Black Hat //Webcast
Showcase Showdown: Browser Security Edition
// Shawn Moyer and Ryan Smith, Accuvant LABS
At no other point in the evolution of computing has user experience (as well as attack surface) been so defined by a single piece of software as it is today. Still, no authoritative picture of the true defensive capabilities of the three major web browsers has existed. This session will present the results of our research into six key areas of browser security, and release new, actionable metrics for browser security with a focus on real-world exploitability.
This talk introduces quantifiable, objective comparisons of every key facet of browser security, and we believe it will spark a more scientific debate on the topic. Rather than relying on conjecture and punditry, our results introduce sound, measurable criteria for browser defenses, and provide real metrics for how each browser meets those criteria.
Shawn Moyer manages the Research Consulting Practice for Accuvant LABS, working with some of the most-renowned security researchers in the world to perform private on-spec vulnerability research, software audits, and reverse engineering for a global customer base ranging from utilities and financials to telecommunications and software firms.
Ryan Smith is the Chief Scientist of Accuvant LABS. While focusing primarily on vulnerability research and exploit development, Ryan’s previous security consulting and engineering experience has included a variety of roles as both a consultant and technical lead at other major security companies, including Verisign’s iDefense LABS, ISS X-Force, and Neohapsis.
Ryan has been featured in multiple publications including ComputerWorld, The Register, and DarkReading. Ryan has completed major research in vulnerability discovery, exploitation techniques, reverse-compilation and anti-anti-debugging. Ryan has given presentations at BlackHat conferences (including the most recent BlackHat USA event in 2010) and is a sought-after speaker on complex security topics. In 2008, Smith received the “Pwnie” award for “Best Server Side Bug” for research involving a default remote compromise vulnerability in Microsoft’s IP stack, which affected Microsoft systems worldwide over IPv4 and IPv6. In 2009, Smith received the “Pwnie” award once again for “Best Client Side Bug” for his work with the Microsoft ActiveX video control within Internet Explorer.
Karl Snider is currently the Market Segment Manager for Application Security and Compliance at IBM Security Systems. A software developer by training, Karl has participated extensively in all phases of the development life cycle, including development, design, architecture, system engineering, project management and product management.