Heard a talk about the Blitzableiter project at Linuxtag. It's a really interesting project, especially since Flash is a pretty common attack target. An RC came out 2 months ago, so it's not final yet:
http://blitzableiter.recurity.com/
A presentation from BlackHat USA 2010 can be found here:
http://www.recurity-labs.com/content/pub/FX_Blitzableiter_BHUSA2010.pdf
And here is a bit more info:
BlitzableiterBasics
The general idea behind Blitzableiter is a method called normalization through recreation. The potentially malicious input file is read, parsed and interpreted as completely as possible, applying very strict rules of specification compliance in the process. If the input file violates those rules, it is rejected as invalid. After the initial parsing, the original input file is discarded completely and a new file is created, based on the information obtained from the original input file.
Optionally, Blitzableiter can modify Adobe Flash bytecode before creating the output file. This allows modifying code logic within Flash files for additional security checks, which may not be available or functioning properly in the native runtime environment. Currently, only bytecode for the Adobe Virtual Machine 1 is supported.
Blitzableiter itself is entirely managed code for the .NET runtime environment. This prevents malicious Flash files from targeting the Blitzableiter parser instead of the Flash runtime parser for exploitation of memory corruptions, as .NET provides superior protection against those. The library also uses the arithmetic overflow checks available in the Common Language Runtime to detect integer overflow attacks against the Flash runtime.
The goal of Blitzableiter is to eventually be able to parse any part of a Flash file and thereby provide complete protection coverage of the format. Currently, only a subset (although a growing one) of the format's different sub-types is validated.
http://blitzableiter.recurity.com/wiki/blitzableiter/BlitzableiterBasics
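As an added illustration of the "normalization through recreation" approach described above (example code written for this post, not Blitzableiter's own .NET code): a strict parser for the uncompressed SWF container that rejects spec violations (bad signature, wrong declared length, unknown tag codes, tag lengths running past the end of the file, trailing data) and then emits a fresh file from the parsed structure only. The allowlist of tag codes and the two sample movies are constructed for the example; the header and tag-header layout follow the published SWF file format specification.

```python
import struct
ALLOWED_TAGS = {0, 1, 9, 69}  # constructed allowlist: End, ShowFrame, SetBackgroundColor, FileAttributes

def parse_swf(data: bytes) -> dict:
    """Strict parse of an uncompressed (FWS) SWF; any spec violation raises ValueError."""
    def need(pos, n):  # every read is bounds-checked before it happens
        if pos + n > len(data): raise ValueError(f"{n} bytes at offset {pos} run past end of file")
    need(0, 9)
    if data[:3] != b"FWS": raise ValueError("unsupported or bad signature")
    version, declared = data[3], struct.unpack_from("<I", data, 4)[0]
    if declared != len(data): raise ValueError(f"declared length {declared} != actual {len(data)}")
    nbits = data[8] >> 3                       # RECT: 5-bit Nbits, then 4 fields of Nbits bits each
    pos = 8 + (5 + 4 * nbits + 7) // 8         # RECT is byte-aligned at its end
    need(pos, 4)
    rect, (rate, count) = data[8:pos], struct.unpack_from("<HH", data, pos)
    pos, tags = pos + 4, []
    while True:                                # tag stream must be closed by an End tag (code 0)
        need(pos, 2)
        hdr = struct.unpack_from("<H", data, pos)[0]
        code, length, pos = hdr >> 6, hdr & 0x3F, pos + 2
        if length == 0x3F:                     # long form: a UI32 length follows the header
            need(pos, 4)
            length, pos = struct.unpack_from("<I", data, pos)[0], pos + 4
        if code not in ALLOWED_TAGS: raise ValueError(f"tag code {code} not supported")
        need(pos, length)                      # rejects lengths that would wrap pos + length in C
        tags.append((code, data[pos:pos + length]))
        pos += length
        if code == 0: break
    if pos != len(data): raise ValueError("trailing data after End tag")
    return {"version": version, "rect": rect, "rate": rate, "count": count, "tags": tags}

def rebuild_swf(p: dict) -> bytes:
    """Emit a fresh file from the parsed structure: all framing is regenerated, only known tags survive."""
    body = p["rect"] + struct.pack("<HH", p["rate"], p["count"])
    for code, payload in p["tags"]:
        body += struct.pack("<H", (code << 6) | min(len(payload), 0x3F))
        body += struct.pack("<I", len(payload)) if len(payload) >= 0x3F else b""
        body += payload
    return b"FWS" + bytes([p["version"]]) + struct.pack("<I", 8 + len(body)) + body

def normalize(data: bytes):
    try:                                       # (True, recreated bytes) or (False, rejection reason)
        return True, rebuild_swf(parse_swf(data))
    except ValueError as e:
        return False, str(e)

# Constructed samples: a minimal valid movie (v10, 12 fps, one white frame), and the same movie with
# SetBackgroundColor's tag header rewritten to claim 62 payload bytes where only 7 remain.
SAMPLE = (b"FWS\x0a" + struct.pack("<I", 22) + b"\x00" + struct.pack("<HH", 12 << 8, 1)
          + b"\x43\x02\xff\xff\xff" + b"\x40\x00" + b"\x00\x00")
OVERRUN = SAMPLE[:13] + b"\x7e\x02" + SAMPLE[15:]
```

The recreated output for a clean file is byte-identical here only because every tag is in the allowlist; an input carrying tags the parser does not understand is rejected rather than copied through.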