Learn, hack!

URL

http://www.sourceconference.com/bos10pubs/SOURCE%20Boston%202010%20Clark%20slides.ppt

File name

SOURCE%20Boston%202010%20Clark%20slides.ppt

File size

313.0 KB

MD5

979219607f92d87294670aa5e495abe9

SHA1

34cdc8da849709ce3c321186bac0da195180abc0

WebOS developers work with a large spectrum of web and system languages, including JavaScript, Java, and C++. WebOS is the first mobile platform that primarily uses web languages; however, we believe that they will become more common as platform vendors court the massive web developer community. But, web developers do not understand how the subtleties of how the mobile security model differs from that of the web. For example, WebOS does not enforce the Same Origin Policy (SOP) and some valuable user data is shared. Consequently, minor web application vulnerabilities have a much larger impact on WebOS phones. Almost all WebOS applications run as JavaScript within a WebKit process. However, the same privileges do not apply to all applications. Attackers can use attacks, such as Cross-Site Scripting or buffer overflows, to compromise low-privileged applications and then exploit WebOS unique vulnerabilities classes, such as Card Parameter Injection, to compromise system services and elevate privileges. This presentation will show how to find and exploit these vulnerabilities, a topic which has never been discussed in a public forum. Combined, the presenters published the first WebOS security information and responsibly disclosed over ten WebOS vulnerabilities. Discovering these vulnerabilities required developing innovative security testing techniques. For example, we created a WebOS specific fuzzing agent that uses JavaScript to monitor and detect application failures. We plan on releasing these tools at SOURCE Boston.