
Bridging the Gap: Type Confusion and Boundary Vulnerabilities Between WebAssembly and JavaScript in V8.pdf

Uploader: 竿***  Document no.: 981833  2025-11-29  45 pages  8.90MB

#BHAS BlackHatEvents

Bridging the Gap: Type Confusion and Boundary Vulnerabilities Between WebAssembly and JavaScript in V8
Nan Wang, Zhenghang Xiao

About us

Nan Wang (eternalsakura13)
Security researcher focusing on browser vulnerability research.
Chrome VRP Top 3 Researcher in 2022/2023/2024
Facebook Top 2 Whitehat Hacker in 2023
MSRC Ranked 6th in Q3 2024
Speaker of BlackHat USA 2023 / BlackHat Asia 2023 / ZeroCon 2024 / BlackHat USA 2024

Zhenghang Xiao (Kipreyyy)
Security researcher at SERES TECH.
Second-year Masters candidate at NISL Lab, Tsinghua University
Focusing on browser security and fuzzing
Chrome VRP top researcher in 2023 & 2024
Credited by Facebook, Google, etc.
Speaker of BlackHat USA 2023 & 2024 / ZeroCon 2024

About SERES: An Innovative Network Security Company Focusing On Offensive & Defensive Security Applications
Offensive Security Technique, Attack Behavior Modeling, Multi-source Big Data Intelligence, Cyber Security LLM, Realistic Cyber Drills, Threat Vulnerability Intelligence, Crowdsourced Security Testing, Security Risk Assessment
Providing One-stop Cyber Security Solutions For Government & Enterprise Clients.

Agenda
1. Introduction
2. Type Confusion between WasmObject and JSObject
3. UAF in V8 WasmInternalFunction GC
4. Type Confusion in WebAssembly JSPI Wrapping
5. Conclusion

Introduction

Issue      | First Exploited | Description                                           | JavaScript or WebAssembly
330588502  | Pwn2Own         | Incorrect parsing of Wasm Types                       | WebAssembly
323694592  | V8CTF           | Signature mismatch in specialized wasm-to-js wrappers | WebAssembly
339458194  | ITW             | Wrong handling of Wasm Structs in JavaScript runtime  | Both
339736513  | V8CTF           | Wrong handling of Wasm Structs in JavaScript runtime  | Both
346197738  | V8CTF           | M                                                     |

Based on the report's content, its key points are summarized as follows:
1. WASM/JavaScript boundary: The boundary between WASM and JavaScript is subject to type confusion and boundary vulnerabilities, which create security risk.
2. Concrete cases: The report presents several cases, such as CVE-2024-5158 and CVE-2024-7550, that show vulnerabilities arising from WASM/JS boundary issues.
3. WASM GC proposal: The WASM GC proposal introduces object-based reference types and automatic garbage collection, which adds complexity.
4. JavaScript Promise Integration API: The JSPI API allows WASM to call asynchronous JavaScript functions, but it carries security risks.
5. Fuzzing: Fuzzing is critical for discovering vulnerabilities in WASM/JS interaction.
6. Engine-level improvements: The V8 engine is addressing the problem through improvements and patches.