Digging Deep into the Flash Sandboxes

Video Link: https://www.youtube.com/watch?v=lJCVN1hKH0g



Duration: 45:55


Lately we have seen how sandboxing technology is positively altering the software security landscape. From the Chrome browser, to Adobe Reader, to Mac and iOS applications, sandboxing has become one of the main exploit mitigation technologies that software has come to rely on. As with all critical security technologies, sandboxes need to be understood and scrutinized, mainly to see how effective they are, or at the very least, to satisfy one's curiosity. The sandbox implementations for Adobe's Flash Player certainly piqued ours.

Our talk will explore the internals of three sandbox implementations for Flash: Protected Mode Flash for Chrome, Protected Mode Flash for Firefox, and Pepper Flash. And of course, we will show that an exhaustive exploration of the Flash sandboxes will eventually yield gold as we discuss and demonstrate some Flash sandbox escape vulnerabilities we found along the way.

We start with a look at the high-level architecture of each sandbox implementation. Here we will define the role of each process and the connections between them. In the second part, we will dive deep into the internal sandbox mechanisms at work, such as the sandbox restrictions, the different IPC protocols in use, the services exposed by higher-privileged processes, and more. In the third part of our talk, we will take a look at each sandbox's security and talk about the current limitations and weaknesses of each implementation. We will then discuss possible avenues to achieve a sandbox bypass or escape. Throughout all this, we will be pointing out the various differences between these implementations.

Presented By:
Paul Sabanal
Mark Vincent Yason

Black Hat - USA - 2012 Hacking conference