A Hacker's Perspective - PowerPoint PPT Presentation

1 / 14
About This Presentation
Title:

A Hacker's Perspective

Description:

Silverlight Security A Hacker's Perspective Kamran Bilgrami / Angelo Chan Agenda Silverlight overview Scope Key concepts Demos Recommendations Q&A Silverlight ... – PowerPoint PPT presentation

Number of Views:174
Avg rating:3.0/5.0
Slides: 15
Provided by: Goo7663
Category:

less

Transcript and Presenter's Notes

Title: A Hacker's Perspective


1
A Hacker's Perspective
Silverlight Security
  • Kamran Bilgrami / Angelo Chan

2
Agenda
  • Silverlight overview
  • Scope
  • Key concepts
  • Demos
  • Recommendations
  • QA

    
3
Silverlight Overview
  • User
  • Cross-browser, cross-platform
  • Media-rich (audio/video)
  • Run in-browser, out-of-browser
  • .xap - archive of assemblies, manifest
  •  
  • Programmer
  • .NET programming model
  • Networking and LINQ support

4
Silverlight architecture
  • Presentation (e.g. Media)
  • CoreCLR (optimized)

5
Silverlight overview - security
  • Run-time security modes 
  • In browser, out of browser
  • Sandbox
  • User initiated, same origin policy

   
6
Scope
  • In scope
  • Vulnerabilities against Silverlight related
    components
  •  
  • Out of scope
  • Classical attacks (SQL Injection, XSS etc)
  •  
  •  
  • Due to XAP/CoreCLR, hackers can now apply .NET
    assembly hacking techniques to your web
    application

7
Useful concepts
  • XAP
  • CoreCLR
  • Intermediate Language (IL)
  •   
  • Widely Available Tools
  • ILASM/ILDASM
  • Reflector
  • ReflexIL
  •  
  • Signing/Tamper detection
  • Obfuscation (Protect IP)

8
Demos
9
Demo 1 Summary
  • Problems
  • Code not obfuscated
  • Tamper-able Assembly
  • Client side Business logic
  • Solutions
  • Use code obfuscation
  • Assembly Signing
  • Server Side Business

10
Demo 2 Summary
  • Starting conditions
  • Code was obfuscated
  • Tamper resistant
  • IP / Business logic on server side 
  • Run-time hacking
  • Bypass tamper detection
  • Bypass server business logic

11
Recommendations
  • Web security - XSS, data encryption
  • CLR - Obfuscation, signing
  • Domain-specific - e.g. banking application
  • Legal

12
QA
  •   

13
References
  • Silverlight Security Overview - MSDN
  • Silverlight Architecture - MSDN
  • SOS command reference - MSDN
  • CLR Inside Out - MSDN
  • http//www.windowsdebugging.com

kamran_at_windowsdebugging.com angelo_at_windowsdebuggin
g.com
14
 
Write a Comment
User Comments (0)
About PowerShow.com