Showing Posts From
June 2014
- 20 Jun 2014
Isolated Heap & Friends - Object Allocation Hardening in Web Browsers
Web browsers have implemented object allocation hardening techniques to mitigate use-after-free vulnerabilities. These techniques include Internet Explorer's Isolated Heap, Firefox's Presentation Arena, and Chrome's PartitionAlloc. Each approach aims to constrain memory allocation strategies and make exploitation more difficult by separating object types and controlling memory reuse.
- 18 Jun 2014
BeagleBone Black, GNU Radio, and HackRF One
This guide details setting up a BeagleBone Black with Ångström Linux to compile GNU Radio and HackRF drivers. The tutorial provides step-by-step instructions for configuring an embedded Linux system to work with a HackRF One software-defined radio. Configuration involves installing dependencies, setting up system settings, and building software components for software-defined radio applications.
-
Dave Hartley - 12 Jun 2014
Fracking With Hybrid Mobile Applications
Dave Hartley's presentation explores the security implications of hybrid mobile applications across multiple platforms. The talk examines how hybrid apps combine web and native application features using frameworks like PhoneGap. It highlights security risks introduced by WebView and cross-platform development approaches that allow web code to access local device resources.
- Dave Hartley
- 12 Jun 2014
Native Bridge's Over Troubled Water
Mobile security research by Dave Hartley explored vulnerabilities in mobile advertising networks across multiple platforms. The study investigated cross-platform exploitation potential in Windows Phone, Android, Blackberry, and iOS operating systems. Findings focused on identifying security issues within popular mobile ad networks.
- Dave Hartley
- 12 Jun 2014
Putting JavaScript Bridges into (Android) Context
This article explores techniques for obtaining Android Context in WebView JavaScript-to-Java bridge vulnerabilities. Multiple methods for retrieving Context are investigated using reflection and Java Native Interface (JNI) techniques. The research demonstrates approaches to accessing system resources and package information during post-exploitation scenarios in Android applications.
- 5 Jun 2014
Continued Adventures with iOS UIWebViews
This article explores security vulnerabilities in iOS UIWebViews, specifically focusing on custom NSURLProtocol implementations. The research demonstrates how attackers can bypass naive security checks by manipulating HTTP headers and using techniques like XMLHttpRequest to access restricted resources. A proof-of-concept JavaScript payload is presented to illustrate potential exploitation methods for file access and data exfiltration.