Ki Chan Ahn

Adventures on Hunting for Safari Sandbox Escapes


The bug hunting section is divided into 2 parts. First, I describe 2 ways to build a customized fuzzer that targets IPC functions. An existing state-of-art fuzzer is modified to make it work with daemons, and the fuzzer design and internals will be presented. The second part describes Variant analysis, and goes through the process of finding new variants of a publicly disclosed exploitable bug. This part will walk through a Webkit bug as well as a sandbox escape, which will be used as a base to discuss variant analysis.

In the end of the presentation, I talk about some pointers and tips that help bughunting in general, based on my experience. If you are interested in how an attacker finds sandbox escapes or bughunting in general, then this talk is for you.


Ki Chan Ahn is an offensive security researcher working for Exodus Intelligence. He has interest in vulnerability research in various Operating Systems, Browsers, and Hypervisors. Prior to Exodus Intelligence, he has worked as a security researcher for the Department of Defense, after his 5 year penetration testing work in the finanacial sector. Recently, his main focus is finding RCE and SBX bugs for various browsers.