WebAssembly Is All You Need:Exploiting Chrome and the V8 Sandbox 10+ times with WASM
DAY 2
13:50-
14:30
Browsers are a complex piece of software with multiple components integrated together. Every one of these components, as well as the integration layers between them, are potential sources of bugs. However, not all bugs are equal - exploitability of the initial bug is sometimes questionable, and mitigation bypasses are often required to obtain fully arbitrary code execution even within the renderer. In Chrome this mitigation is known as the V8 Sandbox, which attempts to prevent any memory corruption within the V8 Sandbox region from affecting any other memory region. This makes exploiting the initial bug to a fully arbitrary code execution much more challenging… or so was considered as such.
In this talk, I demonstrate how WebAssembly still serve as a great attack vector that provide troves of both the initial bug and V8 Sandbox bypass. I first share the story behind finding a WASM bug in V8 through variant analysis and exploiting it at TyphoonPWN 2024, and show how fixing this bug revealed another stunningly simple variant-of-a-variant bug exploited in v8CTF. I also introduce another bug in WASM TurboFan compiler caused by an innocent typo, and show how analyzing a seemingly unexploitable bug can reveal significant exploitability in some configurations and platforms. I continue on to a massive list of 10+ V8 Sandbox bypasses in WASM, opening up a whole new paradigm of bypass techniques that require significant efforts to fully patch. This research, while spanning over only a short period of approximately 2 months, enabled me to win multiple hacking competitions and VRPs for a total of $250K+.
Throughout the talk, I provide both the big picture and detailed technical walkthrough on finding bugs in Chrome’s WASM implementation and exploiting them in the modern Chrome environment. I challenge the common misconception that “browser bugs are hard”, whereas quite a few of them can be found and exploited without breaking a sweat. The talk will conclude with a sneak peek of future works on WASM implementation in other major browsers and a demonstration of the exploits.
-
Location :
-
Track 2(HALL A)
-
-
Category :
-
U25
-
-
Share :
Speakers
-
Jongseong Kim
スンヒョン・イ
Seunghyun Lee, a.k.a. Xion (@0x10n), is a Ph.D. student in the Computer Science Department at Carnegie Mellon University. He received his bachelor’s degree in CS/EE at KAIST, where he worked as a research intern in Hacking Lab. His research focuses on system security, binary analysis, automatic vulnerability discovery and exploit generation.
His recent works involve vulnerability research and exploitation of browsers and the Linux kernel, and have found and exploited multiple vulnerabilities in hacking competitions. His notable achievements include winning two browser entries in Pwn2Own Vancouver 2024, winning the top payout on TyphoonPWN 2024 with a Chrome entry, and winning multiple entries in Google kernelCTF and v8CTF. He has presented his research in domestic and international security conferences including POC2023. He is also an occasional CTF player and has received the DEF CON Black Badge for winning DEF CON CTF in '23/'24 as part of Maple Mallard Magistrates.