#BHAS BlackHatEvents

Bridging the Gap: Type Confusion and Boundary Vulnerabilities Between WebAssembly and JavaScript in V8

Nan Wang, Zhenghang Xiao

About us

Nan Wang (eternalsakura13)
- Security researcher focusing on browser vulnerability research.
- Chrome VRP Top 3 Researcher in 2022/2023/2024
- Facebook Top 2 Whitehat Hacker in 2023
- MSRC Ranked 6th in Q3 2024
- Speaker at BlackHat USA 2023 / BlackHat Asia 2023 / ZeroCon 2024 / BlackHat USA 2024

Zhenghang Xiao (Kipreyyy)
- Security researcher at SERES TECH.
- Second-year Master's candidate at NISL Lab, Tsinghua University
- Focusing on browser security and fuzzing
- Chrome VRP top researcher in 2023 & 2024
- Credited by Facebook, Google, etc.
- Speaker at BlackHat USA 2023 & 2024 / ZeroCon 2024

About SERES: An innovative network security company focusing on offensive and defensive security applications, providing one-stop cyber security solutions for government and enterprise clients. Areas: Offensive Security Technique, Attack Behavior Modeling, Multi-source Big Data Intelligence, Cyber Security LLM, Realistic Cyber Drills, Threat Vulnerability Intelligence, Crowdsourced Security Testing, Security Risk Assessment.

Agenda
1. Introduction
2. Type Confusion between WasmObject and JSObject
3. UAF in V8 WasmInternalFunction GC
4. Type Confusion in WebAssembly JSPI Wrapping
5. Conclusion

Introduction

Issue       First Exploited   Description                                                  JavaScript or WebAssembly
330588502   Pwn2Own           Incorrect parsing of Wasm Types                              WebAssembly
323694592   V8CTF             Signature mismatch in specialized wasm-to-js wrappers        WebAssembly
339458194   ITW               Wrong handling of Wasm Structs in JavaScript runtime         Both
339736513   V8CTF             Wrong handling of Wasm Structs in JavaScript runtime         Both
346197738   V8CTF             M