The Most Secure Browser? Pwning Chrome from 2016 to 2019

Presented at Black Hat USA 2019, Aug. 7, 2019, 11:15 a.m. (50 minutes)

Browser security is a perennial topic in security research. Thanks to careful design and years of hardening, browsers have become steadily more secure. The last time Chrome fell at Pwn2Own was Mobile Pwn2Own 2016, where we, Keen Security Lab of Tencent, pwned a Nexus 6P through the Chrome browser. This year we are sharing the full, in-depth details of our Chrome security research.

JavaScript engines are an attractive target for browser attackers, and researchers have published impressive methods such as CodeAlchemist and Fuzzilli. We developed a methodology we call Semantic Equivalent Transform (SET). It is distinct because it is:

  • Simple. SET is inherently immune to grammar and semantic errors, so we do not need to write a lot of analysis code.
  • Effective. We have found 8 V8 bugs usable at Pwn2Own with it in the past three years.
  • Versatile. SET can play a role in many scenarios.

We will then share novel exploitation techniques we used in Pwn2Own. For instance, although most researchers have realized that the JIT is a good target for bug hunting, few have noticed that the JIT can also be used for exploitation. We will show how we used some general JIT fragments to exploit low-quality bugs. After that, we will share other interesting cases and our latest bug.

Finally, we will share our recent research on sandbox bypass. We have pwned Chrome three times since 2016. We will share the details of our IPC bugs and bring a demo from when we pwned Chrome in March 2019.

To the best of our knowledge, this presentation will be the first to publicly present a complete methodology for pwning Chrome: finding and exploiting bugs in both V8 and the sandbox.
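
The abstract only names the property that makes SET attractive: transforms that keep a test case valid and equivalent, so no grammar or semantics fix-up is needed. The following block is an added illustration of that general idea, written for this page; it is not KeenLab's SET implementation and the talk does not describe their transforms. The AST shape, the three transforms (closure call, array element load, constant-condition branch), the seed program and the sample inputs are all assumptions made here. Each variant is compiled with new Function and run beside the original on the same inputs, so a variant that evaluates differently is flagged as a candidate engine bug.

```javascript
// Added illustration, not code from the talk or from KeenLab: a miniature
// "semantically equivalent transform" fuzzer. Test cases are kept as a small
// expression AST, every transform rewrites one node into an equivalent node,
// and every variant is run beside the original. The AST shape, transform set,
// seed program and inputs below are assumptions for this example.

const lit = (value) => ({ type: 'Lit', value });
const id = (name) => ({ type: 'Id', name });
const bin = (op, left, right) => ({ type: 'Bin', op, left, right });

// Seed (assumed): the body of  function f(a, b) { return ((a + b) * (a - 1)) | 0; }
const seedAst = bin('|', bin('*', bin('+', id('a'), id('b')),
                               bin('-', id('a'), lit(1))), lit(0));

// Each transform maps an expression node to an equivalent expression node.
// Rewriting structure rather than text keeps every variant syntactically
// valid, which is the property the abstract attributes to SET.
const transforms = {
  iife: (n) => ({ type: 'IIFE', body: n }), // x -> (() => x)()   closure call
  elem: (n) => ({ type: 'Elem', body: n }), // x -> [x][0]        element load
  cond: (n) => ({ type: 'Cond', body: n }), // x -> (true ? x : 0) constant branch
};

// Print an AST back to JavaScript source.
function emit(n) {
  switch (n.type) {
    case 'Lit': return JSON.stringify(n.value);
    case 'Id': return n.name;
    case 'Bin': return `(${emit(n.left)} ${n.op} ${emit(n.right)})`;
    case 'IIFE': return `((() => ${emit(n.body)})())`;
    case 'Elem': return `([${emit(n.body)}][0])`;
    case 'Cond': return `((true) ? ${emit(n.body)} : 0)`;
    default: throw new Error('unknown node ' + n.type);
  }
}

// Enumerate every expression node as a key path from the root.
function paths(n, prefix = []) {
  const out = [prefix];
  if (n.type === 'Bin') {
    out.push(...paths(n.left, [...prefix, 'left']));
    out.push(...paths(n.right, [...prefix, 'right']));
  } else if (n.body) {
    out.push(...paths(n.body, [...prefix, 'body']));
  }
  return out;
}

// Return a copy of `root` with the node at `path` replaced by fn(node).
function rewriteAt(root, path, fn) {
  if (path.length === 0) return fn(root);
  const [k, ...rest] = path;
  return { ...root, [k]: rewriteAt(root[k], rest, fn) };
}

// Compile an AST into a callable f(a, b); throws if the source is invalid.
function compile(ast) {
  return new Function('a', 'b', 'return ' + emit(ast) + ';');
}

// Generate every single-transform variant of the seed and compare each one
// with the original on the same inputs. Object.is treats NaN as equal to NaN
// and distinguishes -0 from +0, both of which matter when hunting engine bugs.
function checkVariants(seed, inputs) {
  const original = compile(seed);
  const variants = [];
  const mismatches = [];
  for (const p of paths(seed)) {
    for (const t of Object.values(transforms)) {
      const ast = rewriteAt(seed, p, t);
      const src = emit(ast);
      const f = compile(ast);
      variants.push(src);
      for (const [a, b] of inputs) {
        const want = original(a, b);
        const got = f(a, b);
        if (!Object.is(want, got)) mismatches.push({ src, a, b, want, got });
      }
    }
  }
  return { variants, mismatches };
}

// Constructed sample inputs: small ints, an int32 overflow, a fraction, a string.
const sampleInputs = [[1, 2], [2 ** 31, 1], [0.5, -3], ['x', 1]];

const result = checkVariants(seedAst, sampleInputs);
console.log(`${result.variants.length} variants, ${result.mismatches.length} mismatches`);
```

On a healthy engine every variant agrees with the seed; a real fuzzer of this kind would also run the original and the variants enough times to reach the optimizing JIT tier, since that is where the interesting divergences appear.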

Presenters:

  • Gengming Liu - Security Researcher, Keen Security Lab of Tencent
    Gengming Liu is a security researcher at KeenLab of Tencent. He has been participating in Pwn2Own since 2016. He is the vice-captain of eee CTF team and the former captain of AAA CTF team. He also plays CTFs as a member of b1o0p and A*0*E, which won the second place in DEFCON CTF 2016 and third place in DEFCON CTF 2017.
  • Zhen Feng - Senior Security Researcher, Keen Security Lab of Tencent
    Zhen Feng is a senior security researcher at KeenLab. He has a great deal of experience in browser security. He took part in four Pwn2Own contests in 2016 and 2017 with the team and found most of the vulnerabilities used against the browser targets. He now focuses on compiler security.
