Date: 200976
Time: 9am - 5pm
Venue: To Be Confirmed
Course materials, lunches and coffee breaks will be provided for both days.
Registration deadline: 27 June 2009

Course code | Course | Trainer | Course fee
TW09-01 | Writing Windows Shellcode | Dave Aitel | NT$10,000
TW09-02 | Java/J2EE Security class | Marc Schönefeld | NT$10,000
TW09-03 | Building a Secure Wireless Network | Cédric Blancher | NT$10,000

Trainers and Courses

Marc Schönefeld

Marc Schönefeld has been involved with the deeper details of Java security for about seven years and has demonstrated the success of the presented method by finding a large range of CVE-relevant vulnerabilities.

After having worked in banking IT for 10 years, he moved to a large operating system vendor to identify and prevent vulnerable parts in open source Java distributions. He has spoken at major conferences such as Black Hat, RSA, XCon, HackInTheBox and PacSec.

2002: Blackhat Security Aspects Bytecode Engineering
2003: Java Vulnerabilities, joint paper with iDefense
2003: Java Vulnerabilities (shown at RSA Europe)
2004: D-A-CH Security: Java Side-Channel attacks
2004: DIMVA: Java Vulnerabilities
2004: Second place in RSA European Security Award
2005: RSA USA, Java Security Antipatterns (=> Bellua, Xcon, HITB)
2006: DIMVA: Practical Impact of Java Security Antipatterns (=> Blackhat, Xcon, HITB, WebSec)
2006: PacSec: Security Aspects of .NET WCF
2007: PacSec: Intellectual Property Protection in Java and JEE
Java / JEE Security class (Online registration)

(understanding the attacker's and defender's views)

Description:

JEE is known as a framework for building Java business applications. Vulnerabilities in these applications are introduced on the one hand by the framework software, and on the other hand, and more often, by the application developers. For a complete JEE security audit it is therefore more important to build up the skill to "feel" the attack surface than just to apply pre-built exploits that only expose framework bugs.

This class starts by describing the important parameters that define the attack surface, such as dangerous code patterns, configuration settings and reasonable secure defaults. Examples of real-life vulnerabilities are used to show participants how simple bugs can create holes; we cover both perspectives, the bug and the fix. The curriculum goes on to present, and train the use of, the tool set necessary to spot vulnerable code parts. We present techniques such as code skim reading, binary scanning, reverse engineering and interpreting the hidden security message of harmless-looking heap, thread and stack dumps.

The trainer has been involved with the deeper details of Java security for about seven years and has demonstrated the success of the presented method by finding a large range of CVE-relevant vulnerabilities. This class does not require prior knowledge of the Java bytecode set, but a deeper understanding of how JVMs work, combined with creativity, is very helpful for turning the presented techniques into personal success.

The examples and exercises shown in this class cover Apache Tomcat, Apache Geronimo and Sun GlassFish.

The topics presented are:

  • The Java architecture, JVMs and bytecode
  • The Java security model
  • Secure programming in a nutshell
  • Java vulnerabilities, and how they differ from C-type bugs
  • The JEE architecture
  • Open holes in JEE, and how to spot them
  • How to harden a JEE server
  • Tools and toys to prepare and conduct JEE pentests
  • Writing self-assessment clients
  • Short excursion into web security: XSS and XSRF, how to spot and prevent them in JEE
  • Examples, examples, …

Powered by SyScan © 2009 SyScan'09