Modern attacks on the Chrome browser : optimizations and deoptimizations
Introduction
In late 2019, I presented at an internal Azimuth Security conference some work on hacking Chrome through its JavaScript engine.
One of the topics I've been playing with at that time was deoptimization and so I discussed, among others, vulnerabilities in the deoptimizer. For my talk at InfiltrateCon 2020 in …
Circumventing Chrome's hardening of typer bugs
Introduction
Some recent Chrome exploits were taking advantage of Bounds-Check-Elimination in order to get a R/W primitive from a TurboFan typer bug (a bug that incorrectly computes type information during code optimization). Indeed, during the simplified lowering phase, when visiting a CheckBounds node, if the engine can guarantee that …
Introduction to TurboFan
Introduction
Ages ago I wrote a blog post here called "first dip in the kernel pool"; this year we're going to swim in a sea of nodes!
The current trend is to attack JavaScript engines, and more specifically optimizing JIT compilers such as V8's TurboFan, SpiderMonkey's IonMonkey, JavaScriptCore's Data …