Thursday, 16 January 2025

Achilles' Heel of JS Engines: Exploiting Modern Browsers During WASM Execution

WebAssembly (WASM) is a high-performance, assembly-like compiled language that executes at high speed in the browser. It is also being adopted in Cloud Native, Mobile, IoT, blockchain and other fields. WASM bytecode is first compiled into machine code by the engine's compiler and then executed in the WASM virtual machine. In our previous research [1], we discovered a number of security issues in the WASM compilation phase of the Safari browser. However, analysis of these vulnerabilities showed that most of them are difficult to exploit: although they cause serious memory corruption during the compilation phase, that corruption is limited by the "predefined code path", which restricts the ways a bug can be used to hijack control flow. Fortunately, we found that the execution phase offers more flexible room to operate than the compilation phase. Wrong compilation results and problems in the runtime environment itself provide good exploitation primitives for vulnerabilities in this phase. In addition, the current vulnerability mitigations in the WASM execution phase are fewer than those in JavaScript, which makes execution-phase vulnerabilities good targets for bug hunting. We analyzed the attack surface of WebAssembly execution and categorized its vulnerabilities into three types: Runtime Build Issues, ByteCode Execution Issues and External Interaction Issues. To find these vulnerabilities, we developed targeted fuzzing tools and discovered over 10 vulnerabilities in the JavaScript engines of Chrome, Firefox, and Safari. By exploiting these vulnerabilities, we achieved Remote Code Execution (RCE) on multiple modern browsers. In this talk, we will discuss some of the interesting vulnerabilities we found and demonstrate how to exploit them.
[1] https://ift.tt/bOjYmKR

By:
Bohan Liu | Senior Security Researcher, Tencent Security Xuanwu Lab
Zong Cao | Security Researcher, University of Chinese Academy of Sciences
Zheng Wang | Security Researcher, Tencent Security Xuanwu Lab
Yeqi Fu | PhD Student, National University of Singapore
Cen Zhang | Postdoctoral Researcher, Nanyang Technological University

Full Abstract and Presentation Materials: https://ift.tt/sIECONR

source https://www.youtube.com/watch?v=X2JQrQQmOLA
