Пожалуйста, обратите внимание, что пользователь заблокирован
Description
Слайды: https://powerofcommunity.net/poc202...me and the V8 Sandbox 10+ times with WASM.pdf
Browsers are a complex piece of software with multiple components integrated together. Every one of these components, as well as the integration layers between them, are potential sources of bugs. However, not all bugs are equal - exploitability of the initial bug is sometimes questionable, and mitigation bypasses are often required to obtain fully arbitrary code execution even within the renderer. In Chrome this mitigation is known as the V8 Sandbox, which attempts to prevent any memory corruption within the V8 Sandbox region from affecting any other memory region. This makes exploiting the initial bug to a fully arbitrary code execution much more challenging... or so was considered as such.
In this talk, I demonstrate how WebAssembly still serve as a great attack vector that provide troves of both the initial bug and V8 Sandbox bypass. I first share the story behind finding a WASM bug in V8 through variant analysis and exploiting it at TyphoonPWN 2024, and show how fixing this bug revealed another stunningly simple variant-of-a-variant bug exploited in v8CTF. I also introduce another bug in WASM TurboFan compiler caused by an innocent typo, and show how analyzing a seemingly unexploitable bug can reveal significant exploitability in some configurations and platforms. I continue on to a massive list of 10+ V8 Sandbox bypasses in WASM, opening up a whole new paradigm of bypass techniques that require significant efforts to fully patch. This research, while spanning over only a short period of approximately 2 months, enabled me to win multiple hacking competitions and VRPs for a total of $250K+.
Throughout the talk, I provide both the big picture and detailed technical walkthrough on finding bugs in Chrome's WASM implementation and exploiting them in the modern Chrome environment. I challenge the common misconception that "browser bugs are hard", whereas quite a few of them can be found and exploited without breaking a sweat. The talk will conclude with a sneak peek of future works on WASM implementation in other major browsers and a demonstration of the exploits.
Слайды: https://powerofcommunity.net/poc202...me and the V8 Sandbox 10+ times with WASM.pdf