New Trends in Browser Exploitation: Attacking Client-Side JIT Compilers

Presented at Black Hat USA 2018, Aug. 8, 2018, 11:15 a.m. (50 minutes).

As finding reliably exploitable vulnerabilities in web browser engines becomes gradually harder, attackers turn to previously less explored areas of the code. One of these seems especially interesting: just-in-time (JIT) compilers built into the JavaScript engines to maximize their performance by turning JavaScript code into optimized machine code at runtime. With commonly multiple tiers of JIT compilers (speak multiple different compilers) and an excessive focus on performance at the cost of added complexity, they are an attractive target for security researchers. Furthermore, the bugs found in them often turn out to be easily and reliably exploitable. Last but not least, JIT compilers appear to be "future proof" targets as their prevalence (and complexity) will likely continue to grow in the future.

This talk will explore the inner workings of JIT compilers for the JavaScript language with a focus on security relevant aspects. First, the challenges faced by such compilers as well as the common solutions implemented by the most prominent engines will be described. Afterwards, the attack surface of client-side JIT compilers will be explored together with a discussion of the rather unique vulnerabilities frequently found in them. Finally, a specific, but fairly typical JIT compiler vulnerability will be presented, along with the process of its discovery. This vulnerability was used in Pwn2Own 2018 to successfully exploit Safari on macOS. A brief walkthrough of its exploitation, yielding a near 100% reliable exploit that completes within a few milliseconds, will conclude this talk.


Presenters:

  • Samuel Groß - Independent Researcher,  
    Samuel Groß is an independent security researcher and, in his spare time, a Master's student at Karlsruhe Institute of Technology. He has been researching browser security for some years now and has published multiple articles on the subject, including a Phrack paper about JavaScript engine exploitation techniques at the example of JavaScriptCore, the JavaScript engine inside WebKit/Safari. He successfully participated in the yearly Pwn2Own contest in 2017 and 2018, both times demonstrating a remote exploit against Safari which also gained root or kernel-mode code execution on the underlying macOS system. Recently he has started offering trainings on browser exploitation in which he dedicates a full day to JIT compiler internals.

Links:

Similar Presentations: