Windows 8 introduces lots of security improvements; one of the most interesting features is the Metro-style app. It not only provides a fancy user interface, but also a solid application sandbox environment. All Metro-style applications run in AppContainer, and the AppContainer sandbox isolates the execution of each application. It ensures that an app does not have access to capabilities that it has not declared and that the user has not granted.
This presentation will introduce the design of Metro-style apps as well as the AppContainer sandbox. We will dive into the details of the architecture and see how it works and how it protects against a malicious app. After reviewing the design, we are going to look for possible attack vectors to bypass the sandbox. The analysis will proceed from the low level to the high level. We will describe how we find the target to attack and how we analyze the different layers, such as ALPC debugging, COM server attacks, WinRT API fuzzing, and logic flaw discovery. Beyond the methodology, we will also demonstrate some of the problems we have discovered, including tricks to bypass AppContainer to access files, launch programs, and connect to the Internet.
Sung-ting (TT) is a manager of an advanced threat research team in the core tech department of Trend Micro. His major areas of interest include document exploits, malware detection, sandbox technologies, system vulnerabilities and protection, web security, and cloud and virtualization technology. He has also been doing document application security research for years, and has presented his research at Black Hat USA 2011, Syscan Singapore 10 and Hacks in Taiwan 08. He and Ming-chieh are members of the CHROOT security group in Taiwan.
Ming-chieh's (Nanika) major areas of expertise include vulnerability research, exploit techniques, malware detection and mobile security. He has 10+ years of experience in vulnerability research on the Windows platform, malicious documents, and exploits. He has discovered numerous Windows system and document application vulnerabilities, in products such as Microsoft Office, Adobe PDF, and Flash. He frequently presents his research at security conferences, including Black Hat USA 2012, Syscan Singapore/Taipei/Hong Kong 08/10, and Hacks in Taiwan Conference 05/06/07/09/10/12. Ming-chieh is a staff research engineer with Trend Micro. He and Sung-ting are members of the CHROOT security group in Taiwan.