Keynote:Application Sandboxes: Know thy limits presented at OWASPAppSecCalifornia 2014

by Rahul Kashyap,

Summary : As we secure applications leveraging sandboxes, it is important to understand the attack surface as it presents opportunities for attackers. In this talk we’ll decompose application sandboxes from the lens of a pen-tester. We look at various popular sandboxes such as Google Chrome, Adobe ReaderX, and Sandboxie, amongst others, and discuss the limitations of each technology and its implementation details. Further, we discuss in depth with live exploits how to break out of each category of sandbox by leveraging various kernel and user mode exploits – something that future malware could leverage. Some of these exploit vectors have not been discussed widely and awareness is important.