Breaking the Chrome Sandbox with Mojo

Presented at Black Hat USA 2022, Aug. 10, 2022, 4:20 p.m. (40 minutes)

If you manage to exploit a Chrome renderer vulnerability, you find yourself in a tight sandbox. Access to OS resources like the file system is greatly restricted, and site isolation still enforces the web security guarantees. To allow such strong restrictions, various IPC services provide the required functionality to the renderer process, and these services can themselves become a target for sandbox escapes.

In this talk, we will take a look at Mojo, the IPC framework in Chrome. I will explain the protocol's inner workings using three logic bugs as examples. Finally, we're going to write a reliable exploit for a seemingly impossible race condition.


Presenters:

  • Stephen Röttger - Software Engineer, Google
    Stephen Röttger (@_tsuro) is interested in browser security, hardware vulnerability research and CTF competitions. Stephen is working in the v8 security team at Google.
