Browser Exploits - A New Model For Browser Security presented at HITBSecConf Malaysia 2008

by Saumil Udayan Shah

Tags: Security Browser

Summary:

Presentation Abstract:

This presentation is in two parts: (a) Exploring the browser’s attack surface and (b) the Teflon approach for fine-grained browser security.

This presentation begins with an examination of the fundamental architecture of a browser and its components to get a proper understanding of the full attack surface. The focus then moves to key concepts that are leveraged in practical exploitation of browsers. A few examples of popular browser exploits and an example “0-day” exploit shall be demonstrated. The talk also goes to show how the next generation of JavaScript-delivered exploits render current defense mechanisms useless. Antivirus programs and malware scanners are already being proved ineffective and cannot continue to identify and stop browser exploits in the future. The talk then moves on to new proposed defense mechanisms that attack the very principles that browser exploits depend on.

The second part of the presentation revolves around Teflon. Work on Teflon started in March 2008. Teflon 1.0 shall be released in this talk. Teflon is built upon the concept of fine-grained browser security. We shall demonstrate how Teflon succeeds in thwarting the next generation of browser attacks demonstrated earlier.

About Saumil

Saumil continues to lead the efforts in security research at Net-Square. Saumil has had more than ten years' experience with system administration, network architecture, integrating heterogeneous platforms, and information security and has performed numerous ethical hacking exercises for many significant companies in the IT area. Saumil has been a regular speaker and trainer at conferences such as Blackhat, RSA, Hack-in-the-Box, IT Underground, CanSecWest, EUSecWest, Hack.LU, etc.

Previously, Saumil held the position of Director of Indian operations at Foundstone Inc. and a senior consultant with Ernst & Young. Saumil has also worked at the Indian Institute of Management, Ahmedabad, as a research assistant.

Saumil graduated from Purdue University with a master’s degree in computer science and a strong research background in operating systems, networking, information security, and cryptography. He got his undergraduate degree in computer engineering from Gujarat University, India. Saumil is a co-author of “Web Hacking: Attacks and Defense” (Addison Wesley, 2002) and is the author of “The Anti-Virus Book” (Tata McGraw-Hill, 1996).

PAPERS PUBLISHED:
- Facts and findings from the Honeynet project
- Architectural vulnerabilities in Java application servers
- One-way Web Hacking
- HTTP Fingerprinting and advanced assessment techniques
- Defeating automated web assessment
- Spyware and adware, the quest for the consumer desktop
- Web 2.0 Application Security