Put in One Bug and Pop Out More: An Effective Way of Bug Hunting in Chrome

Presented at Black Hat USA 2021, Aug. 4, 2021, 3:20 p.m. (40 minutes)

Bugs are rarely unique. As a system grows, multiple teams end up responsible for developing its numerous features, and given the complexity of the codebase there is a high probability that bugs sharing similar code patterns exist in many places throughout it.

In this presentation, we take Chrome as an example to show how to discover new vulnerabilities based on historical ones. We introduce several types of code patterns that are prone to vulnerabilities in Chrome, from the shallower to the deeper. For each pattern, we describe it in detail by summarizing some classic bugs, and present not only the basic workflow for finding similar bugs but also how to adjust and refine the pattern to discover new bugs distinct from the originals. Using these patterns we found 24 vulnerabilities in Chrome and were assigned 11 CVEs. Finally, we detail how we exploited one of them to escape the Chrome sandbox at the Tianfu Cup 2020 Cybersecurity Contest, the first time since 2015 that the Chrome category of a public contest has been won with a sandbox escape.

Presenters:

  • Guang Gong - Team Leader, 360 Alpha Lab
    Guang Gong is a senior security researcher at 360 Security and the team leader of 360 Alpha Lab. His research interests include Windows rootkits, virtualization, and cloud computing. He currently focuses on mobile security, especially hunting and exploiting Android vulnerabilities. He and his team have found more than 300 vulnerabilities in Google and Qualcomm products. He has pwned various Android devices in many hacking competitions. A recently discovered exploit chain won him the highest reward in the history of all Google VRP programs.
  • Rong Jian - Security Researcher, 360 Alpha Lab
    Rong Jian is a security researcher at 360 Alpha Lab. His research focuses on browser security. He was a winner of the Chrome category in the TianFu Cup 2020 Cybersecurity Contest.
  • Leecraso - Security Researcher, 360 Alpha Lab
    Leecraso (@leecraso) is a security researcher at 360 Alpha Lab and a former CTF player from Lancet. His research interests are reverse engineering and browser security. He was the Chrome winner of the Tianfu Cup 2020.
