Modern Browser Security - The First line of Defense

By Prateek Gianchandani on 16 Sep 2020 @ Auscert
📹 Video 🔗 Link
#browser-security #exploit-development #fuzzing #compiler-security
Focus Areas: 🎯 Penetration Testing, 🏗️ Security Architecture, 🌐 Web Application Security

Presentation Material

Abstract

Web browsers form the first line of defense in a remote attack. Because of their popularity and a rapidly changing landscape driven by the push to give consumers the latest features, they present a wide attack surface and are often targeted. With a focus on Safari's WebKit, this talk covers how to identify, analyze and exploit vulnerabilities in its two major components: WebCore and JavaScriptCore. The talk explains how objects are allocated and stored in memory, then how JIT optimizations work, and discusses how JIT optimization can be abused to find vulnerabilities. Certain exploit primitives (addrof and fakeobj) are discussed, along with how arbitrary read/write can be achieved using those primitives. The talk also looks at some of the latest mitigations introduced in recent versions of WebKit and their impact on exploitation, concluding with techniques for effectively fuzzing the JavaScript engine using grammar-based fuzzing in order to find exploitable vulnerabilities.

AI Generated Summary

The talk provides a technical overview of modern browser security, focusing on the WebKit rendering engine and its JavaScriptCore (JSC) component. It details browser architecture, emphasizing the separation of the rendering process and the role of the JavaScript interpreter and JIT compiler as primary attack surfaces.

Key technical findings include the structure ID randomization in JSC, which complicates object faking by requiring a leaked JSCell header. The presentation explains JIT compilation tiers, bailout mechanisms via clobberWorld, and recent mitigations such as IsoHeaps (type-isolated heaps), Gigacage (pointer range restriction), and Pointer Authentication (PAC) on iOS. These defenses hinder traditional use-after-free and type confusion exploits.

The core of the exploitation discussion centers on constructing primitives. An “address-of” primitive leaks object addresses via type confusion. A “fake object” primitive requires crafting a valid JSCell header, including a correct structure ID, often necessitating a prior leak. Arbitrary read/write is achieved by manipulating an object’s “butterfly” pointer, which directs property/element access to attacker-controlled memory. The shift from direct shellcode injection to Return-Oriented Programming (ROP) is noted due to mitigations like Hardened WebKit’s separate writable/executable JIT mappings.

Practical takeaways stress the importance of building debug versions of WebKit for analysis, using tools like lldb, and understanding JavaScript value representations (NaN-boxing). The talk concludes by advising focused fuzzing on JSC and WebCore, acknowledging that while mitigations raise the exploitation bar, fundamental vulnerabilities in complex engines persist.

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview; always refer to the original talk for authoritative content.