Tackling Privilege Escalation with Offense and Defense

Presented at Black Hat Europe 2019, Dec. 5, 2019, 11:55 a.m. (50 minutes)

Over the past couple of years, various JavaScript APIs have been closely examined by security researchers: audited and fuzzed thoroughly for classic memory corruption issues such as buffer overflows, use-after-frees, and type confusions. Nevertheless, there is an interesting class of vulnerabilities that requires manual auditing rather than fuzzing. This class of bugs surfaced back in 2015, when researchers discovered how to exploit it to bypass the built-in security restrictions of the JavaScript engine. Chaining these privilege escalations with undocumented features in Adobe Reader enabled reliable arbitrary code execution. Whenever one bypass was patched, researchers discovered new and innovative ways to circumvent the restrictions. To make matters worse, these JavaScript API restriction bypasses opened the door to numerous memory corruption issues in the less audited, security-relevant JavaScript APIs. Even with sandbox protection, an untrusted document executing JavaScript code in the privileged context provides avenues for abuse.

Efforts on both the offensive and defensive sides of the field were kicked off to combat this class of issues. This presentation focuses on those efforts, which combined the exploitation expertise of the researchers with the knowledge of engineers to implement mitigations against the rising tide of these weaknesses. On the offensive side, researchers thoroughly analyzed the ways in which JavaScript APIs can be abused to elevate execution from the unprivileged into the privileged context. On the defensive side, engineers used the known instances of privilege escalation to devise methods that interpret each escalation as a violation of a general security invariant. These security invariants can be described and understood through a formal framework of information flow security properties.
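To make the "invariant" view concrete, the following is an added example written for this page; it is not code from the presentation, from Adobe Reader, or from the Zero Day Initiative. Acrobat's JavaScript API exposes the unprivileged/privileged boundary through app.trustedFunction together with app.beginPriv and app.endPriv; the toy engine below abstracts that into a two-level integrity label on every function, and states the invariant as an information-flow property: code labeled untrusted must never execute while the context label is privileged. The names Engine, Labeled, trustedFunction, call, legitimate and scenario, and the sample arguments, are assumptions made for the illustration.

```javascript
// Added example (not code from the presentation or from Adobe Reader):
// a toy two-level privilege model for a scripting engine, with an integrity
// invariant checker. Names below (Engine, Labeled, trustedFunction, call,
// scenario, legitimate) are assumptions made for this illustration.

const LOW = 'untrusted';   // code that arrived with the document
const HIGH = 'privileged'; // engine-supplied trusted code

// Every function the engine dispatches carries an integrity label.
class Labeled {
  constructor(label, value) {
    this.label = label;
    this.value = value;
  }
}

class Engine {
  constructor() {
    this.ctx = LOW;                // label of the code currently executing
    this.invariantViolations = []; // escalations recorded by the checker
  }

  // A privileged API: reachable only while the context label is HIGH.
  privilegedApi(name, arg) {
    if (this.ctx !== HIGH) {
      throw new Error(`${name}: not allowed in ${this.ctx} context`);
    }
    return `${name}:${arg}`;
  }

  // Wrap trusted code: the context is raised to HIGH for its duration and
  // restored afterwards, like a begin/end privileged section.
  trustedFunction(fn) {
    return new Labeled(HIGH, (eng, ...args) => {
      const saved = eng.ctx;
      eng.ctx = HIGH;
      try {
        return fn(eng, ...args);
      } finally {
        eng.ctx = saved;
      }
    });
  }

  // Information-flow invariant: LOW-labeled code must never run while the
  // context is HIGH. The checker records every violation; with `enforce`
  // set, it also demotes the context so the escalation fails closed.
  call(labeledFn, enforce, ...args) {
    const saved = this.ctx;
    if (labeledFn.label === LOW && this.ctx === HIGH) {
      this.invariantViolations.push(`${LOW} code invoked in ${HIGH} context`);
      if (enforce) this.ctx = LOW;
    }
    try {
      return labeledFn.value(this, ...args);
    } finally {
      this.ctx = saved;
    }
  }
}

// Intended use: trusted code reaches the privileged API directly.
function legitimate() {
  const engine = new Engine();
  const helper = engine.trustedFunction((eng) => eng.privilegedApi('launchURL', 'engine-arg'));
  const result = engine.call(helper, true);
  return { result, violations: engine.invariantViolations.length };
}

// Escalation shape: a trusted helper takes a document-supplied callback and
// runs it while still privileged (a confused deputy). The callback is LOW
// code, so its privileged call is exactly the invariant violation.
function scenario(enforce) {
  const engine = new Engine();
  const docScript = new Labeled(LOW, (eng) => eng.privilegedApi('launchURL', 'doc-controlled-arg'));
  const helper = engine.trustedFunction((eng, cb) => eng.call(cb, enforce));
  let result;
  try {
    result = engine.call(helper, enforce, docScript);
  } catch (e) {
    result = e.message;
  }
  return { result, violations: engine.invariantViolations.length, ctxAfter: engine.ctx };
}

console.log(legitimate());
console.log(scenario(false)); // unmitigated: the LOW callback succeeds and is flagged
console.log(scenario(true));  // enforced: same flag, but the privileged call is refused
```

The point of the model is the shift the defensive side describes: instead of patching each bypass as a one-off, the engine states one invariant (low-integrity code never executes under a high-integrity label) and checks it at every dispatch, so every historical escalation becomes a counterexample to that invariant rather than an unrelated bug. Running the block shows the legitimate trusted call succeeding with no violations, the unmitigated confused-deputy call succeeding but being flagged, and the enforced variant refusing the privileged call while still restoring the context label afterwards.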

We will describe some of the surprising discoveries made by researchers submitting to the Zero Day Initiative program, which were used to verify the application hardening as it took place. Over the years, this multi-pronged approach eliminated a large set of vulnerabilities in the security model implemented in a JavaScript engine.

Presenters:

  • Edgar Pek - Security Researcher, Adobe Inc.
    Edgar Pek is a security researcher at Adobe, Inc., where he works on application security. He holds a PhD from the University of Illinois, where he worked on lightweight formal verification for the security of systems software.
  • Abdul-Aziz Hariri - Vulnerability Analysis Manager, Trend Micro Zero Day Initiative
    Abdul-Aziz Hariri manages the Zero Day Initiative's program analysts. In this role, Hariri manages the day-to-day case load by accepting, distributing and pricing vulnerabilities submitted to the Zero Day Initiative (ZDI) program, the world's largest vendor-agnostic bug bounty program. Prior to joining ZDI, Hariri worked as an independent security researcher and as a threat analyst for Morgan Stanley's emergency response team. During his time as an independent researcher, he was profiled by Wired magazine in their 2012 article "Portrait of a Full-Time Bug Hunter". In 2015, Abdul was part of the research team that submitted "Breaking Silent Mitigations - Gaining code execution on Isolated Heap and MemoryProtection hardened Internet Explorer" to the Microsoft bounty program. Their submission netted one of the highest payouts to date from the Microsoft bounty program, and the proceeds went to many STEM organizations. Twitter: @abdhariri
