Explore the evolving landscape of Java vulnerabilities and exploitation techniques in this Black Hat USA 2013 conference talk. Delve into the security challenges faced by Oracle Java over a three-year period, examining vulnerability trends, attack surfaces, and the shift from classic memory corruption issues to abuses of the reflection API. Gain insights into the top five vulnerability types submitted to the Zero Day Initiative (ZDI) program, and learn about specific weaknesses in Java sub-components. Analyze how attackers and exploit kit authors leverage these vulnerabilities, and discover the techniques used in the Pwn2Own competition. Understand Oracle's response to recent security issues and the steps taken to address them. Equip yourself with valuable knowledge for vulnerability research and auditing of Java components in this comprehensive exploration of Java security.
Java Every-Days - Exploiting Software Running on 3 Billion Devices
Overview
Syllabus
Intro
Solution
Introduction
Vulnerability Sample Set
Oracle Java's Footprint and Software Architecture
Vulnerability Trending and Attack Surface
Vulnerability Statistics 2011-2013
Oracle Java Patch Statistics
Zero Day Initiative Submission Trends
Insight into Vulnerability Classes (CWE)
CWE-265 Breakdown and Historical Timeline
Styles of Memory Corruption
Top 7 Vulnerability Classes in the Java
Extrapolating Sub-component Weaknesses
Java Sub-component Weaknesses
Library Sub-component Weaknesses
2D Sub-component Weaknesses
JavaFX Sub-component Weaknesses
Leveraging Sub-component Weaknesses
Threat Landscape
Vulnerability Prevalence in Toolkits
Exploitation Techniques
Case Study
Vendor Response Review
Handling Vulnerability Disclosure
Package Restriction List Modifications
Oracle Weathered Quite The Storm
Good Luck Bug Hunting!
Taught by
Black Hat
