Bruno Keith

Attacking Edge through the JavaScript Just-In-Time compiler

Abstract

As major JavaScript engines have matured over time, attackers and researchers have turned to specific and complex areas such as Just-in-Time compilation to find exploitable vulnerabilities. This talk will give insight into how the JIT compiler of ChakraCore (the JavaScript engine of Microsoft Edge) works and highlight typical vulnerabilities with a case study of one bug.

While memory safety mitigations have drastically increased the difficulty of exploiting memory corruption bugs in Microsoft Edge, a single bug in the ChakraCore JavaScript engine is often still powerful enough to build a full exploit. As the core engine has matured over time, attackers and researchers have turned to specific and complex aspects such as Just-in-Time compilation to find exploitable vulnerabilities.

After introducing some basic ChakraCore internals and the problems of compiling dynamically typed code, this talk will dive into ChakraCore's JIT compiler and its compilation phases. The focus will be on demystifying the inner workings of the global optimizer, which performs multiple complex optimizations. We will reflect on what kinds of bugs can be introduced during this process and how they could be leveraged to compromise the Edge renderer process. As an example, we will outline the root cause of CVE-2018-8266 and show how to turn it into an arbitrary memory read/write primitive for a full renderer compromise.

BIO

Bruno is an independent security researcher with a strong interest in browser security and full-chain exploitation through browsers. He previously wrote and presented about Firefox exploitation, and demonstrated a Firefox RCE and a Firefox info leak at Hack2Win eXtreme 2018. He also enjoys playing CTF with the German team Eat, Sleep, Pwn, Repeat.