"Let the Cache Cache and Let the WebAssembly Assemble: Knocking on Chrome's Shell.pdf" is shared by a member and can be read online; for more related material, see "Let the Cache Cache and Let the WebAssembly Assemble: Knocking on Chrome's Shell.pdf (102-page collector's edition)" by searching on 三个皮匠报告.
#BHUSA @BlackHatEvents

[Slide 1] Let the Cache Cache and Let the WebAssembly Assemble: Knocking on Chrome's Shell
Edouard Bochin (le_douds), Tao Yan (Ga1ois) and Bo Qu
Palo Alto Networks

[Slide 2] About Us
Security Researchers
- Offensive Research: MSRC Top 10 * times; 100+ CVEs in Browser, Office, Windows, PDF, etc.
- Defensive research: Threat analysis, detection research
- Patent Inventors: New defense and detection techniques
- Pwn2Own Winners: Chrome/MS Edge Double Tap, Pwn2Own 2024 Vancouver; Windows Escalation of Privilege, Pwn2Own 2021 Vancouver
- Conference Speakers: Black Hat (USA, EU, Asia, MEA), CanSecWest, Blue Hat, POC, HITCON, Virus Bulletin, REcon, etc.

[Slide 3] Agenda
- Introduction
- Let the Cache Cache
  - Tricking the V8 engine enum cache
  - Exploiting the enum cache vulnerability
- Let the WebAssembly Assemble
  - The V8 Sandbox and WebAssembly internals
  - Escaping the V8 Sandbox with the novel "field confusion" technique
- Putting It All Together
- Summary & Takeaways

[Slide 4] Introduction
Typical V8 exploit chain targeting Google Chrome without V8 Sandbox (diagram):
V8 Vuln -> Memory Corruption -> Arbitrary Read/Write -> Renderer Code Execution -> Chrome Sandbox Escape / OS Kernel Vuln -> Code Execution Outside Chrome

[Slide 5] Introduction
Typical V8 exploit chain targeting Google Chrome with V8 Sandbox (diagram):
V8 Vuln -> Memory Corruption -> Arbitrary Read/Write (Inside V8 Sandbox) -> V8 Sandbox Escape -> Exploit Primitives outside V8 Sandbox -> Renderer Code Execution -> Chrome Sandbox Escape / OS Kernel Vuln -> Code Execution Outside Chrome

[Slide 6] V8 Sandbox
(Diagram: External Object; Object1; Object2; raw 64-bit pointer; raw 64-bit pointer)
Before V8 Sandbox Beta (Chrome M123), all existing sandbox escape techniques relied on raw pointers stored inside the V8 Sandbox.
The V8 Sandbox Beta release removed all the raw pointers from the Sandbox, killing all the publicly available techniqu