Scheduled on: January 27 at 17:00
According to a study from 2015, Adobe Flash Player comprised eight of the top 10 vulnerabilities leveraged by exploit kits. Most exploit developers rely on fuzzing the values to ASNative within ActionScript 2/ActionScript 3 in order to discover weaknesses. This usually occurs without actually knowing what data to send and where it will end up. However, these bug hunters have shared little information on how to reverse Flash itself, if they even know. What is public is primarily on how people have found and exploited similar vulnerabilities. What has always been missing is a deeper understanding of Flash as a whole – until now.
This talk details techniques that allow researchers to perform mappings between ActionScript 2/ActionScript 3 and their undocumented counterparts. This moves analyzing Flash from simple fuzzing techniques to in-depth reverse engineering. We begin with how Flash starts up the AS2/AS3 virtual machines then work through to demonstrating the mapping of native functions. Finally, we’ll demonstrate the effectiveness of these techniques by marking up the flash debugger projector and using it to analyze a vulnerability in Adobe Flash. By examining the internals of Flash’s ActionScript implementations, researchers gain a new and unique visibility in finding and analyzing zero-day exploits.