Java Every-Days: Exploiting Software Running on 3 Billion Devices

DEF CON 21

Presented by: Brian Gorenc, Jasiel Spelman
Date: Sunday August 04, 2013
Time: 11:00 - 11:45
Location: Track 3
Track: Track 3

Over the last three years, Oracle Java has become the exploit author's best friend. And why not? Java has a rich attack surface, broad install base, and runs on multiple platforms allowing attackers to maximize their return-on-investment. The increased focus on uncovering weaknesses in the Java Runtime Environment (JRE) shifted research beyond classic memory corruption issues into abuses of the reflection API that allow for remote code execution. This talk focuses on the vulnerability trends in Java over the last three years and intersects public vulnerability data with Java vulnerabilities submitted to the Zero Day Initiative (ZDI) program.

We begin by reviewing Java's architecture and patch statistics to identify a set of vulnerable Java components. We then highlight the top five vulnerability types seen in ZDI researcher submissions that impact these JRE components and emphasize their recent historical significance. The presentation continues with an in-depth look at specific weaknesses in several Java sub-components, including vulnerability details and examples of how the vulnerabilities manifest and what vulnerability researchers should look for when auditing the component.

Finally, we discuss how attackers typically leverage weaknesses in Java. We focus on specific vulnerability types attackers and exploit kits authors are using and what they are doing beyond the vulnerability itself to compromise machines. We conclude with details on the vulnerabilities that were used in this year's Pwn2Own competition and review steps Oracle has taken to address recent issues uncovered in Java.

Brian Gorenc

Brian Gorenc (@MaliciousInput, @thezdi) is the Manager of Vulnerability Research in HP's Security Research organization. His primary responsibility is running the Zero Day Initiative (ZDI) program and doing root cause analysis on ZDI submissions. Brian's current research centers on discovering vulnerabilities in popular software, analyzing attack techniques, and identifying vulnerability trends. Prior to joining HP he worked for Lockheed Martin on the F-35 Joint Strike Fighter program where he led the development effort of the Information Assurance (IA) products in the JSF's mission planning environment.

Jasiel Spelman

Jasiel Spelman (@WanderingGlitch) is a vulnerability analyst and exploit developer for the Zero Day Initiative (ZDI) program. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability, followed by developing exploits for accepted cases. Prior to being part of ZDI, he was a member of the Digital Vaccine team where he wrote exploits for ZDI submissions and helped develop the ReputationDV service from TippingPoint. Jasiel's focus started off in the networking world but then shifted to development until transitioning to security. He has a B.A. in Computer Science from the University of Texas at Austin.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats