WebKit Everywhere: Secure or Not?

Presented at Black Hat Europe 2014, Oct. 17, 2014, 12:15 p.m. (30 minutes).

WebKit is widely used as a web rendering engine by applications present on almost all popular PC platforms, including Windows and Mac OS X, as well as mobile platforms such as iOS and Android. Usually a single vulnerability in WebKit - either a logic or a memory corruption one - utilized with appropriate exploit techniques can result in remote code execution impacting various applications, regardless of what platforms they are running on.

After years of security improvements made by Apple, Google, and other companies and communities, WebKit became one of the most secure engines amongst web rendering engines. The security improvements mainly focused on reducing the number of critical vulnerabilities such as Use-After-Free, heap overflow, etc. More importantly, exploitation mitigations implemented in WebKit and its corresponding JavaScript engines (JavaScriptCore and V8) also dramatically increased the difficulty of successful exploitation.

Difficult, but not impossible.

Despite the strong security, defeating WebKit-based applications is still feasible. In this talk, I will discuss the details of these security enhancements and the approach I took to defeat them. The talk will be illustrated by demos of two exploits. The first one is a WebKit vulnerability deployed using several advanced exploit techniques to deliver a remote code execution that doesn't rely on the heap spray technique and can be run reliably on the x64 Safari browser. The second one will demonstrate that similar techniques also apply to mobile applications.

At the end of our talk, we will provide recommendations on how to improve the security of WebKit-based applications.


Presenters:

  • Liang Chen - KeenTeam
    After several years of working for Top 500 software vendor companies and investment banks in security response roles, Liang Chen is now a senior security researcher at KeenTeam. Liang has strong research experience in software vulnerability exploitation and vulnerability discovery. During these years, Liang's major research area was browser exploitation, including Safari, Chrome, Internet Explorer, etc., on both PC and mobile platforms. Liang is the winner of the iPhone Safari category in Mobile Pwn2Own 2013, and also won the Mavericks Safari category in Pwn2Own 2014. Liang is a SANS GIAC Advisory Board Member. He is a current holder of CISSP, GCIH, GREM, MCSE and MCITP.
