Garbage collection is a fundamental part of any JavaScript engine. From a security research perspective it is interesting both as a rich attack surface and as a source of primitives for exploitation and reliability. However, despite the integral role it plays in V8, public documentation on its internals is scarce, and few public proof-of-concept exploits for bugs in the GC exist. This talk aims to bring V8's various garbage collectors to light. Specifically, we will discuss current development efforts relating to the ongoing switch from precise to conservative root tracking and explain an initial-access bug we found in the Minor Mark-Sweep collector. We will also discuss the interaction between the GC and V8's heap sandbox mitigation, demonstrating a GC-based heap sandbox escape.
Richard Abou Chaaya is a security researcher at Trenchant. He is particularly interested in fuzzing and browser vulnerability research.
John Stephenson is a security researcher with a primary focus on remote code execution in the browser.