Inside AVM

In 2011, I presented research[1] at CanSecWest on exploiting Flash JIT type confusion bugs. While this research has been proved useful, Flash vulnerabilities are still of major concern to the community, and we continue to see a large number of Flash vulnerabilities being discovered by black-hat attackers, vendors, and white-hat researchers[2].

Regardless of the continuing popularity of these vulnerabilities as the target of exploits, it is still unclear what the "coding fault" actually is for Flash Bytecode-level vulnerabilities. In addition, current research is limited by a lack of meaningful fuzzing methodologies beyond dumb-fuzzing. We need to provide better solutions for these problems.

In order to address these issues, this paper examines the results of reverse engineering on Flash Player and reviewing source code from the Tamarin project[3]. By understanding the entire Flash ActionScript implementation, not only will we know how to debug ActionScript on Flash Player but also:

1. We will know the root cause of Flash vulnerabilities on the ASM level, as well as how they are patched (we use the "famous" CVE-2011-0609 as an example).
2. We can develop a meaningful fuzzer running in memory which is able to cover various Flash Bytecode bugs.

In addition, we will introduce our Flash ActionScript parser during the presentation. The parser was designed from researchers' perspective so it should be significantly helpful for deep AVM research/tests.