Raising the Bar on Browser Attacks

VANCOUVER–If there’s one thing that emerged from all of the craziness that was CanSecWest, Pwn2Own and Pwnium, it’s that life is becoming more difficult for researchers and attackers looking to exploit modern browsers. It’s not impossible, of course, but it’s certainly not the warm-up exercise that it was four or five years ago.

Browser attacksVANCOUVER–If there’s one thing that emerged from all of the craziness that was CanSecWest, Pwn2Own and Pwnium, it’s that life is becoming more difficult for researchers and attackers looking to exploit modern browsers. It’s not impossible, of course, but it’s certainly not the warm-up exercise that it was four or five years ago.

The headlines that come out of Pwn2Own each year paint a picture of researchers sitting down at a MacBook Pro or Windows laptop, firing up their exploits and popping the target browser, with all of this taking roughly 90 seconds. That’s the shiny exterior of the process. What the headlines don’t tell you is that before Charlie Miller or Vincenzo Iozzo or Chaouki Bekrar sits down at the desk in the crowded little hotel conference room here, they’re all spending weeks or sometimes months looking for the perfect vulnerability and developing a reliable exploit for it.

In the pre-exploit mitigation days, that process was fairly straightforward and reasonable. Spend some time banging on your browser of choice, look for an interesting crash, try to turn that into an exploitable bug and then develop an exploit for it. The introduction of exploit mitigations such as ASLR and DEP in Windows and sandboxes in Google Chrome and Internet Explorer a few years ago have made that process much more complicated, time-consuming and frustrating for researchers. That, of course, was the whole idea, and to hear the researchers who participated in Pwn2Own and Pwnium tell it, it’s worked quite well.

Rather than using just one specific vulnerabilty to compromise a browser, researchers and attackers now need to chain several bugs together in most cases, and even then it can all be for naught if they can’t get out of the sandbox at the end of it. With protected mode in IE and the sandbox in Chrome, that’s a major obstacle, even for researchers at the top of their game.

“The Chrome sandbox is much harder [to break out of] because we have a bug in protected mode in IE,” said Bekrar, whose VUPEN team won Pwn2Own this year after compromising Chrome and IE.

Both of those attacks involved multiple bugs chained together in order to allow the team to break out of the browser’s sandbox. While his team ultimately was successful, Bekrar said the process of finding and exploiting those vulnerabilities was a difficult one. It took two researchers more than a month to work out the IE attack and exploit, and the bug in the browser’s protected mode that they used as part of it is valuable enough that they’re going to be able to use it in future attacks on IE. 

Things are going to become even more difficult, too, as Microsoft and some of the other browser vendors are preparing to add further exploit mitigations to their browsers in upcoming versions. IE 10, which is coming as part of Windows 8 and is in consumer preview now, has some new security features that protect against memory leaks and exploitation of use-after-free bugs. Bekrar said that even though the bugs they used against IE in Pwn2Own work against IE 10, he’s confident that exploiting the newer browser will be a much harder task.

“It will make exploitation much harder and more complicated,” he said.

In the case of Chrome, the sandbox has presented such a challenge to researchers that Google decided to pledge a $1 million fund for its own Pwnium contest this year as a way to entice them to produce bugs in the browser for as much as $60,000 per bug. Two researchers took them up on the offer, including one anonymous entrant named PinkiePie who told Ryan Naraine at Zero Day that he’d worked on the Chrome exploit for about 10 days.

That’s a lot of work. The rewards in the contests obviously make that effort worthwhile, but it’s a testament to the work done by Microsoft and Google to lock down their browsers that even with all of that cash available, only a handful of researchers stepped forward to try their hands. Of course, what the contests also showed is that none of these browsers can stand up to the focused efforts of a dedicated attacker (or team of attackers), but that’s not news. What’s important is that it’s getting more difficult for those people and that the browsers can withstand the efforts of casual attackers. 

That’s progress and that’s something.

Suggested articles