Hackers of India

Browser Exploits - A New Model for Browser Security

Saumil Shah

2008/10/29


Presentation Material

Abstract

This presentation is in two parts: (a) Exploring the browser’s attack surface and (b) the Teflon approach for fine-grained browser security.

This presentation begins with an examination of the fundamental architecture of a browser and its components, to give a proper understanding of the full attack surface. The focus then moves to key concepts that are leveraged in the practical exploitation of browsers. A few examples of popular browser exploits and an example “0-day” exploit shall be demonstrated. The talk also goes on to show how the next generation of JavaScript-delivered exploits renders current defense mechanisms useless. Antivirus programs and malware scanners are already being proved ineffective and cannot continue to identify and stop browser exploits in the future. The talk then moves on to newly proposed defense mechanisms that attack the very principles that browser exploits depend on.

The second part of the presentation revolves around Teflon. Work on Teflon started in March 2008. Teflon 1.0 shall be released in this talk. Teflon is built upon the concept of fine-grained browser security. We shall demonstrate how Teflon succeeds in thwarting the next generation of browser attacks demonstrated earlier.