Hackers of India

Browser Exploits - A New Model for Browser Security

By Saumil Shah on 29 Oct 2008 @ Hitb Sec Conf


Abstract

This presentation is in two parts: (a) Exploring the browser’s attack surface and (b) the Teflon approach for fine-grained browser security.

This presentation begins with an examination of the fundamental architecture of a browser and its components to get a proper understanding of the full attack surface. The focus then moves to key concepts that are leveraged in practical exploitation of browsers. A few examples of popular browser exploits and an example “0-day” exploit shall be demonstrated. The talk also goes to show how the next generation of JavaScript-delivered exploits render current defense mechanisms useless. Antivirus programs and malware scanners are already being proved ineffective and cannot continue to identify and stop browser exploits in the future. The talk then moves on to new proposed defense mechanisms that attack the very principles that browser exploits depend on.

The second part of the presentation revolves around Teflon. Work on Teflon started in March 2008. Teflon 1.0 shall be released in this talk. Teflon is built upon the concept of fine-grained browser security. We shall demonstrate how Teflon succeeds in thwarting the next generation of browser attacks demonstrated earlier.

AI Generated Summary (may contain errors)

The speaker discusses their project, Teflon, which aims to prevent malicious code from running on web pages. They explain that they are currently rewriting DOM mutations to detect and sanitize malicious tags, but this approach may break some functionality. The speaker acknowledges that their JavaScript skills are limited and welcomes contributions to the project.

Teflon does not use signatures to identify bad behavior, unlike antivirus software. Instead, it focuses on detecting specific types of tags or extensions that are commonly used for malicious purposes. The goal is to create a declarative model where websites can specify what types of content they want to allow or block.

The speaker also discusses the concept of a “non-executable heap” and how it could potentially prevent certain types of attacks, such as heap sprays. They argue that while technologies like DEP/NX exist, they are not widely adopted, and evangelizing their use may be more effective than developing new solutions.

Overall, the speaker is exploring ways to improve web security by preventing malicious code from running on web pages and promoting the adoption of secure coding practices.