Leaking Addresses with Vulnerabilities that Can't Read Good

Presented at Summercon 2013, June 8, 2013, noon (50 minutes)

Paul and Dion ask: What Would Paul Kocher Do? We will present two methods for disclosing heap addresses in ECMAScript engines without a traditional wild read/write primitive. The first technique [1] takes advantage of timing differences exposed via a popular hash table implementation technique. The second technique [2] exploits observable weak references and a common garbage collection implementation technique. We'll demonstrate and discuss the implementation of each technique. Finally, we'll discuss attempts at applying these techniques to multiple engines, including both successes and failures. Side channels aren't just for cryptographers.


Presenters:

  • pa_kt
    pa_kt is a Senior Research Engineer on Sourcefire's Vulnerability Research team. 10+ years of experience in reverse engineering in various roles (like malware analyst or vulnerability researcher) and an MSc in computer science help him to fulfil his current responsibilities at Sourcefire, which include (but are not limited to) automating various stages of vulnerability discovery and triage.
  • Dionysus Blazakis
    Dionysus Blazakis is a programmer. He once wrote an exploit. He sometimes skips sleep to curse at his computer for 12 hours or so. Mostly, he fails to find anything interesting in the dark corners of software systems. He often tries new programming languages. He lives in Baltimore with his wife and two kids.