Azimuth Security: August 2010 <body onload='MM_preloadImages(&apos;http://www.azimuthsecurity.com/images/a_02.gif&apos;,&apos;http://www.azimuthsecurity.com/images/r_02.gif&apos;,&apos;http://www.azimuthsecurity.com/images/t_02.gif&apos;,&apos;http://www.azimuthsecurity.com/images/s_02.gif&apos;)'><script type="text/javascript"> function setAttributeOnload(object, attribute, val) { if(window.addEventListener) { window.addEventListener('load', function(){ object[attribute] = val; }, false); } else { window.attachEvent('onload', function(){ object[attribute] = val; }); } } </script> <div id="navbar-iframe-container"></div> <script type="text/javascript" src="https://apis.google.com/js/platform.js"></script> <script type="text/javascript"> gapi.load("gapi.iframes:gapi.iframes.style.bubble", function() { if (gapi.iframes && gapi.iframes.getContext) { gapi.iframes.getContext().openChild({ url: 'https://www.blogger.com/navbar.g?targetBlogID\x3d509652393303233687\x26blogName\x3dAzimuth+Security\x26publishMode\x3dPUBLISH_MODE_HOSTED\x26navbarType\x3dBLUE\x26layoutType\x3dCLASSIC\x26searchRoot\x3dhttp://blog.azimuthsecurity.com/search\x26blogLocale\x3den\x26v\x3d2\x26homepageUrl\x3dhttp://blog.azimuthsecurity.com/\x26vt\x3d1038547295672672920', where: document.getElementById("navbar-iframe-container"), id: "navbar-iframe" }); } }); </script>
azimuth security services training resources about BLOG
project zeus
"You will not be informed of the meaning of Project Zeus until the time is right for you to know the meaning of Project Zeus."
Archives
Current Posts
April 2010
May 2010
August 2010
September 2012
February 2013
March 2013
April 2013
May 2013
June 2013
December 2013
March 2014
January 2015
Posts
The Chrome Sandbox Part 2 of 3: The IPC Framework
The Chrome Sandbox Part 2 of 3: The IPC Framework
posted by Anonymous @ 8/28/2010 07:55:00 AM  

This post is the second part of a 3-part series about the Chrome sandbox. In the first post, I presented a basic overview of the Chrome process architecture and presented a breakdown of the attack surfaces for performing privilege escalations. This post continues our exploration of Chrome by focusing on one of the major attack surfaces identified - the IPC framework. As detailed in the previous post, this framework is used by Chrome to expose functionality to other processes by exporting a number of callback methods that client processes may invoke, much in the same way that traditional RPC client/server interaction occurs. This post discusses the inner workings of the IPC framework - a background to how it works, how messages are serialized and routed, and how to enumerate the attack surface to find processing exposed to untrusted  inputs. Several vulnerabilities that were uncovered during my audit are also presented to help illustrate what kind of vulnerabilities can occur at various levels of process interaction.

Read more »

Labels: , , , ,

7 comments
© Copyright 2013 Azimuth Security Pty Ltd