The Language Of Trust: Exploiting Trust Relationships In Active Content presented at BlueHat 2009

by Ryan Smith (Accuvant Labs), David Dewey (IBM ),

Tags: Security

Summary : Interactive content has become increasingly powerful and more flexible over the last few years, with major functionality additions appearing in several web-based technologies such as Javascript, .NET, and via browser plugins. These functionality changes, coupled with increasingly complex cross-communication layers, have created a nuanced and precarious trust layer between many different previously unrelated components.
This presentation attempts to address the issue of trust in the context of active content, and how it is more complicated than it might first appear. We will demonstrate the exploitation of these trust relationships at different levels of applications, from subverting architectural security controls to memory corruption vulnerabilities that lead to arbitrary execution.