Description: PDF :- http://www.shmoocon.org/2012/presentations/Jeong_Wook_Oh_AVM%20Inception%20-%...
Binary instrumentation has traditionally been applied to native code, but the same technique can be applied to bytecode that runs on a virtual machine. We are surrounded by many kinds of virtual machines these days. One of them is AVM, the ActionScript Virtual Machine inside Adobe Flash Player, and AVM has been one of the most heavily exploited targets of the last few years, with vulnerabilities including CVE-2011-0611 and CVE-2011-0609. Because such an issue spans both the bytecode world and the native world, analysing the vulnerability takes far longer than analysing a traditional native bug.
We developed bytecode instrumentation (in this case AVM bytecode instrumentation) to solve this problem. What analysts see in crash dumps or debug traces is dynamically generated JIT code. Debugging the problem by tracing that JIT code is not impossible, but it is much quicker when you know what is really happening at the bytecode level.
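To make the idea concrete, here is a small AVM2 bytecode instrumenter written for this page; it is an added example, not the speaker's tool and not code from Adobe or any existing ABC library. It assumes the caller has already pulled a method body's code bytes out of the ABC container, knows which constant-pool indices name the `trace` function and the message string (the indices used below are constructed), and that the method's max_stack has room for two extra values. It decodes a subset of the instruction set (variable-length u30 operands, s24 branch offsets), inserts a stack-neutral trace hook before every instruction you select, and rewrites branch targets so the instrumented method still runs: that offset fixup is the part that lets you see bytecode-level behaviour instead of chasing JIT output.

```python
"""Minimal AVM2 (ActionScript 3) bytecode instrumenter (added example)."""

# Subset of the AVM2 instruction set: opcode -> (mnemonic, operand kinds).
# Unknown opcodes raise, so variable-length operands are never misdecoded.
OPCODES = {
    0x10: ("jump", ("s24",)), 0x11: ("iftrue", ("s24",)), 0x12: ("iffalse", ("s24",)),
    0x13: ("ifeq", ("s24",)), 0x14: ("ifne", ("s24",)), 0x15: ("iflt", ("s24",)),
    0x16: ("ifle", ("s24",)), 0x17: ("ifgt", ("s24",)), 0x18: ("ifge", ("s24",)),
    0x24: ("pushbyte", ("u8",)), 0x25: ("pushshort", ("u30",)), 0x2c: ("pushstring", ("u30",)),
    0x2d: ("pushint", ("u30",)), 0x29: ("pop", ()), 0x30: ("pushscope", ()),
    0x46: ("callproperty", ("u30", "u30")), 0x47: ("returnvoid", ()), 0x48: ("returnvalue", ()),
    0x4f: ("callpropvoid", ("u30", "u30")), 0x5d: ("findpropstrict", ("u30",)),
    0x60: ("getlex", ("u30",)), 0x61: ("setproperty", ("u30",)), 0x62: ("getlocal", ("u30",)),
    0x63: ("setlocal", ("u30",)), 0x66: ("getproperty", ("u30",)),
    0xa0: ("add", ()), 0xa1: ("subtract", ()), 0xa2: ("multiply", ()),
    0xd0: ("getlocal_0", ()), 0xd1: ("getlocal_1", ()), 0xd2: ("getlocal_2", ()),
    0xd3: ("getlocal_3", ()), 0xd4: ("setlocal_0", ()), 0xd5: ("setlocal_1", ()),
    0xd6: ("setlocal_2", ()), 0xd7: ("setlocal_3", ()),
}
BRANCHES = {op for op, (_, kinds) in OPCODES.items() if "s24" in kinds}


def read_u30(code, pos):
    """Decode a little-endian 7-bit-per-byte variable-length integer."""
    value, shift = 0, 0
    while True:
        b = code[pos]
        pos += 1
        value |= (b & 0x7f) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
        if shift > 28:
            raise ValueError("u30 longer than 5 bytes")


def encode_u30(value):
    out = bytearray()
    while True:
        b, value = value & 0x7f, value >> 7
        if not value:
            out.append(b)
            return bytes(out)
        out.append(b | 0x80)


def decode(code):
    """Return (offset, opcode, operands, length) for every instruction."""
    insns, pos = [], 0
    while pos < len(code):
        op = code[pos]
        if op not in OPCODES:
            raise ValueError(f"unsupported opcode 0x{op:02x} at {pos}")
        p, operands = pos + 1, []
        for kind in OPCODES[op][1]:
            if kind == "u30":
                v, p = read_u30(code, p)
            elif kind == "u8":
                v, p = code[p], p + 1
            else:  # s24 branch offset, relative to the end of the instruction
                v, p = int.from_bytes(code[p:p + 3], "little", signed=True), p + 3
            operands.append(v)
        insns.append((pos, op, operands, p - pos))
        pos = p
    return insns


def disassemble(code):
    """Human-readable listing with branch targets resolved to absolute offsets."""
    lines = []
    for off, op, operands, length in decode(code):
        name = OPCODES[op][0]
        shown = [f"-> {off + length + operands[0]}"] if op in BRANCHES else operands
        lines.append(f"{off:4d}: {name} {' '.join(map(str, shown))}".rstrip())
    return lines


def trace_hook(trace_idx, string_idx):
    """findpropstrict trace; pushstring msg; callpropvoid trace 1 -- stack-neutral."""
    return (bytes([0x5d]) + encode_u30(trace_idx) + bytes([0x2c]) + encode_u30(string_idx)
            + bytes([0x4f]) + encode_u30(trace_idx) + encode_u30(1))


def instrument(code, hook, wanted):
    """Insert `hook` before each instruction whose opcode is in `wanted`, fixing branches."""
    insns = decode(code)
    new_off, cur = {}, 0            # old instruction start -> new start (hook included)
    for off, op, _, length in insns:
        new_off[off] = cur
        cur += (len(hook) if op in wanted else 0) + length
    new_off[len(code)] = cur        # a branch may target the end of the code
    out = bytearray()
    for off, op, operands, length in insns:
        if op in wanted:
            out += hook
        raw = code[off:off + length]
        if op in BRANCHES:
            old_target = off + length + operands[0]
            if old_target not in new_off:
                raise ValueError(f"branch at {off} lands inside an instruction")
            delta = new_off[old_target] - (len(out) + length)
            raw = raw[:1] + delta.to_bytes(3, "little", signed=True)
        out += raw
    return bytes(out)


# Constructed method body (not from any real SWF): if (local1 < 10) trace("small") else trace("big").
# Constant-pool indices 1 (trace), 2 ("big"), 3 ("small"), 4 (hook message) are assumptions.
SAMPLE = bytes([
    0xd0, 0x30, 0xd1, 0x24, 0x0a,      # getlocal_0; pushscope; getlocal_1; pushbyte 10
    0x15, 0x0b, 0x00, 0x00,            # 5: iflt -> 20
    0x5d, 0x01, 0x2c, 0x02,            # findpropstrict trace; pushstring "big"
    0x4f, 0x01, 0x01,                  # 13: callpropvoid trace 1
    0x10, 0x07, 0x00, 0x00,            # 16: jump -> 27
    0x5d, 0x01, 0x2c, 0x03,            # 20: findpropstrict trace; pushstring "small"
    0x4f, 0x01, 0x01,                  # 24: callpropvoid trace 1
    0x47,                              # 27: returnvoid
])

if __name__ == "__main__":
    patched = instrument(SAMPLE, trace_hook(1, 4), {0x4f})
    print("\n".join(disassemble(patched)))
```

Running the block prints the patched listing: each `callpropvoid` now carries a 7-byte hook in front of it, the `iflt` at offset 5 is retargeted from 20 to 27 and the `jump` from 27 to 41. A real instrumenter on a SWF still has to parse the DoABC tag, add the hook's strings and multinames to the constant pool, raise max_stack where needed, and rewrite exception-table and lookupswitch offsets, none of which this example does.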
Jeong Wook Oh works for the Microsoft Malware Protection Center handling vulnerability-centric cases. He usually handles post-mortem cases, but he also contributes to the Microsoft Vulnerability Research (MSVR) program. Before MMPC, he worked for eEye Digital Security as a product development engineer and for Websense as a security researcher. He is the creator of the DarunGrim project (http://darungrim.org), an open-source patch analysis tool that can be used to analyze vendor patches without source code. He is now mostly interested in binary instrumentation technologies and emulation.
Tags: securitytube, shmoocon, shmoo con, hacking, hackers, information security, convention, computer security, shmoo 12, shmoocon 12, shmoocon-2012
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting or linking it here. Please do not assume the authors are the same without verifying.