Exploits of legacy Flash VMs constitute one of the largest and highest-impact attack surfaces of today’s web. They are the primary vehicle for web-based ransomware and banking trojans, accounting for ~80% of successful Nuclear exploits and six of the top ten exploit kit vulnerabilities in 2016. More than 90% of malicious web pages abuse Flash, making Flash the #1 attack medium for malicious pages. And the threat is growing: the market proportion of Flash Player exploits grew more than 150% in 2016 relative to the previous year. The prevalence of attacks that exploit known, patchable vulnerabilities in legacy Flash VMs can be traced to a perfect storm of at least three major trends.

First, Flash’s seamless integration of almost every major web media format (images, sounds, videos, etc.) into a highly portable bytecode binary with strong DRM capabilities makes it extremely compelling for the highly dynamic web content desired by today’s developers and end-users. Flash is consequently the tool of choice for over 3 million developers worldwide, powering 24 of Facebook’s top 25 games and over 20,000 apps on Google Play and Apple’s App Store.

Second, this power and flexibility has led to an extremely complex VM implementation that must support live streaming of all these different media formats, with a risk of implementation vulnerabilities for each format. As a result, the Flash Player regularly ranks among the applications with the most web vulnerability disclosures per year (e.g., it claimed the most CVEs of any application in 2016) and has a rapidly evolving version history. This rapid version churn inevitably means that hundreds of distinct Flash Player versions are currently deployed by end-users worldwide, each with its own vulnerabilities and idiosyncrasies. Studies estimate that nearly 62% of Internet Explorer users, 37% of Edge users, and 32% of Safari and Firefox users are running outdated Flash Player versions that leave them unprotected against well-known attacks.
Third, defense research on Flash has been impeded by the fact that the most widely deployed Flash VMs are closed-source, and content for them is purveyed in binary-only form without sources. The Flash ActionScript (AS) bytecode language has many features that make apps difficult to statically analyze at the binary level, including gradual typing, runtime code generation, dynamic class loading, and direct access to security-relevant system resources via a variety of runtime APIs. Consequently, Flash defense has
The most common third-party Flash exploit protections deployed today therefore take the form of relatively weak network-level filters that scan transmitted Flash binaries for structural malformities known to trigger bugs in unpatched, legacy VMs. However, many Flash exploits cannot be reliably detected by such static analyses. For example, many of the highest-impact Flash attacks (e.g., those delivered by the Angler exploit kit) exploit use-after-free (UAF) vulnerabilities to achieve arbitrary remote code execution. Since AS is a Turing-complete language, it is impossible in general to statically predict whether a given call site in the binary will receive a freed object as an argument when the code is ultimately executed by an arbitrary receiving VM. Accurate static filtering of such attacks is therefore provably infeasible in general.
My research team last year designed and developed Inscription, the first Flash defense that automatically transforms and secures untrusted AS binaries in-flight against major Flash Player VM exploits, without requiring any updates or patches to VMs or web browsers. Inscription works by modifying incoming Flash binaries with extra security programming that self-checks against known VM exploits as the modified binary executes. Flash apps modified by Inscription are therefore self-securing. This hybrid static-dynamic approach affords Inscription significantly greater enforcement power and precision than static filters.
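To make the contrast between structural filtering and in-lined self-checking concrete, here is an added toy example written for this page; it is not Inscription's code and does not use real AVM2 bytecode. The mini-VM instruction set (`NEW`, `FREE`, `JZ`, `CALL`, `GUARD`, `HALT`), the functions `run`, `static_filter`, `inscribe` and `outcome`, and the `SAMPLE` program are all constructed. The sample frees an object only on one input-dependent path, so a signature that looks for a free immediately followed by a call misses it, while a rewriting pass that inserts a `GUARD` before every call stops the dangling dereference at run time regardless of which path the input selects.

```python
"""Constructed illustration (not Inscription's code, not real AVM2 bytecode):
a hypothetical mini-VM where a use-after-free depends on runtime input, a
signature-style static filter that misses it, and an in-flight rewriting
pass that inserts a self-check before each native call."""
from typing import List, Tuple

# Hypothetical instruction set, constructed for this example:
#   ("NEW", r)         allocate a fresh object into register r
#   ("FREE", r)        release the object in r; r keeps a dangling reference
#   ("JZ", i, target)  jump to target if inputs[i] == 0, else fall through
#   ("CALL", r)        native call that dereferences the object in r
#   ("GUARD", r)       inserted self-check: abort if r is dangling
#   ("HALT",)          stop with result "ok"
Instr = Tuple
Program = List[Instr]


class UseAfterFree(Exception):
    """An unguarded native call dereferenced a freed object."""


class PolicyViolation(Exception):
    """An inserted GUARD stopped execution before the unsafe call."""


def run(program: Program, inputs: List[int]) -> str:
    """Execute the mini-VM program; raise on a UAF or on a GUARD hit."""
    regs, freed, next_id, pc = {}, set(), 0, 0
    while True:
        ins = program[pc]
        op = ins[0]
        if op == "NEW":
            regs[ins[1]] = next_id
            next_id += 1
            pc += 1
        elif op == "FREE":
            freed.add(regs[ins[1]])
            pc += 1
        elif op == "JZ":
            pc = ins[2] if inputs[ins[1]] == 0 else pc + 1
        elif op == "GUARD":
            if regs[ins[1]] in freed:
                raise PolicyViolation(f"pc={pc}: r{ins[1]} is dangling")
            pc += 1
        elif op == "CALL":
            if regs[ins[1]] in freed:
                raise UseAfterFree(f"pc={pc}: native call on freed object")
            pc += 1
        elif op == "HALT":
            return "ok"
        else:
            raise ValueError(f"unknown opcode {op!r}")


def static_filter(program: Program) -> bool:
    """Network-filter style check: flag a FREE immediately followed by a CALL
    on the same register. It sees only structure, never runtime state."""
    return any(a[0] == "FREE" and b[0] == "CALL" and a[1] == b[1]
               for a, b in zip(program, program[1:]))


def inscribe(program: Program) -> Program:
    """Rewriting pass: insert a GUARD before every CALL and remap jump
    targets so control flow lands on the guard, never past it."""
    new_index, out = {}, []
    for i, ins in enumerate(program):
        new_index[i] = len(out)          # old pc i now starts here
        if ins[0] == "CALL":
            out.append(("GUARD", ins[1]))
        out.append(ins)
    new_index[len(program)] = len(out)
    return [("JZ", ins[1], new_index[ins[2]]) if ins[0] == "JZ" else ins
            for ins in out]


def outcome(program: Program, inputs: List[int]) -> str:
    """Classify a run as 'ok', 'uaf' (exploit reached the VM) or 'blocked'."""
    try:
        return run(program, inputs)
    except UseAfterFree:
        return "uaf"
    except PolicyViolation:
        return "blocked"


# Constructed sample: whether r0 is freed before the CALL depends on input.
SAMPLE: Program = [
    ("NEW", 0),       # 0
    ("NEW", 1),       # 1
    ("JZ", 0, 4),     # 2: benign input skips the FREE
    ("FREE", 0),      # 3
    ("NEW", 2),       # 4: unrelated work separates FREE from CALL
    ("CALL", 0),      # 5: dangling only on the input-selected path
    ("HALT",),        # 6
]

if __name__ == "__main__":
    print("static filter flags sample:", static_filter(SAMPLE))
    for inp in ([0], [1]):
        print(inp, "original:", outcome(SAMPLE, inp),
              "inscribed:", outcome(inscribe(SAMPLE), inp))
```

The filter returns `False` for the sample because no free/call pair is adjacent, yet input `[1]` drives the original program into the dangling call. After `inscribe`, the same input is stopped by the guard and input `[0]` still runs to completion, which is the enforcement-versus-precision trade-off the paragraph above attributes to the hybrid approach.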