Browser-Pwn
The world of Browsers is dominated by 4 major players:
- Chromium/Chrome (Blink-Engine)
- Firefox (Gecko-Engine)
- Safari (WebKit-Engine)
- Edge (Blink-Engine (former EdgeHTML-Engine)
The following is split into two parts:
- Information that helps to understand their architecture and implementation and how to build them from sources
- Information that helps finding their calculator popping feature
Table of Contents
- Engines
- Exploitation
- Tools
- JavaScript Docs
Engines
Engine-Overview
- Javascript Engine Fundamentals: the good, the bad, and the ugly
- Javascript Engine Fundamentals: Shapes and Inline Caches
- JavaScript Engines - how do they even (Video)
Browse the Sources
Of course you can use you're own favorite setup to browse the sources. However, those repos are relatively large and I tried a couple different setups until I found something that worked for me. So if you don't have good setup already, here are a couple of my experiences that might help you:
- CTags (+Vim): Works well with following references and calls. If you're used to navigate through large source-trees with this puristic setup, it can be a good option for you. The downside being of course the lack of the features most of the big IDEs come with nowadays.
- CLion: I use JetBrain products for a lot of my coding activities, but CLion didn't work well for me, especially following references. Of course this might be due to setup issues.
- Eclipse: I haven't used it in a while, but this turned out to be a good option. Unfortunately, it takes a lot of resources for the indexer to run through the code.
- Here is a setup description for the Chromium-Project, but it works similarly for the other projects as well.
- ccls+VSCode This is the best option for me so far. ccls is very fast with indexing the repos and works great with VSCode. You can also combine it with other editors and IDEs see https://github.com/MaskRay/ccls/wiki/Editor-Configuration
Chromium (Blink)
Articles:
The JavaScript-Engine of Blink is V8.
V8
Project | GitHub | Source | How2Build
Build (Ubuntu 18.04):
$ git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git
$ export PATH=$PATH:./depot_tools
$ gclient
$ mkdir ./v8 && cd ./v8
$ fetch v8 && cd v8
$ git pull
$ gclient sync
$ ./build/install-build-deps.sh
$ tools/dev/gm.py x64.release
$ out/x64.release/d8
Useful flags:
--print-opt-code
: code generated by optimizing compiler--print-byte-code
: bytecode generated by interpreter--trace-ic
: different object types a call site encouters--trace-opt
and--trace-deopt
: which functions are (de)optimized--trace-turbo
: TurboFan traces for the Turbolizer visualization
Articles:
JIT-Compiler: TurboFan
V8 provides a visualization for TurboFan called Turbolizer
Articles:
Turbolizer usage:
- Run v8 with
--trace-turbo
:d8 --trace-turbo foo.js
- Generates json files e.g.
turbo-foo-0.json
- Goto
v8/tools/turbolizer
and install with npm as described inREADME.md
- Serve directory e.g.
python -m SimpleHTTPServer 8000
- Browse to
localhost:8000
and openturbo-foo-0.json
Firefox (Gecko)
The JavaScript-Engine of Gecko is Spidermonkey.
Spidermonkey
Source
Build (Ubuntu 18.04):
$ wget -O bootstrap.py https://hg.mozilla.org/mozilla-central/raw-file/default/python/mozboot/bin/bootstrap.py && python bootstrap.py
$ git clone https://github.com/mozilla/gecko-dev.git && cd gecko-dev
$ cd js/src
$ autoconf2.13
# This name should end with "_DBG.OBJ" to make the version control system ignore it.
$ mkdir build_DBG.OBJ
$ cd build_DBG.OBJ
$ ../configure --enable-debug --disable-optimize
# Use "mozmake" on Windows
$ make -j 6
$ js/src/js
JIT-Compiler: IonMonkey
Spidermonkey provides a visualization for IonMonkey called IonGraph
Source
Safari (Webkit)
The JavaScript-Engine of Webkit is JavaScriptCore (JSC).
JavaScriptCore
Articles:
Source
- Runtime: Source/JavaScriptCore/runtime
Build (Ubuntu 18.04):
# sudo apt install libicu-dev python ruby bison flex cmake build-essential ninja-build git gperf
$ git clone git://git.webkit.org/WebKit.git && cd WebKit
$ Tools/gtk/install-dependencies
$ Tools/Scripts/build-webkit --jsc-only --debug
$ cd WebKitBuild/Release
$ LD_LIBRARY_PATH=./lib bin/jsc
JIT-Compiler: LLInt+ Baseline JIT + DFG JIT + FTL JIT
WebKit has a 4-Layer JIT-Compiler system, representing the tradeoff between overhead performance cost and performance benefit.
Articles:
Source
- LLInt (Low Level Interpreter)
- Baseline JIT
- DFG JIT (Data Flow Graph JIT)
- FTL JIT (Faster Than Light Just In Time compiler)
Edge (Blink/EdgeHTML)
Since Edge switched to Blink and the Chromium Project as its Rendering-Engine, Edge is using v8. Originally, Edge had is own Rendering-Engine called EdgeHTML, which used the ChakraCore JavaScript-Engine.
ChakraCore
Docs
Source
Build (Ubuntu 18.04):
# To build ChakraCore on Linux: (requires Clang 3.7+ and Python 2)
$ apt-get install -y git build-essential cmake clang libicu-dev libunwind8-dev
$ git clone https://github.com/Microsoft/ChakraCore && cd ChakraCore
$ ./build.sh --cc=/usr/bin/clang-3.9 --cxx=/usr/bin/clang++-3.9 --arch=amd64 --debug
$ out/Debug/ch
Exploitation
Exploitation-Overview
- Saelo: Attacking JavaScript-Engines
- Awesome-Browser-Exploitation
- Attacking WebKit applications (Slides)
- Saelo: Attacking Client-Side JIT Compilers - BlackHat 2018
- j0nathanj: From Zero to ZeroDay (Finding a Chakra Zero Day)
- Saelo: Fuzzili - (Guided-)fuzzing for JavaScript engines
Chromium Pwn
Articles
- Exploiting TurboFan Through Bounds Check Elimination
- saelo: Exploiting Logic Bugs in JavaScript JIT Engines
CTF-Challenges
- 34c3: v9
- 35c3: Krautflare
- CSAW-Finals-2018: ES1337
- Plaid CTF 2018: Roll a dice
- Google CTF Finals 2018: Just In Time
- *CTF 2019: oob-v8
- RealWorldCTF Quals 2019: accessible
RealWorld
- MobilePwn2Own 2013 - Chrome on Android
- https://halbecaf.com/2017/05/24/exploiting-a-v8-oob-write/
- niklasb: Chrome IPC Exploitation
- CVE-2019-5782 Write-Up
- CVE-2019-5790
- CVE-2019-5786 Chrome Remote Code Execution Vulnerability Analysis
Hardening & Mitigations
Firefox Pwn
Articles
- Playing around with SpiderMonkey
- OR'LYEH? The Shadow over Firefox
- A journey into IonMonkey: root-causing CVE-2019-9810
CTF-Challenges
- 33c3: Feuerfuchs
- Blaze 2018: blazefox
- Sources
- WriteUp
- WriteUp (Exploit-Script)
- WriteUp (Exploit-Script)
- Build+WriteUp
- 35c3 FunFox
RealWorld
- Introduction to SpiderMonkey exploitation
- Use-after-free in Spidermonkey (Beta 53)
- https://saelo.github.io/posts/firefox-script-loader-overflow.html
- Use-after-free in SpiderMonkey (64.0a1)
- CVE-2019-11707 Type Confusion
- CVE-2019-11708 & CVE-2019-9810
Safari Pwn
CTF-Challenges
RealWorld
- http://www.phrack.org/papers/attacking_javascript_engines.html
- Fuzzing Webkit and analysis of CVE-2019-8375
- CVE-2017-2446 WriteUp
- https://saelo.github.io/posts/jsc-typedarray.slice-infoleak.html
- https://github.com/saelo/pwn2own2018/tree/master/stage0
- https://github.com/LinusHenze/WebKit-RegEx-Exploit
- https://github.com/W00dL3cs/exploit_playground/tree/master/JavaScriptCore
Hardening & Mitigations
- Heap-hardening
- CagedPtr Source & ArrayBuffer Example
Edge
Articles
- bkth: Tale of Chakra Bugs
- bkth: Attacking Edge Through the JavaScript-Compiler
CTF-Challenges
- Plaid 2017: chakrazy
- N1CTF 2018: Chakra
- RealWorldCTF Quals 2019: Appetizer
- Trend Micro CTF 2019: ChakraCore 400
RealWorld
- bkth, S0rryMyBad: Non JIT Bug, JIT Exploit
Tools
Libraries:
Utils
Debugging
- shadow jemalloc heap exploitation framework (heap allocator used by Firefox)