
Communications of the ACM

ACM TechNews

Despite Pwn2Own 2014 Hacks, Application Sandboxing Still Critical


Application sandboxing was chief among the mitigation techniques attackers had to defeat to successfully exploit vulnerabilities in browsers and software at the recent CanSecWest security conference's Pwn2Own hacking contest.


Bug hunters and researchers attending the recent CanSecWest security conference's Pwn2Own hacking contest successfully demonstrated 35 exploits of some of the most popular browsers and software suites. Despite these successes, participants and organizers say the results of this year's contest show that popular software is becoming more secure and harder to compromise.

Brian Gorenc with HP's Security Research group says most of the successful exploits had to target multiple vulnerabilities in order to succeed. "As the mitigations get added in to technologies, it is becoming more difficult," he notes. "It takes a significant amount of time to develop that chain of exploits." Chief among these mitigation techniques is the use of application sandboxing.

Most major browsers and software have implemented sandboxing, thus requiring attackers to create exploits simply to defeat or escape the sandbox before they can exploit the targeted software.

However, Carnegie Mellon University's Will Dormann says sandboxing alone is not enough. He suggests security professionals apply several other controls, such as running the Firefox browser's NoScript add-on and Microsoft's Enhanced Mitigation Experience Toolkit (EMET). EMET, for example, was able to mitigate all of the zero-day exploits of Internet Explorer used at Pwn2Own in 2013.



Abstracts Copyright © 2014 Information Inc., Bethesda, Maryland, USA

