Web Browser Exploitation
Samuel Groß
Dates
12-15 February 2018Capacity
18Price
4.000,- €Introduction
Modern web browsers pose a challenging and attractive target for security researchers. However, with ever growing codebases and increasing code complexity, the barrier to entry for security research in this area has been rising as well. This training is designed to prepare students for a successful entry into this field. Students will learn to identify, analyze, and exploit vulnerabilities in the context of a renderer process. Through various hands-on exercises, students get practical experience and gain a good understanding of the respective code bases. Excercises will be designed for Chrome and Firefox, although most of them can also be completed on Edge and/or Safari.
The training will roughly be divided into two parts: the first part provides an in-depth introduction to web browser internals (such as the DOM and JavaScript engines) with a focus on security relevant components. The second part of the training will then focus on identifying and exploiting vulnerabilities in the renderer process, and where to go from there. On the last day there will also be a CTF-style event in which students go all the way from auditing a small browser component to writing a reliable exploit and gaining code execution inside the renderer process.
While no previous experience with browser internals is required, students should be moderately familiar with memory corruption exploitation, low-level process internals, common debuggers, and C++. For students that do not wish to install compiler toolchains etc. directly on their laptop, Linux-based virtual machine images for Firefox and Chrome will be provided.
- Objectives
- Understanding of browser internals
- Working exploit development environment
- Familiarity with browser code base(s)
- Knowledge of typical vulnerabilities
- Ability to identify and reliably exploit vulnerabilities in the renderer
- Techniques for post (renderer) exploitation
Agenda
- Introduction
- Architecture of a modern browser
- Overview of the 4 major web browsers
- Setting up a “development” environment
- Obtaining, building and navigating available source code
- JavaScript for the exploit writer
- The DOM
- Overview of the DOM and its implementation
- Web Events
- Memory management and reference counting
- Typical vulnerabilities
- JavaScript Engines
- Internals of a JavaScript engine
- Type conversions and other “userland” callbacks
- JavaScript memory managment and garbage collection
- JIT compilers
- Browser bindings
- Typical vulnerabilities
- Other Components
- Networking
- Databases
- SVG
- ...
- Identifying Vulnerabilities
- Identifying the attack surface
- Where to look for vulnerabilities
- Types of vulnerabilities
- Code auditing
- Fuzzing
- Security Mechanisms
- Exploit mitigations in the different browsers
- Sandboxing overview
- The Same-origin policy and where it is implemented
- Exploitation
- Root-cause analysis
- Achieving arbitrary memory read/write
- Gaining code execution
- Building reliable exploits
- Avoiding GC crashes
- CTF
- Audit a small browser component
- Construct an arbitrary memory read/write primitive
- Develop a reliable exploit
Prerequisites
Students should
- Be familiar with memory corruption exploitation
- Be comfortable with C++ and know some JavaScript basics
- Bring a laptop running Windows, macOS or Linux, with at least 75GB disk space and 8GB RAM
- (Optionally) have a disassembler (IDA Pro recommended) available if they want to work on Microsoft Edge
- Have VMWare installed if they want to use the provided VM images
Bio
Samuel is a Master’s student at Karlsruhe Institute of Technology and security researcher in his spare time. He has been researching browser security for some years now and has published multiple articles on the subject, including a Phrack paper on JavaScriptCore (the JavaScript engine inside WebKit/Safari) exploitation. In 2017 he partnered with Niklas Baumstark to compete in the pwn2own competition and the team succeeded in remotely exploiting Safari and subsequently gaining root access to the underlying macOS system.
Samuel Groß
