Java and Java Virtual Machine Security Vulnerabilities and Their Exploitation Techniquess presented at BlackHatAsia 2002

by LSD ,

Summary : The presentation would be divided into two parts.
Part 1: Fundamental information about Java and JVM security will be presented in order to understand the second part of the presentation. In this introductory part we will briefly present Java language built-in security features, applet sandbox model,security manager and bytecode verifier.
Part 2: Will be focused on actual JVM security vulnerabilities and attack techniques. In this second part we will present common attack techniques that can be used against JVM. Along with that applet sandbox escaping techniques will be also discussed in the context of Internet Explorer and Netscape Communicator web browsers.
Next, a detailed discussion of several known (though unpublished) JVM security vulnerabilities along with their exploitation techniques will be presented. It will be followed by a presentation of some new and not yet published security vulnerabilities in Microsoft, SUN and Netscape's JVM implementations. At the end of the talk some thoughts will be given with regard to JVM security, the threats posed by its vulnerabilities and possible implication they might have for users of all kind of mobile equipment.
Last Stage of Delirium Research Group is a non-profit organization established in 1996 in Poland. Its main fields of activity cover various aspects of modern network and information security, with special emphasis on analysis of technologies for gaining unauthorized accesses to systems (including the actual search for vulnerabilities, developing reverse engineering tools, proof of concept codes as well as general technologies for exploitation of vulnerabilities). The group has significant experience in performing penetration tests (based upon own codes, tools and techniques) as well as in design and deployment of security solutions for complex network infrastructures including experiments with Intrusion Detection and Prevention Systems.
The group consists of four members, all graduates (M.Sc.) of Computer Science from the Poznan University of Technology. For the last six years they have been working as Security Team at Poznan Supercomputing and Networking Center. As the LSD Research Team, they have also discovered several vulnerabilities for commercial systems and provided proof of concept codes for many others. More information including samples of their work can be found at the LSD website.