Tackling Privilege Escalation with Offense and Defense

Explore a comprehensive conference talk from Black Hat that delves into privilege escalation vulnerabilities and defense strategies in JavaScript engines. Learn about surprising discoveries made by Zero Day Initiative program researchers, which were instrumental in verifying application hardening processes. Gain insights into the elimination of vulnerabilities within a security model implemented in a JavaScript engine through a multi-pronged approach. Examine the architecture, attack surfaces, and bypass techniques used in JavaScript engines, including privileged contexts, trusted functions, and folder-level scripts. Understand the history of JavaScript, key design decisions, and implementation challenges. Discover how static analysis, point analysis, and security information flow contribute to defending against privilege escalation attacks. Benefit from the expertise of Abdul-Aziz Hariri and Edgar Pek as they share their findings and strategies for tackling this critical security issue.

Introduction
Who are you
Ideal Reader
Architecture
The IE Rush
JavaScript Attack Surface
JavaScript Engine
privileged and unprivileged contexts
trusted functions
folderlevel scripts
bin file
decompile tool
attacking the engine
why bypass restrictions
discovery
root level eval
trusted function
fix
identity
global
xqdialogue
Adobe patch
JJS API bypasses
Defending the engine
History of JavaScript
Design Decisions
Key Features
Reference Monitor
Implementation Problem
Implementation Example
Static Analysis
Point Analysis
Security Information Flow
Soundness is not necessary
Soundness is not binary
Conclusion