Attacking the modern browser and its plugins is becoming harder. Vendors are employing numerous mitigation technologies to increase the cost of exploit development. An attacker is now forced to uncover multiple vulnerabilities to gain privileged-level code execution on his targets. First, an attacker needs to find a vulnerability, leak an address to get around ASLR, and bypass DEP to gain code execution within the renderer process. The attacker then needs to bypass the application sandbox to elevate his privileges, which will allow him to do something interesting. Our journey begins at the sandbox and investigates some of the more obscure techniques used to violate this trust boundary.
What should you focus on when you are auditing a sandbox implementation? There are the traditional approaches: find a memory corruption vulnerability in IPC message handling, attack the kernel to get SYSTEM-level privilege escalation, or abuse shared memory regions. Sure, any of these will work but they may not be the easiest way. Our presentation will examine four bypass techniques successfully used in winning entries at this year's Pwn2Own contest. We will analyze the attack vector used, root causes, and possible fixes for each technique. These uncommon, yet highly effective, approaches have been used to bypass the most advanced application sandboxes in use today, and understanding them will provide a unique perspective for those working to find and verify such bypasses.