Advanced Browser Exploitation

4-Day, 32 CPE Hour Training: August 2020 (Aug 1-7)

Amy Burnett, RET2 Systems

Abstract

Web browsers are among the most utilized consumer-facing software products on the planet. As the ubiquitous gateway to the Internet, browsers introduce significant risk to the integrity of personal computing devices. In the race to protect users while advancing web technology, premier browsers have become increasingly complex targets to compromise. Over the course of this training, students will receive a thorough introduction to vulnerability research as it pertains to modern web browsers. This includes identifying, evaluating, and weaponizing the latest vulnerability patterns through the exploitation of several recently patched vulnerabilities. In doing so, students will experience the end-to-end process of developing memory-corruption-based exploits against these high-value targets. This course focuses specifically on Google Chrome and Apple Safari.

Key Learning Objectives

  • Identify contemporary vulnerability patterns in web browsers
  • Become familiar with the architecture of modern web browsers
  • Build an in-depth understanding of browser internals and JavaScript engines
  • Develop an understanding of target-specific exploit techniques
  • Weaponize real-world vulnerabilities
  • Execute renderer-only attacks to hijack user sessions
  • Obtain a high-level overview of browser sandboxing

Who Should Attend

This training is designed for vulnerability researchers who want to learn about browser internals in the context of security as well as contemporary JavaScript exploitation techniques.

Agenda

Module 1: Browser Architecture (General, Chrome, Safari/WebKit)

  • Breaking down modern browser architectures, major components
  • Setting up a browser research environment, building, debugging
  • Interfacing with different components of the browser (DOM, JS)
  • Introduction to JavaScript engines
  • A deep-dive into JavaScript engine internals
  • Low-level JavaScript types and natives

Module 2: JavaScript Internals in Exploitation (General, V8, JSC)

  • Garbage collection implementations
  • Current vulnerability patterns found in JS engines
  • Introduction to exploit building blocks (Primitives)
  • Leveraging JavaScript vulnerability classes
  • Layering exploit primitives

Module 3: JavaScript JIT Compilers (General, V8)

  • Overview of JavaScript JIT compiler pipelines
  • Exploring JIT debugging tools
  • Optimizations and typing
  • Type cache and speculation
  • JIT vulnerability classes, contemporary exploits

Module 4: JavaScript Exploit Engineering (General, V8, JSC)

  • Constructing arbitrary memory primitives
  • Overwriting JIT structures and control flow hijacking
  • Continuation of execution
  • Bypassing browser-specific mitigations
  • UXSS, SOP bypasses, and renderer-only attacks
  • N-Day exploitation

Prerequisites

Attendees should be familiar with modern exploitation subjects (memory corruption, bug classes, DEP, ASLR, ROP), have a working knowledge of C++ and JavaScript, some exposure to AMD64 assembly or low-level systems, and Linux command-line proficiency. This training requires a laptop that can connect to the Internet and reach a remote server over SSH and VNC.