Advanced Browser Exploitation

4-Day Training: August 1, 2, 3, 4

Abstract

Web browsers are among the most utilized consumer-facing software products on the planet. As the ubiquitous gateway to the internet, browsers introduce significant risk to the integrity of personal computing devices. In the race to protect users while advancing web technology, premier browsers have become increasingly complex targets to compromise. Over the course of this training, students will receive a thorough introduction to vulnerability research as it pertains to modern web browsers. This includes identifying, evaluating, and weaponizing the latest vulnerability patterns via the exploitation of several recently patched vulnerabilities. Through this, students will experience the end-to-end process of developing memory-corruption-based exploits against these high-value targets. This course will focus specifically on Google Chrome and Apple Safari.

Key Learning Objectives

  • Identify contemporary vulnerability patterns in web browsers
  • Become familiar with the architecture of modern web browsers
  • Build an in-depth understanding of browser internals and JavaScript engines
  • Develop an understanding of target-specific exploit techniques
  • Weaponize real-world vulnerabilities
  • Execute renderer-only attacks to hijack user sessions
  • Obtain a high-level overview of browser sandboxing

Who Should Attend

This training is designed for vulnerability researchers who want to learn about browser internals in the context of security as well as contemporary JavaScript exploitation techniques.

Agenda

Day 1: Browser Architecture (General, Chrome, Safari/WebKit)

  • Breaking down modern browser architectures, major components
  • Setting up a browser research environment, building, debugging
  • Interfacing with different components of the browser (DOM, JS)
  • Introduction to JavaScript engines
  • A deep-dive into JavaScript engine internals
  • Low-level JavaScript types and natives

Day 2: JavaScript Internals in Exploitation (General, V8, JSC)

  • Garbage collection implementations
  • Current vulnerability patterns found in JS engines
  • Introduction to exploit building blocks (Primitives)
  • Leveraging JavaScript vulnerability classes
  • Layering exploit primitives

Day 3: JavaScript JIT Compilers (General, V8)

  • Overview of JavaScript JIT compiler pipelines
  • Exploring JIT debugging tools
  • Optimizations and typing
  • Type cache and speculation
  • JIT vulnerability classes, contemporary exploits

Day 4: JavaScript Exploit Engineering (General, V8, JSC)

  • Constructing arbitrary memory primitives
  • Overwriting JIT structures and control flow hijacking
  • Continuation of execution
  • Bypassing browser-specific mitigations
  • UXSS, SOP bypasses, and renderer-only attacks
  • N-Day exploitation

Pre-requisites

Attendees should be familiar with modern exploitation subjects (memory corruption, bug classes, DEP, ASLR, ROP) and should have a working knowledge of C++ and JavaScript, some exposure to AMD64 assembly or low-level systems, and Linux command-line proficiency. This training requires a laptop that can connect to the Internet and reach a remote server over SSH and VNC.

Amy Burnett, RET2 Systems

Amy is a senior security researcher and co-founder of RET2 Systems, where she specializes in research of browser security and mitigation bypass. She has spoken about and previously led trainings on advanced browser exploitation at private events and several conferences. She and her team developed and publicly demonstrated a remote code exploit against Safari on macOS for Pwn2Own 2018, which also leveraged a macOS bug to gain root-level code execution.