This talk, after introducing some basic ChakraCore internals and the problems of compiling dynamically typed code, will dive into ChakraCore's JIT compiler and its compilation phases. The focus will be on demystifying the inner workings of the global optimizer, which performs multiple complex optimizations. We will reflect on what kind of bugs can be introduced during this process and how they could be leveraged to compromise the Edge renderer process. As an example, we will outline the root cause of CVE-2018-8266 and showcase how to turn it into an arbitrary memory read/write primitive for a full renderer compromise.
Bruno is an independent security researcher with a strong interest in browser security and full-chain exploitation through browsers. He previously wrote and presented about Firefox exploitation. He demonstrated a Firefox RCE and a Firefox info leak at Hack2Win eXtreme 2018. He also enjoys playing CTF with the German team Eat, Sleep, Pwn, Repeat.