that's readable. The most important line here is the variable declaration for the text field, where, as you can tell, there's no real way to know what kind of object that is just from the variable itself. Looking at the rest of it, you can kind of glean that it's probably a TextField, because createTextField is being called for it, and then on the next line we have .text being set to a string, so you can kind of guess that that text property is expected to be a string. But there's nothing there to enforce that for you. Additionally, if that assignment were to reach down into a C function, into native code, with ActionScript 2 there's nothing to force the object you're setting it to to be a string until you hit native code. What I specifically mean by that is, if you set the text property of that field to the field object itself, then it would try and take that object and convert it to a string, and that would all happen within the native code and not within the language itself. That alone is part of why redefinition attacks have been so prevalent there.

So here's ActionScript 3, also lifted from Wikipedia, from the same page actually. Note that this time the variable declaration has a TextField type annotation on it, so in this case the language is enforcing the type of the variable to be a TextField object, and if new TextField returned anything that was not a TextField or a descendant of it, it would throw an error and nothing else would continue on. Likewise with .text: it's expected to be a string, and assignment of anything that is not a string or can't be coerced to a string will cause an error. And then, as I said before, the API is quite a bit more massive than with ActionScript 2, and it's continuing to grow, whereas ActionScript 2 is basically stagnant. I did see some modifications in some editions, but they seem to be rather silent, and nothing changed as far as the official API docs.

So, as I said, I'm going to try and approach this from my perspective, the analyst's perspective. If you look at this crash, it is pretty worthless, especially since I accidentally clipped out the value of EDI, which is the register being read from, but even with that it's still pretty worthless. All you can really tell is that you have a read access violation on freed memory; EDI in this particular case would have pointed at a value that is freed, and you don't really have any idea why. You can see the crash in the binary, but there's really nothing useful you can glean from it. If you try and run this on multiple versions, because Adobe Flash gets patched every month, you'll see roughly the exact same crash but in varying locations. So if you were trying to do analysis on, say, one case, that may not be too bad, but if you're getting, you know, 20 or 30 cases over the course of a couple of months, that's going to be a pain. There's no real easy way of being sure that two bugs are not duplicates of each other, or if they're maybe just variants where some copy and paste of the exact same code is happening near each other. So the crash itself is not that useful.

We can look at the proof of concept. This is one I picked out particularly because it was reported to us as part of Pwn2Own, but the most interesting thing about this is that the exact same vulnerability was present in both ActionScript 2 and ActionScript 3. The report for ActionScript 2 came from an
anonymous ZDI researcher, and then the ActionScript 3 vulnerability was submitted to us by Nicolas Joly during Pwn2Own 2015. By looking at the proof of concept and the debugger output, I already knew what the bug was, but if we look at the proof of concept, one of the first things that stands out is that you have a ConvolutionFilter, and then you have this new object with a valueOf property, and that function modifies matrixX on the ConvolutionFilter. Then on the very last line it is used as part of an array, and all the other elements in the array are integers, and if you look at the valueOf function it's also returning an integer. So we can kind of guess that this is probably a use-after-free, and we know that because we're writing to or reading from freed data, but also because of values being modified: you have an array that is going to be iterated through, that's the property being assigned to matrix, and you have what appears to be some attempt at reclaiming that freed memory by allocating new FileReference objects. So this ends up being a kind of standard redefinition, re-entrancy type of vulnerability.

As far as actually proving this, right now we've just come up with a hypothesis. There are ways of testing this dynamically, but we want to actually prove it by looking at the binary, and to do that we need to find a needle for where it is in the binary. A couple of needles we can look for: ConvolutionFilter, matrixX and matrix. For whatever reason I chose ConvolutionFilter; matrixX probably would have made more sense. Doing a string search for this in the Flash debugger projector (the same would apply for Flash.ocx) we end up with a number of hits, and some of these are more useful than others; some of these are not so interesting, but I found ConvolutionFilterClass and ConvolutionFilterObject to be a little bit more interesting, though those were not as helpful. If you go to the first one you'll see that you're in the .rdata section and that for at least 1000 or 2000 bytes in either direction you just have other strings, nothing really obviously interesting.

What I ended up doing is I just wrote a quick bit of IDAPython to start off at 0xDB5318 and just keep iterating one head at a time, over and over again, until you hit a head that has data references to it. I actually had to do this a couple of times, because there were some places where I'd thought there was a reference and another one was there, by mistake or, I'm not quite sure, but not quite what I wanted. So continue on until we find something interesting: there's this FWS. For those who don't know, FWS is the magic bytes for an uncompressed SWF file, and on a completely unrelated tangent, every time I've tried my hand at the compressed ones, CWS, I immediately think of compressed lists. So if we look at the single data reference to FWS, we see that it is pushed on the stack, and right adjacent to that is an integer, 0x9C89, that is also pushed. Based solely on this I kind of surmised that there's a SWF that's embedded inside Adobe Flash, and it's present in Flash.ocx and it's present in the Flash debugger projector. So I ran idaapi.get_many_bytes on 0xDB5360 with the size of 0x9C89, dropped it to disk, and then just threw it into one of the freely available decompilers; I used FFDec, or JPEXS, and that resulted in nice, clean ActionScript. It was ActionScript 2, and I was initially looking for the ActionScript 3 vulnerability, but still, this is progress.

So we have a bunch of ActionScript 2, and everything seems to start off by making calls to ASnative in its constructor, and all the calls to ASnative in the constructor consist of calls where you have two integer arguments and nothing more, and they all kind of seem to be constrained to values. The first argument to ASnative in the constructor seems to be used a lot, as you can see here: escape, unescape, parseInt, parseFloat all have 100. In addition to that there are a lot of calls to ASSetNative and ASSetNativeAccessor, which are based on calls from ASnative, and the interesting thing is that there are a lot of strings used in ASSetNative and ASSetNativeAccessor, so that's clearly where accessors and properties are being put on arbitrary objects. But ASnative and the constructor are not actually defined anywhere, so clearly they must be defined or created somewhere else. So I went back to the binary and did a search for ASnative and found two: the first was within the SWF I had just dropped to disk, so not interesting, but at least confirmation that it's there; the second was in the .rdata section and actually had a data reference to it.

I apologize for this; I kind of should have taken my screenshot before actually running my script, because, as you can see here in the bottom right, it's ASnative, but the same thing here is where I've already renamed the function. Based on that we can see that there is a native-code handler that gets loaded and it instantiates both of these functions to be called. What happens is there's ASnative and ASconstructor; if it's called with ASnative then this function, index 0, will be called, and with ASconstructor index 1 will be. The interesting thing about this is that both of these functions, when they're called, go through a kind of input sanitization where they'll check to make sure they only have two arguments, and then they'll check to make sure that both arguments are either integers or can be coerced into integers, and then they end up calling a function. This function is interesting in that it goes through a very large array, the array that I have renamed to AS2NativeTable, and just by looking through this function we can see where that array is and also get the size of the array: there's a comparison against a constant, and that constant ends up being the entire size of the array. So if we look at it now, we have an array of DWORDs, which ends up being the first argument to ASnative and ASconstructor, and then we have the handler functions.

Going back to the ActionScript 2 we got from this, we can see that if we're going to call, say, ASnative with 100, that's going to go into the handler for 100, and then that second value is still unknown, but that's going to vary for everything. Additionally, when you have the calls to ASSetNative and ASSetNativeAccessor, the way these work is the first argument is going to be an object, the second argument is going to be the native-code handler ID, so it would be like 0x65, 0x69, 0x90 and so forth, and after that is a comma-separated string. The comma-separated string is going to start at 0 or 1, I'm now blanking, I think one of them, unless you have an optional fourth argument; if you have a fourth argument, like in that first call to ASSetNative here, then it'll start at that value and increment onward. And then with ASSetNativeAccessor you have getter and setter methods, so it'll actually jump by two. What I mean by that is, for the second call, ASSetNative on that object will go through its native-code handler and have a method ID, or whatever you want to call it, of 0, whereas the ASSetNativeAccessor right after it will start off at the next IDs and step by two. Here's just an example of what the disassembly, or rather the decompilation, ends up looking like: you have this method ID grabbed at the top and then you have a switch statement that acts differently based on that argument. A lot of times 0 is used for the constructor, but a couple of times 100 was used for the constructor; it varies based on the API objects themselves, and none of that, as far as I know, is documented anywhere. I just ended up making these large structures, which I only have partially documented, but it's enough to be able to isolate where particular calls are going to end up in ActionScript 2 land.

Then, looking at the ActionScript 2 for ConvolutionFilter, we can see that it's going to go through the native-code handler for 1109, and it's going to be constructed by the case for 0, and it apparently inherits from BitmapFilter, because its prototype is set to BitmapFilter. Then it has a number of properties that are all set through ASSetNativeAccessor; 1109 is still the native-code handler that it's going to go through, and it starts off at 1, so matrixX will be method IDs 1 and 2 and matrix will be method IDs 5 and 6. Analysis of the vulnerable version shows the exact code path, and then analysis of the version right after shows how they patched it. I won't go into that, because that's not really what I'm trying to show; this is just a good example to talk about ActionScript 2, but it's been very, very useful for making it very easy to do patch diffing and analysis and all sorts of stuff without having to do normal BinDiff, which gets quite messy on Flash.

As I
said, we were trying to look for the ActionScript 3 bug, to do analysis on AS3, not on the AS2 bug. So, continuing on in our list of strings from earlier, we see another string match that looks very similar to the AS2 SWF match. Trying the exact same trick, we end up going up, and if we keep walking the heads over and over again, up until we get a data reference to it, we end up with what I've renamed to builtin_AS3_ABC_data. I now know that it's ABC data, but at the time I was a little lost; it didn't seem to have a format, I couldn't get any information about it, and even looking at how it was used in the binary was not the simplest. Thankfully avmplus is open source, and so I was able to look at the core source and see the NativeInitializer class, and as part of that I ended up writing my own ActionScript bytecode parser to iterate through this in its entirety and then map things up using that. The AVM and ABC documentation was quite fantastic, but being able to reference the implementation itself was very, very helpful, because the documentation is great but the implementation tells you exactly how it's actually being done.

So, looking at NativeInitializer, we can see that there's this function; this is the initialization of the NativeInitializer object, and then fillInClasses is called and fillInMethods is called, and the arguments of fillInClasses and fillInMethods are both values that are in the data section of the binary, and builtin_aotInfo is where the ActionScript bytecode itself is. So if we look at the assembly itself we can see something that looks pretty similar, actually exactly similar, and using this I was able to find these methods and then start renaming things.

One thing I noticed, a little bit later, is that there are actually two sets of embedded ActionScript: one that seems to be called builtin and the other seems to be called shell or toplevel. Both of these are present in the avmplus source code; however, they do not match in the slightest, and none of the proprietary APIs are available in the open-source implementation, so ConvolutionFilter, for example, is not there, but all of the methods that they use to load everything in and set everything up still apply directly. Here's just the initial toplevel one.

So, in order to parse the ActionScript bytecode: it's not the most complicated of formats, but there are several tables that you have to iterate through. It starts off with the constant pools; what these are is int, uint, double, and so on and so forth. Float has a star by it because it is optional; it's actually controlled by some compile-time defines, and for whatever reason they don't have it on and instead opted for doubles. Following that is method information, which contains the return types, parameter types and names that I'm grabbing. The constant pool I mostly ignore except for the strings, namespaces, namespace sets and multinames. The metadata information I'm completely ignoring; I parse it only so that I'm able to continue on to the next table. After that is instance information and then class information, script information and method body information, and I'm grabbing all of those. Method body information here is the one I'm using the least, as I only really care about the traits and the method ID, because that'll be vital when I actually map out what I'm seeing through the arrays to the functions that reference them. I mentioned traits, and it's all of these: things like trait getter, setter, method, class, stuff like that, and basically the extra properties on an object.

Here's what the NativeClassInfo looks like: you have a function and then a class ID, and then the rest is not as important, but it is still very useful. I'm storing all this data so I can then later reference it, and I'll kind of explain why later on. Just looking at some of the other arguments to fillInClasses and fillInMethods, we can see the NativeClassInfo structures, and it's just a very large array of those, the size of which is given by the ActionScript bytecode but also by one of the arguments to the constructor of the NativeInitializer object.

Then, following that is NativeMethodInfo, which just consists of basically two function pointers followed by a method ID, and once again I'm parsing this all just to grab the method IDs so I can map things up later on. Here it is in the binary. Alright, so going back to ConvolutionFilter: we have some ActionScript bytecode, but we don't exactly know what it looks like. I wrote an ActionScript bytecode parser and I did parse the method body information, but I did not parse the instructions and the exceptions; that got a little more involved than I really cared to do in Python. Thankfully there's a guy named Vladimir Panteleev, aka CyberShadow, who wrote a tool called RABCDAsm, which is quite fantastic; it will emit the disassembly at the top, and so you can see that for the setter for the matrix property it has a ref ID of ConvolutionFilter/instance/matrix/setter, it takes an Array and returns nothing, and the flag 0x20 just specifies that this is a native function. Likewise the getter for matrixX takes nothing, returns a Number and has the flag 0x20 as well. So if we look at the decompilation of playerglobal, and for those who don't know, playerglobal is the set of APIs that's released by Adobe every patch, available on the same page that you download the debugger projectors from, if we decompile that we see that these functions are all marked as native and that the names match, which is perfect. I
always like to confirm that what I'm saying, what I believe, is actually true. On the left side we have more output from RABCDAsm, on the right side we have the decompilation from playerglobal again. On the right we start off with a call to super, and then we write this.matrixX by setting it to the value of the argument matrixX. On the left, kind of halfway through, you can see getlocal0 and then constructsuper 0, that matches, and then the next block right after that is getlocal0, getlocal1, and then initproperty for the matrixX property, and all that matches up, and that's just great confirmation that what we're seeing is actually matching what we believe it should be.

One of the things I found while poking around avmplus, to try to basically check my parser and make sure that everything I was writing actually matched up with how Adobe Flash was doing things, was these PURE_METHOD and CallInfo structures. These are structures that exist both in the debugger and in the production, general-availability builds of Flash, but in the debug build specifically they end up being a little bit more interesting. They get defined with some macro gobbledygook, PURE_METHOD and so on and so forth. If you look at PURE_METHOD, that is then using another macro, DEFINE_CALLINFO; DEFINE_CALLINFO is conditionally defined on the definition of NJ_VERBOSE, and if NJ_VERBOSE is defined then a name gets appended to the end of the structure, which is quite fantastic, because if we then look at that structure we just have a pointer to an address, what ends up being a DWORD, another DWORD for the access sets, and then a pointer to a string. That actually works fantastically for some heuristics: just looking for exactly that, making sure all those values are sane and that you have an address to a function as well as a reference to a name, we end up with these CallInfo structures and get even more information out, just automatically. It works fairly well on everything I was able to see that was defined in the code and find in the binary itself, as well as a few more that were not defined in the source, which is always fun. All in all, renaming found 208 CallInfo structures, and I actually ended up renaming a lot more than that as far as names go, but only because I'm also renaming the addresses as well as the structures.

Going away from the ConvolutionFilter stuff and just looking at what my code does versus what RABCDAsm does, as well as playerglobal: at the top we have a function definition from RABCDAsm, and it's for Accessibility.sendEvent, and at the bottom we have my output. My output is pretty crappy, but it's only really meant for me, which is why that doesn't matter. Starting at the middle and working outward: we start off with optional false, and if we look at the bottom we have optional false, native true, sorry, flag 0x20, and then the flag HAS_OPTIONAL, and that's covered by the 40, because HAS_OPTIONAL was 8. Then it takes in a DisplayObject followed by a uint and a uint, and at the top that all matches, and then a return of void, and all that seems to match what playerglobal has done. So all three match, and that's just more confirmation that the code I'm running in IDAPython to rename things is actually on the right track and is doing the right things.

One of the last things I did, probably a month and a half, maybe a month ago: because I'm parsing all the class closures, the class structures, I have access to the class closure creation functions, so basically all the functions in avmplus/generated that have the name createClassClosure. One of the sets of functions that is incredibly useful to look at are the instance creation procedures, because all of these are where the vtables get set. If you look at this code it's fairly simple, in that the first thing that really happens is that you take in the argument and then dereference the table reference, get the create instance proc and set that to something. As I mentioned, CC_ in my nomenclature is equivalent to the class closure functions, and I have access to those in my code, so just writing some heuristics I was able to rename those, and I have 200-something of them automatically renamed to the create instance procs, just getting a little bit of extra information. There are a bunch I'm not getting, just because they're more complicated or there's inheritance or, for whatever reason, but it's still very, very helpful. All in all I have 277 addresses related to ActionScript 2, and those are only the 277 ActionScript 2 native-code handlers, but then a lot more when it comes to ActionScript 3, and there's probably more to be found. So far, just with this, I'm able to massively simplify my reversing and triage efforts, which is quite awesome. I was going to do a demo real quick, but I think I'll actually save that for a couple of slides.
So, in December 2015 Chaouki had mentioned that basically a lot of the Flash bugs that were being published were in ActionScript 2, not ActionScript 3, and that kind of held true for 2016 as well. I've seen a slight uptick in the vulnerabilities in ActionScript 3, but they mostly seem to be found through fuzzing, and I think a huge part of that is that ActionScript 3 is rather difficult to fuzz, because of the type safety; it's harder to do redefinition attacks, again because of the type safety, but it's also much harder to do analysis on. Part of the motivation for this was the fact that it's harder, but also the monthly updates make it such a pain to do any sort of analysis, and I needed some way of just being able to take an IDB from scratch and have it just run and rename things and get myself back to a working state without having to do BinDiff to get the knowledge from the previous month back in. There's still a lot more work to be done, and one of the things I was actually hoping to get done for this presentation was PDB generation. I've done PDB generation in the past: for example, sometime in 2015 Microsoft released symbols for ntdll and the kernel that did not have any of the type information for the PEB, the TEB and so forth, and I wrote some code that just stole it from the previous symbols and injected it into the current ones. I currently have the ability to emit PDBs, but still have some work to do before it actually ends up being fully useful, but hopefully soon. On that note, I am WanderingGlitch at the Zero Day Initiative, and if there are any questions, please ask them. I'll actually try to show my code running, which may not work with the projector, but bear with me.
Also, thank you to Hex-Rays: I recently got a new MacBook for analysis and IDA was crashing on the latest version, something to do with the touch bar, and they were very quick and helpful about it. That will just have to be readable enough. Right, so if we look here we see what's a byte array, but there's nothing there; it's really just a fresh IDB of the Flash binary. So it starts off by looking for the builtin ActionScript 3 bytecode, then follows it up by looking for the shell toplevel bytecode, and lastly it does the ActionScript 2. I'm also adding a decent number of types, so I now have all the functions as well as anything else that may possibly use them. If I look at that, this is basically the exact same code that I showed earlier, showing the create instance procedure from the class closure, but then also if I go to any of these functions I can get the type information that's going to go to them, and in this particular case I know that it's returning void, it's a native function, and it takes in a Rectangle and a BitmapData. That's about it. Does anyone have any questions?

[Audience question, partly inaudible in the recording: whether the code is available on GitHub.]

So I did mean to answer that: I do not have it available yet. I am planning on releasing it, but there is some cleanup to do, specifically around the heuristics to find the create instance procedures; that is rather gross. I know the worst part is finding the NativeInitializer calls; I need to clean that up, and I'm most likely going to clean it up by just switching to Unicorn and not doing it the way I'm currently doing it. Thank you very much.
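The FWS hunt described in the talk (the signature found in .rdata, the size pushed next to it, then get_many_bytes to carve the embedded SWF), as an added example that is not part of the talk and not the speaker's IDAPython: a small Python carver that finds SWF headers in any binary blob, uses the header's own length field rather than a size constant read off a push instruction, rejects implausible hits, and also rewrites zlib-compressed CWS containers as FWS so a decompiler can take them. The header layout (3-byte signature, 1-byte version, little-endian u32 uncompressed length) is the public SWF format; the version bound, the function names and the sample blob are this example's own assumptions, and the sample is constructed, not taken from a Flash binary.

```python
import struct
import zlib

SIGNATURES = (b"FWS", b"CWS", b"ZWS")       # uncompressed, zlib, LZMA
MAX_PLAUSIBLE_VERSION = 60                  # assumption: bound that rejects stray 'FWS' byte runs


def carve_swfs(blob, max_version=MAX_PLAUSIBLE_VERSION):
    """Every plausible SWF header in blob: signature, version byte, little-endian u32 length."""
    found = []
    for sig in SIGNATURES:
        off = blob.find(sig)
        while off != -1:
            if off + 8 <= len(blob):
                version = blob[off + 3]
                length = struct.unpack_from("<I", blob, off + 4)[0]
                # FWS: length is the on-disk size, so the whole file must fit in the blob.
                # CWS/ZWS: length is the *decompressed* size and says nothing about what follows.
                fits = sig != b"FWS" or off + length <= len(blob)
                if 1 <= version <= max_version and length >= 8 and fits:
                    found.append({"offset": off, "kind": sig.decode(),
                                  "version": version, "length": length})
            off = blob.find(sig, off + 1)
    return sorted(found, key=lambda e: e["offset"])


def extract_fws(blob, entry):
    """Slice an uncompressed SWF out of blob (the manual get_many_bytes step from the talk)."""
    if entry["kind"] != "FWS":
        raise ValueError("not an uncompressed SWF")
    return blob[entry["offset"]:entry["offset"] + entry["length"]]


def inflate_cws(blob, entry):
    """Rewrite a zlib-compressed SWF as FWS: the 8-byte header is stored in the clear and
    everything after it is one zlib stream; bytes of the blob past that stream are ignored."""
    if entry["kind"] != "CWS":
        raise ValueError("not a zlib-compressed SWF")
    start = entry["offset"]
    body = zlib.decompressobj().decompress(blob[start + 8:])
    return b"FWS" + blob[start + 3:start + 8] + body


def build_sample_blob():
    """Constructed test image (assumption): padding around one FWS, one CWS and a decoy."""
    body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00" + b"\x00" * 20
    length = struct.pack("<I", 8 + len(body))             # uncompressed length for both
    fws = b"FWS" + bytes([8]) + length + body
    cws = b"CWS" + bytes([10]) + length + zlib.compress(body)
    decoy = b"FWS\xff\xff\xff\xff\xff"                    # version 255: rejected as implausible
    return b"\x90" * 64 + decoy + b"\x00" * 16 + fws + b"\xcc" * 32 + cws + b"\x00" * 8
```

On a real player binary you would pass the bytes of the whole .rdata section (or the whole file) to carve_swfs and feed each extracted FWS to FFDec or RABCDAsm; the decoy in the sample shows why the version bound matters, since three ASCII bytes are a weak signature on their own.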
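The ABC tables walked in the talk (constant pools, then method_info with its return type, parameter types, name and flags), as an added example that is not the speaker's parser, RABCDAsm or avmplus code: a Python parser for the ABC header, the constant pool and the method_info table, stopping where the talk's own parser keeps going (metadata, instances, classes, scripts, bodies). Field layout and flag values follow the public AVM2 bytecode overview and avmplus's AbcParser: counts in the pools include an implicit entry 0, u30/u32/s32 are 7-bits-per-byte varints, a method whose flags carry 0x20 is NATIVE (the flag the talk reads off RABCDAsm output) and 0x08 is HAS_OPTIONAL. The sample blob at the bottom is hand-assembled for this example and not extracted from any Flash binary; its names (matrixX, matrix, flash.filters, ConvolutionFilter) only mimic the talk's example.

```python
import struct

NATIVE, HAS_OPTIONAL, HAS_PARAM_NAMES = 0x20, 0x08, 0x80                  # method_info.flags
QNAME, QNAME_A, RTQNAME, RTQNAME_A, RTQNAME_L, RTQNAME_LA = 0x07, 0x0D, 0x0F, 0x10, 0x11, 0x12
MULTINAME, MULTINAME_A, MULTINAME_L, MULTINAME_LA, TYPENAME = 0x09, 0x0E, 0x1B, 0x1C, 0x1D
OPERANDS = {QNAME: 2, QNAME_A: 2, RTQNAME: 1, RTQNAME_A: 1, RTQNAME_L: 0, RTQNAME_LA: 0,
            MULTINAME: 2, MULTINAME_A: 2, MULTINAME_L: 1, MULTINAME_LA: 1}  # u30 operands per kind


class Reader:
    """Cursor over the blob; u30/u32/s32 are LEB128-style varints (7 bits per byte, high bit = more)."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):                        # raw bytes, advancing the cursor
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def u8(self):
        return self.take(1)[0]
    def fixed(self, fmt):                     # u16 / d64: plain little-endian fields
        return struct.unpack(fmt, self.take(struct.calcsize(fmt)))[0]
    def u32(self):
        value = shift = 0
        for _ in range(5):                    # at most 5 bytes; the 5th contributes 4 bits
            b = self.u8()
            value |= (b & 0x7F) << shift
            shift += 7
            if not b & 0x80:
                break
        return value & 0xFFFFFFFF
    u30 = u32
    def s32(self):
        v = self.u32()
        return v - (1 << 32) if v & 0x80000000 else v
    def count(self):                          # pool counts include the implicit entry 0
        n = self.u30()
        return n - 1 if n > 1 else 0


def parse_cpool(r):
    cp = {"ints": [0] + [r.s32() for _ in range(r.count())],
          "uints": [0] + [r.u32() for _ in range(r.count())],
          "doubles": [float("nan")] + [r.fixed("<d") for _ in range(r.count())]}
    strings = [""] + [r.take(r.u30()).decode("utf-8", "replace") for _ in range(r.count())]
    cp["strings"] = strings
    cp["namespaces"] = [(0, "")] + [(r.u8(), strings[r.u30()]) for _ in range(r.count())]
    cp["ns_sets"] = [[]] + [[r.u30() for _ in range(r.u30())] for _ in range(r.count())]
    names = ["*"]
    for _ in range(r.count()):
        kind = r.u8()
        if kind == TYPENAME:                  # Vector.<T>: base multiname, then parameters
            base, params = r.u30(), [r.u30() for _ in range(r.u30())]
            names.append("<typename %d %s>" % (base, params))
            continue
        ops = [r.u30() for _ in range(OPERANDS[kind])]   # KeyError on an unknown kind
        if kind in (QNAME, QNAME_A):          # static namespace + name: the common case
            ns, name = cp["namespaces"][ops[0]][1], strings[ops[1]]
            names.append(ns + "::" + name if ns else name)
        elif kind in (RTQNAME, RTQNAME_A, MULTINAME, MULTINAME_A):
            names.append(strings[ops[0]])     # name is static, namespace(s) resolved later
        else:
            names.append("<runtime>")         # *L kinds take the name from the stack
    cp["multinames"] = names
    return cp


def parse_methods(r, cp):
    mn, st, methods = cp["multinames"], cp["strings"], []
    for method_id in range(r.u30()):
        nparams = r.u30()
        ret = mn[r.u30()]
        params = [mn[r.u30()] for _ in range(nparams)]
        name, flags = st[r.u30()], r.u8()
        optional = [(r.u30(), r.u8()) for _ in range(r.u30())] if flags & HAS_OPTIONAL else []
        for _ in range(nparams if flags & HAS_PARAM_NAMES else 0):
            r.u30()                           # debug-only parameter names: consume and drop
        methods.append({"id": method_id, "name": name, "return": ret, "params": params,
                        "flags": flags, "native": bool(flags & NATIVE), "optional": optional})
    return methods


def parse_abc(data):
    r = Reader(data)
    minor, major = r.fixed("<H"), r.fixed("<H")
    cp = parse_cpool(r)
    return {"version": (major, minor), "cpool": cp, "methods": parse_methods(r, cp), "end": r.pos}


def native_methods(abc):
    """Methods carrying the NATIVE flag: the ones the player binds to C++ handlers."""
    return [(m["id"], m["name"], m["return"], m["params"]) for m in abc["methods"] if m["native"]]


# Constructed sample ABC (assumption: hand-assembled for this example, not from any Flash binary).
SAMPLE_ABC = b"".join([
    b"\x10\x00\x2e\x00", b"\x03\x2a\xfb\xff\xff\xff\x0f", b"\x00\x00",    # v46.16; ints [0,42,-5]; no uints/doubles
    b"\x09\x0dflash.filters\x06Number\x04void\x05Array",                 # strings 1..4
    b"\x07matrixX\x06matrix\x05scale\x11ConvolutionFilter",              # strings 5..8
    b"\x03\x16\x00\x16\x01", b"\x02\x02\x01\x02",                        # ns1 public, ns2 flash.filters; ns_set 1 = {1,2}
    b"\x06\x07\x01\x02\x07\x01\x03\x07\x01\x04\x07\x02\x08\x09\x07\x01",  # QNames Number, void, Array, ConvolutionFilter; Multiname scale
    b"\x03\x00\x01\x05\x20", b"\x01\x02\x03\x06\x20",                    # get matrixX():Number, set matrix(Array):void, both NATIVE
    b"\x02\x02\x01\x01\x07\x08\x01\x02\x03",                             # scale(Number, Number = ints[2]), HAS_OPTIONAL
])
```

The returned method IDs are the index into method_info, which is what the NativeMethodInfo entries in the talk's fillInMethods array carry, so joining the two tables on that ID is what attaches a name and signature to a native handler address.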
Lineares Funktional
Objektklasse
Matching <Graphentheorie>
Klasse <Mathematik>
Code
Algorithmische Programmiersprache
Computeranimation
Weg <Topologie>
Funktion <Mathematik>
Menge
Rechter Winkel
Wort <Informatik>
Instantiierung
Tabelle <Informatik>
Heuristik
Bit
Adressraum
Kombinatorische Gruppentheorie
Analysis
Code
Computeranimation
Kernel <Informatik>
Task
Dämpfung
Adressraum
Datentyp
Vererbungshierarchie
Beamer
Analysis
Soundverarbeitung
Lineares Funktional
Datentyp
Teilbarkeit
Typprüfung
Symboltabelle
Quick-Sort
Programmfehler
Dichte <Physik>
Rechenschieber
Generator <Informatik>
Softwareschwachstelle
Mereologie
Information
Instantiierung
Maschinenschreiben
Algebraisch abgeschlossener Körper
Bloch-Funktion
Dualitätstheorie
Nabel <Mathematik>
Atomarität <Informatik>
Gruppenoperation
Klasse <Mathematik>
Versionsverwaltung
Rechteck
Zahlenbereich
Oval
E-Mail
Code
Computeranimation
Unendlichkeit
Bildschirmmaske
Datentyp
Byte-Code
Normalvektor
Demo <Programm>
Gammafunktion
Leistung <Physik>
Analysis
Lineares Funktional
Wurm <Informatik>
Heuristik
Gerade
Algorithmische Programmiersprache
Datenstruktur
Einheit <Mathematik>
COM
Rechter Winkel
Zustand
Mereologie
Hochvakuum
Dynamisches RAM
Bildschirmsymbol
Information
Instantiierung

Metadata

Formal metadata

Title A Little Less Conversation, A Little More ActionScript
Series title REcon 2017 Brussels Hacking Conference
Part 20
Number of parts 20
Author Spelman, Jasiel
License CC Attribution 4.0 International:
You may use, modify, and reproduce, distribute, and make publicly available the work or its content, in unmodified or modified form, for any lawful purpose, provided you credit the author/rights holder in the manner they have specified.
DOI 10.5446/32386
Publisher REcon
Publication year 2017
Language English
Production location Brussels

Content metadata

Subject area Computer science
Abstract According to a study from 2015, Adobe Flash Player comprised eight of the top 10 vulnerabilities leveraged by exploit kits. Most exploit developers rely on fuzzing the values to ASNative within ActionScript 2/ActionScript 3 in order to discover weaknesses. This usually occurs without actually knowing what data to send and where it will end up. However, these bug hunters have shared little information on how to reverse Flash itself, if they even know. What is public is primarily on how people have found and exploited similar vulnerabilities. What has always been missing is a deeper understanding of Flash as a whole – until now. This talk details techniques that allow researchers to perform mappings between ActionScript 2/ActionScript 3 and their undocumented counterparts. This moves analyzing Flash from simple fuzzing techniques to in-depth reverse engineering. We begin with how Flash starts up the AS2/AS3 virtual machines then work through to demonstrating the mapping of native functions. Finally, we’ll demonstrate the effectiveness of these techniques by marking up the flash debugger projector and using it to analyze a vulnerability in Adobe Flash. By examining the internals of Flash’s ActionScript implementations, researchers gain a new and unique visibility in finding and analyzing zero-day exploits.
Keywords WanderingGlitch
