Lately we have seen how sandboxing technology is positively altering the software security landscape. From the Chrome browser, to Adobe Reader, to Mac and iOS applications, sandboxing has become one of the main exploit mitigation technologies that software has come to rely on. Like all critical security technologies, sandboxes need to be understood and scrutinized, mainly to see how effective they are, or at the very least, to satisfy one's curiosity. The sandbox implementations for Adobe's Flash Player certainly piqued ours.
Our talk will explore the internals of three sandbox implementations for Flash: Protected Mode Flash for Chrome, Protected Mode Flash for Firefox, and Pepper Flash. And of course, we will show that an exhaustive exploration of the Flash sandboxes will eventually yield gold as we discuss and demonstrate some Flash sandbox escape vulnerabilities we found along the way.
We start with a look at the high level architecture of each sandbox implementation. Here we will define the role of each process and the connections between them. In the second part, we will dive deep into the internal sandbox mechanisms at work such as the sandbox restrictions, the different IPC protocols in use, the services exposed by higher-privileged processes, and more. In the third part of our talk we will take a look at each sandbox's security and talk about the current limitations and weaknesses of each implementation. We will then discuss possible avenues to achieve a sandbox bypass or escape. Throughout all this we will be pointing out the various differences between these implementations.
Paul Sabanal is a security researcher on IBM ISS's X-Force Advanced Research Team. He has spent most of his career as a reverse engineer, initially as a malware researcher and now focusing mainly on vulnerability analysis and exploit development. He has previously presented at Blackhat with Mark Yason on the subject of C++ reversing and Adobe Reader's Protected Mode Sandbox. His main research interests these days are in protection technologies and automated binary analysis tools. He is currently based in Manila, Philippines.
Mark Vincent Yason is a security researcher on IBM's X-Force Advanced Research team. Mark's current focus area is vulnerability and exploit research: he analyzes known vulnerabilities, discovers new vulnerabilities, studies exploitation techniques, and creates detection guidance/algorithms which are used in the development of IDS/IPS signatures. He also previously worked on malware research, which naturally involved some degree of software protection research. He authored the paper "The Art of Unpacking" and co-authored the papers "Reversing C++" and "Playing In The Reader X Sandbox", all of which were previously presented at BlackHat.