Fuzzing for bugs yields poor results on offense. Too many other people looking with same tools, long dev time. #youkillityoueatit
-
-
Talking from experience with pwn2own
#youkillityoueatitpic.twitter.com/1fZFKHpnov
-
How do you find logic flaws? In a word, experience. Lots of vague advice: try threat modeling, identify trust boundaries, think really hard.
-
This talk summarizes pretty well another reason why I won't use Android. Rich IPC enables trivial attacks between sandboxed apps.
-
MWR is abusing a trick in Android Chrome to reflect Android IPC calls all over the place. Feels like exploiting XSS.
-
Here's the Chrome feature that enabled MWR's Pwn2own exploit. It allows attacks where forms can POST local data backhttps://groups.google.com/a/chromium.org/forum/m/#!topic/chromium-reviews/xEaI6q7lQdg …
-
and here's the fix from Chrome https://bugs.chromium.org/p/chromium/issues/detail?id=659492 …
-
Thanks for covering our talk.
#youkillityoueatit -
No prob, it was pretty great! Talks are always better when you tell a good story.
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.