As Markus and Amy from Ret2Systems rightly note, the best way to start vulnerability research in a new area is to gather every available resource on the topic.
For that reason, we will collect and list here all useful resources on the architecture of WebKit and JavaScriptCore that are relevant to vulnerability research.
Source: https://zon8.re/posts/jsc-architecture-reading-list-for-vulnerability-researchers/

Video
- Michael Saboff - JavaScriptCore, many compilers make this engine perform - HolyJS 2019 - This talk covers how JavaScriptCore transforms JS source into bytecode, and then executes that bytecode using various tiers in the engine. The talk provides details on the four tiers that execute JS, the purpose of each tier, and how code execution moves between those tiers.
- The WebKit Browser Engine: An Overview - LinuxConf 2013 - A dated but good basic introduction to the WebKit browser engine.
- JavaScriptCore’s DFG JIT - JSConf EU 2012 - This talk takes a look at what DFG JIT is and how it works.
- A Tale of Types, Classes, and Maps - JSCamp Barcelona 2018 - Benedikt Meurer - Introduction to the four main JavaScript engines and how they work. Discusses optimization and deoptimization fundamentals and the differences between the engines.
- JavaScript engines - how do they even? - JSConf EU 2017 - Franziska Hinkelmann - Introduction to JIT, optimizing compilers and compiler differences in each JavaScript engine.
- JavaScript Engines: The Good Parts - JSConf EU 2018 - Mathias Bynens & Benedikt Meurer - Introduction to the four main JavaScript engines. Covers JavaScript engine fundamentals, handling of different objects, transition trees, and a high level comparison between the optimizing/JIT compilers in each JS engine.
- Rendering in WebKit - Google Developers - (Dated) Eric Seidel explains the process from loading the resources, building the DOM tree, and the various trees involved in rendering.
- The Butterfly of a JSObject - Part of LiveOverflow’s excellent series on browser exploitation. LiveOverflow explains what butterflies are in JavaScriptCore.
- Introducing the WebKit FTL JIT
- Inverting Your Assumptions: A Guide to JIT Comparisons
- JavaScript engine fundamentals: Shapes and Inline Caches
- Introducing the B3 JIT Compiler
- A New Bytecode Format for JavaScriptCore
- Introducing Riptide: WebKit’s Retreating Wavefront Concurrent Garbage Collector
- Assembling WebAssembly
- A Guide to Assertion Macros in WebKit
- Speculation in JSC (Slides)
- Gigacage
- Overview of WebKit CSS JIT Compiler
- Some Brief Notes on WebKit Heap Hardening
- Concurrent JavaScript: It Can Work