#BHUSA BlackHatEvents

Super Hat Trick: Exploit Chrome and Firefox Four Times
Nan Wang, Zhenghang Xiao

About us

Nan Wang (eternalsakura13)
Security researcher at 360 Vulnerability Research Institute
Focusing on hunting Chrome vulnerabilities
Chrome VRP top 10 researcher in 2021/2022/2023
Facebook Top 2 whitehat hacker in 2023
Speaker of BlackHat USA 2023/BlackHat Asia 2023

Zhenghang Xiao (Kipreyyy)
Individual security researcher
First-year Master's candidate at NISL Lab, Tsinghua University
Focusing on browser security and fuzzing
Chrome VRP top researcher #3 in 2023
Credited by Facebook, Google, etc.
Speaker of BlackHat USA 2023

About us

360 Vulnerability Research Institute
Accumulated more than 3,000 CVEs
Won the highest bug bounty in history from Microsoft, Google and Apple
Successful pwner of several Pwn2Own and Tianfu Cup events
https:/

Agenda

1. Callback issue in runtime support
2. Incorrect Assumption on JS Map
3. Initialization Flaw in WebAssembly Instances
4. Integer Overflow in WebAssembly JIT

Callback issue in runtime support
https:/

Background

The JavaScript Set was introduced to the language in the ES2015 spec.
Incomplete functionality (add/clear/delete/has).
How to operate on or compare more than one set before?
Write your own functions

Background

How to operate on or compare more than one set now?
Write your own functions (obsoleted)
New Proposal! Stag