Using the JIT Vulnerability to Pwn Microsoft Edge

Presented at Black Hat Asia 2019, March 29, 2019, 2:15 p.m. (60 minutes)

To speed up JavaScript code, modern browsers add a Just-In-Time (JIT) compiler to the JavaScript engine; Microsoft Edge's JavaScript engine, Chakra, does the same. Because JavaScript is a dynamic, untyped language, before JIT compilation the engine collects type information (called profile data) while the interpreter executes the bytecode. The JIT engine then performs a great deal of optimization during compilation based on that data. Implementing a JIT compiler is a complex project, and using the profile data for further optimization adds to this complexity, which may lead to vulnerabilities in the implementation.

This talk contains the following sections:

First, we will introduce the Chakra JIT engine architecture, detailing the optimizations performed in each phase of the compiler.

Second, we will put forth the attack surface in the JIT compiler. To speed up the code, the JIT compiler performs many optimizations in each phase; when an optimization is implemented incorrectly, it may lead to a vulnerability.

Third, we will focus on some interesting vulnerabilities found according to this attack surface. We will also look into the mitigation Microsoft has introduced into the Chakra engine to address this particular type of JIT vulnerability.

Fourth, we will give a full exploit demo (possibly of a 0day vulnerability) describing how to write an exploit from the vulnerability to arbitrary code execution on the latest Windows 10 x64 platform. We will give two methods to bypass Control Flow Guard (CFG), explaining how to construct ROP gadgets on the Windows 10 x64 platform.

Presenters:

  • Shenrong Liu - Security Researcher, Tencent
    Shenrong Liu (@cyriliu) is a security researcher at Tencent Zhanlu Lab (@ZhanluLab), mainly focusing on the security of JavaScript engines such as V8 and SpiderMonkey. Recently, they have been trying to find problems in just-in-time compilation. In the past, runtime code and CORS security were their work objectives.
  • Zhenhuan Li - Senior Security Researcher, Tencent
    Zhenhuan Li (@zenhumany) is a senior security researcher at Tencent Zhanlu Lab (@ZhanluLab). He has seven years of experience in vulnerability and exploit research. He has presented at Black Hat Asia, CanSecWest and the HITCON security conference. He won the Microsoft Mitigation Bypass Bounty in 2016 and the Microsoft Edge Web Platform on WIP Bounty, and was in the MSRC Top 17 in 2016.