White Paper (Super Hat Trick: Exploit Chrome and Firefox Four Times)

Contents

Background
Callback issue in runtime support
    Background
    Root cause analysis
    How to exploit
Incorrect Assumption on JS Map
    Background
    Root cause analysis
    How to exploit
Initialization Flaw in WebAssembly Instances
    Background
    Root cause analysis
    How to exploit
Integer Overflow in WebAssembly JIT
    Background
    Root cause analysis
    How to exploit
Conclusions

Background

With the widespread use of the JavaScript language, JavaScript engines are becoming increasingly feature-rich. There are various JavaScript engines, such as V8, used by Google Chrome, and SpiderMonkey, used by Firefox. From runtime support to compilation optimization, they add a lot of new code, but with it comes a number of hidden security issues. We have once again identified four high-risk vulnerabilities in these new implementations: one is a classic callback issue within the new runtime support implementations, another is a type confusion caused by missing type checking in the compilation optimization, and the remaining two are related to wasm GC issues, an improper initialization order and an integer overflow, each resulting in a controllable out-of-bounds read/write.

Callback issue in runtime support

Background

The first part is a callback issue hidden in the runtime support code logic, and it is related to a new JavaScript proposal. Before diving deeper into the root cause of the vulnerability, let us first get a brief understanding of the background knowledge. In 2015, a new data structure, Set, was introduced into JavaScript to make it easier for developers to write code. However, as you can see, the functions available in this Set structure are ver