Abstract
It has been a decade since I started talking about computer security. 10 years have witnessed a change in threat landscapes, attack targets, exploits, techniques and damage. Two eco-systems are slowly and surely converging into one. On one hand, we have the application layer. Much has been talked about it. There is a steady trickling flow of XSS, XSRF, SQL injection and the usual suspects. Some of them are under the guise of “Web 2.0″, and some of them are as ancient as CGI attacks of 1999. On the other hand, we have the desktop. Dominating the desktop is the browser, with its horde of assistants. Exploitation in this space has accelerated in the last 3 years.
How will the threat landscape change with the advent of new technologies and services? New standards are emerging, and the darling child of the web is HTML 5. A closer look at standards reveals and awful mess. Are the standards mitigating any security concerns? More importantly, will browser vendors and web application developers really respect the standards? The browser wars taught us that “might is right”. If everyone breaks the web, that becomes a new adopted standard. New technologies, coupled with popular online services make for some very interesting exploit delivery techniques.
This talk explores some innovative exploit delivery techniques that are born as a result of bloated standards and services designed without much thought towards security. We cover techniques where exploits can be delivered through URL shorteners and images. We take a look at some browser exploits. This talk ends with a discussion on exploit sophistication, ranging from highly polished and elegant techniques such as Return Oriented Programming to the downright crude and ugly techniques such as DLL Hijacking. How will we combine all this together? And will Anti-Virus still save us all?