Modern Browser Security - The First Line of Defense

By Prateek Gianchandani on 16 Sep 2020 @ Auscert
#browser-security #exploit-development #fuzzing #compiler-security
Focus Areas: 🎯 Penetration Testing, 🏗️ Security Architecture, 🌐 Web Application Security

Abstract

Web browsers form the first line of defense against remote attacks. Because of their popularity and a rapidly changing feature set shipped to keep up with consumer demand, they present a wide attack surface and are frequently targeted. With a focus on Safari's WebKit, this talk covers how to identify, analyze and exploit vulnerabilities in its two major components: WebCore and JavaScriptCore. It explains how JavaScript objects are allocated and laid out in memory, then how the JIT tiers optimize code and how those optimizations can be abused to find vulnerabilities. The exploit primitives addrof and fakeobj are introduced, along with how they are combined to build an arbitrary read/write primitive. The talk also examines some of the mitigations introduced in recent WebKit versions and their impact on exploitation, and concludes with techniques for effectively fuzzing the JavaScript engine with grammar-based fuzzing in order to find exploitable bugs.
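The grammar-based fuzzing approach mentioned at the end of the abstract, as an added example that is not code from the talk or from any real fuzzer: a small context-free grammar for JavaScript test programs, a depth-bounded generator driven by a seeded PRNG (so any interesting case can be reproduced from its seed), and an in-process harness that checks each case compiles and runs it. The grammar, the depth limit, the PRNG and the token set are illustrative assumptions. In a real campaign each case would be written to a file and fed to a standalone engine binary (for example the `jsc` shell) under a crash monitor; running cases in-process, as here, can only observe exceptions, not memory-safety crashes.

```javascript
// Added example (not from the talk): grammar-based generation of JS test cases.
// Assumptions: the grammar below, a depth limit of 6, and mulberry32 as PRNG.

// mulberry32: tiny seeded PRNG so a case that misbehaves can be regenerated from its seed.
function makeRng(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Non-terminals are written in angle brackets; everything else is a literal token.
// The productions deliberately mix ints, doubles, arrays and objects and call
// builtins in a hot loop, because type confusion across JIT tiers is where
// engine bugs tend to live. `var` is used (not `let`) so re-declaring a
// parameter or a variable twice stays syntactically valid.
const JS_GRAMMAR = {
  "<program>": [[
    "var a = 1, b = 2, v0 = [], v1 = {};",
    "function f(a, b) {", "<stmts>", "return", "<expr>", ";", "}",
    "for (let i = 0; i < 200; i++) { f(", "<expr>", ",", "<expr>", "); }",
  ]],
  "<stmts>": [[], ["<stmt>", "<stmts>"]],
  "<stmt>": [
    ["var", "<var>", "=", "<expr>", ";"],
    ["<var>", "=", "<expr>", ";"],
    ["if (", "<expr>", ") {", "<stmts>", "}"],
    ["<var>", "[", "<expr>", "] =", "<expr>", ";"],
  ],
  "<expr>": [
    ["<num>"], ["<var>"],
    ["[", "<expr>", ",", "<expr>", "]"],
    ["{ x:", "<expr>", ", y:", "<expr>", "}"],
    ["(", "<expr>", "<binop>", "<expr>", ")"],
    ["Math.max(", "<expr>", ",", "<expr>", ")"],
    ["<var>", ".length"],
    ["Array.prototype.slice.call(", "<expr>", ")"],
  ],
  "<binop>": [["+"], ["-"], ["*"], ["|"], [">>>"], ["<"]],
  "<num>": [["0"], ["1"], ["-1"], ["1.5"], ["2 ** 31"], ["0x7fffffff"], ["NaN"]],
  "<var>": [["a"], ["b"], ["v0"], ["v1"]],
};

// Cost of a production = 1 + the deepest non-terminal it contains.
function prodCost(prod, md, grammar) {
  let c = 1;
  for (const s of prod) if (s in grammar) c = Math.max(c, 1 + md[s]);
  return c;
}

// Minimum expansion depth of every non-terminal (fixed-point iteration), used to
// force termination: once the depth budget is spent, only cheapest productions are chosen.
function minDepths(grammar) {
  const md = Object.fromEntries(Object.keys(grammar).map((k) => [k, Infinity]));
  for (let changed = true; changed; ) {
    changed = false;
    for (const [nt, prods] of Object.entries(grammar)) {
      const best = Math.min(...prods.map((p) => prodCost(p, md, grammar)));
      if (best < md[nt]) { md[nt] = best; changed = true; }
    }
  }
  return md;
}

// Expand <program> into a token string; same seed always yields the same program.
function generate(grammar, seed, maxDepth = 6) {
  const rng = makeRng(seed);
  const md = minDepths(grammar);
  const out = [];
  const expand = (sym, depth) => {
    if (!(sym in grammar)) { out.push(sym); return; }
    let prods = grammar[sym];
    if (depth <= 0) {
      const best = Math.min(...prods.map((p) => prodCost(p, md, grammar)));
      prods = prods.filter((p) => prodCost(p, md, grammar) === best);
    }
    const prod = prods[Math.floor(rng() * prods.length)];
    for (const s of prod) expand(s, depth - 1);
  };
  expand("<program>", maxDepth);
  return out.join(" ");
}

// In-process oracle: a syntax error means the grammar is wrong (wasted cases);
// a runtime exception is expected noise; a real crash is only visible out of process.
function runCase(src) {
  let fn;
  try { fn = new Function(src); } catch (e) { return { status: "syntax-error", error: String(e) }; }
  try { fn(); return { status: "ok" }; } catch (e) { return { status: "exception", error: String(e) }; }
}

function fuzz(grammar, count, baseSeed = 1) {
  const stats = { ok: 0, exception: 0, "syntax-error": 0, firstSyntaxError: null };
  for (let i = 0; i < count; i++) {
    const seed = baseSeed + i;
    const r = runCase(generate(grammar, seed));
    stats[r.status]++;
    if (r.status === "syntax-error" && !stats.firstSyntaxError) stats.firstSyntaxError = { seed, error: r.error };
  }
  return stats;
}

console.log(generate(JS_GRAMMAR, 42));
console.log(fuzz(JS_GRAMMAR, 200));
```

The invariant worth asserting on a grammar like this is that it never emits a syntax error: every case that fails to parse is engine time thrown away, and the `firstSyntaxError` field points at the seed to regenerate when a production is wrong. Adding coverage feedback, mutation of previously interesting cases, and the out-of-process crash detection is what turns this skeleton into a real engine fuzzer.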