Introduction to Browser Exploitation

4200€ | 30th of September to the 3rd of October 2024 | Espace Vinci, Rue des Jeuneurs, Paris, France

The browser training starts with a JavaScript crash course where we discuss several objects related to JavaScript and their implementations on a JavaScript engine. Next, we go over the commonalities of a browser's architecture, and look at the renderer and the sandbox, using Chrome as an example. Our emphasis is on the JavaScript engine in the renderer process. We develop a birds-eye understanding of it and observe how the peculiarities of the JavaScript language influence the design of a JIT compiler.

Important structures and key concepts such as Object shapes, SSA, IR, Inline Caches, and a few other fundamental concepts relevant to JavaScript engine exploitation are explained in detail. The course dives into the environment of v8, ranging from the execution pipeline to recent mitigations. Once the basics of browsers and JIT are laid out, we use a simple case study to illustrate a browser vulnerability. This is followed by an explanation of JavaScript exploitation primitives. Two real-world vulnerabilities are introduced, and the student is expected to solve simple challenges that will help in the understanding of the inner workings of the exploit. The course will emphasize the similarities and differences of the two vulnerabilities, with the first one serving as a foundation for the second. The challenges will be supported by the theory all along the course. Finally, a quick overview on fuzzing JavaScript engines and browser mitigations is covered.

After attending this fast-paced course, a student can expect to have dropped a foundational anchor on browser security research that enables them to further pursue its depths.


Objectives of the training

Browser architecture and identifying attack surfaces

Understanding of JavaScript from a user's perspective

JavaScript Engine internals, attacking JIT compilers

Applying bug hunting methodologies to Browsers

Visualize the progress of JavaScript fuzzers via coverage

Comparing characteristics of implementation of major Browsers

Writing JavaScript engine exploits

Understanding mitigations across Browsers

The trainer

Who will run this training?

Javier
Jimenez

Exodus Intelligence
@n30m1nd

Javier Jimenez is a vulnerability researcher at Exodus Intelligence currently focusing on browser exploitation with a big focus on bug hunting via fuzzing.

Javier has given trainings at conferences such as BSides London and BlackHat USA, and has many other public blog posts on exploit development research. These also include the discovery of vulnerabilities in Apache httpd and Chrome's V8.

Syllabus

What will we do?

Summary

This training starts with JavaScript basics, browser architecture, and JavaScript engine internals, with a focus on Chrome’s V8 JavaScript engine. It explains key concepts like Object shapes, Intermediate Representations, and Just-in-Time (JIT) compilers, essential for JavaScript exploitation. Theory and practicals are weaved together enabling you to analyze and exploit real-world V8 vulnerabilities including in newer components such as Maglev.

Vulnerability researchers with no prior experience in browsers will find the entire breadth of the course to be instructive. We also delve into advanced topics in fuzzing and exploitation of new V8 components.

Day-by-day

Day 1 - Browser Overview

  • JavaScript crash course: arrays, typed arrays, objects. Browser architecture overview; browser engine; renderer; sandbox.
  • How a JavaScript engine works; what is a Just-in-Time (JIT) compiler.
  • Object shapes; Single Static Assignment form (SSA); and the types of browser vulnerabilities.
  • JavaScript vulnerabilities such as Type-confusion and Out-of-bounds write.

Day 2 - Introduction to JavaScript Exploitation

  • V8 JavaScript engine ecosystem: Ignition, Turbofan, Maglev, WebAssembly, etc.
  • Analyzing old bugs in the V8 engine to understand the basics of JavaScript engine exploitation. WebAssembly info leak and Type-confusion.
  • Bug hunting in browsers; full browser, WebAssembly and JavaScript fuzzing. Overview on static analysis tools.

Day 3 - ArrayShift Built-in case study (2021)

  • JIT compilers and similarities amongst the implementation of the 3 major browsers.
  • V8 code analysis and looking at Turbolizer output for an in-depth view of the compiler pipeline.
  • In-depth understanding of Arrays in JavaScript and their importance for JavaScript engine exploitation.
  • Practicals on exploiting the case study.

Day 4 - Maglev Allocation Folding case study (2024)

  • Overview of Maglev in the JIT pipeline and visualizing a vulnerability using Maglev-IR.
  • Allocation Folding and root cause analysis of the vulnerability.
  • Modifying the JavaScript engine to aid debugging.
  • Practicals on exploiting the case study.
  • Overview of the current state of mitigations in browsers and JavaScript engines.

Students requirements

  • Familiarity with Ubuntu Linux.
  • Familiarity with GDB.
  • Basic C knowledge.
  • Familiarity with common vulnerabilities and exploitation techniques.

Hardware requirements

  • x86_64 CPU
  • At least 100 GB of free disk space.
  • At least 12 GB of RAM.
  • Ability to plug in an untrusted USB drive or download from the Internet.

Software Requirements

  • VMWare Player or VirtualBox.

Provided to students

  • Course slides.
  • Virtual machines via USB or online link.

Other trainings

What else might interest you?

Android Kernel Security

Vitaly Nikolenko

Hypervisor development for security analysis

Satoshi Tanda

Advanced Active Directory and Azure exploitation

Hugo Vincent & Wilfried Bécard

Attacking Instant Messaging Applications

Iddo Eldor & Jacob Bech

iOS for Security Engineers

Quentin Meffre & Etienne Helluy-Lafont

Practical Baseband Exploitation

Pedro Ribeiro & Nitay Artenstein

Software Deobfuscation Techniques

Tim Blazytko

Windows Exploit Engineering Foundation

Cedric Halbronn